Cyber Security Today, May 17, 2024 – Malware hiding in Apache Tomcat servers

Share post:

Malware hiding in Apache Tomcat servers, new backdoors found, and more
Welcome to Cyber Security Today. It’s Friday, May 17th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts


Threat actors are hiding the Kinsing malware on Apache Tomcat web servers. According to researchers at Tenable, one of the hiding places is a folder where manual files are stored. Presumably the threat actors think defenders won’t look there. The malware sets up the XMRig cryptominer for mining Monero. Tomcat administrators should make sure their servers are patched and protected with strong passwords to prevent being compromised.

Researchers at ESET have discovered two new backdoors suspected of being used by the Russian group nicknamed Turla. These backdoors have been used for the past four years to compromise an unnamed European country’s ministry of foreign affairs and three of its offices in the Middle East. One backdoor, which ESET calls LunarWeb, is deployed on servers. It uses HTTP(S) and attempts to blend in by mimicking the traffic of legitimate services such as Windows Update The other backdoor, called LunarMail, is deployed on workstations. It piggybacks on Microsoft Outlook and communicates via email messages, using either PNG images or PDF documents to exfiltrate data. The report doesn’t say how the foreign affairs department was initially compromised. But it found evidence a network monitoring application was leveraged, and there is evidence a malicious macro in a Word document downloaded one backdoor. That malicious document may have been delivered by spearphishing.

The U.S. has charged five people including an Arizona woman with being part of a North Korean conspiracy to get spies hired as remote application developers by American companies. The scheme involved stealing the identities of 60 Americans so two spies could pose as people in the U.S. The woman received laptop computers issued by the gullible companies for the supposed new American-based employees. Using the laptops she made it look like the spies were in the U.S. The State Department said the scheme generated at least $6.8 million for North Korea in salaries paid to the workers. The charges should be a wakeup call for American companies and government agencies that want to hire remote IT workers, a deputy assistant attorney general said in a press statement.

UDPDATE: After this podcast was recorded the U.S. Justice Department announced more charges and said the scheme was wide. A man in Maryland was also arrested. In addition 12 website domains used by North Korean IT workers to mimic Western IT services firms to support their resume claims were seized.

AI developers who downloaded the llama-cpp-python package for integrating artificial intelligence models with Python are urged to upgrade to the latest version. This comes after the discovery of a vulnerability in the package that could allow a hacker to compromise an AI application and do nasty things. According to researchers at Checkmarx, over 6,000 AI models on the Hugging Face platform for downloading code were potentially vulnerable. Checkmark says the discovery underscores the fact that AI platforms and developers have yet to fully catch up to the challenges of supply chain security.

Vulnerabilities in on-premise VPNs are increasingly being exploited by threat actors. That’s why Norway this week urged IT departments to drop virtual private network devices that use secure socket layer/transport layer security — SSL/TLS — for short. These are also known as SSLVPNs, WebVPNs or client-less VPNs. Norway’s National Cyber Security Center says solutions for secure remote access should instead use IPsec with Internet Key Exchange. Solutions using those protocols aren’t free of holes, but they have a smaller attack surface and a lower risk of configuration errors. The Norwegian cyber centre says most organizations should move by the end of 2025. Those organizations designated by the country as critical should drop SSL/TLS VPNs by the end of this year. Cyber authorities in other countries, including the U.S., have already made the same recommendation.

Later today the Week in Review podcast will be available. Terry Cutler of Cyology Labs will join to discuss the FBI takedown of the BreachForums criminal marketplace, and other news.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, Week in Review for week ending Friday, June 21, 2024

Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday June...

Cyber Security Today, June 21, 2024 – US to ban Kaspersky for businesses, consumers

U.S. to ban the sale of Kaspersky products to consumers and businesses. Welcome to Cyber Security Today. It's Friday...

Why Jensen Huang in the Taylor Swift of tech. Hashtag Trending for Friday, June 21, 2024

Hashtag Trending is brought you with the generous sponsorship of Zoho Canada. We thank them for making it...

Biden administration to ban US sales of Kaspersky software over ties to Russia

The Biden administration is set to announce a ban on the sale of Kaspersky Lab's antivirus software in...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways