Daily NCSC-FI news followup 2019-08-08

City of Pori targeted by a data breach

www.pori.fi/uutinen/2019-08-08_porin-kaupunki-joutunut-tietomurron-kohteeksi On Wednesday afternoon, 7 August, a security breach was detected on one workstation in the City of Pori's education network. Through that workstation, malware had been installed on the education network's user directory servers. The purpose of the malware was data collection, which may have compromised users' login credentials. As a precaution, the passwords of all education network users will be changed, says Heikki Haaparanta, head of the ICT unit. We reacted to the situation quickly, which is why the breach did not spread more widely. The ingredients for wider damage were there, Haaparanta notes. The events that led to the breach will be investigated in detail. See also: yle.fi/uutiset/3-10913191

A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response

www.microsoft.com/security/blog/2019/08/07/a-case-study-in-industry-collaboration-poisoned-rdp-vulnerability-disclosure-and-response/ The vulnerability, called Poisoned RDP vulnerability and designated as CVE-2019-0887, has been fixed, but it serves as a good case study for industry collaboration leading to better and speedier response to security issues. In this blog, we'll share an overview of the vulnerability and how we worked with Check Point to build the defenses using Windows telemetry. See also Check Point: Reverse RDP Attack: The Hyper-V Connection –

research.checkpoint.com/reverse-rdp-the-hyper-v-connection/

Black Hat 2019: 5G Security Flaw Allows MiTM, Targeted Attacks

threatpost.com/5g-security-flaw-mitm-targeted-attacks/147073/ At a session at Black Hat 2019 called New Vulnerabilities in 5G Networks, presenting research he carried out with his partner, Ravishankar Borgaonkar of SINTEF Digital, Shaik noted that in 5G, as with 4G, the device capability information is sent to the base station before any security is layered onto the connection. Over-the-air security includes encryption of traffic from the endpoint to a base station; but since the device capabilities are transmitted prior to that kicking in, they are visible in plain text. This, according to Shaik, enables three kinds of attacks: Mobile network mapping (MNmap); bidding down; and battery drain on narrowband Internet of Things (NB IoT) devices.

A Boeing Code Leak Exposes Security Flaws Deep In A 787’s Guts

www.wired.com/story/boeing-787-code-leak-security-flaws/ Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multistage attack that starts in the plane's in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors. In a statement, Boeing said it had investigated IOActive's claims and concluded that they don't represent any real threat of a cyberattack. "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads.

Top Dangers That Online Gamers Face

www.hackread.com/top-dangers-that-online-gamers-face/ Below is a one-stop cybersecurity guide for game fans and a lowdown on the common risks you may encounter if you're on board the gaming hype train.

Severe local 0-Day escalation exploit found in Steam Client Services

arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/ Earlier today, disgruntled security researcher Vasily Kravets released a zero-day vulnerability in the Windows version of the ubiquitous gaming service Steam. The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands. See also: Steam Windows Client Local Privilege Escalation 0day – amonitoring.ru/article/steamclient-0day/

Commando VM 2.0: Customization, Containers, and Kali, Oh My!

www.fireeye.com/blog/threat-research/2019/08/commando-vm-customization-containers-kali.html The Complete Mandiant Offensive Virtual Machine (Commando VM) swept the penetration testing community by storm when it debuted in early 2019 at Black Hat Asia Arsenal. Our 1.0 release made headway featuring more than 170 tools. Well, now we are back again for another spectacular release, this time at Black Hat USA Arsenal 2019! In this 2.0 release we've listened to the community and implemented some new must-have features: Kali Linux, Docker contai

Researchers uncover over 35 vulnerabilities in six leading enterprise printers

www.helpnetsecurity.com/2019/08/08/vulnerabilities-enterprise-printers/ NCC Group researchers have uncovered significant vulnerabilities in six commonly used enterprise printers, highlighting the vast attack surface that can be presented by internet-connected printers.

FBI, NSA to hackers: Let us be blunt. Weed need your help. We’ll hire you even if you’ve smoked a little pot in the past

www.theregister.co.uk/2019/08/08/hackers_feds_weed/ America's crime-fighters, desperate to recruit white-hat hackers to collar spies and cyber-crooks, have been quietly and slightly relaxing the ban on hiring anyone who has used illegal drugs. What with marijuana now legal in various US states, including California, and it being 2019 and all, and recruitment of infosec bods still being somewhat of a struggle, it appears Uncle Sam is easing up. So, if you haven't done anything bonkers, like injected mephedrone into your eyeballs over breakfast, and can pass, and continue to pass, a drug test, and you have the infosec skillz needed, Uncle Sam may well want you… to apply, at least.

Tricky Chinese-Targeted Trojan Bypasses Authentication

www.fortinet.com/blog/threat-research/chinese-targeted-trojan-analysis.html FortiGuard Labs uncovered a new campaign targeted at Chinese speakers using malware that bypasses normal authentication by exploiting known WinRAR file (CVE-2018-20250) and RTF file (CVE-2017-11882) vulnerabilities. This attack uses a watering hole attack strategy to target Chinese-speaking users by delivering malware through a hacked Chinese news site. Based on our analysis, the campaign also appears to be experimental because it uses so many different t

How AT&T Insiders Were Bribed To ‘unlock’ Millions Of Phones

www.wired.com/story/att-insiders-bribed-unlock-phones/ A dramatic saga that began with a civil lawsuit between AT&T and former employees has resulted in a high-profile arrest. Muhammad Fahd, 34, and his co-conspirators allegedly paid AT&T employees more than $1 million in bribes over five years to install malware and spying devices at their offices in Washington, according to a Department of Justice indictment unsealed Monday. Fahd is accused of orchestrating an elaborate conspiracy from the other side of the world, designed not to steal sensitive customer data or proprietary information but to illegally unlock more than 2 million AT&T cell phones. See also:

www.justice.gov/opa/press-release/file/1191196/download

Faces are accepted as a means of payment, but they can also be used to monitor citizens' movements. How does advanced technology affect privacy?

seura.fi/asiat/ajankohtaista/kasvot-kelpaavat-maksuvalineeksi-mutta-niilla-voidaan-myos-valvoa-kansalaisten-liikkeita-miten-kehittynyt-teknologia-vaikuttaa-yksityisyydensuojaan/ Since June 2019, the police and customs have been allowed to compare surveillance camera images against facial images stored in personal data registers using an identification system. However, the equipment for that purpose does not yet exist. New camera equipment is currently being procured. Fighting crime is undeniably a good thing. Facial recognition technology nevertheless raises several questions. It has been considered problematic particularly from the standpoint of privacy.

Varenyky: Spambot à la Française

www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/ ESET researchers document malware-distributing spam campaigns targeting people in France. This spambot is interesting because it can steal passwords, spy on its victims' screens using FFmpeg when they watch pornographic content online, and communication with the C&C server is done through Tor, while spam is sent as regular internet traffic. This article describes the functionality of the malware.

HTTP Desync Attacks: Request Smuggling Reborn

portswigger.net/blog/http-desync-attacks-request-smuggling-reborn HTTP Request Smuggling was first documented back in 2005 by Watchfire, but a fearsome reputation for difficulty and collateral damage left it mostly ignored for years while the web's susceptibility grew. Alongside new attack variants and exploitation vectors, I'll help you tackle this legacy with custom open source tooling and a refined methodology for reliable black-box detection, assessment and exploitation with minimal risk of collateral damage.

The cyberattack has cost the City of Lahti almost 690,000 euros

yle.fi/uutiset/3-10914550 The work to stop the malware from spreading and to clean up afterwards has incurred high costs. The early-summer cyberattack has already cost the City of Lahti more than half a million euros. The direct costs of the incident amounted to 685,670 euros by the end of July.

Spanish brothel chain leaves internal database exposed online

www.zdnet.com/article/spanish-brothel-chain-leaves-internal-database-exposed-online/ "Men's club" exposes data about escort girls, customer reviews, and club finances.

FakesApp: A Vulnerability in WhatsApp

research.checkpoint.com/fakesapp-a-vulnerability-in-whatsapp/ Check Point Research recently unveiled new vulnerabilities in the popular messaging application that could allow threat actors to intercept and manipulate messages sent in both private and group conversations, giving attackers immense power to create and spread misinformation from what appear to be trusted sources.

Protect against BlueKeep

www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/ To protect against BlueKeep, we strongly recommend you apply the Windows Update, which includes a patch for the vulnerability. If you use Remote Desktop in your environment, it's very important to apply all the updates. If you have Remote Desktop Protocol (RDP) listening on the internet, we also strongly encourage you to move the RDP listener behind some type of second factor authentication, such as VPN, SSL Tunnel, or RDP gateway. Via open source telemetry, we see more than 400,000 endpoints lacking any form of network level authentication, which puts each of these systems potentially at risk from a worm-based weaponization of the BlueKeep vulnerability.
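The post's three recommendations (patch, require Network Level Authentication, keep the RDP listener off the internet) can be audited on a single host with the script below. This is an added example, not code from Microsoft's post; the function names Get-RdpExposure and Enable-RdpNla are this example's own, and the KB number the patch check looks for is a placeholder you must replace with the update for your OS from Microsoft's BlueKeep advisory. It reads the standard Terminal Server registry values, uses the Win32_TSGeneralSetting WMI class to enforce NLA, and needs an elevated PowerShell on Windows 8/Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example (not Microsoft's code): audit a Windows host for the BlueKeep
# mitigations recommended above and, if RDP is on without NLA, enforce NLA.
# Get-RdpExposure / Enable-RdpNla are names chosen for this example.

function Get-RdpExposure {
    [CmdletBinding()]
    param(
        # Placeholder: the BlueKeep update KB for this OS, taken from Microsoft's advisory.
        [string]$BlueKeepKb = 'KB<BLUEKEEP-UPDATE-FOR-THIS-OS>'
    )

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $rdpEnabled  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA is required before a session is created,
    # so an unauthenticated client never reaches the vulnerable code path.
    $nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
    $port        = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

    # A listener bound to all interfaces is a candidate for internet exposure;
    # correlate with the perimeter firewall rules to confirm.
    $wildcard = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nlaRequired
        RdpPort        = $port
        ListensOnAllIf = [bool]$wildcard
        PatchInstalled = [bool](Get-HotFix -Id $BlueKeepKb -ErrorAction SilentlyContinue)
    }
}

function Enable-RdpNla {
    # Require NLA through the Terminal Services WMI provider; applies to new connections.
    $setting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $setting -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

$state = Get-RdpExposure
$state | Format-List

if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'RDP is enabled without NLA; enforcing NLA now.'
    Enable-RdpNla
}
if ($state.RdpEnabled -and -not $state.PatchInstalled) {
    Write-Warning 'BlueKeep update not found; install it before exposing RDP anywhere.'
}
```

NLA is a mitigation, not a fix: it stops unauthenticated exploitation but the patched binaries are still required, and an RDP listener reachable from the internet should sit behind a VPN or RDP gateway as the post says, whatever the NLA setting reports.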

The Curious Case of a Fileless TrickBot Infection

securityintelligence.com/posts/the-curious-case-of-a-fileless-trickbot-infection/ In a recent analysis in our cybercrime research labs, we noticed changes in the deployment of the TrickBot Trojan. At the time, the change we observed only applied to infection attempts on Windows 10 64-bit operating systems (OSs). In those cases, TrickBot ran the payload, but did not save its typical modules and configurations to disk. X-Force threat engineer Ofir Ozer took a closer look at this change in TrickBot's deployment routine and found that it was a fileless version. Let's look into the changes and the possible reasons they were implemented.

Understanding why phishing attacks are so effective and how to mitigate them

security.googleblog.com/2019/08/understanding-why-phishing-attacks-are.html As part of our ongoing efforts to further protect users from phishing, we're partnering with Daniela Oliveira from the University of Florida during a talk at Black Hat 2019 to explore the reasons why social engineering attacks remain effective phishing tactics, even though they have been around for decades.

July 2019's Most Wanted Malware: Vulnerability in OpenDreamBox 2.0.0 WebAdmin Plugin Enables Attackers to Execute Commands Remotely

blog.checkpoint.com/2019/08/08/july-2019s-most-wanted-malware-vulnerability-in-opendreambox-2-0-0-webadmin-plugin-enables-attackers-to-execute-commands-remotely/ In July, a new vulnerability in the OpenDreamBox 2.0.0 WebAdmin Plugin was discovered; it has impacted 32% of organizations globally in the last month.

Companies increasingly targeted by scams

www.verkkouutiset.fi/yritykset-yha-useammin-huijauksen-kohteena/ Scams and fraud targeting companies have increased significantly. Suomen Yrittäjät (the Federation of Finnish Enterprises) has published a guide that helps to recognise and counter various scams. The guide presents the most common scams targeting companies. These include, for example, directory scams, fake invoices, identity theft and CEO fraud. See also:

www.yrittajat.fi/sites/default/files/torju_huijaukset_opas_a4_hr.pdf

www.darkreading.com/vulnerabilities—threats/siemens-s7-plcs-share-same-crypto-key-pair-researchers-find-/d/d-id/1335452 Security researchers who built a phony engineering workstation that was able to dupe and alter operations of the Siemens S7 programmable logic controller (PLC) found that modern S7 PLC families running the same firmware also share the same public cryptographic key, leaving the devices vulnerable to attacks like the ones they simulated. "All PLCs of the same model have the same key, which means if you crack one, you've cracked all of them," said Avishai Wool, a professor at Tel Aviv University's School of Electrical Engineering, of the S7-1500 PLCs he and his fellow researchers studied. "So if you are able to talk to one of them, you are able to talk to all of them."
