Cyber Security Today, March 1, 2024 – Warnings to GitHub users and Ivanti gateway administrators, and more

Warnings to GitHub users and Ivanti gateway administrators, and more.

Welcome to Cyber Security Today. It’s Friday, March 1st, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Developers who download code from the open-source GitHub repository always have to be careful they don’t get tricked by malicious packages. This is vital more than ever because since November a threat actor launched an automated campaign of uploading bad code into the repository. They hope this code will find its way into commercial or open-source applications, compromising millions of computers. According to researchers at Apiiro over 100,000 infected packages have recently been poured into GitHub. The threat actor behind this campaign clones existing packages, infects them and then re-loads them into GitHub. Then these bad packages are promoted to unsuspecting developers in forums. They collect login credentials of developers and anyone who uses an application the developer put the bad code in. An estimated 99 per cent of bad packages have been removed by GitHub. But the that still leaves thousands on the platform. And the campaign continues.

I’ve reported previously about the need for administrators of Ivanti Connect Secure and Policy Secure gateways to reset and patch those devices. Well, that isn’t enough. Cybersecurity agencies of the Five Eyes intelligence-sharing countries warned Thursday that threat actors can get around mitigations. In particular they can deceive Ivanti’s integrity Checker Tool to continue compromising these devices through three vulnerabilities. Administrators should consider dropping these devices, the agency say.

After years of company reminders and media reports about following safe cybersecurity practices some people still don’t get it. That’s a takeaway from a phishing report this week by Proofpoint. The company’s annual State-of-the-Phish report includes a survey of over 7,000 working adults in 15 countries. About a quarter admit they do risky things like use a work device for personal activities, reuse or share passwords and connect without using a VPN in a public place like a mall or airport. Some of these activities could be legitimate — there’s nothing wrong with sharing a password with a family member so they can access your personal email in an emergency. Or using an office computer to go to a website if its OK with management, like sites about your hobbies or to research a vacation. But the numbers suggest that some people do risky things because the security message isn’t getting through. A quarter of the respondents said they took risky action to meet an urgent deadline. Others did it to save time or money. Eleven per cent said they did it to meet a revenue target; 10 per cent did it to meet a performance objective. Here’s another factoid from the report: While 99 per cent of security pros surveyed said their organization has a security awareness program, only slightly more than half say they train everyone in the organization.

Speaking of phishing, Pepco Group, a European discount retailer, has acknowledged its division in Hungary recently lost the equivalent of US$16 million. How? Staff fell for a phishing lure.

Finally, a Malwarebytes researcher stumbled across a crook running an apartment reservation scam while trying to book a vacation in Amsterdam on Airbnb. The person who posted the apartment asked him to switch to communicating by email because Airbnb’s platform was allegedly having some problems. If interested, the owner said, they would send the traveler a link to Tripadvisor to complete the reservation. Well, the link went to a fake Tripadvisor website. The goal of this scam: To get an unsuspecting victim to click on a booking button on the fake Tripadvisor site and enter credit or debit card details. Two lessons: If someone asks you to switch communicating from one site to a different one or email when making any kind of purchase, be suspicious. And when you buy anything, do it on a full-screen computer or laptop, not a smartphone, so you can see the full email address of who you’re dealing with or the full website address of where you’re going.

That’s it for now. But later today the Week in Review podcast will be out. Guest Terry Cutler of Cyology Labs will join me to discuss how hard it is for law enforcement to put ransomware gangs out of business and Canada’s proposed law to make social media platforms take down child porn images fast.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon