A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from open source repositories.
Welcome to Cyber Security Today. It’s Wednesday March 27th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Despite repeated warnings that old internet-connected devices are being compromised by threat actors, organizations and individuals continue to keep these devices online and inadvertently help spread malware. The latest alert comes from researchers at Lumen, who say a network of roughly 40,000 infected small-office and home-office routers and other devices is part of a criminal botnet. The botnet feeds a proxy network dubbed Faceless that crooks use to anonymize their attacks. In operation since 2014, it infects unpatched devices with malware that then looks for and infects other devices. In the first week of March the botnet targeted over 6,000 Asus routers in less than 72 hours. Many small organizations and individuals install a router or internet-connected video camera and forget about it for years. They can’t afford to. Like desktop computers and smartphones, any internet-connected device has to be checked regularly for available security updates. And if updates are no longer available, the device has to be replaced.
Attention owners of Apple devices running the iOS and macOS operating systems: New security patches are available to close a vulnerability.
Canadian discount retail chain Giant Tiger continues dealing with the theft of customer information earlier this month. That data was stolen from a company that manages its customer marketing. Giant Tiger is telling affected customers that their names, email addresses, street addresses and phone numbers are among the information that may have been copied. Victims subscribed to Giant Tiger email advertising, registered in a loyalty plan, or placed an order for home delivery or store pickup. No payment card data or passwords were stolen.
Threat actors are going after what some believe is a critical vulnerability in Anyscale Ray, a widely used open source artificial intelligence framework. Researchers at Oligo say it’s one of five recently discovered holes in Ray. Four were patched, but the fifth has not been addressed, and Oligo says it has been exploited for the last seven months. All organizations using Ray are urged to review their IT environments to ensure they haven’t been compromised.
UPDATE: After this was published Anyscale issued this explanation and fix.
A new malware loader has been spotted that can bypass antivirus defences. Researchers at Trustwave, who spotted the loader, say that at the moment it is distributing the Agent Tesla malware. Agent Tesla executes in memory and steals data such as passwords from infected computers. In the incident Trustwave investigated, an employee of an organization got an email with an attachment purporting to be a payment receipt from a bank. That lure may change to other themes, all aimed at getting a victim to open the attachment. Every organization has to have a strategy of regularly reminding employees of the suspicious signs to watch for before opening email attachments.
Here’s another reminder to be careful downloading code from open-source repositories. Researchers at ReversingLabs recently discovered a suspicious package in the NuGet repository for .NET packages. The package, a .dll, may be targeting developers working with apps for a Chinese company called Bozhon Precision Industry, which makes a wide range of consumer and industrial products. If installed in an application, this suspicious package takes screenshots from infected devices. Is the purpose to spy on Bozhon and steal data? To spy on its customers? Or was it created by a Bozhon developer to help their work? No one knows. But it has been downloaded 2,400 times. As I said, it’s another example of why you have to be careful what you download.
Open-source code repositories are targets for hackers because they are a great way to spread malware. This week researchers at Checkmarx described a complex campaign by a threat actor to infect software supply chains. It includes compromising a GitHub community of developers by taking over accounts, and standing up a look-alike mirror of the Python PyPI registry to publish an infected version of the popular ‘Colorama’ package. The malware being spread harvests browser cookies, login credentials, credit card numbers, data from cryptocurrency wallets and more. Again, developers have to take great care in downloading packages for their applications, even from trusted sources.
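One concrete way to act on that warning is to make a mirror serving a tampered package fail rather than succeed. The following is an added example, not code from Checkmarx, the podcast or any project they mention: it audits a pip requirements file for the two things that would have defeated a look-alike PyPI mirror, an index URL that is not the official one and requirements without sha256 hash pins. The approved host list, the flagging rules and the sample requirements text (including its placeholder digest and the `pypi-mirror.example` host) are assumptions constructed for illustration.

```python
"""Audit a pip requirements file for supply-chain weak spots.

Added example, not code from Checkmarx, the podcast or any project it mentions.
Assumptions: the approved index hosts below, the flagging rules, and the
sample requirements text (constructed for illustration, placeholder digest).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

OFFICIAL_INDEX_HOSTS = {"pypi.org", "files.pythonhosted.org"}  # assumption: the only allowed hosts
INDEX_OPTS = ("-i", "--index-url", "--extra-index-url")
SHA256_HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


@dataclass
class Finding:
    line_no: int   # first physical line of the logical requirement line
    text: str
    reason: str


def _logical_lines(text: str) -> list[tuple[int, str]]:
    """Strip comments and join backslash-continued lines (pip's hash style)."""
    out, parts, start = [], [], None
    for n, raw in enumerate(text.splitlines(), start=1):
        stripped = re.sub(r"(^|\s)#.*$", "", raw).strip()   # pip comments start with ' #'
        if start is None:
            start = n
        if stripped.endswith("\\"):
            parts.append(stripped[:-1].strip())
            continue
        parts.append(stripped)
        joined = " ".join(p for p in parts if p)
        if joined:
            out.append((start, joined))
        parts, start = [], None
    return out


def audit_requirements(text: str) -> list[Finding]:
    """Return one Finding per weak spot: rogue index, missing/odd hash, unpinned version."""
    findings = []
    for line_no, line in _logical_lines(text):
        tokens = line.split()
        opt, has_eq, value = tokens[0].partition("=")
        if opt in INDEX_OPTS:
            url = value if has_eq else (tokens[1] if len(tokens) > 1 else "")
            host = urlparse(url).hostname or ""
            if host not in OFFICIAL_INDEX_HOSTS:
                findings.append(Finding(line_no, line, f"package index {host!r} is not an approved index"))
            elif opt == "--extra-index-url":
                findings.append(Finding(line_no, line, "extra index allows dependency confusion; use one index"))
            continue
        if tokens[0].startswith("-"):
            continue  # other pip options (e.g. --require-hashes) are not audited here
        hashes = [t for t in tokens if t.startswith("--hash=")]
        if not hashes:
            findings.append(Finding(line_no, line, "no --hash pin; a mirror could serve a tampered artifact"))
        elif not all(SHA256_HASH_RE.fullmatch(h) for h in hashes):
            findings.append(Finding(line_no, line, "hash is not a well-formed sha256 digest"))
        if "==" not in tokens[0]:
            findings.append(Finding(line_no, line, "version is not pinned with =="))
    return findings


# Constructed sample, not from any real project; the sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not from any real project
--index-url https://pypi-mirror.example/simple   # look-alike mirror, not the official index
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
colorama==0.4.6
pyyaml>=6.0 \\
    --hash=md5:00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.reason}\n    {f.text}")
```

Once every requirement carries a sha256 pin, installing with `pip install --require-hashes -r requirements.txt` makes pip reject any downloaded artifact whose digest differs from the pinned one, whichever index served it; the audit above is the pre-check that tells you whether that mode can be switched on.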
March 31st of every year is World Backup Day. This year it falls on a Sunday. Regardless, the purpose is to remind senior corporate and IT leaders to review their data backup and recovery plans. Data backup is a vital part of any organization’s cybersecurity defence strategy. Start with identifying where your sensitive data is. It’s not just in the server or servers where data is initially stored. Sensitive data can be copied multiple times by staff for analysis, so it can be on employees’ desktop computers, sitting in individuals’ email folders or copied onto file transfer servers. You’ve got to know where data is to protect it, and then to back it up. Then decide how often data needs backing up in line with the organization’s recovery objectives, that is, how much data it can afford to lose and how quickly it must be back. Some firms need to do it every minute, others at the end of the day. Whatever your needs are, data has to be backed up in several places: one copy on prem and one copy in the cloud at the very least. Finally, backups and recovery have to be tested regularly, not only to confirm the integrity of what was copied but also so the IT staff involved have the restore procedure down pat. You’ll find lots of advice on backups from government sources like the U.S. National Institute of Standards and Technology and the U.S. Cybersecurity and Infrastructure Security Agency. On this Friday’s Week in Review podcast guest commentator David Shipley and I will discuss more about backups.
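What "testing a backup for integrity" looks like in practice is a restore into a scratch location compared against a record made at backup time. The following is an added example, not from the podcast, NIST or CISA: it archives a directory together with a sha256 manifest, restores the archive into a temporary directory and checks every file against the manifest that was recorded when the backup was taken. The sample files, the archive name and the final step that makes the backup diverge from its recorded manifest are constructed for the demonstration.

```python
"""Back up a directory with a hash manifest, then prove it restores intact.

Added example, not from the podcast, NIST or CISA. The sample files and the
divergence step are constructed; all paths are temporary and chosen here.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a .tgz of source plus MANIFEST.json; return the manifest to keep off-box."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        for rel in manifest:
            tar.add(str(source / rel), arcname=rel)
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def verify_restore(archive: Path, expected: dict[str, str]) -> list[str]:
    """Restore into a scratch directory and compare with the manifest recorded at backup time.

    Returns a list of problems; an empty list means the restore test passed.
    """
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(str(archive), "r:gz") as tar:
            # The 'data' extraction filter (3.12+, also in recent maintenance releases)
            # refuses path traversal and special members; older interpreters lack it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **kwargs)
        shipped = json.loads((dest / "MANIFEST.json").read_text())
        if shipped != expected:
            problems.append("manifest inside the archive differs from the recorded manifest")
        for rel, digest in expected.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def run_demo() -> tuple[list[str], list[str]]:
    """Back up constructed files, verify, then show that a diverged backup is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "reports").mkdir(parents=True)
        (src / "customers.csv").write_text("id,email\n1,alice@example.com\n")  # constructed
        (src / "reports" / "q1.txt").write_text("quarterly numbers\n")         # constructed
        archive = Path(tmp) / "backup.tgz"
        recorded = create_backup(src, archive)
        clean = verify_restore(archive, recorded)
        # A later backup taken after the data changed, checked against the manifest
        # recorded earlier: the hash comparison is what surfaces the divergence.
        (src / "customers.csv").write_text("id,email\n1,mallory@example.com\n")
        create_backup(src, archive)
        diverged = verify_restore(archive, recorded)
    return clean, diverged


if __name__ == "__main__":
    clean, diverged = run_demo()
    print("clean restore problems:", clean)
    print("diverged restore problems:", diverged)
```

The manifest is returned to the caller rather than trusted from inside the archive because anything that can alter the archive can alter a manifest stored in it; keeping the recorded copy with the off-site backup is the cheapest way to detect a backup that has quietly drifted from what you believe it contains.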
Finally, crooks continue to use phone scams to scare families for cash. One of the latest was reported Monday by a Cincinnati TV station, which said a local appliance store owner got what he thought was a hysterical call from his daughter. Then a man got on the line and demanded US$5,000 or his daughter would be harmed. Fortunately, a store employee heard what was happening and phoned the daughter, who was safe in school. This was a so-called virtual kidnapping. It may be helped by technology that can impersonate a voice. There are variations of this scam. For example, a supposed family member calls and says they’ve been in a car accident and need money immediately for a lawyer, or to be released on bail. The crooks may want money wired to them. Or they may want the victim to pay in cryptocurrency or with a prepaid gift card. These are prime signs the call is a scam. How can you protect your family from being taken by scams like this? First, if you have a second phone, call the family member who’s supposedly in trouble. If they answer the phone and say they are safe, hang up on the scammer. Also, agree on a family codeword to be used in case there is trouble. Your family member has to give the codeword as proof they really are in trouble.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.