Exchange Servers under attack, ransomware-fighting advice and vulnerabilities in industrial control systems continue to climb.
Welcome to Cyber Security Today. It’s Monday August 23rd. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
IT administrators are apparently not getting the message about patching on-premises versions of Microsoft Exchange. On Saturday the U.S. Cybersecurity and Infrastructure Security Agency issued an urgent alert reminding admins to install security updates for Exchange to protect against exploitation of what are called the ProxyShell vulnerabilities. Microsoft issued these patches in May after being warned that the bugs could be used by attackers. On August 9th I reported to listeners that attackers were actively exploiting the vulnerabilities. Then researchers at Huntress Labs found a surge in scans for vulnerable Exchange Servers starting late last week. The U.S. agency warning is another reminder that attackers are still finding unpatched versions of Exchange Server.
This comes as Symantec warns that vulnerabilities in Exchange called PetitPotam are being leveraged to install the new LockFile ransomware. After attackers get into a victim’s network through Exchange Server, they use the PetitPotam vulnerability to access domain controllers, which are then used to install the ransomware. Symantec has seen at least 10 organizations victimized by this ransomware. Microsoft has issued mitigations for the PetitPotam vulnerabilities.
It is believed threat actors are using the unpatched ProxyShell vulnerabilities to start LockFile ransomware attacks.
For those IT administrators still without a strategy for fighting ransomware, last week the Cybersecurity and Infrastructure Security Agency issued a four-page guide. Among the advice: maintain offline, encrypted backups of data; regularly test backup restoration procedures; have a cyber incident response plan for reacting to any loss of critical IT functions; close unneeded remote access capabilities; scan applications regularly for software vulnerabilities identified by vendors and patch them fast; make sure antivirus and anti-malware software is up to date; and train employees to recognize suspicious emails and texts.
The Canadian government’s Centre for Cyber Security reminds IT administrators that Fortinet has issued an important update for its FortiWeb management console. A command injection vulnerability could allow an attacker to access a system.
The Centre also notes that industrial equipment manufacturer Siemens has issued a firmware update for its SINEMA Remote Connect Client, which is used to remotely connect to plants or machines.
While I’m on the topic of industrial equipment, a company that makes solutions to protect industrial control systems (ICS) says the number of vulnerabilities found in ICS and operational technology products continues to climb. In its latest report Claroty found 637 ICS vulnerabilities were disclosed in the first half of the year. That’s almost 200 more than during the previous six-month period. But while 60 per cent of software problems were addressed, almost 62 per cent of flaws in products’ firmware had no fix or only a partial remediation recommended. This is just the latest proof that finding and resolving bugs in internet-connected industrial equipment is hard.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.