A business email scam group is broken up in Europe, GoDaddy’s IT systems hit again, and more.
Welcome to Cyber Security Today. It’s Monday, February 20th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
On Friday’s podcast I reminded listeners that business email compromise scams — where a threat actor pretends to be an executive by email or phone — happen in all countries. The goal is to convince an employee to transfer money to an account controlled by a crook. After I recorded that podcast, police in Europe announced they had cracked a gang in January doing just that. The gang was made up of French and Israeli residents. In one case a suspect impersonated the CEO of a French metallurgy company and convinced an accountant to make two urgent and confidential transfers of hundreds of thousands of euros. In another case the gang pretended to be lawyers for an accounting company. They convinced the chief financial officer of a Paris real estate developer to transfer about 40 million euros. Listeners should note that the scams worked because victims didn’t question large transfers of money requested by a superior. And they were persuaded by two demands: the transfers had to be done quickly and in confidence — two signs that should have aroused suspicion. Employees in finance departments have to be warned regularly about those signs.
Website hosting provider GoDaddy has admitted its systems were again compromised, this time late last year. In December a hacker was able to access the control panel linked to servers and install malware that redirected visitors to some of GoDaddy’s customers’ websites to infected sites controlled by the threat actor. In a regulatory filing, GoDaddy said it believes this is the latest in a multi-year campaign by a sophisticated threat actor group. The filing mentions several previous successful attacks. In 2021 hackers used a compromised password to access the provisioning system for GoDaddy’s 1.2 million managed WordPress customers. In 2020 a threat actor compromised the hosting login credentials of approximately 28,000 hosting customers.
Last December I told listeners about a ransomware attack at a U.S. hospital chain called CommonSpirit Health. Last week the company said that attack has cost the chain at least US$150 million — so far — in recovery costs. Some of that may be covered by cyberinsurance.
The public school board of Des Moines, Iowa says those behind last month’s ransomware attack were able to copy data it holds. However, it’s not saying how much data, and whether it’s student, teacher or employee information. The board had to close schools for two days as staff started to restore servers. According to researchers at Emsisoft, at least nine American school districts with 242 schools have been hit by ransomware so far this year.
Attention network administrators using SolarWinds Platform: Due to the discovery of several vulnerabilities, the company will issue a security update by the end of the month. Until then, make sure the suite’s website is not exposed to the public internet. If access is needed, create a strict allow list and block all other traffic. Disable unnecessary ports, protocols and services on your host operating system and on applications like SQL Server. For more instructions see the SolarWinds Security Vulnerabilities page.
VMware is warning administrators not to install a Windows Server 2022 update if they are also running certain earlier versions of the vSphere ESXi hypervisor with secure boot enabled. There’s a conflict that prevents the operating system from booting. This involves versions 6.7 and 7.x of the hypervisor. Version 8 is not affected.
Remember the 2020 hacking of 130 Twitter accounts of people including Barack Obama, Joe Biden and Bill Gates? A British man arrested in Spain has been ordered extradited to the U.S. to face 14 criminal charges relating to those attacks.
People are still hoping to make billions on cryptocurrency. And crooks are still trying to trick those people into downloading malware. The latest example was discovered by researchers at Cisco Systems. Victims are being sent phishing emails pretending to be from a crypto payment site called CoinPayments. The victim is asked to open a ZIP file that allegedly has details about a failed transaction. The file actually delivers ransomware or other malware. Be careful with any message involving cryptocurrency that asks you to download an attachment.
Finally, if you use the Firefox browser make sure it’s running the latest version. Mozilla last week released a new version that patches 10 high-severity vulnerabilities.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.