A new threat actor goes after American IT firms, Canada’s Auditor General slams federal cybercrime-fighting agencies, and more.
Welcome to Cyber Security Today. It’s Wednesday June 5th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.
 |
 |
 |
A new threat actor is going after software companies building solutions for the industrial and research sectors in the U.S., energy providers in Europe and pharmaceutical manufacturers in Asia. That’s according to researchers at Cisco Systems. They dub this gang LilacSquid. Their weapons are an open-source remote management tool called MeshAgent and a customized version of the Quasar remote access trojan. The group leverages vulnerable application servers and remote desktop applications that are open to stolen credentials. What the gang wants is sensitive corporate and intellectual data. It’s been at it since 2021.
Canada’s cybercrime-fighting agencies aren’t doing a good enough job, says the country’s Auditor General. A report released Tuesday complains the RCMP, the Communications Security Establishment and Public Safety Canada still haven’t set up a single place for individuals to report cybercrime. The Royal Canadian Mounted Police has the National Cybercrime Co-ordination Centre, but as of January almost one-third of cybercrime investigation jobs were still open. On the other hand, the report says the RCMP and the Communications Security Establishment — which is the agency that advises on protecting federal IT systems — were often well co-ordinated in responding to high-priority cyber attacks. The Auditor-General urges federal agencies to work together to ensure all reported cybercrimes are routed to the right department. In response the RCMP said the need for the force to be equipped by government to deliver on its cyber mandate is more critical than ever. The Communications Security Establishment said it is working with departments to create a single place for the public to report cyber incidents. The CRTC said it is working to address the Auditor-General’s recommendations.
A number of surgeries and other medical procedures had to be canceled or changed this week after a ransomware attack on a British lab that processes tests. Affected are medical practices and two major British hospital groups in London. The target was Synnovis Group, which provides pathology services to hospitals, clinics and doctors’ offices. Emergency care services are still available at hospitals.
Two vulnerabilities in unpatched versions of Progress Software’s Telerik Report Server can be chained together to bypass authentication, achieve remote access and run code. That’s according to a researcher at Summoning Team and a colleague. A proof-of-concept script was published on GitHub on June 3rd, so administrators of Telerik Report Server should make sure the software is fully patched.
A China-based threat actor known for exploiting unpatched vulnerabilities in Oracle WebLogic has adopted new techniques to hide its work. That’s the finding of researchers at Trend Micro. They’re talking about a gang dubbed Water Sigbin by some researchers and the 8220 Gang by others. This group focuses on deploying cryptocurrency miners in Windows and Linux servers. First, the gang hides URL used to download and deploy a malicious PowerShell script in hexadecimal coding. Second, the malware uses HTTP on port 443 to hide its communications. Interestingly, this gang continues to exploit one WebLogic vulnerability that dates back to 2017, and another fixed last year. If your IT environment uses WebLogic there’s no reason why these holes haven’t been patched by now.
Last Wednesday I reported on the need for IT administrators with Check Point Software’s network security gateways to install the latest security hotfixes to close a zero-day vulnerability. Those who have waited are in trouble: A proof of concept to exploit the hole has now been published, according to Security Week. Affected are Check Point CloudGuard Network and several models of its Quantum gateways.
A Nigerian-based threat actor is spreading the Remcos remote access trojan. That’s according to researchers at HYAS Threat Intelligence. The campaign, which began in the middle of last month, is using domains hosted by an internet provider in Lithuania. Remcos is a legitimate commercial remote access tool from a German company. But in the hands of threat actors it can be used to help steal data. IT departments have to watch for unapproved installation of this malware.
IT departments and individuals running unsupported versions of Zyxel network attached storage devices have received a gift: Patches for three recently-discovered critical vulnerabilities. They are among five holes discovered by Outpost24 that need to be patched. However, the lesson is not to hold onto end-of-life equipment hoping the manufacturer will issue patches, but to eliminate the risk by replacing gear when support runs out.
Finally, software companies that offer free trial versions of tools may be helping hackers. That’s one of the conclusions in the latest annual Cyber Threat Report from Huntress. The report in particular cites threat actors installing remote access management tools to further their attacks. A trial version of a tool has the advantage to a hacker of not having to leave a verified identity when they download it. Software firms should consider locking down these trials, the report says.
Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.
