Cyber Round-up for 14th January
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Panasonic, an electrical goods producer, has disclosed a data breach lasting four months. The breach, running from 22nd June 2021 to 3rd November 2021, was caused by hackers gaining access to a file server located in Japan via a subsidiary. The breach allowed the hackers to access personal information held in stored job applications, which Panasonic claimed was “primarily standard business contact details.” Panasonic was clear that the server held no personal information of its customers; however, it has been reluctant to release the number of people whose personal information was possibly stolen via the stored job applications.
With the release of FIFA 22, EA has been questioned about its user security. Reported account breaches of high-profile players have prompted players to question whether the developer is taking its users’ security seriously. EA reported that “less than 50” accounts have been breached since the arrival of the game, by exploiting human factors in customer service and bypassing two-factor authentication. EA has made plans to alter its customer service and account verification processes in an attempt to protect user accounts from hackers.
The last quarter of 2021 was plagued with distributed denial-of-service attacks, especially those linked to extortion and ransomware. In December alone, almost a third of all Cloudflare customers reported receiving a ransom note. Ransom DDoS attacks have become increasingly popular over the last two years, and they are rapidly increasing in strength. Cloudflare recently stated that “terabit-strong attacks are becoming the norm”. It seems that automated mitigation solutions are the way forward for dealing with this, since they can respond immediately to prevent the attacks.
More details on this can be found here.
A newly discovered malware, SysJoker, is causing ripples in the world of cybersecurity. The malware is a type of backdoor that gives a hacker or command-and-control server access to a system while evading detection. This type of malware provides initial access for an attacker to take over a machine or extend their access across the organisation’s network. Researchers have observed that the malware has a hardcoded XOR key, which it uses to decode the location of a file on Google Drive containing the address of the command-and-control server. They have also noted that the contents of this file on Google Drive have changed several times, and that the attack seems targeted, suggesting that the cybercriminals are actively monitoring the malware.
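As an added example (not code from the original post or from the SysJoker research), the script below shows the analyst side of the mechanism described above: decoding an XOR-obscured C2 locator once the hardcoded key has been pulled from a sample, with a crib check so a wrong key is caught, plus a brute-force for the single-byte case. The key, URL and file ID are constructed placeholders, not the real malware’s values.

```python
# Analyst-side decoding of an XOR-obscured C2 locator (constructed example).
from itertools import cycle
from typing import Optional

# Constructed sample data; not SysJoker's real key, URL or file ID.
SAMPLE_KEY = b"k3y!"
SAMPLE_URL = "https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# What the obscured locator would look like inside a sample (built here for the demo).
SAMPLE_BLOB = xor_repeating(SAMPLE_URL.encode(), SAMPLE_KEY)


def decode_locator(blob: bytes, key: bytes) -> str:
    """Decode with a known (extracted) key and sanity-check that the result is a URL."""
    text = xor_repeating(blob, key).decode("ascii", errors="replace")
    if not text.startswith(("http://", "https://")):
        raise ValueError("decoded text is not a URL; wrong key or wrong offset?")
    return text


def brute_single_byte(blob: bytes, crib: bytes = b"https://") -> Optional[int]:
    """If the key is a single byte, try all 256 values and accept the one that
    produces the crib at offset 0 and printable ASCII everywhere else."""
    for k in range(256):
        out = bytes(b ^ k for b in blob)
        if out.startswith(crib) and all(0x20 <= b < 0x7F for b in out):
            return k
    return None


# Single-byte variant of the same locator, constructed for the brute-force demo.
SINGLE_BYTE_BLOB = bytes(b ^ 0x5A for b in SAMPLE_URL.encode())

if __name__ == "__main__":
    print(decode_locator(SAMPLE_BLOB, SAMPLE_KEY))
    print(hex(brute_single_byte(SINGLE_BYTE_BLOB)))
```

The decoded URL is the value to feed into proxy and DNS logs when hunting for the locator fetch, not the malware’s bytes themselves.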
Back in October 2021, the Cisco Talos team discovered a malicious campaign that was delivering variants of NanoCore, Netwire and AsyncRAT. With the majority of its victims in the US, Italy and Singapore, this campaign targeted user information and used cloud services such as Azure and AWS to set up its infrastructure. Not only does this make things easier for the attackers, but it also makes the defender’s life much harder when trying to find them. In this instance, the threat actors used information-stealing RAT variants in combination with malicious subdomains registered through DuckDNS. We recommend looking into this advisory by Cisco Talos, which contains an in-depth analysis of the campaign, as well as IoCs and recommendations for defending against it.
Vulnerabilities & Updates
The WordPress team released version 5.8.3 last week, which includes fixes for 4 high-severity vulnerabilities, including SQL injection and cross-site scripting flaws. Wordfence is currently protecting against all flaws covered by this patch and has added new firewall rules to defend against cross-site scripting. Most WordPress sites should have received automatic updates; however, we encourage all site admins to ensure updates are complete. The patch is available for anyone running a version of WordPress later than 3.7.
Users of the SonicWall SMA 100 VPN product are advised to apply the latest updates as soon as possible, to ensure they are protected against a recently discovered remote code execution vulnerability. This flaw, which also affects the SMA 200, 210, 400, 410 and 500v products, has not yet been exploited in the wild; however, exploitation notes and technical details have now been released, so immediate patching is recommended. Four other flaws were disclosed as part of this patch, the most severe of which has a CVSS rating of 7.5.
Microsoft have released their monthly batch of security updates for January. This month includes 97 flaws, 9 of which are rated critical. If you are interested in catching up on the details of this patch, you can find our Patch Tuesday blog here.
A word of caution, though: it has been confirmed that the latest Windows Server updates are causing issues with Hyper-V and Domain Controllers. Details on this can also be found in the Update Links & Advisories section of the Patch Tuesday blog.
And that is it for this week’s round-up; please do not forget to tune in for new instalments every week.
Stay Safe, Secure and Healthy!
Edition #174 – 14th January 2022
Why not follow us on social media:
Ironshare – Security Simplified