SAN MATEO, CA, January 9, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- More than 60,000 unpatched Microsoft Exchange servers remain vulnerable to ProxyNotShell
- Hackers getting victims to download BitRAT using stolen banking info
- Major US toy manufacturer suffers Hive ransomware attack
- Experts: LastPass misleading users about severity of data breach
- WordPress sites targeted by new Linux malware
- TikTok’s parent company used app’s data in effort to identify journalists
- Quantum Cybersecurity Preparedness Act signed into law by President Biden
- LockBit apologizes for hospital attack, provides decryption key
- BlackCat ransomware gang posts victim’s data on cloned website
More than 60,000 unpatched Microsoft Exchange servers remain vulnerable to ProxyNotShell
Security researchers at the Shadowserver Foundation have found that nearly 70,000 Microsoft Exchange servers remain unpatched against CVE-2022-41082, a remote code execution (RCE) vulnerability, even though the update remedying it was issued in November. One of the two ProxyNotShell vulnerabilities, this flaw allows an unauthorized user to execute code remotely. Only a fully patched server is protected. Administrators are strongly urged to follow Microsoft’s update instructions to ensure that their Exchange servers are adequately defended against what continues to be a lucrative and popular way to wreak havoc. Read more.
Hackers getting victims to download BitRAT using stolen banking info
Security firm Qualys has observed a new malware campaign that tricks victims into downloading BitRAT malware by using their stolen banking data. The hackers are believed to have “hijacked the IT infrastructure of a Colombian cooperative bank” and then created phishing emails carrying an Excel attachment loaded with a macro that executes BitRAT on the victim’s system. BitRAT is an easily purchased malware that can be configured in several ways, from crypto mining to credential stealing, depending on how the threat actor wants to use it. Read more.
Major US toy manufacturer suffers Hive ransomware attack
Jakks Pacific, a major US toy maker, has disclosed that it was hit with a ransomware attack from the Hive and BlackCat groups. The company has stated that the attack will not affect business operations; however, the “attackers were able to exfiltrate employees’ personal data, including names, addresses, emails, taxpayer identification numbers, and banking details.” Jakks Pacific did not pay the $5 million ransom demanded of it, and Hive posted the data online on December 19th. Read more.
Experts: LastPass misleading users about severity of data breach
A number of security experts are calling out LastPass for misleading users about the nature and potential consequences of the password manager’s most recent data breach. Researchers claim that LastPass’s characterization of the August and December hacks as two separate incidents, rather than one ongoing campaign, is designed to make the company appear less culpable for its security lapses. They are also taking LastPass to task for claiming that the stolen data is impossible for hackers to crack, when what the attackers hold can be used to mount phishing attacks against users or be cracked with enough time and determination. LastPass users are encouraged to change their passwords, and some security professionals go so far as to recommend dropping the platform altogether. Read more.
WordPress sites targeted by new Linux malware
TikTok’s parent company used app’s data in effort to identify journalists
Employees at ByteDance, TikTok’s parent company, accessed the platform’s data in a failed effort to identify the source of media leaks by determining which ByteDance workers may have been in the same location as journalists, and when. ByteDance has condemned the effort, reporting that four employees involved in the snooping have been fired. The covert espionage is a setback for ByteDance, which has long been suspected of compiling data for use by the Chinese government despite great efforts to convince US lawmakers that it takes data privacy seriously and does not pose a security threat. Read more.
Quantum Cybersecurity Preparedness Act signed into law by President Biden
The Quantum Cybersecurity Preparedness Act, “designed to secure the federal government systems and data against the threat of quantum-enabled data breaches, ahead of ‘Q Day’ – the point at which quantum computers can break existing cryptographic algorithms,” has been officially signed into law by President Biden. The law gives federal agencies six months to shore up systems vulnerable to quantum hacking and develop a strategy for migrating them to post-quantum cryptography. The new law comes on the heels of other provisions developed to update and future-proof federal agencies against increasingly sophisticated cyberattacks and espionage. Read more.
LockBit apologizes for hospital attack, provides decryption key
SickKids, a teaching and research hospital in Toronto that focuses on providing care to sick children, suffered a December 18th ransomware attack that affected internal phone lines and its website. Two days after SickKids announced the attack, the LockBit ransomware group “formally apologized” for the incident and provided a free decryptor to the organization. LockBit, a ransomware-as-a-service administrator, said that an affiliate violated its rules by attacking a medical institution and has been blocked. Oddly, previous attacks on hospitals using LockBit ransomware have not been met with apologies or keys. Read more.
BlackCat ransomware gang posts victim’s data on cloned website
The BlackCat ransomware gang has created a clone of a victim organization’s website on which it has posted links to the stolen data. The cloned site departs from a ransomware group’s typical operations in that it is open to all internet users, rather than being dumped on a dark web forum or database. The site closely matches the look of the victim’s own and was created in retaliation for the victim’s refusal to pay for a decryption key. This new tactic makes it easy for BlackCat to direct employees, customers, or other people affected by an attack to a site where they can see what was exposed, and to put additional pressure on organizations to pay ransoms. Read more.