Spring Java framework needs patching, nation-state attackers take advantage of Ukraine war and a warning to student job seekers.
Welcome to Cyber Security Today. It’s Friday, April 1st, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Software developers using the Spring Java application development framework should install the latest security updates. These close three vulnerabilities. Two were discovered this year. The third is a patch for an older vulnerability some researchers have dubbed SpringShell or Spring4Shell. That’s because they think it’s similar to the Log4Shell vulnerability in the Apache log4j logging library. That may or may not be true. Regardless, a patch for that particular hole was released on Thursday by VMware, which owns the Spring framework.
Lots of threat actors are using the war in Ukraine as cover for spear phishing attacks, according to Google. It says government-backed threat actors from China, Iran, North Korea and Russia as well as some unattributed groups are using war-related themes to trick victims into opening malicious emails or clicking on malicious links. For example, someone is impersonating military personnel to extort money for rescuing relatives in Ukraine. A Russian-based threat actor sometimes referred to as Calisto has launched credential phishing campaigns targeting several U.S.-based non-profits and think tanks. They’re also going after the military of several Eastern European countries as well as a NATO Centre of Excellence. A group believed to be from China’s military has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. So, be careful of unexpected email with themes about the war.
Meanwhile, fixed broadband satellite provider Viasat has acknowledged the consumer side of its service was disrupted in Ukraine and several European countries by a cyber attack just as the Russian invasion started on February 24th. The attack didn’t affect Viasat’s mobility service, it said, or service to government customers. But it damaged some customer modems so much that Viasat has shipped tens of thousands of replacement units to distributors. The company said an attacker exploited a misconfiguration in a VPN appliance to gain remote access to the management segment of the satellite network. Then they issued destructive commands to the modems.
University and college students are understandably eager to have money to pay rent or make a dent in their student loans. However, crooks are preying on that eagerness with tempting emailed job offers from recruiters they never meet. One goal is to get the victims’ name, address, birthday and social insurance number for identity fraud. Another is to sucker the victim into handing over money. The so-called jobs can be as varied as caregivers, mystery shoppers, administrative assistants, models, or rebate processors. Some enticements are that the victim can work from home. Sometimes the recruiter asks for a small amount of money upfront by promising big money later. In the worst cases the victim ends up working as an unsuspecting money mule for a criminal gang. These job offers are sometimes dazzling. Earlier this year Proofpoint discovered a scam trying to recruit university students for an executive personal assistant role at the United Nations Children’s Fund, known as UNICEF. Another email offered a three-day modeling job on a film shoot, claiming the company saw the victim’s profile on Instagram.
Beware of an unexpected job offer received from a freemail account such as Gmail or Hotmail that spoofs a legitimate organization. Beware of nonexistent or overly simplistic interview questions with little to no information about the job duties.
Finally, researchers at Bitdefender have found vulnerabilities in the Wyze Cam computer video camera used by consumers and small businesses. Make sure the latest security patches have been installed. Note that patches are only available for versions 2 and 3 of this device. Version 1 is discontinued and no longer receives security fixes.
Don’t forget, later today the Week in Review podcast will be available. Terry Cutler of Cyology Labs and I will discuss backups, nation-state cyberattacks and how police are being fooled into giving up your subscriber information.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.