Replace compromised Barracuda email gateways, and more holes found in MOVEit.
Welcome to Cyber Security Today. It’s Monday, June 12th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
I’m back after a week’s vacation. A lot went on while I was away, so this podcast will be longer than usual.
IT administrators have to replace any of their compromised Barracuda Email Security Gateways rather than patch them. That’s the new advice from the manufacturer. The company says only full replacement of the ESG devices will assure security. This comes after Barracuda found a vulnerability last month in the appliances and issued a patch on May 20th. Then it realized the vulnerability had been exploited since last October. Users whose appliances are believed to have been impacted have been notified by Barracuda.
More SQL injection vulnerabilities have been found in the MOVEit file transfer application. These are on top of the vulnerability revealed on May 31st. Progress Software says IT departments using either the on-premise or the cloud version of MOVEit need to install updates released on Friday, June 9th. This comes after the Clop ransomware gang says it has been exploiting the first vulnerability, with victims ranging from the BBC to Nova Scotia’s health service. Meanwhile, researchers at Kroll Incorporated say the Clop gang may have been experimenting with ways of exploiting the first vulnerability as far back as 2021. Their evidence suggests the gang had an exploit for MOVEit before finding a hole earlier this year in the GoAnywhere MFT file transfer tool. However, for some reason the gang decided first to go after organizations using GoAnywhere and then hit those using MOVEit.
The Clop group didn’t deploy ransomware in either the GoAnywhere or MOVEit attacks. It only stole data and demanded money for not releasing the copied files. Researchers at Obsidian believe the Omega ransomware group used the same strategy recently against an unnamed company. In that case a threat actor compromised the organization’s Microsoft 365 SharePoint Online service to get into its IT network. How? I’ll bet you know what’s coming: The credentials of a senior administrator were compromised, credentials that weren’t protected with multi-factor authentication. Once the attacker got in they made a new Active Directory user called Omega, gave themselves access to everything and removed administrator access of everyone else — a total of 200 people. Then the attacker started copying company files. There’s a reason I keep repeating that enabling multifactor authentication is one of the best ways to lower the odds of being hacked. There’s another lesson: Attention has to be paid to security policies for cloud as well as on-premise services.
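The intrusion chain just described (an administrator sign-in without MFA, a freshly created account handed full rights, then the removal of every other admin) leaves a distinctive trail in audit logs. The following is an added example, not code from the podcast or from Obsidian's report: a small correlation script run over constructed, M365-style audit events. The field names (`op`, `actor`, `mfa`, `target`, `role`) and the thresholds are assumptions chosen for the example, not a real log schema.

```python
"""Added example: flag the three signals of the attack pattern described above
in a list of constructed audit events (field names are assumed, not a real schema):
  1. an account that later does admin work signed in without MFA
  2. a newly created account was granted an admin role shortly after creation
  3. one actor removed admin roles from many accounts in a short window
"""
from collections import defaultdict
from datetime import datetime, timedelta

REMOVAL_THRESHOLD = 10          # removals by one actor that count as "bulk"
WINDOW = timedelta(minutes=15)  # correlation window for signals 2 and 3
ADMIN_OPS = {"AddUser", "AddRoleMember", "RemoveRoleMember"}


def build_sample_events():
    """Constructed sample data for the example; not real log lines."""
    base = datetime(2023, 6, 1, 8, 0, 0)
    ev = [
        {"time": base, "op": "UserLoggedIn", "actor": "admin.smith",
         "mfa": False, "target": "admin.smith", "role": ""},
        {"time": base + timedelta(minutes=2), "op": "AddUser",
         "actor": "admin.smith", "mfa": None, "target": "omega", "role": ""},
        {"time": base + timedelta(minutes=3), "op": "AddRoleMember",
         "actor": "admin.smith", "mfa": None, "target": "omega",
         "role": "Global Administrator"},
    ]
    # 200 admins stripped of their role by the new account, one per second
    for i in range(200):
        ev.append({"time": base + timedelta(minutes=4, seconds=i),
                   "op": "RemoveRoleMember", "actor": "omega", "mfa": None,
                   "target": f"admin{i:03d}", "role": "Global Administrator"})
    # benign noise: an MFA-protected sign-in and a single routine role change
    ev.append({"time": base + timedelta(hours=2), "op": "UserLoggedIn",
               "actor": "jane.doe", "mfa": True, "target": "jane.doe", "role": ""})
    ev.append({"time": base + timedelta(hours=2, minutes=1),
               "op": "RemoveRoleMember", "actor": "jane.doe", "mfa": None,
               "target": "bob", "role": "SharePoint Administrator"})
    return ev


def analyze(events):
    """Return a list of (finding_type, principal, first_seen) tuples."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []

    # Signal 1: sign-in without MFA by someone who later performs admin ops.
    admin_actors = {e["actor"] for e in events if e["op"] in ADMIN_OPS}
    for e in events:
        if e["op"] == "UserLoggedIn" and e["mfa"] is False \
                and e["actor"] in admin_actors:
            findings.append(("no_mfa_signin", e["actor"], e["time"]))

    # Signal 2: account created, then given a role within WINDOW.
    created = {e["target"]: e["time"] for e in events if e["op"] == "AddUser"}
    for e in events:
        if e["op"] == "AddRoleMember" and e["target"] in created \
                and e["time"] - created[e["target"]] <= WINDOW:
            findings.append(("new_account_made_admin", e["target"], e["time"]))

    # Signal 3: sliding window over each actor's role removals.
    removals = defaultdict(list)
    for e in events:
        if e["op"] == "RemoveRoleMember":
            removals[e["actor"]].append(e["time"])
    for actor, times in removals.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= REMOVAL_THRESHOLD:
                findings.append(("bulk_admin_removal", actor, times[start]))
                break  # one finding per actor is enough

    return findings


if __name__ == "__main__":
    for kind, who, when in analyze(build_sample_events()):
        print(f"{when.isoformat()}  {kind:<24} {who}")
```

The thresholds are deliberately loose; in practice the bulk-removal rule alone is a strong alert, because a legitimate administrator almost never strips dozens of colleagues of their roles within minutes, and the no-MFA sign-in finding is the one that points at the control whose absence made the rest possible.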
Japanese pharmaceutical company Eisai admitted last week it was hit by ransomware. The attack was detected June 3rd when some of its servers were encrypted. Some systems, including those involved in logistics, had to be taken offline.
The BlackCat/AlphV ransomware gang last week published almost 1.5 terabytes of data stolen from an Australian law firm. According to a news report, the law firm says that would represent about one-third of the total data stolen, leaving possibly more to be released. The law firm, whose clients include the government of Australia, has refused to pay a ransom.
The University of Manchester in England has suffered what it calls a cyber incident. So far it is only saying data was likely copied.
Fortinet has released new Fortigate firmware updates to fix an undisclosed vulnerability in its SSL VPN devices. These updates should be installed fast.
Researchers at Varonis released a report detailing a user interface bug they found in Microsoft Visual Studio. A patch was issued in April that should have been installed by now by Visual Studio users. It closes a hole that could be exploited by an attacker sending an email to a developer that includes a malicious security update.
Researchers at Numen published an analysis of a Windows privilege escalation vulnerability that Microsoft recently patched. It’s in the Win32k kernel driver. The hole poses a significant risk to Windows desktop and server below version 11. Make sure your version of Windows is fully patched.
Over 20,000 fans of the San Francisco 49ers football team could get up to $7,500 each if a class-action settlement over a data breach last year is approved. The sports news site The Athletic reports the proposal would compensate people for up to $2,000 for ordinary expenses and more for those who suffered documented extraordinary expenses. The settlement would also require the team to create a new position of executive VP of technology and hire a dedicated cybersecurity IT professional.
Two Russian residents have been charged by the U.S. for the huge cryptocurrency theft in 2011 from the Mt. Gox exchange. With the stolen 647,000 bitcoin they set up their own cryptocurrency laundering exchange for crooks called BTC-e, the American charges allege.
Finally, a listener admitted he was recently fooled by a phishing scam pretending to be from the IT help service called the Geek Squad. The email with the Geek Squad logo was about a supposed $799 purchase. The victim phoned the number in the email to reverse the transaction. The person on the other end of the line said they’d need access to the victim’s computer. He agreed. A form appeared on the victim’s screen where he could enter the refund amount. He did. But when he immediately checked his bank account it showed an overpayment (not made by him): what had been entered wasn’t $799, but $7,999. To correct this the victim was told to send a wire transfer of $7,999 to a certain account. This nonsense of correcting for an overpayment is an old scam. Fortunately, the victim realized something was suspicious, called his bank and it stopped the transfer of funds. There are several lessons from this: First, if you get an email or text from an organization about a financial problem, don’t trust the phone number or the website in the message. Go to the organization’s website yourself by doing an internet search, or use a web address you know and trust. Second, no organization contacts you and then says that to solve a problem they need access to your computer. And third, any person who says there’s been an overpayment from them to you and that you have to fix it by sending them money is a crook. Anything like this in Canada should be reported to the Canadian Anti-Fraud Centre, and in the U.S. to the FBI.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
The post Cyber Security Today, June 12, 2023 – Replace compromised Barracuda email gateways, and more holes found in MOVEit first appeared on IT World Canada.