Daily NCSC-FI news followup 2019-09-03

Feds Allege Adconion Employees Hijacked IP Addresses for Spamming

krebsonsecurity.com/2019/09/feds-allege-adconion-employees-hijacked-ip-addresses-for-spamming/ Federal prosecutors in California have filed criminal charges against four employees of Adconion Direct, an email advertising firm, alleging they unlawfully hijacked vast swaths of Internet addresses and used them in large-scale spam campaigns. KrebsOnSecurity has learned that the charges are likely just the opening salvo in a much larger, ongoing federal investigation into the company's commercial email practices.

Massive iPhone Hack Targets Uyghurs

www.schneier.com/blog/archives/2019/09/massive_iphone_.html China is being blamed for a massive surveillance operation that targeted Uyghur Muslims. This story broke in waves, the first wave being about the iPhone. Earlier this year, Google's Project Zero found a series of websites that have been using zero-day vulnerabilities to indiscriminately install malware on iPhones that would visit the site. (The vulnerabilities were patched in iOS 12.1.4, released on February 7.) Also:

www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/

SharPersist: Windows Persistence Toolkit in C#

www.fireeye.com/blog/threat-research/2019/09/sharpersist-windows-persistence-toolkit.html PowerShell has been used by the offensive community for several years now but recent advances in the defensive security industry are causing offensive toolkits to migrate from PowerShell to reflective C# to evade modern security products. Some of these advancements include Script Block Logging, Antimalware Scripting Interface (AMSI), and the development of signatures for malicious PowerShell activity by third-party security vendors. Several public C# toolkits such as Seatbelt, SharpUp and SharpView have been released to assist with tasks in various phases of the attack lifecycle.

What is MITRE ATT&CK and how is it useful?

www.welivesecurity.com/2019/09/03/what-is-mitre-attck-useful/ An introduction to the MITRE ATT&CK framework and how it can help organize and classify various types of threats and adversarial behaviors. MITRE is a not-for-profit company set up in 1958 whose mission is to solve problems for a safer world. This goal is being fulfilled, in part, via the organization's new curated knowledge base known as MITRE ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a platform that organizes and categorizes various types of tactics, techniques, and procedures (TTPs) used by threat actors in the digital world, helping organizations pinpoint gaps in their cyber-defenses.

XKCD Forum Hacked, Over 562,000 Users' Account Details Leaked

thehackernews.com/2019/09/xkcd-forum-hacked.html XKCD, one of the most popular webcomic platforms known for its geeky tech humor and other science-laden comic strips on romance, sarcasm, math, and language, has suffered a data breach exposing data of its forum users. The security breach occurred two months ago, according to security researcher Troy Hunt who alerted the company of the incident, with unknown hackers stealing around 562,000 usernames, email and IP addresses, as well as hashed passwords. Also:

www.bleepingcomputer.com/news/security/xkcd-forum-breach-exposes-emails-passwords-of-562-000-users/

Tricky LNK points to TrickBot

isc.sans.edu/forums/diary/Guest+Diary+Tricky+LNK+points+to+TrickBot/25290/ Recently, I was asked to analyze a phishing e-mail which was sent to one of our customers. The e-mail itself was a run-of-the-mill affair (a variation on the "you have unpaid invoices, click here to download them" theme), but the link it contained pointed to a quite interesting file. The file in question was a ZIP archive containing an unusually large (almost 10 kB) LNK file trying to look like an RTF document.

WordPress Plugins Anchor Widespread Malvertising, Rogue Backdoor Campaign

threatpost.com/wordpress-plugins-malvertising-backdoor-campaign/147926/ An ongoing attack on websites has added new exploits and an administrative backdoor to its bag of tricks. A malvertising campaign redirecting website visitors and surfacing popups is plaguing the WordPress ecosystem, according to researchers, using known vulnerabilities in WordPress plugins as the attack vector. The campaign has been ongoing all summer, with cybercrooks bent on redirecting website visitors to malware and fraud sites, according to researchers at Wordfence; they're targeting vulnerable websites with outdated WordPress plugin versions to inject malicious JavaScript into the front ends to perform the redirects.

Android exploits are now worth more than iOS exploits for the first time

www.zdnet.com/article/android-exploits-are-now-worth-more-than-ios-exploits-for-the-first-time/ Exploit broker Zerodium increases zero-day prices for Android, now worth more than iOS. Zerodium, a company which claims it buys and then resells software exploits to government and law enforcement agencies, has updated its price list today, and Android exploits are worth more than iOS exploits for the first time ever. Also:

www.bleepingcomputer.com/news/security/zerodium-makes-android-zero-days-more-expensive-than-ios/

Hacker's discovery: Facebook rummages through its users' phones in a way not previously known

www.is.fi/digitoday/tietoturva/art-2000006225176.html Facebook copies system files from Android phones for unknown purposes. The behaviour of Facebook's Android app caught the attention of the well-known hacker Jane Manchun Wong. In a series of Twitter messages she reports that the app collects a lot of data from users' phones and sends it to Facebook's servers.

Nemty Ransomware Gets Distribution from RIG Exploit Kit

www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/ The operators of Nemty ransomware appear to have struck a distribution deal to target systems with outdated technology that can still be infected by exploit kits. Exploit kits are not as commonly used since they typically thrive on vulnerabilities in Internet Explorer and Flash Player, two products that used to dominate the web a few years ago but are now with one foot out in the grave. Even so, many companies still depend on them and Microsoft’s web browser continues to be used in many countries, turning them into targets for web threats to which most of the world is immune.

Fake BleachBit Website Built to Distribute AZORult Info Stealer

www.bleepingcomputer.com/news/security/fake-bleachbit-website-built-to-distribute-azorult-info-stealer/ Users of utilities that reclaim disk space should think twice if someone tries to get them to download BleachBit. Cybercriminals have created a web page that purports to be the official website of the tool, but instead spreads the AZORult information stealer. BleachBit is a tool that can help Windows, Linux, and macOS users reclaim disk space by deleting disposable data. It has over one million downloads on Sourceforge since its original release and is also available straight from the developer’s website.

Enjoy the holiday weekend, America? Well-rested? Good. Supermicro server boards can be remotely hijacked

www.theregister.co.uk/2019/09/03/supermicro_server_flaw/ Virtual USB hub allows attackers to get into BMCs. Tens of thousands of servers around the world are believed to be hosting a vulnerability that would allow an attacker to remotely commandeer them. The team at Eclypsium says it has discovered a set of flaws it refers to as USBAnywhere that, when exploited, would potentially allow an attacker to take over the baseboard management controller (BMC) for three different models of server boards: the X9, X10, and X11. Also:

www.bleepingcomputer.com/news/security/usbanywhere-bugs-in-supermicro-servers-allow-remote-usb-access/

www.zdnet.com/article/over-47000-supermicro-servers-are-exposing-bmc-ports-on-the-internet/

threatpost.com/usbanywhere-bugs-supermicro-remote-attack/147899/

thehackernews.com/2019/09/hacking-bmc-server.html

www.wired.com/story/supermicro-bug-virtual-usb/

Instagram account hijacking brought tears to the eyes: "It felt exactly as if burglars had been in my home"

yle.fi/uutiset/3-10933407 Hijacking a social media account can be aimed at financial gain, spreading propaganda or simple harassment. Ville Kontinen, information security specialist at the Kyberturvallisuuskeskus (National Cyber Security Centre) of the Liikenne- ja viestintävirasto (Finnish Transport and Communications Agency), says that the motives behind hijackings vary, and an account with many followers is therefore not automatically at greater risk. According to Kontinen, what matters is how quickly the user reacts to the situation, since once the hijacker has taken over the account, they can run riot as they please. The time elapsed can also matter for the account recovery process.

Denmark's rail ticket system targeted in digital attack

www.thelocal.dk/20190902/denmarks-rail-ticket-system-targeted-in-digital-attack National rail operator DSB suffered an outage to its ticketing system on Sunday night after an apparent cyber-attack on the online platform. The system was operating normally again by Monday morning, DSB's press service confirmed. The issue impacted online ticketing platforms, machines at stations and staffed ticket desks, although the Rejsekort travel card could still be used on train journeys.
