The hunt for apps with log4j vulnerabilities continues, new threat and ransomware groups discovered and a warning to WordPress admins
Welcome to Cyber Security Today. It’s Monday December 13th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
IT workers around the world continue to search their systems to understand whether they are exposed to a serious vulnerability. Known as Log4Shell or LogJam, and tracked as CVE-2021-44228, it's a flaw in log4j, an open-source Java logging library used by hundreds of business applications and websites. Organizations have to install fixed versions from their software suppliers as soon as they are released and, where a patch isn't available yet, put temporary mitigations in place such as tightening firewall rules. One expert I talked to over the weekend fears it may take years to patch all the affected systems.
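Finding where log4j is actually installed is the hard part of that hunt, because log4j-core is usually buried inside an application's JAR, WAR or EAR rather than installed on its own. The scanner below is an added example, not code from the podcast or from the Apache project: it walks a directory tree, opens every archive it finds (recursing into archives nested inside archives), reads the Maven pom.properties that log4j-core ships with to get the real version, and checks whether JndiLookup.class is still present. The fixed-version threshold, the fixture archives it builds and the "vulnerable" rule are assumptions for this illustration.

```python
# Added example (not from the podcast or from Apache): inventory log4j-core inside
# JAR/WAR/EAR files, including archives nested in other archives.
import io
import os
import tempfile
import zipfile

# Maven metadata shipped inside the log4j-core jar; reliable even if the jar was renamed.
LOG4J_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind the JNDI lookup; deleting it from the jar was a published mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# CVE-2021-44228 was fixed in log4j-core 2.15.0. Later releases fixed follow-on CVEs,
# so raise this threshold to match your own policy (assumed value for this example).
FIXED_VERSION = (2, 15, 0)


def parse_version(props_text):
    """Return the version= value from a pom.properties file, or None."""
    for line in props_text.splitlines():
        line = line.strip()
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_tuple(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    base = version.split("-")[0]  # drop qualifiers such as -beta9 / -rc1
    parts = [int(p) if p.isdigit() else 0 for p in base.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version, jndi_lookup_present=True):
    """log4j-core 2.x older than the fix, with JndiLookup still in the jar."""
    if version is None:
        return False
    v = version_tuple(version)
    return v[0] == 2 and v < FIXED_VERSION and jndi_lookup_present


def scan_archive(zf, label):
    """Scan one open ZipFile and recurse into archives inside it (e.g. WEB-INF/lib/*.jar)."""
    findings = []
    names = set(zf.namelist())
    if LOG4J_PROPS in names:
        version = parse_version(zf.read(LOG4J_PROPS).decode("utf-8", "replace"))
        jndi = JNDI_CLASS in names
        findings.append({"path": label, "version": version,
                         "jndi_lookup_present": jndi,
                         "vulnerable": is_vulnerable(version, jndi)})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(scan_archive(inner, label + "!" + name))
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(ARCHIVE_EXTS):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(scan_archive(zf, full))
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root):
    """Constructed fixtures, not real artifacts: a WAR bundling a vulnerable 2.14.1 jar,
    a patched 2.15.0 jar, and a 2.14.1 jar with JndiLookup.class removed."""
    def make_jar(version, include_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(LOG4J_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if include_jndi:
                zf.writestr(JNDI_CLASS, b"placeholder, not real bytecode")
        return buf.getvalue()

    apps = os.path.join(root, "apps")
    os.makedirs(apps, exist_ok=True)
    with zipfile.ZipFile(os.path.join(apps, "billing.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1"))
    with open(os.path.join(apps, "log4j-core-2.15.0.jar"), "wb") as fh:
        fh.write(make_jar("2.15.0"))
    with open(os.path.join(apps, "mitigated-2.14.1.jar"), "wb") as fh:
        fh.write(make_jar("2.14.1", include_jndi=False))


def run_demo():
    """Build the fixtures in a temp dir, scan them and return the findings sorted by path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in run_demo():
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['version']:8} {f['path']}")
```

Point `scan_tree()` at an application server's deployment directory to get an inventory; the `!`-separated path tells you which WAR to rebuild. Note the limits: a shaded or "fat" jar that repackaged log4j classes without the Maven metadata will not be caught by the pom.properties check, and a jar that is on disk but never loaded is still a finding worth recording.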
A new threat group calling itself Karakurt that specializes in stealing data from organizations has been uncovered. According to researchers at Accenture, the group threatens to release or sell the stolen information unless they are paid a ransom. Since September it has hit at least 40 organizations, largely in the U.S. and Canada. Often the gang uses passwords it has obtained to get into victims’ networks through their VPN devices for remote access. It isn’t clear how the gang gets passwords, but Accenture said in all cases it investigated the victim organizations didn’t protect logins with multifactor authentication.
A new ransomware gang has been detected. Known as ALPHV to its developers and BlackCat to researchers, it's a ransomware-as-a-service operation that recruits affiliates to attack victims. According to the Bleeping Computer news site, affiliates keep at least 80 per cent of the ransom payment, and more if it's over $1.5 million. Victims have been seen in the U.S., Australia and India. The gang uses a triple extortion tactic: it steals a victim organization's data before encrypting it, then threatens to publish the data if the ransom for the decryption keys is not paid. On top of that it threatens to launch a distributed denial-of-service attack to cripple the victim's website and business if the ransom isn't paid.
A number of threat groups use a piece of malware called Qakbot to get into the IT systems of organizations. It’s popular among crooks because it’s so flexible at stealing passwords and data or delivering other malware. Last week Microsoft put out an analysis of how Qakbot works. That can be helpful for IT defenders. One thing I got from the report is that Qakbot infections almost always start with someone clicking on a malicious attachment, a web page link or an image in an email. The email message will often be business-related. For example, it may refer to a contract, a payslip or a question about an IT or business process. It may appear to be a reply to a message from the victim. Often the message has a sense of urgency, saying an immediate correction has to be made or a form filled out. The point is it’s important to regularly remind employees of these kinds of tricks and that they have to be careful before clicking on anything in a message.
Another attack on websites running the WordPress content management system has been detected. According to a security company called Wordfence, these attacks are trying to leverage vulnerabilities in four plug-ins: Kiwi Social Share, WordPress Automatic, Pinterest Automatic and PublishPress Capabilities. All of these have been patched. In fact WordPress Automatic and Pinterest Automatic were patched in August. In addition attackers are going after vulnerabilities in 14 Epsilon Framework themes, which provide templates for WordPress sites. The attackers are using these vulnerabilities to escalate their access to the administrator role, which lets them take over the site and steal data. WordPress administrators have to keep all plugins and themes patched, and they have to watch for suspicious activity such as unauthorized user accounts, especially newly created accounts that hold the administrator role.
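That last check is easy to script. WordPress stores each user's roles in the wp_usermeta table as a PHP-serialized array under the meta key wp_capabilities, so a site owner can list every account that holds the administrator role and compare it with the admins they actually know about. The script below is an added example, not code from the podcast or from Wordfence: it runs the query over an in-memory SQLite copy of the two relevant tables populated with constructed rows, parses the serialized capabilities, and flags administrators that are not on a known-admin list or were created recently. The default table prefix wp_, the sample rows and the seven-day window are assumptions for this illustration.

```python
# Added example (not from the podcast or from Wordfence): flag unexpected or newly created
# WordPress administrator accounts. SQLite stands in for the site's MySQL database here.
import re
import sqlite3
from datetime import datetime, timedelta

TABLE_PREFIX = "wp_"  # assumed default prefix; set it to whatever wp-config.php uses
# WordPress serializes roles as a PHP array, e.g. a:1:{s:13:"administrator";b:1;}
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Extract the role names that are set to true in a wp_capabilities value."""
    return set(ROLE_RE.findall(serialized or ""))


def list_users_with_roles(conn, prefix=TABLE_PREFIX):
    """Join users with their capabilities meta row; returns (login, email, registered, roles)."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
        FROM {prefix}users u
        LEFT JOIN {prefix}usermeta m
               ON m.user_id = u.ID AND m.meta_key = ?
        ORDER BY u.ID
    """
    rows = conn.execute(sql, (prefix + "capabilities",)).fetchall()
    return [(login, email, registered, roles_from_capabilities(caps))
            for _, login, email, registered, caps in rows]


def find_suspicious_admins(conn, known_admins, now, recent_days=7, prefix=TABLE_PREFIX):
    """Return (login, reason) pairs for admin accounts that are unexpected or newly created."""
    findings = []
    for login, email, registered, roles in list_users_with_roles(conn, prefix):
        if "administrator" not in roles:
            continue
        if login not in known_admins:
            findings.append((login, "administrator not on the known-admin list"))
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if now - created <= timedelta(days=recent_days):
            findings.append((login, f"administrator created within the last {recent_days} days"))
    return findings


def build_sample_db():
    """Constructed sample rows standing in for a real wp_users / wp_usermeta dump."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "howard", "howard@example.com", "2019-03-02 10:15:00"),
        (2, "editor1", "editor@example.com", "2020-06-11 09:00:00"),
        (3, "wp-support", "support@example.net", "2021-12-11 03:42:17"),  # planted admin
    ]
    meta = [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ]
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", users)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", meta)
    return conn


def run_demo():
    """Run the check over the sample data with 'howard' as the only expected admin."""
    conn = build_sample_db()
    return find_suspicious_admins(conn, known_admins={"howard"},
                                  now=datetime(2021, 12, 13, 8, 0, 0))


if __name__ == "__main__":
    for login, reason in run_demo():
        print(f"{login}: {reason}")
```

Against a live site, swap the SQLite connection for a MySQL one and keep the query; `wp user list --role=administrator` from WP-CLI gives the same list interactively. Treat any administrator you did not create as an incident, not a cleanup item: remove it after you have confirmed which plugin or theme let it in, or the attacker will simply add another.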
That's it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That's where you'll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.