Top news stories this week
- Cisco zero-day. Over 40,000 devices affected by critical vulnerability.
- Ragnar locked, TriGone. Law enforcement and hacktivists take down two ransomware gangs.
- Two-faced. Thousands of North Korean IT workers use false identities to work for US companies.
- Stop the clock. Casio blames data breach impacting 120,000 customers on internal error.
- Open sesame. Customer access tokens exposed in Okta breach.
- Back to basics. Kansas court returns to paper filings following ransomware attack.
1. 40,000 Cisco devices affected by critical vulnerability exploited by hackers
Over 40,000 Cisco devices using IOS XE software have been compromised due to a maximum severity vulnerability affecting the software’s web UI. Malicious actors have actively exploited this flaw in the wild. While no immediate patch or workaround exists, Cisco has pledged to provide more information upon completion of its investigation.
If your organisation uses Cisco appliances that are publicly accessible from the internet, it is advised to take them offline to reduce the likelihood of exploitation prior to a patch being released.
2. Ragnar Locker and Trigona ransomware gangs taken offline
The FBI, Europol, and multiple European police agencies have successfully taken down the ransomware group Ragnar Locker, arresting key suspects in a coordinated international effort.
Separately, the Ukrainian Cyber Alliance (UCA) hacktivist group has hacked the infrastructure of the Trigona ransomware gang through a Confluence zero-day vulnerability. UCA has taken control of Trigona’s leak site and is claiming to have exfiltrated the gang’s data.
The takedown of ransomware gang infrastructure causes major disruption to threat actor activities and is likely to halt their operations for a time. However, ransomware gangs have proven persistent and will likely recover and re-establish themselves.
3. US companies employ thousands of North Korean remote IT workers
The FBI has revealed that US companies have unknowingly employed thousands of North Korean remote IT workers who used false identities to secure their employment. In addition to generating funds for North Korea’s weapons programmes, some workers also infiltrated their company’s network, stole data, and maintained access for future malicious activity.
Properly vetting new employees and carefully managing user privileges is crucial to safeguarding the security of your organisation and mitigating the risk of insider threats.
4. Casio data breach exposes customer records from 149 countries
Electronics manufacturer Casio has confirmed that an unidentified third party accessed a database containing customer information. Network security settings were disabled in the development environment hosting the data, which Casio attributed to an operational error and insufficient management.
Organisations should implement a comprehensive cyber security change management process that documents change requests, approvals, and post-change reviews.
5. Hackers access customer data in Okta breach
Identity and access management provider Okta has disclosed that hackers used stolen credentials to breach its support case management system. The threat actors were able to view files that customers had uploaded as part of the support process. Those uploads contained sensitive cookie and session token data which, if still active, could be used to gain unauthorised access to customer accounts.
It is important for organisations to manage the sharing of cookie and session tokens, and to revoke tokens when no longer required to limit access.
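The Okta item above turns on session material sitting in files shared with a support team. As an added example that is not from this newsletter or from Okta, here is a Python scrubber that masks cookies, auth headers and token-like query parameters in an HTTP capture before it is uploaded; the HAR-style layout, the header names and the parameter names are assumptions.

```python
import json
import re

# Header names whose values carry credentials or session material (assumed set).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-auth-token"}
# Query parameters that commonly carry tokens (assumed names, not from the page).
SENSITIVE_PARAMS = re.compile(r"(?i)\b(session|token|sid|access_token)=([^&\s]+)")
REDACTED = "[REDACTED]"

# Constructed sample capture in HAR-like form; not a real support upload.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {
        "url": "https://example.test/api/me?access_token=abc123",
        "headers": [{"name": "Cookie", "value": "sid=deadbeef"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "deadbeef"}],
    },
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=cafebabe; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "cafebabe"}],
    },
}]}}


def redact_headers(headers):
    """Return a copy of a HAR-style header list with sensitive values masked."""
    return [{**h, "value": REDACTED} if h.get("name", "").lower() in SENSITIVE_HEADERS
            else dict(h) for h in headers]


def scrub_har(har):
    """Deep-copy the capture and mask cookies, auth headers and token-like
    query parameters in every entry. Returns (scrubbed_copy, redaction_count)."""
    scrubbed = json.loads(json.dumps(har))  # the caller's original stays untouched
    count = 0
    for entry in scrubbed.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.setdefault(side, {})
            before = msg.get("headers", [])
            after = redact_headers(before)
            count += sum(1 for b, a in zip(before, after) if b != a)
            msg["headers"] = after
            for c in msg.get("cookies", []):  # HAR lists cookies separately too
                if c.get("value") != REDACTED:
                    c["value"] = REDACTED
                    count += 1
        req = entry.setdefault("request", {})
        req["url"], n = SENSITIVE_PARAMS.subn(r"\1=" + REDACTED, req.get("url", ""))
        count += n
    return scrubbed, count


def leaks(har, secrets):
    """List which of the given secret strings still appear anywhere in the capture."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]
```

Run `scrub_har` over a capture and check `leaks` is empty before attaching the file to a support case; anything the scrubber misses is a token the support provider will be holding on your behalf.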
6. Ransomware attack disrupts Kansas court system
The court system in Kansas has reverted to paper records while it investigates a ransomware attack which took place earlier this month. There have been dozens of attacks on public sector bodies in the United States in recent weeks. Last week, officials from Rock County in Wisconsin refused to pay the Russia-based Cuba ransomware group a ransom of USD 1.9 million.
Public sector organisations are a popular target for ransomware. Recent high-profile attacks demonstrate the importance of having a predefined response strategy.