Cyber Security Today, May 15, 2024 – Ebury botnet still exploits Linux servers, Microsoft, SAP and Apple issue security updates

Share post:

The Ebury botnet continues to exploit Linux servers, Microsoft, SAP and Apple issue security updates, and more.

Welcome to Cyber Security Today. It’s Wednesday, May 15th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

Linux server administrators still aren’t doing enough to protect their machines from being infected by the Ebury botnet. That’s the conclusion from reading a report by researchers at ESET. They say the botnet of compromised Linux servers is still expanding 15 years after its creation, spreading spam, stealing login credentials, plundering cryptocurrency wallets and copying credit card numbers. What’s worrisome is that victims include internet hosting providers. As you can imagine, compromising a hosting provider can give the Ebury operators access to thousands of servers. In one experiment researchers rented a virtual server from a compromised hosting provider and found the Ebury malware was installed on it within seven days. ESET estimates that as of late last year there were over 100,000 Ebury compromised servers. How are servers compromised? Credential stuffing, taking advantage of weak administrator passwords, and then elevating their access privileges. The report has details on how to detect and defuse the rootkit Ebury installs as well as how to cleanse infected servers. Making Linux administrators use of multifactor authentication to restrict access to servers helps block attacks.

In February law enforcement agencies took over the LockBit ransomware gang’s websites. That hasn’t stopped this ransomware from being distributed. A botnet called Phorpiex has started a new email campaign that for the first time distributes a variant of the LockBit malware, according to researchers at Proofpoint. The high-volume campaign started April 24th. The strain being used isn’t from the developer but likely one that was leaked last summer. The infected emails are from “Jenny Green” with the subject line “Your Document.” The message says “Hello, you can find your document in the attachment,” and claims to be from “GSD Support.” The attached ZIP file triggers a chain that results in download of the ransomware. This is a classic case of an unexpected email that employees should be warned against opening. The “Jenny Green” messages flung from the Phorpiex botnet have been seen since at least January, 2023, but they were distributing the Phorpiex malware. Use of a LockBit ransomware strain is new.

For Patch Tuesday, Microsoft released fixes for 61 vulnerabilities. They include a patch for Windows Desktop Window Manager, which researchers at Action1 rate as a significant risk. Another fix closes a hole in SharePoint Server. There’s also a patch for Excel.

SAP released 17 security patches for its products. These include three HotNews Notes and one High Priority Note. According to researchers at Onapsis, one patch — with a CVSS score of 9.8 — fixes two critical vulnerabilities in SAP Customer Experience Commerce. Another patch, with a CVSS score of 9.6, fixes a vulnerability in SAP NetWeaver Application Server ABAP.

Adobe released patches for Acrobat, Acrobat Reader, Illustrator, FrameMaker, Dreamweaver, Animate, Substance 3D Painter and Substance 3D Designer and Aero.

Apple released a new version of iOS that patches 16 vulnerabilities on iPhones and iPads. Patches for the macOS were also released.

Also released this week from Apple and Google are iOS and Android updates that warns users with Bluetooth turned on that someone is tracking them with a Bluetooth-detecting device.

Separately, Google released emergency fixes to plug a new zero-day vulnerability in the Chrome browser. Make sure you’re running the latest version.

VMware has released updates for Workstation and Fusion to fix four critical vulnerabilities. The holes were identified during a recent Pwn2Own hacking contest.

A Dutch court has sentenced a Russian man who lives in the country to just over five years in prison for allowing the laundering of money through the Tornado Cash cryptocurrency mixer. He was accused of being the developer and maintainer of the service that anonymously exchanged cryptocurrency for cash. The prosecution alleged at least US$1.2 billion taken from hacks was laundered. That included some US$450 million that North Korea’s Lazarus Group got from stealing cryptocurrency from the Axie Infinity online game. The accused blamed users for abusing the service. However, the court said the platform was designed to have no impediment for criminal use.

In January I reported that Mississippi’s Singing River Health System was notifying over 250,000 people of a data theft during a ransomware attack. This week it updated that number to just over 895,000 people who are being notified.

WiFi network administrators as well as router manufacturers need to take steps to protect users against a vulnerability in the WiFi protocol. That’s the advice of researchers at Top10VPN who discovered the hole in the IEEE 802.11 standard. Their evidence will be presented at an upcoming conference in South Korea, but is also in a blog published this week. Briefly, the problem is the flaw can allow an attacker to trick a victim into connecting to a hacker-controlled network that spoofs the broadcast name of a legitimate wireless network. That’s because the network name — which viewers see when logging in — doesn’t always have to be authenticated. It’s particularly a problem in places like universities where staff and students re-use WiFi passwords.

Finally, the U.S. Federal Trade Commission has warned manufacturers of cars sold in the U.S. not to illegally collect, use or disclose personal data they collect from internet-connected vehicles. Biometric, telematic, geolocation and other data can be collected from wireless vehicle systems. Selling that data to marketers and data brokers without customer consent can be illegal, the regulator says — as it is for all American businesses.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Pablo Listingart from ComIT – Hashtag Trending the Weekend Edition for May 25, 2024

Pablo Listingart, founder and executive director of ComIT, discusses the resource shortage in cybersecurity and IT and the...

Cyber Security Today, May 24, 2024 – A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more

A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more. Welcome to Cyber Security...

Consumers don’t trust social media companies with AI. Hashtag Trending for Friday, May 24th, 2024

A new Axios poll says that consumers don’t trust social media giants branching into AI.  Two companies headed...

Canada centralizing cybersecurity efforts of federal IT departments

Federal departments and agencies are making only marginal progress in improving their cyber maturity, Ottawa said Wednesday as...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways