A SonicWall device hacked, a ransomware attack on a Canadian engineering firm and a fast business email attack.
Welcome to Cyber Security Today. It’s Friday, March 10th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Security experts regularly hound IT departments to patch software and hardware as soon as possible. Here’s another example why: Researchers at Mandiant recently discovered a compromised, unpatched SonicWall mobile access appliance at an unnamed organization. This device allows employees to securely log into the organization’s IT network. It isn’t clear how the device was hacked, but it was likely broken into two years ago. And despite several firmware updates, the attacker was able to maintain their hold on the device. The goal was to steal the hashed credentials of all users. A China-based threat actor is suspected of being behind this compromise.
A Canadian engineering firm with defence and other critical infrastructure contracts has been hit by ransomware. According to the Canadian Press, corporate customers of Black & McDonald have confirmed being told of the attack. And the cyber news site The Register says the Canadian defence department also says it was informed. The Register quotes a defence department spokesperson saying so far there is no evidence of any effects on its IT systems.
Some threat actors take their time surveying a compromised IT system. Others strike fast. This week Microsoft gave an example, detailing a business email compromise attack in January. The goal of this kind of attack is to send a convincing email to an employee that seemingly comes from an executive asking to transfer funds to an account controlled by the hacker. This particular attack started in December, when the threat actor stole a cookie from a target company to bypass multifactor authentication. In January the threat actor logged into an email account of the target organization, then spent two hours in the victim’s email looking for a thread to hijack between that employee and another company. When one was found, over the next seven minutes the attacker registered two lookalike web domains to fool the employee, then sent an email message to the staffer with new money transfer instructions. After that, the attacker deleted the email message from the victim’s Sent Items folder to destroy the evidence. Fortunately, in this case the attack was detected. One lesson is that staff have to be trained to be suspicious of messages asking for changes in expected money transfer routines. Another lesson is the need to better protect email and authentication systems from being hacked.
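Two of the steps in that sequence leave traces a defender can look for: a newly registered domain that is one or two characters away from a real partner's domain, and a message that is sent and then hard-deleted from Sent Items minutes later. The following is an added example, not code from the podcast or from Microsoft's report, showing both checks in Python over a constructed list of mailbox audit events. The partner domain, event fields and timestamps are all assumptions made up for the example; a real deployment would feed in its own mail-audit export.

```python
"""Added example: two defender-side checks for the BEC pattern described above.

All data below is constructed for illustration; the event shape is an
assumption, not any vendor's audit-log schema.
"""
from datetime import datetime, timedelta

# Assumed list of legitimate partner domains the organisation exchanges invoices with.
KNOWN_PARTNER_DOMAINS = ["northwind-traders.com"]

# Constructed mailbox audit events for one user: a normal send, a send that is
# hard-deleted four minutes later, and an inbound message from a lookalike domain.
SAMPLE_EVENTS = [
    {"time": "2023-01-16T09:00:00", "op": "Send", "message_id": "m-1000",
     "sender_domain": "victim-corp.example"},
    {"time": "2023-01-16T10:00:00", "op": "Send", "message_id": "m-1001",
     "sender_domain": "victim-corp.example"},
    {"time": "2023-01-16T10:04:00", "op": "HardDelete", "message_id": "m-1001",
     "folder": "Sent Items"},
    {"time": "2023-01-16T10:05:00", "op": "Receive", "message_id": "m-2001",
     "sender_domain": "northwind-trader.com"},
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _split_domain(domain: str):
    """Return (everything left of the TLD, TLD), lower-cased."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]


def lookalike_match(candidate: str, known_domains, max_distance: int = 2):
    """Return the known domain that `candidate` imitates, or None.

    A domain is flagged if it is within `max_distance` edits of a known
    domain (e.g. a dropped or swapped letter) or if it reuses the known
    name under a different TLD. An exact match is never flagged.
    """
    cand = candidate.lower().strip()
    cand_name, cand_tld = _split_domain(cand)
    for known in known_domains:
        known = known.lower()
        if cand == known:
            return None
        known_name, known_tld = _split_domain(known)
        if levenshtein(cand, known) <= max_distance:
            return known
        if cand_name == known_name and cand_tld != known_tld:
            return known
    return None


def flagged_senders(events, known_domains=KNOWN_PARTNER_DOMAINS):
    """List (sender_domain, imitated_domain) pairs seen in the events, de-duplicated."""
    seen = []
    for ev in events:
        domain = ev.get("sender_domain")
        if not domain:
            continue
        hit = lookalike_match(domain, known_domains)
        if hit and (domain, hit) not in seen:
            seen.append((domain, hit))
    return seen


def sent_then_deleted(events, window_minutes: int = 10):
    """Message ids that were sent and then hard-deleted from Sent Items within the window."""
    deletes = {ev["message_id"]: datetime.fromisoformat(ev["time"])
               for ev in events
               if ev["op"] == "HardDelete" and ev.get("folder") == "Sent Items"}
    window = timedelta(minutes=window_minutes)
    hits = []
    for ev in events:
        if ev["op"] != "Send":
            continue
        sent_at = datetime.fromisoformat(ev["time"])
        deleted_at = deletes.get(ev["message_id"])
        if deleted_at is not None and timedelta(0) <= deleted_at - sent_at <= window:
            hits.append(ev["message_id"])
    return sorted(hits)


if __name__ == "__main__":
    print("lookalike senders:", flagged_senders(SAMPLE_EVENTS))
    print("sent-then-deleted:", sent_then_deleted(SAMPLE_EVENTS))
```

Neither check is proof of compromise on its own; a typo in a partner's domain or a user tidying their Sent Items will trigger them too. Their value is as a correlation signal: a lookalike sender appearing in an existing payment thread, close in time to a send-then-delete from the same mailbox, is the shape of the attack Microsoft describes and is worth an analyst's attention.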
American telco AT&T is notifying 9 million cellphone customers that some of their account information was stolen. According to DataBreaches.net, a hacker got into the IT system of an AT&T partner and accessed the Customer Proprietary Network Information database. It lists the services customers have with AT&T. The telco says no sensitive personal or financial information was accessed.
Attention Linux administrators: The IceFire ransomware strain now works on Linux systems. According to researchers at SentinelLabs, typically an IceFire victim is hit initially by clicking on an email attachment. However, in one case the target organization’s Linux system was hit through its unpatched IBM Aspera Faspex file transfer software.
Finally, users of Google Chrome should note there’s a new version out. Version 111 includes 40 security fixes.
That’s it for now. But later today the Week in Review podcast will be available. Guest Terry Cutler of Cyology Labs will be with me to discuss a new and damaging Windows bootkit, law firms under attack, cybersecurity help for Canadian non-profits and the hack of a LastPass developer’s home computer.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.