Daily NCSC-FI news followup 2019-06-04

Headhunting Firm Leaks Millions of Resumes, Client Private Data
A misconfigured and publicly accessible ElasticSearch cluster owned by
FMC Consulting, a Chinese headhunting company, leaked millions of
resumes and company records, as well as customers and employees PII
data.. The database containing hundreds of thousands of customer
records, internal emails, as well as employees daily tasks and calls
they made while contacting clients was left unprotected, exposing all
the data to anyone who knew where and how to look for it.. The
database contained among other data: 20,539,522 resumes ; 9082
company contracts ; 884,178 mail logs with complete email body

Threat actors cobble together open-source pieces into monstrous
Frankenstein campaign
Cisco Talos recently identified a series of documents that we believe
are part of a coordinated series of cyber attacks that we are calling
the Frankenstein campaign. We assess that the attackers carried out
these operations between January and April 2019 in an effort to
install malware on users machines via malicious documents. . We assess
that this activity was hyper-targeted given that there was a low
volume of these documents in various malware repositories.
Frankenstein the name refers to the actors ability to piece together
several unrelated components leveraged four different open-source
techniques to build the tools used during the campaign.. The actors’
preference for open-source solutions appears to be part of a broader
trend in which adversaries are increasingly using publicly available
tools. A campaign that leverages custom tools is more easily
attributed to the tools’ developers. This growing trend highlights
that highly trained operators are increasingly using unsophisticated
tools to accomplish their goals.

Zebrocy APT Group Expands Malware Arsenal with New Backdoor Family
Zebrocy, a Russian-speaking advanced persistent threat (APT) actor
associated with numerous attacks on government, military, and foreign
affairs-related targets since at least 2015 is back at it again..
Researchers from Kaspersky Lab say they have observed the group using
a new downloader to deploy a recently developed backdoor family on
organizations in multiple countries, including Germany, the United
Kingdom, Iran, Ukraine, and Afghanistan.. Kaspersky Lab itself
considers the team using Zebrocy as a sort of separate subgroup that
shares its lineage with Sofacy/Fancy Bear and the BlackEnergy/Sandworm
APT group that is believed to be behind a series of disruptive attacks
on Ukraine’s power grid in 2015.. See also –

Remote Desktop Zero-Day Bug Allows Attackers to Hijack Sessions
A new zero-day vulnerability has been disclosed that could allow
attackers to hijack existing Remote Desktop Services sessions in order
to gain access to a computer.. The flaw can be exploited to bypass the
lock screen of a Windows machine, even when two-factor authentication
(2FA) mechanisms such as Duo Security MFA are used. Other login
banners an organization may set up are also bypassed.. The exploit
does require physical access to the machine from which the RDP session
is initiated from.

The Cost of Cybercrime
In 2012 we presented the first systematic study of the costs of
cybercrime. In this paper,we report what has changed in the seven
years since. The period has seen major platform evolution, with the
mobile phone replacing the PC and laptop as the consumer terminal of
choice, with Android replacing Windows, and with many services moving
to the cloud.The use of social networks has become extremely
widespread. The executive summary is that about half of all pro. The
big money is still in tax fraud, welfare fraud, VAT fraud, and so on.
We spend more money on cyber defense than we do on the actual losses.
Criminals largely act with impunity. They don’t believe they will get
caught, and mostly that’s correct. . Bottom line: the technology has
changed a lot since 2012, but the economic considerations remain

Hackers slurp 19 years of Australian student data in uni’s second
breach within a year
We believe there was unauthorised access to significant amounts of
personal staff, student and visitor data extending back 19 years..
Depending on the information you have provided to the University, this
may include names, addresses, dates of birth, phone numbers, personal
email addresses and emergency contact details, tax file numbers,
payroll information, bank account details, and passport details.
Student academic records were also accessed.

Windows 10 Apps Hit by Malicious Ads that Blockers Won’t Stop
Windows 10 users in Germany are reporting that while using their
computer, their default browser would suddenly open to malicious and
scam advertisements. These advertisements are being shown by
malvertising campaigns on the Microsoft Advertising network that are
being displayed in ad supported apps.. As these ads are being
displayed because of ad-supported apps, any ad blockers you have
installed in your browsers will not prevent the pages from loading.
This is because the scripts that are normally blocked by ad blockers
are being executed in the app and Windows 10 is just launching a web
page in your browser.

Report: No Eternal Blue Exploit Found in Baltimore City Ransomware
According to Joe Stewart, a seasoned malware analyst now consulting
with security firm Armor, the malicious software used in the Baltimore
attack does not contain any Eternal Blue exploit code. Stewart said he
obtained a sample of the malware that he was able to confirm was
connected to the Baltimore incident.

Experts Urge Defense-in-Depth Approach to Security Training
Its very important to do as an organization, but running a phishing
awareness campaign alone doesnt protect you. Security training could
also include elements such as: password management; safe internet
usage, data handling and downloads; and compliance requirements, for
example.. Staff training should be combined with sandboxing, threat
intelligence and other security controls for true defense-in-depth,
argued Kershaw.

You might be interested in …

Daily NCSC-FI news followup 2021-01-29

“Kun Vastaamo-tiedosto poistetaan yhdestä paikasta, se ilmestyy kahteen uuteen” poliisilta vahva vetoomus netin käyttäjille www.is.fi/digitoday/tietoturva/art-2000007768820.html Vastaamo-tietojen jakaminen ja uudelleenjulkaiseminen on avannut uuden haaran keskusrikospoliisin tutkinnassa. Poliisi peräänkuuluttaa verkon käyttäjiltä yhteiskuntavastuuta. Poliisi vetoaa kansalaisiin, etteivät nämä koskisi Vastaamo-tiedostoon tai jakaisi sitä eteenpäin. Sillä saattaa olla rikosoikeudellisia seurauksia, mutta kyse on myös vastuullisuudesta. – Poliisi korostaa tässä […]

Read More

Daily NCSC-FI news followup 2019-12-23

Finnish government supports local authorities in cyber security initiative www.computerweekly.com/news/252475795/Finnish-government-supports-local-authorities-in-cyber-security-initiative Over 200 of Finlands 311 municipalities have joined the Local Government Anti Cyberspace Threats (LGACT) project to conduct joint IT network defence exercises. Venäjä testasi verkkoyhteyksiä ulkoisen hyökkäyksen varalta yle.fi/uutiset/3-11133312 Venäjän viranomaiset ilmoittavat varautuvansa ääritilanteeseen, jossa maa joutuisi maailmanlaajuisen verkon ulkopuolelle ja eristyksiin muusta maailmasta. […]

Read More

Daily NCSC-FI news followup 2021-08-17

BadAlloc Vulnerability Affecting BlackBerry QNX RTOS us-cert.cisa.gov/ncas/alerts/aa21-229a On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerabilityCVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. myös: www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_24/2021 Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html Today, Mandiant disclosed […]

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.