NCR’s Aloha POS system hit by ransomware, attackers ask big money from Western Digital, and more.

Welcome to Cyber Security Today. It’s Monday, April 17th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Restaurant owners who use NCR’s Aloha point-of-sale platform are furious at what they believe is poor communication from the company after their systems were inaccessible for days. It wasn’t until Saturday that the company told restaurants it had been hit by a ransomware attack earlier in the week. Restaurant owners posted on Reddit an NCR message they received saying the attack hit a single data centre and impacted a subset of its hospitality customers. “Please rest assured that we have a clear path to recovery,” the NCR message says. The BleepingComputer news service says the BlackCat/ALPHV ransomware gang claimed responsibility for the attack.

The LockBit ransomware gang is working on a macOS-specific version of its ransomware. Brett Callow, a threat analyst for Emsisoft, said so far it seems only a test build has been detected by researchers. As far as he knows it has not yet been deployed in the wild.

The hackers who compromised storage device manufacturer Western Digital claim to have stolen around 10 TB of data. That’s according to the news site TechCrunch, which says it spoke to one of the hackers. The person said the gang is looking for a minimum of eight figures in ransom for not publishing the data. The person said a threatening email was sent to Western Digital that starts: “We are the vermin who breached your company.” Meanwhile, Western Digital’s My Cloud backup service, which was pulled offline because of the attack, is now back up.

Application developers have long been warned not to include credentials or access keys in their code. Why? To prevent compromise of the application by threat actors. A new report from researchers at Permiso gives another reason: if the key belongs to the developers’ AWS account, it could lead to the compromise of their AWS access. The researchers found a hacker had discovered an AWS access key in a newly-published mobile app. What the hacker did next was try to use that key to go after the developers’ AWS credentials through their smartphone’s SMS text service. If it had succeeded, the attacker could have done real damage to their organization. The lesson to developers: always use best security practices when writing code.
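As an added example (not from the Permiso report or this podcast), here is a small pre-publish check a developer could run over an unpacked app build to catch an embedded AWS key before it ships. The file paths and JSON layout are assumptions, and the key values are the placeholder credentials from AWS’s own documentation, not real keys.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Long-term AWS access key IDs begin with "AKIA", temporary STS ones with "ASIA",
# followed by 16 upper-case letters or digits (20 characters in total).
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-character base64-like value following a "secret ... key" style label.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_?access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

@dataclass
class Finding:
    path: str
    line: int
    kind: str   # "access_key_id" or "secret_access_key"
    value: str  # matched value, redacted except for its first 4 characters

def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-exposing the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_file(path: str, text: str) -> List[Finding]:
    """Scan one decoded file (strings, resources, config) for AWS credential patterns."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "access_key_id", redact(m.group(0))))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "secret_access_key", redact(m.group(1))))
    return findings

def scan_bundle(files: Dict[str, str]) -> List[Finding]:
    """Scan every file of an unpacked app bundle (hypothetical path -> text mapping)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out

# Constructed sample resembling files extracted from a mobile app package.
# The key values are AWS's documented placeholder credentials, not real keys.
SAMPLE_BUNDLE = {
    "assets/config.json": (
        '{"region": "us-east-1",\n'
        ' "accessKeyId": "AKIAIOSFODNN7EXAMPLE",\n'
        ' "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}\n'
    ),
    "res/values/strings.xml": '<string name="api_base">https://api.example.invalid</string>\n',
}

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f.path}:{f.line} {f.kind} {f.value}")
```

A hit from this check should fail the build; the fix is to issue the app only short-lived, scoped credentials from a backend rather than baking a long-term key into the package.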

Supporters of the open-source Kodi media player are dealing with the theft of data from its user forum. The inactive account of a forum member was compromised to get into the administration console of the forum’s bulletin board in February to create and then copy an unapproved backup. That included all posts and people’s usernames and email addresses. According to the Hacker News, that amounts to over 400,000 users. Not only that, the hacker attempted to sell the data on the now-defunct BreachForums marketplace.

By now IT security pros should know to look for unapproved versions of the Cobalt Strike penetration testing tool in their environments. Copies of this legitimate commercial tool are used by hackers to help their attacks. Evidence of another unapproved tool defenders should watch for is called Action1. That’s according to a recent Twitter notice by a member of The DFIR Report. Why is this important? Because Action1 can give an attacker remote IT access.

Attention IT managers at accounting and tax return companies: Make sure you regularly warn employees about clicking on attachments from supposed clients. This isn’t easy because it’s income tax time when clients are sending in their forms. However, Microsoft warned last week that hackers are taking advantage of this. They are sending emails pretending to be from a client with a link to supposed tax return documents. Instead the link goes to a file hosting site that downloads malware — in particular the Remcos remote access trojan. In addition to warning staff, make sure your IT system will block JavaScript or VBScript from launching downloaded executables. A legitimate document shouldn’t come with an executable file.

Israel has seen a large number of denial-of-service attacks in the past few days. Researchers at Armis said on Sunday that targets include banks, critical infrastructure and the postal service. Armis believes these are co-ordinated attacks from groups associated with Iran and Russia going through Sudan.

Hikvision has patched a security vulnerability in some of its Hybrid SAN/Cluster Storage products. If you have one of these in your environment it needs to be fixed or an attacker can get network access to the device.

Finally, Google has pushed out an update to fix a serious security vulnerability in the Chrome browser. Usually updates are installed automatically, but it doesn’t hurt to check. Click on the three dots in the upper right corner of the browser, click on Help and then About Google Chrome. You should be on version 112, which ends in .121.

That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 17, 2023 – NCR’s Aloha POS system hit by ransomware, attackers ask big money from Western Digital, and more. first appeared on IT World Canada.