Weekly CyberTip: Reboot your computer periodically!
As a matter of convenience, some people never turn off their desktop computers or laptops. While this may save some reboot time, this practice can lead to security issues. An occasional reboot (ideally once a day, definitely at least once a week) will not just give your computer a fresh start by clearing temporary files and memory: more importantly, it will also give your system an opportunity to auto-install or complete patches and security fixes (for operating systems, Internet browsers, etc.) that help protect your data.
Patch Alert 1: New Chrome release addresses 10 security vulnerabilities, including one critical issue
On February 22, Google announced the release of a new version of its Chrome browser. The new release features fixes for 10 security flaws: one medium, eight high priority, and one critical issue.
The critical fix, coded as CVE-2023-0941, is a “use after free in Prompts” vulnerability, which is a memory-related issue in the Chrome browser. Specifically, it means that the browser can allow a threat actor to access memory that has already been freed or released, which can cause unexpected behaviour, crashes, and security vulnerabilities. Several similar flaws were addressed; this one specifically dealt with memory issues in dialog box prompts like confirmation messages and pop-ups.
As of February 27, the latest version of the Chrome browser for Windows was 110.0.5481.178. To check your version, click the three dots (⋮) at the top right of your Chrome screen, then select Help, then About Chrome. The browser should either confirm you are on the latest version, or attempt an on-the-spot upgrade.
Patch Alert 2: Important patch for macOS and iOS devices
In a February 21 report, researchers at Trellix describe recently-discovered malware that can bypass the protections in macOS and iOS devices that prevent unapproved software from running.
“The vulnerabilities above represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else,” according to the report.
The vulnerabilities have been patched in releases macOS 13.2 and iOS 16.3, which have been available since mid-February. Check your Apple devices to ensure that they are at the current patch level.
Cryptocurrency exchange platform Coinbase discloses cybersecurity attack
In a February 17 blog post, Jeff Lunglhofer, Chief Information Security Officer of Coinbase, disclosed a successful – albeit limited – social engineering attack targeting Coinbase employees. Coinbase is the largest cryptocurrency exchange in the U.S. (by trading volume).
Lunglhofer’s post describes how, on February 5, several staff members received SMS messages asking them to log in via a link in the text in order to receive an important message. Most of the employees ignored the text, recognizing it as a smshing (i.e., phishing over SMS) attack. However, one individual clicked the phony link, and entered their userid and password.
After “logging in,” the employee was prompted to disregard the message and thanked for complying. The threat actor then used the employee’s credentials to make repeated attempts to gain remote access to Coinbase systems. Since MFA was in place, the attacker was unable to penetrate the network, so they called the employee claiming to be from the Coinbase corporate IT team and directed the individual to log into their workstation and follow a set of instructions.
Meanwhile, real Coinbase techs received alerts about the suspicious behaviour and managed to discontinue communications between the employee and the threat actor, but not before a “limited amount of data” from its directory, including employee names, e-mail addresses, and some phone numbers had been harvested.
The frank and informative blog post documents IOCs and lessons learned from the incident, which is a cautionary tale about the dangers of social engineering cyber attacks and the importance of layered defenses and security awareness training.
Coinbase further noted that the attack is likely linked to the sophisticated phishing campaign known as 0ktapus (a.k.a. Scatter Swine) that targeted over 130 companies, including DoorDash, Okta, Twilio, Cloudflare, and MailChimp in 2022 and early 2023.
Microsoft issues bulletin for Exchange administrators
In a February 23 blog post, Microsoft issued a reminder to Exchange administrators to check the file exclusions on their anti-virus systems. Exclusions previously recommended by Microsoft are now being reversed.
“We’ve found that some existing exclusions, namely the Temporary ASP.NET Files and Inetsrv folders, and the PowerShell and w3wp processes – are no longer needed, and that it would be much better to scan these files and folders. Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues,” according t cyo the post, which itemizes two folders and two processes that should be scanned to provide superior protection. They are:
- %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
Dole plc officially confirms cyber attack
In a terse February 22 press release, Dole plc – one of the world’s largest producers of fruit and vegetables – formally disclosed that it had suffered a “a cybersecurity incident that has been identified as ransomware” in early February 2023.
“Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole’s internal teams to remediate the issue and secure systems,” explained the bulletin. “While continuing to investigate the scope of the incident, the impact to Dole operations has been limited.”
That limited impact included shutting down production plants in North America and suspending food shipments to grocery stores around the continent, according to a report by CNN.