Employees lured to plant ransomware, warning from Cisco and how a U.S. government department was hacked.
Welcome to Cyber Security Today. It’s Friday August 20th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
Ransomware gangs usually try to compromise victims’ computers by stealth, tricking employees into downloading what they think is a legitimate file. But one attacker is blatantly appealing to employees’ greed. He is sending emails to employees asking them to infect their company’s system with ransomware. In return they’d get a piece of the ransom. According to security company Abnormal Security, which has seen emails like this received by its customers, the crook says the employee would get $1 million in bitcoin – assuming the employer pays a $2.5 million ransom. And how does this attacker find potential victims? By searching through LinkedIn. In fact this attacker started out by sending poisoned email attachments to senior executives, but when all of those attempts failed he turned to finding greedy employees.
Two things: First, good for executives for spotting the initial phony messages. Second, employees need to be warned they might get a pitch inviting them to be a criminal.
Cisco Systems is investigating what it calls a medium-severity vulnerability that could impact some of its routers and edge platforms. The problem is in the Server Name Identification request filtering in Cisco’s Web Security Appliance and Firepower Threat Defense devices. It also affects all open source project releases of the Snort intrusion detection engine prior to Release 2.9.18. The current version of Snort is 3. An attacker could exploit the vulnerability to compromise a host machine. At the moment there are no workarounds for the Cisco products or the earlier versions of Snort. Those with affected Cisco devices should watch the company’s security website for mitigations or patches.
Finally, another reminder of the importance of IT staff having and following a process for learning of and installing security updates. This comes from a just-released American government review into the January 2020 hack of Citrix remote access servers used by the U.S. Census Bureau. Three weeks before the hack Citrix publicly released information about the vulnerability, along with steps to mitigate it. The Census Bureau’s computer incident response team knew about it. But that team didn’t co-ordinate with the IT team responsible for implementing the mitigation until it was too late. Not only that, the remote access servers weren’t being scanned for vulnerabilities. That was because the system and vulnerability scanning teams hadn’t transferred the system credentials needed for scanning. And the servers shouldn’t have been online at all: They were no longer supported, and were in the process of being replaced by new servers. But the old ones were still operating. The bureau says that was because the needed Citrix engineers were helping other federal departments, so the migration was delayed.
Fortunately, the bureau’s firewalls blocked the attacker’s attempt to install a backdoor after compromising the servers. But the attacker was still able to make changes to those servers, including creating new user accounts. No bureau data was compromised.
In its response the Census Bureau said it has accepted recommendations for changes, including implementing procedures to promptly notify IT personnel when word of critical vulnerabilities is released.
Later today the Week In Review edition will be available. Today I’ll be talking with Dinah Davis of Arctic Wolf about BlackBerry, T-Mobile and SDKs.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.