Daily NCSC-FI news followup 2019-06-07

A Deep Dive into the Emotet Malware

Emotet is a trojan that is primarily spread through spam emails. During its lifecycle, it has gone through a few iterations. Early versions were delivered as a malicious JavaScript file. Later versions evolved to use macro-enabled Office documents to retrieve a malicious payload from a C2 server. FortiGuard Labs has been tracking Emotet since it was first discovered, and in this blog, I will provide a deep analysis of a new Emotet sample found in early May. This detailed analysis includes how to unpack the persistent payload, how Emotet malware communicates with its C2 servers, how to identify the hard-coded C2 server list and RSA key in the executable, as well as how it encrypts the data it gathers

Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA

In the second part of our Strange Bits series we are taking a closer look at Sodinokibi spam e-mails, CinaRAT and a malware that tries to imitate G DATA. Sodinokibi ransomware was known so far for being installed via an Oracle WebLogic exploit (see Talos’ article). A new campaign uses spam emails with an attached MS Office Word document to download Sodinokibi to the target system. JamesWT found the first sample, Sculabs another one[1]. The email pretends to be a warning letter from the fee collection center of the public-law broadcasting institutions in the Federal Republic of Germany and demands a 213.50 EUR payment.

CIA sextortion an old scam with a new twist

What would you think if you received an e-mail with "Central Intelligence Agency Case #45361978" in the subject line? Would you decide that someone, somewhere had seriously screwed up and accidentally sent you a top-secret file? Or that you're being recruited for the secret services (well, you never know)? Alas, in either case you would almost certainly be mistaken: the e-mails in question are just another extortion trick.

New Brute-Force Botnet Targeting Over 1.5 Million RDP Servers Worldwide

Security researchers have discovered an ongoing sophisticated botnet campaign that is currently brute-forcing more than 1.5 million publicly accessible Windows RDP servers on the Internet. Dubbed GoldBrute, the botnet scheme has been designed in a way to escalate gradually by adding every newly cracked system to its network, forcing them to find further available RDP servers and then brute force them.

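On the victim side, a campaign like GoldBrute shows up in the Windows Security log as a run of failed RemoteInteractive (LogonType 10) logons from one source address, trying many usernames, sometimes followed by a success from the same address. The following is an added example, not code from the article or from the researchers who reported GoldBrute: it runs that detection over constructed, simplified Security-log records (Event ID 4625 failures and 4624 successes with a few of their fields rendered as key=value pairs). The record format, the threshold of five failures and the five-minute window are assumptions for the example; a real export would be parsed from EVTX or XML fields with the same names.

```python
"""Detect RDP (LogonType 10) brute-force bursts, and a success that follows a burst,
from Windows Security log records.

Added example. The record format below is a simplified, constructed rendering of
Event ID 4624/4625 fields (TargetUserName, LogonType, IpAddress), not a real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample records: "<timestamp> <event id> key=value ...".
# 203.0.113.7 sprays five usernames over RDP and then logs in as "scanner".
# 198.51.100.20 is a user who mistypes once and logs in 19 minutes later.
# 198.51.100.21 hammers an SMB/network logon (LogonType 3), which is out of scope here.
SAMPLE_LOG = """\
2019-06-06T10:00:01Z 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-06-06T10:00:03Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2019-06-06T10:00:05Z 4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
2019-06-06T10:00:06Z 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2019-06-06T10:00:08Z 4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2019-06-06T10:00:09Z 4624 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2019-06-06T10:01:00Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2019-06-06T10:02:00Z 4625 LogonType=3 TargetUserName=svc IpAddress=198.51.100.21
2019-06-06T10:02:01Z 4625 LogonType=3 TargetUserName=svc IpAddress=198.51.100.21
2019-06-06T10:02:02Z 4625 LogonType=3 TargetUserName=svc IpAddress=198.51.100.21
2019-06-06T10:02:03Z 4625 LogonType=3 TargetUserName=svc IpAddress=198.51.100.21
2019-06-06T10:02:04Z 4625 LogonType=3 TargetUserName=svc IpAddress=198.51.100.21
2019-06-06T10:20:00Z 4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(.*)$")


def parse_record(line):
    """Parse one constructed record into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return {"ts": ts, "event_id": int(m.group(2)), **fields}


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (bursts, compromises).

    bursts: {ip: distinct usernames tried} for every source IP that produced at
            least `threshold` RDP (LogonType 10) failures inside `window`.
    compromises: [(ip, user, ts)] for each LogonType 10 success from an IP whose
            sliding window still held `threshold` failures at that moment.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    usernames = defaultdict(set)    # ip -> usernames attempted (cumulative)
    bursts = {}
    compromises = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("LogonType") != "10":
            continue  # only RemoteInteractive (RDP) logons matter here
        ip, ts = rec.get("IpAddress"), rec["ts"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # slide the window forward
        if rec["event_id"] == 4625:
            recent.append(ts)
            usernames[ip].add(rec.get("TargetUserName"))
            if len(recent) >= threshold:
                bursts[ip] = len(usernames[ip])
        elif rec["event_id"] == 4624 and len(recent) >= threshold:
            # A success right after a burst is the signal that a credential was cracked.
            compromises.append((ip, rec.get("TargetUserName"), ts))
    return bursts, compromises


if __name__ == "__main__":
    bursts, compromises = detect_rdp_bruteforce(SAMPLE_LOG)
    for ip, n in bursts.items():
        print(f"burst from {ip}: {n} distinct usernames")
    for ip, user, ts in compromises:
        print(f"possible compromise: {ip} logged in as {user} at {ts:%H:%M:%S}")
```

The sliding window keeps the single mistyped password from 198.51.100.20 out of the result, and the LogonType filter keeps the network-logon noise from 198.51.100.21 out as well; only the sprayed source and its subsequent success are reported. In practice the IP-keyed window should also be checked against the GoldBrute behaviour of spreading attempts across many victims: a low per-host rate from one address is still worth correlating centrally.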
SandboxEscaper Debuts ByeBear Windows Patch Bypass

Guerrilla developer SandboxEscaper has disclosed a second bypass exploit for a patch that fixes a Windows local privilege-escalation (LPE) flaw, again without notifying Microsoft. The exploit, dubbed ByeBear, enables attackers to get past the patch to attack a permissions-overwrite, privilege-escalation flaw (CVE-2019-0841), which exists because the Windows AppX Deployment Service (AppXSVC) improperly handles hard links. It allows a local attacker to run processes in an elevated context, allowing them to then install programs, and view, change or delete data, according to Microsoft.

Ancient ICEFOG APT malware spotted again in new wave of attacks

Malware developed by Chinese state-sponsored hackers that was once thought to have disappeared has been recently spotted in new attacks, in an updated and more dangerous form. Spotted by FireEye senior researcher Chi-en (Ashley) Shen, the malware is named ICEFOG (also known as Fucobha). It was initially used by a Chinese APT (advanced persistent threat, a technical term for state-sponsored hacking units), also named ICEFOG, whose operations were first detailed in a Kaspersky report in September 2013.

Data breach in Marimekko's online store: data entered by more than 1,500 users was collected without authorization

Data breach in Marimekko's online store: data entered by more than 1,500 users was collected without authorization. The intruder may have obtained data entered by users who shopped on the site during the breach, such as delivery and billing addresses and the online store's login credentials, Marimekko's director of digital business Kari Härkönen said by e-mail.

PHA Family Highlights: Triada

We continue our PHA family highlights series with the Triada family, which was first discovered early in 2016. The main purpose of Triada apps was to install spam apps on a device that displays ads. The creators of Triada collected revenue from the ads displayed by the spam apps. The methods Triada used were complex and unusual for these types of apps. Triada apps started as rooting trojans, but as Google Play Protect strengthened defenses against rooting expl

Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves

Blockchain biz Komodo this week said it had used a vulnerability discovered by JavaScript package biz NPM to take control of some older Agama cryptocurrency wallets to prevent hackers from doing the same. The digital currency startup said it had socked away 8 million KMD (Komodo) and 96 BTC (Bitcoin) tokens worth almost $13m from the wallets, and stashed them in two digital wallets under its control, where the assets await reclamation by their owners.

Massive Changes to Tech and Platforms, But Cybercrime? Not So Much

The still-relevant recommendation is to invest more in law enforcement, concludes an economic study of cybercrime. In 2012, a group of cybersecurity researchers and social scientists studied the impact of cybercrime and its cost to society, concluding that the money spent anticipating an attack is less effective than money spent responding to an attack. This week, many of the same researchers released an updated paper at the Workshop on the Economics of Information Security (WEIS) conference, in Cambridge, Mass., that looks at direct and indirect damages due to cybercrime,

The Endless Scourge of Malicious Email

There is no question that unwanted email is a source of annoyance. It is also the biggest source of cyber threats. In fact, just last month, spam accounted for 85 percent of all email sent. Plus, according to Verizon's 2018 Data Breach Investigations Report, email is the number one vector for both malware distribution (92.4 percent) and phishing (96 percent). Attackers know that, unfortunately, this channel just works. Because email forces the user to stop and at least scan every message they receive, it presents the perfect opportunity to serve up malicious links and file attachments that people in a hurry sometimes mistakenly click on. Phishing and social engineering have gotten so sophisticated that it can be hard for even cyber-savvy users to discern the legitimate from the malicious.

Hackers selling services to target FTSE companies

The number of hacking tools that can be used against FTSE 100 and Fortune 500 companies is on the rise on the dark net, new research has warned. A report from Bromium found four in ten vendors on the dark net are selling targeted hacking services, which it claims translates to a 20 per cent rise compared to the same period three years ago. The price varies significantly, from $150 to $10,000, and mostly depends on the target company and the plan to which

Cathay Pacific’s unpatched decade-old vulnerability led to 2018 breach

The Hong Kong Privacy Commissioner for Personal Data Stephen Kai-yi Wong released a report [PDF] on Thursday detailing his findings relating to the Cathay Pacific breach disclosed in October that affected 9.4 million people. In his report, Wong spelled out how a pair of groups had targeted the airline, with the first dropping a keylogger onto a reporting system in October 2014 that harvested credentials and allowed them to move laterally through the network and gather other credentials before ceasing on March 22, 2018. The report said Cathay is not aware of how this group entered the system.

AMCA Healthcare Hack Widens Again, Reaching 20.1M Victims

The hack of the American Medical Collection Agency (AMCA), a third-party bill collection vendor, continues to expand, now impacting 20.1 million patients across three laboratory services providers. In the wake of revelations that the personal data of 12 million patients from Quest Diagnostics had been potentially compromised by an infiltration of AMCA systems, another 7.7 million patients from LabCorp were shown on Wednesday to be impacted. And 400,000 victims from OPKO Health have now been added to the tally as of Thursday.

New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices

Palo Alto Networks Unit 42 has been tracking the evolution of the Mirai malware, known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016 when it took down several notable targets. As part of this ongoing research, we've recently discovered a new variant of Mirai that has eight new exploits against a wide range of embedded devices. These newly targeted devices range from wireless presentation systems to set-top boxes, SD-WANs, and even smart home controllers.
