This week's cybersecurity headlines carry threat warnings from law enforcement and security organizations. Staying current on such advisories helps organizations keep threat actors at bay. Here are the most important cyber headlines this week:


Beware of LinkedIn Frauds, Warn Security Researchers

Cybersecurity researchers report that LinkedIn is currently the most impersonated brand in phishing attacks, appearing in 52% of the brand-impersonation attempts observed worldwide in Q1 2022. LinkedIn brand abuse has risen sharply: in Q4 2021 the platform was only fifth on the list of most-impersonated brands, so this is a year in which LinkedIn users should stay especially vigilant.

The second-most impersonated brand this quarter is the German logistics company DHL; the surge in online shopping during the holiday season is a significant contributor to delivery-themed lures. In a typical LinkedIn scam, the adversaries send phishing emails carrying the genuine LinkedIn logo and imitating a specific company's writing style and tone. These emails usually invite the recipient to connect with the fraudulent firm to discuss possible employment opportunities.

Once a victim clicks the “Accept Invitation” button, they are redirected to a spoofed LinkedIn login page hosted at an unofficial URL (carriermasr.com/public/linkedin.com/linkedin.com/login.php) that asks for their login credentials. With the harvested credentials, the attackers can launch highly effective spear-phishing attacks from the compromised account. The risk is greater for LinkedIn than for most brands because a hijacked account can be used to target several senior executives at reputable organizations, endangering both the organizations and their employees. LinkedIn users are therefore advised to treat LinkedIn-branded emails with caution: start by checking the sender's actual email address and the destination of any link before clicking, and back that up with robust email-security controls.
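The checks the article recommends, as an added example that is not from the original page or from any of the researchers it cites: the Python script below parses a LinkedIn-branded message and flags the tells of the lure described above, namely a display name claiming LinkedIn with a sender address elsewhere, a Reply-To on another domain, and clickable links that leave linkedin.com (including the brand name tucked into the path of a foreign host). The sample message is constructed for the demonstration, and the allow-list of legitimate LinkedIn domains is an assumption to be replaced with the domains your mail gateway has verified.

```python
"""Triage a LinkedIn-branded email: flag sender and link domains that are not LinkedIn's.

Added example, not code from the original article. The message below is
constructed to mirror the lure described in the text; the only real URL in it is
the spoofed login page quoted there. The allow-list of legitimate LinkedIn
domains is an assumption.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of domains LinkedIn legitimately sends mail from / links to.
LINKEDIN_DOMAINS = {"linkedin.com"}

# Constructed sample message (raw RFC 5322 text) mimicking the lure in the article.
SAMPLE_EML = """\
From: LinkedIn <notifications@linkedin-mail.example>
Reply-To: hr-team@carriermasr.com
To: victim@example.org
Subject: You have a new invitation to connect
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://static.licdn.example/logo.png" alt="LinkedIn">
<p>Acme Talent would like to discuss an opening with you.</p>
<a href="http://carriermasr.com/public/linkedin.com/linkedin.com/login.php">Accept invitation</a>
<a href="https://www.linkedin.com/help/">Help</a>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Crude last-two-labels reduction (www.linkedin.com -> linkedin.com).
    Assumption: no multi-part public suffixes such as co.uk in the input."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(html: str) -> list[str]:
    """Pull every href target out of the HTML body (clickable links only)."""
    return re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)


def triage(raw: str) -> dict:
    """Return the suspicious tells found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender checks: display name says LinkedIn but the address domain does not.
    display, addr = parseaddr(msg["From"] or "")
    from_dom = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    if "linkedin" in display.lower() and from_dom not in LINKEDIN_DOMAINS:
        findings.append(f"display name '{display}' but From domain '{from_dom}'")
    reply_to = parseaddr(msg["Reply-To"] or "")[1]
    if reply_to and registrable_domain(reply_to.split("@")[-1]) != from_dom:
        findings.append(f"Reply-To domain differs from From: {reply_to}")

    # 2. Link checks: any clickable URL whose host is outside LinkedIn's domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    bad_links = []
    for url in extract_links(html):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in LINKEDIN_DOMAINS:
            bad_links.append(url)
    for url in bad_links:
        findings.append(f"link to non-LinkedIn host: {url}")

    # 3. The classic tell: the brand name embedded in the path of a foreign host.
    for url in bad_links:
        if "linkedin" in urlparse(url).path.lower():
            findings.append(f"brand name in path of foreign host: {url}")

    return {"suspicious": bool(findings), "findings": findings, "bad_links": bad_links}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("-", line)
```

The script deliberately judges the address and the link targets, not the logo or the wording, because those are exactly what the lure copies faithfully; on the sample message it reports four findings, all pointing at carriermasr.com.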


Remote Code Execution Risk at Apache Struts

Cybersecurity experts recently disclosed a vulnerability in Apache Struts, the open-source framework used to build Java web applications. If exploited, the flaw allows remote code execution: an attacker could install programs; view, change or delete data; and create new accounts with full user rights. Because the impact depends on the privileges of the account under which the application runs, deployments with fewer rights would be affected less than those running with administrative privileges. All Apache Struts versions before 2.5.30 are vulnerable; however, there have been no reports of exploitation in the wild so far.

Security experts rate the risk as high for large and medium government and business entities and low for home users. Reportedly, the vulnerability stems from certain tag attributes being evaluated twice: when developers use the %{…} syntax to force OGNL evaluation of an attribute whose value is derived from untrusted user input, the input itself ends up being evaluated as an OGNL expression, which can lead to remote code execution. Security experts therefore advise upgrading to the latest version of Apache Struts, auditing tag attributes for forced OGNL evaluation on untrusted input, and running all software with the minimum privileges required rather than with administrative rights.
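A review aid for the pattern described above, added here as an example and not taken from the Apache Struts project: the script scans JSP source for Struts tags whose attributes use the %{...} forced-evaluation syntax, reports each expression with its tag, attribute and line, and marks the ones that read request data directly. Every hit still needs a human to confirm whether the value can carry untrusted input; the sample JSP is constructed and the helper names are the example's own.

```python
"""Flag Struts tag attributes that use forced OGNL evaluation (%{...}).

Added example, not code from the Apache Struts project. It is a review aid:
every hit is a place where an attribute value is evaluated as OGNL and must be
confirmed never to carry untrusted input. The sample JSP is constructed.
"""
import re
from dataclasses import dataclass

# Constructed JSP fragment: the first tag forces OGNL evaluation on a request
# parameter, the second forces evaluation of a variable set from it, the third
# uses %{...} on a constant, and the last uses no forced evaluation at all.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:set var="skillName" value="%{#parameters.skillName[0]}" />
<s:a id="%{skillName}" href="/skills">Forced evaluation of a request parameter</s:a>
<s:textfield name="%{'fixed'}" />
<s:property value="skillName" />
"""

STRUTS_TAG = re.compile(r"<s:(\w+)\b([^>]*)>", re.S)   # opening <s:...> tags only
ATTRIBUTE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')       # name="value" pairs
FORCED = re.compile(r"%\{(.*?)\}")                      # %{expression}

# OGNL roots that read request data directly (assumed list for the heuristic).
REQUEST_SOURCES = ("#parameters", "#request", "#session", "#attr")


@dataclass
class Finding:
    line: int
    tag: str
    attribute: str
    expression: str
    untrusted_hint: bool  # True when the expression references request data directly


def scan_jsp(text: str) -> list[Finding]:
    """Return one Finding per %{...} expression found inside a Struts tag attribute."""
    findings = []
    for m in STRUTS_TAG.finditer(text):
        tag, attrs = m.group(1), m.group(2)
        line = text.count("\n", 0, m.start()) + 1
        for attr, value in ATTRIBUTE.findall(attrs):
            for expr in FORCED.findall(value):
                hint = any(src in expr for src in REQUEST_SOURCES)
                findings.append(Finding(line, tag, attr, expr, hint))
    return findings


if __name__ == "__main__":
    for f in scan_jsp(SAMPLE_JSP):
        flag = "REQUEST DATA" if f.untrusted_hint else "review"
        print(f"line {f.line}: <s:{f.tag} {f.attribute}=\"%{{{f.expression}}}\">  [{flag}]")
```

The second hit, id="%{skillName}", is the shape the advisory warns about: the expression itself looks harmless, and only following skillName back to the request shows that attacker-controlled text will be evaluated as OGNL. The scanner cannot make that judgement, which is why it reports every forced evaluation rather than only the ones naming a request source.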


CISA Mentions Nine Actively Exploited Bugs

The Cybersecurity and Infrastructure Security Agency (CISA) recently added nine security flaws to its Known Exploited Vulnerabilities (KEV) catalog. Among them are a Google Chrome zero-day and a VMware privilege escalation flaw (CVE-2022-22960) that attackers have combined with a remote code execution (RCE) bug in the same products.

Reportedly, the VMware vulnerability stems from improper permissions in support scripts and lets an attacker with local access escalate privileges to root on vulnerable servers. VMware fixed it on 6th April. The second critical flaw is a Chrome zero-day tracked as CVE-2022-1364, also listed in CISA's KEV catalog; it is a type confusion weakness in the V8 JavaScript engine and can lead to remote code execution.

CISA directs all Federal Civilian Executive Branch (FCEB) agencies to patch their systems promptly against these bugs. Agencies have until 6th May to apply the updates and reduce their exposure to the ongoing exploitation attempts. Also among the vulnerabilities in CISA's KEV catalog is a critical VMware remote code execution bug (CVE-2022-22954) that attackers have used to deploy cryptominer payloads.


Source Music Fined For Overlooking Questionnaire Privacy Settings

South Korea's Personal Information Protection Commission (PIPC) has fined Source Music 3 million won (around $2,438) over the privacy settings of a questionnaire it circulated in June 2021. After the disbandment of GFRIEND, Source Music distributed a Google questionnaire to refund fan club membership fees, but it accidentally left the response settings public and exposed the personal information of 22 fans in the process.

Although Source Music apologized for the unintentional breach and corrected the settings immediately, the PIPC still imposed the 3 million won fine for violating the Personal Information Protection Act.


Beware of Microsoft RPC Bug

Cybersecurity researchers have recently cautioned against a Remote Procedure Call Runtime (RPC) bug in Windows. The flaw, tracked as CVE-2022-26809 (CVSS score 9.8), was fixed in Microsoft's latest Patch Tuesday update. Although a patch is available, the bug remains a threat to unpatched Windows hosts that expose the Server Message Block (SMB) protocol, over which RPC traffic can be carried.

Reportedly, 1,304,288 hosts currently expose SMB to the internet, and 63% of those (824,011 hosts) run Windows; for 28% the operating system could not be identified. Most of the SMB-exposed systems are in the US (over 366,000), followed by Russia (144,622), Hong Kong (72,885), Germany (70,980) and France (56,659). Although Microsoft has revealed little about the vulnerability, merely sending a specially crafted RPC call to a vulnerable host is reportedly enough to trigger the bug in the RPC runtime library, the component through which applications use Windows' Remote Procedure Call functionality.

So far there is no evidence that this vulnerability is being exploited, but experts believe it is only a matter of time before such incidents surface. Users are therefore urged to patch their systems as soon as possible and, where patching must wait, to block TCP port 445 at the network perimeter so that RPC over SMB cannot be reached from the internet.


Vulnerability Detected in Yanluowang Ransomware’s Encryption Algorithm

Cybersecurity researchers recently found a weakness in the Yanluowang ransomware's encryption algorithm that allows victims to recover their files without paying. Soon after, they published a support document guiding Yanluowang victims through decrypting their files using a known-plaintext attack: an unencrypted copy of one file is compared with its encrypted version to recover the key material, which then unlocks the other files.

File size matters, though. Yanluowang encrypts files smaller than 3GB in their entirety, but files larger than 3GB only partially, in 5MB stripes after every 200MB. The known-plaintext pair the decryptor needs depends on which files are to be recovered: an original and encrypted copy of a file of at least 1024 bytes is enough to decrypt the files smaller than 3GB, but not the large ones, whereas a pair larger than 3GB unlocks both the large and the small files. Victims should use the free Rannoh decryption tool to decrypt Yanluowang-affected files.
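To make the known-plaintext attack concrete, the following is an added toy model, not Kaspersky's decryptor and not Yanluowang's actual cipher: a stream cipher whose keystream is the same for every file, so XORing one original file against its encrypted copy exposes the keystream, which then decrypts the rest. The threshold, gap and stripe constants are scaled down from the article's 3GB/200MB/5MB so the demo runs in memory, and the 1024-byte keystream period is an assumption chosen so that, as in the article, a pair of at least 1024 bytes suffices for whole-file-encrypted data. The toy does not reproduce the malware's separate requirement of a large pair for large files; what it does show is why the pair has a minimum size and why the decryptor must reproduce the striping layout exactly.

```python
"""Toy model of the flaw class behind the Yanluowang decryptor: a stream cipher
whose keystream is reused across every file, so one (plaintext, ciphertext) pair
leaks the keystream and decrypts the rest.

Added example, not Kaspersky's decryptor and not Yanluowang's real cipher. All
constants are assumptions, scaled down from the article's 3GB/200MB/5MB so the
demo runs in memory; the 1024-byte keystream period mirrors the article's
minimum pair size.
"""
import hashlib
import os

PERIOD = 1024          # toy keystream repeats every 1024 bytes (assumption)
THRESHOLD = 3 * 4096   # stands in for the 3GB cut-off (scaled down)
GAP = 4096             # stands in for "every 200MB"
STRIPE = 256           # stands in for the 5MB stripe


def keystream_block(key: bytes) -> bytes:
    """Derive the PERIOD-byte keystream block from the key (toy KDF, SHA-256 counter)."""
    out = b""
    counter = 0
    while len(out) < PERIOD:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:PERIOD]


def xor_range(buf: bytearray, start: int, end: int, ks: bytes) -> None:
    """XOR buf[start:end] with the keystream, indexed by absolute file offset."""
    for i in range(start, min(end, len(buf))):
        buf[i] ^= ks[i % PERIOD]


def stripe_ranges(size: int) -> list[tuple[int, int]]:
    """Regions a large file gets encrypted in: STRIPE bytes after every GAP bytes."""
    return [(off, off + STRIPE) for off in range(GAP, size, GAP)]


def encrypt(data: bytes, ks: bytes) -> bytes:
    """Whole-file encryption below THRESHOLD, stripes only at or above it."""
    buf = bytearray(data)
    if len(buf) < THRESHOLD:
        xor_range(buf, 0, len(buf), ks)
    else:
        for s, e in stripe_ranges(len(buf)):
            xor_range(buf, s, e, ks)
    return bytes(buf)


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """Known-plaintext attack: P xor C = keystream. Needs one whole period."""
    if len(plain) != len(cipher):
        raise ValueError("pair must be the original and encrypted copy of one file")
    if len(plain) < PERIOD:
        raise ValueError(f"pair too short: need at least {PERIOD} bytes")
    if len(plain) >= THRESHOLD:
        # A large file's first bytes were never encrypted, so P xor C is all zeros there.
        raise ValueError("large files are only striped; use a whole-file-encrypted pair")
    return bytes(p ^ c for p, c in zip(plain[:PERIOD], cipher[:PERIOD]))


def decrypt(cipher: bytes, ks: bytes) -> bytes:
    """XOR is its own inverse, and the layout decision depends only on size,
    so decryption is the same walk over the same stripes."""
    return encrypt(cipher, ks)


def demo() -> dict:
    """Victim-side recovery: one surviving original file unlocks the others."""
    key = os.urandom(32)                       # the attacker's key; never recovered
    ks = keystream_block(key)
    known_plain = b"Quarterly report: " * 100  # 1800 bytes, a file we still have a copy of
    small = os.urandom(3000)                   # constructed "other" small file
    large = os.urandom(THRESHOLD + 2 * GAP + 100)  # constructed large file
    enc_known, enc_small, enc_large = (encrypt(x, ks) for x in (known_plain, small, large))

    recovered = recover_keystream(known_plain, enc_known)
    return {
        "keystream_recovered": recovered == ks,
        "small_ok": decrypt(enc_small, recovered) == small,
        "large_ok": decrypt(enc_large, recovered) == large,
        "large_untouched_prefix": enc_large[:GAP] == large[:GAP],
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry over to the real case. The pair must cover the key material in full, which is where a minimum pair size comes from; and decrypt has to walk exactly the stripes the encryptor walked, because the bytes between stripes were never touched and XORing them would corrupt the file, so the decryptor needs the size threshold and stripe layout as much as it needs the keystream.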
