This week’s Cyber Security Headlines – Week in Review, Mar 28-Apr 1, is hosted by Rich Stroffolino with our guest, Fredrick Lee, CISO, Gusto
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Remote code execution flaws in Spring and Spring Cloud frameworks put Java apps at risk
This development has sparked fears that it could have a widespread impact across enterprise environments, since Spring is one of the most popular open-source frameworks for developing Java applications. The flaw, which has since been dubbed SpringShell or Spring4Shell, is tracked as CVE-2022-22965 and is rated critical. The Spring developers confirmed that its impact is remote code execution (RCE), which is the most severe impact a vulnerability could have. A Chinese developer released a proof-of-concept (PoC) exploit on GitHub and then removed it, prompting widespread speculation about the unpatched flaw, its causes and potential impact. There was also some early confusion between this vulnerability and a different one patched Tuesday in Spring Cloud, a microservices library that’s different from the core Spring Framework. This will be a developing story.
‘Precursor malware’ infection may be a sign you’re about to get ransomware
Lumu Technologies founder and CEO Ricardo Villadiego suggests that “precursor malware,” which is essentially reconnaissance malicious code, lays the groundwork for a full ransomware campaign to come. Companies that can find and remediate that precursor malware can ward off the ransomware attack, he says. He bases his statements on a study of more than 2,000 companies that Lumu monitors, in which every ransomware attack was preceded by other malware paving the way. Lumu collects information from sources such as DNS queries, network flows, access logs, firewalls and proxies and correlates the data to identify whether any asset is trying to contact adversarial infrastructure. “A better way to operate,” he says, “is by assuming you’re compromised and let your network prove otherwise.”
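The correlation Villadiego describes, as an added illustration rather than Lumu's own product code: DNS and proxy log lines are matched against a list of known-adversarial indicators, and every internal asset that queried or connected to one is reported with its evidence. The log formats, the indicator list and the IP/domain values are all constructed for the example (placeholder values, not real IoCs).

```python
"""Added example (not from the Lumu study or this episode): correlate DNS and
proxy log lines against an indicator list to find internal assets that are
talking to adversarial infrastructure. All data below is constructed."""
import re
from collections import defaultdict

# Constructed indicator list (placeholder domain and IP, not real IoCs),
# stored lowercase so matching is case-insensitive.
ADVERSARY_INDICATORS = {
    "beacon.example-bad.test",
    "198.51.100.77",
}

# Constructed sample logs in an assumed key=value format.
DNS_LOGS = [
    "2022-03-29T10:01:02Z client=10.0.0.5 query=Beacon.Example-Bad.test type=A",
    "2022-03-29T10:01:05Z client=10.0.0.8 query=updates.example.test type=A",
]
PROXY_LOGS = [
    "2022-03-29T10:02:10Z src=10.0.0.9 dst=198.51.100.77:443 method=CONNECT",
    "2022-03-29T10:02:11Z src=10.0.0.5 dst=203.0.113.10:443 method=CONNECT",
]

DNS_RE = re.compile(r"client=(?P<asset>\S+) query=(?P<indicator>\S+)")
PROXY_RE = re.compile(r"src=(?P<asset>\S+) dst=(?P<indicator>[^:\s]+)")


def correlate(dns_lines, proxy_lines, indicators):
    """Return {asset: sorted list of (log_source, indicator)} for every asset
    whose DNS query or proxy destination is on the indicator list."""
    hits = defaultdict(set)
    sources = (("dns", dns_lines, DNS_RE), ("proxy", proxy_lines, PROXY_RE))
    for source, lines, pattern in sources:
        for line in lines:
            m = pattern.search(line)
            if not m:
                continue  # unparseable line: skip rather than crash the sweep
            indicator = m.group("indicator").lower()
            if indicator in indicators:
                hits[m.group("asset")].add((source, indicator))
    return {asset: sorted(evidence) for asset, evidence in hits.items()}


if __name__ == "__main__":
    for asset, evidence in correlate(DNS_LOGS, PROXY_LOGS, ADVERSARY_INDICATORS).items():
        print(f"{asset}: {evidence}")
```

In practice the indicator set would come from a threat-intelligence feed and the log lines from the resolver and proxy themselves; the point of the example is that a single asset showing up in two independent sources is stronger evidence than either source alone, and that the asset, not the indicator, is the unit you remediate.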
Apple and Meta leak user data to hackers posing as police
Bloomberg reports that the tech giants fell prey to a phishing operation that tricked employees into handing over customer data to cybercriminals posing as law enforcement. In 2021, the hackers sent fake “emergency data requests” to the companies demanding customer info including street addresses, IP addresses, and phone numbers. The messages included forged signatures of police officers. Sources say the perpetrators are believed to be affiliated with “Recursion Team,” a now-defunct hacking group that is said to have spawned members of the infamous Lapsus$ ransomware gang. Allison Nixon, chief research officer at cyber firm Unit 221B, commented, “In every instance where these companies messed up, at the core of it there was a person trying to do the right thing.”
Thanks to our episode sponsor, Varonis

Scammers abuse Facebook’s Media Partner Portal
Motherboard shared that some scammers are using this portal in an attempt to verify accounts on Facebook and Instagram, as well as to claim inactive usernames. This portal is meant to provide a streamlined way for media outlets to resolve issues with Facebook accounts, including helping with doxxing and harassment, or challenging content removals. Motherboard reports Upwork and other freelance hiring sites contain multiple listings looking for people with access to the Media Partner Portal to verify accounts. People looking to verify pages use them to verify profiles for Play to Earn cryptocurrency games, as well as pages related to entertainment, sports, and startups.
(Vice)
Lapsus$ shows that not all MFA is created equal
One of the table stakes recommendations for shoring up security usually involves implementing multifactor authentication. But recent cyber attacks by both Lapsus$ and APTs like Nobelium show that older forms of MFA offer substantially weaker security protections. Both used a technique known as MFA prompt bombing to get around these protections, effectively spamming an end user’s legitimate device with push notification authentication prompts until the user accepted the authentication and gave the attackers access. Researchers note this isn’t a new or novel approach, just an effective one. Using FIDO2-compliant MFA, while not impervious to the approach, would prevent one device from giving access to a different one.
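Prompt bombing leaves a recognisable trace in push-MFA logs: many prompts for one user in a short window, typically a run of denials followed by an approval. The detector below is an added example, not code from the article or from any MFA vendor; the event format, the window of five minutes and the threshold of three prompts are assumptions, and the events are constructed.

```python
"""Added example (not from the article): flag MFA push prompt-bombing
patterns in constructed authentication events. Event format, window and
threshold are assumptions chosen for illustration."""
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, push result).
# alice receives five prompts in under two minutes and approves the last one;
# bob receives two prompts hours apart, which is normal use.
EVENTS = [
    ("2022-03-30T08:00:00Z", "alice", "denied"),
    ("2022-03-30T08:00:20Z", "alice", "denied"),
    ("2022-03-30T08:00:45Z", "alice", "denied"),
    ("2022-03-30T08:01:10Z", "alice", "denied"),
    ("2022-03-30T08:01:40Z", "alice", "approved"),
    ("2022-03-30T08:05:00Z", "bob", "approved"),
    ("2022-03-30T11:15:00Z", "bob", "approved"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_prompt_bombing(events, max_prompts=3, window=timedelta(minutes=5)):
    """Return {user: {"prompts": n, "approved_after_denials": bool}} for each
    user who received more than max_prompts push prompts inside any sliding
    window. approved_after_denials is True when a flagged window contains at
    least one denial and ends with an approval, the highest-risk pattern."""
    by_user = {}
    for ts, user, result in sorted(events):  # ISO timestamps sort lexically
        by_user.setdefault(user, []).append((parse_ts(ts), result))

    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count <= max_prompts:
                continue
            in_window = evs[start:end + 1]
            had_denial = any(r == "denied" for _, r in in_window)
            ends_approved = in_window[-1][1] == "approved"
            prev = flagged.get(user, {"prompts": 0, "approved_after_denials": False})
            flagged[user] = {
                "prompts": max(prev["prompts"], count),
                "approved_after_denials": prev["approved_after_denials"]
                or (had_denial and ends_approved),
            }
    return flagged


if __name__ == "__main__":
    for user, info in detect_prompt_bombing(EVENTS).items():
        print(f"{user}: {info}")
```

A user flagged with `approved_after_denials` set is the case to act on first, since the approval may have come from fatigue rather than intent; the natural response is to revoke the session, confirm with the user out of band, and move the account to a FIDO2 authenticator, which the article notes cannot be approved from a device other than the one logging in.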
Log4Shell exploited to infect VMware Horizon servers
On Tuesday, researchers from Sophos revealed that the now infamous 10.0 severity remote code execution (RCE) vuln, Log4Shell, is being actively exploited to deliver malware to unpatched VMware Horizon servers. The researchers say the attackers are deploying remote monitoring packages, Atera agent or Splashtop Streamer, as well as an offensive security implant called Sliver, to serve as backdoors. The attackers have also been observed deploying four different Monero crypto miners (z0Miner, JavaX miner, Jin, and Mimu) to exploited machines. Finally, the researchers uncovered evidence of reverse shell deployment designed to collect device and backup information. Although Log4Shell patches were released back in December 2021, sadly many internet-facing servers have not yet been updated.
(ZDNet)