Daily NCSC-FI news followup 2019-10-31

Breaches at NetworkSolutions, Register.com, and Web.com

krebsonsecurity.com/2019/10/breaches-at-networksolutions-register-com-and-web-com/ Top domain name registrars NetworkSolutions.com, Register.com and Web.com are asking customers to reset their passwords after discovering an intrusion in August 2019 in which customer account information was accessed..


How a months-old AMD microcode bug destroyed my weekend

arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ AMD shipped Ryzen 3000 with a serious microcode bug in its random number generator. This weekend, I was excited to deploy my first Ryzen 3000-powered workstation in my home office. Unfortunately, a microcode bugoriginally discovered in July but still floating around in large numbers in the wildwrecked my good time. I eventually got my Ryzen 3700X system working, and it’s definitely fast. But unfortunately, it’s still bugged, and there’s no easy way to fix it.

MESSAGETAP: Whos Reading Your Text Messages?

www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft. Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. APT41s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions.. Also:






North Korean Malicious Cyber Activity

www.us-cert.gov/ncas/current-activity/2019/10/31/north-korean-malicious-cyber-activity The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have identified a Trojan malware variantreferred to as HOPLIGHTused by the North Korean government. U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

Two Hackers Who Extorted Money From Uber and LinkedIn Plead Guilty

thehackernews.com/2019/10/hackers-extorted-money.html Two grey hat hackers have pleaded guilty to blackmailing Uber, LinkedIn, and other U.S. corporations for money in exchange for promises to delete data of millions of customers they had stolen in late 2016..


Office 365 Users Targeted by Voicemail Scam Pages

securingtomorrow.mcafee.com/other-blogs/mcafee-labs/office-365-users-targeted-by-voicemail-scam-pages/ Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the users credentials. However, during our investigation, we found three different malicious kits and evidence of several high-profile companies being targeted. McAfee Customers using VSE, ENS, Livesafe, WebAdvisor and MGW are protected against this phishing campaign.. Also:



EML attachments in O365 – a recipe for phishing

isc.sans.edu/forums/diary/EML+attachments+in+O365+a+recipe+for+phishing/25474/ Ive recently come across interesting behavior of Office 365 when EML files are attached to e-mail messages, which can be useful for any red teamers out there but which can potentially also make certain types of phishing attacks more successful.

Calypso APT: new group attacking state institutions

www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5 The PT Expert Security Center first took note of Calypso in March 2019 during threat hunting. Our specialists collected multiple samples of malware used by the group. They have also identified the organizations hit by the attackers, as well as the attackers’ C2 servers.. Also:


ICS Attackers Set To Inflict More Damage With Evolving Tactics

threatpost.com/ics-attackers-damage-evolving-tactics/149743/ While it remains difficult to attack critical infrastructure successfully, adversaries aim to use past experience to launch more destructive future attacks, according to analysis. Future attacks on industrial control system (ICS) networks may inflict even more damage in the long run, according to new research. Analysts expect them to evolve from attacks that have immediate, direct impact to those with multiple stages and attack vectors that are more stealthy.

This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army

www.zdnet.com/article/this-aggressive-iot-malware-is-forcing-wi-fi-routers-to-join-its-botnet-army/ Gafgyt has been updated with new capabilities, and it spreads by killing rival malware. Tens of thousands of Wi-Fi routers are potentially vulnerable to an updated form of malware which takes advantage of known vulnerabilities to rope these devices into a botnet for the purposes of selling distributed denial of service (DDoS) attack capabilities to cyber criminals.. Also:


QSnatch Malware Infects Thousands of NAS Devices, Steals Credentials

www.bleepingcomputer.com/news/security/qsnatch-malware-infects-thousands-of-nas-devices-steals-credentials/ Thousands of QNAP NAS devices are getting infected with a malware dubbed QSnatch that injects into their firmware and proceeds to steal credentials and load malicious code retrieved from its command and control (C2) servers.. The malware strain was spotted by researchers at the National Cyber Security Centre of Finland (NCSC-FI) after receiving reports from the Autoreporter service of infected NAS devices trying to communicate to C2 servers.. Also:


Discord Abused to Spread Malware and Harvest Stolen Data

www.bleepingcomputer.com/news/security/discord-abused-to-spread-malware-and-harvest-stolen-data/ Malware developers and attackers are abusing the Discord chat service by using it to host their malware, act as command and control servers, or by modifying the chat client to perform malicious behavior.

ProtonMail shoves its iOS app’s source code on GitHub for world+dog to rummage around in

www.theregister.co.uk/2019/10/31/protonmail_ios_app_open_source/ Let’s all have a code audi- oh, wait, they did that already. Encrypted email biz ProtonMail has open-sourced the code for its iOS app, having paid for a code audit that says there’s nothing wrong with it.

As Phishing Kits Evolve, Their Lifespans Shorten

www.darkreading.com/threat-intelligence/as-phishing-kits-evolve-their-lifespans-shorten/d/d-id/1336220 Most phishing kits last less than 20 days, a sign defenders are keeping up in the race against cybercrime. Phishing kits are growing more sophisticated as their life spans grow shorter: More than 60% of kits monitored were active for 20 days or less, Akamai researchers found in a new report on the threat. All the while, attackers rely on enterprise-based strategy to fuel their criminal business.

You might be interested in …

Daily NCSC-FI news followup 2020-12-22

Kyberturvallisuuskeskuksen uusi julkaisu: Opas tietomurtojen havaitsemiseen www.kyberturvallisuuskeskus.fi/fi/julkaisut/opas-tietomurtojen-havaitsemiseen Tässä ohjeessa keskitytään erityisesti tietomurron havaitsemiseen lokitietojen avulla. Esimerkkeinä käytetään Windows Event Log – -­tapahtumalokeja tai muita Windows-­käyttöjärjestelmän lokitapahtumia. Valittuja esimerkkitapahtumia on havaittu tutkituissa tietomurroista tunkeutujien jäljiltä. PDF: www.kyberturvallisuuskeskus.fi/sites/default/files/media/file/Opas-tietomurtojen-havaitsemiseen.pdf SolarWinds hackers breached US Treasury officials’ email accounts www.bleepingcomputer.com/news/security/solarwinds-hackers-breached-us-treasury-officials-email-accounts/ US Senator Ron Wyden said that dozens of US Treasury […]

Read More

Daily NCSC-FI news followup 2019-07-10

Lapin Kansa: Kemin kaupungin tietoliikenneverkossa poikkeuksellisen pitkä vikatilanne syytä selvitetään www.lapinkansa.fi/lappi/kemin-kaupungin-tietoliikenneverkossa-poikkeuksellisen-pitka-vikatilanne-syyta-selvitetaan-3596802/ Zoom reverses course to kill off Mac local web server www.zdnet.com/article/zoom-reverses-course-to-kill-off-mac-local-web-server/ Less than a day after backing its approach to get around Safari restrictions on Mac, Zoom’s local web server is no more. New FinSpy iOS and Android implants revealed ITW securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/ FinSpy is […]

Read More

Daily NCSC-FI news followup 2019-11-07

Microsoft crams Office 365 docs into Edge-style sandboxes to thwart malware infections www.theregister.co.uk/2019/11/07/ignite_2019_security/ Your guide to some of the security enhancements announced this week. Office 365 will be getting additional security protections through Application Guard, the sandboxing tool Microsoft debuted with its Edge browser. The idea is that Application Guard will isolate documents, preventing malicious […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.