Warnings to VMware hypervisor and Office 365 administrators.
Welcome to Cyber Security Today. It’s Monday, October 17th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
A major event happened over the weekend: VMware ended general support for versions 6.5 and 6.7 of its ESXi hypervisor. There will be no more security patches or bug fixes for these versions. Two more years of technical guidance are available, during which VMware will give support for low-severity issues. But, I repeat, no more security patches for versions 6.5 and 6.7. How many IT departments are running these two versions? A company called Lansweeper, which sells asset management software, said 6,000 of its customers run about 79,000 instances of ESXi. At the end of September, tens of thousands of those organizations were running versions about to go end of life. By the way, quite a few were still running versions older than 6.5. The current version of ESXi is 7.0. Remember, old versions of applications are at the greatest risk of being hacked.
Attention Microsoft Office 365 administrators: if you use the suite’s Message Encryption tool it might be exposing the organization to risk. That’s according to researchers at a company in Helsinki called WithSecure. Office Message Encryption, or OME, uses an insecure block-cipher mode called Electronic Codebook, or ECB, for encryption. In fact, the researchers point out, NIST said so as far back as 2020. Briefly, ECB encrypts identical blocks of plaintext into identical blocks of ciphertext, so patterns in the original message survive encryption; if enough encrypted messages are captured, a hacker might be able to infer parts of the clear text of the scrambled messages. Microsoft isn’t planning to change OME. So the researchers recommend administrators change to a more secure method of email encryption.
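To make the ECB weakness concrete, here is an added example in Python; it is not code from the WithSecure report or from Microsoft. It assumes a keyed hash as a stand-in for the block cipher’s encryption direction (not AES, not secure), which only models the one property that matters here: the same plaintext block under the same key always gives the same ciphertext block. A message with repeated 16-byte rows encrypted in ECB shows visibly repeated ciphertext blocks, while CBC with an IV does not, and repeated_blocks() is the kind of pattern check an analyst can run over captured ciphertext.

```python
import hashlib
from collections import Counter

BLOCK = 16  # block size in bytes, as in AES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher's encryption direction (assumption: NOT AES,
    not secure). It models only the property ECB leaks: the same (key, block)
    pair always yields the same output block."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the message is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block is encrypted on its own, so equal plaintext blocks
    become equal ciphertext blocks."""
    data = pad(data)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, so equal plaintext blocks no longer line up in the output."""
    data = pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier one; any repeat is a
    strong hint of ECB and of plaintext structure leaking through."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return sum(count - 1 for count in Counter(blocks).values())


# Constructed sample: a message whose rows repeat, like a form or a table.
KEY = b"constructed-demo-key-not-secret!"
IV = bytes(range(BLOCK))
SAMPLE = b"SECRET-FORM-ROW " * 6 + b"final row: total=42"

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, SAMPLE)))      # 5
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, SAMPLE)))  # 0
```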
Most malware doesn’t work alone. Threat actors need one or more command and control servers to communicate back and forth with the malware initially implanted on a victim’s computers and servers. That’s how they upload tools like backdoors and ransomware, and download stolen data. Researchers at Cisco Systems have discovered a new attack framework run by an unnamed gang. They call this framework Alchimist. Along with it they discovered a new piece of malware they call Insekt, which, when installed on a victim’s computer, signals back to the Alchimist command and control server. An instructor at the SANS Institute notes there are currently 110 command and control frameworks being used by threat actors around the world. For security professionals looking for indicators of compromise, there’s a link to the Cisco report here.
Threat actors try to infect applications made by one company as a way to get into the IT systems of that firm’s customers. The SolarWinds Orion hack is an example. Putting corrupt copies of packages in open-source libraries is another. Researchers at Aqua Security say the latest attack on packages in the NPM library goes after private packages that are supposed to be visible only to a limited number of developers. The tactic being used is called a timing attack: the hacker sends a request for a package they think exists on the NPM site. Unapproved or unauthenticated users get an error message that says “404 not found.” But if the attacker sends five consecutive requests, the speed of the error response will signal whether there really is a private package with that name. Then the attacker can find a way to add a renamed but infected version of that package to the developer’s NPM page, hoping a victim will download that version. GitHub says it can’t fix this problem. So the researchers advise developers with private packages on NPM to regularly search for and delete packages with lookalike names.
I regularly warn listeners to stay away from emailed or texted offers of free or cracked versions of commercial software and games. Invariably they deliver malware to your computer. One of the latest campaigns is reported by researchers at Zscaler. A gang known for trying to get the usernames and passwords of employees’ Facebook Business accounts is expanding its targets. Now it’s using these offers of hacked software to steal the credentials of anyone with a Facebook account. It also scoops up as much personal data as it can that’s stored in Chrome browsers. Again, messages you get by email, text, LinkedIn or any social media account from someone you don’t know offering a deal on commercial software are likely poison.
Finally, don’t forget IT World Canada’s free MapleSec cybersecurity summit will be held this week. Wednesday’s sessions are in-person in mid-town Toronto at the Aga Khan Museum. Among the sessions will be a panel discussion on ransomware. Another features a panel of CISOs. Thursday’s sessions will be online and include a session on cybersecurity essentials for SMBs. Click here to see the full agenda and register.