PyPI repository shuts to stop malicious uploads, a plea to developers to stop creating apps with SQL vulnerabilities, and more.

Welcome to Cyber Security Today. It’s Friday, March 29th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.



I’ve reported before that threat actors are increasingly uploading malicious code into open-source repositories like GitHub and NPM. Well, things got so bad yesterday that the Python Package Index, known as PyPI, had to temporarily suspend new project creation and new user registration. According to researchers at Checkmarx, the administrators likely had to do this because someone automated the uploading of malware-filled Python code. A favourite tactic is to give the bad code a name similar to that of a legitimate package that developers regularly look for. If a developer unknowingly plants malicious code in their application it can be exploited by the threat actor to steal data from software users or the developer. As I’ve said before, anyone downloading code from an open-source library has to take precautions. Make sure you’re not downloading something that’s infected.

The U.S. is offering a reward of up to US$10 million for information about anyone connected to the AlphV/BlackCat ransomware gang. This comes after the gang claimed responsibility for the February attack on American medical billing services provider Change Healthcare. According to some news reports the company paid US$22 million to the gang to get access back to scrambled data. Since then there have been reports the gang is dissolving.

A new Linux version of the XDealer remote access trojan has been discovered. It’s also called DinodasRAT by some researchers. Kaspersky says the new variant of this backdoor largely targets servers running Red Hat and Ubuntu Linux. There’s no detail in the report about how servers are infected. So far compromised servers have been seen in China, Taiwan, Turkey and Uzbekistan.

U.S. cyber authorities are begging application developers to stop creating software with SQL injection vulnerabilities. Ways of preventing them have been around for 20 years. But software companies are still releasing products open to SQL compromise. Example number one: Progress Software’s MOVEit file transfer application, which the Cl0p ransomware gang leveraged last year to steal personal data on 94 million people from over 2,700 organizations around the world. Here’s a link to the advice on safely creating applications.

Companies operating in critical infrastructure sectors in the U.S. have just under two months to comment on proposed regulations for cyber incident and ransom payment reporting to the Cybersecurity and Infrastructure Security Agency. Briefly, the proposed rules say some 316,000 organizations would have to report certain incidents within 72 hours after discovery, and within 24 hours of paying a ransom. Hospitals with under 100 beds would be exempt.

Also this week the Agency warned that threat actors are actively exploiting a code injection vulnerability in Microsoft SharePoint Server. This vulnerability was revealed 12 months ago. There’s no reason why IT departments haven’t installed a patch by now.

The Vulture malware that steals bank login information from Android devices has added new features. Researchers at NCC Group/Fox-IT say that among other things the malware can now disable Keyguard to bypass lock screen security on infected devices. Often victims are suckered into downloading the malware by falling for a text message that asks them to call a number if they didn’t authorize a large financial transaction or purchase.

Finally, a number of companies issued security patches for their products this week:

Splunk issued upgrades for Splunk Enterprise, Cloud Platform and Universal Forwarder. Cisco Systems patched the IOS and IOS XE software for multiple vulnerabilities, as well as its Access Point software. Nvidia released a software update for its ChatRTX artificial intelligence chatbot for Windows to close two holes. And the Cybersecurity and Infrastructure Security Agency released four advisories for industrial control systems. Three are for products from Rockwell Automation involving its PowerFlex 527, Arena Simulation and FactoryTalk ViewME products. The other is for Automation-Direct’s C-MORE display system.

Later today the Week in Review podcast will be available. Guest David Shipley of Beauceron Security will discuss his company’s latest State of Security Awareness report, what World Backup Day should mean to IT pros, a call for the U.S. healthcare sector to meet mandatory minimum cybersecurity standards, and more.

Follow Cyber Security Today on Apple Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, March 29, 2024 – PyPI repository shuts to stop malicious uploads, a plea to developers to stop creating apps with SQL vulnerabilities, and more first appeared on IT World Canada.