The Simply Cyber Report: October 31, 2022
The top cyber news stories you need to know about right now.
Microsoft Security Threat Intelligence is reporting on the Raspberry Robin worm, which has infected at least 3000 systems across 1000 organizations at the time of this report.
First reported by Red Canary in September, Raspberry Robin is spread via USB drive (yes, this is still a viable attack vector, and very similar to how Stuxnet initially kicked off). It has very similar technical behavior to the FakeUpdates malvertising campaigns.
Raspberry Robin compromises the endpoint and begins to build a collection of machines to which the threat actors can grant access to whomever they choose, whenever they choose.
The cyber criminal community is leveraging this offering as an access-as-a-service model to deploy info stealers, ransomware, and persistence mechanisms to name a few.
Practitioners should protect against this malware through fundamental practices: end user education around USB drives, verifying that AutoRun for USB drives is disabled (both on the endpoint and in group policy), and visiting the Microsoft Security Threat Intelligence site for technical indicators of compromise.
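As an added example (not part of the report), this PowerShell audit reads the registry values that the "Turn off AutoPlay" and "Set the default behavior for AutoRun" group policies control, so the check above can be verified on an endpoint; it assumes the standard Policies\Explorer key locations and nothing about your environment.

```powershell
# Added example, not from the report: audit the AutoRun settings the article
# says to verify. NoDriveTypeAutoRun is a bitmask of drive types for which
# AutoRun is disabled; bit 0x04 (DRIVE_REMOVABLE) covers USB sticks and 0xFF
# disables AutoRun for every drive type. NoAutorun = 1 is what the
# "Set the default behavior for AutoRun" policy writes. HKLM holds the
# machine policy (GPO); HKCU holds the user policy or the per-user default.

$RemovableBit = 0x04
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunAudit {
    foreach ($key in $Keys) {
        $props     = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $mask      = $props.NoDriveTypeAutoRun   # $null when the value is absent
        $noAutorun = $props.NoAutorun

        $maskText = '(not set)'
        if ($null -ne $mask) { $maskText = '0x{0:X2}' -f $mask }
        $noAutorunText = '(not set)'
        if ($null -ne $noAutorun) { $noAutorunText = $noAutorun }

        [pscustomobject]@{
            Key                = $key
            NoDriveTypeAutoRun = $maskText
            RemovableDisabled  = ($null -ne $mask) -and (($mask -band $RemovableBit) -ne 0)
            AllDisabled        = ($null -ne $mask) -and (($mask -band 0xFF) -eq 0xFF)
            NoAutorun          = $noAutorunText
        }
    }
}

$audit = Get-AutoRunAudit
$audit | Format-Table -AutoSize

# The machine policy key is what group policy enforces; warn if removable
# drives are still allowed to AutoRun there.
$machine = $audit | Where-Object Key -like 'HKLM:*'
if (-not $machine.RemovableDisabled) {
    Write-Warning "Machine policy does not disable AutoRun for removable drives; apply 'Turn off AutoPlay' (sets NoDriveTypeAutoRun to 0xFF)."
}
```

Run it from an elevated prompt if you also want to confirm the machine key is readable under your endpoint's permissions; a missing value on the HKLM key means no GPO is enforcing the setting, regardless of what the user default reads.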
All you Chrome users out there, prioritize patching your instance and ensuring your end users are patched too.
Google has announced an emergency patch for a type confusion vulnerability in its popular web browser Chrome, identified as CVE-2022-3723.
Google is not disclosing much information on this vulnerability, but there is moderate confidence that it is being actively exploited in the wild and can lead to arbitrary code execution on a compromised system.
Important to note: this affects all versions of Chrome, so Windows users, Mac users, Linux users, and Android users can finally agree on something.
I'd recommend centrally forcing an update if possible in your environment and/or notifying end users to take a minute, update, and share it with their friends and family to help protect them as well.
Moving on to terrible passwords still happening in 2022, FastCompany has reported a data breach and some reputation damage after a hacker named Thrax was able to log in to several of the company's WordPress instances with the password pizza123 (which I looked up and confirmed is in the well-worn "rockyou" password dictionary).
The hacker accessed the systems, and collected multiple API keys and authentication tokens. Not to be basic, Thrax sent 2 obscene and offensive push notifications to the mobile device home screens of FastCompany customers.
Apple News suspended FastCompany until it got sorted out and FastCompany issued a public apology, but the real TL;DR here is to educate both end users and IT staff (including application owners like WordPress admins) on the risk of using terrible passwords and how to easily leverage password vaults for better password practices.
And finally, statistical evidence has been published revealing that phishing attacks are not just still a threat, but are increasing in frequency and effectiveness.
Phishing has always been a popular initial attack vector for all levels of cyber threat actors, with a variety of objectives. As technical defenses have improved over the years, threat actors have relied on the tried and true practice of social engineering end users into giving up their credentials or pulling down malware.
SlashNext has released findings showing that phishing emails have increased 61% year to date from 2021, and that 75% of phishing emails are focused on credential harvesting.
I myself have what I think are pretty good email security practices and still received a "Free Yeti Backpack" phish email just yesterday.
End users are the clear target here. Consistency, vigilance, and non-technical language are the keys to blunting the success of phishing attacks on you, your loved ones, and your organization.