Daily NCSC-FI news followup 2019-07-19

Security Lessons From a New Programming Language

www.darkreading.com/application-security/security-lessons-from-a-new-programming-language/d/d-id/1335300?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple A security professional needed a secure language for IoT development. So he wrote his own, applying learned lessons about memory and resources in the process.

It’s never good when ‘Magecart’ and ‘bulletproof’ appear in the same sentence, but here we are

www.theregister.co.uk/2019/07/18/magecart_ukraine_hosting/ Researchers with security shop Malwarebytes say that the data-exfiltration and hosting servers used by Magecart operations to collect harvested card details have been traced to the Ukrainian city of Luhansk, located in an area contested by pro-European and pro-Russian forces.

BitPaymer Ransomware Operators Wage Custom, Targeted Attacks

www.darkreading.com/attacks-breaches/bitpaymer-ransomware-operators-wage-custom-targeted-attacks/d/d-id/1335298?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple Researchers from Morphisec say they have observed the tactic being used against numerous public and private sector organizations across the US over the last three months.

One Thousand Misspelled Security Headers

www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/july/misspelled-security-headers/ On a client engagement, my security tooling was notifying me of a missing “X-XSS-Protection” header on the client’s website. A quick manual inspection showed that the site was seemingly setting the header, but a second look showed that the site had actually set an “X-XXS-Protection” header. This typo results in a missing additional security control. This made me wonder, “Who else is fat-fingering their security headers?”

Fileless Malware Advisory

cyber.gc.ca/en/alerts/fileless-malware-advisory The Cyber Centre has become aware of a fileless malware campaign affecting Microsoft Windows users that is currently gaining traction. The Astaroth malware, a notorious info-stealing malware known for stealing sensitive information like credentials, keystrokes, and other data, resides solely in memory and is much more difficult to detect than traditional malware.

Elusive MegaCortex Ransomware Found – Here is What We Know

www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/ When Sophos analyzed the vicitm’s computers, they found that the attackers were gaining access to a network and then compromising the Windows domain controller. Once the domain controller was compromised the attackers would install Cobalt Strike in order to open a reverse shell back to the attackers.. Now that the attackers had full access to the network, they would use PsExec to distribute a batch file and the ransomware named as winnit.exe to the rest of the computers on the network. It would then execute this batch file in order to encrypt the various compromised workstations.

Huawei says Hongmeng operating system not for smartphones, intends to continue with Android

www.xinhuanet.com/english/2019-07/18/c_138238059.htm When FireEye had visibility on the CnC server, we saw the attackers engage in post-compromise information gathering and lateral movement on the target network, where upon FireEye immediately contacted the relevant authorities and began the notification process.. BRUSSELS, July 18 (Xinhua) — Huawei board member and senior Vice President Catherine Chen said here on Thursday that the company’s Hongmeng operating system is not for smartphones and the company intends to continue to use Google’s Android operating system for its smartphones.

To foil hackers, this chip can change its code in the blink of an eye

www.technologyreview.com/s/613968/a-new-microchip-aims-to-stump-hackers-with-a-constantly-moving-target/ The aim is to make it incredibly difficult for hackers to exploit key software that helps govern the chip’s operation. Morpheus does this by repeatedly randomizing elements of the code that attackers need access to in order to compromise the hardware. This can be achieved without disrupting the software applications that are powered by the processor.. [UMich] Austin said a prototype has already resisted every known variant of a widely-used hacking technique known as a control-flow attack

Mozilla Distrusts Certinomis Issued Certificates

www.venafi.com/blog/mozilla-distrusts-certinomis-issued-certificates Certinomis, a French certification authority, is being removed from browsers due to repeated violations of certificate validation rules. A Certification Authority (CA) is an organization that browser vendors trust to issue certificates to websites. Unfortunately, a lot of times these organizations, due to various reasons, misissue certificates that violate the requirements set by the CA/Browser forum (for short CABForum).

Old Tools for New Money: URL Spreading Shellbot and XMRig Using 17-year old XHide

blog.trendmicro.com/trendlabs-security-intelligence/old-tools-for-new-money-url-spreading-shellbot-and-xmrig-using-17-year-old-xhide/ One of our honeypots detected a threat that propagates by scanning for open ports and brute forcing weak credentials, installing a Monero cryptocurrency miner and a Perl-based IRC backdoor as the final payload. The miner process is hidden using XHide Process Faker, a 17-year old open source tool used to fake the name of a process. According to our analysis, we found the attacker issuing commands to the vulnerable machine that will download and install the backdoor and miner. The backdoor called Shellbot, and is capable of scanning for open ports, downloading files, executing UDP floods, and remotely executing shell commands

With FaceApp in the spotlight, new scams emerge

www.welivesecurity.com/2019/07/19/faceapp-spotlight-scams-emerge/ ESET researchers discover fraudulent schemes piggybacking on the popularity of the face-modifying tool FaceApp, using a fake Pro version of the application as a lure. The FaceApp application, which offers various face-modifying filters, is available for both Android and iOS. While the app itself is free, some features, marked as PRO, are paid. Recent concerns about FaceApp privacy issues have generated a huge wave of media attention. Scammers have been trying, to various ends, to exploit this wave of interest, using a fake Pro yet free version of the application as a lure. The fraudsters have also made an effort to spread the word about this fictitious version of the currently-viral app at the time of writing this blogpost, a Google search for FaceApp Pro returns some 200,000 articles

Kazakhstan Begins Intercepting HTTPS Internet Traffic Of All Citizens Forcefully

thehackernews.com/2019/07/kazakhstan-https-security-certificate.html If you are in Kazakhstan and unable to access the Internet service without installing a certificate, you’re not alone. The Kazakhstan government has once again issued an advisory to all major local Internet Service Providers (ISPs) asking them to make it mandatory for all their customers to install government-issued root certificates on their devices in order to regain access to the Internet services. The root certificate in question, labeled as “trusted certificate” or “national security certificate,” if installed, allows ISPs to intercept and monitor users’ encrypted HTTPS and TLS connections, helping the government spy on its citizens and censor content

Bug in NVIDIAs Tegra Chipset Opens Door to Malicious Code Execution

threatpost.com/nvidias-tegra-chipset-attack/146561/ Researcher creates Selfblow proof-of-concept attack for exploiting a vulnerability that exists in every single Tegra device released so far. A flaw impacting millions of mobile and internet of things (IoT) devices running NVIDIAs Tegra processor opens the door for a variety of attacks, including device hijacking or siphoning of data. The warning comes from researcher Triszka Balázs, who discovered the flaw and asserts that the bug affects every single Tegra device released so far. He also created a proof-of-concept (PoC), called Selfblow, to exploit the vulnerability. On Thursday, NVIDIA released a patch for the bug (CVE20195680) via a security bulletin

Onko kyberaseista vanhan ajan ydinpelotteen korvaajiksi?

www.tivi.fi/uutiset/tv/a89634a2-419f-4afa-84a4-2a71e3c01cc4 Kyberiskut ovat halpoja ja aseet lähes kaikkien saatavilla. Koska tässä “tylsässä vanhassa maailmassa” riittää aina vain konflikteja, turvallisuutta hakevien valtioiden kannattaisi edes harkita kyberaseiden sijasta kunnon pelotteita eli ydinaseita rauhan takeeksi, eräs Australian johtavista strategeista vertailee erilaisia uhkakuvia

4 miljoonan ihmisen tiedot kaupan netissä 6 selainlaajennukselle kenkää

www.is.fi/digitoday/tietoturva/art-2000006178161.html The Washington Post löysi kuusi häijyä selainlaajennusta Chrome- ja Firefox-selaimista. Ongelma on kuitenkin paljon tätä suurempi. Googlen Chrome-selainta ja Mozillan Firefox-selainta on usein mukava ja hyödyllistäkin höystää niin sanotuilla laajennuksilla ohjelmilla, jotka lisäävät selaimeen uusia toimintoja. Käyttäjät saattavat pitää laajennuksia tarjoavia virallisia kauppoja turvallisina, mutta niihin livahtaa silti myös haitallisia laajennuksia, kuten vaikkapa Androidin Google Play -kauppaan

You might be interested in …

Daily NCSC-FI news followup 2020-07-25

Will Garmin Pay $10m Ransom To End Two-Day Outage? www.forbes.com/sites/barrycollins/2020/07/25/will-garmin-pay-10m-ransom-to-end-two-day-outage/ Garmin is reportedly being asked to pay a $10 million ransom to free its systems from a cyberattack that has taken down many of its services for two days. Lisäksi yle.fi/uutiset/3-11465640 Hackers actively exploit high-severity networking vulnerabilities arstechnica.com/information-technology/2020/07/hackers-actively-exploit-high-severity-networking-vulnerabilities/ Hackers are actively exploiting two unrelated high-severity […]

Read More

Daily NCSC-FI news followup 2019-10-03

Casbaneiro: Dangerous cooking with a secret ingredient www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/ Casbaneiro, also known as Metamorfo, is a typical Latin American banking trojan that targets banks and cryptocurrency services in Brazil and Mexico (Figure 1). It uses the social engineering method described in the introduction to our previous article, where fake pop-up windows are displayed. Just a GIF […]

Read More

Daily NCSC-FI news followup 2020-06-08

German Task Force for COVID-19 Medical Equipment Targeted in Ongoing Phishing Campaign securityintelligence.com/posts/german-task-force-for-covid-19-medical-equipment-targeted-in-ongoing-phishing-campaign/ During the course of ongoing research on coronavirus-related cyber activity, IBM X-Force Incident Response and Intelligence Services (IRIS) uncovered a COVID-19 related phishing campaign targeting a German multinational corporation (MNC), associated with a German government-private sector task force to procure personal protective […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.