Daily NCSC-FI news followup 2019-06-04

Headhunting Firm Leaks Millions of Resumes, Client Private Data
A misconfigured and publicly accessible ElasticSearch cluster owned by
FMC Consulting, a Chinese headhunting company, leaked millions of
resumes and company records, as well as customers' and employees' PII
data. The database, containing hundreds of thousands of customer
records, internal emails, and employees' daily tasks and the calls
they made while contacting clients, was left unprotected, exposing all
the data to anyone who knew where and how to look for it. The
database contained, among other data: 20,539,522 resumes; 9,082
company contracts; 884,178 mail logs with complete email bodies.

Threat actors cobble together open-source pieces into monstrous
Frankenstein campaign
Cisco Talos recently identified a series of documents that we believe
are part of a coordinated series of cyber attacks that we are calling
the Frankenstein campaign. We assess that the attackers carried out
these operations between January and April 2019 in an effort to
install malware on users' machines via malicious documents. We assess
that this activity was hyper-targeted given that there was a low
volume of these documents in various malware repositories. The name
Frankenstein refers to the actors' ability to piece together several
unrelated components: they leveraged four different open-source
techniques to build the tools used during the campaign. The actors'
preference for open-source solutions appears to be part of a broader
trend in which adversaries are increasingly using publicly available
tools. A campaign that leverages custom tools is more easily
attributed to the tools' developers. This growing trend highlights
that highly trained operators are increasingly using unsophisticated
tools to accomplish their goals.

Zebrocy APT Group Expands Malware Arsenal with New Backdoor Family
Zebrocy, a Russian-speaking advanced persistent threat (APT) actor
associated with numerous attacks on government, military, and foreign
affairs-related targets since at least 2015, is back at it again.
Researchers from Kaspersky Lab say they have observed the group using
a new downloader to deploy a recently developed backdoor family on
organizations in multiple countries, including Germany, the United
Kingdom, Iran, Ukraine, and Afghanistan. Kaspersky Lab itself
considers the team using Zebrocy a separate subgroup that shares its
lineage with Sofacy/Fancy Bear and the BlackEnergy/Sandworm APT group
that is believed to be behind a series of disruptive attacks on
Ukraine's power grid in 2015.

Remote Desktop Zero-Day Bug Allows Attackers to Hijack Sessions
A new zero-day vulnerability has been disclosed that could allow
attackers to hijack existing Remote Desktop Services sessions in order
to gain access to a computer. The flaw can be exploited to bypass the
lock screen of a Windows machine, even when two-factor authentication
(2FA) mechanisms such as Duo Security MFA are used. Other login
banners an organization may set up are also bypassed. The exploit
does require physical access to the machine from which the RDP session
is initiated.

The Cost of Cybercrime
In 2012 we presented the first systematic study of the costs of
cybercrime. In this paper, we report what has changed in the seven
years since. The period has seen major platform evolution, with the
mobile phone replacing the PC and laptop as the consumer terminal of
choice, with Android replacing Windows, and with many services moving
to the cloud. The use of social networks has become extremely
widespread. The executive summary is that about half of all pro. The
big money is still in tax fraud, welfare fraud, VAT fraud, and so on.
We spend more money on cyber defense than we do on the actual losses.
Criminals largely act with impunity. They don't believe they will get
caught, and mostly that's correct. Bottom line: the technology has
changed a lot since 2012, but the economic considerations remain

Hackers slurp 19 years of Australian student data in uni’s second
breach within a year
We believe there was unauthorised access to significant amounts of
personal staff, student and visitor data extending back 19 years.
Depending on the information you have provided to the University, this
may include names, addresses, dates of birth, phone numbers, personal
email addresses and emergency contact details, tax file numbers,
payroll information, bank account details, and passport details.
Student academic records were also accessed.

Windows 10 Apps Hit by Malicious Ads that Blockers Won’t Stop
Windows 10 users in Germany are reporting that while using their
computer, their default browser would suddenly open to malicious and
scam advertisements. These advertisements are being shown by
malvertising campaigns on the Microsoft Advertising network and are
being displayed in ad-supported apps. Because the ads are being
displayed by ad-supported apps, any ad blockers you have installed in
your browsers will not prevent the pages from loading. This is because
the scripts that are normally blocked by ad blockers are being
executed in the app, and Windows 10 is just launching a web page in
your browser.

Report: No Eternal Blue Exploit Found in Baltimore City Ransomware
According to Joe Stewart, a seasoned malware analyst now consulting
with security firm Armor, the malicious software used in the Baltimore
attack does not contain any Eternal Blue exploit code. Stewart said he
obtained a sample of the malware that he was able to confirm was
connected to the Baltimore incident.

Experts Urge Defense-in-Depth Approach to Security Training
It's very important to do as an organization, but running a phishing
awareness campaign alone doesn't protect you. Security training could
also include elements such as: password management; safe internet
usage, data handling and downloads; and compliance requirements, for
example. Staff training should be combined with sandboxing, threat
intelligence and other security controls for true defense-in-depth,
argued Kershaw.
