Malware hiding in Apache Tomcat servers, new backdoors found, and more
Welcome to Cyber Security Today. It’s Friday, May 17th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.
 |
 |
 |
Threat actors are hiding the Kinsing malware on Apache Tomcat web servers. According to researchers at Tenable, one of the hiding places is a folder where manual files are stored. Presumably the threat actors think defenders won’t look there. The malware sets up the XMRig cryptominer for mining Monero. Tomcat administrators should make sure their servers are patched and protected with strong passwords to prevent being compromised.
Researchers at ESET have discovered two new backdoors suspected of being used by the Russian group nicknamed Turla. These backdoors have been used for the past four years to compromise an unnamed European country’s ministry of foreign affairs and three of its offices in the Middle East. One backdoor, which ESET calls LunarWeb, is deployed on servers. It uses HTTP(S) and attempts to blend in by mimicking the traffic of legitimate services such as Windows Update The other backdoor, called LunarMail, is deployed on workstations. It piggybacks on Microsoft Outlook and communicates via email messages, using either PNG images or PDF documents to exfiltrate data. The report doesn’t say how the foreign affairs department was initially compromised. But it found evidence a network monitoring application was leveraged, and there is evidence a malicious macro in a Word document downloaded one backdoor. That malicious document may have been delivered by spearphishing.
The U.S. has charged five people including an Arizona woman with being part of a North Korean conspiracy to get spies hired as remote application developers by American companies. The scheme involved stealing the identities of 60 Americans so two spies could pose as people in the U.S. The woman received laptop computers issued by the gullible companies for the supposed new American-based employees. Using the laptops she made it look like the spies were in the U.S. The State Department said the scheme generated at least $6.8 million for North Korea in salaries paid to the workers. The charges should be a wakeup call for American companies and government agencies that want to hire remote IT workers, a deputy assistant attorney general said in a press statement.
UDPDATE: After this podcast was recorded the U.S. Justice Department announced more charges and said the scheme was wide. A man in Maryland was also arrested. In addition 12 website domains used by North Korean IT workers to mimic Western IT services firms to support their resume claims were seized.
AI developers who downloaded the llama-cpp-python package for integrating artificial intelligence models with Python are urged to upgrade to the latest version. This comes after the discovery of a vulnerability in the package that could allow a hacker to compromise an AI application and do nasty things. According to researchers at Checkmarx, over 6,000 AI models on the Hugging Face platform for downloading code were potentially vulnerable. Checkmark says the discovery underscores the fact that AI platforms and developers have yet to fully catch up to the challenges of supply chain security.
Vulnerabilities in on-premise VPNs are increasingly being exploited by threat actors. That’s why Norway this week urged IT departments to drop virtual private network devices that use secure socket layer/transport layer security — SSL/TLS — for short. These are also known as SSLVPNs, WebVPNs or client-less VPNs. Norway’s National Cyber Security Center says solutions for secure remote access should instead use IPsec with Internet Key Exchange. Solutions using those protocols aren’t free of holes, but they have a smaller attack surface and a lower risk of configuration errors. The Norwegian cyber centre says most organizations should move by the end of 2025. Those organizations designated by the country as critical should drop SSL/TLS VPNs by the end of this year. Cyber authorities in other countries, including the U.S., have already made the same recommendation.
Later today the Week in Review podcast will be available. Terry Cutler of Cyology Labs will join to discuss the FBI takedown of the BreachForums criminal marketplace, and other news.
Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.
