Daily NCSC-FI news followup 2019-10-25

Cachet Financial Reeling from MyPayrollHR Fraud

krebsonsecurity.com/2019/10/cachet-financial-reeling-from-mypayrollhr-fraud/ When New York-based cloud payroll provider MyPayrollHR unexpectedly shuttered its doors last month and disappeared with $26 million worth of customer payroll deposits, its payment processor Cachet Financial Services ended up funding the bank accounts of MyPayrollHR client company employees anyway, graciously eating a $26 million loss which it is now suing to recover.

Keep Adversaries at Bay With the MITRE ATT&CK Framework

securityintelligence.com/posts/keep-adversaries-at-bay-with-the-mitre-attck-framework/ Organizations are adopting the MITRE ATT&CK framework to map their cybersecurity threat detection, prevention and response capabilities to attack scenarios. MITRE, a nonprofit organization that has worked closely with the U.S. government to strengthen its cyberdefenses for more than four decades, developed the model after years of observing how real-world adversary groups operate.

AutoIT-compiled Negasteal/Agent Tesla, Ave Maria Delivered via Malspam

blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-negasteal-agent-tesla-ave-maria-delivered-via-malspam/ We recently saw in our honeypots a malicious spam campaign carrying AutoIT-compiled payloads: the trojan spy Negasteal or Agent Tesla (detected by Trend Micro as TrojanSpy.Win32.NEGASTEAL.DOCGC) and the remote access trojan (RAT) Ave Maria or Warzone (TrojanSpy.Win32.AVEMARIA.T). The upgrading of payloads from a typical trojan spy to a more insidious RAT may indicate that the cybercriminals behind this campaign are moving towards deploying more destructive (and lucrative) payloads, such as ransomware, post-reconnaissance.

Your smart doorbell may be collecting more data than you think, study finds

www.welivesecurity.com/2019/10/25/iot-smart-doorbell-collecting-data-study/ The study tested 81 IoT devices to analyze their behavior and tracking habits, and in some cases brought rather surprising findings. Have you stopped to think what kind of data may be collected by an innocuous-looking smart device, where the information is sent, and whether it is encrypted? Researchers at Northeastern University and Imperial College London have looked into this very issue and conducted a range of experiments in controlled environments in both the United States and the United Kingdom.

ACSC Releases Advisory on Emotet Malware Campaign

www.us-cert.gov/ncas/current-activity/2019/10/25/acsc-releases-advisory-emotet-malware-campaign The Australian Cyber Security Centre (ACSC) has released an advisory on an ongoing, widespread Emotet malware campaign. Emotet is a Trojan, commonly spread via malicious email attachments, that attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. ACSC provides indicators of compromise (IOCs) and recommendations to help organizations defend

Verizon, AT&T, Sprint and T-Mobile to replace SMS with RCS Messaging in 2020

thehackernews.com/2019/10/rcs-messaging-sms.html Mobile carriers in the United States will finally offer a universal cross-carrier communication standard for the next-generation RCS messaging service that is meant to replace SMS and has the potential to change the way consumers interact with brands for years to come. All major United States mobile phone carriers, including AT&T, Verizon, T-Mobile, and Sprint, have joined forces to launch a new initiative that will replace SMS with the RCS mobile messaging standard.

More on DNS Archeology (with PowerShell)

isc.sans.edu/forums/diary/More+on+DNS+Archeology+with+PowerShell/25452/ A while back I posted a “part 1” story on DNS and DHCP recon (isc.sans.edu/diary/DNS+and+DHCP+Recon+using+Powershell/20995) and recent events have given me some more to share on the topic. There’s been a lot of interest in collecting DNS information from client stations lately (specifically with sysmon), but I’m still seeing lots of value in using the DNS logs we’ve already got centrally positioned in many organisations. Let’s consider a typical Windows-based company, with DNS implemented on the Domain Controllers.

Raccoon Malware Scavenges 100,000+ Devices to Steal Data

threatpost.com/raccoon-malware-steal-data/149525/ A new information stealer is gaining rapid popularity with the cybercriminal community, leading to it infecting hundreds of millions of victims. A new information stealer, dubbed Raccoon, is rapidly gaining popularity with cybercriminals. In just a few months, researchers say the malware has already infected hundreds of thousands of devices across the world to rove through victims’ credit card data, email credentials and more. The malware is not overly sophisticated or innovative, but its malware-as-a-service (MaaS) model gives cybercriminals a quick-and-easy way to make money stealing sensitive data.

2020 Vision: Check Point’s cyber-security predictions for the coming year

blog.checkpoint.com/2019/10/24/2020-vision-check-points-cyber-security-predictions-for-the-coming-year/ Hindsight is 20/20 vision, as the old saying goes: it’s always easy to know what the right course of action was after something has happened, but much harder to predict the future. However, by looking at security developments over the past couple of years, it’s possible to forecast what’s likely to happen in the cyber landscape over the next 12 months. Here are the key security and related trends that we expect to see during 2020, in two sections: first, the high-level geopolitical predictions; then the technology-related trends.

A DDoS gang is extorting businesses posing as Russian government hackers

www.zdnet.com/article/a-ddos-gang-is-extorting-businesses-posing-as-russian-government-hackers/ Exclusive: Fake “Fancy Bear” group is demanding money from companies in the financial sector, threatening DDoS attacks. For the past week, a group of criminals has been launching DDoS attacks against companies in the financial sector and demanding ransom payments while posing as “Fancy Bear,” the infamous hacking group associated with the Russian government, known for hacking the White House in 2014 and the DNC in 2016.

Information security matters are getting harder: Posti responds by abolishing its security unit and the CISO position

www.tivi.fi/uutiset/tv/149dfa31-0a14-4634-82dc-b9bb69c6036d Posti is giving up both the position of Chief Information Security Officer (CISO) and that of the Chief Risk and Security Officer. At the same time it is also shutting down its entire risk management and security unit, and the leadership of information security moves to the ICT unit. “With the change, security and risk management matters will be handled in all of our business units as part of daily work, not centrally in a separately designated unit,” Ulla Parviainen from Posti’s communications tells Tivi.

Security hole that exposed documents has been plugged: M-Files apologises for the incident

www.tivi.fi/uutiset/tv/1b9c50ea-0b01-464a-9999-99d902a18d4d M-Files, a provider of information management software solutions, says it has fixed the security problems that compromised the confidentiality of documents. On Wednesday, acting on a tip it had received, Tivi wrote about a security hole that had been found in the publishing portal used by Eksote (the South Karelia Social and Health Care District). It was possible to manually modify the portal addresses of published documents, and thereby also to view documents that were not intended to be public.

Office 365 Enables ARC for Enhanced Anti-Spoofing Detection

www.bleepingcomputer.com/news/microsoft/office-365-enables-arc-for-enhanced-anti-spoofing-detection/ Microsoft has enabled Authenticated Received Chain (ARC) for all Office 365 hosted mailboxes to improve anti-spoofing detection and to check authentication results within Office 365. ARC is a protocol designed to provide an authenticated “chain of custody” for messages, making it possible for each of the parties handling an email to see what other entities handled it previously, as well as to determine its authentication assessment at each step during the delivery process.

City of Johannesburg hit by ransomware, again

www.zdnet.com/article/city-of-johannesburg-hit-by-ransomware-again/ South Africa’s largest city falls prey to ransomware for the second time in four months. A hacker group going by the name of Shadow Kill Hackers has infected the city of Johannesburg’s internal network with ransomware and is holding South Africa’s largest city for ransom.

Time to check who left their database open and leaked 7.5m customer records: Hi there, Adobe Creative Cloud!

www.theregister.co.uk/2019/10/25/adobe_user_data_exposed/ Info on millions of accounts just out sitting there in the open. Adobe has pulled offline a public-facing, poorly secured Elasticsearch database containing information on 7.5 million Creative Cloud customers. The cloud-based silo was uncovered by infosec detective Bob Diachenko, who reported it to Adobe last week.

How 18 Malware Apps Snuck Into Apple’s App Store

www.wired.com/story/apple-app-store-malware-click-fraud/ Despite some recent pronounced lapses, the iPhone remains one of the most secure consumer devices you can buy, thanks in large part to the locked-down ecosystem of the iOS App Store. But things do slip through the cracks, including 18 apps that used evasive maneuvers to sneak past Apple’s defenses. The malicious apps (17 of which were discovered by mobile security company Wandera, all from the same developer, while Apple spotted another using the same technique) have already been taken down.

Oracle Releases Free Tool for Monitoring Internet Routing Security

www.darkreading.com/vulnerabilities---threats/oracle-releases-free-tool-for-monitoring-internet-routing-security/d/d-id/1336158 IXP Filter Check gives Internet Exchange Points a way to verify whether they are properly filtering out incorrect and malicious routes. Oracle has released a free tool that shows how well Internet Exchange Points (IXPs) are doing at filtering out incorrect or malicious traffic-routing information that could lead to major Internet disruptions. The goal is to help an IXP identify and address gaps in its route-filtering capabilities while providing the broader public with a view of the IXP’s role in keeping the Internet safe. An IXP routes traffic between different ISP networks. It is a physical location containing numerous network switches that seamlessly link one service provider’s network to another.
