It’s Thursday, it’s the Mirus blog… it’s Crackerjaaack! Threat Thursday!
It’s something of a lopsided affair on Threat Thursday this week, with few relevant new threats or vulnerabilities to speak of. Still, there are developments, good and bad, on the cyber security frontlines, and we’ve compiled them all this week for your consideration. Let’s jump in.
Good News, Everyone! Interpol is Cracking Down on Magecart, Making Their First Successful Arrest!
As we’ve covered in previous editions of Threat Thursday, Magecart is a consortium of unsavoury chaps that target online shopping systems, such as Magento, and swipe customer card info in supply chain attacks.
Well, Interpol have caught wind of the growing threat and decided they’re having none of it. Earlier this week, the unstoppable force of international law enforcement laid a smackdown on a group of three Indonesian scammers, arresting them in the first of many proposed investigations.
This crackdown, orchestrated by Interpol, the Indonesian Cyber Police and threat research company Group-IB, is all part of Operation Night Fury – clearly, the group is a fan of the How to Train Your Dragon franchise. There are five other suspected Magecart operations within the ASEAN alone, so here’s hoping Operation Night Fury can continue its campaign of justice.
In the meantime, the Magento payment service has received some critical updates to patch known remote code execution vulnerabilities. The patches were made available earlier this week as part of the upgrade to the new Magento 2.3.4. Three critical flaws have been patched, so if you’re a business whose website is running the Magento payment service, now’s the time to check you’re on the patched release.
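For anyone who wants to script that check across a fleet of shops rather than eyeball it, here is a small added example (ours, not Magento’s or Adobe’s code). It assumes that `bin/magento --version` in the install root prints a line containing the release number, such as `Magento CLI 2.3.3`, and it compares releases numerically so that a future `2.10.0` is not mistaken for something older than `2.3.4`, which is exactly what a naive string comparison would do.

```python
import re
import subprocess
from typing import Optional, Tuple

# Release that carries the three critical fixes mentioned in the post.
MIN_PATCHED = "2.3.4"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first dotted x.y.z release number from a string such as
    'Magento CLI 2.3.3' (assumed output shape of `bin/magento --version`).
    Security patch suffixes like '2.3.4-p1' keep their base number.
    Returns None when no release number is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version_text: str, minimum: str = MIN_PATCHED) -> bool:
    """True when the release in version_text is at or above `minimum`.
    Tuples compare field by field, so (2, 10, 0) > (2, 3, 4) as intended,
    whereas the strings '2.10.0' < '2.3.4' lexically (the classic pitfall).
    An unparseable version is treated as unpatched: fail closed."""
    found = parse_version(version_text)
    floor = parse_version(minimum)
    if found is None or floor is None:
        return False
    return found >= floor


def check_install(magento_root: str) -> bool:
    """Run the install's own CLI and judge its release (hypothetical helper;
    only useful on a host that actually has a Magento install at that path)."""
    result = subprocess.run(
        [f"{magento_root}/bin/magento", "--version"],
        capture_output=True,
        text=True,
        check=True,
    )
    return is_patched(result.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real system.
    for sample in ("Magento CLI 2.3.3", "Magento CLI 2.3.4", "Magento CLI 2.10.0"):
        state = "patched" if is_patched(sample) else "NEEDS UPDATE"
        print(f"{sample!r}: {state}")
```

Run it against each shop’s install root via `check_install("/var/www/shop")` (path is a placeholder), or feed it the version strings you have already collected; anything reporting `NEEDS UPDATE` goes to the top of the patch list.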
Bad News, Everyone! Mac’s Most Troublesome Trojan is Back, and More Powerful than Ever!
Apple’s most pervasive malware just got something of a boost.
Shlayer, which sounds like the answer Sean Connery might give you if you asked him what his favourite heavy metal band is, is the most prominent and powerful malvertising trojan facing Mac users everywhere. It’s the most frequently-encountered malware on Apple devices and, according to research from the wonderfully named Kaspersky Labs, ten percent of successful attacks occur within the UK alone.
Shlayer is an advertising trojan which hides within fake and disreputable software downloadable online. It unleashes a veritable smorgasbord of adware once the software is installed and can hijack browsers to drive yet further adware attacks.
It’s now been revealed that an enterprising individual has purchased a number of expired domains and infected them all with the trojan, hiding links to these Shlayer-infected sites in seemingly innocuous places; YouTube video descriptions, Wikipedia references and sites offering pirated videos, though you should arguably know better than accessing the latter. Kaspersky gives a deep and detailed rundown here, but it seems that we’re likely to see Shlayer shpreading itshelf much further in the coming monthsh.
If you’re a Mac user, YouTube viewer or avid Wikipedia researcher (and who amongst us nerds isn’t?) then you’ll want to tread carefully when online, and ensure you’re protected with a respected anti-virus solution.
Good News, Everyone! The UK’s Introducing Strict New Device Security Laws!
The UK government, seemingly on a roll from the success of their commemorative Brexit tea towels, has made a respectable commitment to cyber security this week.
The Department for Digital, Culture, Media and Sport has drafted a law that requires the manufacturers of Internet of Things (IoT) devices to incorporate tighter security controls in their products. It proposes that all IoT devices ship with unique passwords that cannot be reset to their factory defaults, and that flaws be reported and resolved in a (currently ambiguous) “timely manner”. They’ve also made suitably strict rules on the way devices store credentials, encrypt security-sensitive data and ensure our personal data is protected. The proposals can be read here.
Frankly, this is a fantastic precedent, as IoT devices are rarely equipped with even the most basic of on-board security; one need only read last week’s Threat Thursday report on the Amazon Ring to see how lax manufacturers are with our security. This might finally force them to implement stricter protections, at least for their UK consumers.
Bad News, Everyone! Those Citrix Vulnerabilities We Worried Would Be Exploited Have Now Been Exploited!
It was nail biting for a little while back there, but finally the thrilling conclusion to those Citrix vulnerabilities can be revealed: Citrix lost.
A patching spree set to resolve several vulnerabilities in Citrix Gateway and Citrix Application Delivery Controller concluded last Friday, but resourceful hackers had already snapped up the opportunity to exploit them.
Amongst those compromised are German parts manufacturer Gedia Automotive and - on a larger but no less Germanic scale - the city of Potsdam. As if to make matters schlechter, the ransomware being fed through these vulnerabilities is none other than Sodinokibi. Remember when Travelex got well and truly cream-crackered last month? Yep, that’s the same malware.
Our advice remains the same: patch, patch, and patch, as soon as you possibly can. The longer you leave your Citrix software unpatched, the more likely it is that you’ve already been affected.
Bad But Also Good News, Everyone! A Cisco Webex Vulnerability Has Been Discovered and Subsequently Patched!
Cisco’s Webex Meeting Suite was recently patched to prevent a (slightly embarrassing) vulnerability, which allowed unauthorised attendees to enter password protected chats and strut about like they owned the joint.
The exploit, ranked as high severity, was relatively simple to pull off too, as explained by Cisco’s own security advisory. Essentially, the unauthorised gatecrasher could join the password protected meeting by accessing the meeting URL via a web browser; this would then launch the Webex mobile app, which could then allow the infiltrator to enter the meeting without needing to enter the password. Cisco calls this an “unintended meeting information exposure in a specific meeting join flow for mobile applications”, which is not a normal way to describe anything, frankly.
Still, the exploit isn’t exactly covert; anyone thinking of entering these meetings would still be clearly visible to all other members, which meant it would only take one eagle-eyed attendee to spot the unwelcome guest. Nonetheless, this exploit was a clear and present threat to the confidentiality of Webex meetings.
Cisco has addressed this vulnerability and the patch should now have been applied to the mobile app, without any user action required. However, this whole episode leaves one lingering question; who, with that much spare time on their hands, would voluntarily enter a business meeting? I don’t want to meet the man who does that kind of thing for fun.
And that’s another Threat Thursday in the bag, and the last of this seemingly endless January! Join us next week for more of the latest cyber security news and updates.