A new vulnerability in MOVEit, a warning to WordPress administrators on poisoned plugins, and more.
Welcome to Cyber Security Today. It’s Wednesday June 26th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.
 |
 |
 |
Another vulnerability has been found in Progress Software’s MOVEit managed file transfer suite. Researchers at Tenable said Tuesday that a proof-of-concept exploit is already available. In publicly revealing the vulnerability on Tuesday, Progress Software said it could allow an attacker to bypass login authentication “in limited scenarios.” The company “strongly recommends” IT administrators upgrade to the latest version. It’s the only way to close this hole. It isn’t known how many systems might be vulnerable today. Researchers at watchTowr say Progress Software has been quietly contacting customers for some time about this, so perhaps by now all implementations are protected. MOVEit, you will recall, is the same suite with a hole that threat actors including the Cl0p ransomware gang last year used to steal data on 95 million people from over 2,700 organizations.
WordPress administrators are being warned to act on the discovery of five compromised plugins. Researchers at Wordfence say the five are Blaze Retail Widget, Contact Form 7 Multi-Step Addon, Simply Show Hooks, Social Sharing Plugin’s Social Warfare and Wrapper Link Eleminator. These have been injected with malicious PHP scripts that can steal database credentials. After that the attacker can create new fake administrator users for stealing customer and corporate data. Check if these plugins have been newly patched, and if so update them. If not, they should be disabled. Plugin users should also run a complete scan of their WordPress code for malware.
On the news roundup during my Week in Review podcast last Friday I reported on a data theft from the Los Angeles County Department of Public Health. At the time the county said the cause was a phishing attack. In an update the county has offered more detail. The attcker got around multi-factor authentication by using a push-notification attack. That’s sending a victim repeated malicious MFA approval text requests. The attacker hopes the victim will get tired of these texts and just click ‘OK.’ That gives the attacker access to their email account. Two lessons: Regular employee awareness training to remind staff not to give in to this calculated harassment; and invest in phishing-resistant multi-factor authentication.
By the end of the year organizations may have a new AI weapon to help identify and fight misinformation and disinformation. That’s one of the things I came away from Tuesday at the Excite digital trust conference in Toronto. The application will be a spin-off of research by the University of New Brunswick’s Canadian Institute for Cybersecurity. Ali Ghorbani, the institute’s director, said the application will analyze and score problematic content on social media platforms or websites. Then businesses or governments could take remedial action, like direct people to factual websites or issue a news release with corrective information. The application is being piloted now. In an interview Ghorbani said it could be commercialized by a spin-off company by the end of the year, with the institute getting royalty revenue. No pricing information was given.
The theft of data on millions of customers from an Australian telecom provider in 2022 was caused by an API coding error. That’s the conclusion of Australia’s Communications and Media Authority included in a court decision last week. According to an analysis of the decision by the SANS Institute, the API had two entry points and was secured in 2017. But in 2021 a coding error broke an access control list affecting both entry points. It was detected, but only one entry point was fixed. So the hole was open for four years. A SANS Institute commentator said APIs should have only one entry point, one set of security controls and one instance for fixing vulnerabilities.
Crooks are pretending to be lawyers on social media or other messaging platforms to trick people into giving up their cryptocurrency. That warning comes from the FBI. The so-called lawyers claim they are authorized to investigate funds lost in cryptocurrency scams. They may also claim they are working with the FBI or another government agency. The goal is to get victims to provide personal identifying information or bank information. In some cases the crooks may ask victims to pay a portion of initial fees to get their money or even to make payment for back taxes.
The caution comes after the bureau warned earlier this month that crooks are calling American residents at home pretending to be FBI agents or representatives of other law enforcement agencies. This same scam is being run in Canada and other countries. Crooks pressure victims with various explanations into withdrawing money or gold to be picked up by a courier. Another version is pressuring people into buying prepaid gift cards after which the victim reads the card numbers over the phone to the crook. Sometimes these law enforcement impersonators tell victims not to trust anyone at their bank about the withdrawals because the bank is under investigation. No police officer or bank official in the U.S. or Canada will ask you to help in an investigation by withdrawing or spending your money.
New malware is growing and shows no sign of stopping, according to researchers at BlackBerry. The company’s latest quarterly report shows a 40 per cent increase in malicious hashes compared to the last three months of 2023. Sixty per cent of attacks detected by BlackBerry were aimed at critical infrastructure providers such as governments, banks, hospitals and communications providers.
Separately, BlackBerry told shareholders on Tuesday that it is making significant progress on making the Canadian company profitable this year and on splitting it into two separate and standalone divisions: One would focus on cybersecurity products, the other on its IoT products used by car manufactures and others. There was no indication when the split will happen.
Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.
