We lost our Groove, an FBI ransomware warning and an alert to GitLab users.
Welcome to Cyber Security Today. It’s Wednesday November 3rd. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
We’ve been had. Or at least some of us in the media, along with some cybersecurity researchers, have been had by a trickster who in August announced the new Groove ransomware on a new Russian-language cybercrime forum. It turns out there is no Groove ransomware gang. According to cybersecurity reporter Brian Krebs, Groove’s darknet blog disappeared last week and an established cybercrook admitted the con. How did this start? With an announcement on an anonymous cybercrime forum. Forum members were asked to help design a website for the new group, three big cybersecurity companies published reports speculating that Groove had split off from another ransomware gang, and then Groove’s darknet blog published half a million stolen login credentials for Fortinet VPN products. It looked like the new gang had pulled off a big theft. But those usernames and passwords were old. What to make of this scam? In a criminal world that is opaque, it is sometimes not hard to fool the experts. On the other hand, the number of real data thefts and ransomware attacks keeps increasing. Those aren’t a prank.
Here’s what’s going on in the real world: Some ransomware gangs are timing their extortions to coincide with corporate activities, such as announcements of mergers and acquisitions. This is according to a report this week by the FBI. It’s seen evidence that after compromising a company and stealing data some gangs wait for a juicy moment to send messages threatening to disclose sensitive corporate information unless they’re paid. In three cases last year publicly-traded American companies that were negotiating a merger or acquisition found they were hit by ransomware. The attackers may have read news reports about the potential ongoing negotiations or they may have had a tip. One thing the FBI did note is that in one attack a hacker was seen searching a corporate victim’s network for information about its share price. The report warns companies that threat actors often look for sensitive non-public information after breaking into an IT network before they launch malware. They can threaten to publish that information to embarrass the company, or cause its stock to drop.
Application developers using the web-based GitLab software lifecycle tool for writing and managing software are being warned to upgrade to the latest version. The alert comes from researchers at Rapid7, who estimate that almost half of the roughly 60,000 internet-facing GitLab installations still haven’t been patched, although a fix for a major vulnerability has been available since April. Attackers have been exploiting the vulnerability since the summer. The hole could let an attacker take control of a GitLab server, and with it the code it holds. To give an idea of how serious it is, the vulnerability now carries the maximum severity rating of 10 out of 10. Rapid7 also says developers shouldn’t be able to reach GitLab directly over the internet. Instead they should go through a VPN.
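One thing a GitLab administrator will want after hearing that is a quick way to tell whether an instance actually has the April fix. The catch is that GitLab backports a fix to several release branches at once, so a simple “is my version number bigger” comparison gives wrong answers: a version on an older branch can carry the fix while a numerically higher version on a newer branch does not. The script below is an added example written for this page; it is not Rapid7’s or GitLab’s code. The fixed-version list in it is an assumption for illustration, and you should replace it with the list from GitLab’s own advisory before trusting the result. The version endpoint, token header and the instance URL in the usage are GitLab’s real API, but the URL and token are placeholders.

```python
"""Check whether a GitLab instance runs a version that carries a backported fix.

Added example for this page, not GitLab's or Rapid7's code.  FIXED_VERSIONS is
an assumed, illustrative list: take the authoritative one from GitLab's advisory.
"""
import json
import re
import sys
import urllib.request

# Assumed fixed versions, one per maintained release branch at the time of the
# patch.  Replace with the list from GitLab's advisory before relying on this.
FIXED_VERSIONS = ["13.10.3", "13.9.6", "13.8.8"]


def parse_version(text):
    """'13.10.3-ee' -> (13, 10, 3).  Edition suffixes (-ee/-ce) are ignored.

    Comparing as integer tuples matters: as strings, '13.9.6' sorts after
    '13.10.3', which would silently mark unpatched servers as fixed.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(installed, fixed_versions=FIXED_VERSIONS):
    """True if the installed version carries the fix.

    Rules:
      * same major.minor branch as one of the fixed releases -> patched only
        if the patch level is at or above that branch's fixed release;
      * newer than the newest fixed branch -> patched (the fix is in mainline);
      * on an older, no-longer-maintained branch -> unpatched, because no
        fixed release was ever built for it.
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    for fix in fixes:
        if inst[:2] == fix[:2]:
            return inst >= fix
    return inst > fixes[-1]


def fetch_version(base_url, token):
    """Ask the instance for its version via the (authenticated) GitLab API."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


def report(installed, fixed_versions=FIXED_VERSIONS):
    """Human-readable verdict for a single version string."""
    state = "patched" if is_patched(installed, fixed_versions) else "UNPATCHED"
    return f"GitLab {installed.strip()}: {state}"


if __name__ == "__main__":
    # Usage: python gitlab_fix_check.py https://gitlab.example.internal <token>
    # (placeholder URL and token; the instance should only be reachable over
    # your VPN, never directly from the internet).
    if len(sys.argv) == 3:
        version = fetch_version(sys.argv[1], sys.argv[2])
        print(report(version))
    else:
        # Offline demonstration on constructed version strings.
        for v in ["13.10.2-ee", "13.10.3-ee", "13.9.7-ce", "13.7.9", "13.11.0"]:
            print(report(v))
```

Run against a live instance it prints one line, and the interesting cases are the ones in the offline demonstration: 13.9.7 is reported patched while the numerically higher 13.10.2 is not, and 13.7.9 is unpatched because no fixed release exists for that branch at all. Exposing only what the fleet needs and feeding the output into your vulnerability tracker is the follow-up; the VPN advice in the alert stands regardless of the verdict.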
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.