Mystery surrounds the outage at a ransomware gang’s site, and more
Welcome to Cyber Security Today. It’s Wednesday, December 13th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
The official data leak site of the AlphV/BlackCat ransomware gang was still down on Tuesday afternoon, when this podcast was recorded. That would make it the sixth day in a row the site has been inaccessible. According to researchers at RedSense, the gang believes an unnamed law enforcement agency or agencies is responsible. In a tweet RedSense said the gang’s administrator has told others that “everything will work soon.”
Administrators with Netgate’s pfSense open-source firewall should install the latest patch. It closes two cross-site scripting vulnerabilities and a command injection vulnerability. According to researchers at SonarSource, there are patches for both pfSense Plus and the community edition of the firewall.
There are two new reports about fraudulent job application emails:
A threat actor who has been phishing for corporate victims for years by replying to job listings has added a new tactic: trying to trick personnel recruiters. That’s according to researchers at Proofpoint. The group, which has been dubbed TA4557, recently started emailing headhunters saying they are interested in being hired for a corporate position. The message says the so-called applicant’s updated resume is available on their personal home page. Here’s the trick: knowing that for security reasons people may be reluctant to click on a link in an email, or that an email scanner may block a link, the threat actor offers an alternative. To see the so-called resume, the recruiter is asked to use the domain name in the email address. So if the applicant’s email address is “john[at]johnjones[dot]com”, the recruiter would themselves go to “www[dot]johnjones[dot]com”. That’s probably to convince the recruiter that the so-called applicant is security-conscious. The alleged personal website looks real, but it leads to the downloading of malware. People in HR, whether responding to job postings or to emailed cold calls, need to be aware that behind every message could be a crook.
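The tactic described above is a detection opportunity for an email-triage team: a message that claims a resume lives on a personal site, gives no link at all, and instead tells the recipient to derive the website from the sender’s own address is unusual for a genuine applicant. The following Python script is an added example (it is not code from Proofpoint or from the podcast) that flags those traits in a raw message. The sample emails and the domain “johnjones.com” are constructed for illustration, and the regular expressions are assumed heuristics that a team would tune against its own mail.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Heuristic patterns (assumptions for this example, not vendor signatures).
URL_RE = re.compile(r"https?://\S+", re.I)
BARE_DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
PERSONAL_SITE_RE = re.compile(r"\b(?:personal|my)\s+(?:site|web ?site|home ?page|domain)\b", re.I)
DERIVE_DOMAIN_RE = re.compile(r"\bdomain\s+(?:from|in|of)\s+(?:my|this|the)\s+e-?mail\b", re.I)

# Constructed sample resembling the recruiter-targeted lure (not a real TA4557 message).
SAMPLE_PHISH = """From: John Jones <john@johnjones.com>
To: recruiting@example-corp.test
Subject: Interested in the Senior Developer role

Hello,
I saw your posting and would like to apply. For security reasons I don't
include links in email; my full resume is on my personal site, which you
can reach by typing the domain from my email address into your browser.
Regards,
John
"""

# Constructed variant that names the sender's own domain outright.
SAMPLE_DOMAIN_MENTION = """From: John Jones <john@johnjones.com>
To: recruiting@example-corp.test
Subject: Application

Hi, my updated CV is on my website. Just visit johnjones.com directly;
I don't send links.
"""

# Constructed benign application with an ordinary hyperlink.
SAMPLE_BENIGN = """From: Jane Roe <jane@example.org>
To: recruiting@example-corp.test
Subject: Application for the Senior Developer role

Hello, my profile and CV are at https://www.linkedin.com/in/janeroe-constructed
Thanks, Jane
"""


def sender_domain(msg: Message) -> str:
    """Return the lower-cased domain of the From: address, or '' if none."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Collect the text/plain body, handling both single-part and multipart mail."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    payload = msg.get_payload(decode=True)
    return (payload or b"").decode("utf-8", "replace")


def triage(raw: str) -> dict:
    """Score one raw RFC 822 message for the 'resume on my own domain' lure."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    body = body_text(msg)
    flags = []

    has_link = bool(URL_RE.search(body))
    # A resume said to be on a personal site, yet no link anywhere in the body.
    if PERSONAL_SITE_RE.search(body) and not has_link:
        flags.append("resume said to be on a personal site, but no link given")
    # Recipient is told to work out the website from the sender's email address.
    if DERIVE_DOMAIN_RE.search(body):
        flags.append("recipient told to derive the website from the sender address")
    # The sender's own domain is named as a bare hostname outside any URL.
    stripped = URL_RE.sub(" ", body)
    if domain and any(m.group(0).lower() == domain
                      for m in BARE_DOMAIN_RE.finditer(stripped)):
        flags.append("body names the sender's own domain as a site to visit")

    return {"sender_domain": domain, "flags": flags, "suspicious": bool(flags)}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH),
                         ("domain-mention", SAMPLE_DOMAIN_MENTION),
                         ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample))
```

A hit from this script is a reason to route the message to a human reviewer or to a sandbox, not proof of malice on its own; legitimate applicants do occasionally mention a personal site without linking it, so the value is in surfacing the pattern for review rather than in auto-blocking.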
Separately, researchers at Nisos say hackers believed to be from North Korea are applying for IT jobs with American companies. Their goal is to infiltrate organizations and steal data that can help in North Korea’s weapons development. These applicants claim to have expert programming skills, and may even say they live in the U.S. Those involved in the scheme aren’t very sophisticated because they have created several web pages on IT networking sites with resumes that have different names but the same photo.
SAP issued 17 new or updated security patches this week, including four HotNews Notes and four High Priority Notes. According to researchers at Onapsis, two of the updates are follow-ups to an operating system vulnerability patched in July. Another addresses a critical escalation of privileges vulnerability in the SAP Business Technology Platform.
The U.S. telecommunications regulator has — again — reminded wireless carriers that they have to protect their customers from threat actors. In particular the Federal Communications Commission has warned carriers to find ways of preventing crooks from convincing them to digitally switch a customer’s phone number to a different SIM card. SIM-card swapping is one of the ways threat actors can get control over a victim’s phone and from there access the victim’s personal and corporate email and possibly their bank account. Failure to reasonably protect customer information is a violation of federal law and FCC rules. This reminder comes after the FCC last month issued new rules that carriers have to follow to prevent such scams.
There’s a link between a threat group nicknamed Sandman and suspected Chinese-based groups. That’s according to researchers at SentinelLabs, Microsoft and PwC. The link is that Sandman’s malware and a backdoor used by suspected Chinese groups have been seen together in the IT environments of some victim organizations. The belief is these groups share infrastructure control and attack management practices. The researchers aren’t sure if this is one group, so for the time being they are being monitored individually. Their report includes indicators of compromise that defenders can watch for.
There’s a new version available of Apache Struts, an open-source framework for creating Java web applications. It fixes a critical vulnerability that could allow an attacker to do nasty things.
Finally, yesterday was December’s Patch Tuesday, when Microsoft and others released security updates. There are 34 Windows fixes available. In addition, Atlassian released patches for four critical vulnerabilities. They include fixes for Confluence Data Center and Confluence Server, the cloud, server and data centre versions of Jira, and Atlassian Companion for macOS.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.