Cyber Security Week in Review (March 28)

Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world.

Top headlines this week

  • ASUS released an emergency fix after its own update channel was used to push malware to customers’ machines. Attackers implanted a backdoor, known as “ShadowHammer,” and disguised it as a legitimate ASUS update. ASUS released a new version of its Live Update software that promises “multiple security verification mechanisms” to reduce the chance of future attacks, and says it has started using an “enhanced end-to-end encryption mechanism.”
  • Facebook stored hundreds of millions of users’ passwords in plaintext for years. The company says it has found no evidence that employees with access to the data abused the privilege. Reportedly, between 200 million and 600 million users were affected, and the passwords were searchable by more than 20,000 Facebook employees.
  • Attackers are increasingly collaborating to spread banking trojans. A new report notes a recent uptick in the distribution of certain trojans, including IcedID, with evidence that their operators are working with longstanding dropper crews. Snort rules 49544 - 49547, 49549 and 49550 protect users from the IcedID trojan.
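The Facebook item is a reminder of what “stored in plaintext” means in practice: any system that writes the raw credential to a store or a log makes it readable by everyone with access to that store. The following is an added example written for this review, not Facebook’s code or the code of any product mentioned above. It puts the weak pattern beside the hardened one: a salted, memory-hard scrypt record with a constant-time check, plus a redaction filter for log lines. The function names, record format, scrypt parameters and the sample log lines are all illustrative assumptions.

```python
"""Plaintext password storage (the weak pattern) beside a hardened form.
Added example; names, parameters and sample data are illustrative, not
taken from any product or incident described above."""
import hashlib
import hmac
import os
import re


# --- the weak pattern: the credential lands in the store exactly as typed ------
def store_plaintext(username, password, store):
    """Anti-pattern: anyone who can read `store` can read every password."""
    store[username] = password
    return store[username]


# --- hardened form: per-user salt, memory-hard KDF, constant-time compare ------
# Assumed parameters; 2**14/8/1 needs ~16 MiB per hash and is a common baseline.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def hash_password(password, salt=None):
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$dk_hex'.
    A fresh random 16-byte salt is drawn unless one is supplied (tests only)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute under the parameters carried in the record and compare in
    constant time. Malformed or tampered records verify as False, never raise."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(dk, expected)


# --- keep credentials out of logs: a key=value or JSON-style password field is
#     replaced before the line is written anywhere searchable. --------------------
_CRED_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|pass)\b"   # credential key (assumed names)
    r"(['\"]?\s*[=:]\s*)"                   # optional closing quote, separator
    r"(\"[^\"]*\"|'[^']*'|[^\s,;&]+)"       # quoted or bare value
)


def redact_credentials(line):
    """Return `line` with the value of any credential field replaced."""
    return _CRED_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


def scrub_log(lines):
    """Redact a whole batch of log lines."""
    return [redact_credentials(line) for line in lines]


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    "2019-03-21T10:02:11Z POST /login user=alice password=hunter2 status=200",
    '2019-03-21T10:02:12Z debug form={"user": "bob", "pwd": "tr0ub4dor&3"}',
    "2019-03-21T10:02:13Z GET /home user=alice status=200",
]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong", record))                          # False
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

The record carries its own parameters so the cost can be raised later without invalidating existing hashes, and `hmac.compare_digest` avoids leaking how many bytes matched. The redaction regex is deliberately broad; in a real pipeline it would run in the logging handler so that nothing downstream ever sees the raw value.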

From Talos

  • GOG Galaxy Games contains multiple vulnerabilities that could allow a malicious actor to carry out a variety of attacks. Talos tested and confirmed that GOG Galaxy, version is affected by these vulnerabilities. Snort rules 48433 and 48434 protect users from exploitation of these vulnerabilities.
  • Cisco Talos is adding a new content category to Talos Intelligence. Starting on April 3, supported Cisco platforms using Talos Intelligence will receive a new "Not Actionable" category. This category applies to sites that Cisco Talos has analyzed, but due to the nature of the site, a more specific category cannot be applied.

The rest of the news

  • Patches were released for major vulnerabilities in two third-party WordPress plugins that were being exploited in the wild. If exploited, the bugs could allow attackers to run their own code on top of the content management system. Users of the Social Warfare plugin can use Snort rules 49527 and 49528 to stay protected.
  • The U.S. Federal Emergency Management Agency mistakenly exposed the personally identifiable information (PII) of disaster survivors. The agency says it has no indication that the information was used maliciously. The agency said that at one time it shared more information with a third-party contractor than was necessary, including survivors’ PII.
  • Norwegian aluminum producer Norsk Hydro lost an estimated $40 million in the week after it was struck by a ransomware attack. The company says its Building Systems unit is still almost completely shut down, and its Extruded Solutions unit was, at one point, running at 50 percent of its normal capacity.
  • Cisco released patches for 27 vulnerabilities in IOS XE. The company also warned that two small-office routers, the RV320 and RV325, remain open to attack; as of Thursday morning, no patches were available for those two devices. Snort users should use rules 49606 - 49612 and 49588 - 49591 to protect themselves from these bugs.
  • iOS 12.2 included fixes for more than 50 vulnerabilities in Apple products. The affected components included high-profile apps such as Contacts, FaceTime, Mail and Messages. There was also a WebKit vulnerability that could have allowed a site visited in Safari to access the user’s microphone without any notification.