Daily NCSC-FI news followup 2019-06-12

Kyberhyökkääjä iski Lahden kaupungin verkkoon haittaohjelma ehti saastuttaa tietokoneita

yle.fi/uutiset/3-10827423 Lahden kaupungin verkkoon ja työasemiin kohdistui kyberhyökkäys tiistaina iltapäivällä. Hyökkäyksen seurauksena verkko kuormittui ja ohjelma ehti saastuttaa koneita. Haittaohjelma on tunnistettu, ja virustorjuntaohjelmisto eristää sen tartunnan saaneissa koneissa, , kertoo kaupunki tiedotteessaan. Operaattorin palomuureissa on havaittu haittaohjelmaan liittyviä yhteysavauksia ja verkkoliikennettä, joka on estetty.. Myös:

www.verkkouutiset.fi/lahden-kaupunkiin-kohdistui-kyberisku/. Myös

www.phhyky.fi/fi/haittaohjelma-voi-aiheuttaa-viivetta-yhtyman-asiakaspalvelussa/. Myös: www.ess.fi/uutiset/paijathame/art2547392. Myös:

www.tivi.fi/uutiset/tv/d04b3854-83c8-4dcc-8b68-1de2db5b3f5b

Threat Spotlight: MenuPass/QuasarRAT Backdoor

threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html During the latter half of 2018, BlackBerry Cylance threat researchers tracked a campaign targeting companies from several verticals across the EMEA region. The campaign seemed to be related to the MenuPass (a.k.a. APT10/Stone Panda/Red Apollo) threat actor, and utilized an open-source backdoor named QuasarRAT to achieve persistence within an organization. We identified several distinct loader variants tailored to specific targets by leveraging machine learning (ML) to analyse our malware corpus. We have not observed new QuasarRAT samples in the wild since late 2018, roughly coinciding with when the FBI indicted several members of the MenuPass group.

Ransomware identification for the judicious analyst

www.gdatasoftware.com/blog/2019/06/31666-ransomware-identification-for-the-judicious-analyst Most ransomware is fire-and-forget malware. The majority of ransomware families do not remain on the system after they have done their deed, and delete the malicious binaries. The system’s owner is left with encrypted data and the ransom message. Web services for ransomware identification like id-ransomware might not be an option if customer data is of a confidential nature. Even though the files are encrypted, they can contain information about the customer’s system or might be recoverable by third parties.

Code signing attacks could be your next big threat

www.itproportal.com/news/code-signing-attacks-could-be-your-next-big-threat/ Although security professionals understand the security risks code signing poses to their organisations, many are not taking proper steps to protect them from attacks. This is according to a new study by machine identity protection firm Venafi, based on a poll of more than 320 security pros in the US, Canada and Europe. It was stated that roughly a quarter (28 per cent) of organisations enforce a defined security process for code signing certificates on a consistent basis. It was stated that roughly a quarter (28 per cent) of organisations enforce a defined security process for code signing certificates on a consistent basis

Why cybercriminals are eyeing smart buildings

www.welivesecurity.com/2019/06/12/cybercriminals-eyeing-smart-buildings/ A recent talk by ESET’s Global Security Evangelist Tony Anscombe looks at the key security challenges facing intelligent buildings. As part of the Segurinfo Argentina 2019 conference in Buenos Aires, ESETs Global Security Evangelist Tony Anscombe gave a talk on smart buildings, in which he explained the security risks associated with intelligent buildings. Lets cut to the nitty-gritty of his interesting talk. In countries like the United States, the growth of smart buildings is estimated to reach 16.6% by 2020 compared to 2014, although this expansion is not limited to the US but rather is taking place on a global scale.

Shifting Tactics: Breaking Down TA505 Groups Use of HTML, RATs and Other Techniques in Latest Campaigns

blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/ TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware. We have been following TA505 closely and detected various related activities for the past two months. In the groups latest campaign, they started using HTML attachments to deliver malicious .XLS files that lead to downloader and backdoor FlawedAmmyy, mostly to target users in South Korea.

Major HSM vulnerabilities impact banks, cloud providers, governments

www.zdnet.com/article/major-hsm-vulnerabilities-impact-banks-cloud-providers-governments/ At a security conference in France this past week, two security researchers from hardware wallet maker Ledger have disclosed details about several vulnerabilities in the HSM of a major vendor.. “The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials,” researchers said.

BlueKeep Vulnerability (CVE-2019-0708) within Cloud/Datacenter Machines: How to Safeguard Yourself?

www.fortinet.com/blog/threat-research/bluekeep-vulnerability-cloud-datacenters.html A few weeks back, FortiGuard Labs heard of the BlueKeep RDP Wormable Vulnerability [CVE-2019-0708]. According to Microsoft, this vulnerability affects the Remote Desktop Protocol (RDP) service included in older versions of Windows OS, such as Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008R2.. Recently, there was an article by Robert Graham of Errata Security saying that nearly 1 million machines are still vulnerable to this critical vulnerability. Microsoft and even the NSA have recently issued advisories asking users to patch their systems to avoid another attack on the lines of the WannaCry incident.

Improving Security and Privacy for Extensions Users

security.googleblog.com/2019/06/improving-security-and-privacy-for.html No, Chrome isnt killing ad blockers — were making them safer. The Chrome Extensions ecosystem has seen incredible advancement, adoption, and growth since its launch over ten years ago. Extensions are a great way for users to customize their experience in Chrome and on the web. As this system grows and expands in both reach and power, user safety and protection remains a core focus of the Chromium project.

Europe is its own worst enemy when it comes to cyberattacks

www.itproportal.com/news/europe-is-its-own-worst-enemy-when-it-comes-to-cyberattacks/ Forget China, Brazil, North Korea, Iran when it comes to EU states under cyberattack, their biggest enemy is The Netherlands. Yep, the land of tulips, windmills and Van Persie has seen more attacks launched at European IP addresses than US, China, Russia, France, Iran, Vietnam, Canada, India and Indonesia. According to new analysis by F5 Labs, the Netherlands launched 1,5 times more attacks against European systems than US and China combined, and six times more than Indonesia.

Intel NUC Firmware Open to Privilege Escalation, DoS and Information Disclosure

threatpost.com/intel-patches-nuc-firmware/145620/ Intel has patched seven high-severity vulnerabilities in the system firmware of its Intel NUC (short for Next Unit of Computing), a mini-PC kit used for gaming, digital signage and more. Overall, the chip-maker patched 25 vulnerabilities across various platforms this week including eight high-severity flaws, 13 medium-severity flaws and four low-severity glitches. The majority of the high-severity flaws resided in the system firmware of Intels NUC mini PC kit, which offers processing, memory and storage capabilities for applications like digital signage, media centers and kiosks.

Cybersecurity: These are the Internet of Things devices that are most targeted by hackers

www.zdnet.com/article/cybersecurity-these-are-the-internet-of-things-devices-that-are-most-targeted-by-hackers/ Internet-connected security cameras account for almost half of the Internet of Things devices that are compromised by hackers even as homes and businesses continue to add these and other connected devices to their networks. Research from cybersecurity company SAM Seamless Network found that security cameras represent 47 percent of vulnerable devices installed on home networks.

Uusi maksusovellus on kuin suunniteltu rikosta varten

www.tivi.fi/uutiset/tv/558f94c0-1d93-47e7-af84-534403e7043a Yhdysvalloissa suosiotaan kasvattavan Zelle-maksusovelluksen käyttöönotto on todella helppoa. Tämän ovat huomanneet myös helpon rahan perässä olevat huijarit. News kertoo juonesta, jossa uhri saa yllättäen soiton huijareilta, jotka väittävät työskentelevänsä uhrin pankissa ja havainneensa tämän tilillä epämääräistä toimintaa. . Tämän jälkeen uhria pyydetään luettelemaan tekstiviestitse välitetty numerokoodi, jota väitetään käytettäväksi henkilöllisyyden varmentamiseen. Todellisuudessa huijarit luovat uhrin paljastamalla koodilla tilin Zelle-maksusovellukseen ja vievät pahaa-aavistamattoman uhrin rahat.

Bad Cert Vulnerability Can Bring Down Any Windows Server

www.bleepingcomputer.com/news/security/bad-cert-vulnerability-can-bring-down-any-windows-server/ A Google security expert today revealed that an unpatched issue in the main cryptographic library of Microsoft’s operating system can cause a denial-of-service (DoS) condition in Windows 8 servers and above. The problem is in SymCrypt, the primary library for implementing symmetric cryptographic algorithms in Windows 8 and also for asymmetric ones starting with Windows 10 version 1703

Critical Bug in Infusion System Allows Changing Drug Dose in Medical Pumps

www.bleepingcomputer.com/news/security/critical-bug-in-infusion-system-allows-changing-drug-dose-in-medical-pumps/ Researchers discovered two vulnerabilities in Alaris Gateway Workstations that are used to deliver fluid medication. One of them is critical and an attacker could leverage it to take full control of the medical devices connecting to it. A flaw in the firmware code of the device has been assigned the highest severity score, a perfect 10, so it can be exploited remotely and without authentication. The other issue received is less severe and affects the workstation’s web-based management interface.

New FormBook Dropper Harbors Obfuscation, Persistence

threatpost.com/new-formbook-dropper-harbors-persistence/145614/ Never-before-seen dropper found in FormBook samples that has increased persistence and obfuscation capabilities. Researchers are warning that a future data-theft attack may be brewing after discovering a new sample of the FormBook malware, with a never-before-seen dropper i.e. a malicious file that is used in the initial infection stage and installs malware on the system. FormBook, a browser form-stealer and keylogger, has been under active development since it popped up on hacking forums in 2016

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.