Cyber Security Today, April 1, 2024 – An alert about a critical Linux vulnerability, a warning about password-spray attacks on Cisco VPNs, and more

An alert about a critical Linux vulnerability, a warning about password-spray attacks on Cisco VPNs, and more.

Welcome to Cyber Security Today. It’s Monday, April 1st, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Linux administrators and developers must take fast action after the discovery of a backdoor that can compromise some Linux distributions. It’s in a malicious version of the XZ Utils compression utility. This library is known to be in some versions of Red Hat Fedora and Debian Unstable, and possibly in other Linux distributions. Developers, users and admins should make sure they are using a version of XZ Utils earlier than 5.6.0. Red Hat says use of Fedora Rawhide and Fedora Linux 40 should stop immediately unless the system is running an older version of the compression utility. Red Hat Enterprise Linux is affected. Developers and users should consult with distributors of other versions of Linux for guidance. This vulnerability is rated critical. Under the right circumstances a threat actor could exploit the vulnerability to gain remote access to a Linux system.

The U.S. Cybersecurity and Infrastructure Security Agency urges developers and users who have affected systems to move to a safe version of the operating system, then hunt for any malicious activity. Any positive findings should be reported to CISA.
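As an added example (not from the episode, Red Hat or the XZ project): a small Python check that parses the output of `xz --version` and reports which components are at or above 5.6.0, following the episode's advice to stay on an earlier release. The output format, the sample strings and the cutoff are assumptions; adjust the cutoff as vendor guidance changes.

```python
import re
import subprocess

# Episode guidance: stay on an XZ Utils release below 5.6.0 (assumed cutoff).
AFFECTED_FROM = (5, 6, 0)

# Assumed `xz --version` format, e.g. "xz (XZ Utils) 5.6.0" / "liblzma 5.6.0".
VERSION_RE = re.compile(r"^(xz \(XZ Utils\)|liblzma)\s+(\d+)\.(\d+)\.(\d+)", re.M)


def parse_xz_version_output(text):
    """Return {component: (major, minor, patch)} for the xz tool and liblzma."""
    return {m.group(1).split()[0]: tuple(int(x) for x in m.group(2, 3, 4))
            for m in VERSION_RE.finditer(text)}


def affected_components(versions):
    """Names of components whose version is at or above the affected cutoff.
    liblzma is checked separately because the backdoor lives in the library,
    which other programs can load even when the xz binary is older."""
    return sorted(name for name, ver in versions.items() if ver >= AFFECTED_FROM)


def check_local_xz():
    """Run `xz --version` on this host; returns (versions, affected names)."""
    try:
        out = subprocess.run(["xz", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return {}, []  # xz not installed or not runnable: nothing to report
    versions = parse_xz_version_output(out)
    return versions, affected_components(versions)


# Constructed sample outputs, not captured from a real host.
SAMPLE_BAD = "xz (XZ Utils) 5.6.0\nliblzma 5.6.0\n"
SAMPLE_OK = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_OK):
        found = parse_xz_version_output(sample)
        print(found, "affected:", affected_components(found))
    print("this host:", check_local_xz())
```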

Threat actors are using password-spraying tactics to infiltrate Cisco Systems’ Secure Firewall. The warning comes from Cisco, which notes that password-spraying is also being used to attack VPN concentrators used by large enterprises. One tip-off that your organization has been hit: users can’t log into the VPN. Another is a log that shows huge numbers of rejected authentication attempts. Cisco urges network admins to make sure their Secure Firewall software is running the latest version. Admins should also use certificates for authentication to Cisco Secure Firewall rather than passwords. More broadly, security admins should ensure their gateway devices are properly configured.
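As an added example (not from the episode or from Cisco): a small Python detector that runs over constructed VPN authentication log lines and flags the pattern described above, many rejected attempts spread across many accounts from one source. The log format, field names, window and threshold are assumptions; a single account failing repeatedly is deliberately not flagged, since that looks like a forgotten password or a plain brute force rather than a spray.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not real Cisco output).
# Assumed format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-04-01T08:00:01 FAIL user=alice src=203.0.113.7
2024-04-01T08:00:02 FAIL user=bob src=203.0.113.7
2024-04-01T08:00:03 FAIL user=carol src=203.0.113.7
2024-04-01T08:00:04 FAIL user=dave src=203.0.113.7
2024-04-01T08:00:05 FAIL user=erin src=203.0.113.7
2024-04-01T08:00:06 FAIL user=frank src=203.0.113.7
2024-04-01T08:05:00 OK   user=alice src=198.51.100.4
2024-04-01T08:06:00 FAIL user=grace src=198.51.100.9
2024-04-01T08:06:30 FAIL user=grace src=198.51.100.9
2024-04-01T08:07:00 OK   user=grace src=198.51.100.9
"""


def parse_line(line):
    """Split one log line into (timestamp, failed?, user, source ip)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result == "FAIL",
            user.removeprefix("user="), src.removeprefix("src="))


def find_password_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted usernames} for every source whose failed logins
    touched at least `min_users` distinct accounts inside any `window`."""
    failures = defaultdict(list)  # src ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, failed, user, src = parse_line(line)
        if failed:
            failures[src].append((ts, user))
    hits = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over events
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for src, users in find_password_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```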

JetBrains released a bunch of fixes for the on-prem version of its TeamCity continuous integration server. In total 26 security problems were fixed. By the way, starting with version 2024.03, TeamCity can auto-download lightweight security patches for crucial security issues.

Makers of keycard-controlled door locks used in hotels and offices should pay attention to research released last month. White-hat hackers discovered vulnerabilities in Saflok door locks made by Dormakaba, which open using RFID wireless technology. Actually, according to an article in Wired, they discovered the holes two years ago at a Black Hat Las Vegas conference. The manufacturer was notified in 2022 and has been working with hotels to fix or replace the vulnerable locks. On releasing their research last month, the team estimated only 36 per cent of installed locks around the world have been updated. By the way, part of their research involved getting hold of and reverse engineering the manufacturer’s front desk software. How did they do that? They asked around. Vendors assume no one copies their software, the researchers said. There’s a lesson in that.

AT&T is forcing over 7 million of its current customers to reset their four-digit passcodes. This comes after an investigation into the posting of stolen data two weeks ago on a dark website. The American telecommunications carrier said Saturday that information on just over 73 million customers — 65 million of them former subscribers — is involved in the data posting. It isn’t clear where the data was stolen from. AT&T says the information appears to be from 2019 or earlier. It includes names, email addresses, mailing addresses, phone numbers, Social Security numbers and dates of birth.

The Chattanooga Heart Institute has issued a fourth update on the number of people affected by a data breach just over a year ago. In a filing with Maine’s attorney general’s office it now says data on over 547,000 people was stolen. Initially it said data on over 170,000 people was copied. Data stolen included credit or debit card numbers along with the security codes, passwords or PIN numbers.

Prudential Insurance of America is notifying over 36,000 people that some of the personal data it holds was stolen in early February. Data copied included names, drivers’ licence numbers or identification card numbers.

Security experts urge IT departments to move to cloud application providers where possible for a number of reasons. One is that the provider can apply security updates faster than an on-prem IT team. However, that doesn’t solve all security problems. American university researchers recently discovered a new vulnerability if an organization uses a cloud email filtering service — such as Proofpoint or Barracuda — that scans incoming mail before passing it on to the firm’s cloud email system — for example, Gmail or Exchange Online. If the email system hasn’t been configured to only accept messages from the email filtering provider, then malicious email could get through to employees. A clever threat actor could identify the company’s email hosting server from its domain and send malicious mail directly to it. In other words, the attacker bypasses the email filtering provider. The researchers believe 80 per cent of email filtering systems can be bypassed. The lesson to IT departments: make sure your email systems are properly configured.
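As an added example (not from the episode or the researchers): a Python check that runs over constructed inbound SMTP connection records and lists the ones that reached the mail host without coming from the filtering provider's published address ranges. A correctly configured mail system would refuse those connections; running the same test over real connection logs shows whether that restriction is actually in place. The provider ranges and sample connections are assumptions built from documentation addresses.

```python
import ipaddress

# Assumed: the address ranges the email filtering provider delivers from
# (constructed from documentation ranges; use the provider's real list).
FILTER_PROVIDER_NETS = [ipaddress.ip_network(n)
                        for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed sample of inbound SMTP connections: (client IP, envelope sender).
SAMPLE_CONNECTIONS = [
    ("198.51.100.23", "partner@example.net"),  # relayed through the filter
    ("203.0.113.200", "invoice@example.org"),  # outside the filter's /25
    ("192.0.2.44", "ceo@example.com"),         # direct delivery to the mail host
    ("203.0.113.9", "news@example.net"),       # relayed through the filter
]


def from_filter_provider(ip_str, nets=FILTER_PROVIDER_NETS):
    """True when the connecting client sits inside the provider's ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in nets)


def bypass_attempts(connections, nets=FILTER_PROVIDER_NETS):
    """Connections that skipped the filtering layer. With the mail system
    locked to the provider's ranges these are rejected at connect time;
    seeing any of them accepted in logs means the lock-down is missing."""
    return [(ip, sender) for ip, sender in connections
            if not from_filter_provider(ip, nets)]


if __name__ == "__main__":
    for ip, sender in bypass_attempts(SAMPLE_CONNECTIONS):
        print(f"direct delivery bypassing the filter: {ip} ({sender})")
```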

Follow Cyber Security Today on all major podcast distributors including Apple and Spotify.

If you want a daily dose of general IT news, we also offer Hashtag Trending every morning. Subscribe wherever you get your podcasts.