Daily NCSC-FI news followup 2019-10-04

COMpfun successor Reductor infects files on the fly to compromise TLS traffic

securelist.com/compfun-successor-reductor/93633/ In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. Analysis of the malware allowed us to confirm that the operators have some control over the target's network channel and could replace legitimate installers with infected ones on the fly. That places the actor in a very exclusive club, with capabilities that few other actors in the world have.

PKPLUG: Chinese Cyber Espionage Group Attacking Asia

unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/ For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker PKPLUG for the threat actor group, or groups, behind these and other documented attacks referenced later in this report.

Another Lazarus Injector

norfolkinfosec.com/another-lazarus-injector/ Recently, a VirusTotal submitter uploaded a file that was digitally signed with the same certificate as two previously reported Lazarus tools. Like one of those tools, this newly uploaded malware appears to act as an injector, although it behaves significantly differently.

AVIVORE Hunting Global Aerospace through the Supply Chain

www.contextis.com/en/blog/avivore The Threat Intelligence and Incident Response Team at Context Information Security has identified a new threat group behind a series of incidents targeted at the aerospace and defence industries in the UK and Europe.

Attackers exploit 0day vulnerability that gives full control of Android phones

arstechnica.com/information-technology/2019/10/attackers-exploit-0day-vulnerability-that-gives-full-control-of-android-phones/ Attackers are exploiting a zero-day vulnerability in Google's Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google's Project Zero research group said on Thursday night.

Here’s what we know about the ransomware that hit 3 Ontario hospitals

www.cbc.ca/news/technology/ransomware-ryuk-ontario-hospitals-1.5308180 Hackers have crippled the computer systems of three Ontario hospitals in recent weeks, prompting concern about the type of malicious software used and whether more facilities may be at risk. The criminals behind the attack “will learn how you operate from A to Z then they’ll hit you,” Zohar Pinhasi, a Florida-based cyber counterterrorism expert, told CBC News. He said it’s likely other Canadian hospitals are affected and haven’t yet detected it.

The Eye on the Nile

research.checkpoint.com/the-eye-on-the-nile/ Back in March 2019, Amnesty International published a report that uncovered a targeted attack against journalists and human rights activists in Egypt. The victims even received an e-mail from Google warning them that government-backed attackers attempted to steal their passwords. Recently, we were able to find previously unknown or undisclosed malicious artifacts belonging to this operation. A new website we attributed to this malicious activity revealed that the attackers are going after their prey in more than one way, and might even be hiding in plain sight: developing mobile applications to monitor their targets, and hosting them on Google's official Play Store.

Magecart Group 4: A link with Cobalt Group?

blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4:-a-link-with-cobalt-group/?/ In this blog, we will detail our findings and show that Group 4 was not only conducting client-side skimming via JavaScript but was, and most likely still is, doing the same server-side. This is important to note as most reports about Magecart only cover the former, which is by far easier to identify.

Australian Govt Issues Android and iOS Security Hardening Guides

www.bleepingcomputer.com/news/security/australian-govt-issues-android-and-ios-security-hardening-guides/ The Australian Signals Directorate (ASD)'s Australian Cyber Security Centre (ACSC) has published a set of two guides designed to help Australian government, commercial organizations, and enterprises harden the security of iOS and Android devices in their fleets.

Recent cyberattacks require us all to be vigilant

blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/ Today we're sharing that we've recently seen significant cyber activity by a threat group we call Phosphorus, which we believe originates from Iran and is linked to the Iranian government. In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts. The targeted accounts are associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside

All your creds are belong to us!

techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/All-your-creds-are-belong-to-us/ba-p/855124 Let's not get crazy – Multi-factor Authentication (MFA) is the least you can do if you are at all serious about protecting your accounts. Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population. Compared to password attacks, attacks which target non-password authenticators are extremely rare. When we evaluate all the tokens issued with MFA claims, we see that less than 10% of users use MFA per month in our enterprise accounts (and that includes on premises and third party MFA). Until MFA is more broadly adopted, there is little reason for attackers to evolve. But MFA attacks do exist, and in this blog we'll confront them.

The sLoad Threat: Ten Months Later

blog.yoroi.company/research/the-sload-threat-ten-months-later/ Ten months ago, we wrote about the complex infection chain the sLoad malware threat was using during its attack campaigns, and today we are looking at the evolution of the threat by dissecting one of its latest attacks.

Virus Bulletin 2019: VoIP Espionage Campaign Hits U.S. Utilities Supplier

threatpost.com/voip-espionage-campaign-utilities-supplier/148916/ An attacker whose motives are unclear compromised an Asterisk server in a highly targeted campaign.

Western countries want a backdoor into Facebook's encryption. Expert: “Protecting the good guys is more important than chasing the bad guys”

yle.fi/uutiset/3-11005675 The United States, Britain and Australia are demanding that Facebook halt its plans to encrypt its messaging services. According to the online media outlet BuzzFeed News, the countries' governments will today publish an open letter addressed to Facebook founder and CEO Mark Zuckerberg, in which they express their concern about the effects of encryption on work against terrorism and child abuse.
