Cyber Security Today, April 15, 2024 – Act fast to a plug hole in Palo Alto Networks firewall, Canadian comedy festival loses over $800K in email scam, and more

Act fast to a plug hole in Palo Alto Networks firewall, Canadian comedy festival loses over $800K in email scam, and more.

Welcome to Cyber Security Today. It’s Monday, April 15th, 2024. I’m cybersecurity reporter Howard Solomon.

A critical vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS operating system has been exploited at several organizations at least as far back as March 26th. That’s the finding by researchers at Volexity who discovered the hole. A threat actor has in some cases deployed a custom backdoor written in the Python language by using the vulnerability. Then the attacker stole credentials and other files. Palo Alto Networks was expected to have delivered a patch yesterday. Volexity says the skill and speed used in the attacks suggest a highly capable threat actor with a clear playbook of what to access,. Network administrators using GlobalProtect firewalls should either install the patch or recommended mitigations. The vulnerability has a CVSS score of 10.

UPDATE: This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available this week.

The organization that produces Montreal’s Just For Laughs comedy shows was stung last year for just over $813,000 after falling for a business email compromise scam. The Quebec news service La Press discovered court documents showing the financial controller fell for emails pretending to be from a company shareholder instructing a switch of the bank account where management payments should go. The scammer was convincing because they created an email account with an extra ‘s’ at the end of the sender’s domain that came close to the spelling of a real email account. Unfortunately there are no protections in the global internet registry system to stop domains from being created with almost identical names to real companies. It’s imperative financial department employees confirm in independent ways any changes in payment procedures requested by email, voice mail or video calls. Staff shouldn’t use email messages or phone numbers in the email from the sender asking for the change to get confirmation.

A former senior IT security employee has been sentenced to three years in prison by an American judge for hacking into smart contracts of cryptocurrency exchanges two years ago. The man stole over US$12 million in digital coin. Shakeeb Ahmed received the sentence Friday after pleading guilty to computer fraud. According to the news site HackingButLegal, Ahmed worked for Amazon.

A threat actor has posted data stolen from a partner of Canadian retailer Giant Tiger. The BleepingComputer news service said the database was posted on a hacker forum with information allegedly on 2.8 million customers. It’s available to any hacker forum member for the price of eight credits. Members get credits for doing something as simple as commenting on a post or contributing a new post.

Are you worried about the recently discovered compromise of the maintainer of a critical Linux package? That’s the scheme where a threat actor took three years to gain the confidence of those helping to oversee the package before switching it for a malicious version. Well, the U.S. Cybersecurity and Infrastructure Security Agency issued a reminder that it has been working on improving open-source security for a while. It backs the Secure by Design initiative with steps for developers on building safe applications using open-source components.

The city of Toronto has budgeted $1 million to cover the costs of last October’s ransomware attack on the Toronto Public Library system. Reporter John Lorinc says the number includes almost $770,000 for cybersecurity experts and related IT system remediation and restoration costs. It also includes $160,000 in legal costs and $74,000 for credit monitoring services for employees who had their data stolen. All of the library system’s 500 computers had to be wiped and rebuilt. Meanwhile the city also has to deal with a January ransomware attack on the Toronto Zoo. In that attack data of current and former employees was stolen.

Speaklng of ransomware, one of the ways of crushing ransomware gangs is to take the money out of their attacks. The problem is forbidding — or even begging — unprepared organizations not to pay a ransom isn’t working. So last week the Ransomware Task Force, a group of public and private sector experts, released a plan to reduce the need to ban ransomware payments. It will take several years, the Task Force admits. But only after all the steps in its plan have been met should governments think about prohibiting ransomware payments. Briefly, the plan says ‘Don’t institute a payment ban until organizations have cybersecurity maturity.’ Here are some of the recommended steps:

–Develop a ransomware framework to provide a national standard for ransomware preparation. The framework would be adapted for organizations of different sizes, maturity and risk profiles;

–provide financial incentives for organizations to comply with the framework;

–mandate limited baseline security measures for critical infrastructure providers including utilities, banks and hospitals;

–form an international law enforcement partnership to target ransomware gangs;

–require cryptocurrency exchanges and over-the-counter trading desks to comply with existing financial transaction tracking controls;

–create a ransomware response fund to help victim organizations recover from attacks;

–work with cyber insurers;

–and end the tax deductibility of ransomware payments.

The Task Force believes things like this could take two years to implement. Only then should governments think about banning ransomware payments.

Meanwhile, nothing stops your organization from toughening its cybersecurity defences.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.