A Linux trojan is spreading, malware aimed at security researchers and more.
Welcome to Cyber Security Today. It’s Wednesday May 25th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Linux administrators are being warned to have the latest endpoint and server defences on their systems. This comes after Microsoft detected an increase in the use of a Linux trojan called XorDdos. It infects Linux systems so they can be used as a denial of service botnet, and it also adds malware to the systems it infects. This trojan usually spreads by compromising passwords with a brute force attack. One sign of such an attack is a large number of failed login attempts. In addition to deploying antimalware software, administrators can also protect internet-facing Linux servers by not allowing remote password-based access to anyone. And make sure any password used by employees for any system is strong and backed by multifactor authentication.
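As an added illustration of the two defences just mentioned (this is example code, not from the report or the podcast), the snippet below counts failed SSH password attempts per source address in a few constructed OpenSSH log lines, flags sources above an illustrative threshold, and lists any password-based logins that a key-only access policy should make disappear. The log format, host name, user names and addresses are all assumptions.

```python
import re
from collections import Counter

# Constructed sample sshd log lines in OpenSSH syslog format (assumption, not from the page).
SAMPLE_AUTH_LOG = """\
May 25 08:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51122 ssh2
May 25 08:01:03 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51123 ssh2
May 25 08:01:04 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
May 25 08:01:05 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51125 ssh2
May 25 08:01:06 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51126 ssh2
May 25 08:02:10 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:placeholder
May 25 08:03:15 web1 sshd[2115]: Failed password for alice from 198.51.100.9 port 40555 ssh2
May 25 08:03:40 web1 sshd[2116]: Accepted password for alice from 198.51.100.9 port 40556 ssh2
"""

# "invalid user" appears when the account does not exist; the optional group absorbs it.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_PW_RE = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")


def count_failures(log_text):
    """Return {source_ip: number of failed password attempts} for the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def brute_force_sources(log_text, threshold=5):
    """Source IPs with at least `threshold` failed attempts (threshold is an illustrative value)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)


def password_logins(log_text):
    """(user, ip) pairs that authenticated with a password; key-only policy means this should be empty."""
    return [m.groups() for m in (ACCEPTED_PW_RE.search(l) for l in log_text.splitlines()) if m]
```

A non-empty result from `password_logins` on a server that is supposed to be key-only is itself a finding: it means password authentication is still enabled somewhere.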
Security researchers are juicy targets for threat actors because they help defeat cyberattacks, which is why they have to be among those least trusting of the internet. This comes after infected and fake proof of concept exploits were found on GitHub, where researchers often look for possible vulnerabilities to work on. According to a company called Cyble, supposed researchers blogged on GitHub about creating proofs of concept to leverage software vulnerabilities. However, those files contained malware. The suspicion is that someone is targeting the infosec community. As the Bleeping Computer news site points out, security researchers often take apart a security patch issued by a software company and create a proof of concept exploit to learn how a threat actor could abuse the vulnerability. In this case a threat actor likely thought this curiosity could be used to infect the computers of researchers. The lesson: security researchers have to be careful what they download.
Russia has been hammered by Western countries for launching cyberattacks. Now Russia is a target, according to researchers at Malwarebytes. Just after it began invading Ukraine in February, a previously unknown group started spearphishing attacks against Russian government entities, trying to install a remote access trojan. There have been four types of messages: one pretends to be an attachment with an interactive map, another pretends to be a patch for the log4j vulnerability, a third pretends to be from the Russian Rostec defence group, and the fourth is an attachment for a fake job ad at the Saudi Aramco oil company.
Here’s another warning for Android phone users: Google has seen evidence that governments in a number of countries including Spain, Indonesia, Egypt, Serbia and Greece are buying zero-day Android exploits for use against certain people. The vulnerabilities were found and sold by a commercial surveillance company called Cytrox. Governments use exploits to spy on the smartphones of terrorists and crooks, but also political opponents and reporters. The report is another reason why executives, politicians and others who think they may be targeted by governments must install the latest software security updates and use the latest version of browsers on their mobile devices.
Crooks try to use stolen usernames and passwords wherever they can — email providers, banks and even car companies. The latest example: someone used stolen credentials to access the online customer rewards program for General Motors car owners. They then converted customers’ points to gift cards, which can be used to buy goods at a wide number of retailers. GM says the attacker got owners’ names, email addresses, personal addresses and phone numbers, but not dates of birth, Social Security, driver’s licence or credit card numbers.
Finally, Sophos researchers note that attackers are still hunting for on-premises Microsoft Exchange servers that haven’t been patched against the ProxyShell and ProxyLogon vulnerabilities. Security updates for these holes were issued a while ago. There’s no reason why your Exchange Server hasn’t been patched yet.
That’s it for now. You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.