A new data wiper found, and security updates released for Windows and Citrix products.
Welcome to Cyber Security Today. It’s Wednesday, November 9th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
A new strain of malware is spreading that overwrites the data of corporate victims. That's according to a report by New Jersey's cyber security centre. The operators call their malware Azov Ransomware. But the ransom note lists no way to contact the operator to get a key and recover the data. So this destructive weapon is more properly called a data wiper. It is being distributed through pirated software, key generators and adware. Employees have to be reminded not to download applications without IT approval.
Employees also have to be reminded to ignore USB keys they find lying around their organization. This comes because investigators at Kroll are seeing an increase in the number of USB-based malware attacks they've been called in on. Threat actors are dropping infected USB drives in offices hoping curious employees will pick them up and plug them into computers. Sometimes threat actors email or courier the drives to staff. These might appear to come from a legitimate company, supposedly with product information or a business proposal. If you haven't asked for a drive to be sent, don't plug it in. Even if you have agreed to receive a USB drive, make sure it is scanned on an isolated computer first. Check with your IT department to find out how, and whether company policy allows receiving USB drives at all. As for drives found on a floor or unexpectedly on a desk, again, ask IT how they can be safely examined. By the way, don't pick up USB keys at trade shows.
The Kroll news on suspicious USB keys was part of an analysis of cyber incidents it investigated in the third quarter. Another finding: a recent increase in cases of employees stealing data, otherwise known as insider theft. In one case a company detected and stopped an employee attempting to copy gigabytes of corporate data to a cloud storage provider. But after that person left for a competitor the company suspected they were still using its corporate data. The former employee's personal laptop was examined. The company had missed that its ex-staffer had uploaded several copies of company data to several cloud storage locations. The lesson: organizations must implement technologies and policies to detect employees trying to take corporate data with them, whether to cash in on it or to use it at a new employer. With organizations increasingly announcing layoffs, this is becoming more important.
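The Kroll case above is the kind of pattern a web proxy or DLP alert can catch: one user pushing gigabytes to consumer cloud storage, spread across more than one provider. The following is an added example of that detection logic, not code from Kroll or this podcast. The simplified proxy log format, the list of watched cloud-storage hostnames, the sample log lines and the thresholds are all constructed assumptions; a real deployment would read the proxy's own schema.

```python
"""Flag users whose uploads to consumer cloud storage exceed a byte threshold
or are spread across several providers (the pattern in the Kroll case).

Added example for this page; not Kroll's tooling. Log format, hostnames,
sample lines and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Assumed watch list of consumer cloud-storage hosts (extend per environment).
CLOUD_STORAGE_DOMAINS = {
    "drive.google.com", "www.dropbox.com", "content.dropboxapi.com",
    "onedrive.live.com", "mega.nz", "www.icloud.com",
}

# Constructed proxy log lines, one request per line:
# <timestamp> <user> <method> <host> <bytes_sent_by_client> <status>
SAMPLE_LOG = """\
2022-11-08T09:12:01Z alice POST content.dropboxapi.com 734003200 200
2022-11-08T09:41:17Z alice POST content.dropboxapi.com 838860800 200
2022-11-08T10:03:44Z alice PUT mega.nz 1258291200 200
2022-11-08T10:05:02Z bob GET www.dropbox.com 1024 200
2022-11-08T11:30:00Z bob POST onedrive.live.com 52428800 200
2022-11-08T12:00:00Z carol POST drive.google.com 26214400 200
2022-11-08T12:05:00Z carol POST internal.corp.example 2147483648 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<bytes>\d+) (?P<status>\d+)$"
)
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def parse_proxy_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def upload_totals(records):
    """Sum client-sent bytes per user to watched hosts, and record which hosts."""
    totals = defaultdict(int)
    hosts = defaultdict(set)
    for r in records:
        if r["method"] in UPLOAD_METHODS and r["host"] in CLOUD_STORAGE_DOMAINS:
            totals[r["user"]] += r["bytes"]
            hosts[r["user"]].add(r["host"])
    return totals, hosts


def flag_exfiltration(text, threshold_bytes=1 << 30, min_providers=2):
    """Return {user: (total_bytes, sorted_hosts)} for users over the byte
    threshold (default 1 GiB) or uploading to min_providers or more hosts."""
    totals, hosts = upload_totals(parse_proxy_log(text))
    flagged = {}
    for user, total in totals.items():
        if total >= threshold_bytes or len(hosts[user]) >= min_providers:
            flagged[user] = (total, sorted(hosts[user]))
    return flagged


if __name__ == "__main__":
    for user, (total, providers) in flag_exfiltration(SAMPLE_LOG).items():
        print(f"{user}: {total / (1 << 30):.2f} GiB to {', '.join(providers)}")
```

In the constructed log only alice trips the rule: GET traffic is ignored, bob's single 50 MB upload stays under the threshold, and carol's large transfer goes to an internal host that is not on the watch list. Thresholds are a tuning decision; the more useful signal in practice is usually the change relative to a user's own baseline and the use of several providers in a short window.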
A Nigerian man involved in laundering tens of millions of dollars from online scams has been sentenced to just over 11 years in prison by an American judge. Ramon Abbas was arrested in 2020 in the United Arab Emirates and ultimately brought to the U.S. In April 2021 he pleaded guilty to one count of conspiracy to launder money, and he has now been sentenced. His co-conspirator, Ghaleb Alaumary, who holds dual American and Canadian citizenship, was also sentenced to just over 11 years last year by an American judge. Alaumary was also ordered to pay US$30 million in restitution. The two men conspired to launder money stolen from banks and through business email scams. In one case, prosecutors alleged the pair laundered millions of dollars stolen from a bank in Malta by North Korean hackers.
Separately, the U.S. Justice Department announced it has seized more than 50,000 bitcoin, worth more than US$3.3 billion at the time it was seized. The digital currency was stolen over a decade ago from the Silk Road criminal marketplace by an American resident, James Zhong, who pleaded guilty last week to wire fraud. That's the reason the news is only now coming out. Prosecutors said Zhong created a number of accounts on Silk Road, then tricked its withdrawal processing system into releasing thousands of bitcoin. And where was the digital currency? In an underground safe in Zhong's home and on a single-board computer hidden in a box under blankets in a bathroom closet. The Silk Road marketplace was shut down in 2013 when police arrested its operator, Ross Ulbricht.
Because of the nature of the internet, it can be hard to knock criminal cyber groups offline. The latest example is the Robin Banks criminal group, which offers a phishing-as-a-service website to anyone who pays up. In July it was knocked offline after it was exposed by researchers at IronNet. But in a new report the researchers said the operators behind Robin Banks are back in business. They relocated the front-end and back-end infrastructure to a Russian-based provider, and now require their customers to use two-factor authentication to log in to the service. More importantly, the phishing kit now includes a way to bypass the two-factor authentication used by target organizations to protect their logins. It's done by stealing the login session cookies of victims lured to a phishing site set up by the crooks: the phishing page relays the real login, including the one-time code or push approval, and captures the session cookie the legitimate site issues afterwards. Once the crooks have that cookie they can act as the user without logging in again, so one-time codes and push prompts on their own don't stop this. Phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the credential to the real site's address, do defeat this kind of relay. Defences against this group are otherwise the same as for any phishing attack: make sure employees are regularly reminded not to click on links sent through emails or texts, especially ones that end up asking them to log into a page, and to check the address of any login page before entering credentials.
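Because the stolen cookie is replayed from the crooks' own machine, the application sees the same session ID arrive from a different source address and browser than the one that logged in. The following is an added example of that server-side detection, not code from IronNet or this podcast. The simplified access-log format, the session-ID field, the sample entries and the addresses are constructed assumptions.

```python
"""Detect a session cookie being reused from a client other than the one
that established it.

Added example for this page; not IronNet's or any vendor's code. The log
format, session-ID field and sample lines are constructed assumptions.
"""
import re

# Constructed access log lines, one request per line:
# <timestamp> <client_ip> <session_id> <user_agent_tag> <method> <path> <status>
SAMPLE_ACCESS_LOG = """\
2022-11-08T13:00:00Z 203.0.113.10 sess-a1b2 ua-chrome107-win POST /login 302
2022-11-08T13:00:05Z 203.0.113.10 sess-a1b2 ua-chrome107-win GET /mail 200
2022-11-08T13:42:10Z 198.51.100.77 sess-a1b2 ua-firefox106-linux GET /mail 200
2022-11-08T13:43:00Z 198.51.100.77 sess-a1b2 ua-firefox106-linux POST /mail/forwarding 200
2022-11-08T14:00:00Z 192.0.2.5 sess-c3d4 ua-safari16-mac POST /login 302
2022-11-08T14:10:00Z 192.0.2.5 sess-c3d4 ua-safari16-mac GET /files 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<session>\S+) (?P<ua>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d+)$"
)


def parse_access_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_session_replays(text):
    """Return one alert per (session, new client) pair.

    The first request seen for a session ID fixes the client (IP, UA) the
    session was issued to. Any later request carrying the same session ID
    from a different (IP, UA) pair is reported once, with the first request
    that came from that new client.
    """
    issued_to = {}        # session -> (ip, ua) of the first request seen
    seen_clients = {}     # session -> set of (ip, ua) already reported
    alerts = []
    for r in parse_access_log(text):
        client = (r["ip"], r["ua"])
        sess = r["session"]
        if sess not in issued_to:
            issued_to[sess] = client
            seen_clients[sess] = {client}
            continue
        if client in seen_clients[sess]:
            continue
        seen_clients[sess].add(client)
        alerts.append({
            "session": sess,
            "issued_to": issued_to[sess],
            "replayed_from": client,
            "first_seen": r["ts"],
            "path": r["path"],
        })
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_ACCESS_LOG):
        print(f"{a['session']}: issued to {a['issued_to']}, "
              f"reused from {a['replayed_from']} at {a['first_seen']} ({a['path']})")
```

In the constructed log, sess-a1b2 is established from 203.0.113.10 with a Chrome-on-Windows agent and then reused 42 minutes later from 198.51.100.77 with a Firefox-on-Linux agent, which is what a replayed cookie looks like; sess-c3d4 never changes client and produces no alert. Treat this as a heuristic: mobile users change addresses legitimately, so pairing it with a change in user agent, geography or autonomous system cuts false positives, and the real fix remains phishing-resistant MFA, since the relay itself is what hands the cookie to the attacker.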
Citrix is urging administrators to quickly install security patches for some of its customer-managed Gateway and ADC products. They close vulnerabilities that could allow remote desktop takeover through phishing and allow brute-force login attacks. There are also new security updates for some SAP products.
Finally, yesterday was Microsoft's monthly Patch Tuesday, when it releases security updates for Windows and other products. Important patches are available for Windows Server and Exchange Server. Having a process for prioritizing and installing patches from all of the organization's IT suppliers is a sign of a mature cybersecurity program.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.