It’s your 7-day storm of cyber security slipperiness – Threat Thursday is back.
This week Cisco and VMware have both suffered from security slip-ups – and Travelex are feeding the beast.
Travelex Solves Ransomware Problem by Throwing Money at It
In a move that is sadly becoming all too common, Travelex revealed this week that it paid the perpetrators behind their January cyber attack in order to take back control of their systems. The attack, reportedly involving the Sodinokibi malware, knocked their entire service offline, leaving customers unable to make foreign currency transactions. The Wall Street Journal reports that the $2.3 million sum was actually considered a tactical decision, when compared to the cost of lost business while bringing systems back online.
Cyber security experts working with Travelex have – against all previous advice – defended Travelex’s decision, citing the complexity of modern ransomware and ineffective alternatives as the basis behind the decision. Our recurring friends at IBM X-Force suggest this trend is set to continue, with 70% of businesses interviewed in their Ransomware Report claiming to have taken a similar approach.
With ransomware only becoming nastier and more capable, the advice around when and how much to pay appears to be changing; perhaps the discussion should move on to how better to defend our systems in the first place – outside of the usual virus protection techniques.
And this Week’s Web Conferencing Victim of Choice is… Webex!
Well, it was inevitable. Following the recent ‘Zoom-bombing’ craze (and the revelation that 2300 Zoom user details were found for sale on the Dark Web this week), Cisco’s Webex is this week’s comms application of choice for targeted credential stealing.
The explosion of users across web conferencing apps, brought about by this Covid-19 business, has been a siren song to hackers, who’ve immediately swept in on our security-unconscious home workers to snaffle up as much unsecured data as possible. In their most recent attempts on Cisco Webex users, attackers send non-targeted phishing emails to random recipients purporting to be from Webex themselves. Claiming that users need to ‘update’ their login details, the email instead tricks users into handing over their legitimate login details; the hope being that eventually, a Webex user will not only receive the email, but be duped by its authenticity.
And the authenticity is surprisingly competent too, spoofing an entirely plausible sender address while linking users to a dodgy URL. The URL differs only slightly from a legitimate Webex address, making it all the more likely that recipients will trust it. Finally, the use of Webex branding within the email itself is that little dash of believability that cyber criminals find, just… *chef’s kiss sound effect*.
If you’re a Cisco Webex user and receive any emails of this sort, chuck ‘em right in that virtual recycle bin. And if you really do believe an email to be legit, hover your mouse over the sender’s name and address and double-check where that link is really taking you.
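As an added illustration of that ‘double-check where the link is really taking you’ advice (not code from the original post), here is a small Python triage check that compares a link’s host against an allow-list of trusted domains and flags near-misses, the kind of look-alike the Webex emails rely on. The trusted domains, the edit-distance threshold and the sample URLs are constructed assumptions for the demo, not indicators from any real campaign.

```python
"""Classify where a link really points: trusted, look-alike, or unknown.

Constructed demo: the allow-list and sample URLs are assumptions, not
indicators taken from any real phishing campaign.
"""
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains the organisation trusts.
TRUSTED_DOMAINS = {"webex.com", "cisco.com"}

# Constructed threshold: at most this many character edits from a trusted
# domain counts as a look-alike (typo-squat, swapped letter, doubled letter).
MAX_EDITS = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host: good enough for .com-style names."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's host."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand name buried in a label of an unrelated domain
        # (e.g. webex.com.<something>.example) or a near-miss spelling.
        if any(brand in label for label in host.split(".")):
            return "lookalike"
        if edit_distance(domain, trusted) <= MAX_EDITS:
            return "lookalike"
    return "unknown"
```

Run the checks on the link target (the href), not on the visible text, since the two can differ.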
Be Aware of VMware Scare
A critical vulnerability in VMware’s Directory Service has been patched recently, fixing a disastrous flaw that ranked a maximum 10 out of 10 on the Common Vulnerability Scoring System.
The vulnerability, tracked as CVE-2020-3952, could easily allow attackers to bypass authentication and access a corporation’s entire virtual infrastructure. It was first revealed by VMware a week ago today, with technical details available here, if you’re into that sort of thing.
A patch is already available for the VMware directory service, and admins are advised to get this patch implemented immediately; with details now publicly available, threat actors will be itching to single out those who are yet to apply the update.
Get Comfy: It’s the Monthly Patch Tuesday Run Down!
Another month has passed, which means there’s just enough time to go over those regular patches and updates for the Windows and Android operating systems.
Android’s monthly update dropped on April 6th, with Microsoft’s dropping earlier this week. Android’s rundown sees 13 critical-severity vulnerabilities patched, with the most severe enabling “a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process”. Full details of the vulnerabilities and their fixes can be found here.
Over at camp Microsoft, they’ve not yet exceeded the heights of last month’s record-breaking 115 fixes, but this month’s 113 is nothing to be sniffed at either. Of 19 critical updates, one fixed a remote code execution vulnerability in that long-defunct relic, Internet Explorer. Its exploitation in the wild suggests it’s always hunting season for IE users, and hackers will continue to target anyone not moving to Edge, Firefox or Chrome.
We'd love you to join us next Thursday for the usual rundown.