An angry ransomware gang partner allegedly leaks secrets, reports of more Canadian ransomware victims and a DNS problem found.
Welcome to Cyber Security Today. It’s Friday August 6th, I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
Has the Conti ransomware gang really angered one of its affiliate partners? That’s what cybersecurity professionals are wondering after an allegedly upset person posted information about the gang’s operations on a Russian-speaking hacking forum. Conti is one of the ransomware gangs that creates the malware and runs its infrastructure, leaving affiliate partners to do the hacking. Affiliates get to share in payouts, reportedly getting as much as 80 per cent of a ransom. But according to the Bleeping Computer news service, one alleged affiliate is upset that they only got $1,500 as a share of an attack. So the angry person has posed IP addresses for Conti’s command and control servers. If legitimate, blocking those addresses would at least temporarily put a crimp in the gang’s business. In addition the aggrieved person published a bunch of tools and instruction manuals Conti allegedly gives its partners. That could be a help to law enforcement agencies and security researchers hunting for the gang.
Speaking of Conti, a security researcher has tipped me off that a British Columbia-based apparel firm and a Quebec county are the latest organizations listed on the Conti list of victims. In addition, an agency that helps First Nations in Quebec and a Quebec-based distributor of industrial equipment are the latest listed on the site of the LockBit ransomware gang. We haven’t been able to confirm those firms were attacked.
After calls for the U.S. to work closer with the private sector to meet cyber attacks, Washington has created the Joint Cyber Defense Collaborative. Part of the Cybersecurity and Infrastructure Security Agency, the collaborative will design a public-private cyber defence plan to reduce cyber risks. Initial companies in the group are Amazon Web Services, AT&T, Crowdstrike, FireEye Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks, and Verizon.
Also this week the Cybersecurity and Infrastructure Security Agency issued guidance to IT teams on how to secure Kubernetes containers. Kubernetes is an open-source system that automates the deployment of applications run in containers, often in the cloud. If an attacker compromises a container they can get access to the data inside. The advice includes making sure online access to containers and pods is restricted to as few people as possible, and make sure there’s strong authentication for those who can access containers. There’s a link to the full recommendations in the text version of this podcast at ITWorldCanada.com.
Domain name service hosting providers are scrambling to close a hole in their service. This comes after researchers at a cybersecurity company called Wiz found a problem that could allow anyone to tap into a portion of DNS traffic and find information that would help hacking – like a computer’s name, employee names, an organization’s web domains and more. DNS hosting providers allow people who bought domain names from a DNS registrar to update their information. In theory that shouldn’t impact web traffic on the domain. But the researchers found that by registering a special domain they can switch traffic to a server they control. No one knows if anyone else has been able to find this trick. But managed DNS providers need to prevent this. And those who own a domain need to as well. There’s a link in the text version of this podcast at ITWorldCanada.com to an article that has more detail.
Finally, Cisco Systems has released patches fixing critical vulnerabilities in the web-based management interface of four models of its Small Business Router RV340 line. The vulnerabilities could allow an attacker to run malicious code or cause a distributed denial of service attack if remote management is turned on. By default the device only allows local management.
That’s it for now. Remember later today the Week in Review podcast will be out. There will be discussion about how to fight supply chain attacks.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.