Weekly CyberTip: Watch out for Equifax settlement phishing emails
Just before the holidays, Equifax began sending settlement benefit notices to U.S. consumers who had filed class action claims in the wake of the credit reporting agency’s massive data breach, disclosed in September 2017. Payments for eligible out-of-pocket losses and time spent started rolling out on December 19, as cheques, PayPal payments, or prepaid gift cards, with notices sent by email from the settlement administrator.
Unsurprisingly, scammers have seized this opportunity to send fake settlement notices and phishing emails in an attempt to harvest personal financial information, and dozens of reports of suspicious communications have already been recorded. Don’t be fooled: if you receive a notice you are not expecting, or have concerns about a communication you have received, do not click links in the email; instead, type the address of the official breach settlement website (equifaxbreachsettlement.com) into your browser and check your claim status there.
Action Required: At least 30 WordPress plugins and themes are vulnerable to new malware strain
In a report posted December 30, security researchers at Doctor Web reported the discovery of a Linux backdoor designed to compromise WordPress sites running unpatched add-ons. According to the bulletin, the malware “exploits 30 vulnerabilities in a number of plugins and themes for [WordPress]. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts. As a result, when users click on any area of an attacked page, they are redirected to other sites.”
The original announcement identifies 19 vulnerable WordPress plugins and themes, but researchers have since identified an updated variant of the backdoor, bringing the overall total to 30. The complete list of the known plugins and themes affected:
- Blog Designer WordPress Plugin
- Brizy WordPress Plugin
- Coming Soon Page and Maintenance Mode
- Easy SMTP
- Facebook Live Chat by Zotabox
- FV Flowplayer Video Player
- Google Code Inserter
- Hybrid
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Poll, Survey, Form & Quiz Maker by Opinion Stage
- Post Custom Templates Lite
- Rich Reviews plugin
- Simple Fields WordPress Plugin
- Social Metrics Tracker
- Thim Core
- Total Donations Plugin
- WooCommerce
- WordPress – Yuzo Related Posts
- WordPress Coming Soon Page
- WordPress Delucks SEO plugin
- WordPress ND Shortcodes For Visual Composer
- WordPress theme OneTone
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WP GDPR Compliance Plugin
- WP Live Chat
- WP Live Chat Support Plugin
- WP Quick Booking Manager
- WPeMatico RSS Feed Fetcher
- WP-Matomo Integration (WP-Piwik)
- Yellow Pencil Visual Theme Customizer Plugin
WordPress administrators are urged to inventory their installed plugins and themes against this list, confirm that each is running the vendor’s current release, and patch or replace vulnerable add-ons as soon as possible. Because the malware injects JavaScript into served pages, sites that run any of these add-ons should also be checked for unexpected inline scripts and click-triggered redirects. More broadly, WordPress users are encouraged to keep all components of the web platform current, including all third-party add-ons and themes, to remove add-ons that are no longer needed or no longer maintained, and to use MFA, unique logins, and strong passwords to secure their environments.
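The first step in that advice, checking what is actually installed against the list above, is easy to script. The example below is added for this page and is not Doctor Web’s or WordPress’s own code: it reads the standard “Plugin Name:” / “Theme Name:” / “Version:” header blocks that WordPress itself uses to identify add-ons, normalizes the names, and reports every installed plugin or theme whose name contains one of the listed names. The sample wp-content tree it builds (plugin slugs, names and versions) is constructed for the demo; a name match means “compare this add-on’s version with the vendor’s latest release”, not that the installed copy is vulnerable.

```python
"""Flag installed WordPress plugins/themes whose names match the Doctor Web list."""
import re
import sys
import tempfile
from pathlib import Path

# The page's list, trimmed to the add-on names themselves (CVE notes dropped,
# "Newspaper Theme on WordPress Access Control" shortened to "Newspaper").
AFFECTED = [
    "Blog Designer WordPress Plugin", "Brizy WordPress Plugin",
    "Coming Soon Page and Maintenance Mode", "Easy SMTP",
    "Facebook Live Chat by Zotabox", "FV Flowplayer Video Player",
    "Google Code Inserter", "Hybrid", "Newspaper",
    "Poll, Survey, Form & Quiz Maker by Opinion Stage",
    "Post Custom Templates Lite", "Rich Reviews",
    "Simple Fields WordPress Plugin", "Social Metrics Tracker", "Thim Core",
    "Total Donations", "WooCommerce", "Yuzo Related Posts",
    "WordPress Coming Soon Page", "Delucks SEO",
    "ND Shortcodes For Visual Composer", "OneTone", "Ultimate FAQ",
    "WP GDPR Compliance", "WP Live Chat", "WP Live Chat Support",
    "WP Quick Booking Manager", "WPeMatico RSS Feed Fetcher",
    "WP-Matomo Integration (WP-Piwik)", "Yellow Pencil Visual Theme Customizer",
]

# WordPress reads add-on metadata from a "Key: value" comment block at the top
# of a plugin's main .php file or a theme's style.css.
HEADER_RE = re.compile(
    r"^[ \t]*\*?[ \t]*(Plugin Name|Theme Name|Version):[ \t]*(.+?)[ \t]*$", re.M)
STOP = {"wordpress", "wp", "plugin", "theme", "for", "by", "the", "and", "on"}


def normalize(name):
    """Lower-case and drop punctuation/filler so 'WordPress – Yuzo Related Posts'
    compares equal to 'Yuzo Related Posts'."""
    return " ".join(t for t in re.findall(r"[a-z0-9]+", name.lower()) if t not in STOP)


def read_header(path):
    # WordPress itself only inspects the first 8 KiB of the file.
    text = path.read_text(encoding="utf-8", errors="replace")[:8192]
    return dict(HEADER_RE.findall(text))


def _subdirs(path):
    return sorted(p for p in path.iterdir() if p.is_dir()) if path.is_dir() else []


def inventory(wp_content):
    """One record per plugin directory and per theme directory under wp-content."""
    found = []
    for d in _subdirs(wp_content / "plugins"):
        # The first top-level .php file with a Plugin Name header is the main file.
        # Single-file plugins dropped straight into plugins/ are not covered here.
        for php in sorted(d.glob("*.php")):
            hdr = read_header(php)
            if "Plugin Name" in hdr:
                found.append({"kind": "plugin", "slug": d.name,
                              "name": hdr["Plugin Name"], "version": hdr.get("Version", "?")})
                break
    for d in _subdirs(wp_content / "themes"):
        css = d / "style.css"
        hdr = read_header(css) if css.is_file() else {}
        if "Theme Name" in hdr:
            found.append({"kind": "theme", "slug": d.name,
                          "name": hdr["Theme Name"], "version": hdr.get("Version", "?")})
    return found


def flag_affected(items):
    """Pair each installed add-on with the first list entry whose normalized name
    occurs as a whole-word sequence inside the installed name."""
    hits = []
    for item in items:
        installed = f" {normalize(item['name'])} "
        for aff in AFFECTED:
            if f" {normalize(aff)} " in installed:
                hits.append((item, aff))
                break
    return hits


def build_sample(root):
    """Constructed wp-content tree for the demo; slugs, names and versions are made up."""
    files = {
        "plugins/wp-gdpr-compliance/wp-gdpr-compliance.php":
            "<?php\n/**\n * Plugin Name: WP GDPR Compliance\n * Version: 1.0.0\n */\n",
        "plugins/akismet/akismet.php":
            "<?php\n/*\nPlugin Name: Akismet Anti-spam\nVersion: 5.0\n*/\n",
        "plugins/yuzo/yuzo.php":
            "<?php\n/*\nPlugin Name: WordPress \u2013 Yuzo Related Posts\nVersion: 2.0\n*/\n",
        "themes/onetone/style.css": "/*\nTheme Name: OneTone\nVersion: 1.0\n*/\n",
        "themes/twentytwentytwo/style.css": "/*\nTheme Name: Twenty Twenty-Two\nVersion: 1.3\n*/\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root


def run_demo():
    """Build the constructed tree in a temp dir and return the flagged add-ons."""
    with tempfile.TemporaryDirectory() as tmp:
        return flag_affected(inventory(build_sample(Path(tmp))))


if __name__ == "__main__":
    # Usage: python wp_check.py /var/www/html/wp-content   (no argument runs the demo)
    hits = flag_affected(inventory(Path(sys.argv[1]))) if len(sys.argv) > 1 else run_demo()
    for item, aff in hits:
        print(f"CHECK {item['kind']} {item['slug']} "
              f"({item['name']} {item['version']}) -> listed as '{aff}'")
```

Run it against a real wp-content directory and compare each reported version with the current release on wordpress.org or the vendor’s site; anything on the list that cannot be updated should be replaced or removed. On the constructed tree the demo flags wp-gdpr-compliance, yuzo and onetone and leaves Akismet and the Twenty Twenty-Two theme alone.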
B.C. copper mining company suffers cyber attack
On December 29, Copper Mountain Mining Corporation (CMMC) in Vancouver, BC issued a statement advising that its corporate office and mining systems had experienced a ransomware attack two days earlier on December 27.
“The Company quickly implemented its risk management systems and protocols in response to the attack. The Company has isolated operations, switched to manual processes, where possible, and the mill has been preventatively shut down to determine the effect on its control system,” according to the press release.
The company reassured the general public that there had been no safety or environmental impacts as a result of the incident.
The release provided no details of the nature or specific impacts of the incident, stating only that they are “continuing to assess risks and are actively establishing additional safeguards to mitigate any further risk to the Company.”
CMMC’s Copper Mountain operation, Canada’s third-largest copper mine, processes 45,000 tons of material per day and produces an average of 100 million pounds of copper equivalent annually.
LockBit ransomware: two decryption stories
Japanese police appear to have made an important breakthrough in decrypting LockBit ransomware. According to a report by Nikkei Asia, researchers with the National Police Agency have successfully decrypted the data of three separate LockBit victims, including auto parts manufacturer Nittan, which suffered an attack in September 2022. While other LockBit decryptors have been reported in recent months, they generally target older variants of the malware, making the new decryptor an important step forward. The research is being shared with other law enforcement agencies.
Japan’s police force has devoted a considerable number of resources to combat cyber crime, with “around 2,400 investigators and technical personnel focused on cybercrime, including about 450 specialists drawn from industry and research,” according to the report.
Meanwhile, closer to home, the LockBit ransomware gang itself appears to have handed a decryption key, along with an apology, to Toronto’s Hospital for Sick Children. SickKids suffered a cyber attack on December 19 that disrupted its internal and corporate systems, phone system, and website. By December 29, the hospital announced that it had recovered almost half of its systems, and by January 1 it reported 60% recovered. On December 31, cybersecurity researcher Dominic Alvieri tweeted a posting from the gang’s dark web portal announcing “We formally apologize for the attack on sikkids.ca [sic] and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program.” SickKids has acknowledged receipt of the decryption key and is working with third parties to assess its validity and effectiveness; as with any tool supplied by an attacker, it should be tested on copies of encrypted files in an isolated environment before being run against production systems.