IT provider recovering from a cyber attack, more action from Karakurt and Chinese attackers and new Linux malware.
Welcome to Cyber Security Today. It’s Friday, July 8th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
American-based cybersecurity solution provider SHI International, which has offices around the world including Canada, France, the U.K. and Hong Kong, is recovering after a cyber attack last weekend. The company said it was the target of what it called “a co-ordinated and professional malware attack.” In a blog it says the incident was swiftly identified and measures were taken to minimize the impact. That included taking websites and email offline. Email service has been restored, but as of Thursday afternoon, when this podcast was recorded, the home page of SHI.com and the Canadian SHI.ca only showed the incident statement. The company’s normal web pages had been shifted to a domain starting blog.shi.com.
The Karakurt data theft and extortion group is back. That’s according to researchers at Cyberint, who note that at the end of last month the gang launched a new data leak site listing alleged victims. That new site listed 34 organizations. The site offers victims the ability to buy back copied data. Victims are listed in three categories: those who are unwilling to pay a ransom for stolen data and risk it being publicly released, those whose data is in the process of being published, and those whose data is fully published. The strategy is to increase the pressure on organizations to pay before they’re embarrassed by the release of the stolen data. In May, researchers at AdvIntel said Karakurt partners with some of those behind the Conti ransomware group.
Here’s something interesting: A Chinese state-supported threat actor is allegedly targeting Russian organizations. That’s the claim made by researchers at SentinelLabs. The attacks use phishing emails to deliver infected Office documents that install a remote access trojan. Ironically, one document purports to be a warning from Russia’s cyber centre to watch for attempts to steal employee passwords. “It remains clear that the Chinese intelligence apparatus is targeting a wide range of Russian-linked organizations,” say the researchers.
A new threat to Linux systems has been found. It’s being dubbed OrBit, and according to a researcher at Intezer, once the malware is installed it will infect all of the running processes on a computer or server. The report doesn’t say how the malware is distributed — through email, an application weakness or another method. But it does say the malware gains persistence on the machine by hooking into key functions, giving the attacker remote access capabilities over SSH, stealing credentials, and logging TTY commands.
Application developers using the OpenSSL library for implementing the SSL and TLS security protocols should install the latest version of the platform. That’s because the project has released patches to close a high-severity bug. You should be using version 3.0.5.
Finally, network administrators using Apache HTTP Server version 2.4.5 are urged to update to the latest version. That’s version 2.4.54 or above. It closes a memory allocation vulnerability that could cause a denial of service, according to a report in The New Stack.
Later today the Week in Review edition will be out. Guest Terry Cutler of Cyology Labs will be here to discuss how to start a career in cybersecurity.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.