This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Bob Schuetter, CISO, Ashland
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Critical Progress FTP bug now being exploited in attacks
Following up on a story we brought to you Friday on Cyber Security Headlines related to the new maximum severity vulnerability in Progress Software’s WS_FTP Server file sharing platform (CVE-2023-40044), security researchers from Assetnote released a proof-of-concept (PoC) exploit for the bug on Saturday. Later the same evening, cybersecurity firm Rapid7 revealed that attackers began exploiting the bug. The vuln stems from a .NET deserialization flaw in the Ad Hoc Transfer Module, allowing unauthenticated attackers to remotely execute commands on the underlying operating system. Assetnote found that there are about 2,900 hosts running WS_FTP on the internet. Progress said that upgrading to a patched release using the full installer is the only way to address the issue.
Cloudflare DDoS protections bypassed using Cloudflare
A researcher at Certitude has discovered that Cloudflare’s Firewall and DDoS prevention can be bypassed through “a specific attack process that leverages logic flaws in cross-tenant security controls,” by simply using a free Cloudflare account. Through a proof of concept, the researcher, Stefan Proksch, attributes the vulnerability to “Cloudflare’s strategy to use shared infrastructure that accepts connections from all tenants,” and he points specifically to Cloudflare’s “Authenticated Origin Pulls” and “Allowlist Cloudflare IP Addresses” features. Proksch and his research colleague Florian Schweitzer reported the logic flaws to Cloudflare on March 16, but the issue was closed as “informative.”
Lazarus Group poses as Meta recruiters to spear-phish Spanish engineers
The Lazarus Group from North Korea has been identified as the source of a sophisticated attack which involved posing as a recruiter from Meta seeking to attract employees from a Spanish aerospace company. The interested candidates were then sent coding quizzes or challenges to solve as part of the application process. These of course contained sophisticated malware called LightlessCan, which ESET describes as representing “a significant advancement in malicious capabilities,” especially since each piece of malware was specifically designed for each individual candidate’s machine.
New feature-rich malware-as-a-service emerges
Security researchers discovered a new malware-as-a-service (MaaS) named ‘BunnyLoader’ advertised on multiple hacker forums as a fileless loader that can steal and replace the contents of the system clipboard. The malware can now download and execute payloads, log keys, steal sensitive data and cryptocurrency, and execute remote commands. BunnyLoader is under rapid development, adding features including anti-detection mechanisms and extra info-stealing capabilities since its first version emerged on September 4. Researchers at Zscaler note that BunnyLoader is quickly becoming popular among cybercriminals due to its rich features, low price, and ease of use even by low-skilled cybercriminals.
Thanks to today’s episode sponsor, Conveyor

Red Cross issues hacktivist rules
The International Committee of the Red Cross published a set of rules regarding hacktivist activities in time of armed conflict in the European Journal of International Law. This noted the rise in cyber-attacks by civilians during war impacting non-military targets, including hospitals. The rules call for no direct cyber-attacks against civilian objects and no use of malware that spreads indiscriminately or automatically. They also call for no cyber attacks on humanitarian facilities like hospitals. These rules come as cyber attacks from both pro-Russian groups and the IT Army of Ukraine have escalated as part of the ongoing war in Ukraine.
Researchers warn of 100,000 exposed ICS systems
Power grids, traffic light systems, security and water systems are among the infrastructure that cybersecurity company BitSight has noted as being exposed and vulnerable on the internet, through units such as “sensors, actuators, switches, building management systems, and automatic tank gauges.” This number is actually a year-over-year improvement since 2019. The vulnerabilities cover all major industry sectors, such as finance, education, and energy, and the most vulnerable countries are the US, Canada, Italy, the UK, and France.
Cloud giants face UK competition probe over lock-in practices
The UK’s Competition and Markets Authority (CMA) is launching a broad investigation into large cloud organizations like AWS, Google, and Microsoft, to determine whether large cloud companies make it difficult for businesses to move or to use multiple providers. These three companies account for 90 percent of cloud revenues in the UK. Key issues being scrutinized are egress fees, which cloud companies charge customers for moving their data elsewhere, and interoperability, where cloud companies make their procedures incompatible with other vendors, making moving out more problematic.