Hackers are after vulnerable Apache and Citrix products.
Welcome to Cyber Security Today. It’s Friday, November 3rd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
It didn’t take long for threat actors to exploit a vulnerability in the Apache ActiveMQ message broker. Apache announced the vulnerability and a fix on October 25th — a week ago Wednesday. Two days later researchers at Rapid7 detected attempts to exploit it and install the HelloKitty ransomware. The lesson: Patch Apache ActiveMQ if you haven’t already done so.
More on Apache: Earlier this year a vulnerability was reported in Apache Airflow, an open source platform for scheduling workflows that underpins Amazon AWS and Google Cloud Composer managed services. Unfortunately, say researchers at Tenable, the managed Airflow services provided by AWS and Google were using an unpatched version of this platform. AWS now offers a non-vulnerable version of Airflow, while Google is working on a new non-vulnerable version. This is important because IT departments using Apache Airflow in a cloud environment have a choice of Airflow images from AWS and Google. They should make sure they are running the updated version.
Four threat actors are trying to exploit a recently disclosed vulnerability in Citrix’s NetScaler Application Delivery Controllers and Gateways. That’s according to researchers at Mandiant. Although the vulnerability was disclosed on October 10th, Mandiant says it’s been exploited since late August. Once devices have been compromised the attackers have taken over user sessions, bypassing password and multifactor authentication. It’s vital by now to patch these devices and look for indicators of network compromise.
There’s been a recent surge in threat actors spreading malware through Excel spreadsheets. That’s according to researchers at HP Wolf Security. Attackers are trying to infect people’s computers by emailing them what are supposed to be invoices. The emails were likely sent from a hacked email account so they don’t look suspicious to email security apps.
Application developers for cryptocurrency platforms should know they are targets for hackers. One of the most recent attempts to compromise their computers was caught by Elastic Security. A threat actor believed to be from North Korea pretended to be a member of a blockchain engineering community on the Discord platform. The attacker then offered members a link to a bot that is supposed to be a cryptocurrency utility. Installing the bot started a complicated infection chain. One lesson: Developers should always be wary of any applications they are offered. Even the trusted online community you belong to can hide a hacker.
How prepared is your IT infrastructure for power failures? I mention it because yesterday the core North American data centre of Cloudflare, which many organizations rely on for content delivery and mitigation of denial of service attacks, suffered a power outage. Impacted for much of the day were alerts, dashboards, load balancing, health checks and other services. Some core services flipped over to a backup data centre, but that only partially mitigated the impact.
(After this was published Cloudflare issued a more detailed explanation of what happened: “We operate in multiple redundant data centers in Oregon that power Cloudflare’s control plane (dashboard, logging, etc). There was a regional power issue that impacted multiple facilities in the region. The facilities failed to generate power overnight on November 1. Then, on the morning of November 2, there were multiple generator failures that took the facilities entirely offline. We have failed over to our disaster recovery facility and most of our services are restored. This data center outage impacted Cloudflare’s dashboards and APIs, but it did not impact traffic flowing through our global network. We are working with our data center vendors to investigate the root cause of the regional power outage and generator failures. We expect to publish multiple blogs based on what we learn and can share those with you when they’re live.”)
There are 5.5 million people around the world holding cybersecurity jobs, a new high according to the ISC2, which offers cybersecurity certification programs. However, that’s still not enough to meet the demand. In its annual survey released this week the organization said only 52 per cent of members questioned believe their organization has the people and tools to face cyber incidents over the next two years. Ninety-two per cent of respondents report skills gaps at their organization.
Later today the Week in Review podcast will be available. Guest commentator Terry Cutler of Montreal’s Cyology Labs and I will discuss allegations against SolarWinds, an international ransomware conference and more.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.