Warnings about Russian-based cyber attacks, and more.
Welcome to Cyber Security Today. It’s Wednesday, December 6th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Two reports this week warned of the continuing cyber threat from what is believed to be a Russian military intelligence hacking group. It is going after organizations that use Microsoft Outlook. The group has been given various names by security researchers, including TA422, APT28, Forest Blizzard, Fancy Bear and Strontium. According to researchers at Proofpoint, this gang is exploiting a particular Outlook vulnerability (CVE-2023-23397, which Microsoft patched in March but which evidently remains unpatched on many victim systems) through crafted email messages. More recently it has also been trying to get in through a vulnerability in the WinRAR compression utility (CVE-2023-38831), delivered as email attachments. Some of the gang's phishing messages pretend to be links to a Windows update.
Separately, Microsoft and Poland's Cyber Command gave a similar warning this week about the same Outlook exploit. Because the fix has been available since March, the practical check is simple: confirm that every Outlook installation in your fleet has the March 2023 or later security update applied.
More on Russia: Researchers at the Insikt Group issued a report on the latest online misinformation and disinformation tactics used by a Russia-linked group dubbed Doppelganger. Its continuing campaign is aimed at the U.S., Ukraine and Germany. It probably uses generative artificial intelligence applications to create deceptive news articles, the report says. The goal in each country? To erode public trust in government and increase polarization among the public.
The AlphV/BlackCat ransomware gang says it has hacked an accounts payable supplier called Tipalti. Not only is it seeking money from the company, it is also contacting Tipalti customers and threatening to leak their stolen data as an extra way of squeezing money. The crooks say they have been inside Tipalti's systems since September 8th.
Threat actors are still trying to exploit a critical vulnerability in Adobe ColdFusion web application servers. That's the word from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). A patch for this vulnerability (CVE-2023-26360) was issued in March. However, CISA says unidentified attackers successfully compromised two U.S. government servers over the summer. The warning is addressed to U.S. government IT administrators, but it applies to any organization running ColdFusion: if a server has not been patched since March, assume it has been probed and check it for signs of compromise, not just for the missing update.
I've reported before on bad Java, Python and other code being planted in open source repositories like GitHub, NPM, PyPI and others. Often it's done by taking over the accounts of developers and abusing their abandoned repositories. It's a technique called repojacking. Now comes a report that thousands of legitimate modules written in the Go language are vulnerable to being taken over. Researchers at VulnCheck found more than 15,000 Go repositories that are exposed. The reason is that a Go module's import path embeds the hosting account name (github.com/username/repository), so if a module creator renames their GitHub account, the abandoned username is open to anyone to register, including a threat actor. Whoever claims it can re-create the repositories under that name and any project importing those module paths will fetch the attacker's code. GitHub offers some, but not enough, protection against this, the report says. Go developers who depend on other people's modules should check that the account behind each import path still exists and still belongs to the original author, and should rely on go.sum checksums so that a hijacked module cannot silently replace a version they already build against.
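The check just described, as an added example that is not from the VulnCheck report or any project's own code: it parses the require lines of a go.mod, collects the GitHub account names embedded in the module paths, and asks the GitHub users API whether each account is still registered (a 404 means the name is unclaimed and can be picked up by anyone). The go.mod contents, the "old-name" account and the in-process fake GitHub server are all constructed here for the demonstration; against the real service the base URL would be https://api.github.com, which rate-limits unauthenticated calls. An account that still exists is only a first pass, since it does not prove the repository is still controlled by the original author.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// GitHubOwners returns the unique GitHub account names that own modules listed
// in the require section(s) of a go.mod file. Go import paths embed the hosting
// account (github.com/<owner>/<repo>), which is why a released username can be
// re-registered and the module path re-populated by someone else.
func GitHubOwners(goMod string) []string {
	seen := map[string]bool{}
	var owners []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "): // single-line require
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue
		}
		fields := strings.Fields(line) // "<module path> <version>"
		if len(fields) < 2 {
			continue
		}
		parts := strings.Split(fields[0], "/")
		if len(parts) >= 3 && parts[0] == "github.com" {
			owner := strings.ToLower(parts[1]) // GitHub names are case-insensitive
			if !seen[owner] {
				seen[owner] = true
				owners = append(owners, owner)
			}
		}
	}
	return owners
}

// OwnerExists asks the GitHub users API (GET <apiBase>/users/<owner>) whether an
// account name is currently taken. 404 means unclaimed: anyone can register it.
func OwnerExists(client *http.Client, apiBase, owner string) (bool, error) {
	resp, err := client.Get(apiBase + "/users/" + owner)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusNotFound:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d for %s", resp.StatusCode, owner)
	}
}

// Repojackable lists the GitHub accounts referenced by goMod that no longer exist.
func Repojackable(client *http.Client, apiBase, goMod string) ([]string, error) {
	var unclaimed []string
	for _, owner := range GitHubOwners(goMod) {
		exists, err := OwnerExists(client, apiBase, owner)
		if err != nil {
			return nil, err
		}
		if !exists {
			unclaimed = append(unclaimed, owner)
		}
	}
	return unclaimed, nil
}

// fakeGitHub stands in for api.github.com so the example runs offline: only the
// listed account names answer 200, everything else answers 404.
func fakeGitHub(taken ...string) *httptest.Server {
	set := map[string]bool{}
	for _, t := range taken {
		set[t] = true
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		owner := strings.TrimPrefix(r.URL.Path, "/users/")
		if !set[owner] {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		fmt.Fprintf(w, `{"login":%q}`, owner)
	}))
}

// sampleGoMod is a constructed go.mod; "old-name" is a hypothetical account that
// was renamed and is no longer registered, so its module path is up for grabs.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/gorilla/mux v1.8.1
	github.com/old-name/widget v0.3.0 // indirect
	golang.org/x/text v0.14.0
)

require github.com/another/tool v1.0.0
`

func main() {
	srv := fakeGitHub("gorilla", "another")
	defer srv.Close()
	unclaimed, err := Repojackable(srv.Client(), srv.URL, sampleGoMod)
	if err != nil {
		panic(err)
	}
	for _, o := range unclaimed {
		fmt.Printf("WARNING: GitHub account %q is unclaimed; modules under github.com/%s/ can be hijacked\n", o, o)
	}
}
```

Run it against a real go.mod by reading the file into `Repojackable` with `http.DefaultClient` and `https://api.github.com`; pair the result with `go mod verify`, which catches a version whose contents no longer match the checksum recorded in go.sum.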
Finally, the iPhone's Lockdown Mode offers users with serious security concerns extra protection against their smartphone being hacked. However, researchers at Jamf Threat Labs have discovered a way the protection can be faked on an already compromised iPhone. Essentially, malware installed before the user turns on Lockdown Mode can make the phone's owner think the mode has been enabled and they are protected, when it has not been. Two things to keep in mind. First, Lockdown Mode isn't meant for everyone; it is for potential targets such as reporters, government officials and corporate executives. Second, no one has yet been seen using this tactic. But remember, turning on Lockdown Mode after a device is compromised may not give the protection hoped for, because it cannot undo an infection that is already there. One defence: make sure your iPhone always installs the latest security patches.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
The post Cyber Security Today, Dec. 6, 2023 – Warnings about Russian-based cyber attacks, and more first appeared on IT World Canada.