SAN MATEO, CA, January 16, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Majority of Cacti servers under attack as most users fail to patch bug
- Cyberattack on Royal Mail linked to LockBit
- Cisco warns of public exploit in EoL routers
- Twitter: data leak was not due to bug
- Ransomware gangs installing backdoors for later use
- Microsoft’s first patch of 2023 addresses 98 security flaws
- Cyberattack keeps Iowa’s largest school closed for two days
- Microsoft: Kinsing malware attacks on the rise
- API vulnerabilities found in 16 major automobile brands
Majority of Cacti servers under attack as most users fail to patch bug
A critical vulnerability in Cacti is being exploited in the wild, and most Cacti users have yet to install the patch the developers released for it. According to attack surface management platform Censys, only 26 of 6,427 internet-exposed Cacti servers are running the most recently updated version. Public disclosure of the vulnerability (CVE-2022-46169) has led to increased attempts by attackers to exploit the flaw, which allows a threat actor to “execute arbitrary code on an affected version of the open-source, web-based monitoring solution.” Read more.
Cyberattack on Royal Mail linked to LockBit
A cyber incident that resulted in the UK’s largest delivery service, Royal Mail, halting international shipments has been determined to be linked to the LockBit ransomware gang. A ransom note sent by the threat actors says that “LockBit Black” ransomware was used in the attack. LockBit Black is the group’s latest encryptor, which uses code and features assimilated from the now defunct BlackMatter gang. LockBit, however, has denied that they are responsible for the attack claiming that someone using a leaked version of their ransomware is responsible. Read more.
Cisco warns of public exploit in EoL routers
Multiple end-of-life Cisco routers are susceptible to a critical authentication bypass flaw for which exploit code is publicly available, the company warns. The flaw, CVE-2023-20025, affects the web-based management interface of Cisco Small Business RV016, RV042, RV042G and RV082 routers. Although Cisco’s Product Security Incident Response Team is aware of the bug, the company does not plan to release a patch because the devices are no longer supported. As a workaround, users can disable the routers’ web-based management interface and block access to ports 443 and 60443 to prevent attacks, and are encouraged to migrate to newer routers that are still supported. Read more.
Twitter: data leak was not due to bug
Twitter, responding to a leak that has seen data associated with more than 200 million accounts placed for sale on the dark web, has stated that the information could not be traced to the company and was not the result of a hacker exploiting a vulnerability within the platform. Asserting their belief that the data was accumulated from publicly available sources, Twitter has also assured users that password information is not included in the trove. Some security experts remain skeptical of the company’s statement, however, citing the authenticity of the information as evidence that it was gained due to a compromised third party. Read more.
Ransomware gangs installing backdoors for later use
Security researchers are warning that some ransomware gangs have been observed installing backdoors on systems whose vulnerabilities remain unpatched in order to use them at a later date. The Lorenz gang has been witnessed doing just that: researchers noted that the group planted a backdoor on an exploitable system before it was patched, left it dormant, and later used it to launch ransomware even though the system had since been updated. Security experts are warning that, while patching in a timely fashion is critical, it is equally important to check patched systems for signs of prior intrusion, since patching alone does not remove persistence an attacker has already established. Read more.
Microsoft’s first patch of 2023 addresses 98 security flaws
Microsoft’s first Patch Tuesday of the new year has shipped, addressing 98 security flaws, one of which is being exploited in the wild. 11 of the flaws are rated Critical and the other 87 are rated Important. The exploited bug, CVE-2023-21674, is a “privilege escalation flaw in Windows Advanced Local Procedure Call that could be exploited by an attacker to gain SYSTEM permissions.” The flaw has also been added to CISA’s Known Exploited Vulnerabilities catalog, which obliges federal agencies to remediate it. The patches arrive as Windows 7, Windows 8.1, and Windows RT reach the end of their support from Microsoft. Read more.
Cyberattack keeps Iowa’s largest school closed for two days
An apparent cyberattack targeting the Des Moines school district, Iowa’s largest, has resulted in classes being canceled for the second day in a row as IT administrators attempt to restore network functionality. While the nature of the “cybersecurity incident” has yet to be disclosed, the district’s interim superintendent says they are operating as if it was a ransomware attack. Classes are expected to resume later in the week. Schools and universities have become favored targets because they store large amounts of data, provide essential services and are often underfunded when it comes to IT infrastructure. Read more.
Microsoft: Kinsing malware attacks on the rise
Microsoft’s Defender for Cloud team has reported an increase in Kinsing malware breaching Kubernetes clusters by exploiting known vulnerabilities in container images and by abusing misconfigured PostgreSQL containers. These attacks, while not new, indicate to researchers that threat actors are actively hunting for exploitable weaknesses in order to deploy cryptocurrency miners. Microsoft warns that images running PHPUnit, Liferay, Oracle WebLogic and WordPress are the ones this current surge targets most often. Read more.
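The story says only that the targeted PostgreSQL containers were “misconfigured.” The following is an added example, not code from Microsoft’s report or from the Kinsing campaign; it assumes the misconfiguration is the classic one, a pg_hba.conf host rule using the `trust` method for a non-loopback address range, which lets any client that can reach the port log in as any role with no password. The script parses a constructed sample pg_hba.conf, flags such rules, and rewrites them to `scram-sha-256` so the weak and hardened settings sit side by side.

```python
"""Audit pg_hba.conf for rules that admit remote clients with no password.

Added example for this roundup (not Microsoft's or the Kinsing actors' code).
Assumption: the risky setting is a host-type rule whose METHOD is `trust` and
whose ADDRESS is anything other than the loopback interface or the local host.
"""
import re
from ipaddress import ip_network
from typing import Dict, List, Optional

# Constructed sample: the kind of pg_hba.conf an unhardened image might ship.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   127.0.0.1/32  trust
host    all       all   ::1/128       trust
host    all       all   0.0.0.0/0     trust
host    all       all   10.0.0.0/8    md5
host    all       all   ::/0          scram-sha-256
"""


def _parse_rule(line: str) -> Dict[str, str]:
    """Split one non-comment pg_hba.conf line into its fields."""
    parts = line.split()
    rule = {"type": parts[0], "database": parts[1], "user": parts[2]}
    if rule["type"] == "local":
        # Unix-socket rule: no ADDRESS column.
        rule["address"], rule["method"] = "", parts[3]
    elif len(parts) >= 6 and "/" not in parts[3]:
        # host-type rule written as ADDRESS NETMASK METHOD.
        rule["address"], rule["method"] = f"{parts[3]}/{parts[4]}", parts[5]
    else:
        # host-type rule written as CIDR (or all/samehost/samenet) METHOD.
        rule["address"], rule["method"] = parts[3], parts[4]
    return rule


def parse_pg_hba(text: str) -> List[Dict[str, str]]:
    """Parse a whole file, ignoring blank lines and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(_parse_rule(line))
    return rules


def rule_risk(rule: Dict[str, str]) -> Optional[str]:
    """Return a reason if the rule lets remote clients in without credentials."""
    if rule["method"] != "trust":
        return None
    if rule["type"] == "local" or rule["address"] == "samehost":
        return None  # only processes on the same host can use these
    addr = rule["address"]
    if addr in ("all", "samenet"):
        return f"trust for {addr}"
    try:
        net = ip_network(addr, strict=False)
    except ValueError:
        return f"trust for unparsed address {addr!r}"
    if net.is_loopback:
        return None
    return f"trust for {net} ({net.num_addresses} addresses)"


def audit_pg_hba(text: str) -> List[Dict[str, str]]:
    """Return the rules that would let unauthenticated remote clients in."""
    findings = []
    for rule in parse_pg_hba(text):
        reason = rule_risk(rule)
        if reason:
            findings.append({**rule, "reason": reason})
    return findings


def harden_pg_hba(text: str) -> str:
    """Rewrite risky `trust` rules to require SCRAM password authentication."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and rule_risk(_parse_rule(line)):
            # Replace the METHOD token only; a trailing comment is preserved.
            raw = re.sub(r"\btrust(?=\s*(#.*)?$)", "scram-sha-256", raw)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"RISK: {f['type']} {f['database']} {f['user']} {f['address']}: {f['reason']}")
    print(harden_pg_hba(SAMPLE_PG_HBA))
```

Run it against a real file with `audit_pg_hba(open("/var/lib/postgresql/data/pg_hba.conf").read())`; the loopback `trust` rules that stock images ship are left alone because they cannot be reached from another pod, while the `0.0.0.0/0` rule is the one that turns an exposed service port into a free login.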
API vulnerabilities found in 16 major automobile brands
Millions of vehicles are at risk of cyberattack due to bugs found in their manufacturers’ APIs by a researcher at Yuga Labs. The vulnerabilities range from severe to merely inconvenient and allow attackers to do anything from accessing user information to remotely executing code that could disable vehicles in a number of ways. This type of exploit not only poses a threat to the average driver, but could be leveraged to control features on law enforcement or emergency response vehicles. Affected brands include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls-Royce, Toyota and more. All of the bugs have been fixed by the manufacturers after being disclosed to them. However, the findings show that modern vehicles could be a dangerous new hacking frontier. Read more.