Boeing division hacked through NetScaler vulnerability, and more.
Welcome to Cyber Security Today. It’s Wednesday, November 22nd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Last week I told listeners that the LockBit ransomware gang had publicly released 45 gigabytes of data it recently stole from the parts distribution division of aircraft manufacturer Boeing. A report from U.S. cyber authorities released yesterday explained how it was done: The gang exploited a vulnerability in Citrix NetScaler ADC and Gateway appliances. The hole has been nicknamed Citrix Bleed. It allows attackers to bypass password requirements and multi-factor authentication. According to researchers at Mandiant, threat actors have been trying to exploit that vulnerability since late August. Citrix released security updates on October 10th. On October 27th LockBit claimed responsibility for the attack and said it would publish the stolen data if it wasn’t paid.
The first time I reported that NetScaler vulnerability was in a November 3rd podcast. That same episode included news that hackers were exploiting a vulnerability in Apache’s ActiveMQ message broker. A patch for that was issued on October 25th. But some people didn’t get the message, because this week researchers at Trend Micro said hackers are looking for unpatched Linux systems to compromise. If they do, they install a cryptocurrency miner to soak up processor power. Hackers are also trying to exploit this vulnerability to install malware or ransomware. Admins need to remember that ActiveMQ is a message broker that allows communications between different applications. Do you know if it’s in your IT environment? Has it been patched?
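Answering those two questions at fleet scale means finding every ActiveMQ broker and comparing its version with the fixed release for its branch. The script below is an added example, not code from the podcast or from Apache: it runs over constructed (host, command line) records of the kind an endpoint agent or a `ps` export provides, reads the version from the install directory or jar name (assuming the standard apache-activemq-<version> layout), and reports each broker as patched, vulnerable, or unknown. The fixed-version table is a placeholder; take the real values from the Apache ActiveMQ advisory.

```python
"""
Fleet inventory check for Apache ActiveMQ brokers (added example, not from the report).

A broker whose version cannot be read, or whose branch is not in the fixed-version
table, is reported as "unknown" so that it gets a manual look instead of being
silently treated as safe.
"""
import re
from typing import NamedTuple


class ProcessRecord(NamedTuple):
    host: str
    cmdline: str


# Matches version strings such as "apache-activemq-5.15.15" and "activemq-all-5.9.1.jar".
VERSION_RE = re.compile(r"activemq(?:-[a-z]+)*-(\d+(?:\.\d+)+)", re.IGNORECASE)

# PLACEHOLDER fixed versions keyed by major.minor branch; replace with the advisory's values.
FIXED_BY_BRANCH = {"5.15": "5.15.16", "5.18": "5.18.3"}

# Constructed sample data: hosts and paths are invented for the example.
SAMPLE_PROCESSES = [
    ProcessRecord("app-01", "/usr/bin/java -Dactivemq.home=/opt/apache-activemq-5.15.15 "
                            "-jar /opt/apache-activemq-5.15.15/bin/activemq.jar start"),
    ProcessRecord("app-02", "/usr/bin/java -Dactivemq.home=/opt/apache-activemq-5.18.3 "
                            "-jar /opt/apache-activemq-5.18.3/bin/activemq.jar start"),
    ProcessRecord("db-01", "/usr/lib/postgresql/15/bin/postgres -D /var/lib/postgresql/15/main"),
    ProcessRecord("legacy-07", "/usr/bin/java -cp /opt/mq/lib/activemq-all-5.9.1.jar "
                               "org.apache.activemq.console.Main start"),
    # Non-standard install path: no version is visible in the command line.
    ProcessRecord("ci-03", "/usr/bin/java -jar /opt/activemq/bin/activemq.jar start"),
]


def parse_version(text):
    """'5.15.16' -> (5, 15, 16), which compares correctly as a tuple."""
    return tuple(int(p) for p in text.split("."))


def extract_version(cmdline):
    """Return the version string found in the command line, or None."""
    m = VERSION_RE.search(cmdline)
    return m.group(1) if m else None


def classify(version, fixed_by_branch):
    """Return 'patched', 'vulnerable' or 'unknown' for one broker version."""
    if version is None:
        return "unknown"
    parts = parse_version(version)
    branch = f"{parts[0]}.{parts[1]}" if len(parts) >= 2 else str(parts[0])
    fixed = fixed_by_branch.get(branch)
    if fixed is None:
        return "unknown"  # branch not covered by the table: review by hand
    return "patched" if parts >= parse_version(fixed) else "vulnerable"


def audit(records, fixed_by_branch):
    """Return (host, version, status) for every ActiveMQ process in the records."""
    findings = []
    for rec in records:
        if "activemq" not in rec.cmdline.lower():
            continue
        version = extract_version(rec.cmdline)
        findings.append((rec.host, version, classify(version, fixed_by_branch)))
    return findings


if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_PROCESSES, FIXED_BY_BRANCH):
        print(f"{host:<10} {version or '?':<10} {status}")
```

The check is deliberately conservative: an unreadable version or an unlisted branch is never reported as patched, because the hosts an inventory cannot explain are exactly the ones that tend to be forgotten.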
Still on Linux, in an October 4th podcast I reported a vulnerability in a library of the operating system that needed to be patched in Fedora, Ubuntu, Debian and other distributions. This week the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its known exploited vulnerabilities catalog. That means federal civilian agencies have to get cracking and plug this hole. Businesses should too, if they haven’t already done so.
Personal information of staff working at the Idaho National Laboratory was stolen over the weekend. The lab is a federal nuclear energy research facility. In a statement to a local news service the lab said servers supporting its Oracle human resources system were hacked. The information of thousands of employees was apparently copied. According to Bleeping Computer, the SiegedSec hacktivist group says it is responsible and is publishing the data about staff members.
American car parts chain AutoZone is notifying almost 185,000 people that personal information it holds about them was stolen. How? A compromise of the MOVEit file transfer application it uses from Progress Software. Data included names and Social Security numbers.
Another American victim of a MOVEit hack has emerged. Enstar US, a re-insurance provider to other insurance companies, is notifying almost 65,000 people that some of the personal data it holds was stolen in the hack of Enstar’s MOVEit server.
Security provider Sumo Logic says no customer data was impacted in a cybersecurity incident earlier this month. On November 3rd the company detected that an attacker had used a compromised credential to access a Sumo Logic AWS account. As a result it urged customers to change their login credentials for accessing Sumo Logic products and related API keys.
Finally, is your IT security team concentrating on stopping malware? That may be the wrong strategy, according to researchers at Huntress Labs. In a report this week the company said threat actors continue to focus on breaking into IT networks by taking advantage of tools already in an environment. One example is remote monitoring and management software for administrators. This is particularly important for managed service providers to pay attention to, because they oversee IT environments of many customers. One solution: Deploy behavior analysis tools to help identify unusual behavior by those on your network.
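Behavior analysis of the kind the report recommends starts from a baseline of what the legitimate tools normally do. The script below is an added example, not code from Huntress Labs or the podcast: it runs over constructed process-creation events, learns which RMM agents run on which hosts under which accounts during a learning window, and then flags only deviations from that baseline. The tool names, hosts and users are placeholders; the three rules generalize to any locally installed tool an attacker might reuse.

```python
"""
Baseline-and-deviation check for remote monitoring and management (RMM) tool use
(added example; all telemetry below is constructed).

RMM software is legitimate on the hosts and under the accounts that normally run
it, so the rules alert only on departures from the learned baseline:
  1. rmm_new_on_host   - an RMM tool appears on a host where it was never seen
  2. rmm_new_user      - a known RMM tool is run by an account that never ran it there
  3. rmm_spawned_shell - an RMM tool spawns a command interpreter the baseline
                         never recorded on that host
"""
from collections import defaultdict
from typing import NamedTuple


class ProcEvent(NamedTuple):
    ts: str        # ISO 8601 timestamp; sorts correctly as a string
    host: str
    user: str
    process: str   # image name of the new process
    parent: str    # image name of the parent process


# PLACEHOLDER executable names; substitute the RMM agents your fleet actually uses.
RMM_TOOLS = {"rmmagent.exe", "remotesupport.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample telemetry. Events before CUTOFF form the learning window.
CUTOFF = "2023-11-15T00:00:00"
EVENTS = [
    ProcEvent("2023-11-02T08:00:00", "ws-101", "svc_rmm", "rmmagent.exe", "services.exe"),
    ProcEvent("2023-11-03T08:00:00", "ws-101", "svc_rmm", "rmmagent.exe", "services.exe"),
    ProcEvent("2023-11-03T09:15:00", "ws-101", "svc_rmm", "powershell.exe", "rmmagent.exe"),
    ProcEvent("2023-11-04T08:00:00", "ws-102", "svc_rmm", "rmmagent.exe", "services.exe"),
    ProcEvent("2023-11-05T10:00:00", "srv-db1", "dbadmin", "sqlservr.exe", "services.exe"),
    # Evaluation window:
    ProcEvent("2023-11-20T08:00:00", "ws-101", "svc_rmm", "rmmagent.exe", "services.exe"),
    ProcEvent("2023-11-20T22:41:00", "ws-101", "jdoe", "rmmagent.exe", "explorer.exe"),
    ProcEvent("2023-11-21T01:05:00", "srv-db1", "svc_rmm", "remotesupport.exe", "services.exe"),
    ProcEvent("2023-11-21T01:06:00", "srv-db1", "svc_rmm", "cmd.exe", "remotesupport.exe"),
    ProcEvent("2023-11-21T09:00:00", "ws-102", "svc_rmm", "rmmagent.exe", "services.exe"),
    ProcEvent("2023-11-21T09:30:00", "ws-102", "asmith", "explorer.exe", "userinit.exe"),
]


def build_baseline(events, cutoff):
    """Learn, per host, the (tool, user) pairs and the (tool, child) pairs seen before cutoff."""
    tool_users = defaultdict(set)    # host -> {(rmm tool, user)}
    rmm_children = defaultdict(set)  # host -> {(rmm tool, child process)}
    for e in events:
        if e.ts >= cutoff:
            continue
        proc, parent, user = e.process.lower(), e.parent.lower(), e.user.lower()
        if proc in RMM_TOOLS:
            tool_users[e.host].add((proc, user))
        if parent in RMM_TOOLS:
            rmm_children[e.host].add((parent, proc))
    return tool_users, rmm_children


def detect(events, cutoff):
    """Return (ts, host, rule, detail) tuples for post-cutoff deviations from the baseline."""
    tool_users, rmm_children = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e.ts < cutoff:
            continue
        proc, parent, user = e.process.lower(), e.parent.lower(), e.user.lower()
        if proc in RMM_TOOLS:
            seen = tool_users.get(e.host, set())
            if not any(tool == proc for tool, _ in seen):
                alerts.append((e.ts, e.host, "rmm_new_on_host", f"{proc} by {user}"))
            elif (proc, user) not in seen:
                alerts.append((e.ts, e.host, "rmm_new_user", f"{proc} by {user}"))
        if parent in RMM_TOOLS and proc in SHELLS:
            if (parent, proc) not in rmm_children.get(e.host, set()):
                alerts.append((e.ts, e.host, "rmm_spawned_shell", f"{parent} -> {proc}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, CUTOFF):
        print(*alert)
```

Run on the sample data, the routine stays quiet about the scheduled agent launches on ws-101 and ws-102 and raises exactly three alerts: an interactive account starting the agent on ws-101, a second RMM product appearing on a database server that never had one, and that product immediately spawning a shell. For a managed service provider the baseline would be kept per customer tenant, since the set of legitimate tools and accounts differs between them.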
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.