Cyber Security Today, March 5, 2021 – Ransomware gang patterns revealed, software code bug exploited, malware hidden in images, and mysterious hacks of criminal forums

Ransomware gang patterns revealed, software code bug exploited, beware of malware hidden in images and mysterious hacks of criminal forums.

Welcome to Cyber Security Today. It’s Friday March 5th. I’m Howard Solomon, contributing reporter on cybersecurity for


Ransomware gangs sometimes try to lock up as many computers in an organization as fast as they can. That way the IT department doesn’t have time to react. However, a new report from a cybersecurity firm called Group-IB looking at attack patterns notes that on average some attackers were in organizations for up to 13 days before deploying ransomware. What were they doing? First, figuring out where important data was. Second, copying data for double extortion: Pay up, or not only will your organization be embarrassed by the copied data we release, but you also won’t be able to decrypt the data that’s been scrambled. This 13-day dwell time means security teams may have time to detect an attack before it’s finalized. The report also notes that just over half of successful attacks last year started by going through improperly secured remote desktop access applications. Employees use remote access to get into IT systems when they’re not in the office. That, of course, is more common today due to the pandemic. If IT staff want to reduce the odds of any attack they’ve got to toughen protection for remote access — including the use of multifactor authentication as extra protection for logins.

Three weeks ago I told you security researcher Alex Birsan had discovered a possible way to sneak corrupted software code into the public code some companies use in their applications. An attacker could use this tactic to infect the private code used in applications. This week a cybersecurity company called Sonatype said researchers are seeing lots of people taking advantage of the idea. Malicious packages of code have been spotted targeting the code of Amazon, Lyft, Slack, Zillow, and others. Apparently, some want to do what Birsan did and collect big money from bug bounty programs. However, the discovery of malicious code in some attempts raises two worries: One is that some well-meaning testers are being careless. The other is that crooks are trying to compromise the software code of big companies. Either way, software developers have to be more rigorous in screening and protecting their code.

Cybercrooks use many techniques to hide their activities. Often they compromise legitimate websites to hide their malware. When a victim opens a link or an infected document in an email, the malware gets downloaded from the legitimate site. Smart cybersecurity teams know this so they constantly scan their website code looking for unapproved and unusual additions. Security researchers at Cisco Systems this week said a gang has found a different way of hiding malware on those infected websites: Inside a bitmap graphic called a BMP. The hope is someone looking for suspicious code will overlook a graphic. In this case, the image has a ZIP file with malware that enables the hackers to have remote access to the victim’s computer. It’s a tactic that security teams watching their website code have to be aware of.
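For teams scanning their own web content, the check described above can be automated. The following is an added example, not code from the podcast or from the Cisco report: it reads a BMP's declared file size and looks for ZIP signatures inside or after the image. It assumes the archive is stored unencoded so its signatures are visible; the sample BMP and archive are constructed and harmless.

```python
import io
import struct
import zipfile

ZIP_LOCAL = b"PK\x03\x04"  # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"   # ZIP end-of-central-directory signature

def inspect_bmp(data: bytes) -> dict:
    """Flag ZIP content carried inside or after a BMP image."""
    out = {"is_bmp": False, "trailing_bytes": 0, "zip_offsets": [], "zip_members": []}
    if len(data) < 14 or data[:2] != b"BM":
        return out
    out["is_bmp"] = True
    # BITMAPFILEHEADER: magic, uint32 file size, 2 reserved uint16, uint32 pixel offset
    declared_size = struct.unpack_from("<I", data, 2)[0]
    if 0 < declared_size < len(data):
        out["trailing_bytes"] = len(data) - declared_size
    pos = data.find(ZIP_LOCAL)
    while pos != -1:
        out["zip_offsets"].append(pos)
        pos = data.find(ZIP_LOCAL, pos + 1)
    if ZIP_EOCD in data:
        try:  # zipfile tolerates bytes prepended to an archive
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                out["zip_members"] = zf.namelist()
        except zipfile.BadZipFile:
            pass  # signature matched by chance or the archive is damaged
    return out

def sample_bmp() -> bytes:
    """Constructed 1x1 24-bit BMP (58 bytes)."""
    file_hdr = struct.pack("<2sIHHI", b"BM", 58, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + b"\xff\xff\xff\x00"

def sample_zip() -> bytes:
    """Constructed harmless archive with one text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("clean", sample_bmp()), ("bmp+zip", sample_bmp() + sample_zip())):
        print(label, inspect_bmp(blob))
```

A four-byte signature can occur by chance in pixel data, so a hit in `zip_offsets` alone is weak evidence; trailing bytes past the declared size or a readable member list is the stronger signal.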

Finally, a mystery: Security reporter Brian Krebs reports that over the past few weeks three of the longest-running Russian-language online forums used by cybercriminals have been hacked. In two of the breaches, someone made off with the forums’ database of users’ email and IP addresses. One of the databases has been posted on a dark website for anyone to copy. Police would be very interested in those lists, which would help them track down crooks. Whodunnit?

That’s it for this morning. Don’t forget this afternoon you can catch the Week In Review edition of the podcast, when I discuss some of this week’s news with a guest analyst. You can listen on your way home or on the weekend.

Links to details about these stories are in the text version of this podcast at That’s where you’ll also find my news stories aimed at cybersecurity professionals.

Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
