Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnet installations

Share post:

A suspected China threat actor going after unpatched F5 and ScreenConnet installations.

Welcome to Cyber Security Today. It’s Monday, March 25th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for and in the U.S.

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

Hundreds of organizations in the U.S., Canada, the U.K., Australia and other countries are being targeted by a China-based threat actor. That’s according to researchers at Mandiant. Given the name UNC5174, this threat actor is going after unpatched installations of F5’s BIG-IP appliances, ConnectWise’s ScreenConnect, Atlassian’s Confluence servers, Zyxel Firewalls and Linux servers. The suspicion is this person used to be with a Chinese hacktivist collective and is now selling access to compromised companies it gets to China’s Ministry of State Security. IT administrators are urged to quickly take recommended remediation steps for F5 appliances and ScreenConnect software.

Over 100 companies in the U.S. and Europe have been targeted by threat actors in the latest phishing message campaign spreading the StrelaStealer malware for stealing email passwords. Researchers at Palo Alto Networks say this new campaign began in January. Some messages claim the attachment is an invoice that has to be paid. High-tech companies are particularly being targeted. Employees need to be reminded not to click on email or text attachments unless they are sure who the message comes from.

A more powerful variant of the Russian AcidRain data wiper that crippled satellite modems across Europe at the beginning of the invasion of Ukraine has been spotted. Researchers at SentinelOne call this variant AcidPour. While the first version was aimed at devices with MIPS processors, AcidPour can hit those running x86 processors. These include Linux-powered networking and IoT devices, RAID arrays and large storage devices. This new wiper is being used against internet and telecom service providers in Ukraine. IT and network administrators in critical industries in any country need to keep vital devices patched to avoid successful infrastructure attacks.

Microsoft has released an emergency Windows Server update to cure a problem with the March patches it released a few weeks ago. The problem causes Windows domain servers to crash. Bleeping Computer said the updates are for WinServer 2022, 2016 and 2012. A fix for WinServer 2019 will be released shortly.

German authorities have seized the darknet market called Nemesis as part of an operation with the U.S. and Lithuania. Founded in 2021, the Nemesis Market sold stolen data, ransomware and phishing services, and drugs. Forensic data gathered in the seizure will help investigate the over 150,000 users and 1,100 sellers on the market.

What will it take to get American hospitals and healthcare providers to get tougher on cybersecurity? Being forced to act with legislation, says American Senator Mark Warner. He introduced a bill on Friday to allow health care providers to get accelerated medicare payments if they are victims of a cyber attack — but only if they meet minimum cybersecurity standards. Those proposed standards haven’t been set yet. Warner introduced the legislation because of the impact across the U.S. on a ransomware attack on Change Healthcare, which processes payments for patients. According to the news site Cyberscoop, major American healthcare groups oppose having to meet mandatory minimum cybersecurity standards.

Mozilla, the group behind the Firefox browser, has dropped a reputation service called Onerep that it had been bundling with its Mozilla Plus subscription service. This comes after security journalist Brian Krebs reported that Onerep’s owner also owns dozens of services that do internet searches on people, including one that sells background reports on individuals. Onerep’s owner said there was no information sharing between that company, called Nuwber, and Onerep. But that didn’t satisfy Mozilla.

Here’s the latest data breach news:

Select Education Group, which runs several post-secondary schools in California and Oregon including the Institute of Technology, Bauman College, Fremont University and the National Holistic Institute, is notifying just over 67,000 people personal data it holds was stolen. The incident happened last November. Data stolen included names, Social Security numbers, billing and payment records and/or academic records.

Monmouth College of Illinois, which has a student body of about 750 students, is notifying just under 45,000 people that their personal data was exposed in a ransomware attack last December.

By coincidence — or not — nearby Henry County was hit by a ransomware attack last week. According to the cybersecurity news service The Record, the Medusa ransomware gang is taking credit for that attack.

The city of Jacksonville Beach, Fla., is notifying about 49,000 people their personal data was copied in a January cyber attack. According to a local news site, the mayor says this was a ransomware attack.

The American division of GardaWorld Cash, a cash management provider for banks and retailers, is notifying almost 40,000 people of the theft of personal data held in administrative files. It happened last fall, but it took until this month to identify and get the addresses of the victims. Data stolen included names, Social Security numbers, drivers licence numbers, dates of birth and either insurance benefits or health information.

Finally, March is when individuals in Canada, the U.S., the U.K. and other countries prepare to file their income taxes. It’s also a time when crooks unveil their latest email or text-based tax scams. Ignore emails that purport to be from a government tax agency with an attachment that’s supposed to help fill out your taxes. Also, ignore phone messages warning to you to call a number because of a tax problem. Usually the government will tell you to log into your tax account to look for a message rather than send you an email with an attachment. Scammers are also sending out emails promising to help with large refunds under certain government programs, or to help you fill out your taxes. Here’s an IRS list of common tax scams and a Microsoft report on tax scams.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.

The post Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnet installations first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Microsoft faces criticism for managing of vulnerability disclosure

Microsoft is criticized for its handling of bug reporting with critics saying, “they just don’t seem to get...

FBI rapidly hacks into Trump shooter’s phone, raises privacy concerns

Just two days after the attempted assassination at a Trump rally, the FBI announced it had gained access...

Disney investigating a potential major leak of internal communications

Disney is investigating a significant data breach by the hacking group Nullbulge, which claims to have accessed and...

Kaspersky to shut down its US business due to sanctions

Russian cybersecurity firm Kaspersky Lab announced it will cease its U.S. operations starting July 20, following sanctions from...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways