Three warnings to application developers
Welcome to Cyber Security Today. It’s Monday, January 15th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
From time to time I report that malware was found on Microsoft’s GitHub application development platform. Threat actors leave bad code there hoping to trick developers into downloading infected snippets to include in their apps. But a new report from researchers at Recorded Future says the strategy of abusing GitHub’s many services is only increasing. The abuse includes payload delivery, dead drop resolving, full command-and-control and data exfiltration. “GitHub’s popularity among threat actors lies in its ability to allow them to blend in with legitimate network traffic,” says the report. You may have heard of ‘living off the land,’ where threat actors use the tools in legitimate software like Windows to further their attacks. Abuse of GitHub and other platforms is called ‘living-off-trusted-sites.’ GitHub told The Register that it has teams and automated systems dedicated to detecting malicious content. Meanwhile, application developers have to be careful downloading code from any open source repository. And platforms have to protect themselves from being exploited by threat actors.
A separate report came out at the same time showing how platforms can be manipulated. Security researcher John Stawinski and colleagues showed how malicious code created on the PyTorch machine learning framework could be uploaded to GitHub, AWS and other places. The report is another warning that threat actors are exploiting holes in continuous application integration and deployment platforms to further supply chain attacks.
And here’s the third warning: Developers using the GitLab Community or Enterprise DevOps software are being urged to upgrade to the latest versions. They have important security fixes to close two critical vulnerabilities. One could give a hacker the ability to take over an account through a password reset.
Modular laptop manufacturer Framework is telling customers that their personal information was stolen in a January 11th data breach at its accounting and consulting provider. This comes from SecurityWeek, which says it’s seen the notification Framework is sending. Customers are being told that an employee of Keating Consulting fell for a phishing message that pretended to be from the consulting firm’s CEO. That message asked the employee to send accounts receivable information of Framework buyers, which included their names, email addresses and balance owed on products.
Singing River Health System, which includes three hospitals in Mississippi, is notifying over 250,000 people of a data theft last August. It was part of a ransomware attack. Data stolen includes people’s names, dates of birth, addresses, Social Security numbers, medical and health insurance information.
American actuarial firm Milliman Inc. has upped the number of people affected by the hack of a MOVEit server used by a third-party data processor. The company now says just over 56,000 people had their data stolen. That’s up from the original estimate of 44,000.
Police in Ukraine have arrested a person they believe is the mastermind behind a sophisticated cryptojacking scheme. The suspect is believed to have mined over US$2 million in cryptocurrencies by compromising servers of an unnamed American cloud provider. According to Bleeping Computer, Ukrainian police say the suspect broke into 1,500 accounts by brute-forcing their passwords. Europol says cloud providers and customers should make sure strong access control and authentication is used to protect servers and accounts.
A digital currency trading company will pay a US$8 million penalty for violating New York State’s virtual currency and cybersecurity regulations. Genesis Global Trading failed to meet required monitoring and cybersecurity standards, the state’s financial regulator found. As a result not only is it fined, the company is surrendering its BitLicence and is being closed.
Russia’s Sandworm hacking group was suspected of being behind two waves of cyber attacks last May against companies in Denmark. However, researchers at Forescout aren’t so sure. In a new report they say the two groups of attacks were unrelated. They also believe the second wave was a mass exploitation of unpatched Zyxel firewalls and not part of a targeted attack by any nation-state-sponsored group. Regardless of the source, the lesson of the attacks remains: Poorly secured routers, firewalls and servers are a prime target for any threat actor.
Juniper Networks has released updates to its Junos operating system for its SRX firewalls and EX switches. This is to close a critical vulnerability that could allow an attacker to cause a denial of service or run code remotely to get root access to a Juniper device.
Finally, Apple has updated its firmware for Magic Keyboard users. It closes a Bluetooth hole that could be abused by a bad person to mess up a Mac, iPhone, iPad or Apple TV digital media player. If you use a Magic Keyboard, make sure it’s running version 2.0.6.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.