Updated malware attacks a Ukraine power company, the RaidForums darkweb site is seized, a new Hafnium attack and more patches issued.
Welcome to Cyber Security Today. It’s Wednesday April 13th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The Russian military threat group known as Sandworm has allegedly reached back into the past for its latest cyber attack on Ukraine. According to security researchers at ESET, last Friday Sandworm deployed an updated version of a piece of malware that it successfully used in 2016 to temporarily bring down part of Ukraine’s power grid. The latest victim was also a power provider. The original malware, dubbed Industroyer, goes after network-connected industrial controllers. Industroyer2 is slightly different: It goes after devices only running the IEC-104 protocol. Then it releases a new version of the CaddyWiper destructive malware to attack those devices. CaddyWiper was first discovered in March going after a bank in Ukraine. There was also a third piece of malware deployed against the energy company last week, another wiper that destroys servers running the Linux and Solaris operating systems. ESET isn’t sure how the attackers compromised the energy company last week, or how it moved from the IT to the industrial control system network. IT admins need to familiarize themselves with this malware in case it’s used in other countries.
On the other side of the cyberwar, the British news agency The Telegraph reports a hacking group claims it has compromised servers at the Russian space agency, while the hacktivist group Anonymous claims it hacked three more Russian companies and leaked their emails.
The U.S. and Europol announced the seizure of the website called RaidForums, a criminal marketplace where stolen data was bought and sold. The U.S. also unsealed six criminal charges laid against the site’s founder and chief administrator. He was arrested in January in Romania, where the U.S. has requested his extradition. The investigation was done with the help of Europol as well as police in the U.K., Sweden, Romania, Portugal, Germany and other law enforcement agencies.
The China-based Hafnium threat group has a new attack campaign against telecommunications companies, internet service providers and data services firms. According to Microsoft, it’s been going on since last August. It leverages a hole in the Rest API of Zoho’s ManageEngine, an identity and access management authentication suite. As part of the attack a new evasion malware dubbed Tarrask is used that hides in Windows Task Scheduler. It then executes tasks the attacker wants done. This link to a report includes indicators of compromise security teams should look for.
Attention IT administrators: If staff at your firm use the AWS Client VPN for remotely connecting to servers and data on the AWS platform make sure you’re running the latest version. That’s because a serious vulnerability has been found. According to researchers at Rhino Security Labs, the client can be compromised by an attacker. The new version users should have is 3.0.
Another update warning comes from HP and the remote desktop utility it now owns called Teradici PCoIP. There are high severity vulnerabilities in the Client and Graphics Agents that need to be patched with the latest updates. These are tools used not only in Windows but also Linux and macOS environments. According to a news report these Teradici products are available not only from HP but also other vendors.
Finally, yesterday was Patch Tuesday, when a number of IT companies release patches or security updates for their products. That includes Microsoft and SAP. SAP administrators should note one them fixes a serious hole in the HANA Extended Application Services. For any vendor make sure patches are prioritized and applied as soon as possible.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.