Ransomware groups getting twitchy, and install these security updates
Welcome to Cyber Security Today. It’s Wednesday June 9th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
This podcast is brought to you by Terranova Security, helping you discover how to build an effective security awareness training program and train the world’s cyber heroes from a lineup of cyber security experts. Register now for the 2021 Security Awareness Virtual Summit by clicking here.
Ransomware gangs appear a bit edgy these days. And that was before the FBI and the U.S. Justice Department made the surprising announcement on Monday they had recovered about half of the ransom money paid last month by Colonial Pipeline. Consider these incidents: Last week researchers found a new strain of ransomware which calls itself PayloadBin. It was a name that had popped up at the end of May on the data leak site of a ransomware gang called Babuk. But researchers now say PayloadBin is a rebranding of ransomware being used by a gang called either Dridex or Evil Corp. According to the Bleeping Computer news site, one theory is Evil Corp is using the new malware name to avoid being linked to groups the United States has forbidden companies from sending money to.
Meanwhile an alleged spokesperson for the REvil gang was interviewed on a Russian language Telegram channel claiming it had no intention of targeting U.S. companies. This came after REvil was accused of being behind last week’s ransomware attack on the JBS Foods meat packing corporation. The ThreatPost news site quotes the spokesperson saying the gang was focusing on companies in Brazil. That’s where JBS is headquartered. However, the attack led to temporary plant closings in the U.S. and Australia, and plant shifts being canceled in Canada. In recent days the U.S. has said it is going after ransomware groups. As a result, the REvil spokesperson said, the gang has canceled its ban on U.S. attacks.
Another reason ransomware groups might be on edge? When the CEO of Colonial Pipeline testified before a U.S. Senate committee on Tuesday, one of the things he said was the FBI was closer to identifying the perpetrators of the ransomware attack on his company. The FBI has already blamed the Darkside group as being behind the ransomware attack. According to the executive’s testimony, the FBI has a malware centre of excellence that among other things specializes in Darkside.
Separately, three more Canadian firms have recently been listed as victims of a ransomware group called Pysa. I haven’t been able to confirm this, so I won’t name them. But they are allegedly a Southern Ontario fire alarm monitoring company, a Newfoundland security company and a Quebec kitchen cabinet maker.
Another serious vulnerability has been found in a WordPress plugin. This time it’s the Fancy Product Designer plugin, which website developers use to let customers upload images and PDF files to products. According to a security firm called Wordfence, which discovered the problem, an attacker could bypass the plugin’s file checks and upload files allowing them to take over the website. Administrators are urged to install the latest version of Fancy Product Designer to close the hole. Some 17,000 WordPress websites use this product.
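The flaw above belongs to the unrestricted-file-upload class: a site lets users upload images and PDFs, and a weak check lets something executable through instead. As an added illustration of the defensive side (this is example code written for this page, not Fancy Product Designer's or Wordfence's code, and it says nothing about how that plugin's own check failed), the following Python validator shows the checks an upload handler for an image-and-PDF feature should make. The allowlist, the magic-byte table and the sample uploads are constructed for the example.

```python
import re
import secrets

# Constructed allowlist for the kinds of files a product-design uploader
# needs (images and PDFs). Each extension maps to the magic bytes a genuine
# file of that type starts with; anything else is refused whatever its name.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions a typical web server hands to an interpreter or treats as
# configuration. They are refused wherever they appear in the name, so a
# double extension such as "shell.php.png" is caught as well.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "cgi", "pl", "py", "sh", "asp", "aspx", "jsp", "htaccess",
}


class UploadRejected(ValueError):
    """Raised when an upload fails any check; the message names the check."""


def validate_upload(filename: str, content: bytes) -> str:
    """Check an uploaded file and return a server-generated name for it.

    The client-supplied name is used only for validation and never for
    storage, so it cannot steer the file into another directory or pick
    an extension the checks did not approve.
    """
    if not filename or "\x00" in filename:
        raise UploadRejected("empty name or embedded NUL byte")
    if "/" in filename or "\\" in filename:
        raise UploadRejected("path separators are not allowed")

    parts = filename.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("no extension")
    ext = parts[-1]

    # Every dotted part after the base name is checked, not just the last.
    for part in parts[1:]:
        if part in EXECUTABLE_EXTENSIONS:
            raise UploadRejected(f"executable extension '{part}' in name")
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension '{ext}' is not in the allowlist")

    # The declared type must match what the bytes actually are.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")

    # Defence in depth: a valid image header followed by a PHP open tag is a
    # classic way to smuggle code past type checks. Only the long tag is
    # searched for, to avoid false positives on binary data; the real
    # safeguard is a web server that never executes files from the upload
    # directory.
    if b"<?php" in content:
        raise UploadRejected("embedded PHP open tag")

    # Random server-side name: 32 hex characters plus the approved extension.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Boolean wrapper around validate_upload for quick checks."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample uploads: a minimal PNG header, a PHP file with a
    # PNG name, a double extension, a traversal attempt and a polyglot.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("stored as:", validate_upload("design.png", png))
    samples = [
        ("shell.php", b"<?php echo 1;"),
        ("shell.php.png", png),
        ("../../x.png", png),
        ("x.png", b"<?php echo 1;"),
        ("x.png", png + b"<?php echo 1;"),
    ]
    for name, data in samples:
        print(f"{name!r:20} accepted={is_accepted(name, data)}")
```

The ordering matters: the name is screened before the content is read, the magic bytes are checked against the extension the allowlist approved rather than against whatever the client claimed, and the stored name is generated server-side so that nothing the user typed reaches the filesystem.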
Yesterday was Microsoft’s monthly Patch Tuesday, when it releases security patches for Windows, Office and other products. Also included this time are patches for Intel processors and Adobe Acrobat PDF Reader and Photoshop software. Usually Windows is set to automatically download updates, but it doesn’t hurt to check.
It’s always important to install the latest security updates on everything that runs on your computer, more so this week because researchers at Kaspersky discovered a new attack against the latest versions of Windows 10. This attack combines vulnerabilities in the Google Chrome browser with vulnerabilities in Windows. So not only do you have to make sure Windows is patched, if you use Chrome make sure it’s on the latest version. Kaspersky found the attackers are using a chain of Chrome and Windows exploits in highly targeted attacks to take over systems.
Separately, IT administrators running the RabbitMQ, EMQ X and VerneMQ open source message brokers are urged to install the latest patches. The vulnerabilities can allow a denial of service attack, according to researchers at Synopsys who discovered the faults. Message brokers are behind-the-scenes components of software systems that let multiple independent components exchange messages with each other.
That’s it for now. Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.