Cyber Security Today, March 10, 2023 – A SonicWall device hacked, a ransom attack on a Canadian engineering firm and a swift email attack

by Arthur · March 10, 2023

A SonicWall device hacked, a ransomware attack on a Canadian engineering firm and a quick email attack.

Welcome to Cyber Security today. It is Friday the 10th. March 2023. I’m Howard Solomon, contributing cybersecurity reporter for ITWorldCanada.com and TechNewsday.com in the US

Security experts regularly hunt IT departments to patch software and hardware as soon as possible. Here’s another example of why: Researchers at Mandiant recently discovered a compromised and unpatched SonicWall mobile access device at an unnamed organization. This device allows employees to log into the organization’s IT network in a secure way. It’s not clear how the device was hacked, but it was likely broken into two years ago. And despite several firmware updates, the attacker was able to maintain his grip on the device. The goal was to steal hashed credentials from all users. A China-based threat actor is suspected of being behind this compromise.

A Canadian engineering firm with defense and other critical infrastructure contracts have been hit by ransomware. According to the Canadian Press, corporate customers of Black & McDonald have confirmed being told about the attack. And cyber news site The Register says the Canadian Defense Department also says it was informed. The register quotes a spokesperson for the defense department as saying that so far there is no evidence of any effects on the IT systems.

Some threat actors take their time mapping of a compromised IT system. Others strike quickly. This week Microsoft gave an example, details of an email compromise attack in January. The goal of this type of attack is to send a convincing email to an employee that appears to be from a manager asking to transfer money to an account controlled by the hacker. This particular attack began in December when the threat actor stole a cookie from a target company to bypass multi-factor authentication. In January, the threat actor logged into an email account of the target organization, then spent two hours in the victim’s email looking for a thread to hijack between the employee and another company. When one was found, the attacker over the next seven minutes registered two similar web domains to trick the employee, then emailed employees with new instructions for transferring funds. After that, the attacker deleted the email message from the victim’s Sent Items folder to destroy the evidence. Fortunately in this case the attack was detected. One lesson learned is that staff must be trained to be suspicious of messages requesting changes to expected money transfer routines. Another lesson is the need to better protect email and authentication systems from being hacked.

The American telecommunications company AT&T warns 9 million mobile phone customers that some of their account information was stolen. According to DataBreaches.net, a hacker entered the IT system of an AT&T partner and gained access to the Customer Proprietary Network Information database. It shows the services customers have with AT&T. The telco says no sensitive personal or financial information was accessed.

Note Linux administrators: The IceFire ransomware strain now works on Linux systems. According to researchers at SentinelLabs, an IceFire victim is usually first hit by clicking on an email attachment. In one case, however, the target organization’s Linux system was hit through its out-of-date IBM Aspera Faspex file transfer software.

Finally, Google Chrome users should note that there is a new version out. Version 111 includes 40 security fixes.

That was it for now. But later today the Week in Review podcast will be available. Guest Terry Cutler from Cyology Labs will join me to discuss a new and malicious Windows boot kit, law firms under attack, cybersecurity help for Canadian nonprofits, and hacking a LastPass developer’s home computer.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to the Flash Briefing on your smart speaker.