NCSC-FI News followup

Daily NCSC-FI news followup 2020-09-25

Microsoft boots apps out of Azure used by China-sponsored hackers Active Directory apps used for command-and-control infrastructure are no more. Report:

Feds Hit with Successful Cyberattack, Data Stolen The attack featured unique, multistage malware and a likely Pulse Secure VPN exploit.

FinSpy Spyware for Mac and Linux OS Targets Egyptian Organisations Amnesty International today exposed details of a new surveillance campaign that targeted Egyptian civil society organizations with previously undisclosed versions of FinSpy spyware designed to target Linux and macOS systems.

Mount Locker ransomware joins the multi-million dollar ransom game A new ransomware operation named Mount Locker is underway stealing victims’ files before encrypting and then demanding multi-million dollar ransoms.

The Week in Ransomware – September 25th 2020 – A Modern-Day Gold Rush This week showed continued attacks against large organizations as new ransomware operations rush to join a modern-day ransomware gold rush.

RayBan parent company reportedly suffers major ransomware attack There is no evidence that the cybercriminals were also able to steal customer data.

Taurus Project stealer now spreading via malvertising campaign For the past several months, Taurus Project, a relatively new stealer that appeared in the spring of 2020, has been distributed via malspam campaigns targeting users in the United States. The macro-laced documents spawn a PowerShell script that invokes certutil to run an AutoIt script, which is ultimately responsible for downloading the Taurus binary.
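The chain described above (Office document, then PowerShell, then certutil) is easy to hunt for in process-creation telemetry. The following is an added example, not code from the Malwarebytes write-up: it walks constructed Sysmon-style process events (pid, ppid, image, command line), reconstructs each certutil process's ancestry, and flags it when it either uses a decode/download switch or sits under a script host that an Office application spawned. The events, paths, PIDs and the list of switches are assumptions made for the demo.

```python
# Added example, not code from the Malwarebytes write-up: a small hunt over
# process-creation events (Sysmon Event ID 1 style fields) for the chain the
# post describes, Office document -> PowerShell -> certutil.  The events,
# paths and PIDs below are constructed for the demo.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# certutil switches that have no business in an Office-spawned process tree
SUSPICIOUS_CERTUTIL_FLAGS = ("-decode", "-decodehex", "-urlcache", "-encode")

# Constructed events: the malicious chain plus a benign certutil use.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "cmdline": '"WINWORD.EXE" /n invoice.docm'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell -w hidden -nop -enc SQBFAFgA..."},
    {"pid": 400, "ppid": 300, "image": "certutil.exe",
     "cmdline": r"certutil -decode C:\Users\u\AppData\Local\Temp\x.txt C:\Users\u\AppData\Local\Temp\x.exe"},
    {"pid": 500, "ppid": 100, "image": "cmd.exe",        "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": "certutil.exe",   "cmdline": "certutil -store my"},
]


def ancestry(events_by_pid, pid, limit=8):
    """Return the image names from `pid` up through its parents (oldest last)."""
    chain = []
    while pid in events_by_pid and len(chain) < limit:
        ev = events_by_pid[pid]
        chain.append(ev["image"].lower())
        pid = ev["ppid"]
    return chain


def hunt(events):
    """Flag certutil executions that either use a decode/download switch or
    sit under a script host that was itself spawned by an Office application."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "certutil.exe":
            continue
        chain = ancestry(by_pid, e["pid"])
        parents = chain[1:]
        office_origin = any(p in OFFICE_APPS for p in parents)
        via_script_host = any(p in SCRIPT_HOSTS for p in parents)
        cmd = e["cmdline"].lower()
        flags = [f for f in SUSPICIOUS_CERTUTIL_FLAGS if f in cmd]
        if flags or (office_origin and via_script_host):
            findings.append({"pid": e["pid"], "chain": " <- ".join(chain), "flags": flags})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['chain']}  flags={f['flags']}")
```

Only the certutil under the Word-spawned PowerShell is reported; the interactive `certutil -store my` under cmd.exe is left alone because it has neither a suspicious switch nor an Office ancestor.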

Windows scammers now even speak Finnish on the phone, "a very worrying phenomenon" In recent weeks many people have received a call claiming that their computer is infected with malware and that the caller will help them with it. According to the National Cyber Security Centre (Kyberturvallisuuskeskus), a million such calls a month are now being made to Finland.

Twitter is warning devs that API keys and tokens may have leaked Twitter is emailing developers stating that their API keys, access tokens, and access token secrets may have been exposed in a browser’s cache.

Fortinet VPN with Default Settings Leaves 200,000 Businesses Open to Hackers "We quickly found that under default configuration the SSL VPN is not as protected as it should be, and is vulnerable to MITM attacks quite easily," SAM IoT Security Lab's Niv Hertz and Lior Tashimov said. "The Fortigate SSL-VPN client only verifies that the CA was issued by Fortigate (or another trusted CA), therefore an attacker can easily present a certificate issued to a different Fortigate router without raising any flags, and implement a man-in-the-middle attack."
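The weakness the researchers describe is a chain check without an identity check: any certificate signed by the trusted CA is accepted, whichever gateway it was issued to. The following is an added example, not code from the article or from Fortinet: it models a certificate as a dict with the fields that matter, shows the weak verification beside the strict one (chain plus an RFC 6125-style match of the dialled hostname against the certificate's DNS SANs), and demonstrates that a certificate legitimately issued to some other appliance passes the weak check but not the strict one. The CA name, hostnames and certificates are constructed for the demo, and chain validation is stood in for by an issuer lookup.

```python
# Added example, not the article's or Fortinet's code: the difference between
# "issued by a trusted CA" and "issued to the gateway I dialled".  Certificates
# are plain dicts and chain validation is a stand-in (issuer lookup); a real
# client also checks signatures, validity dates and revocation.

TRUSTED_CAS = {"Vendor Appliance CA"}   # constructed name, not a real CA DN

# Constructed certificates: one for the victim's gateway, one legitimately
# issued to a different appliance that an attacker happens to control.
OUR_GATEWAY = {"issuer": "Vendor Appliance CA", "san": ["vpn.example.com"], "expired": False}
OTHER_BOX = {"issuer": "Vendor Appliance CA", "san": ["vpn.other-customer.example"], "expired": False}


def hostname_matches(hostname, san_dns_names):
    """RFC 6125-style match of the dialled hostname against DNS SAN entries.
    A wildcard is honoured only as the whole left-most label, matches exactly
    one label, and never matches the registered domain itself."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]        # the label the '*' stands for
                if left and "." not in left:
                    return True
    return False


def chain_ok(cert, trusted_cas):
    """Stand-in for chain validation."""
    return cert["issuer"] in trusted_cas and not cert["expired"]


def weak_verify(cert, trusted_cas, hostname):
    """What the article describes: any cert from a trusted CA is accepted,
    the dialled hostname is never consulted."""
    return chain_ok(cert, trusted_cas)


def strict_verify(cert, trusted_cas, hostname):
    """Chain validation plus identity binding to the dialled hostname."""
    return chain_ok(cert, trusted_cas) and hostname_matches(hostname, cert["san"])


if __name__ == "__main__":
    dialled = "vpn.example.com"
    for label, cert in (("our gateway", OUR_GATEWAY), ("attacker's box", OTHER_BOX)):
        print(f"{label}: weak={weak_verify(cert, TRUSTED_CAS, dialled)} "
              f"strict={strict_verify(cert, TRUSTED_CAS, dialled)}")
```

The fix on the client side is the strict path: pin the expected hostname (or the gateway's own certificate) so that a sibling certificate from the same CA is rejected; on the appliance side, replace the factory certificate with one issued for the gateway's real name.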

Update now: Cisco warns over 25 high-impact flaws in its IOS and IOS XE software Cisco has alerted customers using its IOS and IOS XE networking gear software to apply updates for 34 flaws across 25 high-severity security advisories.

Blast from the past! Windows XP source code allegedly leaked online If the reports are to be believed, someone has just leaked a mega-torrent (pun intended: allegedly some of the files have also been uploaded to the Kiwi file-sharing service Mega) of Microsoft source code going all the way back to MS-DOS 6.

"From an organisation's point of view WhatsApp is a catastrophe", says a digital consultant: impossible to administer, yet in use at workplaces Managing groups is manual work, and that also leaves room for mistakes.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-09-24

#InstaHack: how researchers were able to take over the Instagram App using a malicious image Instagram is one of the most popular social media platforms globally, with over 100 million photos uploaded every day and nearly 1 billion monthly active users. Individuals and companies share photos and messages about their lives and products with their followers globally. So imagine what could happen if a hacker was able to completely take over Instagram accounts, access all the messages and photos in those accounts, post new photos, or delete or manipulate existing photos. What could that do to a person's or company's reputation?

Govt. Services Firm Tyler Technologies Hit in Apparent Ransomware Attack Tyler Technologies, a Texas-based company that bills itself as the largest provider of software and technology services to the United States public sector, is battling a network intrusion that has disrupted its operations. The company declined to discuss the exact cause of the disruption, but their response so far is straight out of the playbook for responding to ransomware incidents.

Sandbox in security: what is it, and how it relates to malware To better understand modern malware detection methods, it's a good idea to look at sandboxes. In cybersecurity, the use of sandboxes has gained a lot of traction over the last decade or so. With the plethora of new malware coming our way every day, security researchers needed something to test new programs without investing too much of their precious time. Sandboxes provide ideal, secluded environments to screen certain malware types without giving that malware a chance to spread. Based on the observed behavior, the samples can then be classified as harmless, malicious, or in need of a closer look.

Threat landscape for industrial automation systems. H1 2020 highlights Beginning in H2 2019 we have observed a tendency for decreases in the percentages of attacked computers, both in the ICS and in the corporate and personal environments. In H1 2020 the percentage of ICS computers on which malicious objects were blocked decreased by 6.6 percentage points to 32.6%. The number was highest in Algeria (58.1%) and lowest in Switzerland (12.7%). Despite the overall tendency for the percentages of attacked computers to decrease, we did see the number grow in the Oil & Gas sector by 1.6 p.p. to 37.8% and by 1.9 p.p. to 39.9% for computers used in building automation systems. These numbers are higher than the percentages around the world overall.

Fuzzing Image Parsing in Windows, Part One: Color Profiles Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers. In this multi-part blog series, I am reviewing Windows OS built-in image parsers and related file formats: specifically looking at creating a harness, hunting for corpus and fuzzing to find vulnerabilities. In part one of this series I am looking at color profiles: not an image format itself, but something which is regularly embedded within images.

Analysis Report (AR20-268A) – Federal Agency Compromised by Malicious Cyber Actor The Cybersecurity and Infrastructure Security Agency (CISA) responded to a recent threat actor's cyberattack on a federal agency's enterprise network. By leveraging compromised credentials, the cyber threat actor implanted sophisticated malware, including multi-stage malware that evaded the affected agency's anti-malware protection, and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency's firewall.

Party in Ibiza with PowerShell Today, I would like to talk about PowerShell ISE or “Integration Scripting Environment”[1]. This tool is installed by default on all Windows computers (besides the classic PowerShell interpreter). From a malware analysis point of view, ISE offers a key feature: an interactive debugger!

Micropatch for Zerologon, the "perfect" Windows vulnerability (CVE-2020-1472) The Zerologon vulnerability allows an attacker with network access to a Windows Domain Controller to quickly and reliably take complete control of the Windows domain. As such, it is a perfect vulnerability for any attacker and a nightmare for defenders. It was discovered by Tom Tervoort, a security researcher at Secura, and privately reported to Microsoft, which issued a patch for supported Windows versions as part of the August 2020 updates and assigned it CVE-2020-1472. The micropatch we wrote is logically identical to Microsoft's fix. We injected it in function NetrServerAuthenticate3 in roughly the same place where Microsoft added the call to NlIsChallengeCredentialPairVulnerable, but since the latter doesn't exist in old versions of netlogon.dll, we had to implement its logic in our patch.
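What makes the bug "perfect" is arithmetic rather than a memory error: Netlogon computes the client credential with AES-CFB8 under a fixed all-zero IV, so for roughly one key in 256 an all-zero challenge encrypts to an all-zero credential, and the attacker simply retries until it does. The following is an added example, not 0patch's micropatch or Microsoft's code. Python's standard library has no AES, so a SHA-256-based stand-in block function replaces AES-128; the CFB8 argument depends only on the first byte of each block-cipher output, so the conclusion carries over unchanged. The "first five bytes of the client challenge identical" test is what public descriptions of Microsoft's fix report NlIsChallengeCredentialPairVulnerable as checking; treat that as an assumption of this example, not something the post above states.

```python
# Added example, not 0patch's or Microsoft's code.  Shows why an all-zero
# client challenge yields an all-zero Netlogon credential for ~1/256 keys
# (AES-CFB8 with a zero IV) and the shape of the check the fix adds.
import hashlib
import os


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (demo only; not AES).  CFB8 only
    ever uses the forward direction, so any keyed 16-byte PRF serves here."""
    return hashlib.sha256(key + block).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Generic CFB8: each plaintext byte is XORed with the first byte of
    E_k(shift register); the ciphertext byte is then shifted into the register."""
    reg = bytearray(iv)
    out = bytearray()
    for b in data:
        c = block_encrypt(key, bytes(reg))[0] ^ b
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential as used by AES Netlogon: CFB8 with a fixed
    all-zero IV.  The fixed IV is the root cause."""
    return cfb8_encrypt(session_key, bytes(16), challenge)


def is_weak_key(key: bytes) -> bool:
    """A key is 'weak' for a zero challenge when E_k(0^16) starts with 0x00:
    the first output byte is then 0, the register stays all-zero, and every
    following output byte is 0 as well."""
    return block_encrypt(key, bytes(16))[0] == 0


def find_weak_key(max_tries: int = 100_000) -> bytes:
    """Draw random session keys until a weak one appears (expected ~256 tries),
    mirroring the attacker's retry loop against a fresh session key each time."""
    for _ in range(max_tries):
        k = os.urandom(16)
        if is_weak_key(k):
            return k
    raise RuntimeError("no weak key found")


def challenge_is_suspicious(client_challenge: bytes) -> bool:
    """Assumed shape of the fix's check: reject a client challenge whose first
    five bytes are identical.  A genuinely random challenge trips this with
    probability 2^-32, an all-zero one always."""
    return len(set(client_challenge[:5])) == 1


if __name__ == "__main__":
    k = find_weak_key()
    cred = compute_netlogon_credential(k, bytes(8))
    print("weak key:", k.hex(), "credential for zero challenge:", cred.hex())
    print("zero challenge rejected by fix:", challenge_is_suspicious(bytes(8)))
```

The patch does not change the cipher; it refuses the degenerate challenge that makes the retry attack work, which is why 0patch could reproduce it as a short check in the same function.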

Alien Android Banking Trojan Sidesteps 2FA A newly uncovered banking trojan called Alien is invading Android devices worldwide, using an advanced ability to bypass two-factor authentication (2FA) security measures to steal victim credentials. Once it has infected a device, the RAT aims to steal passwords from at least 226 mobile applications, including banking apps like Bank of America Mobile Banking and Capital One Mobile, as well as a slew of collaboration and social apps like Snapchat, Telegram and Microsoft Outlook. Also:

Microsoft, Italy, and the Netherlands warn of increased Emotet activity Two weeks after cyber-security agencies from France, Japan, and New Zealand published warnings about an uptick in Emotet activity, new alerts have been published this past week by agencies in Italy and the Netherlands, but also by Microsoft. These new warnings come as Emotet activity has continued to increase, dwarfing any other malware operation active today. “It has been very heavy for [Emotet] spam lately,” Joseph Roosen, a member of Cryptolaemus, a group of security researchers who track Emotet malware campaigns, told ZDNet during an interview today.

Highly critical Windows vulnerability now a real threat, warns the National Cyber Security Centre: patch immediately Earlier this week we wrote about Zerologon attacks on a Windows security hole. According to Secura, the security company that found the vulnerability, exploiting it takes "in practice about three seconds" and requires no login at all from the attacker. The National Cyber Security Centre (Kyberturvallisuuskeskus) now reports that attack tools exploiting the vulnerability have been published. A fix for the vulnerability was released in Microsoft's August updates, and the Centre recommends installing the updates immediately. Also:

One of this year's most severe Windows bugs is now under active exploit One of the highest-impact Windows vulnerabilities patched this year is now under active exploitation by malicious hackers, Microsoft warned overnight, in a development that puts increasing pressure on laggards to update now. CVE-2020-1472, as the vulnerability is tracked, allows hackers to instantly take control of Active Directory, a Windows server resource that acts as an all-powerful gatekeeper for all machines connected to a network. Also:

ZeroLogon(CVE-2020-1472) – Attacking & Defending A handy walkthrough of CVE-2020-1472 from both a red and blue team perspective, how to detect, patch and hack ZeroLogon. You’re reading this already thinking, not another zerologon post, oh great… Stay tuned it’s a bit more than the normal posts, looking at it from the build break defend fix mentality. I’ve added a quick skip ToC if you want to skip to specific areas that interest you, or otherwise buckle up folks, it’s going to be a long ride!

Phishing attacks are targeting your social network accounts Scammers are targeting your social network accounts with phishing emails that pretend to be copyright violations or promises of a shiny ‘blue checkmark’ next to your name. With social networks such as Twitter, Facebook, Instagram, and TikTok becoming a significant component in people’s lives, attackers target them for malicious purposes. These stolen accounts are then used for disinformation campaigns, cryptocurrency scams like the recent Twitter hacks, or sold on underground markets. Due to this, social accounts should be treated as a valuable commodity and protected as such.

New Snort, ClamAV coverage strikes back against Cobalt Strike Cisco Talos is releasing a new research paper called The Art and Science of Detecting Cobalt Strike. We recently released a more granular set of updated Snort and ClamAV detection signatures to detect attempted obfuscation and exfiltration of data via Cobalt Strike, a common toolkit often used by adversaries. Cobalt Strike is a paid software platform for adversary simulations and red team operations. It is used by professional penetration testers and malicious actors alike to gain access to and control infected hosts on a victim network. Cobalt Strike has been utilized in APT campaigns and was most recently observed in the IndigoDrop campaign and in numerous ransomware attacks.

Wondering how to tell the world you’ve been hacked? Here’s a handy guide from infosec academics Infosec boffins at the University of Kent have developed a “comprehensive playbook” for companies who, having suffered a computer security breach, want to know how to shrug off the public consequences and pretend everything’s fine. In a new paper titled “A framework for effective corporate communication after cyber security incidents,” Kent’s Dr Jason Nurse, along with Richard Knight of the University of Warwick, devised a framework for companies figuring out how to publicly respond to data security breaches and similar incidents where servers are hacked and customer records end up in the hands of criminals.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-09-23

Phishers spoof reliable cybersecurity training company to garner clicks It happens to the best of us. And, indeed, no adage is better suited to a phishing campaign that recently made headlines. Fraudsters used the brand of KnowBe4, a trusted cybersecurity company that offers security awareness training for organizations, to gain recipients' trust, their Microsoft Outlook credentials, and other personally identifiable information (PII). This is according to findings from our friends at Cofense Intelligence, who did a comprehensive analysis of the campaign, and of course KnowBe4, who first reported on it.

Looking for sophisticated malware in IoT devices Smart watches, smart home devices and even smart cars: as more and more connected devices join the IoT ecosystem, the importance of ensuring their security becomes patently obvious. It's widely known that the smart devices which are now inseparable parts of our lives are not very secure against cyberattacks. Malware targeting IoT devices has been around for more than a decade. Hydra, the first known router malware that operated automatically, appeared in 2008 in the form of an open-source tool; it was an open-source prototype of router malware. Soon after Hydra, in-the-wild malware was also found targeting network devices. Since then, different botnet families have emerged and become widespread, including families such as Mirai, Hajime and Gafgyt.

A Recipe for Reducing Medical Device Internet of Things Risk You may recall this blog post from March 2020. It highlighted the importance of factoring in clinical, organizational, financial and regulatory impact when determining which Internet of Medical Things (IoMT) security vulnerabilities should be fixed first. Consider this post a part two. Whereas the previous post focused on the fact that IoMT devices are here to stay and that finding and prioritizing vulnerabilities based on impact cannot be overlooked, this post highlights an up-and-coming security challenge.

New tool helps companies assess why employees click on phishing emails Researchers at the US National Institute of Standards and Technology (NIST) have devised a new method that could be used to accurately assess why employees click on certain phishing emails. The tool, dubbed Phish Scale, uses real data to evaluate the complexity and quality of phishing attacks to help organizations comprehend where their (human) vulnerabilities lie. Here's a quick refresher: in its simplest form, phishing is an unsolicited email or any other form of electronic communication where cybercriminals impersonate a trusted organization and attempt to pilfer your data.

Zerologon Vulnerability: Analysis and Detection Tools In September 2020 Secura published an article disclosing a vulnerability in the Netlogon Remote Protocol of Windows Server (all known versions). This vulnerability is known as CVE-2020-1472 or, more commonly, Zerologon. Due to the magnitude and potential impact of this vulnerability, Cynet decided to release two detection mechanisms to the wider community that provide visibility into exploitation of the Zerologon vulnerability. The first is a YARA rule which can be used to scan memory dumps of lsass.exe; the rule alerts upon detection of Mimikatz or other Zerologon exploits. The second is an executable, Cynet.ZerologonDetector.exe, which detects spikes in network traffic to lsass.exe from a given IP.

A New Hacking Group Hitting Russian Companies With Ransomware As ransomware attacks against critical infrastructure continue to spike in recent months, cybersecurity researchers have uncovered a new entrant that has been actively trying to conduct multistage attacks on the large corporate networks of medical labs, banks, manufacturers, and software developers in Russia. The ransomware gang, codenamed "OldGremlin" and believed to be a Russian-speaking threat actor, has been linked to a series of campaigns since at least March, including a successful attack against a clinical diagnostics laboratory that occurred last month, on August 11. Also:

Malicious Word Document with Dynamic Content Here is another malicious Word document that I spotted while hunting. "Another one?" some of our readers may ask. Indeed, but malicious documents remain a very common infection vector and you learn a lot when you analyze them. I was recently asked to talk about PowerShell (de)obfuscation techniques. When you're dealing with an incident in a corporate environment, you don't have time to investigate in depth. The incident must be resolved as soon as possible because the business must go on, and a classic sandbox analysis is performed to get the feedback: it's malicious or not.

Shopify discloses security incident caused by two rogue employees Online e-commerce giant Shopify is working with the FBI and other law enforcement agencies to investigate a security breach caused by two rogue employees. The company said two members of its support team accessed and tried to obtain customer transaction details from Shopify shop owners (merchants). Shopify estimated the number of stores that might be affected by the employees' actions at less than 200. The company boasted more than one million registered merchants in its latest quarterly filings. Also:

Why can't the Windows scam calls plaguing Finns simply be blocked? An expert answers This year Finns have been hit by an unprecedented wave of scam calls. English-speaking scammers pose as Microsoft technical support representatives. They claim there is a problem with the recipient's Windows computer and offer help. In reality there is no problem, and the caller tries to trick the recipient into giving them remote access to the machine or paying them money for the "help".

AgeLocker ransomware targets QNAP NAS devices, steals data QNAP NAS devices are being targeted in attacks by the AgeLocker ransomware, which encrypts the device's data and, in some cases, steals files from the victim. AgeLocker is ransomware that utilizes an encryption tool called Age (Actually Good Encryption), designed to replace GPG for encrypting files, backups, and streams. In July 2020, we reported on a new ransomware called AgeLocker that was utilizing this tool to encrypt victims' files.

As you're scrambling to patch the scary ZeroLogon hole in Windows Server, don't forget Samba: it's also affected Administrators running Samba as their domain controllers should update their installations, as the open-source software suffers from the same ZeroLogon hole as Microsoft's Windows Server. An alert from the project has confirmed that its code, in certain configurations, is also vulnerable to the CVE-2020-1472 bug, which can be exploited to gain domain-level administrator access.

2020: Q2 Threat Report When security teams, managers, and leaders have limited time and budget, prioritizing investments to achieve the greatest impact and reduction in risk becomes paramount. Threat reports, such as this one, help security and business professionals alike get a high-level view of the threats they face and how organizations are dealing with them. Our quarterly Threat Report is typically structured to look at threats from both a cause and effect perspective. The Focus on Telemetry section delivers analysis on the risk and prevalence of threats, while the Focus on Detections section delivers analysis on those affected and the impact of threats.

India’s Cybercrime and APT Operations on the Rise Growing geopolitical tensions with China in particular are fueling an increase in cyberattacks between the two nations, according to IntSights. A combination of economic, political, and social factors is driving an increase in cyber threat activity out of India. Much of the activity involves scams, online extortion schemes, hacktivist campaigns, and the sale of narcotics and other illicit goods online. But also operating out of the country is a handful of relatively sophisticated advanced persistent threat actors and hacker-for-hire groups that have targeted organizations in multiple countries in recent years, according to a new report from IntSights.

Hackers sell access to your network via remote management apps Remote monitoring and management (RMM) software is starting to get attention from hackers as these types of tools provide access to multiple machines across the network. At least one network access broker has been advertising access to networks of organizations in various regions of the world that use the ManageEngine Desktop Central from Zoho to manage their Windows, Linux, and Mac systems. Some of the breached companies are attractive targets for ransomware operators, who may already have jumped at the opportunity.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-09-22

How to fight delayed phishing Phishing links in e-mails to company employees often become active only after the initial scan. But they still can and must be caught. Phishing has long been a major attack vector on corporate networks. It's no surprise, then, that everyone and everything, from e-mail providers to mail gateways and even browsers, uses antiphishing filters and malicious address scanners. Therefore, cybercriminals are constantly inventing new, and refining old, circumvention methods. One such method is delayed phishing.

How identification, authentication, and authorization differ We use raccoons to explain how identification, authorization, and authentication differ, and why 2FA is necessary. It happens to every one of us every day. We are constantly identified, authenticated, and authorized by various systems. And yet, many people confuse the meanings of these words, often using the terms identification or authorization when, in fact, they are talking about authentication.

New and improved Security Update Guide! We're excited to announce a significant update to the Security Update Guide, our one-stop site for information about all security updates provided by Microsoft. This new version will provide a more intuitive user experience to help protect our customers regardless of what Microsoft products or services they use in their environment. We've listened to your feedback and incorporated many of your suggestions and new feature ideas. For example, it is now much easier to get a simple list of all CVEs being released on an Update Tuesday or between your own custom date range (see the Vulnerabilities tab).

Carlos Arnal: The economic impact of a DNS attack is too great to ignore the vulnerabilities that would enable it One of the main problems with DNS attacks is the increasing cost of the damage they cause, as well as their rapid evolution and the diverse range of attack types. Data exfiltration over DNS is a major concern in corporate environments. In order to protect themselves, organizations are prioritizing the security of network endpoints and improving DNS traffic monitoring. We discussed this with Carlos Arnal, Product Marketing Manager for Endpoint Security at Panda.

Uncover Return on Investment From Using a SOAR Platform When a cybersecurity attack happens, people may be tempted to react impulsively. Instead, security leaders should take a proactive approach. Carefully considering the long-term effects of actions on resources and security posture becomes easier with the right tools. Using a Security Orchestration, Automation and Response (SOAR) platform from day one can help your organization be better positioned to respond to cyberattacks today and in the future. At the same time, it can mean a significant return on investment (ROI) for the security budget.

Alert (AA20-266A) – LokiBot Malware CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA's EINSTEIN Intrusion Detection System, which protects federal civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot is credential- and information-stealing malware, often sent as a malicious attachment and known for being simple yet effective, making it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.

Unsecured Microsoft Bing Server Exposed Users' Search Queries and Location A back-end server associated with Microsoft Bing exposed sensitive data of the search engine's mobile application users, including search queries, device details, and GPS coordinates, among others. The logging database, however, doesn't include any personal details such as names or addresses. The data leak, discovered by Ata Hakcil of WizCase on September 12, is a massive 6.5TB cache of log files that was left for anyone to access without any password, potentially allowing cybercriminals to leverage the information for carrying out extortion and phishing scams.

6% of all Google Cloud Buckets are vulnerable to unauthorized access 131 of 2,064 scanned Google Cloud buckets were vulnerable to unauthorized access by users who could list, download, and/or upload files. Amazon's S3 buckets are the most popular means for apps, websites, and online services to store data in the cloud. So when data breaches and exposures occur, vulnerable S3 buckets are often cited as the target. But Amazon Web Services is far from the only provider of cloud file storage. Google Cloud buckets, for instance, are also quite common, and they are just as vulnerable (due to misconfiguration) as their more popular counterparts, according to the latest research by Comparitech's cybersecurity research team.
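The "list, download, and/or upload" exposure the researchers describe comes down to which predefined Storage roles a bucket grants to the two public principals, allUsers and allAuthenticatedUsers. The following is an added example, not Comparitech's tooling: it takes a bucket IAM policy in the JSON shape that `gsutil iam get gs://BUCKET` returns, maps the public bindings to the concrete capabilities they confer, and reports whether the bucket is public at all. The three policies are constructed for the demo, and the role-to-capability table is limited to the predefined roles named in it; legacy object ACLs on buckets without uniform bucket-level access are a separate check that this example does not cover.

```python
# Added example, not Comparitech's scanner: assess a Google Cloud Storage
# bucket IAM policy (shape of `gsutil iam get` / the JSON API) for grants to
# the public principals.  Policies below are constructed for the demo.

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Capabilities implied by the predefined Storage roles that matter here
# (objects.list -> "list", objects.get -> "read", objects.create -> "write").
ROLE_CAPABILITIES = {
    "roles/storage.legacyBucketReader": {"list"},
    "roles/storage.legacyObjectReader": {"read"},
    "roles/storage.objectViewer": {"list", "read"},
    "roles/storage.objectCreator": {"write"},
    "roles/storage.legacyBucketWriter": {"list", "write", "delete"},
    "roles/storage.objectAdmin": {"list", "read", "write", "delete"},
    "roles/storage.admin": {"list", "read", "write", "delete", "admin"},
}

# Constructed policies: private, world-readable, and writable by any Google account.
PRIVATE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]},
    {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
]}
PUBLIC_READ_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
]}
PUBLIC_WRITE_POLICY = {"bindings": [
    {"role": "roles/storage.objectCreator",
     "members": ["allAuthenticatedUsers", "user:ops@example.com"]},
]}


def assess_bucket_policy(policy):
    """Map each public principal in the policy to the capabilities it gets.
    Unknown (custom) roles are reported by name rather than silently ignored,
    and conditional bindings are counted as if the condition held."""
    exposure = {}
    for binding in policy.get("bindings", []):
        public = set(binding.get("members", [])) & PUBLIC_PRINCIPALS
        if not public:
            continue
        role = binding["role"]
        caps = ROLE_CAPABILITIES.get(role, {f"unknown role {role}"})
        for principal in public:
            exposure.setdefault(principal, set()).update(caps)
    return exposure


def is_public(policy):
    return bool(assess_bucket_policy(policy))


def describe(name, policy):
    """One-line verdict per bucket, suitable for a report."""
    exposure = assess_bucket_policy(policy)
    if not exposure:
        return f"{name}: not public"
    parts = [f"{p} can {', '.join(sorted(c))}" for p, c in sorted(exposure.items())]
    return f"{name}: PUBLIC ({'; '.join(parts)})"


if __name__ == "__main__":
    for name, policy in (("private-bucket", PRIVATE_POLICY),
                         ("public-read-bucket", PUBLIC_READ_POLICY),
                         ("open-upload-bucket", PUBLIC_WRITE_POLICY)):
        print(describe(name, policy))
```

allAuthenticatedUsers is as public as allUsers for practical purposes, since any Google account qualifies, which is why the example treats both the same; an "upload" finding (objectCreator or broader) is the one that lets a bucket be abused for hosting malware or defacing a site, not just leaking data.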

Firefox 81 Release Kills High-Severity Code-Execution Bugs Mozilla patched high-severity vulnerabilities with the release of Firefox 81 and Firefox ESR 78.3, including several that could be exploited to run arbitrary code. Two severe bugs (CVE-2020-15674 and CVE-2020-15673) are memory-safety bugs of the kind that can lead to memory corruption such as buffer overflows. CVE-2020-15674 was reported in Firefox 80, while CVE-2020-15673 was reported in Firefox 80 and Firefox ESR 78.2.

Healthcare lags behind in critical vulnerability management, banks hold their ground Vulnerability management is a key component of modern strategies to combat cyberattackers, but which industries perform well in this area? The general public faces phishing attempts, spam, malvertising, and more in their daily lives. However, in the business realm, successfully targeting major companies, including banks, industrial giants, and medical facilities, can be far more lucrative for cybercriminals.

This is why the nasty Bluetooth hole does not affect Koronavilkku: "I keep it on without worry" The Bluetooth vulnerability called BLESA, which affects up to billions of devices, has no effect on Koronavilkku (Finland's COVID-19 exposure notification app), even though the app relies on the Bluetooth Low Energy (BLE) feature that has been found to be problematic. This is according to Sami Köykkä, technology specialist at Solita, the company that built Koronavilkku, on Twitter. Using Koronavilkku is safe because it does not use the function needed to exploit the vulnerability.

A tip from a kid helps detect iOS and Android scam apps with 2.4 million downloads Researchers said that a tip from a child led them to discover aggressive adware and exorbitant prices lurking in iOS and Android smartphone apps with a combined 2.4 million downloads from the App Store and Google Play. Posing as apps for entertainment, wallpaper images, or music downloads, some of the titles served intrusive ads even when an app wasn't active. To prevent users from uninstalling them, the apps hid their icon, making it hard to identify where the ads were coming from.

Emotet double blunder: fake Windows 10 Mobile and outdated messages The Emotet botnet has switched up their malicious spamming campaign and is now heavily distributing password-protected archives to bypass email security gateways. This campaign started on Friday with documents claiming to be created on the expired Windows 10 Mobile and continued with a large volume of messages pretending to be made on Android.

Russia wants to ban the use of secure protocols such as TLS 1.3, DoH, DoT, ESNI The Russian government is working on updating its technology laws so it can ban the use of modern internet protocols that can hinder its surveillance and censorship capabilities. According to a copy of the proposed law amendments and an explanatory note, the ban targets internet protocols and technologies such as TLS 1.3, DoH, DoT, and ESNI.

Nearly 70% of IT & Security Pros Hone Their Cyber Skills Outside of Work New research shows how security skills are lacking across multiple IT disciplines as well, including network engineers, sysadmins, and cloud developers. Nearly three out of four organizations are struggling with a gap in security skills, and 68% of IT and security professionals say they work on advancing their cyber skills on their own time, outside of work.

Russian hackers use fake NATO training docs to breach govt networks A Russian hacker group known by the names APT28, Fancy Bear, Sofacy, Sednit, and STRONTIUM is behind a targeted attack campaign aimed at government bodies. The group delivered a hard-to-detect strain of Zebrocy Delphi malware under the pretense of providing NATO training materials. Researchers further inspected the files containing the payload and discovered that they impersonated JPG files, showing NATO images when opened on a computer.

NCSC-FI – Guidance on cyber exercises The National Cyber Security Centre, in cooperation with the National Emergency Supply Agency, has produced the manual "Anvisning om cyberövningar" (Guidance on cyber exercises), which is now available in English and Swedish.

NCSC-FI – Manual for cyber exercise Organisers The Finnish National Cyber Security Centre together with the Finnish National Emergency Supply Agency present their “Manual for cyber exercise Organisers”, now available for download in English.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-09-21

JAMK surveyed cyber exercise environments: Europe actively trains against network attacks JAMK University of Applied Sciences in Jyväskylä has surveyed European cyber security exercise environments and their features. The extensive survey is the first of its kind in Europe. It found thirty-nine reported European cyber ranges. Finland reported the most exercise environments of any single country, seven in total.

Slightly broken overlay phishing At the Internet Storm Center, we often receive examples of interesting phishing e-mails from our readers. Of course, this is not the only source of interesting malicious messages in our inboxes; sometimes the phishing authors cut out the middleman and send their creations directly to us. Last week, this was the case with a slightly unusual (and slightly broken) phishing, which tries to use legitimate pages overlaid with a fake login prompt.

The ransomware crisis is getting worse. We need to make these four big changes The cruel march of ransomware has apparently reached a grim new milestone. In Germany, authorities are investigating the death of a patient during a ransomware attack on a hospital; according to reports, the woman, who needed urgent medical care, died after being re-routed to a hospital further away, as a nearer hospital was in the midst of dealing with a ransomware attack. Elsewhere ransomware continues to create painful, if less tragic, disruptions. The UK’s cybersecurity agency has just warned that ransomware groups are launching ‘reprehensible’ attacks against universities as the new academic year starts.

Threat Landscape Trends: Endpoint Security, Part 1 In the ongoing battle to defend your organization, deciding where to dedicate resources is vital. To do so efficiently, you need to have a solid understanding of your local network topology, cloud implementations, software and hardware assets, and the security policies in place. On top of that, you need to have an understanding of what's traveling through and residing in your environment, and how to respond when something is found that shouldn't be there.

NSA's tool raised suspicions among security professionals; CUJO's Finnish team put it to use Go has quickly become the new favourite of malware authors. CUJO AI's Finland-based laboratory has noticed this in IoT devices. According to Kimmo Kasslin, who heads the security laboratory at security company CUJO AI, Go's popularity is mainly due to the spread of IoT botnets.

Strava app shows your info to nearby users unless this setting is disabled Popular running and cycling app Strava can expose your information to nearby strangers, which has sparked privacy concerns among its users. After learning of this information sharing feature, some fear this functionality can be abused for stalking and “predatory” motives. Previously, Strava had published heatmaps generated from 13 trillion GPS coordinates from joggers’ data, which inadvertently exposed the locations of military bases around the world, including those in the U.S.

Activision Accounts Hacked? 500,000 Call Of Duty Players Could Be Affected, Report Says According to reports, more than 500,000 Activision accounts may have been hacked, with login data compromised. The eSports site Dexerto has reported that a data breach occurred on Sunday, September 20. The credentials to access these accounts are, Dexerto said, being leaked publicly, and account details changed to prevent easy recovery by the rightful owners. Activision accounts are mostly used by players of the hugely popular Call of Duty franchise.

What to Expect When Reporting Vulnerabilities to Microsoft At the Microsoft Security Response Center (MSRC), our primary mission is to help protect our customers. One of the ways we do this is by working with security researchers to discover security vulnerabilities in our services and products, and then making sure those that pose a threat to customers get fixed. Many researchers report these types of issues to many different companies, and how these companies manage their process for receiving, assessing, and fixing them can vary considerably. So, we would like to let you know what you can do to help speed your submission through our process when reporting security vulnerabilities to Microsoft, and what to expect afterwards.

Daily NCSC-FI news followup 2020-09-20

Hackers leak details of 1,000 high-ranking Belarus police officers A group of hackers has leaked on Saturday the names and personal details of more than 1,000 high-ranking Belarusian police officers in response to violent police crackdowns against anti-government demonstrations. The leaked data included names, dates of birth, and the officers’ departments and job titles.

Google App Engine feature abused to create unlimited phishing pages A newly discovered technique by a researcher shows how Google's App Engine domains can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products. Google App Engine is a cloud-based service platform for developing and hosting web apps on Google's servers. While reports of phishing campaigns leveraging enterprise cloud domains are nothing new, what makes Google App Engine infrastructure risky is how the subdomains get generated and how paths are routed.
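The routing behaviour referred to above can be turned into a defensive check. App Engine serves a project at `PROJECT_ID.appspot.com` (newer deployments use `PROJECT_ID.REGION_ID.r.appspot.com`) and addresses a particular version and service through a `VERSION-dot-SERVICE-dot-PROJECT_ID` prefix; because a request that names a version or service which does not exist is still routed to the project's default service, a single project is reachable through an effectively unlimited set of hostnames, which defeats filters and reputation lookups keyed on the full hostname. The Python below is an added example, not code from the article or from Google: it collapses any such hostname to its project ID so that one blocklist entry or alert rule covers every variant. The project IDs and URLs in it are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# App Engine hostname shapes as documented by Google:
#   PROJECT_ID.appspot.com
#   PROJECT_ID.REGION_ID.r.appspot.com
#   VERSION-dot-SERVICE-dot-PROJECT_ID[.REGION_ID.r].appspot.com
# "-dot-" stands in for "." so that one wildcard certificate still matches.
_APPSPOT = re.compile(
    r"^(?P<labels>[a-z0-9-]+)(?:\.(?P<region>[a-z]{2,3})\.r)?\.appspot\.com$"
)


def _hostname(url_or_host: str) -> str:
    """Accept either a full URL or a bare host[:port] and return the host, lowercased."""
    if "://" in url_or_host:
        return (urlsplit(url_or_host).hostname or "").lower()
    return url_or_host.split("/", 1)[0].split(":", 1)[0].lower()


def canonical_appengine_project(url_or_host: str):
    """Return the App Engine project ID behind a URL or hostname, or None if the
    host is not an appspot.com name (including look-alikes such as
    x-dot-proj.appspot.com.evil.example, which the anchored regex rejects)."""
    host = _hostname(url_or_host).rstrip(".")
    m = _APPSPOT.match(host)
    if not m:
        return None
    # Whatever precedes the last "-dot-" is version/service routing and may be
    # arbitrary (soft routing sends unknown names to the default service), so
    # only the final label identifies the application.
    labels = m.group("labels").split("-dot-")
    return labels[-1]


def collapse_by_project(urls):
    """Group observed URLs by project ID: the result shows how many distinct
    hostnames an attacker used for the same application."""
    groups = defaultdict(set)
    for url in urls:
        project = canonical_appengine_project(url)
        if project:
            groups[project].add(_hostname(url))
    return dict(groups)


if __name__ == "__main__":
    # Constructed samples: three hostnames, one application.
    seen = [
        "https://20200920t1-dot-mail-dot-phish-proj-1234.appspot.com/login",
        "https://anything-dot-phish-proj-1234.uc.r.appspot.com/login",
        "https://phish-proj-1234.appspot.com/login",
    ]
    for project, hosts in collapse_by_project(seen).items():
        print(project, "->", sorted(hosts))
```

Matching on the project ID rather than the hostname is what makes a blocklist entry survive the attacker's next batch of generated subdomains; the same canonicalisation belongs in proxy logs so that hits on one project can be counted together.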

The Cybersecurity Threat No One Talks About Is A Simple Code QR codes are going through a renaissance today. Businesses are focusing on how they can protect employees, customers and suppliers during the pandemic by adopting touchless transactions and services to provide a safer, more streamlined buying experience. Fraudsters are quick to capitalize on the opportunity that QR codes' soaring popularity presents, too. Combining social engineering with QR codes that can be created in a second, fraudsters are using them to open victims' bank accounts and drain them within seconds, install malware, penetrate entire corporate networks and more.

Analysis of Salesforce Phishing Emails Over the past week, I have noticed several phishing emails linked to Salesforce asking recipients to confirm their email address.

Daily NCSC-FI news followup 2020-09-19

5 ways cybercriminals can try to extort you When it comes to coercing people into parting with their money, cybercriminals seem to have an endless bag of tricks to choose from. There are some tricks that they favor more than others, one of which is extortion. According to the FBI's latest Internet Crime Report, US victims of extortion lost some US$107.5 million to these crimes last year.

Stubborn WooCommerce Plugin Bugs Get Third Patch E-commerce sites using the WordPress plugin Discount Rules for WooCommerce are being urged to patch two high-severity cross-site scripting flaws that could allow an attacker to hijack a targeted site. Two fixes for the flaws, the first available on Aug. 22 and the second on Sept. 2, failed to patch the problem. A third round of patches for the bugs became available to customers on Sept. 9. On Thursday, the Wordfence Threat Intelligence researchers who had been tipped off to the vulnerabilities publicly disclosed the flaws and offered a technical analysis.

Firefox bug lets you hijack nearby mobile browsers via WiFi Mozilla has fixed a bug that can be abused to hijack all the Firefox for Android browsers on the same WiFi network and force users to access malicious sites, such as phishing pages. The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab. The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (such as sharing video streams with a Roku device).
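The article does not show Mozilla's fix, so the following Python is an added illustration of the bug class it describes, not Firefox's code. SSDP responses are plain text sent over UDP, and the `LOCATION` header of a response is a URL that the discovering client is expected to fetch. Any host on the LAN can answer an M-SEARCH, so a client that hands that value to an opener capable of launching non-web schemes gives the whole LAN control over what the app opens. The example parses a response and puts the trusting `vulnerable_pick_location` next to a `hardened_pick_location` that accepts only http(s) URLs with a host and, optionally, only answers to the search target actually requested. Both responses are constructed samples; the `intent://` shape of the hostile one is an assumption made for illustration, the page only says the bug forces users to malicious sites.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed samples. A benign answer from a media device on the LAN ...
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=3600\r\n"
    b"ST: roku:ecp\r\n"
    b"USN: uuid:roku:ecp:EXAMPLE0001\r\n"
    b"LOCATION: http://192.168.1.50:8060/\r\n"
    b"\r\n"
)
# ... and a hostile one whose LOCATION is not a web URL at all (assumed shape).
MALICIOUS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"ST: roku:ecp\r\n"
    b"USN: uuid:roku:ecp:EXAMPLE0002\r\n"
    b"LOCATION: intent://attacker.example/phish#Intent;scheme=http;end\r\n"
    b"\r\n"
)


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP (HTTP-over-UDP) response into a dict of lowercased header
    names. Anything that is not a '200 OK' yields an empty dict."""
    text = raw.decode("latin-1", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def vulnerable_pick_location(headers: dict):
    """Before: whatever the network sent is handed to the URL opener verbatim."""
    return headers.get("location")


def hardened_pick_location(headers: dict, expected_st: str = None):
    """After: only a web URL with a host is ever dereferenced, and only from a
    response to the search target we actually asked for."""
    if expected_st is not None and headers.get("st") != expected_st:
        return None
    location = headers.get("location")
    if not location:
        return None
    parts = urlsplit(location)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    return location


if __name__ == "__main__":
    for raw in (BENIGN_RESPONSE, MALICIOUS_RESPONSE):
        h = parse_ssdp_response(raw)
        print("trusting:", vulnerable_pick_location(h))
        print("hardened:", hardened_pick_location(h, expected_st="roku:ecp"))
```

The scheme allowlist is the essential check; restricting accepted responses to the requested `ST` and ignoring anything that is not a `200 OK` removes further unsolicited input from the LAN. Fetching the device description XML afterwards still needs its own limits (size, timeout, no redirects off the local network), which this example does not cover.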

Tutanota encrypted email service suffers DDoS cyberattacks Encrypted email service Tutanota has experienced a series of DDoS attacks this week, first targeting the Tutanota website and then its DNS providers. This caused several hours of downtime for millions of Tutanota users. The outage was further exacerbated by the fact that different DNS servers continued to cache the incorrect entries for the domain. Tutanota is a German provider of end-to-end encrypted email with over 2 million users. The company is frequently cited alongside popular encrypted email providers like ProtonMail.

CISA Releases Emergency Directive on Microsoft Windows Netlogon Remote Protocol The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive (ED) 20-04 addressing a critical vulnerability, CVE-2020-1472, affecting the Microsoft Windows Netlogon Remote Protocol. An unauthenticated attacker with network access to a domain controller could exploit this vulnerability to compromise all Active Directory identity services.

Woman died in an ambulance after a cyberattack jammed a German hospital's IT system; prosecutor opens a rare homicide investigation If the investigation leads to charges, it would according to Reuters be the first time a person's death has been directly linked to a cyberattack. The charge would be negligent homicide. On Friday, prosecutors in Germany opened a rare homicide investigation in which a woman is suspected to have died as a result of a cyberattack on a hospital, the news agency Reuters reports.

Daily NCSC-FI news followup 2020-09-18

RampantKitten: An Iranian Surveillance Operation unraveled Check Point Research has unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years. While some individual sightings of this attack were previously reported by other researchers and journalists, our investigation allowed us to connect the several different campaigns and attribute all of them to the same attackers. Full research:

Chinese Antivirus Firm Was Part of APT41 Supply Chain Attack The U.S. Justice Department this week indicted seven Chinese nationals for a decade-long hacking spree that targeted more than 100 high-tech and online gaming companies. The government alleges the men used malware-laced phishing emails and supply chain attacks to steal data from companies and their customers. One of the alleged hackers was first profiled here in 2012 as the owner of a Chinese antivirus firm.

Is domain name abuse something companies should worry about? Even though some organizations and companies may not realize it, their domain name is an important asset. Their web presence can even make or break companies. Therefore, domain name abuse is something that can ruin your reputation.

A real-life Maze ransomware attack If at first you don't succeed... You've probably heard terms like spray-and-pray and fire-and-forget applied to cybercriminality, especially if your involvement in cybersecurity goes back to the early days of spamming and scamming. Those phrases recognise that sending unsolicited email is annoyingly cheap and easy for cybercrooks, who generally don't bother running servers of their own; they often just rent email bandwidth from other crooks.

Plugging in a strange USB drive What could possibly go wrong? External data storage devices have been around almost as long as computers have existed. Magnetic tape and floppy disks, which were once the dominant media, are now mostly fond memories, while optical discs are mostly used in gaming consoles. For the past 20 years, the dominant player on the external storage scene has been the USB flash drive. No wonder: over the years, their storage capacity has increased, and their prices have dropped.

U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence The U.S. government on Thursday imposed sweeping sanctions against an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target Rana Intelligence Computing Company (or Rana), which the agencies said operated as a front for the threat group APT39 (aka Chafer or Remix Kitten). Also:

A Mix of Python & VBA in a Malicious Word Document A few days ago, Didier wrote an interesting diary about objects embedded in an Office document[1]. I had a discussion about an interesting OLE file that I found. Because it used the same technique, I let Didier publish his diary first. Now, let's have a look at the document.

Apple Bug Allows Code Execution on iPhone, iPad, iPod The release of iOS 14 and iPadOS 14 brings fixes for 11 bugs, some rated high-severity. Apple has updated its iOS and iPadOS operating systems, addressing a wide range of flaws in its iPhone, iPad and iPod devices. The most severe of these could allow an adversary to exploit a privilege-escalation vulnerability against any of the devices and ultimately gain arbitrary code execution.

US charges Iranian hackers for breaching US satellite companies Three Iranian nationals have been indicted on charges of hacking US aerospace and satellite companies, the US Department of Justice announced today. Federal prosecutors accused Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati of orchestrating a years-long hacking campaign on behalf of the Iranian government. The hacking spree started in July 2015 and targeted a broad spectrum of victim organizations from both the US and abroad, from which they stole commercial information and intellectual property, officials said today.

Students targeted by scam calls; University of Helsinki warns of fake technical support The University of Helsinki warns of scam calls made in its name. The university writes on Twitter that the scammers pose as technical support. The calls may come from a genuine-looking number, because the criminals use spoofed numbers. The criminals behind the scam calls try to get a remote-administration program installed on the user's computer. With this program the scammers can take control of the machine.

Leading U.S. laser developer IPG Photonics hit with ransomware IPG Photonics, a leading U.S. developer of fiber lasers for cutting, welding, medical use, and laser weaponry, has suffered a ransomware attack that is disrupting its operations. Based in Oxford, Massachusetts, IPG Photonics has locations worldwide, employs over 4,000 people and had $1.3 billion in revenue in 2019. The company's lasers were used as part of the U.S. Navy's Laser Weapon System (LaWS) that was installed on the USS Ponce. This system is an experimental defensive weapon against small threats and vehicles.

Indictments Unlikely to Deter China's APT41 Activity So far, at least, the threat group has not let public scrutiny slow it down, security researchers say. Security researchers hold little hope that indictments unsealed this week against five members of the China-based APT41 threat group will deter it from acting with the same impunity it has for the past several years. The US Department of Justice on Wednesday unsealed two indictments, one from August 2019 and the other from August 2020, charging five members of APT41 with computer intrusions, including ransomware attacks and cryptojacking schemes at over 100 companies in the US and abroad.

Spammers use hexadecimal IP addresses to evade detection A spam group has picked up a pretty clever trick that has allowed it to bypass email filters and security systems and land in more inboxes than usual. The trick relies on a quirk in RFC 791, the standard that describes the Internet Protocol (IP): the address in a link is written as a hexadecimal (or octal, or single decimal) number rather than as the familiar dotted quad, which browsers still resolve to the same host while simple URL filters fail to recognise it.
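As a worked example of that parsing quirk (added here, not taken from the article or from any vendor), the Python below reduces the forms an IPv4 literal may take in a URL host to the usual dotted quad: one to four dot-separated components, each decimal, octal (leading `0`) or hexadecimal (leading `0x`), with the final component filling the bytes that remain, which also covers the single 32-bit integer form. A URL filter that canonicalises the host this way before comparing it with a blocklist is not fooled by `http://0xc0a80001/` or `http://0300.0250.0.1/`. The sample URLs and the blocklist entry are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")          # "0", "017", "0300" ...
_DEC = re.compile(r"[1-9][0-9]*")


def _parse_component(part: str) -> int:
    """One dot-separated component, in the bases inet_aton-style parsers accept."""
    if _HEX.fullmatch(part):
        return int(part, 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    raise ValueError(f"not a numeric component: {part!r}")


def normalize_ipv4_literal(literal: str):
    """Return the canonical dotted quad for a literal of the shape a, a.b,
    a.b.c or a.b.c.d (components decimal/octal/hex), or None if the string
    is not such a literal (hostnames, IPv6, out-of-range values)."""
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    # Every component but the last is one byte; the last spans the rest.
    if any(v > 0xFF for v in values[:-1]):
        return None
    tail_bytes = 5 - len(values)
    if values[-1] >= 1 << (8 * tail_bytes):
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | values[-1]
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonicalize_url_host(url: str) -> str:
    """Rewrite the host of a URL to dotted-quad form when it is an IPv4
    literal in disguise; any other URL is returned unchanged."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return url
    quad = normalize_ipv4_literal(host)
    if quad is None:
        return url
    userinfo = parts.netloc.rsplit("@", 1)[0] + "@" if "@" in parts.netloc else ""
    netloc = userinfo + (quad if parts.port is None else f"{quad}:{parts.port}")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def is_blocked(url: str, blocked_hosts) -> bool:
    """Blocklist lookup on the canonical host, so every spelling of an address matches."""
    return urlsplit(canonicalize_url_host(url)).hostname in blocked_hosts


if __name__ == "__main__":
    blocklist = {"192.168.0.1"}          # constructed entry
    for link in ("http://0xc0a80001/login", "http://0300.0250.0.1:8080/x", "http://3232235521/"):
        print(link, "->", canonicalize_url_host(link), "blocked:", is_blocked(link, blocklist))
```

The generalisation beyond the article's hexadecimal case is deliberate: the same parsers accept octal and mixed forms, so a filter that handles only `0x` prefixes is still bypassable.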

Test your web service's security: a comparison of 6 open-source security scanners It pays to know the open-source security scanners that crackers use. The best of them also help in verifying security. In recent years it has been impossible to avoid news of data leaks of millions of usernames and passwords. Among them have been services used by many Finns, such as Adobe, MyFitnessPal and MyHeritage. The cases have raised the need to find and fix security holes in web applications before the criminals do. Hunting for flaws requires good methods.

Yet another scam arrives from abroad: money taken from credit cards under the reference "Facebk" The credit card charges have often been made from abroad, which is why investigating the frauds can be difficult. Scammers are ever more inventive. The Inner Finland police department warns of new postal and "Facebk" frauds, which were reported to the police this week. In the postal scam attempts, according to the police, the victim received a text message saying that a parcel is on its way but postage is outstanding. The link in the message leads to a phishing site that asks for the person's bank credentials.

Daily NCSC-FI news followup 2020-09-17

Ransomware attack at German hospital leads to death of patient A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.

Scam text messages sent in the name of Posti are reaching Finns very actively. Ilta-Sanomat Digitoday has received several reports of messages sent last weekend and this week.

Zerologon hacking Windows servers with a bunch of zeros The big, bad bug of the week is called Zerologon. As you can probably tell from the name, it involves Windows (everyone else talks about logging in, but on Windows you've always very definitely logged on) and it is an authentication bypass, because it lets you get away with using a zero-length password.
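To make the "bunch of zeros" concrete, here is an added example (not from the Sophos article, from CISA's directive above, or from Microsoft) of the cipher-mode property behind CVE-2020-1472. MS-NRPC's ComputeNetlogonCredential encrypts the 8-byte challenge with AES-CFB8 under the session key using an all-zero IV. CFB8 derives each ciphertext byte from the first byte of the block cipher applied to a shift register that starts as the IV and then takes in ciphertext bytes, so an all-zero challenge encrypts to an all-zero credential whenever the first byte of E(key, 0^16) is zero, i.e. for about 1 key in 256; a client that keeps sending a zero challenge and a zero credential is therefore accepted after a few hundred attempts on average, which is the first step of the published attack (the follow-on step of setting an empty machine password is what the article's "zero-length password" refers to). The block below uses a keyed-hash stand-in for AES so that it runs on the standard library alone; the argument depends only on the block function being deterministic, and the trial keys are constructed, not real session keys.

```python
import hashlib

BLOCK = 16  # block size in bytes (AES uses 16)


def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES: keyed SHA-256 truncated to one block. It is NOT AES
    and not a secure cipher; the CFB8 property below needs only a
    deterministic block function, which is all this provides."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes, block_fn=prf_block) -> bytes:
    """CFB with an 8-bit segment: keystream byte = first byte of E(key, register);
    the register then drops its oldest byte and appends the ciphertext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream = block_fn(key, bytes(register))[0]
        c = p ^ keystream
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes, block_fn=prf_block) -> bytes:
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        keystream = block_fn(key, bytes(register))[0]
        out.append(c ^ keystream)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes, block_fn=prf_block) -> bytes:
    """Mirrors the AES variant of MS-NRPC ComputeNetlogonCredential: CFB8 over
    the 8-byte challenge with an all-zero IV (the fixed IV is the defect)."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge, block_fn)


def accepts_zero_credential(session_key: bytes, block_fn=prf_block) -> bool:
    """True when a client sending challenge 0 and credential 0 would validate:
    the register never leaves the all-zero state, so every keystream byte is
    E(key, 0^16)[0], and the credential is all zeros iff that byte is 0."""
    return compute_netlogon_credential(session_key, bytes(8), block_fn) == bytes(8)


def weak_key_fraction(trials: int = 4096, seed: bytes = b"constructed-demo-seed") -> float:
    """Share of constructed session keys for which the zero credential validates;
    expected near 1/256, matching the ~256 attempts the attack needs on average."""
    hits = 0
    for i in range(trials):
        key = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:BLOCK]
        hits += accepts_zero_credential(key)
    return hits / trials


if __name__ == "__main__":
    print("fraction of keys accepting a zero credential:", weak_key_fraction())
```

The same reasoning is why the fix is not a bigger key or a rate limit on its own: any fixed IV in CFB8 leaves a 1-in-256 chance per session key, and the Netlogon handshake let the attacker pick a fresh session key on every attempt. Microsoft's patch enforces secure RPC on the channel, as ED 20-04 above requires agencies to deploy.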

Emotet strikes Quebec's Department of Justice: An ESET Analysis The cyberattack, which affected 14 inboxes belonging to the Department of Justice, was confirmed by ESET researchers.

Ransomware warning: Hackers are launching fresh attacks against universities Cybersecurity agency warns about a spike in ransomware attacks targeting universities and colleges.

Maze ransomware now encrypts via virtual machines to evade detection The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang: encrypting a computer's files from within a virtual machine.

A New Botnet Attack Just Mozied Into Town A relatively new player in the threat arena, the Mozi botnet, has spiked among Internet of things (IoT) devices, IBM X-Force has discovered.

Two Russians Charged in $17M Cryptocurrency Phishing Spree U.S. authorities today announced criminal charges and financial sanctions against two Russian men accused of stealing nearly $17 million worth of virtual currencies in a series of phishing attacks throughout 2017 and 2018 that spoofed websites for some of the most popular cryptocurrency exchanges.

Daily NCSC-FI news followup 2020-09-16

Data leak: a Chinese company's surveillance list contains 799 Finns, including politicians and their inner circles. See how the Finns are categorised An exceptional data leak reveals which Finnish influencers interest China.

Long-lasting autumn storm worries electricity companies: "Several times the usual number of staff on standby" Electricity companies operating in Central Ostrobothnia have clearly raised their preparedness for a strong and exceptionally long-lasting autumn storm.

More and more people worry about security threats to those close to them According to a consumer survey commissioned by the Finnish Transport and Communications Agency Traficom in late spring, Finns perceive security-related threats as significant far more widely than before. However, the ability to protect against these threats is not felt to have improved to the same extent. At the same time, internet-connected smart devices have become more common in homes.

Billions of devices vulnerable to new ‘BLESA’ Bluetooth security flaw New BLESA attack goes after the often ignored Bluetooth reconnection process, unlike previous vulnerabilities, most found in the pairing operation.

DDoS Attacks Skyrocket as Pandemic Bites More people being online during lockdowns and work-from-home shifts has proven to be lucrative for DDoS-ers.

US charges two hackers for defacing US websites following Soleimani killing US authorities have tracked down the two hackers behind a January 2020 mass-defacement campaign.

FBI adds 5 Chinese APT41 hackers to its Cyber's Most Wanted List The United States government today announced charges against 5 alleged members of a Chinese state-sponsored hacking group and 2 Malaysian hackers who are responsible for hacking more than 100 companies throughout the world.

Koronavilkku passes two million downloads; 218 have reported an infection Infections have been reported in Koronavilkku in the same proportion as the app has been adopted.

LockBit ransomware launches data leak site to double-extort victims The LockBit ransomware gang has launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying a ransom.

Payments stopped, three arrested in medical supplies fraud case Three members of an international crime syndicate wanted for tricking an Italian company into making fraudulent payments for non-existent medical equipment were arrested in Indonesia, in a case supported by INTERPOL.

Cerberus banking Trojan source code released for free to cyberattackers An auction designed to net the developer of the Android malware $100,000 failed.

Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale Today, we're excited to release this new tool called Project OneFuzz, an extensible fuzz testing framework for Azure. Available through GitHub as an open-source tool, the testing framework used by Microsoft Edge, Windows, and teams across Microsoft is now available to developers around the world.

This security awareness training email is actually a phishing scam A creative phishing campaign uses an email template that pretends to be a reminder to complete security awareness training from a well-known security company.

Worried about bootkits, rootkits, UEFI nasties? Have you tried turning on Secure Boot, asks the No Sh*! Agency The NSA has published online a guide for IT admins to keep systems free of bootkits and rootkits. See also:

Improved malware protection for users in the Advanced Protection Program Google's Advanced Protection Program helps secure people at higher risk of targeted online attacks, like journalists, political organizations, and activists, with a set of constantly evolving safeguards that reflect today's threat landscape.