Misconfigured Firebase instances are leaking passwords, a China-related threat actor is hacking governments and more.

Welcome to Cyber Security Today. It’s Wednesday, March 20th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Misconfigured web services on 900 sites that use Google’s Firebase web application development platform are leaking valuable data, including plaintext passwords. That’s according to three anonymous programmers. All I can tell you is one of them says they live in New Zealand. In a posting the trio said their work follows up on the discovery in January that an artificial intelligence hiring system used by many large companies, called Chattr.ai, had a Firebase vulnerability. Scanning the internet for misconfigured Firebase installations, they found 900 vulnerable websites that allowed them to download 84 million usernames, 106 million email addresses, 20 million passwords — some of which were in plaintext — and more. Vulnerable firms include a learning management website for teachers and students, which exposed records of 27 million users. The researchers sent warning emails to the 900 websites. Of those, only 24 per cent had fixed the misconfiguration by the time their blog was published.
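To show what such a misconfiguration looks like from the defender's side, here is an added Python example (not the researchers' tooling or any listed site's configuration) that audits a Firebase Realtime Database rules document for paths granted to everyone. The two rule sets are constructed, and the `users/$uid` layout is an assumption.

```python
"""Audit a Firebase Realtime Database rules document for paths anyone on the
internet can read or write. Added illustration with constructed rules only."""
import json

# Constructed weak rule set: the root grants public read/write, so the stricter
# rule under users/$uid is irrelevant (Realtime DB rules cascade downward).
WEAK_RULES = json.loads('''{
  "rules": {
    ".read": true,
    ".write": "true",
    "users": { "$uid": { ".read": "auth != null && auth.uid == $uid" } }
  }
}''')

# Constructed hardened rule set: each user may touch only their own record;
# nothing else in the tree is reachable without authentication.
HARDENED_RULES = json.loads('''{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}''')


def is_unconditional(expr):
    """A rule of boolean true or the string "true" grants access to everyone."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def find_public_paths(rules_doc):
    """Return sorted (path, permission) pairs set to unconditional access.
    Only the node carrying the rule is reported: every descendant inherits it,
    and a stricter child rule cannot take the access back."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for perm in (".read", ".write"):
            if perm in node and is_unconditional(node[perm]):
                findings.append((path or "/", perm))
        for key, child in node.items():
            if not key.startswith("."):  # skip .read/.write/.validate/.indexOn
                walk(child, f"{path}/{key}")
    walk(rules_doc.get("rules", {}), "")
    return sorted(findings)
```

Running `find_public_paths` over an exported rules file flags the root-level exposure in the weak set and reports nothing for the hardened one.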

A China-related threat actor is using unpatched vulnerabilities in OpenFire collaboration servers and Oracle Web Applications Desktop Integrator to attack government departments and companies around the world. That’s according to researchers at Trend Micro. This group, which the researchers call Earth Lusca, has been installing previously unseen backdoors through spear phishing emails in a new campaign. Once a government IT infrastructure is compromised, the attacker uses its position to host malicious payloads and send phishing emails to other government-related targets, taking advantage of the trust message recipients give to a government sender. The backdoors that get installed help the attackers steal credentials and data. The gang also tries to brute-force Exchange servers using a list of common passwords. Trend Micro believes this latest campaign by the gang has hit 70 victim organizations in 23 countries, including the U.K., Mexico, India and Brazil. Among the recommended defences: IT departments need to make sure software is updated with the latest security patches.

Researchers at Palo Alto Networks and Ukraine’s Cyber Protection Centre have released an analysis of the most recent use of a piece of backdoor malware. It’s known by security researchers as Smoke Loader, Dofoil or Sharik. The reason for releasing the report is the discovery that this backdoor is being increasingly used by threat actors against government departments and financial institutions in Ukraine. However, Smoke Loader has been used since 2011 to break into Windows systems around the world. Threat actors often try to slip it into IT systems through infected emails, so security leaders need to — again — remind employees to be cautious when opening email attachments or clicking on links from unknown senders. They also need to be reminded to only download material from approved websites.

Does your firm have an operational technology network? We’re talking about networked industrial control systems and supervisory control and data acquisition (SCADA) systems that run factories, pipeline sensors and municipal traffic lights. If so, a just-released report on OT cyber security by the U.K. National Cyber Security Centre may be worth reading. Among other things it has advice on making a risk-based decision to migrate a SCADA system to the cloud. You can do a full migration, a hybrid move or use the cloud just for standby or recovery. But what’s vital is making an informed decision. Here’s a link to the report.

Management frustration at a breach of security controls is only going to make it harder for an IT department to recover fast from an attack. That’s the advice Gartner analysts gave an audience this week at the advisory firm’s Security and Risk Management Summit in Australia. According to The Register, the speakers argued management has to remember that no amount of effort can stop security compromises. The measure of an IT and security team’s effectiveness is how fast it responds to an incident, the speakers argued. And teams do that by having recovery plans. Does your organization have plans for recovering from different types of cyber attacks?

Finally, Fortra is publicly acknowledging that a critical vulnerability in its FileCatalyst file transfer software was reported and patched last August. The disclosure is being made now because the vulnerability has been given a number under the Common Vulnerability and Exposures system. This is just the latest in a series of vulnerabilities found in file transfer utilities such as MOVEit, Accellion, and Fortra’s GoAnywhere MFT.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

If you also want to start your day with a podcast on broader technology news IT World Canada has a daily news roundup called Hashtag Trending.

The post Cyber Security Today, March 20, 2024 – Misconfigured Firebase instances are leaking passwords, a China-related threat actor is hacking governments and more first appeared on IT World Canada.