Cyber Security Today, May 29, 2024 – A new North Korean ransomware gang spotted, and more



Welcome to Cyber Security Today. It’s Wednesday, May 29th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.


A North Korean gang is now in the ransomware business. Microsoft calls this crew Moonstone Sleet. It sets up fake companies and job opportunities to get close to target organizations and eventually deliver custom ransomware. Its tactics for spreading malware vary. It often delivers a trojanized version of the PuTTY terminal emulator. It may deploy malicious NPM packages of open-source code through freelancing websites or LinkedIn. For example, it created a fake company to email .zip files containing an infected NPM package that pretended to be a technical skills assessment for job applicants. It also pretended to be a game developer seeking investment or developer support for a malicious tank game. Goals until now have been to steal login credentials and intellectual property. But since April, Microsoft has seen Moonstone Sleet delivering a new ransomware variant. To deflect this and any other ransomware gang from your organization, the IT department needs to ensure all hardware and software have the latest security updates, ensure all logins use strong passwords and multifactor authentication, and ensure all employees are trained to think twice about clicking on links and attachments.

There’s more ransomware news: Security Week says the RansomHub gang claims it recently hit the Christie’s auction house. Christie’s, which temporarily went offline earlier this month, said it suffered a technology security incident that resulted in the theft of what it called a “limited amount of personal data relating to some of our clients.”

And the public library of the city of Seattle, Wash., said it was hit by ransomware Saturday, just before the institution was going to take IT systems offline for planned maintenance over the Memorial Day long weekend. IT systems are now offline, although library branches are open. Threat actors often hit targets just before long weekends.

The United States has named and sanctioned three Chinese citizens and three companies in Thailand for running the 911 S5 botnet. It helped siphon billions in phony government COVID aid applications and other scams. This botnet is a residential proxy service made up of millions of compromised computers that threat actors used to hide their digital tracks when applying for fake virus relief programs, paying for goods with stolen credit cards and laundering money. All American property and interests in property linked to the named people and companies must be reported to the U.S. Treasury Department.

OpenAI, the company behind ChatGPT, has created a safety and security committee. It will make recommendations to the board on critical safety and security decisions for OpenAI projects. The first recommendations will be made within 90 days. Ilia Kolochenko, CEO of ImmuniWeb, said it’s a good idea. However, he added, preventing an AI system from having hallucinations is just one risk. The collection of training data from the internet without the permission of content creators is one of the biggest generative AI problems and deserves more attention than safety, he argues. Another is making sure GenAI systems are accurate, reliable, fair and transparent as well as non-discriminatory.

IT administrators who use Fortinet’s security information and event management suite, FortiSIEM, should make sure the latest security patches are installed. That’s because security researchers at Horizon3 have released a proof-of-concept exploit for previously announced vulnerabilities.

Network administrators using Cisco Systems’ Firepower Management Centre software should install the latest update. It fixes an SQL injection vulnerability.

IT administrators with Check Point Software’s Network Security gateways on their systems should install the latest update. It closes a vulnerability that could allow a threat actor to read certain information on internet-connected gateways with remote access VPN or mobile access enabled.

A threat actor has found a new way of getting around multifactor authentication login defences. Researchers at Huntress say the hacker is sending mass phishing messages to targets that trick them into signing into what they think is a Microsoft Outlook login page. The attacker can then steal both the login credentials and the MFA token. The brief technical explanation is that the victim gets an HTML file attachment that hides a link to malware. That isn’t new. What’s new here is that the attacker’s page, retrieved from hacker-controlled infrastructure, injects the legitimate Microsoft Outlook authentication portal as an iframe directly into the victim’s browser. That is what allows the session token to be stolen. The report doesn’t describe the phishing message victims get, but it’s something that tells the employee ‘click here and log in,’ such as a message from IT support or the payroll department. Employees have to be trained to be suspicious of email or text messages that have a link leading them to a supposed login page. Not only do they have to be suspicious, these messages have to be reported to a superior or to IT.
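Mail-security teams can triage HTML attachments for the two traits described above before they ever reach an inbox: an iframe that pulls a login portal from another origin, and a link hidden from view. The following Python script is an added example written for this page; it is not code from the podcast or from Huntress, and the sample attachment and every domain name in it are constructed placeholders, not real indicators.

```python
"""Triage an HTML e-mail attachment for phishing-kit indicators.

Added example, not part of the original podcast transcript. It flags:
  * <iframe> elements whose host is not on an allow-list (a portal being
    framed from attacker-controlled infrastructure),
  * <a> links inside elements styled as hidden,
  * <meta http-equiv="refresh"> redirects.
Only the Python standard library is used.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_hidden(style):
    """True if an inline style hides the element from the reader."""
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s or "opacity:0" in s


class AttachmentTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (kind, value) tuples
        self._stack = []          # (tag, hidden?) for every open element
        self._hidden_depth = 0    # > 0 while inside a hidden element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # HTMLParser lowercases tag/attribute names
        hidden = "hidden" in a or _is_hidden(a.get("style"))
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1
        if tag == "iframe":
            host = urlparse(a.get("src") or "").hostname or ""
            self.findings.append(("iframe", host))
        elif tag == "a" and self._hidden_depth > 0:
            self.findings.append(("hidden_link", a.get("href") or ""))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta_refresh", a.get("content") or ""))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; this also discards void elements
        # (<br>, <img>, <meta>) that never received an explicit close.
        if not any(t == tag for t, _ in self._stack):
            return
        while self._stack:
            t, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if t == tag:
                break


def triage_attachment(html, allowed_iframe_hosts=frozenset()):
    """Return the indicators found in an HTML attachment and a verdict."""
    p = AttachmentTriage()
    p.feed(html)
    p.close()
    iframes = [v for k, v in p.findings
               if k == "iframe" and v not in allowed_iframe_hosts]
    hidden_links = [v for k, v in p.findings if k == "hidden_link"]
    refreshes = [v for k, v in p.findings if k == "meta_refresh"]
    return {
        "external_iframes": iframes,
        "hidden_links": hidden_links,
        "meta_refresh": refreshes,
        "suspicious": bool(iframes or hidden_links or refreshes),
    }


# Constructed sample attachment; the .invalid domains are placeholders.
SAMPLE_ATTACHMENT = """<html><body>
<p>Your payroll statement is ready. Please sign in to view it.</p>
<iframe src="https://login.example-attacker.invalid/outlook" width="100%" height="600"></iframe>
<div style="display: none"><a href="https://payload.example-attacker.invalid/dl">statement</a></div>
<br>
</body></html>"""

BENIGN_ATTACHMENT = "<html><body><p>Agenda for Thursday</p><a href='https://intranet.example.invalid/agenda'>Agenda</a></body></html>"


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(name, triage_attachment(doc))
```

A gateway rule would quarantine the message when `suspicious` is true and attach the findings to the ticket, so the analyst sees which host the iframe was pulled from without opening the attachment. The allow-list parameter is there for organizations that legitimately frame an internal portal in HTML mail.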

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Howard Solomon (https://www.itworldcanada.com)
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

