Cyber Security Today, December 13, 2021 – The hunt for apps with log4j vulnerabilities continues, new groups of threats and ransomware are discovered and a warning to WordPress administrators
Welcome to Cyber Security Today. It’s Monday, December 13th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
IT staff around the world continue to examine their systems to find out whether they are exposed to a severe vulnerability. Known as Log4Shell or LogJam, this is a flaw in an open-source Java logging library called log4j that is used by hundreds of business applications and websites. Businesses should put temporary mitigations in place, such as updating firewall rules, and promptly install the fixes released by their software vendors. An expert I spoke to this weekend worried that it will take years to fix all affected systems.
UPDATE: Here is my latest story.
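The first step in that hunt is simply finding out which applications bundle log4j at all, because the library is often buried inside other vendors’ jar and war files. The following script is an added example, not code from the podcast or from any of the sources it cites. It walks a directory tree, opens every jar/war/ear it finds (including archives nested inside archives, such as WEB-INF/lib/*.jar inside a war), and reports the log4j-core version recorded in the Maven pom.properties that the library ships under META-INF, along with whether the JndiLookup class is present. The class and pom.properties paths are the real ones that log4j-core uses; the sample war built by `build_sample_war` and its version string are constructed for the demonstration. The script only inventories; decide which versions need patching by checking the advisories from your vendors.

```python
"""Inventory log4j-core copies on disk and report their versions.

Added example for triaging a log4j exposure, not part of the original
article. Archive paths are reported as outer.war!inner.jar for nested jars.
"""
import io
import os
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Real entry names that the log4j-core artifact carries.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                 # archive path, "!" separates nested archives
    version: Optional[str]    # version from pom.properties, None if absent
    has_jndi_lookup: bool     # False with a version present suggests the class was removed


def _parse_version(props: bytes) -> Optional[str]:
    """Pull the version= line out of a Maven pom.properties file."""
    for line in props.decode("utf-8", "replace").splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "version":
            return value.strip()
    return None


def scan_archive(data: bytes, label: str) -> List[Finding]:
    """Scan one archive held in memory, recursing into nested archives."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        version = _parse_version(zf.read(POM_PROPS)) if POM_PROPS in names else None
        if has_jndi or version is not None:
            findings.append(Finding(label, version, has_jndi))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and scan every archive found in it."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


def build_sample_war(version: str, include_jndi: bool) -> bytes:
    """Constructed sample: a .war nesting a log4j-core-like jar (test data only)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")   # fake class bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    return outer.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python log4j_inventory.py /path/to/apps
    # With no argument, scans a constructed sample war instead.
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = scan_archive(build_sample_war("1.2.3-sample", True), "sample.war")
    for f in results:
        print(f"{f.path}: version={f.version} JndiLookup={'present' if f.has_jndi_lookup else 'absent'}")
```

Run it against the directories where application servers keep their deployments, then match the reported versions against your vendors’ advisories. A finding with a version but no JndiLookup class is worth noting separately: it usually means someone has already applied the class-removal workaround to that copy.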
A new threat group calling itself Karakurt, which specializes in stealing data from organizations, has been discovered. According to researchers at Accenture, the group threatens to disclose or sell the stolen information unless it receives a ransom. Since September it has hit at least 40 organizations, mainly in the United States and Canada. Often the gang uses passwords it has obtained to get into victims’ networks through their VPN devices for remote access. It’s unclear exactly how the gang obtained the passwords, but Accenture said that in every case it investigated, the victimized organization had failed to protect logins with multi-factor authentication.
A new ransomware gang has been detected. Known as ALPHV by its developers and BlackCat by researchers, it is a ransomware-as-a-service operation that recruits affiliates to attack victims. According to the Bleeping Computer news site, affiliates earn at least 80% of the ransom payment, and more if it exceeds $1.5 million. Victims have been seen in the United States, Australia and India. The gang employs a triple-extortion tactic: it steals data from a victim organization before encrypting it, then threatens to release the data if a ransom is not paid for the decryption keys. On top of that, it threatens to launch a distributed denial-of-service attack to cripple the victim’s website and business if the ransom is not paid.
A number of threat groups use malicious software called Qakbot to penetrate organizations’ computer systems. It is popular among crooks because it is so flexible: it can steal passwords and data or spread other malware. Last week, Microsoft released an analysis of how Qakbot works, which can be useful for IT defenders. One thing I learned from the report is that Qakbot infections almost always start with someone clicking on a malicious attachment, a link to a web page, or an image in an email. The email message will often be business-related. For example, it could be about a contract, a payslip, or a question about an IT or business process. It may appear to be a reply to a message the victim sent. Often the message conveys urgency, saying that an immediate correction needs to be made or that a form needs to be filled out. The point is that employees need to be reminded of these kinds of lures on a regular basis, and they should be careful before clicking anything in a message.
Another attack on websites running the WordPress content management system has been detected. According to a security company called Wordfence, these attacks attempt to exploit vulnerabilities in four plugins: Kiwi Social Share, WordPress Automatic, Pinterest Automatic, and PublishPress Capabilities. All of these have been patched; in fact, WordPress Automatic and Pinterest Automatic were patched in August. The attackers are also targeting vulnerabilities in 14 Epsilon Framework themes, which provide templates for WordPress sites. The attackers exploit these vulnerabilities to escalate their access to “administrator”, which lets them steal data. WordPress administrators should make sure all plugins and themes are kept patched. They should also watch for suspicious activity such as unauthorized user accounts.
That’s it for now. Remember that links to details on the podcast stories can be found in the text version at ITWorldCanada.com. That’s where you will find my other stories as well.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts, or add us to your Flash Briefing on your smart speaker.