Lessons from cyber attacks against Ukraine, and beware of attempted extortion emails.
Welcome to Cyber Security Today. It’s Monday, November 14th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Company and IT leaders need to keep reminding employees that doing foolish things leads to data breaches. They can cite the latest example: Ukraine's computer emergency response team says downloading compromised software and failing to enable two-factor authentication have led to computers in that country being encrypted by malware. The attacks, which a Russia-based threat group called Z-Team is taking credit for, start with an employee being drawn to a fake website supposedly offering a network tool called Advanced IP Scanner. Installing the compromised tool also installs information-stealing malware called Vidar. Vidar looks for passwords to steal. In this case, it found the usernames and passwords of employees at victim organizations who used the Telegram instant messaging service. If those employees hadn't enabled Telegram's two-factor authentication, their credentials were captured. The attacker was then able to use those credentials to log into the victim organization through its VPN. From there the attacker used other tools to eventually steal data and then install the data wiper.
Note there were at least two mistakes here: First, employees were tricked into downloading bad software, probably because they were emailed offers for a free version of Advanced IP Scanner. This isn't the first time hackers have used fake versions of this application. Last month Kaspersky warned that threat actors are distributing a similar trojanized tool called Advanced IP Spyware. The second mistake was employees not enabling two-factor authentication on Telegram. It isn't clear how, but the attackers were able to use credentials or digital authentication tokens from Telegram to log into the VPNs of victim companies in Ukraine. Perhaps a third problem was that the corporate VPNs of those organizations didn't force users to enable two-factor authentication. The bottom line is, according to the Ukrainian version of events, these attacks could have been prevented.
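One way to spot the third problem above before an attacker does: review VPN authentication logs for successful logins that never presented a second factor, and for accounts suddenly appearing from a source address they have never used. The following is an added example, not code from the podcast or from CERT-UA; the log format, field names and the sample lines are all constructed for illustration, so adapt the regular expression to what your VPN actually emits.

```python
"""Flag VPN logins that succeeded without a second factor (added example).

Assumptions (not from the podcast): the VPN writes one line per login attempt
in the constructed format matched by LOG_RE below. The format, the field names
and the sample log lines are made up for illustration.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) '
    r'result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$'
)

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
2022-11-10T08:01:12Z vpn user=o.ivanenko src=198.51.100.7 result=success mfa=yes
2022-11-10T08:03:44Z vpn user=a.kovalenko src=198.51.100.9 result=success mfa=no
2022-11-10T21:17:03Z vpn user=a.kovalenko src=203.0.113.55 result=success mfa=no
2022-11-10T21:18:30Z vpn user=d.shevchenko src=203.0.113.55 result=failure mfa=no
2022-11-11T02:40:09Z vpn user=d.shevchenko src=203.0.113.55 result=success mfa=no
"""


def parse(log_text):
    """Turn matching log lines into dicts; lines in another format are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def logins_without_mfa(events):
    """Successful logins where the VPN did not enforce a second factor."""
    return [e for e in events if e["result"] == "success" and e["mfa"] == "no"]


def new_source_logins(events):
    """Successful logins from a source address not previously seen for that user.

    The first successful login of each user establishes a baseline and is not
    reported; later logins from a different address are.
    """
    seen = defaultdict(set)
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        if seen[e["user"]] and e["src"] not in seen[e["user"]]:
            hits.append(e)
        seen[e["user"]].add(e["src"])
    return hits


def shared_source_users(events):
    """Source addresses that authenticated successfully as more than one user,
    a common sign of one attacker replaying several stolen credentials."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            users_by_src[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in users_by_src.items() if len(u) > 1}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in logins_without_mfa(evs):
        print("no-MFA login:", e["ts"], e["user"], e["src"])
    for e in new_source_logins(evs):
        print("new source:", e["ts"], e["user"], e["src"])
    for src, users in shared_source_users(evs).items():
        print("shared source:", src, users)
```

On the constructed sample the script reports three password-only logins, one account appearing from a new address, and one address used by two different accounts. The real fix is the policy change the podcast points at, making the VPN refuse password-only logins, but a query like this tells you how far you are from that today and which accounts to look at first.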
Separately, last week Microsoft updated its October warning about a new ransomware strain hitting Ukraine and Poland. Microsoft now says a Russia-based threat group it calls Iridium is likely behind these attacks. The targets so far have been firms in the transportation and logistics sectors.
Organizations around the world are getting extortion emails claiming their websites, databases and email systems have been hacked. According to the Bleeping Computer news service, the threats are coming from a gang calling itself Team Montesano. It demands US$2,500 in bitcoin, or else data will be released or sold to the highest bidder. So far this appears to be an empty threat, with no evidence that the firms receiving the emails have actually been hacked.
IT departments using the OpenLiteSpeed web server or LiteSpeed Web Server Enterprise are urged to install the latest version of these applications if they haven’t already done so. Patched versions were released on October 18th. I’m telling you about this now because Palo Alto Networks, which discovered three vulnerabilities, just published a report detailing what it found.
Users of Foxit Reader for reading PDF documents should update the application to the latest version. This comes after researchers at Cisco Systems discovered four vulnerabilities.
The U.S. Postal Service and the FBI have shut down 17 websites that were used for scams. One type of scam offered people work-from-home jobs, like being a so-called 'logistics' or 'quality control inspector'. Another scam asked victims, as part of their 'job', to re-ship items sent to them to another address. What they were really doing was handling products bought with stolen credit cards. Other victims were asked to buy products and ship them to an address but were never reimbursed the promised money for what they spent. Those goods were also going to crooks. Responding to internet ads for work-from-home jobs carries risks if you don't investigate the prospective employer.
Developers releasing open source code on the GitHub platform may receive some unexpected but valuable warnings soon: messages about vulnerabilities in their code. GitHub has created a way for people scrutinizing code to privately report holes they find to the maintainers of a project, rather than opening a public issue. This was announced last week at the GitHub Universe conference. The reporting mechanism is in beta now, and expected to be generally available early next year.
Finally, Apple has released security updates for iPhones, iPads and Mac computers. Make sure your devices are up to date.