A warning about Amazon RDS snapshots, a new ransomware strain found, and more.
Welcome to Cyber Security Today. It’s Friday, November 18th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Organizations using Amazon’s relational database-as-a-service, known as RDS, are being warned that improperly secured snapshot backups can be a source of personal information for hackers. The warning comes from researchers at Mitiga, who found a way to scan, clone and extract sensitive data from RDS snapshots. Administrators can share a manual snapshot with other AWS accounts, or mark it public so that any AWS account can copy it. A snapshot that has been made public, or shared with the wrong account, can be copied and restored by a hacker, who then has the full contents of the database. Worse, the researchers said, with some work a hacker could figure out which organization the snapshot came from and threaten to release the data unless it pays them off. In doing their work the researchers found 2,783 snapshots around the world, 810 of which were publicly accessible. Mitiga says RDS administrators and users should take care to securely configure and encrypt these snapshots, and to check which of them are shared or public.
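A way to check this in your own account, as an added example that is not Mitiga’s scanner or code from the podcast: it pages through every manual RDS snapshot (only manual snapshots can be shared), reads each one’s sharing attribute, and flags snapshots that are public or unencrypted. The three RDS API calls it uses (describe_db_snapshots, describe_db_snapshot_attributes and modify_db_snapshot_attribute) are real boto3 calls; the client and snapshot data below are a constructed stand-in so the logic runs offline, and the snapshot names are made up.

```python
"""Audit Amazon RDS manual snapshots for public sharing and missing encryption.

Added example; not Mitiga's tooling or code from the podcast. The boto3 RDS
calls used here are real, but ConstructedRdsClient is a stand-in for
boto3.client("rds") with constructed data so the audit runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class SnapshotFinding:
    snapshot_id: str
    encrypted: bool
    public: bool                                      # 'restore' contains 'all'
    shared_with: list = field(default_factory=list)   # explicit account IDs

    @property
    def risky(self) -> bool:
        # A public snapshot can be copied by any AWS account; an unencrypted
        # one yields plaintext to whoever it is shared with.
        return self.public or not self.encrypted


def classify_snapshot(snapshot: dict, attributes: list) -> SnapshotFinding:
    """snapshot: one element of describe_db_snapshots()['DBSnapshots'].
    attributes: ...['DBSnapshotAttributesResult']['DBSnapshotAttributes'].
    AWS encodes sharing in the 'restore' attribute: a list of account IDs,
    or the literal value 'all' when the snapshot is public."""
    restore_values = []
    for attr in attributes:
        if attr.get("AttributeName") == "restore":
            restore_values.extend(attr.get("AttributeValues", []))
    return SnapshotFinding(
        snapshot_id=snapshot["DBSnapshotIdentifier"],
        encrypted=bool(snapshot.get("Encrypted", False)),
        public="all" in restore_values,
        shared_with=[v for v in restore_values if v != "all"],
    )


def audit_snapshots(rds) -> list:
    """Walk every manual snapshot in the account, following the Marker
    pagination that describe_db_snapshots uses, and classify each one."""
    findings, kwargs = [], {"SnapshotType": "manual"}
    while True:
        page = rds.describe_db_snapshots(**kwargs)
        for snap in page["DBSnapshots"]:
            attrs = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"]
            )["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]
            findings.append(classify_snapshot(snap, attrs))
        if not page.get("Marker"):
            return findings
        kwargs["Marker"] = page["Marker"]


def remove_public_access(rds, finding: SnapshotFinding) -> bool:
    """Revoke public sharing on one snapshot. Returns True if anything changed."""
    if not finding.public:
        return False
    rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=finding.snapshot_id,
        AttributeName="restore",
        ValuesToRemove=["all"],
    )
    finding.public = False
    return True


class ConstructedRdsClient:
    """Constructed stand-in for boto3.client('rds') with the same response
    shapes; the snapshot names and account ID are made up."""
    PAGE = 2  # small page size so the Marker loop above is exercised

    def __init__(self):
        self.state = {  # id -> (encrypted, values of the 'restore' attribute)
            "prod-customers-2022-11-01": (True, []),
            "prod-customers-vendor-copy": (False, ["all"]),
            "analytics-share": (True, ["123456789012"]),
        }

    def describe_db_snapshots(self, SnapshotType="manual", Marker=None):
        ids = sorted(self.state)
        start = ids.index(Marker) if Marker else 0
        chunk = ids[start:start + self.PAGE]
        resp = {"DBSnapshots": [{"DBSnapshotIdentifier": i, "Encrypted": self.state[i][0]}
                                for i in chunk]}
        if start + self.PAGE < len(ids):
            resp["Marker"] = ids[start + self.PAGE]
        return resp

    def describe_db_snapshot_attributes(self, DBSnapshotIdentifier):
        return {"DBSnapshotAttributesResult": {
            "DBSnapshotIdentifier": DBSnapshotIdentifier,
            "DBSnapshotAttributes": [{"AttributeName": "restore",
                                      "AttributeValues": list(self.state[DBSnapshotIdentifier][1])}]}}

    def modify_db_snapshot_attribute(self, DBSnapshotIdentifier, AttributeName,
                                     ValuesToAdd=(), ValuesToRemove=()):
        enc, values = self.state[DBSnapshotIdentifier]
        kept = [v for v in values if v not in ValuesToRemove] + list(ValuesToAdd)
        self.state[DBSnapshotIdentifier] = (enc, kept)
        return {}


if __name__ == "__main__":
    client = ConstructedRdsClient()  # replace with boto3.client("rds") for a real audit
    for f in audit_snapshots(client):
        if f.risky:
            print(f"{f.snapshot_id}: public={f.public} encrypted={f.encrypted} shared_with={f.shared_with}")
```

Against a real account, swap in boto3.client("rds") for the constructed client and run it once per region, since snapshots are regional. Revoking public access stops further copies but does not recall copies already made; if a snapshot was public and held personal data, treat it as disclosed and investigate.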
Almost a year ago IT and security leaders were warned to patch the Log4Shell vulnerability in applications using the log4j2 logging library. This week the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned IT and security leaders to make sure all their systems are patched against this vulnerability. It issued that alert after finding that suspected Iranian government-sponsored threat actors used the vulnerability last February to compromise a federal organization through an unpatched VMware Horizon server. The attackers used their access to move to the organization’s domain controller, compromised credentials and then implanted reverse proxies on several hosts to maintain persistence. The alert urges administrators running VMware Horizon who didn’t immediately install patches or workarounds to assume they’ve been compromised and begin threat hunting.
Separately, CISA issued a background paper on the tactics of the Hive ransomware gang. Security teams can use the information to look for indicators of compromise.
Meanwhile, researchers at BlackBerry have identified a new strain of ransomware they call ARCrypter. First seen hitting organizations in Chile and Colombia in August, BlackBerry says victims in Canada and China have since uploaded samples with similar code to the VirusTotal scanner for examination. That suggests those behind this strain of ransomware are going after organizations around the world.
Hackers are still using old tricks to fool unsuspecting victims. One of them is an email or text that says something like, ‘We noticed an unusual login on your account. Please click here to secure the account.’ Clicking takes the victim to a fake website where they are asked to log in to confirm or change their username and password. The goal is to steal those credentials. In a blog this week researchers at Armorblox said crooks recently sent a message like that to students at an unnamed educational institution. The message looked like it came from Instagram. If you get a message like this, ignore it. A legitimate service won’t ask you to log in through a link in an unexpected message. Instead, go to the application’s login page the way you usually do to check or change your password.
Finally, if you use the Firefox browser make sure it’s running the latest version. An update was released this week that patches a number of vulnerabilities. You should be on version 107.
Later today the Week in Review edition of the podcast will be available. Guest David Shipley and I will discuss what organizations hit by a cyber attack should say publicly.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.