Cyber Round-up for 8th May
Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Many of the new campaigns being launched against key healthcare organisations rely on password-spraying techniques to gain access to accounts; because of this, strong password practice is vital. Cyber experts have published an in-depth advisory on changing passwords, strengthening them, and implementing two-factor authentication to ensure accounts are secure. The advisory also contains advice on what is considered a strong password; the guide can be found here.
Over the last week, an unknown hacker group has attempted to hijack over 900,000 WordPress sites, primarily through the exploitation of cross-site scripting vulnerabilities. This allows them to redirect all traffic to the site to a secondary malicious site. Reports revealed that more than half of the attacks exploited a specific XSS flaw in the Easy2Map plugin, which was removed from WordPress in August of 2019; this plugin was only installed on 3,000 sites. The company issued a warning that the malicious actor behind the attacks is advanced enough to create new exploits for future campaigns.
With World Password Day being this week, we thought it would be appropriate to encourage better password habits with some staggering statistics. In the UK, an overwhelming 64% of individuals reuse passwords to avoid forgetting them, and 54% claim to not have changed their passwords after a security breach. Poor password practice has always been a big issue when it comes to account security, so why not change that today? If you want to find more of these crazy statistics, or maybe want to know how to make your accounts more secure, we recommend reading this blog.
GoDaddy, the biggest domain registrar in the world, has recently confirmed that it has suffered a data breach. According to reports, the breach took place in October 2019 and only impacts hosting accounts; those with customer accounts are not affected and their information is reportedly safe. All hosting accounts that were impacted have been reset, and emails have been sent to everyone affected explaining how to regain account access. GoDaddy has responded to the incident by offering those affected free malware protection and security services. They also confirmed that around 28,000 accounts were affected.
A new phishing campaign has launched that aims to steal Microsoft SharePoint and Office credentials from investment brokers. The fraudulent emails contain a warning demanding immediate action, as well as a malicious attachment that is in some way related to the victim’s organisation. To further deceive users, the emails contain signatures of actual FINRA officers; FINRA is the Financial Industry Regulatory Authority. These kinds of campaigns are becoming increasingly popular, and we recommend always keeping your eye out when receiving suspicious emails.
For the last couple of months, internet trolls have been interrupting Zoom video calls with offensive content and imagery. Zoom has been working hard on ways to tackle this issue, and has implemented new security features to help. One of these features is the requirement of passwords for all meetings if you’re using a free account. Zoom has been in the spotlight recently because of how many of these attacks it has suffered; however, they have been working hard to remediate these issues and deserve credit for their effort.
A new variant of the Dacls Remote Access Trojan has been found, and it appears to be associated with North Korea’s Lazarus Group; the difference is that this version is specifically designed for macOS. A trojanised two-factor authentication app called MinaOTP is used to distribute the RAT; the application is common amongst Chinese speakers. More details on the nature of the malware can be found in the technical blog on Malwarebytes’ site.
A new botnet campaign called Kaiji has been created from scratch and has already begun compromising Linux servers and IoT devices. The botnet has been actively using these infected machines to launch DDoS attacks; the malware is very advanced and different to all other botnets, as it does not aim to exploit unpatched vulnerabilities. In addition, it was written in the Go programming language, which is very uncommon. It also uses very unusual brute-force techniques that are not typical of a botnet. IoCs can be found on Intezer’s blog, and we highly advise using complex passwords to reduce the risk of a brute-force attack succeeding.
And that’s it for this week’s round-up, please don’t forget to tune in for new instalments every week.
We hope this makes for light reading during these times of uncertainty.
Stay Safe, Secure and Healthy!
Edition #90 – 8th May 2020
Ironshare – Security Simplified