Daily NCSC-FI news followup 2019-06-25

Operation Soft Cell a worldwide campaign against telecommunications providers

www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with the Chinese-affiliated threat actor APT10. These multi-wave attacks focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network. See also:

www.zdnet.com/article/these-hackers-broke-into-10-telecoms-companies-to-steal-customers-phone-records/,

techcrunch.com/2019/06/24/hackers-cell-networks-call-records-theft/ and www.theregister.co.uk/2019/06/25/telco_security_hell/. See also:

www.reuters.com/article/us-cyber-telecoms-cybereason/hackers-steal-data-from-telcos-in-espionage-campaign-cyber-firm-idUSKCN1TQ0BC

iPhone Apps Surreptitiously Communicated with Unknown Servers

www.schneier.com/blog/archives/2019/06/iphone_apps_sur.html Long news article (alternate source) on iPhone privacy, specifically the enormous amount of data your apps are collecting without your knowledge. A lot of this happens in the middle of the night, when you’re probably not otherwise using your phone: iPhone apps I discovered tracking me by passing information to third parties, just while I was asleep, include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post and IBM’s the Weather Ch. And your iPhone doesn’t only feed data trackers while you sleep. In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic.

Using Whitelisting to Remediate an RCE Vulnerability (CVE-2019-2729) in Oracle WebLogic

blog.trendmicro.com/trendlabs-security-intelligence/using-whitelisting-to-remediate-an-rce-vulnerability-cve-2019-2729-in-oracle-weblogic/ Oracle WebLogic has recently disclosed and patched remote-code-execution (RCE) vulnerabilities in its software, many of which were due to insecure deserialization. Oracle addressed the most recent vulnerability, CVE-2019-2729, in an out-of-band security patch on June 18, 2019. CVE-2019-2729 was assigned a CVSS score of 9.8, making it a critical vulnerability. This vulnerability is relatively easily exploitable, but requires Java Development Kit (JDK) 1.6

RDP Security Explained

securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-security-explained/ Recently, McAfee released a blog related to the wormable RDP vulnerability referred to as CVE-2019-0708 or Bluekeep. The blog highlights a particular vulnerability in RDP which was deemed critical by Microsoft because it is exploitable over a network connection without authentication. These attributes make it particularly wormable: it can easily be coded to spread itself by reaching out to other accessible networked hosts, simila. When trying to run an efficient IT organization, having remote access to certain computer systems might be essential. Unfortunately, when not implemented correctly, the tools that make remote access possible also open your systems up to unwanted guests. In the last few years there have been far too many examples of where vulnerable RDP access gave way to a full-scale network compromise. In this article we have shown that RDP access can be hardened with some easy steps. Please take the time to review your RDP security posture.

Cybersecurity staff burnout risks leaving organisations vulnerable to cyberattacks

www.zdnet.com/article/cybersecurity-staff-burnout-risks-leaving-organisations-vulnerable-to-cyberattacks/ Cybersecurity professionals are overworked and stressed out to such an extent that it threatens to provide hackers and cybercriminals with a better chance of conducting cyberattacks against the enterprise.

Beware: Facebook scam hijacks accounts and activates 90 monthly payments

www.is.fi/digitoday/tietoturva/art-2000006152703.html A scam is circulating on Facebook that hijacks users’ accounts and posts messages in Facebook groups under their names.

Biz tells ransomware victims it can decrypt their files… by secretly paying off the crooks and banking a fat margin

www.theregister.co.uk/2019/06/24/red_mosquito_rm_data_recovery_ransomware/ A Scottish managed services provider is running a lucrative sideline in ransomware decryption; however, a sting operation by a security firm appears to show that decryption merely means paying off the malware’s masterminds. Red Mosquito’s data recovery business appears to be lucrative. In accounts for fiscal year 2017, RM Data Recovery Ltd had more than £300,000 in the bank, according to Companies House records, several orders of magnitude higher than the £300 in the previous year. See also:

www.tivi.fi/uutiset/tv/93755619-03af-47e0-9ae2-56a1a1d95c3d

Which wins the IoT tug-of-war: security or privacy?

www.tivi.fi/uutiset/tv/d2c6b3fc-2f8e-4b8d-a997-13309a9f8b4f The debate over IoT security has raged fiercely, and it has involved the customers of the Internet of Things, i.e. businesses, as well as device manufacturers and service vendors. There is certainly plenty to discuss about the security of connected devices. In June alone, the news has covered many cases in which private data collected by IoT devices was misused.

New Mac malware abuses recently disclosed Gatekeeper zero-day

www.zdnet.com/article/new-mac-malware-abuses-recently-disclosed-gatekeeper-zero-day/ Mac malware developers have jumped on a recently disclosed macOS Gatekeeper vulnerability and are actively developing malware that abuses it. The new malware has been named OSX/Linker and has been tied to the same group that operates the OSX/Surfbuyer adware, according to an investigation carried out by Joshua Long, Chief Security Analyst for Mac security software maker Intego. See also:

thehackernews.com/2019/06/macos-malware-gatekeeper.html and

threatpost.com/newly-discovered-malware-targets-unpatched-macos-flaw/145997/

Senate investigation finds multiple federal agencies left sensitive data vulnerable to cyberattacks for past decade

thehill.com/homenews/senate/450100-senate-investigation-finds-multiple-federal-agencies-left-sensitive-data Several federal agencies failed to update system vulnerabilities over the course of the last two administrations and left Americans’ personal information open and vulnerable to theft, a report released Tuesday by the Senate Homeland Security and Governmental Affairs Subcommittee on Investigations found. The report, spearheaded by subcommittee Chairman Rob Portman (R-Ohio) and ranking member Tom Carper (D-Del.) and put together after a 10-month investigation, reviewed data compiled over the last decade by the inspector general on federal information security standards for eight agencies.

BlueStacks Flaw Lets Attackers Remotely Control Android Emulator

www.bleepingcomputer.com/news/security/bluestacks-flaw-lets-attackers-remotely-control-android-emulator/ Vulnerabilities in the BlueStacks Android emulator were fixed at the end of May that allowed attackers to perform remote code execution, information disclosure, and to steal backups of the VM and its data. In BlueStacks versions earlier than v4.90.0.1046, a DNS rebinding vulnerability existed that allowed attackers to gain access to the emulator’s IPC functions. These functions could then be used for a variety of different attacks ranging from remote code execution to information disclosure. This vulnerability was discovered and reported by security researcher Nick Cano in April and was fixed in BlueStacks 4.90.0.1046, which was released on May 27th, 2019 along with an advisory.

Malspam Campaigns Hide Infostealers in ISO Image Files

www.bleepingcomputer.com/news/security/malspam-campaigns-hide-infostealers-in-iso-image-files/ Multiple malicious campaigns observed in April concealed LokiBot and Nanocore malware inside ISO image files small enough to fit into an email attachment. Both LokiBot and Nanocore incorporate data-stealing capabilities. They target web browsers, email clients, remote admin tools (SSH, VNC, and RDP), and clipboard data. They can also collect information about documents present on the system and monitor user keystrokes to extract more sensitive details. Security researchers discovered 10 variants of this type of campaign, with variations in the ISO images and messages delivered to potential victims. The endeavors appear to follow the “spray and pray” principle, as they did not target specific individuals or businesses. See also:

threatpost.com/malspam-emails-blanket-lokibot-nanocore-malware-with-iso-files/145991/

Microsoft OneDrive Has 60% Jump in Hosting of Malicious Files

www.bleepingcomputer.com/news/security/microsoft-onedrive-has-60-percent-jump-in-hosting-of-malicious-files/ A retrospective look at the phishing trends from the first quarter of 2019 shows a steep jump in the use of Microsoft’s OneDrive file sharing service to host malicious files. While cybercriminals have abused the service in the past to host their phishing attacks, researchers from FireEye noticed a dramatic increase lately, compared to the last quarter of 2018. OneDrive’s popularity rose from almost complete disregard to a share above 60%. This preference is topped only by Dropbox, which has also seen an increased number of detections, albeit the comparative gap between the last two quarters is much smaller, around 10%. A similar picture is available for Google Drive, where the quarter on quarter difference is less than 20%. For both Dropbox and Google Drive, the difference could be accounted for by a surge in activity at the beginning of this year.

Tesco Hacked on Twitter Spoofs Bill Gates and Pushes BTC Scam

www.bleepingcomputer.com/news/security/tesco-hacked-on-twitter-spoofs-bill-gates-and-pushes-btc-scam/ Tesco’s Twitter account seems to have fallen into the wrong hands, judging by the account’s activity today, and the company is currently in the process of restoring the profile to its previous condition. People following Tesco on Twitter received weird tweet notifications from the groceries and general merchandise retailer and noticed uncommon behavior on the account. A pinned tweet was what suggested that a hack had occurred as the message pushed a Bitcoin cryptocurrency scam, asking Tesco followers to send coins to a wallet and promising to send back twice the value.

Malicious URL attacks using HTTPS surge across the enterprise

www.zdnet.com/article/social-engineering-attacks-surge-across-the-enterprise/#ftag=RSSbaffb68 Cyberattacks launched against the enterprise which make use of the HTTPS protocol are increasing alongside spoofing and cloud-based threats, new research suggests. According to FireEye’s Q1 2019 Email Threat report, released on Tuesday, there has been a 26 percent increase in the use of malicious URLs made to appear legitimate through HTTPS, quarter-on-quarter, while the popularity of the traditional malware-laden email attachment is steadily falling. “This indicated malicious actors are taking advantage of the common consumer perception that HTTPS is a ‘safer’ option to engage on the Internet,” FireEye says. The report, based on the analysis of 1.3 billion emails, further suggests that phishing attacks have risen by 17 percent over Q1 2019. In total, almost 30 percent of all detections impersonate well-known brands including Microsoft, OneDrive, Apple, Amazon, and PayPal.

Tracing the Supply Chain Attack on Android

krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/ Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames Yehuo or Blazefire. What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the en
