Cyber Security Today, Feb. 5, 2024 – Warnings to AnyDesk and Mastodon administrators, a lesson from a Cloudflare breach, and more

Warnings to AnyDesk and Mastodon administrators, a lesson from a Cloudflare breach, and more.

Welcome to Cyber Security Today. It’s Monday, February 5th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

IT administrators allowing the use of the AnyDesk remote desktop connection software should immediately force users to change their passwords. This is because the developer realized hackers recently got into the company’s production systems. In addition to changing passwords, IT must mandate the use of multifactor authentication as an additional login step if it hasn’t already done so. AnyDesk revealed the compromise on Friday. On Saturday researchers at Resecurity said at least two crooks are already offering to sell 18,000 credentials apparently stolen from AnyDesk customers. The cost of buying those 18,000 passwords? US$15,000 in cryptocurrency. Resecurity has warned that particular group of users that their credentials are at risk. Compromising an AnyDesk installation could lead to compromise of the IT system.

Employees need to be warned that threat actors often try to trick people into installing AnyDesk so they can remotely access computers. Scams include emails or phone calls pretending to be from Microsoft or another company saying they need to install AnyDesk to clean their Windows computer. Another scam is a communication claiming to be from AnyDesk support saying they need remote access to the person’s computer or their Android or Apple smartphone.

Administrators overseeing instances of the Mastodon social networking platform need to update their servers. Due to a vulnerability attackers can impersonate and take over any remote account. All versions of Mastodon are vulnerable.

The consequences to some companies of the compromise last October of identity and access management provider Okta continue to emerge. Last week security provider Cloudflare said a threat actor accessed the Atlassian servers that run its internal source code management system, its corporate wiki and its bug database. How did the attacker do it? By using one access token and three Cloudflare service account credentials that were among credentials stolen from Okta in October. Cloudflare’s mistake? Most, but not all of its credentials were rotated after being told of that attack. Why not rotate them all? Because staff thought those particular accounts weren’t used. The lesson: Don’t assume anything when password credentials have to be revoked, rotated, reset or whatever you call it.

Four vulnerabilities have been found that could allow an attacker to escape the confines of a Docker or Kubernetes container, whose goal is, as the name suggests, to contain nasty people. The discovery by researchers at Snyk means that developers using containers and container build tools need to update those applications as soon as patches are released by their vendors.

Another U.S. company has reported the high cost of a cyberattack. Cleaning products manufacturer Clorox said in a regulatory filing that so far the August cyberattack has cost it US$49 million in IT recovery and related costs. That included having to take systems off line, which resulted in disruption of business operations for weeks. Clorox may get some insurance coverage for some expenses.

A U.S. regulator says the “shoddy” cybersecurity and data retention practices of an American company called Blackbaud caused a huge data theft and ransomware attack in 2020. Blackbaud provides data services to nonprofits, schools, healthcare providers and businesses. Among the victims were universities and charities in the U.S., Canada and the U.K. The U.S. Federal Trade Commission said last week that Blackbaud didn’t monitor attempts by hackers to break into its networks, didn’t segment data for security, didn’t ensure sensitive data that wasn’t needed was deleted or adequately implement multifactor authentication. The attacker was in its system for three months. Blackbaud paid a ransom of about US$250,000, but never verified the attacker actually deleted stolen data. And it waited nearly two months do notify customers about the theft of their data. As part of a proposed settlement with the FTC Blackbaud will have to develop a comprehensive IT security program, and delete personal data it doesn’t have to hold.

News is now coming from Interpol that law enforcement agencies from 50 countries including the U.S., Canada and China participated last fall in the seizure of servers behind phishing, malware and ransomware attacks. So far Operation Synergia has seen 31 people arrested or detained.

Finally, a former CIA software developer has been sentenced to 40 years in prison for sending classified agency documents to the WikiLeaks website and possession of child pornography. Joshua Schulte wasn’t a model employee. In 2016 he was transferred from his work at the time to another branch because of a dispute with another developer. In his new post his administrator privileges were soon revoked. However, he kept secret server adminin privileges which allowed him to steal documents in the largest data breach in CIA history and send them to WikiLeaks from his home computer. While investigating the theft of those documents from the home computer the FBI cam across the child porn.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.