Report shows how Lapsus$ gang was successful, and patches for Atlassian, Java and Amazon software are released
Welcome to Cyber Security Today. It’s Monday April 25th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Cybersecurity pros are agog that the Lapsus$ extortion gang was able to hack into the systems of American wireless carrier T-Mobile last month. Security reporter Brian Krebs made the discovery after reading the gang’s chats on the Telegram messaging service. These were communications made shortly before a number of gang members were arrested in Britain. Two of them now face criminal charges. Most news sites are focusing on T-Mobile’s admission that it was hacked. The carrier stressed no customer data was accessed. What I found more interesting from Krebs’ story is how gang members were able to get into T-Mobile, Microsoft, Samsung, Nvidia and other big companies. They did it in one of two ways: by buying credentials with access to IT systems from criminal websites, or by convincing company support staff to reassign an employee’s mobile phone number to a device the attackers controlled, a tactic called SIM swapping. Once the number is theirs, the one-time codes that SMS-based two-factor authentication sends by text go to them, and the second factor is no longer in the way. As I’ve said before, done right two-factor or multifactor authentication prevents many attacks. But doing it right means training support staff not to fall for sob stories from a stranger over the phone or by text about needing to change or add phone numbers to accounts. It also means smartphone users must have a PIN on their carrier accounts that an attacker has to know before any change to the account, including a number transfer, will be made. And where the option exists, an authenticator app or a hardware security key is a better second factor than a text message, because a SIM swap does nothing against them. What happens when internal procedures are done right? Attackers are blocked. According to the Krebs story, that’s what happened at a Florida customer support outsourcing company called Iqor. Lapsus$ spent days trying to convince employees to remove multifactor authentication from accounts the gang already had usernames and passwords for. Iqor employees wouldn’t fall for any of the tricks.
Atlassian has issued security updates for its Jira and Jira Service Management applications. These updates patch a critical vulnerability that, under certain configurations, could allow an unauthenticated attacker to bypass the products’ authentication controls. Check Atlassian’s advisory for the affected version ranges and install the updates as soon as possible.
Sometimes patches need patches. The latest example comes from Amazon, which in December issued a hotpatch for Amazon Linux 1 and Amazon Linux 2 systems running Java virtual machines to fix critical vulnerabilities in the Log4j 2 library. However, that hotfix created problems of its own: researchers found that the hotpatch service itself could be abused by a process inside a container to gain privileges on the host. So Amazon has issued a new version of the hotpatch. It’s also issued a new version of the utility called Hotdog, which is used to inject the Log4j 2 hotpatch into containers. Customers using the Amazon Bottlerocket OS for running containers should update that as well.
There’s another Java-related problem IT administrators urgently need to pay attention to. If your environment runs applications on Java 17 or 18, the runtime needs to be updated. The fix is in Oracle’s April critical patch update, in releases 17.0.3 and 18.0.1. The problem (CVE-2022-21449) is in Java’s implementation of ECDSA, the digital signature algorithm used to sign things like TLS certificates, signed web tokens and the responses in FIDO-style multifactor authentication. The verifier failed to check that the two numbers making up a signature are in the valid range, so a signature consisting of nothing but zeros was accepted as valid for any message and any key. An attacker could use that to forge an SSL certificate or a signed token to get around a security check. Versions 15 and 16 of Java are also affected, but these are no longer supported so shouldn’t be used anymore. Java 8 and 11 are not affected, because they use an older, separate ECDSA implementation.
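To make that flaw concrete, here is an added example, my own Python and not code from this page, from Oracle or from the JDK. It implements ECDSA over the P-256 curve from scratch and puts a correct verifier beside one modelled on the bug. The flawed verifier is an assumption about the mechanism rather than a copy of the JDK: it skips the range check, computes the modular inverse with Fermat’s method (which silently returns 0 for an input of 0 instead of failing), and treats the point at infinity as having x = 0. The key, nonce and message are constructed for the demo.

```python
"""ECDSA over P-256 with a correct verifier and a range-check-less one.

Added example: not the page's code nor the JDK's. The flawed verifier models
the missing guard (assumption), it is not a transcription of Java's code.
"""
import hashlib

# NIST P-256 (secp256r1) domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# The point at infinity is represented as None throughout.
def point_add(p1, p2):
    """Affine point addition (and doubling) on y^2 = x^3 + A*x + B mod P."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def scalar_mult(k, point):
    """Double-and-add; k == 0 yields the point at infinity (None)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def on_curve(point):
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P == 0

def hash_to_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(d, message, k):
    """Textbook ECDSA. k must be a fresh secret nonce; fixed here only for repeatability."""
    z = hash_to_int(message)
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return (r, s)

def verify(q, message, sig):
    """Correct verifier: rejects r or s outside [1, N-1] before doing any math."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = hash_to_int(message)
    w = pow(s, -1, N)
    point = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, q))
    if point is None:
        return False
    return point[0] % N == r

def fermat_inverse(a, m):
    """a^(m-2) mod m: a valid inverse for a != 0 mod prime m, but 0 for a == 0."""
    return pow(a, m - 2, m)

def verify_missing_range_check(q, message, sig):
    """Flawed verifier (modelled): same algebra, no range check, infinity read as x = 0."""
    r, s = sig
    z = hash_to_int(message)
    w = fermat_inverse(s, N)                 # s == 0 gives w == 0 instead of an error
    point = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, q))
    x = 0 if point is None else point[0]     # assumption: projective code yields x = 0 at infinity
    return x % N == r                        # r == 0 and x == 0: "valid"

# Constructed demo key, nonce and signature (not real credentials).
DEMO_PRIV = 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
DEMO_PUB = scalar_mult(DEMO_PRIV, G)
DEMO_NONCE = 0xfedcba0987654321fedcba0987654321fedcba0987654321fedcba0987654321
ZERO_SIG = (0, 0)   # the blank signature an attacker would present

if __name__ == "__main__":
    msg = b"constructed sample: issue a session for admin"
    good = sign(DEMO_PRIV, msg, DEMO_NONCE)
    print("correct verifier, real signature:", verify(DEMO_PUB, msg, good))
    print("correct verifier, zero signature:", verify(DEMO_PUB, msg, ZERO_SIG))
    print("flawed verifier,  zero signature:", verify_missing_range_check(DEMO_PUB, msg, ZERO_SIG))
```

The flawed verifier still accepts genuine signatures and rejects tampered messages, which is why the bug is easy to miss in ordinary testing; only the all-zero input exposes it. The lesson carries over to any signature code you write or review: validate every field of the signature against its allowed range before the arithmetic, and make inverse-of-zero an error rather than a number.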
That’s it for now. Remember links to details about podcast stories are in the text version at ITWorldCanada.com.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.