Daily NCSC-FI news followup 2019-09-24

New NetWire RAT Variant Being Spread Via Phishing

www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing.html NetWire is a Remote Access Trojan (RAT) malware that has been widely used for many years. Recently, FortiGuard Labs noticed a malware spreading via phishing email, and during the analysis on it, we discovered that it was a new variant of NetWire RAT.

LookBack Forges Ahead: Continued Targeting of the United States Utilities Sector Reveals Additional Adversary TTPs

www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals Early in August, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed Lookback. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (GEC). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. Phishing tactics, techniques, and procedures (TTPs) observed in these campaigns are consistent with previously reported activity. Persistent targeting of entities in the utilities sector demonstrates the continuing risk to US organizations from the actors responsible for LookBack. Proofpoint has identified at least 17 entities in the US utilities sector targeted by these actors from April 5 through August 29, 2019. Read also:

www.bleepingcomputer.com/news/security/state-backed-attackers-target-us-entities-with-lookback-malware/ and

www.zdnet.com/article/17-us-utility-firms-targeted-by-mysterious-state-sponsored-group/

[Behind a paywall] Young people hack Espoo again on a course; a 17-year-old received a scholarship last year

www.tivi.fi/uutiset/tv/abc89949-6faa-4b67-8ae3-ad25ef661963 A hacking course is being organised for Espoo's upper secondary school students and ICT (datanomi) students, during which the city's information systems are tested.

Finnish Govt. Releases Guide on Securing Microsoft Office 365

www.bleepingcomputer.com/news/security/finnish-govt-releases-guide-on-securing-microsoft-office-365/ The National Cyber Security Centre Finland (NCSC-FI), which acts as Finland’s National Communications Security Authority, published today a detailed guide on how to secure Microsoft Office 365 against data breaches and credential phishing. Read the actual guide:

www.kyberturvallisuuskeskus.fi/en/guides

Australians are reporting cybercrime activities once every 10 minutes

www.zdnet.com/article/australians-are-reporting-cybercrime-activities-once-every-10-minutes/ Australians are reaching out to the nation’s Cyber Crime Reporting program more than ever, but there are still many incidents that go unreported. According to the head of the Australian Cyber Security Centre (ACSC), Rachel Noble, since her organisation assumed responsibility for what was previously known as the Australian Cybercrime Online Reporting Network (ACORN) on July 1, it has received about one report every 10 minutes.

Russian hacker pleads guilty for role in stealing personal data of 80 million people

edition.cnn.com/2019/09/23/politics/russian-hacker-pleads-guilty/ Andrei Tyurin, 35, pleaded guilty to computer intrusion, wire fraud, bank fraud and illegal online gambling offenses related to the extensive hacking campaign that targeted US financial institutions, brokerage firms, financial news publishers and other companies, according to a press release from the US Attorney for the Southern District of New York.

Mapping the Connections Inside Russia’s APT Ecosystem

www.intezer.com/blog-russian-apt-ecosystem/ This research is a joint effort conducted by Omri Ben-Bassat from Intezer and Itay Cohen from Check Point Research. If the names Turla, Sofacy, and APT29 strike fear into your heart, you are not alone. These are known to be some of the most advanced, sophisticated and notorious APT groups out there, and not without reason. These Russian-attributed actors are part of a larger picture in which Russia is one of the strongest powers in cyber warfare today. Their advanced tools, unique approaches, and solid infrastructures suggest enormous and complicated operations that involve. Read also:

research.checkpoint.com/russianaptecosystem/

How Tortoiseshell created a fake veteran hiring website to host malware

blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. The actor, previously identified by Symantec as Tortoiseshell, deployed a website called hxxp://hiremilitaryheroes[.]com that posed as a website to help U.S. military veterans find jobs. The URL is strikingly close to the legitimate service from the U.S. Chamber of Commerce, www.hiringourheroes.org. The . This is just the latest action by Tortoiseshell. Previous research showed that the actor was behind an attack on an IT provider in Saudi Arabia. For the campaign Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques and procedures (TTPs).

Zebrocy Infects Targets with New Golang-Based Backdoor via Dropbox

www.bleepingcomputer.com/news/security/zebrocy-infects-targets-with-new-golang-based-backdoor-via-dropbox/ A recently observed campaign from the Zebrocy APT operators relied on a revamped backdoor to maintain access to victim hosts and extract profiling information. The backdoor comes with previously seen capabilities, but the operators used a Golang-based version instead of the variant written in Delphi, which security researchers were familiar with. Zebrocy is a toolkit of downloaders, droppers, and backdoors that is associated with the Russian-speaking advanced threat group Sednit; the hackers are also known by the names APT28, Fancy Bear, Sofacy, Group 74, and STRONTIUM and run cyber-espionage operations.

Emotet Tries to Infect You By Claiming It’s Snowden’s Book

www.bleepingcomputer.com/news/security/emotet-tries-to-infect-you-by-claiming-its-snowdens-book/ Emotet has started a new spam campaign that pretends to be a scanned copy of Edward Snowden’s new book. Unsuspecting users who open the attachment and enable its content will find that they have become infected with Emotet, most likely Trickbot, and possibly other malware. After approximately four months of inactivity, Emotet woke up again on September 16th and since then has been spewing forth a legion of spam. These emails typically pretend to be invoices, financial documents, and other business documents with malicious Word attachments that infect you with a variety of malware.

Study shows that majority of second-hand hard drives contain previous owners' data

www.zdnet.com/article/study-shows-that-majority-of-second-hand-hard-drives-contain-previous-owners-data/ A whopping 59 percent of used hard disks sold on sites such as eBay are not properly wiped and still contain data from their previous owners, according to a new study by the University of Hertfordshire and commissioned by Comparitech.

Ransomware: New file-encrypting attack has links to GandCrab malware, say security researchers

www.zdnet.com/article/ransomware-new-file-encrypting-attack-has-links-to-gandcrab-malware-say-security-researchers/ A new form of ransomware shares a number of links with the GandCrab malware, according to security company researchers, even though the developers of that infamous piece of ransomware earlier this year claimed to have retired. GandCrab was one of the most successful families of ransomware during 2018 and 2019, with its authors offering it out ‘as-a-service’ in exchange for a cut of the profits. In June, they suddenly announced they were retiring, claiming to have earned over $2 billion since GandCrab first emerged in January 2018.

Political targets at risk as Fancy Bear returns with refreshed backdoor malware

www.zdnet.com/article/political-targets-at-risk-as-fancy-bear-returns-with-refreshed-backdoor-malware/ A recent attack campaign launched by Fancy Bear has revealed an updated set of tools, including a backdoor written in a new language. Fancy Bear, also known as APT28, Sednit, Sofacy, and Strontium, is an advanced persistent threat (APT) group which has been connected to an array of politically-motivated attacks. Previous victims of the APT include the US Democratic National Committee (DNC), the World Anti-Doping Agency (WADA), the Ukrainian military, the Association of Athletics Federations (IAAF), and various government entities.

APT or not APT? What's Behind the Aggah Campaign

blog.yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/ During our threat monitoring activities, we discovered an interesting drop chain related to the well-known Aggah campaign, the ambiguous infection chain observed by Unit42 which seemed to deliver payloads potentially associated with the Gorgon Group APT. After that, we discovered other malicious activities using the same TTPs and infrastructure, for instance in The Enigmatic Roma225 Campaign and The Evolution of Aggah: From Roma225 to the. But, despite the very similar infection chain, these latest attacks revealed a curious variation of the final payload, opening up different interpretations and hypotheses about the Aggah activities.

Can Authentication Negatively Impact the User Experience?

securityintelligence.com/posts/can-authentication-negatively-impact-the-user-experience/ Authentication can sometimes feel like a balancing act. On one hand, securing your digital experience is a top priority. Preserving your customers' trust in your services is often key to maintaining a long-term relationship with your brand. On the other hand, in the age of digital transformation, customers also want a simple, easy-to-navigate digital experience. Too often, security and user experience are at odds with one another. Extra security can mean extra roadblocks on the customers' digital journey. It's hard enough to remember all your usernames and passwords. Factor in two-factor authentication (2FA), SMS text messages and more, and you're very likely to have frustrated users.

Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild

www.wordfence.com/blog/2019/09/rich-reviews-plugin-vulnerability-exploited-in-the-wild/ The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Rich Reviews plugin for WordPress. The estimated 16,000 sites running the plugin are vulnerable to unauthenticated plugin option updates, which can be used to deliver stored cross-site scripting (XSS) payloads. Attackers are currently abusing this exploit chain to inject malvertising code into target websites. The malvertising code creates redirects and popup ads. Our team has been tracking this attack campaign since April of this year. You can find additional research covering this attack campaign, published by us in April and again in August of this year.

Windows 10 1809 Cumulative Update KB4516077 Released With Fixes

www.bleepingcomputer.com/news/microsoft/windows-10-1809-cumulative-update-kb4516077-released-with-fixes/ Microsoft has released a new cumulative update for Windows 10 version 1809 that fixes a large number of bugs and issues. Some of the highlighted issues that are fixed with this release are high CPU usage when switching apps, Calculator shutting down, incorrect file and folder properties in File Explorer, and Narrator not opening properly. The update is titled “2019-09 Cumulative Update for Windows 10 Version 1809 (KB4516077)” and does not contain any security fixes. With the release of KB4516077, Windows 10 1809 will be upgraded to build 17763.774. Microsoft warns that some users may see a black screen after booting up for the first time after installing this update. If this bug affects you, press Ctrl+Alt+Delete and then shut down from the power button in the bottom left of the screen. On the next reboot, you should be able to access the desktop. See also:

support.microsoft.com/en-us/help/4516077/windows-10-update-kb4516077

No right to be forgotten? Here’s how to remove yourself from the internet and hide your identity

www.zdnet.com/article/how-to-erase-your-digital-footprint-and-make-google-forget-you/ Here is a step-by-step guide to reducing your digital footprint online, whether you want to lock down data or vanish entirely. There is now a very thin line, easily broken, which separates our physical and digital identities.

‘Carpet-bombing’ DDoS attack takes down South African ISP for an entire day

www.zdnet.com/article/carpet-bombing-ddos-attack-takes-down-south-african-isp-for-an-entire-day/ Mysterious attackers have taken down a South African internet service provider over the weekend using a DDoS technique called carpet bombing, ZDNet has learned. The DDoS attacks took place on Saturday and Sunday, September 21 and 22, and targeted Cool Ideas, one of South Africa’s largest ISPs. During the DDoS, attackers successfully managed to bring down Cool Ideas’ external connections to other ISPs, as can be seen from open-source reporting tools.
