Cyber Round-up for 5th March
Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Two teenage girls recently went missing, and investigations found that they had been chatting with their abductors using laptops provided by their school. Fortunately, the missing girls were found alive and were rescued by law enforcement, but it is worrying that school-issued devices could be used to reach online platforms and communicate with the abductors in this way.
UK energy company Npower recently suffered a data breach in which personal information was stolen and user accounts were accessed by the hackers. The attack involved credential stuffing and many accounts were compromised; as a result, Npower have shut down their mobile app and advised all users to change their passwords as soon as possible. This attack would have been entirely avoidable if users had unique passwords: password reuse is one of the primary causes of account compromise, and the prime reason why this breach was possible.
A new variant of the Ryuk ransomware has emerged, and this time it is capable of spreading to other Windows devices on the local network, much like a worm. It can also remotely execute itself using scheduled tasks created on each host it has compromised. This is not the first time we have seen the Ryuk ransomware or its evolution, and I doubt it will be the last.
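The spread pattern described above (a network logon to a host followed shortly by a scheduled task being created under that same logon session, repeated from one source across several hosts) is something a defender can look for in Windows Security logs. The following is an added example, not code from the original post or from any vendor: it correlates constructed 4624 (logon) and 4698 (scheduled task created) records by host and logon session id, and then groups hits by source IP.

```python
"""Flag scheduled-task creation that closely follows a network logon on the
same host, then group hits by source IP (added example; events are constructed)."""
from datetime import datetime, timedelta

# Constructed sample events. Field names follow the Windows Security log
# (4624: TargetLogonId/LogonType/IpAddress, 4698: SubjectLogonId/TaskName);
# all values are made up for illustration.
EVENTS = [
    {"host": "WS-01", "id": 4624, "time": "2021-03-02T09:00:00", "LogonType": 3,
     "TargetLogonId": "0x3e7a1", "TargetUserName": "svc-backup", "IpAddress": "10.0.0.15"},
    {"host": "WS-01", "id": 4698, "time": "2021-03-02T09:00:12",
     "SubjectLogonId": "0x3e7a1", "SubjectUserName": "svc-backup", "TaskName": "\\Updater"},
    {"host": "WS-02", "id": 4624, "time": "2021-03-02T09:05:00", "LogonType": 2,  # local
     "TargetLogonId": "0x51c02", "TargetUserName": "alice", "IpAddress": "-"},
    {"host": "WS-02", "id": 4698, "time": "2021-03-02T09:05:30",
     "SubjectLogonId": "0x51c02", "SubjectUserName": "alice", "TaskName": "\\Backup"},
    {"host": "WS-03", "id": 4624, "time": "2021-03-02T09:10:00", "LogonType": 3,
     "TargetLogonId": "0x77ab0", "TargetUserName": "svc-backup", "IpAddress": "10.0.0.15"},
    {"host": "WS-03", "id": 4698, "time": "2021-03-02T10:30:00",  # too late to correlate
     "SubjectLogonId": "0x77ab0", "SubjectUserName": "svc-backup", "TaskName": "\\Cleanup"},
    {"host": "WS-04", "id": 4624, "time": "2021-03-02T09:12:00", "LogonType": 3,
     "TargetLogonId": "0x9d110", "TargetUserName": "svc-backup", "IpAddress": "10.0.0.15"},
    {"host": "WS-04", "id": 4698, "time": "2021-03-02T09:12:09",
     "SubjectLogonId": "0x9d110", "SubjectUserName": "svc-backup", "TaskName": "\\Updater"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def find_remote_task_creation(events, window=timedelta(minutes=5)):
    """Return (host, user, source_ip, task) for each 4698 that occurs within
    `window` after a LogonType-3 (network) 4624 with the same session id on that host."""
    network_logons = {}
    for e in events:
        if e["id"] == 4624 and e["LogonType"] == 3:
            network_logons[(e["host"], e["TargetLogonId"])] = e
    hits = []
    for e in events:
        if e["id"] != 4698:
            continue
        logon = network_logons.get((e["host"], e["SubjectLogonId"]))
        if logon and timedelta(0) <= _ts(e["time"]) - _ts(logon["time"]) <= window:
            hits.append((e["host"], e["SubjectUserName"], logon["IpAddress"], e["TaskName"]))
    return hits

def hosts_with_common_source(hits):
    """Source IPs that created tasks on more than one host: the worm-like pattern."""
    by_ip = {}
    for host, _user, ip, _task in hits:
        by_ip.setdefault(ip, set()).add(host)
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) > 1}
```

The local logon on WS-02 and the out-of-window task on WS-03 are deliberately excluded; only the two hosts reached from 10.0.0.15 are grouped together.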
The Cisco Talos team have found a new variant of a known malware campaign that is using malicious MS Office documents to spread the remote access trojan known as ObliqueRAT. So far, this campaign has been seen targeting organisations in South Asia; it has links to the Transparent Tribe APT group and can be difficult to spot, since the payload is hidden in “seemingly benign image files hosted on compromised websites”.
More details on this campaign can be found here.
Vulnerabilities & Updates
This week, Microsoft discovered multiple zero-day exploits being used in attacks against on-premise Exchange Servers. The group responsible for the attacks is believed to be a state-sponsored group called HAFNIUM, who have been known to operate out of China. Users of on-premise Exchange Servers are strongly advised to update their systems as soon as possible.
Technical details, IoCs and other information can be found here.
A critical vulnerability has been found affecting Cisco Nexus 3000 and Nexus 9000 Series Switches. This flaw allows remote attackers to bypass authentication on the device and is one of three critical flaws addressed in the latest patch. This authentication-bypass bug has been given a CVSS score of 10 due to how easily it can be exploited. As always, we recommend updating your devices as soon as possible.
More details can be found here in Cisco’s official security advisory.
Google have released their latest security patch, which includes a fix for a newly discovered zero-day flaw that is being actively exploited in the Chrome Web Browser. The patch also addresses 46 other vulnerabilities, including an “object lifecycle issue in audio”. We advise all Chrome users to update to version 89.0.4389.72 to ensure they are protected from exploitation.
And that is it for this week’s round-up; please do not forget to tune in for new instalments every week.
Stay Safe, Secure and Healthy!
Edition #131 – 5th March 2021
Ironshare – Security Simplified