Ransomware gang hits CommScope, unsanitized routers being re-sold and more
Welcome to Cyber Security Today. It’s Wednesday, April 19th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Hackers have published stolen data from U.S. network device manufacturer CommScope including thousands of employees’ names, Social Security numbers and bank account details. That’s according to the TechCrunch news service. It says the data was released by the Vice Society ransomware gang. Data posted also includes internal CommScope documents, invoices and technical drawings. The company told reporters it was hit by a ransomware attack late last month.
What do you do when your organization’s routers have to be disposed of? According to researchers at ESET, some IT departments aren’t scrubbing old routers of sensitive data before selling them. The researchers said nine of the 16 routers they picked up on the used market still had complete configuration data loaded, including customer data, credentials, router-to-router authentication keys — and enough data to identify the previous corporate owner. All IT departments should have rules for decommissioning any corporately owned electronic devices.
Separately, ESET said four repositories on GitHub used by operators of the RedLine information stealer have been taken down. That should at least temporarily disrupt use of this malware. The repositories were used as dead-drop resolvers for the malware’s control panel. Unfortunately, the removal of the four repositories won’t break the malware. But it will force RedLine operators to distribute new control panels to the crooks they sell to.
Employees continue to foolishly create unprotected internet-linked databases holding sensitive data. The latest example was found by a security researcher at vpnMentor. It’s a database of people who either work for or applied for law enforcement jobs in the Philippines. The database holds highly sensitive personal information, including birth certificates, passports, driver’s licences, security clearance documents and more. The researcher said it took 15 attempts to get a response from the government before the database was finally secured.
Just over a year ago the Conti ransomware group re-organized, with some members going off to create spinoffs like the Royal, Black Basta and BlackByte ransomware gangs. According to researchers at IBM, former members have also teamed up with a group it calls FIN7 to create a new malware family dubbed Domino. In a report this week the researchers say Domino is used to deliver either an information stealer called Project Nemesis or backdoors like Cobalt Strike. The report includes indicators of compromise that IT and security teams should look for. There’s a link to the report in the text version of this podcast.
Finally, hackers continue to use the effective QBot family of malware in phishing attacks. The latest campaign using this malware was discovered this month by researchers at Kaspersky. They warn a threat actor is sending out email messages in English, German, Italian or French with attachments asking targets to open an enclosed PDF. The document, of course, carries the QBot malware. The lure is that the hackers have somehow hacked into the email system of targets to create a message that looks like it came from a legitimate source. So, for example, the message might ask for documentation or a cost estimate on the attached application. One tip-off: while the sender’s name might be one the target expects, the email address won’t be the same as the real sender’s. This is called address spoofing. This campaign again shows the importance of educating employees about the dangers of opening attachments, and of teaching them how to spot the signs of a suspicious email.
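As an added example, not from the podcast or from Kaspersky’s report, here is the tip-off above turned into a mailbox-side check: it parses a From: header and flags a message whose display name matches an expected contact while the address behind it does not. The contact list and every address in it are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed contact list (hypothetical names and addresses): the display
# name an employee expects, mapped to the one address that legitimately
# belongs to it. Keys are stored lower-cased so the lookup is case-insensitive.
KNOWN_SENDERS = {
    "anna schmidt": "anna.schmidt@example-supplier.com",
    "accounts payable": "ap@example-supplier.com",
}


def _norm(value):
    """Lower-case and trim a name or address for comparison."""
    return value.strip().lower()


def check_from_header(from_header, known_senders=KNOWN_SENDERS):
    """Classify one From: header.

    'match'     - display name is a known contact and the address is the expected one
    'spoofed'   - display name is a known contact (or itself looks like an email
                  address) but the real address differs: the tip-off in the text
    'unknown'   - display name is not in the contact list
    'malformed' - no usable address could be parsed
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    name = _norm(name)
    # A display name that is itself an email address but does not match the
    # real address is a common way to make the sender look legitimate.
    if "@" in name and name != _norm(addr):
        return "spoofed"
    expected = known_senders.get(name)
    if expected is None:
        return "unknown"
    return "match" if _norm(addr) == _norm(expected) else "spoofed"


if __name__ == "__main__":
    # Constructed sample headers: a genuine one and a look-alike domain.
    for hdr in ('"Anna Schmidt" <anna.schmidt@example-supplier.com>',
                'Anna Schmidt <anna.schmidt@exampl3-supplier.com>'):
        print(check_from_header(hdr), "<-", hdr)
```

A real deployment would feed this the parsed From: header of each inbound message and source the contact list from the mail directory rather than a literal dictionary.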
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.