Beware of this botnet, new phishing campaigns spotted and cybersecurity oversight boosted in the EU.
Welcome to Cyber Security Today. It’s Monday May 16th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
It’s long been known that IT departments that don’t patch their applications with security updates run the risk of having their organizations hacked. The latest example comes from researchers at Microsoft. They warn that a new variant of the Sysrv botnet has been found. It exploits software vulnerabilities to install coin miners on both Windows and Linux systems. Those coin miners make money for threat actors. What this new variant looks for are vulnerable web servers, including old holes in WordPress plugins. Once it has taken over a server, the botnet looks for ways to spread to other computers on the network. The thing is, patches for all of the exploited vulnerabilities are available for installation. So there’s no reason why your servers should be compromised by this bot.
Malware that executes in memory — also known as fileless malware — is a big threat to organizations. Here’s one of the latest attempts to slip fileless malware past IT defences. It arrives as a phishing message aimed at employees who handle finances. According to researchers at Fortinet, the message says something like “Please find the attached payments report.” The email address of the sender includes the words “accountpayable”, so it reads “accountpayable[at]company.co.” It would seem convincing at a glance. The payload is an infected Excel spreadsheet. First, the victim has to enable macros for it to run. Microsoft Office apps are configured so macros don’t run automatically, so trying to open the file will trigger a warning. Hopefully the employee won’t enable macros, because if they do, the fileless malware will execute. Keeping all applications patched and having a multi-layered defence are the best ways to fight fileless malware.
Researchers at Kaspersky have discovered a different phishing campaign. This one is aimed at customers of Wells Fargo bank, which has operations in more than 40 countries. An email tells the person their Wells Fargo account has been blocked for some reason — an unverified email address or a mistake in their home address. To regain access they have to click on a link to verify their identity within 24 hours or they lose access to the account. If they click, it leads to the theft of their login password. First, listeners should know this type of scam is used by crooks against customers of many financial institutions, not just Wells Fargo. Second, one tip-off that this is a scam is the deadline. The crooks hope victims will feel pressure. If you get an email like this and think it’s real, don’t click on the link. Go to your institution’s website the way you usually do — through a bookmark you have made, or by looking up the institution’s site on Google or another search engine — log in and see if there’s a warning. Or phone your bank using a trusted phone number, like the one on your monthly bill. Or go to the nearest bank branch.
The European Union is about to formally set up a body to co-ordinate the management of large-scale cybersecurity incidents at critical infrastructure providers. The European Cyber Crisis Liaison Organisation Network — or EU-CyCLONe for short — has been tested over the past two years. It will help manage incidents that spill over the borders of the 27 countries in the EU. Its formal adoption is part of an agreement announced Friday to increase the common level of cybersecurity across the EU. It will set a baseline for cybersecurity risk management measures and reporting obligations for critical infrastructure sectors like banks and utilities. The deal still has to be approved by each country.
Finally, network administrators with SonicWall SMA 1000 devices, which are used to give employees and partners remote access to IT systems, are urged to install the latest security patch. It closes a vulnerability in devices running version 12.4 and higher of the firmware. Successful exploitation of the hole could allow an attacker to take over the device.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.