A warning to JavaScript users, ransomware gangs feeling squeezed and an SQL vulnerability found.
Welcome to Cyber Security Today. It’s Monday October 25th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
Software and web developers using one of NPM’s JavaScript library packages are being urged to act fast after the discovery of malware in the file. Any computer on which the package called ua-parser-js was installed or run must be assumed to have been compromised. Not only does that package have to be updated to the latest version, developers need to reset their passwords and rotate the security tokens on those systems if the library was used as part of the development process. The reason is an attacker modified the library so they could install a password stealer and cryptocurrency miner on computers and servers. Note that even updating the library may not guarantee all malicious software that has been installed will be removed. NPM has a free registry of JavaScript libraries used by some of the biggest names in tech, including Facebook, Microsoft, Amazon and Google. It also makes a popular JavaScript package manager. This is the fourth malicious NPM package found in the last seven days. I told you about one of them in Friday morning’s podcast.
A report by the Reuters news agency that the U.S. was behind last week’s crippling of the REvil ransomware gang’s payment site has prompted a lengthy and bitter posting by the Conti ransomware gang. It urges Americans to expel the ‘fat degraded bankers’ in power in the U.S. so America again becomes ‘the great free nation that we remember and love.’ At the same time the Groove gang urged crooks called affiliates who work with ransomware gangs to stop competing against each other. Instead affiliates should unite to, in its words, ‘destroy the state sector of the United States.’ Canadian-based threat analyst Brett Callow of Emsisoft told me that this looks like ransomware gangs are feeling the heat from law enforcement agencies. He noted that this year has seen actions against the Darkside, NetWalker, Cl0p and now REvil ransomware gangs. Some have closed, others lost their decryption keys.
Speaking of ransomware, IT staff whose companies use the BillQuick Web Suite, a time and billing service, should sweep their environments for suspicious activity. This comes after researchers at Huntress Labs discovered a critical vulnerability that allowed an attacker to hit a U.S. engineering company with ransomware. For software developers listening, the problem was an old one: An SQL injection attack. That’s where an attacker can type in an SQL command in the username or password field of a login to enter a database without authorization. This type of exploit shouldn’t be happening anymore. But Huntress Labs says many well-established software companies aren’t making sure their code is secure.
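The login-field injection described above, as an added example that is not part of the podcast: Python with sqlite3, a constructed in-memory user table and sample credentials, showing the string-spliced query beside the parameterized one that defeats the same input.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo; plaintext storage is for brevity only,
    # a real system stores a password hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The form fields are spliced straight into the SQL text, so SQL syntax typed
    # into either field becomes part of the query the database executes.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders send the values separately from the SQL text; the database
    # treats them purely as data, never as query syntax.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    conn = make_db()
    # Constructed sample input for the password field: it closes the quoted
    # string and appends a condition that is always true.
    hostile = "' OR '1'='1"
    return {
        # Spliced query becomes ... password = '' OR '1'='1', which matches every row.
        "vulnerable_hostile": login_vulnerable(conn, "", hostile),
        "vulnerable_honest": login_vulnerable(conn, "alice", "wrong"),
        # Same text as a bound parameter is just a password that matches nobody.
        "parameterized_hostile": login_parameterized(conn, "", hostile),
        "parameterized_honest": login_parameterized(conn, "alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'access granted' if granted else 'access denied'}")
```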
The U.S. will soon restrict the export of hacking tools that could be used by foreign companies or countries for malicious cyber activities. The Commerce Department last week released a rule that could come into effect in 90 days mandating sellers of certain products to get a licence to export cybersecurity items. Approval could be denied to countries for national security reasons. It could also be denied if the product could affect the confidentiality, integrity or availability of data without the permission of the data owner. One of the goals, the U.S. said, is to help ensure that American companies are not fueling authoritarian practices. A spokesperson for the government of Canada noted these products have needed an export licence to be sold from this country since December, 2014.
At least 13 telecommunication companies across the world have been compromised by a threat actor since at least 2019, says a cybersecurity company. Crowdstrike calls this group LightBasin, although other researchers call it UNC1945. The UNC prefix is short for uncategorized. The group’s specialty is hacking into Solaris and Linux servers, which are favoured by telcos. In one case that Crowdstrike investigated, the attackers compromised an external DNS server of one cellular provider to get into the wireless GPRS servers used by carriers for customer roaming. One of the gang’s initial tools for getting into a DNS server: Password spraying – which is firing a list of common or stolen passwords at a login and hoping one will work. Once in a network the attacker installed a backdoor for further compromise. Other tools seen would scoop up communications metadata, such as the phone numbers called by a specific mobile station. One key way telecom companies can stop this kind of attack is by ensuring the firewalls responsible for the GPRS network restrict traffic to known protocols. This hacking group uses the SSH protocol for communications, which is unusual and should be blocked. Crowdstrike also says telcos that are certain they’ve been compromised should scrutinize not only their own systems but also those of companies they manage and of partner suppliers. Finally, IT departments should make sure systems have multifactor authentication so password spraying can’t work.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.