Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The BianLian cybercrime group has publicly claimed responsibility for the recent attack on Air Canada, which resulted in the theft of personal information and private records.
BianLian’s claim stated that 210GB of data was exfiltrated during the attack, including technical documents, backups, employee data, and vendor and supplier information. The criminals’ plan was to leverage the stolen records to extort money from Air Canada, but these attempts were unsuccessful; as an additional incentive for the airline, BianLian has threatened to publicise the stolen data if payment is not made.
Air Canada is currently standing its ground and refusing to negotiate with the threat actors; its latest statement confirms that no customer data was compromised, but advises everyone to enable multi-factor authentication as a precaution.
A few weeks ago, the FBI announced that they had crippled the core infrastructure being used to operate the QakBot malware loader. This takedown was a huge success for the FBI, with the malware having infected more than 700,000 computers over the last 15 years.
Despite the FBI’s efforts, the QakBot operators have remained active. The Cisco Talos Threat Intelligence team has discovered new infrastructure being used by the attackers to power their infection attempts and phishing campaigns.
It was unclear whether the attackers would retire after their operations were dismantled, but it appears they have used the recent downtime to rebuild and continue with their existing campaigns.
The National Cyber Security Centre’s (NCSC) latest post focuses on “Mastering Your Supply Chain” and includes a collection of resources designed to introduce businesses to supply chain risk and the relevant guidance. The article also includes links to free learning modules that do not require any registration or login. Additionally, the NCSC has built these resources to cater to everyone, regardless of level of expertise.
This is a great collection of information and educational content that we strongly advise all businesses to consider.
A malicious caching plugin for WordPress has been posing as a legitimate plugin to get users to download it. The plugin secretly houses a backdoor that is capable of managing plugins and hiding itself from the list of active ones on a compromised website, replacing content, or redirecting certain users to malicious locations. Along with these capabilities, the malware is also able to create a user account called “superadmin” with admin-level permissions, and then remove the account and any traces of it. "Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy," reports WordFence.
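As an added example, not code from Ironshare or Wordfence, the following Python compares a current snapshot of WordPress accounts and their wp_capabilities role metadata against a trusted baseline, reporting new administrator accounts (such as a "superadmin" user), accounts that gained the administrator role, and accounts that have since vanished; the user rows below are constructed, and the baseline is assumed to have been captured when the site was known-good.

```python
import re

# wp_usermeta stores each user's roles as a PHP-serialised array, for example
# a:1:{s:13:"administrator";b:1;}. This regex pulls out every role set to true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

def roles_from_capabilities(serialized: str) -> set[str]:
    """Return the set of role names enabled in a wp_capabilities meta value."""
    return set(ROLE_RE.findall(serialized))

# Constructed rows (user_login -> wp_capabilities meta); not from a real site.
BASELINE = {
    "alice": 'a:1:{s:13:"administrator";b:1;}',
    "bob": 'a:1:{s:6:"editor";b:1;}',
    "carol": 'a:1:{s:10:"subscriber";b:1;}',
}
CURRENT = {
    "alice": 'a:1:{s:13:"administrator";b:1;}',
    "bob": 'a:2:{s:6:"editor";b:1;s:13:"administrator";b:1;}',
    "superadmin": 'a:1:{s:13:"administrator";b:1;}',
}

def audit_admins(baseline: dict, current: dict) -> dict:
    """Diff current users/roles against the baseline and report:
    - new_admins: administrator accounts that did not exist at baseline time
    - escalated:  existing accounts that have since gained administrator
    - removed:    accounts that disappeared (a backdoor cleaning up after itself)"""
    base_roles = {u: roles_from_capabilities(c) for u, c in baseline.items()}
    cur_roles = {u: roles_from_capabilities(c) for u, c in current.items()}
    admin = "administrator"
    return {
        "new_admins": sorted(u for u, r in cur_roles.items()
                             if admin in r and u not in base_roles),
        "escalated": sorted(u for u, r in cur_roles.items()
                            if admin in r and u in base_roles and admin not in base_roles[u]),
        "removed": sorted(u for u in base_roles if u not in cur_roles),
    }

if __name__ == "__main__":
    print(audit_admins(BASELINE, CURRENT))
```

Running the snapshot comparison on a schedule, and keeping the baseline outside the web root, means a short-lived account that is created and deleted between runs still shows up as a removed or added entry in at least one diff.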
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned users of Adobe Acrobat Reader about a vulnerability that is being actively exploited. Tracked as CVE-2023-21608, the vulnerability stems from a use-after-free bug within the software that allows remote code execution with the current user's privileges. The threat actors taking advantage of this vulnerability are not yet known; however, a proof-of-concept exploit has been available since late January 2023. Fortunately, Adobe has had a patch available since January 2023, and CISA is advising all users to update to the latest version of Adobe Acrobat Reader to avoid becoming a victim.
A zero-day vulnerability in Confluence Data Center and Server, a collaboration tool developed by Atlassian, has been actively exploited by a threat actor labelled Storm-0062, which has links to China's Ministry of State Security. The zero-day, tracked as CVE-2023-22515 and carrying the maximum CVSS score of 10.0, is described as a “Broken Access Control Vulnerability in Confluence Data Center and Server” that allows unauthorized access to resources and the creation of administrator accounts. A patch is available; however, where an immediate update is not possible, mitigations such as temporarily restricting external access or blocking access to the /setup/* endpoints at the network level have been proposed. Read more about the zero-day from Confluence here.
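As an added example (not Ironshare's or Atlassian's code), the following Python checks a reverse-proxy access log in front of Confluence for requests to /setup/* endpoints and flags any that came from outside an assumed trusted admin network, which is the traffic the network-level block described above is meant to stop; the log lines, trusted ranges and endpoint paths are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Combined log format as written by a reverse proxy in front of Confluence.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: setup endpoints should only ever be reached from these admin networks.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample lines, not real traffic; the paths are placeholders under /setup/.
SAMPLE_LOG = """\
203.0.113.45 - - [04/Oct/2023:10:15:02 +0000] "GET /setup/step.action HTTP/1.1" 200 512
203.0.113.45 - - [04/Oct/2023:10:15:05 +0000] "POST /setup/step.action?x=1 HTTP/1.1" 302 0
10.1.2.3 - - [04/Oct/2023:10:20:00 +0000] "GET /SETUP/step.action HTTP/1.1" 200 1024
198.51.100.7 - - [04/Oct/2023:10:21:11 +0000] "GET /wiki/spaces/ENG/overview HTTP/1.1" 200 8192
198.51.100.7 - - [04/Oct/2023:10:22:30 +0000] "GET /%73etup//step.action HTTP/1.1" 403 0
"""

def is_setup_path(target: str) -> bool:
    """True if the request path is under /setup/ after decoding, case-folding and
    collapsing repeated slashes, so the obvious evasions still match."""
    path = re.sub(r"/+", "/", unquote(urlsplit(target).path).lower())
    return path.startswith("/setup/")

def find_setup_access(log_text: str) -> list[dict]:
    """One record per request to a /setup/* endpoint, flagged as external when the
    source address lies outside TRUSTED_NETS (access the network block should stop)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_setup_path(m["target"]):
            continue
        ip = ipaddress.ip_address(m["ip"])
        hits.append({"ip": m["ip"], "method": m["method"], "target": m["target"],
                     "status": int(m["status"]),
                     "external": not any(ip in net for net in TRUSTED_NETS)})
    return hits

def summarize(hits: list[dict]) -> dict:
    """Totals a responder wants: how many hits came from outside, and how many of
    those were not refused (status other than 403), i.e. the block is not in place."""
    external = [h for h in hits if h["external"]]
    return {"total": len(hits), "external": len(external),
            "external_not_blocked": sum(1 for h in external if h["status"] != 403)}
```

Any external hit that was not refused is worth treating as a trigger to verify the patch level and review the administrator account list, since the page notes the flaw allows administrator accounts to be created.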
With 104 vulnerabilities addressed this month, Microsoft’s October Patch Tuesday is the second biggest release of the year. This batch of security updates comprises 13 critical and 91 important vulnerabilities, two of which have been publicly disclosed. With three flaws being actively exploited, we advise reading this round-up of Microsoft’s October Patch Tuesday and applying updates as soon as possible.
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #254 – 13th October 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.