A new report on phishing, a warning of Venus ransomware, malware hidden in images and more.
Welcome to Cyber Security Today. It’s Remembrance Day, November 11th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Many advanced email attacks still successfully end with the theft of user credentials or account takeovers. That’s according to new research from Tessian. The company surveyed 600 IT and security leaders in organizations across the U.S., the U.K., the Middle East and Africa. Seventy-one per cent of respondents said an advanced email attack this year at their organization resulted in an account being taken over. Among other things, 62 per cent of respondents said advanced email threats got past even their secure email gateways and into employee inboxes. Ten per cent of respondents said they received over 450 email-based ransomware attempts since the beginning of the year.
Speaking of email attacks, researchers at Avanan looked at patterns against the government of an unnamed country in the Western hemisphere with a population under 100,000. They calculate the government sees an average of 93 phishing attacks a day. For some reason, most attacks were directed at the Bureau of Standards.
Hospitals are being warned that new Venus ransomware is circulating. That’s the word from the U.S. Health Sector Cybersecurity Co-ordination Center. It says the strain, discovered in August, has hit at least one healthcare entity in the United States. Unsecured instances of Windows remote desktop protocol are a common way these attackers get into IT systems. RDP must be put behind a firewall.
Computer technical support scams, like crooks pretending to be from Microsoft, continue to victimize people. That came in a reminder this week from the FBI. Scammers email or phone potential victims demanding money to renew a software subscription. When the victim wants to cancel the so-called renewal the crook says there’s a fee, and asks for the victim’s bank information. Remember, any email or phone request that pressures you to act quickly is likely a scam. Never send money on the instructions of someone you have only spoken to online or by phone.
Software companies like adding features to make life easier for customers. Unfortunately sometimes the features come with vulnerabilities. One example is credential roaming, added to Windows 20 years ago. A Russian-based threat group used a hole in credential roaming early this year against a European diplomatic target. A new report from Mandiant goes deeply into what this problem is. Credential roaming allows a digital certificate used for access to roam with an employee. The vulnerability allows a hacker to compromise the system and gain administrative privileges. Microsoft issued a patch in September to fix this. The Mandiant report details how Windows administrators can avoid or fix the problem. There’s a link to it in the text version of this podcast.
Researchers at Avast have added to knowledge about a threat group dubbed Worok, which hides malware in PNG images. In a report released this week Avast said the purpose of the malware is to steal data. They think the attackers are somehow exploiting unpatched vulnerabilities called ProxyShell in Microsoft Exchange servers and uploading stolen data to a DropBox cloud storage account. This is a good reason to make sure Exchange servers are fully patched.
Another attacker is also hiding malware in images. One was found recently by researchers at Check Point Software in a software package in the open source PyPI library for developers using the Python programming language. Any developer who downloaded and inserted the package called Apicolor in their application would have it infected with a virus. The package has been deleted from PyPi, but it’s another reason why developers who use open source libraries have to be careful before downloading code, and have it scanned before being inserted into applications.
That’s it for now. But later today the Week in Review edition will be available. Terry Cutler of Cyology Labs and I will discuss the latest arrest of a ransomware operative, a cyber insurance settlement and more.
