Warnings from Cisco, a huge DDoS attack and more MOVEit and ransomware victims.
Welcome to Cyber Security Today. It’s Monday, September 11th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Three stories involving Cisco Systems top the news in this edition.
First, following almost two weeks of warnings about a problem in the VPN of Cisco’s Adaptive Security Appliance, the company said a vulnerability in the remote access feature in ASA and Cisco’s Firepower Threat Defense Software leaves them open to brute force attacks. Network and security administrators will have to impose workarounds until software updates are issued. This follows reports that a vulnerability in ASA is being exploited by the Akira ransomware gang.
Second, Cisco released security fixes to plug holes in its Broadworks Application Delivery Platform and Broadworks Xtended Services Platform. The critical vulnerability in the single-sign-on function of both applications could allow an attacker to authenticate with forged credentials.
And third, Cisco researchers warned that cybercriminals are trying to trick graphic designers into downloading applications that lead to the installation of cryptocurrency miners. The crooks are advertising versions of Adobe Illustrator, Autodesk 3ds Max and SketchUp Pro. They come with a legitimate Windows installation tool called Advanced Installer that helps hide the malware. The targets are likely French language companies that do 3-D modeling and graphics design. Most of the victims have been found in France and Switzerland, but some organizations in Canada, the U.S., Algeria, Sweden and Germany have also been hit. Employees need to be warned about downloading any software without management approval.
Threat actors continue using distributed denial of service attacks against selected targets. Last week it was an unnamed U.S. financial institution. Researchers at Akamai said the attack that flung just over 633 gigabits of data at that company’s website in less than two minutes. It wasn’t the biggest attack detected by Akamai. That took place earlier this year when a website in the Asia-Pacific area was hit by 900 gigabits per second. DDoS attacks come from infected internet-connected devices under the control of a threat actor. In last week’s attack the biggest sources of data came from Bulgaria, Brazil, China and India. Often the goal of a DDoS attack is to knock a website offline and perhaps cause the victim organization trouble dealing with customers. But another goal is to divert attention away from a data theft or installation of ransomware.
A Russian businessman was sentenced last week by a U.S. judge to nine years in prison for his role in a nearly US$100 million stock market cheating scheme. The scam relied on a gang hacking companies to steal inside financial information so they could make lucrative stock market trades. The man had been convicted in February after a trial in Boston. Four alleged co-conspirators remain at large. The man had been extradited from Switzerland in 2021 after arriving there for a vacation. According to the Associated Press, authorities say he pocketed more than $33 million as his share of the scheme.
Speaking of the Associated Press, it is notifying 224 people who bought the AP Stylebook online that their personal information was stolen in July from a third-party service provider. The Stylebook is an editing bible for many reporters and editors. The information that the hacker got had been stored on a database on an old website of the service provider that hadn’t been closed. Associated Press found out about the hack because some customers got phishing emails asking them to provide updated credit card information on a fake AP Stylebook website.
Nine Russians have been indicted by grand juries in the U.S. for their role in cyber attacks on American organizations. They are accused of allegedly being behind the spread of Trickbot malware or Conti ransomware, or, in some cases, both. The infrastructure behind Trickbot, used for initial compromise, was taken down in 2022. None of those indicted are currently in U.S. custody.
More American victims of the MOVEit file transfer hack are coming forward. Community Trust Bank of Kentucky is notifying almost 100,000 people their personal information was stolen. The data was taken from an unnamed service provider that the bank uses. That service provider used Progress Sofware’s MOVEit application for moving large files. The stolen data included names, financial or credit card numbers as well as security codes, passwords or PIN numbers for the accounts.
Northfield Bank of New Jersey is notifying just over 4,100 customers their personal information was stolen from an unnamed outside company that handles bank data and uses MOVEit.
Planet Home Lending of Meriden, Connecticut is notifying just over 3,100 people their personal information from loan files was stolen when the lender’s MOVEit server was hacked.
Emsisoft calculates 1,167 organizations have publicly acknowledged being directly or indirectly victimized by the vulnerability in MOVEit.
Meanwhile, ransomware in North America is still going strong. Ryders Health Management of Georgia is notifying just over 7,000 people their personal information was stolen in a ransomware attack last month. Data stolen includes people’s Social Security numbers, diagnostic and treatment information.
A massive ransomware attack hit Sri Lanka’s government email servers on August 26th, including the system used by the Cabinet Office. According to a news report, the online backup for two and a half months’ worth of messages has been lost. There was no offline backup for that period. The government was using Microsoft Exchange 2013, which stopped getting security updates in April.
And the Ragnar Locker ransomware gang claims to have stolen 1 TB of data from an Israeli hospital. According to a news site the gang admits the theft, but stresses it didn’t encrypt data so hospital equipment wouldn’t be affected.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.