Cyber Security Today, April 1, 2022 – Spring Java framework needs patching, nation-state attackers take advantage of Ukraine war and a warning to student job seekers

Spring Java framework needs patching, nation-state attackers take advantage of Ukraine war and a warning to student job seekers. Welcome to Cyber Security Today. It’s Friday, April 1st, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Software developers using the Spring Java application development framework should install the latest security updates. These close three vulnerabilities. Two were discovered this year. The third is a patch for an older vulnerability some researchers have dubbed SpringShell or Spring4Shell. That’s because they think it’s similar to the Log4Shell vulnerability in the Apache log4j logging library. That may or may not be true. Regardless, a patch for that particular hole was released on Thursday by VMware, which owns the Spring framework.

Lots of threat actors are using the war in Ukraine as cover for spear phishing attacks, according to Google. It says government-backed threat actors from China, Iran, North Korea and Russia as well as some unattributed groups are using war-related themes to trick victims into opening malicious emails or clicking on malicious links. For example, someone is impersonating military personnel to extort money for rescuing relatives in Ukraine. A Russian-based threat actor sometimes referred to as Calisto has launched credential phishing campaigns targeting several U.S.-based non-profits and think tanks. They’re also going after the military of several Eastern European countries as well as a NATO Centre of Excellence. A group believed to be from China’s military has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. So, be careful of unexpected email with themes about the war.

Meanwhile, fixed broadband satellite provider Viasat has acknowledged the consumer side of its service was disrupted in Ukraine and several European countries by a cyber attack just as the Russian invasion started on February 24th. The attack didn’t affect Viasat’s mobility service, it said, or service to government customers. But it damaged some customer modems so much that Viasat has shipped tens of thousands of replacement units to distributors. The company said an attacker exploited a misconfiguration in a VPN appliance to gain remote access to the management segment of the satellite network. Then they issued destructive commands to the modems.

University and college students are understandably eager to have money to pay rent or to make a dent in their student loans. However, crooks are preying on that eagerness with tempting emailed job offers from recruiters they never meet. One goal is to get the victims’ name, address, birthday and social insurance number for identity fraud. Another is to sucker the victim into handing over money. The so-called jobs can be as varied as caregivers, mystery shoppers, administrative assistants, models, or rebate processors. Some enticements are that the victim can work from home. Sometimes the recruiter asks for a small amount of money upfront by promising big money later. In the worst cases the victim ends up working as an unsuspecting money mule for a criminal gang. These job offers are sometimes dazzling. Earlier this year Proofpoint discovered a scam trying to recruit university students for an executive personal assistant role at the United Nations Children’s Fund, known as UNICEF. Another email offered a three-day modeling job on a film shoot, claiming the company saw the victim’s profile on Instagram. Beware of an unexpected job offer received from a freemail account such as Gmail or Hotmail that spoofs a legitimate organization. Beware of nonexistent or overly simplistic interview questions with little to no information about the job duties.

Finally, researchers at Bitdefender have found vulnerabilities in the Wyze Cam computer video camera used by consumers and small businesses. Make sure the latest security patches have been installed. Note that patches are only available for versions 2 and 3 of this device. Version 1 is discontinued and no longer receives security fixes.

Don’t forget later today the Week in Review podcast will be available. Terry Cutler of Cyology Labs and I will discuss backups, nation-state cyberattacks and how police are being fooled into giving up your subscriber information.

You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 1, 2022 – Spring Java framework needs patching, nation-state attackers take advantage of Ukraine war and a warning to student job seekers first appeared on IT World Canada.

Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
