Innofactor Cybersecurity Studio – Week 46
Innofactor’s Cybersecurity Consultants Janne Nevalainen and Marcus Söderblom discuss the most topical cybersecurity news from all over the globe in our monthly Cybersecurity Studio. This week’s episode covers news from week 46.
- OpenSSL vulnerabilities
- Chinese hackers abuse antivirus software
- Sensitive information from almost 10 million customers was leaked
- Google Play Store infected by malware generating illegal advertising revenue
- CISA recommends phishing-resistant MFA
- CISA released a stakeholder-specific vulnerability management methodology
OpenSSL is widely used to encrypt communication channels and connections, for example those used by websites. Recently, two critical vulnerabilities affecting organizations around the world were discovered:
- A stack buffer overflow, which could trigger crashes or lead to remote code execution in the target system.
- Via the above buffer overflow, attackers can trigger a denial-of-service (DoS) state.
OpenSSL versions 3.0.0 to 3.0.6 are affected by the vulnerabilities, so the best way to mitigate the threat is to upgrade to the latest OpenSSL version, 3.0.7.
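To turn the mitigation above into a check, here is an added example (not from the episode) that parses `openssl version` banners collected from a host inventory and flags hosts still in the affected 3.0.0 to 3.0.6 window; the host names and banners are constructed sample data.

```python
import re

# Affected window as summarized above: OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches e.g. "OpenSSL 3.0.2 15 Mar 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner: str):
    """Return (major, minor, patch, letter) parsed from an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognized OpenSSL version banner: {banner!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_affected(banner: str) -> bool:
    """True if the banner reports a version in the 3.0.0-3.0.6 window.

    1.1.1x releases sit below the window and 3.0.7+ / 3.1.x above it."""
    major, minor, patch, _ = parse_openssl_version(banner)
    return AFFECTED_MIN <= (major, minor, patch) < FIXED


def triage(banners: dict) -> tuple:
    """Split {host: banner} into hosts needing the upgrade and hosts we could not parse."""
    needs_patch, unknown = [], []
    for host, banner in banners.items():
        try:
            if is_affected(banner):
                needs_patch.append(host)
        except ValueError:
            unknown.append(host)  # e.g. a non-OpenSSL TLS library; review manually
    return needs_patch, unknown


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web-01": "OpenSSL 3.0.2 15 Mar 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "dev-01": "OpenSSL 3.1.0-dev",
    "bsd-01": "LibreSSL 3.5.3",
}

if __name__ == "__main__":
    print(triage(SAMPLE))  # (['web-01'], ['bsd-01'])
```

Distribution packages often backport the fix without changing the reported version string, so treat a hit as a prompt to check the package changelog rather than as proof of exposure.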
Chinese hackers abuse antivirus software to launch malware
The Chinese hacking group Cicada, also known as APT10, has abused security software to install a new version of the LODEINFO malware against Japanese organizations, such as media groups, diplomatic agencies, and government. According to the cybersecurity company Kaspersky, the group is constantly evolving new infection tactics to make detection much harder.
In March 2022, APT10 started sending phishing emails to users in an attempt to make them download a RAR archive containing the legitimate K7Security Suite executable, NRTOLD.exe, and a malicious DLL named K7SysMn1.dll. Because the malware runs under cover of a legitimate security application, other security software solutions are unable to detect it, leaving the door open for intrusions.
Medibank refused to pay ransom – Sensitive information from almost 10 million customers was leaked
In mid-October, the Australian health insurance provider Medibank suffered a serious cyberattack, but the true scope of the damage was not revealed until a few weeks later, on November 9.
Medibank was told to pay a ransom but refused, as the company believed the criminals were only bluffing. However, the breach turned out to be genuine, and the criminals published selected pieces of information on the dark web, such as data on people’s medical treatments, drug and alcohol addictions, and mental health issues. All in all, sensitive information from up to 9.7 million customers was leaked to the attackers!
A full timeline of the data breach is available here.
Google Play Store infected by malware generating illegal advertising revenue
Google Play Store has, once again, been hit by a cybersecurity attack. This time, as many as 16 malicious apps with over 20 million cumulative downloads were removed from Google Play Store after being caught committing mobile ad fraud.
Malware known as Clicker tricked users into downloading malicious utilities masquerading as cameras, currency converters, QR code readers, and other ordinary apps. Once installed and launched, Clicker started generating illegal advertising revenue by visiting bogus websites and simulating ad clicks – without the victim ever being aware of the activity.
According to the cybersecurity company McAfee, Clicker malware can disrupt the mobile advertising ecosystem by generating illicit advertising revenue. From an individual end user’s perspective, an affected mobile device may generate heavy network traffic and therefore consume power without the user being aware of it.
CISA recommends phishing-resistant MFA
MFA-related attacks, such as MFA fatigue, have been on the rise lately, but here is a good reminder that security solutions keep evolving in response.
To help organizations strengthen their MFA, CISA (Cybersecurity and Infrastructure Security Agency) released guidance on techniques such as phishing-resistant MFA and number matching, and strongly recommends that organizations implement them. Hardware-based and certificate-based MFA are likewise recommended, as they make the MFA resistant to phishing.
CISA released a stakeholder-specific vulnerability management methodology
CISA has published a guide on Stakeholder-Specific Vulnerability Categorization (SSVC), a methodology for assessing vulnerabilities and prioritizing remediation efforts based on exploitation status, impact on safety, and prevalence of the affected product.
Organizations can use the tool freely to prioritize known vulnerabilities based on an assessment of the following decision points:
- Exploitation status
- Technical impact
- Mission popularity
- Public well-being impact
By implementing the methodology, organizations are better prepared to understand whether a vulnerability affects any of their products and to address, for example, supply chain attacks.
The full episode of Cybersecurity Studio – Week 46 is available here.
P.S. We are arranging a webinar on Security Monitoring on November 24. Sign up below!
With over 20 years of experience in the international cybersecurity business, Marcus is a multi-talented ICT professional who specializes in different kinds of security technologies. Cyber technologies are so dear to Marcus that he even teaches them in his spare time. Marcus is currently working as a Cybersecurity Consultant at Innofactor, and he always views cybersecurity matters from the customer’s point of view.