More suspicious attempts to take over open source projects, a data theft at a Cisco Duo partner, and more.
Welcome to Cyber Security Today. It’s Wednesday, April 17, 2024. I’m Howard Solomon.
The recent takeover of an encryption utility used by Linux may not be an isolated incident. The OpenJS Foundation, home to open JavaScript projects, says it recently detected an attempt by a threat actor or actors to be designated as a new maintainer of a project, ostensibly to correct vulnerabilities. OpenJS then recognized that two other JavaScript projects not hosted by the Foundation had seen similar takeover attempts. This follows the discovery by a Microsoft developer earlier this month of a three-year effort by a threat actor to persuade the maintainers of the XZ Utils compression tool to hand over that project. In that case some Linux distributors actually included a malicious version of that utility, containing a backdoor uploaded by the new overseer, in development versions of Linux. If a threat actor takes over a JavaScript project they, too, could use their access to upload malicious code that would end up in hundreds or thousands of IT systems. The OpenJS and Open Source Security Foundations are warning project maintainers to be wary of email requests from unknown members of the open source community to be elevated to maintainer status.
Another major company has been stung by a data breach at a partner. This time it’s Cisco Systems. According to Bleeping Computer, organizations using the Cisco Duo multifactor authentication platform for accessing corporate IT systems are being notified of an April 1st incident. A hacker compromised the system of a telecom provider Cisco uses to send MFA codes to individuals by SMS text or voice over IP calls. Cisco didn’t name the provider. Nor is it saying how many individuals were affected. How was the telecom provider hacked? An employee fell for a phishing email, allowing the attacker to get their login credentials. They then downloaded message logs. The logs don’t have personal information. But they include phone numbers of those who use Duo, including company employees. A hacker could use those numbers to call employees and trick them into giving out sensitive things like passwords.
Delinea has released security updates for its platform as well as for on-premise and cloud versions of its Secret Server access management suite. The updates plug a critical vulnerability in the SOAP messaging API that could allow an attacker to bypass access authentication to IT networks. This comes after a researcher published a report last week on discovering the flaw. He publicly released his findings because he’d been trying unsuccessfully since February to get Delinea’s attention. It wasn’t until last Friday the company acknowledged the finding. In a statement Delinea said patches for older versions of Secret Server are coming.
IT administrators whose firms use the open-source PuTTY utility for file transfer, or who use applications with the PuTTY client such as FileZilla, WinSCP and TortoiseGit, are urged to update the applications immediately. This comes after the discovery of a critical vulnerability that could allow a threat actor to recover a private key and then forge digital signatures, allowing access to any server the key is used for. Administrators should revoke their existing keys and generate new keys to replace them.
Omni Hotels, with properties in the U.S., Canada and Mexico, says “limited information” of a subset of customers was involved in last month’s cyber attack. The data doesn’t involve personal payment details, financial information or Social Security numbers. But, the company says, it may include names, email and mailing addresses. According to Security Week, the Daixin Team ransomware gang has claimed responsibility.
Three Canadian school boards have signed up for Fortinet’s Security Awareness Curriculum. The free, bilingual program has modules for K-12 students covering how to be safe online and how to protect privacy. The three boards are in Ontario.
Threat actors use multiple tricks to get login credentials to private Zoom video conferencing sessions of organizations. A report this week from Abnormal Security notes six tactics. These include creating fake login pages that look like the official Zoom website and then spreading links to them in phishing emails; tricking employees into downloading malware that steals Zoom credentials; and just plain credential stuffing with passwords bought on the dark web. The report could be used by IT departments in security training.
Automated bad bots are taking up an increasing share of internet traffic. That’s according to a new report from Imperva. Automated traffic is costing organizations billions of dollars through attacks on websites, APIs and applications. Bots do everything from web scraping and account takeovers to spreading spam and launching denial of service attacks. The report says IT leaders can blunt this threat by fortifying website defences, strengthening employee and customer login processes, securing exposed APIs and mobile applications, and watching for suspicious traffic.
Finally, a North Korean spying group is ramping up its activity. That’s according to researchers at Proofpoint. They issued a report this week on a group security experts call by a number of names including TA427, Emerald Sleet, APT43, Thallium or Kimsuky. Usually the group targets experts on American and South Korean foreign policy by impersonating a member of a think tank, a reporter or an academic. Targets are sent emails in the hope of starting an online conversation. One tactic: taking advantage of an organization’s lax email protection, particularly failing to enforce the strict use of the DMARC protocol. That is allowing this group to impersonate legitimate senders by spoofing email addresses.
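The DMARC point above is the one piece of this brief a defender can check directly. The following added example (not from Proofpoint or the podcast) parses a domain's DMARC TXT record and reports why it would not stop a spoofed sender; the records and domain names are constructed, and in practice you would fetch them with a DNS lookup of `_dmarc.<domain>`.

```python
# Constructed DMARC TXT records, as a DNS lookup of _dmarc.<domain> would return them.
# The domains are placeholders; the tag syntax follows the DMARC spec (RFC 7489).
SAMPLE_RECORDS = {
    "lax.example": "v=DMARC1; p=none; rua=mailto:dmarc@lax.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
    "missing.example": "",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tag=value pairs; empty dict if absent or not v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings that explain why spoofed mail would still be delivered.

    An empty list means the record is enforcing: receivers are told to reject
    (or at least quarantine) all mail that fails SPF/DKIM alignment.
    """
    tags = parse_dmarc(record)
    if not tags:
        return ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered, only reported")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # Subdomain policy defaults to the organizational policy when sp= is absent.
    subdomain_policy = tags.get("sp", policy).lower()
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none: subdomains of this domain can be spoofed freely")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, "->", assess_dmarc(record) or ["enforcing"])
```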
Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.