Cyber Security Today, Oct. 6, 2023 – The Qakbot gang is still operating

The Qakbot gang is still operating.

Welcome to Cyber Security Today. It’s Friday, October 6th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for and in the U.S.

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

The operators behind the Qakbot malware are still going strong. In August law enforcement agencies from seven countries said they infiltrated and took down the IT infrastructure spreading the malware. But researchers at Cisco Systems said Thursday that even before the police action the gang had started a separate operation. It’s been launching phishing emails to distribute the Ransom Knight ransomware and the Remcos backdoor. The implication is the law enforcement action only disrupted the gang’s command and control servers but not their spam delivery infrastructure. The kind of emails that are being sent try to trick employees with subject lines involving unpaid invoices and bank transfer requests. It’s not the first time a criminal gang has been hit by police but not destroyed. It won’t be the last.

Another American company has acknowledged being victimized by the MOVEit file transfer vulnerability. Pathward NA, which provides data processing services for H&R Block’s Emerald debit card users, is notifying over 793,000 people their personal information was copied in a hack of Pathward’s MOVEit server. Data stolen includes names, addresses, dates of birth, Social Security numbers, driver’s licence numbers and certain debit card information.

The on-premise version of Atlassian Confluence collaboration suite has a critical vulnerability that IT departments have to deal with. The company says Confluence Data Centre and Confluence Server above version 8.0 have a hole that allow an attacker to create unauthorized administrator accounts. Administrators have to either upgrade to the latest version of the applications or implement recommended mitigations. The cloud version of Confluence isn’t affected.

Sony is still investigating claims of the RansomedVC ransomware group that it recently hit the entertainment and electronics giant. According to SecurityWeek, Sony admits one of its internal test servers was hacked. That server didn’t have customer or business partner data, Sony said. That doesn’t mean it didn’t have important corporate data. RansomedVC has posted a 2GB file allegedly stolen from Sony.

Finally, IT departments with Microsoft’s SQL Server in their environments have to make sure the application is locked down. Microsoft says an attacker tried to exploit a vulnerability in SQL Server to get into an organization’s Azure cloud environment. The goal from there would be to get deeper into the IT infrastructure. They try do that by taking advantage of an SQL Server cloud identity. Administrators have to make sure any cloud access identities are secured to protect SQL Server and cloud resources from compromise.

That’s it for now. But later today the Week in Review edition of the show will be available. Guest commentator Terry Cutler of Montreal’s Cyology Labs will discuss ways of implementing an effective cybersecurity awareness program for employees.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Sponsored By:

Cyber Security Today Podcast