Cyber Security Today, April 12, 2024 – A warning to Sisense customers, a new tactic for spreading the Raspberry Robin worm, and more

A warning to Sisense customers, a new tactic for spreading the Raspberry Robin worm, and more.

Welcome to Cyber Security Today. It’s Friday April 12th, 2024. I’m Howard Solomon.

Organizations that use products from business analytics provider Sisense [SI-SENSE] are being told to reset user login credentials and digital keys. The warning comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) after independent researchers discovered a compromise at Sisense. IT leaders are also urged to report suspicious access to their Sisense platform to CISA. Sean Deuby, principal technologist at Semperis, said the fact that CISA had to issue a warning is ominous because Sisense has a number of large customers. Among them are Verizon and Philips Healthcare.

Crooks have found a new way to spread the Raspberry Robin worm for Windows systems. According to threat researchers at HP, the malware is now being delivered through Windows Script Files, which have the .wsf extension. The scripts use a range of techniques to evade detection. Until now Raspberry Robin has usually spread through removable media such as USB drives, or through RAR and 7-Zip archives hosted on Discord. The malware acts as an initial foothold into systems, allowing the download of other nasty attack tools. It isn’t clear how crooks are spreading the bad .wsf files. Probably it’s through phishing messages. Regardless, IT administrators should watch for unusual or unexpected .wsf files, and for the wscript.exe or cscript.exe script hosts running them, especially from download or temp folders.

Threat actors are manipulating GitHub’s search function to distribute malware. That’s according to researchers at Checkmarx. Here’s the scam: Attackers create repositories with popular names and topics on GitHub. These hold malicious code in Visual Studio project files, which means the code runs as soon as the project is built, not when someone reads the source. Using tactics like automated updates and fake stars, they boost search rankings to attract unwitting victims to download the infected files. I regularly warn developers to be cautious when downloading files from public repositories. This is another example of why. Be suspicious of repositories with high commit frequencies in recently created accounts, and inspect project files for build-time commands before opening an unfamiliar solution.

The cyber attack that hit Japanese optics manufacturer Hoya Corp. last week was ransomware. That’s according to several news outlets. The French website LeMagIT quotes JBpress as saying the Hunters International gang is responsible and is demanding US$10 million after stealing 2 TB of data.

The most common technique threat actors use is running a malicious script through a command or scripting interpreter. That’s according to researchers at D3 Security. They recently mapped incident data to the MITRE ATT&CK framework and found that just over 50 per cent of attacks used a command and scripting interpreter (ATT&CK technique T1059) to execute a malicious payload on victims’ systems. The second most common technique was email phishing for initial access. That was used in just over 15 per cent of attacks. One lesson: watch for unusual and unexpected scripts on your network.
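One way to act on the advice in the Raspberry Robin item and in the D3 Security finding above, as an added example that is not code from the podcast, HP or D3 Security: a small Python triage script that reads process-creation records and flags script-host launches (wscript.exe, cscript.exe, powershell.exe, mshta.exe) that run .wsf files, run scripts from user-writable folders, carry an encoded PowerShell command, or were spawned by an Office application. The log lines and the tab-separated field layout (timestamp, user, parent image, image, command line) are constructed for illustration; adapting it to real Sysmon Event ID 1 or EDR exports means changing only the field mapping in parse_line.

```python
"""Flag suspicious script-interpreter launches in process-creation logs.

Added example for this roundup; it is not code from HP, D3 Security or the
podcast. The log records below are constructed for illustration, and the
tab-separated layout (timestamp, user, parent image, image, command line)
is an assumed export format, not a real Sysmon or EDR schema.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows script hosts covered by ATT&CK T1059 (Command and Scripting Interpreter).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_EXTS = (".wsf", ".vbs", ".js", ".ps1", ".hta")
# Paths where phishing attachments and browser downloads usually land.
USER_WRITABLE = re.compile(r"\\(downloads|appdata\\local\\temp|temp|users\\public)\\", re.I)
# PowerShell -enc / -EncodedCommand switch: base64 payload handed to the interpreter.
ENCODED_PS = re.compile(r"\s-enc(odedcommand)?\b", re.I)
# Parents that mean a document or mail client, not an admin, started the interpreter.
DOC_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class Finding:
    ts: str
    user: str
    image: str
    cmdline: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> dict:
    """Split one constructed tab-separated process-creation record."""
    ts, user, parent, image, cmdline = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


def assess(rec: dict) -> Optional[Finding]:
    """Return a Finding when a script-host launch looks unexpected, else None."""
    if _basename(rec["image"]) not in SCRIPT_HOSTS:
        return None
    low = rec["cmdline"].lower()
    reasons = []
    script_ext = next((e for e in SCRIPT_EXTS if e in low), None)
    if script_ext == ".wsf":
        reasons.append("wsf script executed")            # the new Raspberry Robin lure
    if script_ext and USER_WRITABLE.search(rec["cmdline"]):
        reasons.append("script launched from user-writable path")
    if ENCODED_PS.search(rec["cmdline"]):
        reasons.append("encoded PowerShell command")
    if _basename(rec["parent"]) in DOC_PARENTS:
        reasons.append("spawned by a document or mail client")
    if not reasons:
        return None                                       # e.g. a scheduled admin script
    return Finding(rec["ts"], rec["user"], rec["image"], rec["cmdline"], reasons)


def scan(lines) -> List[Finding]:
    """Run assess() over every non-blank record and keep the hits."""
    return [f for f in (assess(parse_line(l)) for l in lines if l.strip()) if f]


# Constructed sample: a .wsf lure run from Downloads, a benign scheduled admin
# script, an Office-spawned encoded PowerShell, and a non-script process.
SAMPLE_LOG = """\
2024-04-12T09:01:03Z\tCORP\\jdoe\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\wscript.exe\t"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\jdoe\\Downloads\\invoice_0412.wsf"
2024-04-12T09:05:44Z\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\System32\\services.exe\tC:\\Windows\\System32\\cscript.exe\t"C:\\Windows\\System32\\cscript.exe" //nologo C:\\ProgramData\\Inventory\\collect.vbs
2024-04-12T09:07:10Z\tCORP\\asmith\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -nop -w hidden -enc SQBFAFgA
2024-04-12T09:10:00Z\tCORP\\jdoe\tC:\\Windows\\explorer.exe\tC:\\Windows\\notepad.exe\tnotepad.exe C:\\Users\\jdoe\\Downloads\\notes.txt
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f.ts, f.user, _basename(f.image), "; ".join(f.reasons))
```

Run stand-alone it prints the two flagged records. The cscript.exe run launched by services.exe from ProgramData is not reported, which is the point of scoring on context (what was run, from where, by what parent) rather than on the interpreter alone, since legitimate administration uses the same script hosts all day.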

Finally, it can be hard for outsiders to measure a country’s cybersecurity maturity. But consider these numbers from a survey by Cradlepoint of over 500 technology decision-makers at Canadian organizations: Only 45 per cent of respondents said their organization was using or familiar with multifactor authentication. Other endpoint or network security solutions with less than 50 per cent usage or familiarity include Secure Access Service Edge (also called SASE), web browser isolation, mobile device management, zero trust network access and edge security.

That’s it for now. But later today the Week in Review podcast will be out. Guest commentator David Shipley and I will discuss another cybersecurity issue at Microsoft, how IT help desks should be prepared for scammers, and more.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.