Cyber Round-up for 5th March

Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Missing Teenagers Contacted Suspected Abductors Using School Laptops

Two teenage girls recently went missing, and investigations found that they had been chatting with their abductors using laptops provided by their school. Fortunately, the missing girls were found alive and were rescued by law enforcement, but it is worrying that school-issued devices could be used to reach online platforms and communicate with the abductors in this way.


Npower Data Breach Compromises User Accounts

UK energy company Npower recently suffered a data breach in which personal information was stolen and user accounts were accessed by the hackers. The attack involved credential stuffing and many accounts were compromised; as a result, Npower have shut down their mobile app and advised all users to change their passwords as soon as possible. This attack would have been entirely avoidable if users had used unique passwords; password reuse is one of the primary causes of account compromise, and the prime reason why this breach was possible.
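Credential stuffing has a recognisable shape in authentication logs: one source trying many different usernames with mostly failed attempts, compared with a real user retrying a single account. The following detector is an added example written for this round-up, not Npower's or Ironshare's code; it assumes a simplified, constructed log line format of "timestamp source_ip username OK|FAIL" and flags sources that match that pattern, then lists which accounts they managed to log in to.

```python
"""Flag credential-stuffing patterns in login logs (added example).

Assumed log format (constructed for this example, not any real product's):
    <timestamp> <src_ip> <username> <OK|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: 203.0.113.9 cycles through many accounts with mostly
# failures (stuffing); 198.51.100.7 is one user mistyping their own password.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 203.0.113.9 alice FAIL
2021-03-01T10:00:02Z 203.0.113.9 bob FAIL
2021-03-01T10:00:02Z 203.0.113.9 carol OK
2021-03-01T10:00:03Z 203.0.113.9 dave FAIL
2021-03-01T10:00:03Z 203.0.113.9 erin FAIL
2021-03-01T10:00:04Z 203.0.113.9 frank FAIL
2021-03-01T10:00:05Z 203.0.113.9 grace FAIL
2021-03-01T10:00:05Z 203.0.113.9 heidi OK
2021-03-01T10:01:00Z 198.51.100.7 alice FAIL
2021-03-01T10:01:05Z 198.51.100.7 alice FAIL
2021-03-01T10:01:10Z 198.51.100.7 alice OK
"""


@dataclass
class SourceStats:
    """Per-source counters used to score a source IP."""
    attempts: int = 0
    successes: int = 0
    usernames: set = field(default_factory=set)


def parse_line(line):
    """Split one log line into (timestamp, ip, username, success_flag)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def aggregate(log_text):
    """Build per-source statistics from the whole log."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.successes += int(ok)
        s.usernames.add(user)
    return stats


def find_stuffing_sources(log_text, min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that tried many distinct usernames
    with a low success rate. Thresholds are tunable; these are illustrative."""
    flagged = {}
    for ip, s in aggregate(log_text).items():
        rate = s.successes / s.attempts
        if len(s.usernames) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"users": len(s.usernames),
                           "attempts": s.attempts,
                           "successes": s.successes}
    return flagged


def compromised_accounts(log_text, flagged_ips):
    """Accounts that logged in successfully from a flagged source; these are
    the ones to force a password reset on first."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        if ok and ip in flagged_ips:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    flagged = find_stuffing_sources(SAMPLE_LOG)
    print("suspected stuffing sources:", flagged)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, flagged))
```

The distinct-username count is what separates stuffing from ordinary brute force or a forgetful user: a stuffing list is keyed by account, so a single source touching dozens of accounts with a low hit rate is the signal, and the successful logins within that burst are the accounts to reset.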

Ryuk Ransomware Evolves to Self-Spread Across LAN Devices

A new variant of the Ryuk ransomware has emerged, and this time it is capable of spreading to other Windows devices on the local network, much like a worm. In addition, it can also remotely execute itself using scheduled tasks created on each host it has compromised. This is not the first time we have seen the Ryuk ransomware or its evolution, and I doubt it will be the last.
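The self-spreading behaviour described above leaves a trail that defenders can correlate: a scheduled task created on a host by a session that arrived over the network rather than at the console. The correlation below is an added example, not from the post or any vendor tool; the events are constructed dictionaries whose field names follow Windows Security events 4624 (logon) and 4698 (scheduled task created), and treating those names as exact is an assumption made for the example.

```python
"""Correlate scheduled-task creation with network logons (added example).

Constructed event records mirror Windows Security event fields:
  4624: TargetLogonId, LogonType, TargetUserName, IpAddress
  4698: SubjectLogonId, SubjectUserName, TaskName, TaskContent
Field names are an assumption for this example; adapt to your log source.
"""
import re

# Constructed sample: one task created from a network logon (type 3), one
# created by an interactive user at the console (type 2).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetLogonId": "0x3e7a1",
     "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "Computer": "WS01", "TargetLogonId": "0x51c22",
     "LogonType": 2, "TargetUserName": "jsmith", "IpAddress": "-"},
    {"EventID": 4698, "Computer": "WS01", "SubjectLogonId": "0x3e7a1",
     "SubjectUserName": "svc_backup", "TaskName": "\\Update",
     "TaskContent": "<Exec><Command>C:\\Users\\Public\\rk.exe</Command></Exec>"},
    {"EventID": 4698, "Computer": "WS01", "SubjectLogonId": "0x51c22",
     "SubjectUserName": "jsmith", "TaskName": "\\Backup",
     "TaskContent": "<Exec><Command>C:\\Program Files\\Backup\\bk.exe</Command></Exec>"},
]

# Logon types that mean the session came from another machine.
NETWORK_LOGON_TYPES = {3, 10}  # Network, RemoteInteractive


def extract_command(task_xml):
    """Pull the executable path out of the task definition XML."""
    m = re.search(r"<Command>(.*?)</Command>", task_xml)
    return m.group(1) if m else ""


def index_logons(events):
    """Map (computer, logon id) -> logon event, for network-type logons only."""
    idx = {}
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") in NETWORK_LOGON_TYPES:
            idx[(e["Computer"], e["TargetLogonId"])] = e
    return idx


def remote_task_creations(events):
    """Return 4698 events whose creating session was a network logon, i.e.
    a task registered on this host by someone (or something) on another host."""
    logons = index_logons(events)
    hits = []
    for e in events:
        if e.get("EventID") != 4698:
            continue
        src = logons.get((e["Computer"], e["SubjectLogonId"]))
        if src is None:
            continue  # created locally; not the lateral pattern
        hits.append({"computer": e["Computer"],
                     "task": e["TaskName"],
                     "user": e["SubjectUserName"],
                     "from": src["IpAddress"],
                     "command": extract_command(e["TaskContent"])})
    return hits


if __name__ == "__main__":
    for hit in remote_task_creations(SAMPLE_EVENTS):
        print("remote task creation:", hit)
```

Joining on the logon ID is what makes this precise: the task-creation event alone does not say where the session came from, and the logon event alone is noise on any file server. A second filter on the task's command path (user-writable directories rather than Program Files) cuts the remaining false positives from legitimate remote administration.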


New ObliqueRAT Campaign Uses Hijacked Websites

The Cisco Talos team have found a new variant of a known malware campaign that is using malicious MS Office documents to spread the remote access trojan known as ObliqueRAT. So far, this campaign has been seen targeting organisations in South Asia; it has links to the Transparent Tribe APT group and can be difficult to spot, since the payload is hidden in “seemingly benign image files hosted on compromised websites”.

More details on this campaign can be found here.

Vulnerabilities & Updates

Zero-Days Discovered in Microsoft Exchange Servers

This week, Microsoft discovered multiple zero-day exploits being used in attacks against on-premise Exchange Servers. The group responsible for the attacks is believed to be a state-sponsored group called HAFNIUM, who have been known to operate out of China. Users of on-premise Exchange Servers are strongly advised to update their systems as soon as possible.

Technical details, IoCs and other information can be found here.


Critical Security Flaw Found in Cisco Nexus Switches

A critical vulnerability has been found affecting Cisco Nexus 3000 and Nexus 9000 Series Switches. This flaw allows remote attackers to bypass authentication on the device and is one of three critical flaws addressed in the latest patch. This authentication-bypass bug has been given a CVSS score of 10 due to how easily it can be exploited. As always, we recommend updating your devices as soon as possible.

More details can be found here in Cisco’s official security advisory.


New Chrome Zero-Day Used in Active Attacks

Google have released their latest security patch, and it includes a fix for a newly discovered zero-day flaw that is being actively exploited in the Chrome Web Browser. The patch also addresses 46 other vulnerabilities, including an “object lifecycle issue in audio”. We advise all Chrome users to update to version 89.0.4389.72 to ensure they are protected from exploitation.


And that is it for this week’s round-up; please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #131 – 5th March 2021

Ironshare – Security Simplified