A botnet tries to brute-force WordPress sites, a warning to Atlassian admins and new ransomware tactics.
Welcome to Cyber Security Today. It’s Wednesday, December 14th, 2022.
I’ll start with a warning to WordPress and OpenCart website administrators: A new botnet has been discovered that tries to brute-force its way into poorly-protected websites. Researchers at Fortinet say the botnet has a list of stolen passwords it uses to get access. If successful it installs malware and waits for further commands. Fortinet calls this botnet GoTrim. Make sure WordPress and OpenCart administrators and users have strong passwords protected with multifactor authentication and make sure that these applications — and any plugins — are fully patched.
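Credential brute-forcing of the kind described above leaves a recognisable trace in ordinary web server access logs: bursts of POST requests to the login endpoint that never turn into a redirect to the admin area. The script below is an added example, not code from Fortinet or from the WordPress or OpenCart projects. It parses a few constructed combined-format log lines, counts failed login POSTs, and raises two kinds of alert: one source hammering the login page, and a spread of single attempts across many addresses, which is how a botnet with a password list typically hides below per-IP lockout thresholds. It assumes that WordPress (`/wp-login.php`) and the OpenCart admin login (`/admin/index.php?route=common/login`, the default path) answer a successful login with a 302 and re-render the form with a 200 on failure.

```python
"""Flag brute-force login attempts against WordPress / OpenCart in web access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2022:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.28"
203.0.113.7 - - [14/Dec/2022:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.28"
203.0.113.7 - - [14/Dec/2022:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.28"
203.0.113.7 - - [14/Dec/2022:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.28"
203.0.113.7 - - [14/Dec/2022:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.28"
203.0.113.7 - - [14/Dec/2022:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.2 - - [14/Dec/2022:08:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Dec/2022:08:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Dec/2022:08:01:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Dec/2022:09:00:00 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 2210 "-" "curl/7.85"
192.0.2.11 - - [14/Dec/2022:09:00:01 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 2210 "-" "curl/7.85"
192.0.2.12 - - [14/Dec/2022:09:00:02 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 2210 "-" "curl/7.85"
192.0.2.13 - - [14/Dec/2022:09:00:03 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 2210 "-" "curl/7.85"
192.0.2.14 - - [14/Dec/2022:09:00:04 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 2210 "-" "curl/7.85"
192.0.2.15 - - [14/Dec/2022:09:00:05 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 2210 "-" "curl/7.85"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# WordPress login, and the OpenCart admin login (assumed default admin path).
LOGIN_PATHS = ("/wp-login.php", "/admin/index.php")


def parse_failed_logins(text):
    """Return sorted (timestamp, ip) pairs for login POSTs that did not redirect.

    Assumption: both applications redirect (302) after a successful login and
    re-render the form (200) on failure, so a 200 to a login POST is a failed attempt.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path not in LOGIN_PATHS or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m["ip"]))
    events.sort()
    return events


def per_source_bursts(events, threshold=5, window_s=60):
    """IPs with at least `threshold` failed logins inside any `window_s`-second window."""
    hits = {}
    recent = defaultdict(deque)
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            hits[ip] = max(hits.get(ip, 0), len(q))
    return hits


def distributed_bursts(events, threshold=5, window_s=60):
    """Windows where failures from many distinct IPs pile up although no single IP
    crosses the per-source threshold: one attempt per node is how a botnet stays
    under simple per-IP lockouts. Returns (window_start, window_end, distinct_ips)."""
    q = deque()
    alerts = []
    for ts, ip in events:
        q.append((ts, ip))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {i for _, i in q}
        if len(q) >= threshold and len(distinct) >= threshold:
            alerts.append((q[0][0], ts, len(distinct)))
    return alerts


if __name__ == "__main__":
    failed = parse_failed_logins(SAMPLE_LOG)
    print("single-source bursts:", per_source_bursts(failed))
    for start, end, n in distributed_bursts(failed):
        print(f"distributed burst {start:%H:%M:%S}-{end:%H:%M:%S}: {n} distinct IPs")
```

On the constructed sample the first function flags 203.0.113.7 (five failures, then a 302 that is worth a closer look on its own), while the OpenCart attempts from 192.0.2.10 through .15 only surface through the distributed check. Feeding alerts like these into a WAF or fail2ban rule is the detection side; the page's mitigations (MFA, patched plugins) are what stop a correct guess from mattering.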
IT administrators with applications from Atlassian — including Jira, Confluence, Trello and BitBucket — are being warned of a vulnerability in their session cookies. Session cookies, which have data that can help hackers, are supposed to expire when a user logs out or closes their browser. However, researchers at CloudSEK of India say Atlassian cookies can last for 30 days unless a user ends their session. This is important because session cookies are increasingly being stolen along with log information and sold on the dark web. CloudSEK discovered the vulnerability when investigating the compromise of an employee’s Jira password by an attacker earlier this month. The attacker used a Jira session cookie from a stolen log. Atlassian says affected session tokens have now been revoked.
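The defensive point in the Atlassian item is that a cookie's lifetime should be enforced by the server, not just by the browser: a stolen cookie is only worth as much as the server-side session record behind it. The class below is an added example written for this article; it is not Atlassian's code and the timeouts are illustrative choices. It keeps sessions server-side under a hash of the token (so a dumped session table cannot be replayed), enforces both an idle timeout and an absolute lifetime, and supports the two revocation paths the story mentions: the user logging out, and an administrator revoking every session for an account after a compromise.

```python
"""Server-side session store with idle timeout, absolute lifetime and revocation."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float    # seconds since epoch, supplied by the caller for testability
    last_seen: float


class SessionStore:
    # Illustrative defaults: 30 minutes idle, 8 hours absolute (chosen for the example).
    def __init__(self, idle_timeout=30 * 60, max_lifetime=8 * 3600):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._sessions = {}  # sha256(token) -> Session

    @staticmethod
    def _key(token):
        # Store only a hash: the raw bearer token never sits in the database.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, now):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token, now):
        """Return the user for a live session, or None. Expired sessions are deleted
        on sight, so a cookie that outlived its server record is just dead data."""
        s = self._sessions.get(self._key(token))
        if s is None:
            return None
        if now - s.created > self.max_lifetime or now - s.last_seen > self.idle_timeout:
            self.revoke(token)
            return None
        s.last_seen = now
        return s.user

    def revoke(self, token):
        """Logout: drop the record so the browser-side cookie is worthless afterwards."""
        self._sessions.pop(self._key(token), None)

    def revoke_all_for_user(self, user):
        """Incident response: invalidate every session of an account, e.g. after a
        password was stolen. Returns the number of sessions dropped."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def live_count(self):
        return len(self._sessions)


def session_cookie_header(token, name="SESSIONID"):
    """Set-Cookie value with no Max-Age/Expires, so the browser treats it as a session
    cookie, plus Secure/HttpOnly/SameSite. Browsers that restore tabs may still keep
    such cookies, which is why the server-side expiry above is the real control."""
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", now=0.0)
    print(session_cookie_header(tok))
    print("after 5 min:", store.validate(tok, now=300.0))
    print("after 45 min idle:", store.validate(tok, now=300.0 + 45 * 60))
```

Two details matter in practice: `validate` refreshes `last_seen` on every request, so an active user is never interrupted by the idle timer, while the absolute lifetime still caps how long a stolen cookie can be replayed even against a session the attacker keeps alive; and `revoke_all_for_user` is the operation Atlassian described performing for affected tokens.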
Ransomware gangs always look for new ways of getting money. Security reporter Brian Krebs recently quoted researchers at Hold Security on new tactics of two gangs. One gang called Venus is looking at blackmailing executives of publicly-traded companies by hacking into and manipulating their email so it looks like the executives are participating in insider trading. Then the victim is threatened that the phony messages will be publicly released unless the gang is paid. Hold Security says the scam can be detected forensically. But some executives might be spooked into paying.
The other scheme is being used by the Clop ransomware gang against doctors. Using stolen healthcare insurance and payment data, the gang figures out which physicians might ask a colleague for a consultation on an alleged patient with cirrhosis of the liver. Then the targeted doctor is sent an infected medical report, which would spread malware to any connected computers. If the victim physician works in a hospital, the malware could spread widely and imperil the institution. Both of these attacks can be blunted with tough email security and security awareness training of employees.
Uber says the hack of the backup server of a company it uses for IT asset management is the cause of stolen Uber corporate data. According to the Bleeping Computer news site, the data includes Uber source code, IT asset management reports as well as Windows Active Directory information of 77,000 Uber employees and their email addresses. Uber said the data was stolen from provider Teqtivity. Teqtivity put out a statement acknowledging its cloud backup server on AWS was hacked. This is another example of how third-party providers can be a weak security link for companies.
A malicious Python package called cookiezlog has been removed from the PyPI registry of open-source projects. This comes after researchers at JFrog discovered the package hides anti-debugging code, which can thwart dynamic analysis tools and allow cookiezlog to steal passwords. Developers who have or are using cookiezlog should remove it from their applications.
Finally, yesterday was Microsoft’s monthly Patch Tuesday when security updates for Windows and other company products are released. Fifty-two fixes are available, seven of which are critical.
One of them revokes malicious Windows drivers used by the Cuba ransomware group. These drivers had been certified by compromising the accounts of several third-party developers enrolled in Microsoft’s Hardware Developer Program. According to researchers at Sophos, who helped discover the vulnerability, the custom-built drivers defeated security products used by targeted organizations. Researchers at SentinelOne and Mandiant also tipped off Microsoft.
According to researchers at Action1, the other Patch Tuesday fixes plug a zero-day vulnerability that can bypass the Windows SmartScreen security feature. It affects Windows 7 and up, as well as Windows Server 2008 R2. Fixes also plug vulnerabilities in PowerShell, SharePoint, the .NET Framework and Print Spooler. Windows administrators should look at and prioritize the installation of these patches.
Separately, SAP released 22 new and updated SAP patches for its products.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.