Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, February 10th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss recent news. But first a look back at some of the headlines from the past seven days:
A security researcher discovered several vulnerabilities in Toyota’s supplier website that gave access to … everything. Terry and I will talk about how this happened.
We’ll delve into the rush to protect servers running unpatched and outdated versions of VMware’s ESXi hypervisor from ransomware, and ask why companies are running old applications.
Lists of some 20 million customers who used two U.S. companies for background checks of employers and individuals are being peddled by crooks. Terry and I will have something to say about that.
And we’ll look at a suggestion the Canadian government offer tax breaks to encourage small businesses to spend more on cybersecurity.
In other news, IT administrators whose firms use open-source and free versions of certain document management systems were warned of vulnerabilities. Researchers at Rapid7 say the problems are in on-premise versions of OnlyOffice Workspace, OpenKM, LogicalDOC and Mayan EDMS. At the time of the recording of this podcast the vendors hadn’t patched the holes. So administrators have to take precautions, some of which are outlined in the Rapid7 report.
The U.S. and the United Kingdom have sanctioned seven people who they say are members of the Trickbot cybercrime group. The Trickbot malware is widely distributed through botnets and email campaigns. Sometimes it’s also used to help deploy ransomware. The U.S. says current members of the gang are associated with Russia’s intelligence service. The sanctions mean the seven can’t access any assets they have in the U.S.
A British member of Parliament says he fell for a phishing scam. Stewart McDonald admitted he opened a message sent to his personal email account with a supposed military update on Ukraine. Clicking on the document opened a form where he filled in his email address and password. The suspicion is a Russian-based group dubbed Seaborgium was behind this attack.
Another DDoS-as-a-service provider has sprung up in Russia. Researchers at Radware say the Passion group is offering denial of service capabilities to Russian hacktivists. The botnet was seen last month attacking hospitals in the U.S., the United Kingdom and several European countries that support Ukraine. It’s another reason for companies in NATO countries to beef up their cybersecurity.
Authorities in the Netherlands, Germany and Poland have dealt another blow to the communication lines of crooks. They did it by dismantling the Exclu encrypted messaging system, which had an estimated 3,000 users. Forty-five people, including the service’s administrators and owners, were arrested. Two drug laboratories were dismantled and 200 smartphones were also seized. In the past two years European police also shut the Sky ECC and EncroChat encryption services used by crooks.
Atlassian has released fixes to patch a critical vulnerability in Jira Service Management Server and Data Center. Versions 5.3 and above have to be patched.
And a 20-year-old man in Australia was sentenced to community service for taking advantage of last year’s theft of data from telecom provider Optus. For a brief time that data was publicly available, and this man got hold of some of it. Then he tried to extort people out of money or their personal information would be sold to hackers.
(The following is a transcript of one part of our discussion. To hear the entire conversation play the podcast)
Howard: France and Italy sparked a worldwide ransomware alert about attacks on vulnerable VMware ESXi servers. They include version 7.0, which is supported. But also versions 6.7 and 6.5 which are no longer supported by VMware. Unpatched versions of ESXi are at risk from a targeted ransomware strain dubbed ‘ESXiArgs.’ The thing is, a patch for the vulnerability was issued two years ago. In theory, no one should be running versions 6.7 and 6.5, let alone unpatched servers. However, the SANS Institute says there are some 300 unsupported or unpatched versions of ESXi out there. Another source says the number is more like 2,400. Terry, what’s worse: organizations running unpatched servers or running non-supported software?
Terry Cutler: I think the problem is more around how critical the guests are that are running on these [virtual] hosts. As you know, we do a lot of work in health care and a lot of these guests have to be up 24/7, 365 days a year. If you try to update the VMware host it usually requires a reboot, which would shut down all the guests that are running on the host. Gawd forbid there’s a problem with the upgrade and the host doesn’t come back up, that means the company is down. Most IT admins are scared of this. I’ve been there. I know the pressure when a system doesn’t come back online and management is breathing down your neck and all you could tell them is, “10 more minutes! Ten more minutes, I promise it’ll be up!” Also, the fact that it is on the Linux operating system, most IT managers believe that Linux is never going to get hacked, so they leave it unpatched.
Howard: The good news is the U.S. Cybersecurity and Infrastructure Security Agency issued a recovery script for victims of this strain of ransomware. The bad news, according to a story on the Bleeping Computer news site, is that the crooks behind this particular ransomware strain quickly issued a new version that apparently gets around that fix. The recovery script works for the original strain of ransomware, but not version two.
Terry: It is some great news. But then again I think a lot of this could be prevented by running some free vulnerability tools that will help discover what assets are on your network and what’s vulnerable. As I mentioned countless times, if your systems are exposed to the internet and they’re vulnerable they will be exploited. The biggest concern that I see is that most companies don’t even know what assets they have or what’s exposed, and that’s why they need to team up with cyber security experts that will come in and assess that for them and give their risk level.