A new ransomware strain found, watch for double backdoors, a new sextortion tactic and more
Welcome to Cyber Security Today. It’s Friday, February 25th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
A new ransomware strain has been spotted. Researchers at Sophos have dubbed it Entropy. The significant thing I found in the report was how the attackers first got into victims’ IT systems. In one case they exploited a known vulnerability in a Microsoft Exchange Server called ProxyShell. In the second case an employee clicked on a malicious email attachment that led to the delivery of the Dridex malware and ultimately the ransomware. There’s two lessons here: In both cases attackers took advantage of vulnerable Windows systems that lacked current patches and updates. That’s why fast patching is vital. And if employees had been required to use multifactor authentication it would have made things harder for the attackers.
The installation of a backdoor into IT networks by hackers isn’t new. But researchers at Palo Alto Networks have discovered something that is: Installing a backup backdoor in case the primary one is removed. The researchers dub this secondary backdoor SockDetour because it hijacks the internet connection of an existing network socket. As a result it’s hard to detect. The hacker or hackers using this tool may be associated with an attack campaign that’s been going on against organizations in the technology, energy, healthcare, education, finance and defence sectors. In one case the server that hosted a SockDetour backdoor was a compromised storage devices from QNAP. One defence: Keep Windows servers up to date with the latest patches. Some anti-malware software may detect this backdoor running in memory.
Hackers are sending threatening sextortion emails to people in France. The message claims to be from a government agency that has video evidence of a victim’s visits to a porn site. It demands payment of a fine. This uses a tactic that attackers may try in other countries: Embedding an image of a fake but official-looking government document that isn’t detected by email spam filters. Threatening email messages should be reported to police.
Finally, owners of recent Samsung Galaxy S-series smartphones should make sure the devices have the latest security updates. This comes after Israeli researchers said they found Samsung didn’t properly implement encryption protection. Fortunately, the researchers told Samsung about this over a year ago and patches were released last August and October. If you haven’t installed updates in a while, your data and communications may have been at risk.
Don’t forget later today the Week in Review podcast will be out. Today’s guest commentator is ransomware expert Brett Callow of Emsisoft.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.