Daily NCSC-FI news followup 2019-08-05

– From State-Sponsored Attackers to Common Cybercriminals: Destructive Attacks on the Rise

securityintelligence.com/posts/from-state-sponsored-attackers-to-common-cybercriminals-destructive-attacks-on-the-rise/ Destructive attacks have left their mark over the past few years, wiping data and rendering millions of enterprise devices inoperable at companies around the world. A new report today from IBM X-Force Incident Response and Intelligence Services (IRIS) shows that these attacks have been on the rise, posing a growing threat to a wide variety of businesses that may not consider themselves an obvious target.

New version of MegaCortex targets business disruption

www.accenture.com/us-en/blogs/blogs-megacortex-business-disruption iDefense engineers have identified and analyzed a recently updated version of the dangerous ransomware MegaCortex, which is known to have previously caused costly incidents across various industries in Europe and North America.. So far, cybercriminals have only used MegaCortex in manual, post-exploitation, targeted attacks where important files on servers and network hosts are encrypted and the victims are asked to pay the ransom to reinstate access to their files.. The authors of MegaCortex v2 have redesigned the ransomware to self-execute and removed the password requirement for installation; the password is now hard-coded in the binary. . The changes in Version 2 suggest that the malware authors traded some security for ease of use and automation.

Sharpening the Machete

www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/ ESET research uncovers a cyberespionage operation targeting the Venezuelan military

Sextortion: Follow the Money – The Final Chapter

isc.sans.edu/forums/diary/Sextortion+Follow+the+Money+The+Final+Chapter/25204/ Since the last update in the Sextortion series I have contined to track the bitcoin addresses reported to the ISC. Altogether 563 BTC addresses have been reported. 90 of those addresses received 497 payments totalling over $785,000 USD. . That is an average payment of nearly $1600 USD at current Bitcoin prices. Over $530,000 USD of that value has been moved out of the tracked addresses, leaving about $250,000 USD still sitting in the tracked addresses.. also:

cofense.com/cofense-labs-publishes-database-200-million-compromised-accounts-targeted-sextortion-email-campaigns/

Microsoft: We’re disabling VBScript in Windows 7, 8 to block attackers

www.zdnet.com/article/microsoft-were-disabling-vbscript-in-windows-7-8-to-block-attackers/#ftag=RSSbaffb68 Windows 7 and Windows 8 updates scheduled for next Patch Tuesday will disable VBScript in Internet Explorer 11.

Puolustusvoimat hankkii verkkosodan tutkimusta

www.tivi.fi/uutiset/tv/8522efd8-6347-4bbe-8e36-fbaacb87ffba Puolustusvoimat on hankkimassa tietoverkkosodankäynnin tutkimusta lähes miljoonalla eurolla.

We’ve, um, changed our password policy, says CafePress amid reports of 23m pwned accounts

www.theregister.co.uk/2019/08/05/cafebreach_breach_23m_user_records/ Twee T-shirts ‘n’ merch purveyor CafePress had 23 million user records swiped reportedly back in February and this morning triggered a mass password reset, calling it a change in internal policy.

DDoS attacks in Q2 2019

securelist.com/ddos-report-q2-2019/91934/ The second quarter of 2019 turned out to be richer than the first in terms of high-profile DDoS attacks. True, most of the campaigns that attracted media attention appeared to be politically, rather than commercially, motivated and that despite the fact that some security experts discern a clear fall in hacktivism in recent years.

Barr says the US needs encryption backdoors to prevent going dark. Um, what?

arstechnica.com/tech-policy/2019/08/post-snowden-tech-became-more-secure-but-is-govt-really-at-risk-of-going-dark/ Citing the threat posed by violent criminals using encryption to hide their activities from law enforcement, Barr said that information security “should not come at the expense of making us more vulnerable in the real world.” He claimed that this is what is happening today.. “Service providers, device manufacturers, and application developers are developing and deploying encryption that can only be decrypted by the end user or customer, and they are refusing to provide technology that allows for lawful access by law enforcement agencies in appropriate circumstances,” Barr proclaimed.

Terminating Service for 8Chan

new.blog.cloudflare.com/terminating-service-for-8chan/ 8chan is among the more than 19 million Internet properties that use Cloudflare’s service. We just sent notice that we are terminating 8chan as a customer effective at midnight tonight Pacific Time.

Latest Trickbot Campaign Delivered via Highly Obfuscated JS File

blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/ We have been tracking Trickbot banking trojan activity and recently discovered a variant of the malware from distributed spam emails that contain a Microsoft Word document with enabled macro. . Once the document is clicked, it drops a heavily obfuscated JS file (JavaScript) that downloads Trickbot as its payload. . This malware also checks for the number of running processes in the affected machine; if it detects that its in an environment with limited processes, the malware will not proceed with its routine as it assumes that it is running in a virtual environment.

Corporate IoT a path to intrusion

msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ In April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices. Further research uncovered attempts by the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations.. These devices became points of ingress from which the actor established a presence on the network and continued looking for further access.. We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM. Since we identified these attacks in the early stages, we have not been able to conclusively determine what STRONTIUMs ultimate objectives were in these intrusions.

Puzzling Gwmndy Botnet Focuses on Low-Volume Proxy Connections

threatpost.com/gwmndy-botnet-proxy-connections/146963/ An odd botnet has been spotted targeting Fiberhome routers, in a quest to add 200 of them per day to its botnet web.. Unlike the typical botnets which try their best to infect as many victims as they can, this one has pretty much stopped looking for new bots after its active daily bot number reaches the low 200s, 360 Netlab researchers said in a blog post on Friday. It seems that the author is satisfied with the number, which probably provides enough proxy service for whatever purpose he needs.. 360 Netlab blog:

blog.netlab.360.com/some-fiberhome-routers-are-being-utilized-as-ssh-tunneling-proxy-nodes-2/

Vigilante hackers are exploiting SMS to send millions of texts

www.wired.co.uk/article/sms-hack-text-twitter-j3ws3r The duo behind the PewDiePie printer hacks are back. This time they’re trying to spam US mobile numbers through a SMS protocol. The hackers have taken advantage of SMS gateways, which are often used by businesses to send text messages en masse to users.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.