Ransomware gang targets, Confluence servers under attack and a warning to Firebase developers.

Welcome to Cyber Security Today. It’s Wednesday September 8th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.

Cyb er Security Today on Amazon AlexaCyber Security Today on Google PodcastsSubscribe to Cyber Security Today on Apple Podcasts

 

Which organizations are ransomware gangs looking to target? According to Israeli cybersecurity firm KELA, they primarily want firms based in the U.S., Canada, Australia and Europe who on average earn more than $100 million in annual revenue and are not in the education, healthcare, government or non-profit sectors. That’s according to an analysis of 48 conversation threads in July on criminal forums. These forums are where initial access brokers claim to have hacked into a company and are now willing to sell that access to ransomware-as-a-service groups. Attackers are looking to buy specific types of access to victims. So IT and security administrators should pay attention to this: Highly desirable are companies that have vulnerabilities in their Microsoft Remote Desktop Protocol setup, which is used by employees for remote access, as well as those with vulnerable virtual private network setups using products from Citrix, Palo Alto Networks, VMware, Fortinet and Cisco Systems.

In the last several months all of these products have issued patches for vulnerabilities, so you shouldn’t be caught off guard. For such access ransomware attackers are willing to pay up to $100,000. Remember, if your company earns less than $100 million a year don’t be complacent. That’s an average of the requirements of some attackers, and only for messages seen during a narrow time frame.

Last week I warned that the on-premise version of Atlasian’s Confluence collaboration server had to be patched to close a serious vulnerability. It’s already being exploited. The latest victim is Jenkins, which makes the Jenkins open source automation server. The company said the attacker seems to have installed a cryptomining app on a Confluence sever being deactivated. As a precaution passwords for any developers who access Jenkins’ corporate systems have been reset. This incident is a reminder to those with Confluence servers to patch them immediately.

Attention software developers: If you use the NPM package manager for JavaScript programming a serious vulnerability has been found. It’s in PAC-Resolver component that could allow a threat actor do nasty things with your application. It’s important to upgrade to version 5.0 if you use PAC-Resolver and use Proxy Auto-Config files for Proxy-Agent, a piece of code for HTTP proxy autodetection and configuration in Nod.js. The researcher who discovered the problem notes Proxy-Agent is very popular. It gets about 3 million downloads a week.

Attention cyber security teams: If your developers use Google’s Firebase mobile and web development platform make sure their apps are securely locked down. Researchers at Avast recently discovered over 19,000 open instances of Firebase on the internet. Of them, 10 per cent were open, meaning their data was exposed to unauthenticated users. Not all databases have sensitive or personally identifiable information. But developers have to be reminded of safe security practices.

Attention network administrators: If you use Netgear equipment the manufacturer has issued patches for three vulnerabilities in 20 of its smart switches. The researcher who discovered the problems said it can be exploited if Netgear’s Smart Control Center (SCC) is turned on. One vulnerability could allow an attacker to change an administrator’s password resulting in a full compromise of the device.

That’s it for now. Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

Share on LinkedIn Share with Google+
More Articles