Cyber Security Headlines – December 3, 2021

New malware hides as legit nginx process on e-commerce servers

As reported in BleepingComputer, “eCommerce servers are being targeted with remote access malware that hides on Nginx web servers in a way that makes it virtually invisible to security solutions.” It has been named NginRAT, in recognition of the application it attacks and the remote access capabilities it provides. It is being used in server-side attacks to steal payment card data from online stores. NginRAT has been spotted on eCommerce servers in North America and Europe that have been infected with CronRAT, a remote access trojan (RAT) that “hides payloads in tasks scheduled to execute on an invalid day of the calendar.”

(Bleeping Computer)
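CronRAT's trick of scheduling its payload on a day that does not exist in the calendar suggests a simple triage check for defenders: flag crontab entries whose day-of-month and month fields can never coincide. The script below is an added example, not code from the article or from the researchers who analyzed the malware; the crontab it scans is constructed here, and the day-of-week field is deliberately ignored, so treat hits as leads to inspect rather than proof of compromise.

```python
import calendar
import re
MONTH_NAMES = {calendar.month_abbr[i].lower(): i for i in range(1, 13)}  # jan=1 ... dec=12

def expand_field(field, lo, hi):
    """Expand one crontab field ('*', lists, ranges, '/step') into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = map(int, rng.split("-", 1))
        else:
            start = end = int(rng)
        values.update(range(start, end + 1, int(step or 1)))
    return values
def month_field_to_numbers(field):
    """Rewrite month names (feb, Mar, ...) as numbers so expand_field can handle them."""
    return re.sub(r"[A-Za-z]{3}", lambda m: str(MONTH_NAMES[m.group(0).lower()]), field)
def is_unreachable(dom_field, month_field):
    """True if no (day, month) pair in the schedule exists in any year; day-of-week is ignored."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(month_field_to_numbers(month_field), 1, 12)
    for m in months:
        max_day = 29 if m == 2 else calendar.monthrange(2001, m)[1]  # allow Feb 29
        if any(d <= max_day for d in days):
            return False  # at least one real calendar date matches
    return True

def find_unreachable_entries(crontab_text):
    """Return the crontab lines whose day/month schedule can never occur."""
    flagged = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) == 6 and is_unreachable(fields[2], fields[3]):
            flagged.append(line)
    return flagged

# Constructed sample crontab (not a real capture); the last two entries can never fire.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
52 23 31 2 * /tmp/.x/update.sh
15 4 30 feb * /var/tmp/sync
"""
print(find_unreachable_entries(SAMPLE_CRONTAB))
```

Run it against the output of `crontab -l` for each account and the files under /etc/cron.d to surface schedules that exist only to park a payload.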

Data from 400,000 Planned Parenthood patients compromised

On October 17, the Los Angeles chapter of Planned Parenthood (PPLA) identified suspicious activity on its computer network, and immediately notified law enforcement and a third-party cybersecurity investigative team. It was determined that a cyberattacker “accessed the PPLA network between October 9 and 17, installed malware and ransomware and exfiltrated files containing patient data from the Planned Parenthood system including patient names, birth dates, insurance information and clinical data including diagnosis and treatment information.”

(Security Magazine)

Double extortion ransomware victims soar 935%

Group-IB’s Hi-Tech Crime Trends 2021/2022 report gives this figure for the period covering the second six months of 2020 and the first six months of 2021. They report that during that time, an “unholy alliance of initial access brokers and ransomware-as-a-service (RaaS) affiliate programs has led to a surge in breaches.” The total number of breach victims on ransomware data leak sites jumped from 229 in the previous reporting period to 2371, while the number of leak sites more than doubled to 28, and the number of RaaS affiliates increased 19%, with 21 new groups discovered. Group-IB issued the oft-repeated warning that “even if victim organizations pay the ransom, their data often end up on these sites.”

(InfoSecurity Magazine)

Jack Dorsey’s Square changes its name to Block

Just a few days after Jack Dorsey resigned as chief executive of Twitter, his other company, Square, the digital-payments company he owns and runs, has changed its name to Block. The individual businesses owned by Block, “building blocks” as the company put it, such as Square and the music-streaming platform Tidal, retain their original names. This rebrand has been planned for over a year, and as Block states on Twitter, “we’re here to build simple tools to increase access to the economy.”

(BBC News and Twitter)

Thanks to our episode sponsor, Votiro

Your users need to accept and open files to do their jobs. Keep them safe and productive with Votiro. With Votiro zero trust file sanitization API, your users can download and use any file instantly, from PDF to Autodesk CAD, with malicious code already removed—and full file usability intact. The signatureless file sanitization process happens in milliseconds without user friction. Visit Votiro.com and learn why millions of users trust Votiro to disarm billions of files each year.

CISA adds Zoho, Qualcomm, Mikrotik flaws to ‘Must-Patch’ list

In addition to these three companies, CISA has also added the Apache Software Foundation to the list. Citing “evidence of active exploitation” against five specific vulnerabilities, CISA warned that further delays in applying available fixes “pose significant risk to the federal enterprise.” This gives Federal agencies until December 15, 2021 to apply patches for a pair of Zoho ManageEngine ServiceDesk flaws that have been at the center of documented APT attacks over the last few months.

(SecurityWeek)

FBI document shows what data can be obtained from encrypted messaging apps

According to The Record, “a recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr.” The training document had been obtained via a Freedom of Information Act (FOIA) request filed by Property of the People, “a US nonprofit dedicated to government transparency,” and “appears to contain training advice for what kind of data agents can obtain from the operators of encrypted messaging services and the legal processes they have to go through.” A copy is available for view at therecord.media.

(The Record)

Nine WiFi routers used by millions were vulnerable to 226 flaws

Security researchers at IoT Inspector analyzed nine popular WiFi routers and found a total of “226 potential vulnerabilities in them, even when running the latest firmware.” The routers tested are made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys, and are used by millions of people. The models with the highest number of vulnerabilities are the TP-Link Archer AX6000, having 32 flaws, and the Synology RT-2600ac, which has 30 security bugs.

(Bleeping Computer)

UK Cabinet Office fined £500,000 over New Year honors list data breach

The UK’s data watchdog levied the fine after the home addresses of the 2020 New Year honors recipients were published on 27 December 2019 on the gov.uk website. The Information Commissioner’s Office (ICO) found officials failed to put in place “appropriate technical and organizational measures” to prevent the unauthorized disclosure of personal information, in breach of data protection law. The list included prominent public figures such as Elton John, as well as more than a dozen MoD employees and senior counter-terrorism officers.

(The Guardian)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.