Cyber Round-up for 26th November
Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
GoDaddy recently announced that they had been hit by a data breach in which 1.2 million user accounts may have been exposed. The breach was initially discovered when unauthorised access to GoDaddy’s WordPress server hosting system was detected; this was made possible by the compromise of an employee’s password. It was not specified whether the compromised account was using multi-factor authentication, but once access was gained, the attacker was able to see the email addresses and customer numbers of the users. This news story is still developing, and it appears that more areas of the GoDaddy infrastructure may have been impacted. No passwords were leaked in this breach, but the exposed email addresses could be used in future phishing attacks, so we encourage everyone to be cautious when receiving suspicious emails.
The UK is expected to bring in new legislation to ban default passwords. The legislation is aiming to make technology in the UK more secure for its users by combating the increase in attacks on smart home devices. The legislation dictates that:
- Easy-to-guess default passwords that are loaded on devices during manufacturing are banned. The password needs to be unique to every device created.
- Buyers should be told the minimum period of time for which the device is likely to receive vital security updates.
- Security researchers will have a public point of contact to report flaws and bugs with specific devices.
- Companies not in line with the new legislation will be fined.
The legislation is expected to cover internet-connected devices such as smartphones, networking routers, smart security cameras, gaming consoles, smart speakers, kitchen goods and toys; however, vehicles, smart electric and gas meters, desktop computers and laptops are not yet in scope.
The Python Package Index (PyPI) is the popular package repository that the Python community uses to share and distribute software. Earlier this week, the operators of PyPI were forced to remove 11 libraries that were found to contain malicious code; these packages were flagged for behaviour such as credential theft and the installation of remote access shells. Some packages also appeared to steal Discord access tokens. Unfortunately, these libraries accumulated 30,000 installs before being removed, so some PyPI users may have already been compromised.
A full list of the malicious packages can be found here, along with details, descriptions and number of downloads.
WordPress servers have recently been receiving a vast amount of malicious traffic that attempts to brute-force the login credentials of their users. In the past week, malicious attacks against WordPress have doubled and are expected to increase, with more than a quarter being recorded from Amazon Elastic Compute Cloud IP addresses. The reason for this increase in malicious login attempts is not yet known. WordPress admins and users should ensure that account passwords are long, strong and unique, and it is advised to enable two-factor authentication as soon as possible if it is not already in use.
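Beyond strong passwords and 2FA, a WordPress admin can spot this kind of brute-force traffic in the web server's own access log. The script below is an added example written for this round-up, not code from the post or from WordPress: it parses combined-format access log lines, keeps only POST requests to the login endpoints, and flags any source IP that makes more than a threshold number of attempts inside a sliding time window. The log lines, the threshold of 5 attempts in 60 seconds and the list of login paths are all assumptions chosen for the demonstration.

```python
"""Flag source IPs brute-forcing WordPress login endpoints in an access log."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints a credential-guessing tool will POST to (assumed list for this example).
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample log (documentation-only IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Nov/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Nov/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Nov/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Nov/2021:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Nov/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Nov/2021:10:00:09 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2021:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2021:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [26/Nov/2021:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # Drop the query string so /wp-login.php?redirect_to=... is still a login POST.
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Map each offending IP to its peak number of login POSTs within one window."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def report(log_text=SAMPLE_LOG, **kwargs):
    """Convenience wrapper: run the detector over a block of log text."""
    return find_bruteforce(log_text.splitlines(), **kwargs)


if __name__ == "__main__":
    for ip, count in sorted(report().items()):
        print(f"{ip}: {count} login POSTs within the window")
```

Only 203.0.113.10 is flagged in the sample; the single POST from 198.51.100.7 is an ordinary login. Tune the threshold and window to the site's real traffic, and feed the flagged addresses into whatever blocking mechanism is already in place (a firewall rule or a login-limiting plugin) rather than acting on a single run of the script.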
A new SMS phishing scam has been discovered that is targeting Monzo Bank customers. The SMS message received by victims reads:
“To avoid issues and remain verified with Monzo, please confirm your account at the link below. https://monzo-log-in[.]com/”
The SMS messages received by the victims appear to be spoofed to look like legitimate messages, and they are even grouped with genuine past text messages from Monzo Bank, which further reduces the recipients' suspicion. When receiving a text message like this, it is best to be cautious and always validate it before clicking links or giving away your information. Always call the service directly using its helpline (and not the number the message came from) to check whether it is legitimate and discuss the issue with them.
The FBI has released a document detailing their recommendations on how to stay safe from phishing scams that impersonate big brands, which are on the increase across the world. Their recommendations are:
- “Be suspicious of unsolicited contact via email or social media from any individual you do not know personally and/or containing messages enticing you to open a link or attached file.
- When receiving account alerts, rather than clicking a link within an email or text, opt to navigate to the website using the secure URL to review any logs, messages, or notices.
- Closely verify the spelling of web addresses, websites, and email addresses that look trustworthy but may be imitations of legitimate websites, to include the username and/or domain names/addresses (i.e., capital “I” vs small “L”, etc.).
- Use strong unique passwords, and do not re-use the same password across multiple accounts.
- Do not store important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver’s license).
- Enable 2FA and/or multi-factor authentication (MFA) options to help secure online accounts, such as a phone number, software-based authenticator programs/apps, USB security key, or a separate email account (with a unique password that does not link to other consumer accounts) in order to receive authentication codes for account logins, password resets, or updates to sensitive account information.
- When possible, do not use your primary email address for logins on Websites. Create a unique username not associated with your primary email address.”
See the full announcement here.
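The Monzo lure above (monzo-log-in[.]com) and the FBI's advice to check for imitation web addresses (capital "I" versus small "L", brand names buried in another domain) describe the same check. The script below is an added example written for this round-up, not code from the post, from Monzo or from the FBI: it takes a URL or defanged indicator, extracts the hostname, and classifies it as trusted, lookalike, or unknown against a small allow-list. The allow-list, the confusable-character table, and the naive "last two labels" rule for the registrable domain are assumptions for the demonstration; a real deployment would use the organisation's own list and a public suffix list so that domains such as example.co.uk are split correctly.

```python
"""Classify a hostname as trusted, lookalike, or unknown against a brand allow-list."""
import re

# Example allow-list of registrable domains (an assumption for this demo).
TRUSTED = {"monzo.com", "godaddy.com"}

# Character sequences commonly substituted to imitate a letter, folded to the letter.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b")]


def refang(text):
    """Turn a defanged indicator such as hxxps://monzo-log-in[.]com back into a URL."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def hostname_of(text):
    """Extract the lowercase hostname from a URL, defanged URL, or bare domain."""
    text = refang(text.strip())
    text = re.sub(r"^[a-z]+://", "", text, flags=re.I)      # drop scheme
    host = text.split("/")[0].split("@")[-1].split(":")[0]   # drop path, userinfo, port
    return host.lower().rstrip(".")


def fold(label):
    """Collapse visual confusables so rnonzo and m0nzo both read as monzo."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance; catches single-character swaps such as paypai vs paypal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(text, trusted=TRUSTED):
    """Return 'trusted', 'lookalike', or 'unknown' for the hostname in text."""
    host = hostname_of(text)
    labels = host.split(".")
    # Naive registrable domain: last two labels. No public-suffix handling (assumption).
    registrable = ".".join(labels[-2:])
    if registrable in trusted:
        return "trusted"
    brand_label = labels[-2] if len(labels) >= 2 else host
    folded = fold(brand_label.replace("-", ""))
    for t in trusted:
        brand = t.split(".")[0]
        if t in host:                      # trusted domain used as a subdomain of another
            return "lookalike"
        if brand in folded or levenshtein(folded, brand) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed inputs; the first is the lure quoted in the round-up.
    for sample in ("https://monzo-log-in[.]com/", "https://monzo.com/login",
                   "rnonzo.com", "monzo.com.verify-example.test", "example.org"):
        print(f"{sample:40} -> {classify(sample)}")
```

The lure is caught because "monzo" survives inside the folded label "monzologin"; "rnonzo.com" is caught by the confusable fold; "monzo.com.verify-example.test" is caught because a trusted domain appears as a subdomain of an untrusted one. The check is a triage aid for a mail or SMS gateway, not proof of legitimacy: an "unknown" result still means the user should navigate to the service directly, as the FBI guidance says, rather than follow the link.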
Vulnerabilities & Updates
Microsoft have released a threat advisory for the recently discovered Windows Installer zero-day vulnerability, which is already being exploited in the wild. This zero-day was marked as medium severity with a CVSS score of 5.5 and currently affects every version of Windows, including Windows 11 and Server 2022. Although a patch was released by Microsoft, it was not successful in fixing the flaw, so all systems are still at risk.
You can find Microsoft’s security advisory here.
A proof-of-concept exploit has now been released for the recently discovered Microsoft Exchange server vulnerability, which allows an already authenticated attacker to remotely execute arbitrary code. A patch is available for this flaw, so we advise all admins to update their Exchange servers as soon as possible; this is even more urgent now that a proof-of-concept has been released.
You can find Microsoft’s security advisory here.
And that is it for this week’s round-up; please do not forget to tune in for new instalments every week.
Stay Safe, Secure and Healthy!
Edition #168 – 26th November 2021
Ironshare – Security Simplified