18.11.2022
NEWS:
Black Friday and retail season – watch out for PayPal “money request” scams
Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet… including, of course, right here on Naked Security! As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter days a year. Don’t take cybersecurity seriously only when it’s Thanksgiving, Hanukkah, Kwanzaa, Christmas or any other gift-giving holiday, or only for the New Year Sales, the Spring Sales, the Summer Sales or any other seasonal discount opportunity.
Global Cyber Risk at Elevated Level
In the first half of 2022 we ran the Trend Micro Cyber Risk Index (CRI) to gauge the shifts in how organizations viewed their cyber risk. We included North America, Europe, Asia-Pacific, and Latin/South America, giving us a truly global view of the cyber risk that organizations are dealing with today. The CRI is the result of a collaborative effort between Trend Micro and the Ponemon Institute to survey respondents. In the first half of 2022 we surveyed over 4,100 businesses of all sizes globally. The CRI looks to identify the cyber risk level organizations have based on two areas: their ability to prepare for cyber-attacks targeting them (cyber preparedness index – CPI), and the current assessment of the threats targeting them (cyber threat index – CTI).
https://www.trendmicro.com/en_us/research/22/k/cyber-risk-index-1h-22-snapshot.html
How Schools Can Become Cyber Resilient in 2023
An increasing number of cyber criminals are turning their sights on schools, and the effects are growing more and more worrisome. In 2021 alone, 67 ransomware attacks across almost 1,000 schools cost institutions over $3.5 billion. Factoring in the value of ransom payments, learning loss, and lost data, the true cost of these attacks may never be known. While several ransomware attacks made headlines in 2022, the actual number may be even higher because not all US school districts are required to report cybersecurity incidents. The consequences of these attacks directly impact students and institutions.
https://www.infosecurity-magazine.com/blogs/how-schools-can-become-cyber
What is an External Penetration Test?
A penetration test (also known as a pentest) is a security assessment that simulates the activities of real-world attackers to identify security holes in your IT systems or applications. The aim of the test is to understand what vulnerabilities you have, how they could be exploited, and what the impact would be if an attacker was successful. Usually performed first, an external pentest (also known as external network penetration testing) is an assessment of your perimeter systems. Your perimeter is all the systems that are directly reachable from the internet. By definition, they are exposed and are, therefore, the most easily and regularly attacked.
https://thehackernews.com/2022/11/what-is-external-penetration-test.html
Top passwords used in RDP brute-force attacks
Specops Software released research analyzing the top passwords used in live attacks against Remote Desktop Protocol (RDP) ports. This analysis coincides with the latest addition of over 34 million compromised passwords to the Specops Breached Password Protection Service, which now includes over 3 billion unique compromised passwords. “Weak passwords continue to leave organizations vulnerable to attacks on RDP ports and other systems, but it doesn’t have to be this way.”
INCIDENTS:
Lockbit gang leaked data stolen from global high-tech giant Thales
Thales is a global high-tech leader with more than 81,000 employees worldwide. The Group invests in digital and deep tech innovations – big data, artificial intelligence, connectivity, cybersecurity and quantum – to build a future of trust, essential to the development of our societies, by placing people at the heart of decision-making. Early this month, the French defence and technology group confirmed that it was aware that the ransomware group LockBit 3.0 claimed to have stolen some of its data. Thales was added to the list of victims of the LockBit 3.0 group on October 31; the gang threatened to publish the stolen data by November 7, 2022, if the company did not pay the ransom by the deadline.
Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign
A new malicious campaign has compromised over 15,000 WordPress websites in an attempt to redirect visitors to bogus Q&A portals. “These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines,” Sucuri researcher Ben Martin said in a report published last week, calling it a “clever black hat SEO trick.” The search engine poisoning technique is designed to promote a “handful of fake low quality Q&A sites” that share similar website-building templates and are operated by the same threat actor.
https://thehackernews.com/2022/11/over-15000-wordpress-sites-compromised.html
China-linked APT Billbug breached a certificate authority in Asia
State-sponsored actors compromised a digital certificate authority in a country in Asia as part of a cyber espionage campaign aimed at multiple government agencies in the region, Symantec warns. Symantec attributes the attack to a China-linked cyberespionage group tracked as Billbug (aka Lotus Blossom, Thrip). The attribution is based on the use of tools previously attributed to this APT group. In 2019 Symantec researchers reported that the group was using the backdoors Hannotog (Backdoor.Hannotog) and Sagerunex (Backdoor.Sagerunex), which were both used in the recent campaign.
MALWARE:
WASP malware stings Python developers
Malware dubbed WASP is using steganography and polymorphism to evade detection, with its malicious Python packages designed to steal credentials, personal information, and cryptocurrency. Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers. Analysts at Checkmarx this week connected the same attacker to both reports and said the operator is still releasing malicious packages.
https://www.theregister.com/2022/11/16/wasp_python_malware_checkmarx/
Healthcare sector warned of Venus ransomware attacks
Healthcare organisations in the United States are being warned to be on their guard once again, this time against a family of ransomware known as Venus. An advisory from the United States Department of Health and Human Services (HHS) has warned that the cybercriminals behind the Venus ransomware have targeted at least one healthcare entity in the United States, and are known to be targeting publicly-exposed Remote Desktop servers. The Venus ransomware (also known as GoodGame), which is known to have been successfully attacking organisations since the middle of August 2022, encrypts data files and changes their filenames so they are appended with a .venus extension, while deleting event logs and shadow copy volumes.
https://www.tripwire.com/state-of-security/healthcare-sector-warned-venus-ransomware-attacks
VULNERABILITIES:
Researchers Discover Hundreds of Amazon RDS Instances Leaking Users’ Personal Data
Hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing personally identifiable information (PII), new findings from Mitiga, a cloud incident response company, show. “Leaking PII in this manner provides a potential treasure trove for threat actors – either during the reconnaissance phase of the cyber kill chain or extortionware/ransomware campaigns,” researchers Ariel Szarf, Doron Karmi, and Lionel Saposnik said in a report shared with The Hacker News. This includes names, email addresses, phone numbers, dates of birth, marital status, car rental information, and even company logins.
https://thehackernews.com/2022/11/researchers-discover-hundreds-of-amazon.html
Remote Code Execution Vulnerabilities Found in F5 Products
Researchers at cybersecurity firm Rapid7 have identified several vulnerabilities and other potential security issues affecting F5 products. Rapid7 reported its findings to the vendor in mid-August and disclosed details on Wednesday, just as F5 released advisories to inform customers about the security holes and the availability of engineering hotfixes. Two of the issues discovered by Rapid7 researchers have been described as high-severity remote code execution vulnerabilities and assigned CVE identifiers, while the rest are security bypass methods that F5 does not view as vulnerabilities.
https://www.securityweek.com/remote-code-execution-vulnerabilities-found-f5-products
Cyber4Dev collates data from Open-Source websites, any opinions or attributions expressed in the articles are not those of Cyber4Dev and are not endorsed by the project or the EU.