Daily NCSC-FI news followup 2019-06-10

Email attacks are on the rise

www.itproportal.com/news/email-attacks-are-on-the-rise/ The number of organisations that use email security as part of their threat defences is actually shrinking, new figures from Cisco are showing. The Cisco 2019 Cybersecurity Series says that this year, 41 per cent of organisations have this type of security set up, down from 56 per cent last year. At the same time, the number of email threats is on the rise, and email as a threat in general is considered one of the top issues keeping CISOs up at night.

The blacklist was not good enough: now the VPN providers themselves are in trouble

www.tivi.fi/uutiset/musta-lista-ei-kelvannut-nyt-vpn-palveluntarjoajat-joutuvat-itse-pulaan/b61dfc29-cba7-4c0d-91b6-5882a8982616 Russia's telecommunications regulator Roskomnadzor earlier demanded that VPN services operating in the country adopt a national blacklist containing a large set of sites that Russian visitors must not be allowed to reach. The VPN providers responded to the demand reluctantly. According to Roskomnadzor's head, Alexander Zharov, the VPN services not only refused to adopt the blacklist but also publicly announced their intention to defy it on their websites.

Ars Technica: Millions of machines affected by command execution flaw in Exim mail server

arstechnica.com/information-technology/2019/06/millions-of-machines-affected-by-command-execution-flaw-in-exim-mail-server/ Millions of Internet-connected machines running the open source Exim mail server may be vulnerable to a newly disclosed vulnerability that, in some cases, allows unauthenticated attackers to execute commands with all-powerful root privileges. The flaw, which dates back to version 4.87 released in April 2016, is trivially exploitable by local users with a low-privileged account on a vulnerable system running with default settings. All that’s required is for the person to send an email to “${run{…}}@localhost,” where “localhost” is an existing local domain on a vulnerable Exim installation. With that, attackers can execute commands of their choice that run with root privileges. The command execution flaw is also exploitable remotely, albeit with some restrictions.

How spammers use Google services

www.kaspersky.com/blog/spam-through-google-services/27228/ As you know, Google is not just a search tool, but multiple services used by billions of people every day: Gmail, Calendar, Google Drive, Google Photos, Google Translate, the list goes on. And they are all integrated with each other. Calendar is linked to Gmail, Gmail to Google Drive, Google Drive to Google Photos, and so on. It's all very handy: register once and away you go. And there's no need to mess around moving files and data between services; Google does everything for you. The downside is that online fraudsters have learned to exploit the convenience of Google services to send spam or worse.

Zero Trust: Debunking Misperceptions

blog.paloaltonetworks.com/2019/06/network-zero-trust-debunking-misperceptions/ As organizations explore Zero Trust as a means to prevent successful cyberattacks, more vendors are using Zero Trust as a cybersecurity buzzword. If you walked through the halls of RSA this year, you will have noticed this to be true. Zero Trust was a part of dozens upon dozens of vendor booths, presentations, pamphlets, etc. in one fashion or another. This has resulted in misperceptions of what Zero Trust really is. With the recent availability of Zero Trust products, the perception is that Zero Trust is all about identity, or the belief that you have to rip and replace everything to achieve it. With so much noise and confusion, it's no surprise that people believe that it's a complex, costly and time-consuming initiative.

MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools

blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/ We found new campaigns that appear to wear the badge of MuddyWater. Analysis of these campaigns revealed the use of new tools and payloads, which indicates that the well-known threat actor group is continuously developing their schemes. We also unearthed and detailed our other findings on MuddyWater, such as its connection to four Android malware families and its use of false flag techniques, among others, in our report New MuddyWater Activities Uncovered. One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government. The sender addresses of these legitimate entities were not spoofed to deceive email recipients. Instead, the campaign used compromised legitimate accounts to trick victims into installing malware.

Interesting JavaScript Obfuscation Example

isc.sans.edu/forums/diary/Interesting+JavaScript+Obfuscation+Example/25020/ Last Friday, one of our readers (thanks Mickael!) reported to us a phishing campaign based on a simple HTML page. He asked us how to properly extract the malicious code within the page. I did an analysis of the file and it looked interesting for a diary because a nice obfuscation technique was used in a JavaScript file, but also because the attacker tried to prevent automatic analysis by adding some boring code. In fact, the HTML page contains a malicious Word d

Microsoft Warns of Email Attacks Executing Code Using an Old Bug

threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/ Microsoft is warning of a fresh email campaign that distributes malicious RTF files booby-trapped with an exploit dating back to a 2017 vulnerability, CVE-2017-11882. The exploit allows attackers to automatically run malicious code without requiring user interaction. “The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks,” Microsoft Security Intelligence tweeted on Friday. “Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.”

Eight years later, the case against the Mariposa malware gang moves forward in the US

www.zdnet.com/article/eight-years-later-the-case-against-the-mariposa-malware-gang-moves-forward-in-the-us/ Eight years after US law enforcement opened its first case into the operations of the Mariposa (Butterfly Bot, BFBOT) malware gang, officials are now moving forward with new charges and arrest warrants against four suspects. The original case started way back in May 2011, when US officials first filed a complaint against three European hackers. The investigation into this group’s operations unearthed a cyber-crime empire and eventually led to the takedown of the infamous Darkode hacking forum, a famous meeting place for high-end hackers.

CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner

blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-2725-exploited-and-certificate-files-used-for-obfuscation-to-deliver-monero-miner/ In April 2019, a security advisory was released for CVE-2019-2725, a deserialization vulnerability involving the widely used Oracle WebLogic Server. Soon after the advisory was published, reports emerged on the SANS ISC InfoSec forums that the vulnerability was already being actively exploited to install cryptocurrency miners. We managed to confirm these reports after feedback from the Trend Micro Smart Protection Network security architecture revealed a

FBI Issues Warning on Secure Websites Used For Phishing

www.bleepingcomputer.com/news/security/fbi-issues-warning-on-secure-websites-used-for-phishing/ The U.S. Federal Bureau of Investigation (FBI) issued a public service announcement regarding TLS-secured websites being actively used by malicious actors in phishing campaigns. Internet users are accustomed by now to always look at the padlock next to the web browser’s address bar to check if the current page is served by a website secured using a TLS certificate. Another thing users look for after landing on a website is the “https” protocol designation in front of the hostname, which is another hint that a domain is “secure” and the web traffic is encrypted.

‘Lone Wolf’ Scammer Built a Multifaceted BEC Cybercrime Operation

www.darkreading.com/threat-intelligence/lone-wolf-scammer-built-a-multifaceted-bec-cybercrime-operation-/d/d-id/1334916 A one-man 419 scam evolved into a lucrative social-engineering syndicate over the past decade that conducts a combination of business email compromise, romance, and financial fraud. This wasn’t the first time the chief financial officer of email security vendor Agari had been targeted in a business email compromise (BEC) scam. As with the first incident in August 2018, three months later Agari’s software tool flagged a suspicious email meant for its CFO, Raymond Lim, that posed as a supplier requesting a wire transfer for an invoice payment.

Urgent: If you haven't updated your operating system, you're in danger!

www.pandasecurity.com/mediacenter/security/urgent-updated-operating-danger/ Install the patch that fixes BlueKeep: the latest Windows vulnerability. Nearly a million computers are at risk of a cyber attack. Learn more about the BlueKeep vulnerability that is affecting millions of Windows XP, Windows Vista, and Windows 7 users.
