Tag Archives: Business Advice

Posted on Author Atlantic Computer Services Categories Blog

Upgrade This WordPress Plugin To Avoid Being Hacked

Do you own and manage a WordPress site either personally or as part of your business?  Do you also use the Tatsu plugin which offers a powerful suite of in-browser editing features and has been installed by more than 100,000 users worldwide?

If so, be aware that there is a serious security flaw in the plugin, and you should update right away to minimize your risk.

The vulnerability in this case is being tracked as CVE-2021-25094 and allows a remote attacker to execute arbitrary code.  The developers behind the plugin made a patch available that protects against the exploit, and that patch has been available since April (2022). Shockingly though, only about half of Tatsu’s users have updated their plugin, leaving more than fifty thousand websites around the world still vulnerable.

Finding out if you’re included in that number is easy.  Simply check the version of Tatsu you’re running.  If you’re running anything from before version 3.3.12, you are at risk and should update as soon as possible.

Independent security researcher Vincent Michel is credited with discovering the flaw, and he made his discovery public on March 28th 2022, releasing proof of concept exploit code along with his disclosure.

The plugin vendor was highly responsive and released a patch less than two weeks later on April 7th 2022. They urged all users to apply the update right away.

Unfortunately, that plea fell on as many deaf ears as responsive ones, which is how we got where we are today.

Wordfence has been tracking the number of times that hackers have made use of this exploit and has observed a large, widespread campaign in progress.  The company reports that more than a million attacks have come from just three IP addresses (148.251.183; 254, 176.9.117.218; and 217.160.145.62).

Site administrators are urged to add these IP addresses to their blocklist in addition to updating.  It is very good advice.

0
Posted on Author Atlantic Computer Services Categories Blog

You Might Need This HP Bios Security Update

HP recently released a BIOS update to address a pair of high-severity vulnerabilities that affect a wide range of PC and notebook products offered by the company.  In both cases, the vulnerabilities would allow an attacker to execute code arbitrarily and with Kernel level privileges.

The two flaws are being tracked as CVE-2021-3808 and CVE-2021-3809 respectively, and both bear a CVSS 3.1 score of 8.8 which makes them both serious issues indeed.

Worse, the two issues impact more than 200 models of HP equipment, including Zbook Studio, ZHAN Pro, EliteBook, ProBook, Elite Dragonfly, business desktop PCs like the EliteDesk and ProDesk, retail PoS computers like the Engage, workstations like the Z1 and Z2, and thin client PCs.

For a comprehensive listing of impacted products, please refer to HP’s security advisory page and scan for the product you own.

Security researcher Nicholas Starke has done a deep dive into both issues.

Starke had this to say about the matter:

“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks.”

HP has been having a tough time of things lately.  Just two months ago, the company released a BIOS update that addressed sixteen separate flaws. Three months before that, they released a BIOS update that addressed a completely different set of flaws.

Kudos to HP for their time and attention to this matter. However, one has to wonder what has broken down in their core development process that allowed so many serious BIOS flaws to slip through undetected in the first place?

Unfortunately, there’s no word on that but if you haven’t yet applied the latest security update, you’ll definitely want to apply this one as soon as possible.

0
Posted on Author Atlantic Computer Services Categories Blog

Update Zyxel Products To Fix Possible Security Vulnerability

Do you use a Zyxel firewall?  If so, there’s good news.  The company has fixed an issue you may not have even been aware that you had.

The company pushed out the fix in a silent update a little over two weeks ago, but when they implemented the push, they didn’t provide many details about it.  More of those details are emerging now.

Security researchers at Rapid7 discovered a critical security flaw, now being tracked as CVE-2022030525, which is listed as being a severity 9.8 (critical) issue.

The flaw is described as an unauthenticated remote command injection issue, via the HTTP interface.  It impacts all Zyxel firewalls that support Zero Touch Provisioning running firmware versions ZLD5.00 to ZLD5.21 Patch 1.

The following models are specifically impacted:

  • USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below
  • USG20-VPN and USG20W-VPN using firmware 5.21 and below
  • And ATP 100, 200, 500, 700, 800 using firmware 5.21 and below

According to the company, these products are most commonly found in smaller branch offices and corporate headquarters for SSL inspection, VPN, web filtering, email security, and intrusion protection.

Per the Rapid7 report given to Zyxel on April 13, 2022:

“Commands are executed as the “nobody” user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py.

The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter.”

For their part, Zyxel moved very quickly on the issue.  They initially promised to release a fix by June 2022, but quietly pushed out the patch on April 28th, 2022 without supplying a security advisory or other technical details.

We’re not sure why that decision was made, but we’re very pleased to gain access to those details now. Kudos to Zyxel for their rapid response!

0
Posted on Author Atlantic Computer Services Categories Blog

Tricky Ransomware Encrypts Small Data But Overwrites Large Data

The MalwareHunterTeam recently discovered a new ransomware operation that is particularly nasty.  Called Onyx, outwardly, the operation does what most ransomware campaigns do.  It gets inside a corporate network, exfiltrates the data that it wants, then seems to encrypt the rest, and then threatens to release the files to the broader public unless their demands for payment are met.

An additional fee is demanded to unlock the encrypted files, but there’s a catch in this instance.

Any file larger than 2MB in size is deleted and then overwritten before encryption to make it appear that the file is still intact.  Unfortunately, when victims pay the fee to have their files decrypted, they discover that the file is garbage and the actual file they wanted has been deleted.

This is not a flaw in the malicious code but rather an intentional design decision. It is implemented to inflict maximal pain on companies that fall victim to their attack.

The discovery was only recently made. So it’s quite likely that at least some companies have paid the demanded ransom in hopes of getting their files back, only to have those hopes dashed.

Given this fact, if you are hit with an Onyx attack, don’t pay the ransom.  It won’t do you any good, except where your smaller files are concerned.  Your only hope is to restore those files from backup, and you certainly don’t need to pay the ransom to do that.

Malware attacks in general and particularly ransomware attacks are an unfortunate part of corporate life these days.  Whether due to poor planning, faulty backups, or something else, some companies feel the need to pay the ransom and get on with the business of their business. However, in this case, the Onyx campaign proves that there is no honor among thieves.  Be careful out there.

0
Posted on Author Atlantic Computer Services Categories Blog

 Secure Your SQL Server To Avoid This Malware Infection

Do you rely on Microsoft SQL and MySQL databases?  If so, be advised that the cybersecurity firm AhnLab recently published a report about a newly emerging threat.

It seems that hackers are now targeting poorly secured Microsoft SQL and MySQLdatabases with a malware strain known as GhostCringe.

If you’re not familiar with it, GhostCringe is also known as CirenegRAT. It is a variant of the GhostRAT malware made famous by the Chinese government in a series of attacks in 2020, but dating back to 2018.

Of interest, it seems that the threat actors behind the GhostCringe attack aren’t alone.  A forensic analysis of compromised servers indicates that several other malware strains were present. That suggests that competing gangs of hackers were all competing to break into the same databases as part of their own campaigns.

As malware strains go, GhostCringe isn’t the worst or most destructive we’ve seen, but it does make rather aggressive use of its keylogging function. So once any passwords you enter on the system have been compromised, they will be fed directly to the hackers who control the code and that could expose you to a whole world of pain.

This is a genuine threat that should be taken seriously.  The first step in terms of taking it seriously is to make sure your server software is up to date with the latest security patches applied.  In addition to that, please do not make the mistake of either not setting an administrator password or setting one that is weak and easily guessed.

Those are rookie mistakes that are easy to avoid, and you don’t want to be the business owner who lost tens of thousands of dollars to a mistake like that.

Finally, be relentless in terms of monitoring all activity on your server including suspicious “reconnaissance” activity which could be a harbinger of things to come.

0
1 3 4 5 6 7 23