Daily NCSC-FI news followup 2019-06-07

A Deep Dive into the Emotet Malware

Emotet is a trojan that is primarily spread through spam emails. During its lifecycle, it has gone through a few iterations. Early versions were delivered as a malicious JavaScript file. Later versions evolved to use macro-enabled Office documents to retrieve a malicious payload from a C2 server. FortiGuard Labs has been tracking Emotet since it was first discovered, and in this blog, I will provide a deep analysis of a new Emotet sample found in early May. This detailed analysis includes how to unpack the persistent payload, how Emotet malware communicates with its C2 servers, how to identify the hard-coded C2 server list and RSA key in the executable, as well as how it encrypts the data it gathers.

Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA

In the second part of our Strange Bits series we are taking a closer look at Sodinokibi spam e-mails, CinaRAT and a malware that tries to imitate G DATA. Sodinokibi ransomware was known so far for being installed via an Oracle WebLogic exploit (see Talos’ article). A new campaign uses spam emails with an attached MS Office Word document to download Sodinokibi to the target system. JamesWT found the first sample, Sculabs another one[1]. The email pretends to be a warning letter from the fee collection center of the public-law broadcasting institutions in the Federal Republic of Germany and demands a 213.50 EUR payment.

CIA sextortion an old scam with a new twist

What would you think if you received an e-mail with "Central Intelligence Agency Case #45361978" in the subject line? Would you decide that someone, somewhere had seriously screwed up and accidentally sent you a top-secret file? Or that you're being recruited for the secret services (well, you never know)? Alas, in either case you would almost certainly be mistaken: the e-mails in question are just another extortion trick.

New Brute-Force Botnet Targeting Over 1.5 Million RDP Servers Worldwide

Security researchers have discovered an ongoing sophisticated botnet campaign that is currently brute-forcing more than 1.5 million publicly accessible Windows RDP servers on the Internet. Dubbed GoldBrute, the botnet scheme has been designed in a way to escalate gradually by adding every new cracked system to its network, forcing them to further find new available RDP servers and then brute-force them.

SandboxEscaper Debuts ByeBear Windows Patch Bypass

Guerrilla developer SandboxEscaper has disclosed a second bypass exploit for a patch that fixes a Windows local privilege-escalation (LPE) flaw, again without notifying Microsoft. The exploit, dubbed ByeBear, enables attackers to get past the patch to attack a permissions-overwrite, privilege-escalation flaw (CVE-2019-0841), which exists because the Windows AppX Deployment Service (AppXSVC) improperly handles hard links. It allows a local attacker to run processes in an elevated context, allowing them to then install programs, and view, change or delete data, according to Microsoft.

Ancient ICEFOG APT malware spotted again in new wave of attacks

Malware developed by Chinese state-sponsored hackers that was once thought to have disappeared has been recently spotted in new attacks, in an updated and more dangerous form. Spotted by FireEye senior researcher Chi-en (Ashley) Shen, the malware is named ICEFOG (also known as Fucobha). It was initially used by a Chinese APT (advanced persistent threat, a technical term for state-sponsored hacking units), also named ICEFOG, whose operations were first detailed in a Kaspersky report in September 2013.

Data breach in Marimekko's online store: data entered by over 1,500 users was collected without authorization

Data breach in Marimekko's online store: data entered by over 1,500 users was collected without authorization. The intruder may have obtained data entered by users who transacted on the site during the breach, such as delivery and billing addresses as well as login credentials for the online store, Marimekko's head of digital business Kari Härkönen says by e-mail.

PHA Family Highlights: Triada

We continue our PHA family highlights series with the Triada family, which was first discovered early in 2016. The main purpose of Triada apps was to install spam apps on a device that displays ads. The creators of Triada collected revenue from the ads displayed by the spam apps. The methods Triada used were complex and unusual for these types of apps. Triada apps started as rooting trojans, but as Google Play Protect strengthened defenses against rooting expl

Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves

Blockchain biz Komodo this week said it had used a vulnerability discovered by JavaScript package biz NPM to take control of some older Agama cryptocurrency wallets to prevent hackers from doing the same. The digital currency startup said it had socked away 8 million KMD (Komodo) and 96 BTC (Bitcoin) tokens worth almost $13m from the wallets, and stashed them in two digital wallets under its control, where the assets await reclamation by their owners.

Massive Changes to Tech and Platforms, But Cybercrime? Not So Much

The still-relevant recommendation is to invest more in law enforcement, concludes an economic study of cybercrime. In 2012, a group of cybersecurity researchers and social scientists studied the impact of cybercrime and its cost to society, concluding that the money spent anticipating an attack is less effective than money spent responding to an attack. This week, many of the same researchers released an updated paper at the Workshop on the Economics of Information Security (WEIS) conference, in Cambridge, Mass., that looks at direct and indirect damages due to cybercrime,

The Endless Scourge of Malicious Email

There is no question that unwanted email is a source of annoyance. It is also the biggest source of cyber threats. In fact, just last month, spam accounted for 85 percent of all email sent. Plus, according to Verizon's 2018 Data Breach Investigations Report, email is the number one vector for both malware distribution (92.4 percent) and phishing (96 percent). Attackers know that, unfortunately, this channel just works. Because email forces the user to stop and at least scan every message they receive, it presents the perfect opportunity to serve up malicious links and file attachments that people in a hurry sometimes mistakenly click on. Phishing and social engineering have gotten so sophisticated that it can be hard for even cyber-savvy users to discern the legitimate from the malicious.

Hackers selling services to target FTSE companies

The number of hacking tools that can be used against FTSE 100 and Fortune 500 companies is on the rise on the dark net, new research has warned. A report from Bromium found four in ten vendors on the dark net are selling targeted hacking services, which it claims translates to a 20 per cent rise compared to the same period three years ago. The price varies significantly, from $150 to $10,000, and mostly depends on the target company, and the plan to which

Cathay Pacific’s unpatched decade-old vulnerability led to 2018 breach

The Hong Kong Privacy Commissioner for Personal Data Stephen Kai-yi Wong released a report [PDF] on Thursday detailing his findings relating to the Cathay Pacific breach disclosed in October that affected 9.4 million people. In his report, Wong spelled out how a pair of groups had targeted the airline, with the first dropping a keylogger onto a reporting system in October 2014 that harvested credentials and allowed them to move laterally through the network and gather other credentials before ceasing on March 22, 2018. The report said Cathay is not aware of how this group entered the system.

AMCA Healthcare Hack Widens Again, Reaching 20.1M Victims

The hack of the American Medical Collection Agency (AMCA), a third-party bill collection vendor, continues to expand, now impacting 20.1 million patients across three laboratory services providers. In the wake of revelations that the personal data of 12 million patients from Quest Diagnostics had been potentially compromised by an infiltration of AMCA systems, another 7.7 million patients from LabCorp were shown on Wednesday to be impacted. And 400,000 victims from OPKO Health have now been added to the tally as of Thursday.

New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices

Palo Alto Networks Unit 42 has been tracking the evolution of the Mirai malware, known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016 when it took down several notable targets. As part of this ongoing research, we've recently discovered a new variant of Mirai that has eight new exploits against a wide range of embedded devices. These newly targeted devices range from wireless presentation systems to set-top boxes, SD-WANs, and even smart home controllers.
