Cyber Round-up

Cyber Round-up for 18th March

Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and year to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Guernsey Warns of Rise in Cyber Attacks

The Channel Island of Guernsey has issued a public alert to its citizens and businesses about the increase in cyber-attacks it has been receiving. Collectively, the Channel Islands see more than 10 million potential cyberattacks a month, and the figure is expected to increase as tensions between Ukraine and Russia continue. The advisory warned citizens to be wary of scam emails and not to interact with suspicious sources. The alert also advised against sending personally identifiable information or banking details to untrusted organisations or individuals, especially when being pressured into doing so.


Nvidia Hacked By LAPSUS$ Reveals Company-Wide Weak Login Credentials

The Nvidia data breach last month generated some unwanted attention for the tech company. The attack, orchestrated by the hacking group LAPSUS$, appears to have resulted in the theft of around one terabyte of data; this stolen data supposedly includes the source code of GPU chips, email addresses and password hashes. The most interesting aspect of this attack is the analysis of the leaked passwords carried out by Specops Software. This investigation revealed that the top 10 base words being used are:

  • nvidia
  • nvidia3d
  • mellanox
  • ready2wrk
  • welcome
  • password
  • mynvidia3d
  • nvda
  • qwerty
  • September

This shows that weak passwords are still being utilised, even in multi-billion-pound organisations, and how a well-structured and enforced password policy can enhance identity protection across an organisation.
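A password-policy check built on the base words listed above, as an added example (not code from the original round-up or from Specops). The substitution map, the 12-character minimum and the sample passwords are assumptions made for illustration.

```python
import re

# Base words listed on this page (Specops analysis of the leaked Nvidia passwords).
BASE_WORDS = ["nvidia", "nvidia3d", "mellanox", "ready2wrk", "welcome",
              "password", "mynvidia3d", "nvda", "qwerty", "September"]

# Assumed character substitutions; "1", "!", "|" and "l" all collapse to "i"
# because they are used interchangeably when disguising a base word.
_SUBS = str.maketrans({"0": "o", "1": "i", "!": "i", "|": "i", "l": "i",
                       "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


def normalise(text):
    """Lower-case, undo common substitutions, drop everything non-alphanumeric."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_SUBS))


# Normalise the deny-list the same way as candidates so "nvidia3d" still matches.
_DENY = {normalise(word): word for word in BASE_WORDS}


def find_base_word(password):
    """Return the longest listed base word hidden in the password, or None."""
    candidate = normalise(password)
    hits = [norm for norm in _DENY if norm in candidate]
    return _DENY[max(hits, key=len)] if hits else None


def check_password(password, min_length=12):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    base = find_base_word(password)
    if base:
        problems.append(f"built on common base word '{base}'")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the leak.
    for sample in ["Nv1d1a#2022", "P@55w0rd!", "S3ptember2021!",
                   "correct horse battery staple"]:
        print(sample, "->", check_password(sample) or "accepted")
```

Collapsing look-alike characters makes the check deliberately conservative: it may reject a few unrelated passwords, which is the safer failure mode for a deny-list.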


Ubisoft “Cyber Security Incident” Suspects LAPSUS$ Involvement

LAPSUS$ seems to have made many enemies over the last few months, most recently with their cyberattack on Ubisoft. The “cyber security incident” reportedly impaired systems, services and games; however, Ubisoft have clearly stated that “there is no evidence any player personal information was accessed or exposed as a by-product of this incident”. Despite this statement, it is still unclear how the attack happened.

Ubisoft have since issued a company-wide password reset and have confirmed that games and services are now functioning normally. The cybercriminal group known as LAPSUS$ have taken credit for the attack in a Telegram group chat and declared they weren’t aiming for Ubisoft’s customer information; while we know who was responsible for the attack, it is still unclear why or how it was carried out.

We will provide updates on this incident once more information is made publicly available.


Ransomware Variants Dominate Q4 2022

In the last quarter of 2021, it has been reported that 34 different ransomware variants were observed across as many as 722 separate ransomware attacks, with the most prevalent being:

  • LockBit 2.0 (29.7%)
  • Conti (19%)
  • PYSA (10.5%)
  • Hive (10.1%)

This is an increase of 110 and 129 attacks over the third and second quarters of 2021 respectively, which shows the growing trend of ransomware and how hacking groups are creating new variations to evade security measures. Nearly a quarter of all ransomware attacks in the last quarter were aimed at the consumer and industry products sector, with an astonishing increase of 22.2% from the previous quarter.


Hosted GoDaddy Infected Sites Increase

As of 15th March 2022, a noticeable spike in infected GoDaddy sites has been reported by Wordfence. 298 sites have been found to be infected with a backdoor since 11th March; 281 of these are believed to be hosted by GoDaddy. The backdoor in question has been in use since 2015 and is added to the start of the wp-config.php file of the target site. Owners of sites hosted on GoDaddy’s Managed WordPress platform are advised to scan their wp-config.php for signs of infection.

Guidance on how you can find this backdoor can be found here.


Vulnerabilities & Updates

WordPress Update Defends Against XSS and Prototype Pollution Vulnerabilities

The latest WordPress security update, 5.9.2, includes fixes for one high severity and two medium severity vulnerabilities. The high severity XSS vulnerability, affecting versions 5.9.0 and 5.9.1, allows malicious JavaScript to be inserted into WordPress posts by a contributor-level user or higher. Wordfence has pushed a firewall rule to defend customers against this attack until sites update to the newest version. The two medium severity prototype pollution vulnerabilities affect all previous versions of WordPress and could allow the execution of arbitrary JavaScript in a user’s session once the user has clicked a malicious link created by the attacker. It is recommended that all WordPress users update to keep safe from these vulnerabilities.


And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.

Stay Safe, Secure and Healthy!

Edition #182 – 18th March 2022

Ironshare – Security Simplified