A warning from the NSA about nation-state attacks, and more.
Welcome to Cyber Security Today. It’s Wednesday, October 19th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The Russian cyber attacks that accompanied the invasion of Ukraine are just another sign that the threat from nation-state-backed attackers is increasing. That was the message this week from Rob Joyce, cybersecurity director of the U.S. National Security Agency. He was addressing a conference of customers and partners of cybersecurity firm Mandiant. His advice: organizations, especially those in critical infrastructure sectors, need to harden their networks and systems; be active on defence, meaning watch your logs and what is going through your networks; and share intelligence and best practices with other firms.
Here’s more from the conference: Mandiant CEO and founder Kevin Mandia said last year the company discovered 1,143 new threat groups, bringing the total it tracks to over 4,000. The company also categorized 733 families of malware. By the way, he said the top two ways attackers are breaking into systems are by using stolen or guessed usernames and passwords, and by exploiting vulnerabilities.
One last thing from that conference: There was a panel of CISOs from big companies that had been hit by threat actors: SolarWinds, Colonial Pipeline and Kaseya. Their advice on how to regain the trust of customers and partners after being hacked: be open about what you’re doing to prevent another attack from happening.
Attention application developers and IT administrators: If you have software using the open-source Apache Commons Text library in your environment it needs to be patched. The latest version, 1.10.0, closes a serious vulnerability in the library’s string interpolation feature: earlier versions ship with script, DNS and URL lookups enabled by default, so untrusted input passed to the interpolator can lead to remote code execution. Researchers at Rapid7 say the vulnerability isn’t as bad as Log4Shell, but it still needs to be plugged.
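The first practical question is where Commons Text is actually present, since it is usually pulled in transitively or bundled inside an application jar rather than installed on its own. The script below is an added example, not code from the podcast or from the Apache project. It walks a directory tree, reads the Maven version recorded inside each jar (so shaded or renamed jars are still caught), falls back to the file name, and also reads versions pinned in pom.xml files. It assumes 1.10.0 is the fixed release (Apache’s fix release for CVE-2022-42889); the sample file tree it builds for the demonstration is constructed.

```python
import os
import re
import tempfile
import zipfile

# Apache Commons Text 1.10.0 is the release that fixes CVE-2022-42889.
FIXED_VERSION = (1, 10, 0)
# Path Maven writes into every jar it builds; survives shading and renaming.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
JAR_NAME_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")
POM_DEP_RE = re.compile(
    r"<artifactId>\s*commons-text\s*</artifactId>\s*<version>\s*([^<\s]+)\s*</version>",
    re.DOTALL,
)


def parse_version(text):
    """'1.9' -> (1, 9, 0). Returns None for unresolved Maven properties like ${x}."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def is_vulnerable(version_text):
    v = parse_version(version_text)
    return v is not None and v < FIXED_VERSION


def jar_version(path):
    """Prefer the version recorded inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as z:
            if POM_PROPS in z.namelist():
                for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # not a real jar; the file name is the only signal left
    m = JAR_NAME_RE.match(os.path.basename(path))
    return m.group(1) if m else None


def pom_versions(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return POM_DEP_RE.findall(f.read())


def scan(root):
    """Return sorted [(path, version, status)] for every Commons Text reference.
    status is 'vulnerable', 'fixed' or 'unresolved' (version is a Maven property)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".jar"):
                v = jar_version(path)
                versions = [v] if v else []
            elif name == "pom.xml":
                versions = pom_versions(path)
            else:
                continue
            for v in versions:
                if parse_version(v) is None:
                    status = "unresolved"
                else:
                    status = "vulnerable" if is_vulnerable(v) else "fixed"
                findings.append((path, v, status))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed fixture: a shaded app jar carrying 1.9 in pom.properties, a
    correctly named 1.10.0 jar with no Maven metadata, and a pom.xml pinning 1.8."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "app-all.jar"), "w") as z:
        z.writestr(POM_PROPS, "version=1.9\ngroupId=org.apache.commons\nartifactId=commons-text\n")
    with zipfile.ZipFile(os.path.join(lib, "commons-text-1.10.0.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(os.path.join(root, "pom.xml"), "w") as f:
        f.write("<dependency><groupId>org.apache.commons</groupId>"
                "<artifactId>commons-text</artifactId><version>1.8</version></dependency>")


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(p, root), v, s) for p, v, s in scan(root)]


if __name__ == "__main__":
    for rel, version, status in demo():
        print(f"{status:10} {version:8} {rel}")
```

Point it at application deployment directories and Maven caches rather than only at build files: the shaded jar in the fixture is the case a file-name search misses, and an "unresolved" pom.xml entry means the version lives in a property that has to be chased by hand.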
A database of real customer data was stolen last month from an application testing server belonging to Australian wine distributor Vinomofo. The company said the data included customers’ names, addresses, dates of birth and phone numbers. An Australian news site quoted the company saying the incident happened during a test of a system upgrade. A customer database was used to critically test the platform, a company spokesman was quoted as saying. Developers want to use real data during testing because it shows how an application will perform under real conditions. But some experts warn that using real data means a copy of the production database sits in a test environment, where it can be stolen, as happened here.
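The alternative to copying production rows into a test system is to pseudonymize them on the way in. The block below is an added example, not code from the podcast or from Vinomofo: it uses keyed, deterministic HMAC tokens so duplicate customers and foreign keys still line up in test, masks phone numbers while keeping their layout so validation code paths still run, reduces date of birth to the year, and finishes with a check that no direct identifier survives verbatim. The customer rows and the key are constructed for the example; in a real run the key comes from a secret store and is discarded once the masked copy exists, so nobody can map the test data back.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a production customer table.
# Invented for this example; not real people.
CUSTOMERS = [
    {"id": 101, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+61 412 345 678", "dob": "1987-03-14", "postcode": "3000"},
    {"id": 102, "name": "Bob Sample", "email": "bob.sample@example.org",
     "phone": "+61 433 222 111", "dob": "1974-11-02", "postcode": "2010"},
    # Same person registered twice: the masked copy must keep them linkable.
    {"id": 103, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+61 412 345 678", "dob": "1987-03-14", "postcode": "3000"},
]
DIRECT_IDENTIFIERS = ("name", "email", "phone")
# Constructed key. For a real run pull it from a secret store and destroy it
# afterwards, so even the masking team cannot reverse the test copy.
DEMO_KEY = b"constructed-masking-key-for-the-example"


def token(key, field, value, length=12):
    """Keyed, deterministic pseudonym. The same (field, value) under the same
    key always yields the same token, so joins and duplicate detection still
    work in test; without the key the token reveals nothing about the value."""
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def mask_phone(phone, keep_digits=3):
    """Keep the layout and the leading country/prefix digits, zero the rest,
    so number-format validation in the application still exercises real code."""
    out, seen = [], 0
    for ch in phone:
        if ch.isdigit():
            out.append(ch if seen < keep_digits else "0")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def generalize_dob(dob):
    """Exact birth dates are a strong re-identifier; keep only the year."""
    return dob[:4] + "-01-01"


def pseudonymize(rows, key):
    masked = []
    for row in rows:
        t = token(key, "customer", row["email"].lower())
        masked.append({
            "id": row["id"],                        # primary key kept for referential integrity
            "name": f"Customer {t[:6]}",
            "email": f"{t}@example.invalid",        # .invalid is reserved: test mail never reaches anyone
            "phone": mask_phone(row["phone"]),
            "dob": generalize_dob(row["dob"]),
            "postcode": row["postcode"][:2] + "00",  # coarse region only
        })
    return masked


def leaked_identifiers(original, masked):
    """Verification step: list any direct identifier that survived verbatim."""
    haystack = " ".join(str(v) for row in masked for v in row.values())
    return sorted({row[f] for row in original for f in DIRECT_IDENTIFIERS if row[f] in haystack})


if __name__ == "__main__":
    masked_rows = pseudonymize(CUSTOMERS, DEMO_KEY)
    for row in masked_rows:
        print(row)
    print("leaked identifiers:", leaked_identifiers(CUSTOMERS, masked_rows))
```

Run this as the only path by which data enters the test environment, and keep the leak check as a gate: if it ever returns a non-empty list, the masking rules have fallen behind a schema change.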
More from Australia: The online marketplace called MyDeal has acknowledged a hacker used compromised login credentials to access the company’s customer relationship management system. Data on 2.2 million customers was copied, including their names, email addresses, phone numbers and, in some cases, dates of birth.
As a security measure, most companies expose only the last four digits of a credit or debit card on their systems or on a customer’s receipt. However, that appears to have been enough for a hacker to hijack the phone numbers of about 250 Verizon prepaid customers in the U.S. According to the Bleeping Computer news site, Verizon said that earlier this month a hacker used the last four digits of customers’ payment cards to have the SIM card on their accounts switched to one the attacker controlled. The attacker couldn’t access the victims’ full payment card numbers or passwords. However, one victim told the news site that the attacker, now receiving the victim’s calls and texts, was able to get into their email and also tried to access their cryptocurrency account. It isn’t clear how the SIM change was made: whether it was done online or whether a Verizon support staffer was conned into making it. Verizon offers a Number Lock feature that prevents a phone number from being switched to another device.
Finally, security teams looking for background information on the ransomware gang called Ransom Cartel can turn to a new report from Palo Alto Networks. It includes indicators of compromise defenders can look for, as well as common techniques and tactics used by the gang’s affiliates. The researchers believe the operators had access to earlier versions of the REvil ransomware source code, but not REvil’s more recent developments. There’s a link to the report here.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.