Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday June 28th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.
 |
 |
 |
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss three of the week’s more interesting developments: The latest MOVEit vulnerability, a report on recruiting cybersecurity pros and how an API coding error is being blamed for a large cyber breach in Australia.
But first a look at other headlines from the past seven days:
The discovery that a domain supporting the Polyfill.js open-source library has been injecting malware after it was bought by a Chinese company started a rush by website administrators this week to delete the code. Polyfill allows websites to support older browsers. Quick action by cybersecurity companies since news of this vulnerability was released by researchers at Sansec has helped blunt the danger. For example, Google began blocking Google Ads for e-commerce sites that link to cdn[.]polyfill[.]io, and Cloudflare implemented real-time rewrites of that domain to their own, safe, version. In addition, an American domain registrar put the bad domain on hold. Still, web developers and admins using this code should remove any polyfill.io references in their code.
Since the beginning of the year Google has disrupted over 10,000 instances of YouTube video and editorials on Blogger that come from a China-based group. That brings the total number of blocked instances of pro-China spam to over 175,000 since last year. The campaign, which Google calls Dragonbridge, creates content reacting to breaking news. Most of the content doesn’t have a political message, but some portray U.S. government, society and democracy in a negative light. Google takes action against unauthentic activity such as videos that pretend to be news shows.
The attorney general of Arkansas is suing the e-commerce website called Temu for allegedly violating the state’s Deceptive Trade Practices Act and its privacy law. The suit alleges Temu is spyware, designed to gain unrestricted access to shoppers’ mobile phones. Temu, the attorney-general alleges, is led by “a cadre of former Chinese Communist Party officials.” According to The Verge, Temu’s parent company was based in China, but last year moved its headquarters to Ireland.
Finally, the P2Pinfect malware now has crypto miner, rootkit and ransomware payloads. That’s according to researchers at Cado Security. This worm spreads by exploiting the replication features in Redis, an in-memory data store that can be used as a database, cache or message broker. Infection adds the computer to a botnet for distributing the r sagan ransomware. Redis administrators should make sure Redis servers are patched and protected from compromise.
(The following is a transcript of the first of three news items discussed. Play the podcast to hear the full conversation)
Howard: Let’s start with how Progress Software handled the discovery of a new vulnerability in its MOVEit file transfer software. Listeners may remember that last year a vulnerability in MOVEit was exploited mercilessly by the Cl0p ransomware gang and others to steal data on over 90 million people from over 2,700 companies. Data thieves have found file transfer applications are excellent sources of personal data. Their servers hold large amounts of compressed data for transfer. So in the past five years they’ve been targeted, particularly by Cl0p: These include Accellion, SolarWinds’ Serve-U Managed File Transfer, Fortra’s GoAnywhere MFT, Citrix ShareFile and IBM Faspex. Last year Progress Software was badly burned by the zero-day hole in MOVEit. But according to researchers at watchTowr, this vulnerability was found by by company. And in response, it began quietly notifying customers so they could patch before publicly releasing word of the hole. That’s good news, isn’t it?
Terry Cutler:Â Â Absolutely. And I believe it’s really the right approach as well. Quietly notifying your customers about a vulnerability before making it public allows your organization to patch their flaws without potentially alerting the attackers. So this also reduces the risk of exploitation and strengthens the security of the systems that are involved in this patch. And I think by addressing these issues promptly, companies can prevent these breaches and protect themselves and especially their sensitive data, which is critical to maintain the trust with customers and especially the stakeholders. So I think this proactive stance is essential in today’s Cyberspace landscape.
Howard: The only thing is this wasn’t a zero-day that the crooks found first. And so it seems that Progress Software had the luxury of alerting customers.
Terry: And I think this is really fantastic news because it means that the developers probably received proper cybersecurity training in order to test these flaws before releasing the updates. And this expertise in testing gives them a critical edge because as you know, right, the developers are often under the pressure to ship out products quickly. At the same time, you know, it’s very expensive and they don’t do enough thorough testing. So these small victories can become a beacon of hope. So it shows that it’s possible to make it even more difficult for cybercriminals to exploit these vulnerabilities if the security measures are properly tested and integrated into the development process from the start.
Howard: What’s the lesson here that other application developers can learn?
Terry: There’s a lot of critical lessons. A key takeaway is the importance of the proactive vulnerability management. So when a vulnerability is found internally, rather than being exploited in the wild the developers have the obligation now to notify the customers to quickly and quietly apply these patches. Unfortunately, what we see in the industry, even though we look at other vendors whose software has been exploited, customers don’t take enough proactive approach to patch these systems rapidly. That’s why it’s very important to keep their systems monitored at all times to see if attackers are still lingering in their system.
Howard: Hopefully by now, almost all of the on-prem or hosted versions of MoveIT Transfer have been patched. And that’s because the Shadow Server Foundation reports that there are signs of attackers already trying to exploit the vulnerability after Progress Software publicly released news of the vulnerability and that a patch was available.
Terry: We’ve seen how good that’s been going for the last 10 years. Patch management has been one of the biggest problems we’ve been facing. So I’m not getting my hopes upon this one, to be honest. And of course, the attacks highlight the urgency and timing of these patches that are needed to visually patch these systems as quickly as possible. So organizations need to find a way to get ahead of these potential threats by make sure they deploy proper patch management solutions.
