Daily NCSC-FI news followup 2019-09-04

Satori IoT Botnet Operator Pleads Guilty

krebsonsecurity.com/2019/09/satori-iot-botnet-operator-pleads-guilty/ A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the Satori botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies.. Also:

www.zdnet.com/article/author-of-multiple-iot-botnets-pleads-guilty/

Warshipping: the cyberthreat that arrives in the mail

www.pandasecurity.com/mediacenter/security/warshipping-cyberthreat-mail/ Cybercriminal efforts to threaten IT systems are constantly evolving. Among the techniques that weve seen this year are the injection of malicious code in thousands of ecommerce websites in order to to steal personal data and the use of LinkedIn to install spyware. Whats more, these techniques are working; the cost of cybercrime in 2018 was $45 billion.. Now, researchers at IBMs X-Force Red have developed a proof of concept (PoC) that could be the next step in cybercrimes evolution. It is called warshipping, and it combines tech methods with other, somewhat more traditional methods.

Making the Case for Network Segmentation in AWS

securityintelligence.com/posts/making-the-case-for-network-segmentation-in-aws/ Network segmentation is a concept that dates back to the start of enterprise IT systems. The simplest demonstration of this is separating application and infrastructure components with a firewall. This concept is now a routine part of building data centers and application architectures. In fact, its nearly impossible to find examples of enterprises without some network segmentation model in place.

Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions

blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/ We recently caught a malvertising attack distributing the malware Glupteba. This is an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. In 2018, a security company reported that the Glupteba botnet may have been independent from Operation Windigo and had moved to a pay-per-install adware service to distribute it in the wild. The activities of the actors behind Glupteba have been varied: they were suspected of providing proxy services in the underground, and were identified as using the EternalBlue exploit to move into local networks and run Monero (XMR) cryptocurrency miners.

Acquiring a VHD to Investigate

msrc-blog.microsoft.com/2019/09/03/acquiring-a-vhd-to-investigate/ In a previous post we described some of the differences between on-premises/physical forensics and cyber investigations and those performed in the cloud, and how this can make cloud forensics challenging. That blog post described a method of creating and maintaining a VM image which can be distributed to multiple regions, allowing you to deploy this pre-prepared machine to be used in an investigation in a matter of minutes. Now that you have your tools, this blog describes how you acquire and access a Virtual Hard Disk (VHD) from a VM which has been flagged for investigation.

JSWorm: The 4th Version of the Infamous Ransomware

blog.yoroi.company/research/jsworm-the-4th-version-of-the-infamous-ransomware/ The ransomware attacks have no end. These cyber weapons are supported by a dedicated staff that constantly update and improve the malware in order to make harder detection and decryption. As the popular GandCrab, which was carried on up to version 5 until its shutdown, also other ransomware are continuously supported with the purpose of creating revenues for cyber criminals. One of them is JSWorm, which has been updated to version 4.

NCSC Releases UK Cyber Incident Trends Report

www.us-cert.gov/ncas/current-activity/2019/09/04/ncsc-releases-uk-cyber-incident-trends-report The United Kingdom (UK) National Cyber Security Centre (NCSC) has released a report detailing cyber incident trends in the UK from October 2018 to April 2019. The report provides technical guidance on how to defend against, and recover from, the following cyber threats: ransomware, phishing, vulnerability scanning, and attacks targeting supply chain and Office 365 cloud services.

Advanced SMS Phishing Attacks Against Modern Android-based Smartphones

research.checkpoint.com/advanced-sms-phishing-attacks-against-modern-android-based-smartphones/ Check Point Researchers have identified a susceptibility to advanced phishing attacks in certain modern Android-based phones, including models by Samsung, Huawei, LG and Sony. In these attacks, a remote agent can trick users into accepting new phone settings that, for example, route all their Internet traffic through a proxy controlled by the attacker. This attack vector relies on a process called over-the-air (OTA) provisioning, which is normally used by cellular network operators to deploy network-specific settings to a new phone joining their network. However, as we show, anyone can send OTA provisioning messages.. Also:

threatpost.com/half-of-android-handsets-susceptible-to-clever-sms-phishing-attack/147988/. Also:

www.zdnet.com/article/samsung-huawei-lg-and-sony-phones-vulnerable-to-rogue-provisioning-messages/. Myös: www.is.fi/digitoday/tietoturva/art-2000006227351.html. Also:

www.bleepingcomputer.com/news/security/android-sms-phishing-can-stealthily-enable-malicious-settings/. Also:

www.darkreading.com/mobile/android-phone-flaw-allows-attackers-to-divert-email/d/d-id/1335729

New Free Offering Enables Any MSP and Security Integrator to Add Incident Response to their Services Portfolio

thehackernews.com/2019/09/msp-incident-response.html The Incident Response (IR) services market is in accelerated growth due to the rise in cyberattacks that result in breaches. More and more organizations, across all sizes and verticals, choose to outsource IR to 3rd party service providers over handling security incidents in-house. Cynet is now launching a first-of-its-kind offering, enabling any Managed Security Provider (MSP) or Security Integrator (SI) to add Incident Response to its services portfolio, without building an in-house team of incident responders, by using Cynet’s IR team and technology at no cost.

Malspam using password-protected Word docs to push Remcos RAT

isc.sans.edu/forums/diary/Malspam+using+passwordprotected+Word+docs+to+push+Remcos+RAT/25292/ Malicious spam (malspam) using attached password-protected Word documents to evade detection is nothing new. I’ve documented it as early as March 2017, and this style of malware distribution started years before then. This particular campaign has pushed a variety of malware, including IcedID (Bokbot), various types of ransomware, and Nymaim. At times, this resume-themed malspam can disappear for several weeks, but I always see it return. This most recent wave began as early as Wednesday 2019-08-28. When I checked on Tuesday 2019-09-03, this infection chain pushed Remcos RAT.

Critical Bugs Open Food-Safety Systems to Remote Attacks

threatpost.com/critical-bugs-food-safety-remote-attacks/148009/ The AK-EM 800 software from Danfoss centralizes alarm management, automatic data collection and food-quality reporting. Two critical vulnerabilities in a food-quality management software package would allow adversaries to completely compromise the system. The issues affect the AK-EM 800 product from SCADA vendor Danfoss. Its an enterprise management solution for the food retail industry that provides a central architecture for alarm management, automatic data collection and food-quality reporting.

Forget email: Scammers use CEO voice ‘deepfakes’ to con workers into wiring cash

www.zdnet.com/article/forget-email-scammers-use-ceo-voice-deepfakes-to-con-workers-into-wiring-cash/ AI-generated audio was used to trick a CEO into wiring $243,000 to a scammer’s bank account. Criminals are using AI-generated audio to impersonate a CEO’s voice and con subordinates into transferring funds to a scammer’s account. So-called deepfake voice attacks could be the next frontier in a scam that’s cost US businesses almost $2bn over the past two years using fraudulent email.

Maailmaa muuttaneen kyberiskun mysteeri selviämässä 12 vuoden jälkeen

www.is.fi/digitoday/tietoturva/art-2000006226845.html Iranin ydinohjelman hyydyttänyt Stuxnet-haittaohjelma saatiin ydinlaitokseen myyrän avulla, Yahoo News kertoo. Kuuluisasta Stuxnet-haittaohjelmasta on saatu uutta tietoa 12 vuotta iskun jälkeen. Yahoo News kertoo, miten Iranin ydinohjelman häirintään suunniteltu haittaohjelma ujutettiin uraaninrikastamoon Natanzissa.. Alkuperäinen artikkeli:

news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html?

Year-Old Samba Bug Allows Access to Forbidden Root Share Paths

www.bleepingcomputer.com/news/security/year-old-samba-bug-allows-access-to-forbidden-root-share-paths/ For almost a year, threat actors could exploit a vulnerability in Samba software that allowed them to bypass file-sharing permissions and escape outside the share root directory. The security flaw has been introduced in Samba 4.9.0, released on September 13, 2018, and can be leveraged under certain conditions. Exploitation is possible on systems where the ‘wide links’ option in the Samba configuration file is turned on. They also need to either allow insecure wide links (the setting ‘allow insecure wide links’ is set to ‘yes’) or have the ‘unix extension’ parameter set to ‘no.’

Hacked SharePoint Sites Used to Bypass Secure Email Gateways

www.bleepingcomputer.com/news/security/hacked-sharepoint-sites-used-to-bypass-secure-email-gateways/ Phishers behind a new campaign have switched to using compromised SharePoint sites and OneNote documents to redirect potential victims from the banking sector to their landing pages. The attackers take advantage of the fact that the domains used by Microsoft’s SharePoint web-based collaborative platform are almost always overlooked by secure email gateways which allows their phishing messages to regularly reach their targets’ inboxes.

Bus pass or bus ass? Hackers peeved about public transport claim to have reverse engineered ticket app for free rides

www.theregister.co.uk/2019/09/04/corethree_baked_private_rsa_key_first_bus_ticket_app/ A hacker collective has said that it found the private keys for a Manchester bus company’s QR code ticketing app embedded in the app itself and has now released its own ride-buses-for-free code. In an interview with The Register, the hacker claiming to be behind the breach of First Buses’ ticketing app said he had noticed how it “would let you purchase a ticket and activate it offline later”.

The latest on BlueKeep and DejaBlue vulnerabilities Using Firepower to defend against encrypted DejaBlue

blog.talosintelligence.com/2019/09/the-latest-on-bluekeep-and-dejablue.html Over the past few months, Microsoft has released several security updates for critical Remote Desktop Protocol (RDP)-related security bugs. These bugs are significant for IT infrastructure because they are classified as “wormable,” meaning future malware that exploits them could spread from system to system without requiring explicit user interaction. These vulnerabilities could be exploited by an attacker sending a specially crafted request to the target system’s Remote Desktop Service via RDP. We have seen how destructive these kinds of attacks can be, most notably WannaCry. We highly recommend organizations immediately apply Microsoft’s patches.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.