Cyber Round-up for 21st June
Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
XENOTIME, the Advanced Persistent Threat group behind the TRISIS Industrial Control System (ICS) malware, which originally targeted the oil and gas industries, has recently been expanding its focus to target electric companies. The Russian-linked XENOTIME group has been spotted exploring the networks of U.S. electric organisations, indicating a potential attack on critical infrastructure. It is believed that an attack of this nature could also result in loss of life and major physical damage, making it extremely dangerous. Governments and companies are recommended to work cooperatively to defend critical infrastructure, and the lives of the workers, from such devastating cyber attacks.
ASCO, one of the world’s largest airplane manufacturers, has been hit by a ransomware attack. After ASCO’s plant in Zaventem, Belgium, was severely impacted by the infection, the company was forced to shut down production in its U.S., Canadian and German factories. About 70% of the Belgian plant’s workers have been given leave for a week until the issue is resolved. ASCO have not revealed whether the ransom has been paid, but it is evident that the damage caused by the attack is severe. Paying the ransom is never recommended; always ensure that you have offline backups available to restore systems and services in the event of an attack.
A mobile cyberespionage campaign, named “Bouncing Golf”, has been discovered targeting Middle Eastern countries. The malware involved in the campaign has been identified as AndroidOS_GolfSpy.HRX, and possesses a large number of cyberespionage capabilities. The attack works by embedding malicious code in applications that bad actors have repackaged from legitimate apps. The capabilities of this malware give it the potential to completely hijack an infected Android mobile device, from which attackers can effectively steal device accounts, device locations, stored files and messages. Although the number of devices impacted so far is small, military information was included in the stolen data. Users are recommended to keep their devices up to date with the latest software and to install mobile endpoint security (such as Cisco AMP for Endpoints), to help protect their devices against these types of exploits and rogue applications.
Vulnerabilities & Updates
A new cryptocurrency mining botnet has been discovered that exploits poor default settings, including a lack of authentication on open ADB (Android Debug Bridge) ports. The botnet has the potential to spread to any system that has previously established an SSH connection with the infected host. This vulnerability is present in all Android-based devices, and the botnet has been seen operating in 21 different countries. Users are advised to update their devices immediately and to always change any default authentication settings to ensure devices are secure.
MSRC (Microsoft Security Response Center) recently confirmed the existence of an active Linux worm that could potentially take advantage of a critical Remote Code Execution vulnerability in Linux Exim email servers. Only customers running Exim versions 4.87 to 4.91 are affected, and it was confirmed that the vulnerability does not exist in Microsoft Azure infrastructure and services. Microsoft recommends that any customers running a vulnerable version of Exim update to the latest fixed version as soon as possible.
And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.
Why not follow us on social media using the links provided on the right.
Edition #46 – 21st June 2019
Ironshare – Security Simplified