Cyber Round-up for 22nd January
Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of security.
In this week’s round-up:
Wentworth Golf Club has been hit by a ransomware attack that has reportedly affected all 4,000 of its members. The private club, known for its high-profile members, celebrities and sports stars, has warned that personal details may have been compromised, including names, home addresses, email addresses and partial payment card information. Wentworth has apologised to its members, but it is still unclear whether the club intends to pay the ransom. We will update this when we hear more from the club.
In December 2020, FireEye discovered a campaign in which attackers gained unauthorised access to Microsoft 365 environments. The threat actor behind it is now tracked as UNC2452, and FireEye has published its threat research, including remediation and hardening guidance for M365 to defend against the techniques used. We advise reviewing those techniques so that you can harden your own environment and stay protected.
Here is the Mandiant Azure AD Investigator, a PowerShell module that checks an Azure AD tenant for artifacts associated with UNC2452's techniques and flags any indicators it finds in your environment.
In iomart's recent Cybersecurity Insights Report, 25% of company directors said they do not offer cybersecurity training because of financial constraints. The report also shows that 42% offer training only to selected employees, and 82% of those describe it as a "short briefing rather than a comprehensive course". Given how frequent cyber attacks now are, this lack of training is concerning: every organisation needs staff who can recognise cyber threats, so that they know how to mitigate the risk and how to respond in the event of an attack.
Symantec has identified another piece of malware used in the SolarWinds attacks: a loader named Raindrop. Like the Teardrop tool, Raindrop was designed to deliver a Cobalt Strike payload; the difference is in how it was used. Where Teardrop was dropped by the initial Sunburst backdoor, Raindrop was used to spread to other computers on the victim's network once the attackers were already inside.
More details on this new malware can be found here.
Depop has had a significant problem with scammers and account takeover recently, with many users losing access to their accounts. In some cases, users regained access only to find that scammers had been using the account to defraud unsuspecting buyers. Fifteen such cases have been reported to BBC News. We advise all users to change their password to a unique one not reused on any other site, and to be wary of scammers when buying on Depop.
Vulnerabilities & Updates
Researchers have warned of a new malware strain known as FreakOut, which recruits devices into a botnet used to launch DDoS and cryptomining attacks. FreakOut targets Linux devices that remain unpatched against specific flaws, such as the remote code execution vulnerability in TerraMaster TOS. As always, apply the latest security updates promptly to stay protected against attacks of this kind.
Cisco's first patch release of 2021 is here, and we advise all customers to update their systems as soon as possible. This patch cycle addresses multiple high-severity vulnerabilities, including a DLL injection flaw in the Cisco AnyConnect Secure Mobility Client and an authorisation flaw in Cisco Connected Mobile Experiences (CMX) that lets an authenticated user change other users' passwords.
More details on these bugs can be found here.
Researchers at JSOF have disclosed seven vulnerabilities, collectively named DNSpooq, in the open-source DNS forwarder dnsmasq. They include buffer overflows and DNS cache poisoning flaws that would let an attacker spoof DNS responses to clients of the forwarder. dnsmasq 2.83 fixes all seven, so we urge users to update as soon as they can; where a forwarder cannot be patched immediately, make sure it is not reachable from untrusted networks.
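The cache poisoning bugs above come down to how much entropy a forwarder uses when matching an upstream reply to the query it sent. The toy model below is an added example written for this round-up; it is not JSOF's proof of concept or dnsmasq code, and the forwarder, the attacker, the fixed port 53 and the address 6.6.6.6 are all constructed for illustration. It shows why an off-path attacker who must blindly guess both the 16-bit transaction ID and a randomised 16-bit source port is effectively locked out, while a forwarder whose port is predictable (or whose matching otherwise ignores part of that tag) can be poisoned with a flood of a few tens of thousands of forged replies.

```python
"""Toy model of blind (off-path) DNS cache poisoning.

Added example, not from the original page, JSOF or dnsmasq. A forwarder
tags each upstream query with a 16-bit TXID and a UDP source port and
accepts the first reply whose (TXID, port) pair matches. An attacker who
cannot see the query floods forged replies guessing that pair.
"""
import random

TXID_BITS = 16
PORT_BITS = 16
FIXED_PORT = 53          # hypothetical: a forwarder configured to a fixed port
POISONED_ANSWER = "6.6.6.6"  # constructed attacker-controlled address


def poison_probability(entropy_bits: int, forged_replies: int) -> float:
    """Chance that `forged_replies` distinct blind guesses hit a uniformly
    random `entropy_bits`-bit query tag (exact, since guesses are distinct)."""
    space = 2 ** entropy_bits
    return 1.0 if forged_replies >= space else forged_replies / space


def expected_guesses(entropy_bits: int) -> float:
    """Mean number of distinct guesses needed to hit a uniform target
    in a space of 2**entropy_bits values: (N + 1) / 2."""
    return (2 ** entropy_bits + 1) / 2


class Forwarder:
    """Minimal resolver: remembers one outstanding query per name and
    caches whatever reply first matches its (TXID, port) tag."""

    def __init__(self, rng: random.Random, randomise_port: bool = True):
        self.rng = rng
        self.randomise_port = randomise_port
        self.outstanding = {}   # name -> (txid, port)
        self.cache = {}         # name -> answer

    def send_query(self, name: str):
        txid = self.rng.getrandbits(TXID_BITS)
        port = self.rng.getrandbits(PORT_BITS) if self.randomise_port else FIXED_PORT
        self.outstanding[name] = (txid, port)
        return txid, port

    def receive(self, name: str, txid: int, port: int, answer: str) -> bool:
        """Accept the reply only if it matches the outstanding query's tag."""
        if self.outstanding.get(name) == (txid, port):
            self.cache[name] = answer
            del self.outstanding[name]
            return True
        return False


def blind_attack(fwd: Forwarder, rng: random.Random, name: str, forged: int) -> bool:
    """Off-path attacker: enumerates TXIDs and, if the port is not known,
    guesses it at random for each forged reply."""
    fwd.send_query(name)
    for i in range(forged):
        txid = i % (2 ** TXID_BITS)
        port = FIXED_PORT if not fwd.randomise_port else rng.getrandbits(PORT_BITS)
        if fwd.receive(name, txid, port, POISONED_ANSWER):
            return True
    return False


def success_rate(randomise_port: bool, forged: int, trials: int = 50, seed: int = 0) -> float:
    """Fraction of trials in which the attacker poisons the cache."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        fwd = Forwarder(rng, randomise_port=randomise_port)
        if blind_attack(fwd, rng, "bank.example", forged):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for bits in (TXID_BITS, TXID_BITS + PORT_BITS):
        print(f"{bits}-bit tag: P(hit | 65536 forged) = "
              f"{poison_probability(bits, 65536):.2e}, "
              f"mean guesses = {expected_guesses(bits):.0f}")
    print("fixed port, 65536 forged:", success_rate(False, 65536))
    print("random port, 65536 forged:", success_rate(True, 65536))
```

With the port fixed, 65,536 forged replies (a second or two of UDP on a LAN) poison the cache every time; with a random port the same flood succeeds about once in 65,536 attempts. Any bug that lets the forwarder match on less than the full tag, or that keeps many identical queries outstanding so that one guess can satisfy several, moves a deployment from the second case towards the first, which is why patching dnsmasq and keeping it off untrusted interfaces both matter.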
And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.
Stay Safe, Secure and Healthy!
Edition #125 – 22nd January 2021
Why not follow us on social media:
Ironshare – Security Simplified