Cybersecurity News – New SOHO router malware, employees use prohibited apps, Google battles bots

A new sophisticated malware is attacking SOHO routers

An unusually advanced hacking group has spent almost two years infecting a wide range of small office/home office routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate, affecting routers made by Cisco, Netgear, Asus, and DrayTek. The RAT closely resembles the Mirai malware and is being used to access the corporate LANs that home offices connect to.

(Wired)

New study shows over half of employees use prohibited apps

A study released by Cerby in partnership with Osterman Research questioned more than 500 business professionals in the US and UK employed by companies with over $100M in revenue. It found that 52% of employees have had apps they want to use “disallowed” at work because of company policy, 92% want full control over the apps they use for work, even when they are not secure, and half said they want IT to just “get out of the way” when it comes to work application choice. 60% of respondents said that “when the company disallows an app they need for productivity, it negatively affects their perception of their job, employer, and how much their company trusts them.” The full study is available at Cerby.com.

(Cerby)

Google battles bots, puts Workspace admins on alert

Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin password resets. The API capabilities – aptly named “Advanced API Security” – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago. As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it’s growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks. Google’s answer to these problems includes two API security features available in preview: one that identifies API misconfigurations and another that detects bots.

(The Register)

Critical ManageEngine ADAudit Plus vulnerability allows network takeover, mass data exfiltration

A critical vulnerability in Zoho’s widely used compliance tool, ManageEngine ADAudit Plus, which monitors changes to Microsoft Active Directory, leaves endpoints vulnerable to unauthenticated users. A successful exploit could allow an attacker to take over an entire enterprise network, Horizon3.ai researchers warn. The platform’s ability to offer deep access into a company’s internal IT ecosystem heightens the potential for a nightmare-scenario level of data exposure in the event of a breach. The vulnerability, numbered CVE-2022-28219, could be used to deploy ransomware, exfiltrate sensitive business data, or disrupt business operations.

(Dark Reading)

Thanks to today’s episode sponsor, Optiv

The modern enterprise needs a solution as unique as its business.

Optiv’s Advanced Detection and Response (ADR) works with your organization to comb through the D&R clutter and find the ideal security solutions for your business. ADR delivers tailored detection and response backed by technology, real-time intel and deep expertise applied at touch. Bottom line: ADR finds and neutralizes threats fast, so you can focus on what matters.

If you’d like to learn more about Optiv ADR, please visit Optiv.com/adr.

FCC Commissioner asks Apple and Google to remove TikTok from app stores

Brendan Carr, a Republican member of the FCC, wrote in a letter to Apple and Google’s chief executives, “It is clear that TikTok poses an unacceptable national security risk due to its extensive data harvesting being combined with Beijing’s apparently unchecked access to that sensitive data.” Carr further emphasized that the short-form video service, which states it has over one billion monthly users, is far from just an app for sharing funny videos or memes, calling out its features as “sheep’s clothing” intended to mask its core function as a “sophisticated surveillance tool” for amassing users’ personal information.

(The Hacker News)

North Korea’s Lazarus Group suspected of $100m Harmony hack

Blockchain analytics company Elliptic has suggested that North Korea’s Lazarus Group may be behind last week’s $100m theft from cryptocurrency firm Harmony. In an advisory released on Wednesday, the security experts confirmed Harmony’s initial claims that the funds had been stolen through Horizon Bridge, a platform enabling the transfer of cryptocurrency across blockchains. This was then transferred to Uniswap – a decentralized exchange (DEX) – to convert much of these assets into ETH. This ETH was next shifted into Tornado Cash – a tool that is often used to launder proceeds of crime.

(InfoSecurity)

OpenSea discloses data breach, warns users of phishing attacks

OpenSea, the world’s largest non-fungible token (NFT) marketplace, disclosed a data breach on Wednesday and warned users of phishing attacks that could target them in the coming days. The company, which has more than 600,000 users and a transaction volume over $20 billion, says that an employee of Customer.io, the platform’s email delivery vendor, downloaded email addresses belonging to OpenSea users and newsletter subscribers. Since the emails stolen in the incident were also shared with an unauthorized external party, the company urged potentially affected users to be alert for phishing attempts impersonating OpenSea.

(Bleeping Computer)

AstraLocker 2.0 infects users directly from Word attachments

A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments, opting for “smash-n-grab” attacks to hit with maximum force aiming for a quick payout. The lure used by the operators of AstraLocker 2.0 is a Microsoft Word document that hides an OLE object with the ransomware payload. The embedded executable uses the filename “WordDocumentDOC.exe”. To execute the payload, the user needs to click “Run” on the warning dialog that appears upon opening the document.

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.