Daily NCSC-FI news followup 2019-11-01

Safe downloading habits: What to teach your kids

www.welivesecurity.com/2019/11/01/safe-downloading-habits-teach-kids/ Even if you are careful about what you click and download, chances are your children will be less cautious. Here's how you can help them and your entire family stay safe. Life without the internet is rather difficult to fathom, and particularly for children the online world holds a magical allure. While many parents are becoming increasingly aware of the potentially negative effects of too much screen time, the undeniable truth is that there's a host of opportunities to explore on the internet. However, it's also important to consider that not all that's free on the internet is necessarily safe. Aside from potential copyright issues, the free movie, game or music album that your child downloads may be bundled with malware, adware or another software nasty. This could occur, for example, when kids visit a dodgy website and are bombarded with giant download buttons and flashing ads, finding . Many grown-ups are wising up to the risks of clicking and downloading anything from shady sites or shared by strangers, but children may be less cautious. The consequences can come in the form of frustrating ads and popups, but can also be much more sinister and involve having personal details stolen or losing access to your important data.

Utah renewables company was hit by rare cyberattack in March

www.cyberscoop.com/spower-power-grid-cyberattack-foia/ Keywords: energy, ics, industry A Utah-based renewable energy company was the victim of a rare cyberattack that temporarily disrupted communications with several solar and wind installations in March, according to documents obtained under the Freedom of Information Act. The attack left operators at the company, sPower, unable to communicate with a dozen generation sites for five-minute intervals over the course of several hours on March 5. Each generation site experienced just one communication outage. It is believed to be the first cybersecurity incident on record that caused a disruption in the U.S. power industry, as defined by the Department of Energy. See also:

www.zdnet.com/article/cyber-attack-hits-utah-wind-and-solar-energy-provider/ and www.eenews.net/stories/1060242741/

Chrome Zero-Day Bug with Exploit in the Wild Gets A Patch

www.bleepingcomputer.com/news/security/chrome-zero-day-bug-with-exploit-in-the-wild-gets-a-patch/ Google on Thursday night started to roll out an update for Chrome that patches two use-after-free vulnerabilities, one of them having at least one exploit in the wild. Both security issues are serious as they could be leveraged to take control of a vulnerable system, reads an alert from the Cybersecurity and Infrastructure Security Agency (CISA). Read also:

thehackernews.com/2019/11/chrome-zero-day-update.html,

www.tivi.fi/uutiset/tv/51aa2a60-dd96-46ac-85dd-0ebbfcf1d3fa,

www.is.fi/digitoday/tietoturva/art-2000006293158.html,

chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html,

www.us-cert.gov/ncas/current-activity/2019/10/31/google-releases-security-updates-chrome and

securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/,

www.zdnet.com/article/halloween-scare-google-discloses-chrome-zero-day-exploited-in-the-wild/,

www.tenable.com/blog/cve-2019-13720-use-after-free-zero-day-in-google-chrome-exploited-in-the-wild and

threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/

Uber allegedly paid $100,000 ransom and had hackers sign NDAs after massive data breach

www.cbsnews.com/news/uber-hack-company-allegedly-paid-hackers-ransom-had-them-sign-ndas/ New details about how Uber responded to a massive hack attack in 2016 raise questions about the way it handled sensitive customer information. Instead of reporting the hackers to police, the company allegedly paid $100,000 in exchange for a promise to delete 57 million user files the men stole off a third-party server, prosecutors said. Within weeks of paying the ransom, Uber employees showed up at Brandon Glover’s Winter Park, Florida, home and found Vasile Mereacre at a hotel restaurant in Toronto, Canada, the Justice Department said. The pair admitted their crimes, but Uber didn’t turn them over to the cops. Instead, it had the hackers sign non-disclosure agreements, promising to keep quiet. The two hackers pleaded guilty on Wednesday. But there was a third person involved who was unknown to Uber, U.S. attorney for Northern California Dave Anderson told CBS News correspondent Kris Van Cleave in an exclusive interview. Anderson, who investigated the hack, said there’s “no way to know definitively” what actually happened to the stolen data.

Firefox to discontinue sideloaded extensions

blog.mozilla.org/addons/2019/10/31/firefox-to-discontinue-sideloaded-extensions/ Sideloading is a method of installing an extension in Firefox by adding an extension file to a special location using an executable application installer. This installs the extension in all Firefox instances on a computer. Sideloaded extensions frequently cause issues for users since they did not explicitly choose to install them and are unable to remove them from the Add-ons Manager. This mechanism has also been employed in the past to install malware into Firefox. To give users more control over their extensions, support for sideloaded extensions will be discontinued. If you self-distribute your extension via sideloading, please update your install flows and direct your users to download your extension through a web property that you own, or through addons.mozilla.org (AMO). Please note that all extensions must meet the requirements outlined in our Add-on Policies and Developer Agreement. If you choose to continue self-distributing your extension, make sure that new versions use an update URL to keep users up-to-date. Instructions for distributing an extension can be found in our Extension Workshop document repository. See also:

www.zdnet.com/article/mozilla-to-stop-supporting-sideloaded-extensions-in-firefox/

At least 13 managed service providers were used to push ransomware this year

www.zdnet.com/article/at-least-13-managed-service-providers-were-used-to-push-ransomware-this-year/ Once hackers compromise an MSP’s network, they can use its remote access tools to deploy ransomware to hundreds of companies and thousands of computers. A new report published this week by threat intelligence firm Armor puts the number of managed service providers (MSPs) that got hit with ransomware this year at 13, possibly more. For those unfamiliar with the term, a managed service provider is a company that manages a customer’s IT infrastructure using remote administration tools. Starting this year, ransomware gangs have realized that they could compromise the network of an MSP, and then use their remote access tools to deploy ransomware on the MSP’s customer networks, infecting hundreds of companies and thousands of computers, all at once, with the push of a few buttons.

Paradise Ransomware Decryptor Gets Your Files Back for Free

www.bleepingcomputer.com/news/security/paradise-ransomware-decryptor-gets-your-files-back-for-free/ A decryptor for the Paradise Ransomware has been released by Emsisoft that allows victims to decrypt their files for free. For over two years, the Paradise Ransomware has been encrypting victims and users have been unable to recover their files unless they recovered from backups or paid the ransom. Today, Emsisoft has released a decryptor for the Paradise Ransomware that allows victims going back as far as 2017 to decrypt their files without paying a ransom. See also:

www.is.fi/digitoday/tietoturva/art-2000006291853.html and

www.zdnet.com/article/paradise-ransomware-now-victims-can-get-their-files-back-for-free-with-this-decryption-tool/

Exclusive: Government officials around the globe targeted for hacking through WhatsApp – sources

www.reuters.com/article/us-facebook-cyber-whatsapp-nsogroup-excl/exclusive-government-officials-around-the-globe-targeted-for-hacking-through-whatsapp-sources-idUSKBN1XA27H Senior government officials in multiple U.S.-allied countries were targeted earlier this year with hacking software that used Facebook Inc's (FB.O) WhatsApp to take over users' phones, according to people familiar with the messaging company's investigation. Sources familiar with WhatsApp's internal investigation into the breach said a significant portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents. Many of the nations are U.S. allies, they said. The hacking of a wider group of top government officials' smartphones than previously reported suggests the WhatsApp cyber intrusion could have broad political and diplomatic consequences. WhatsApp filed a lawsuit on Tuesday against Israeli hacking tool developer NSO Group. The Facebook-owned software giant alleges that NSO Group built and sold a hacking platform that exploited a flaw in WhatsApp-owned servers to help clients hack into the cellphones of at least 1,400 users between April 29, 2019, and May 10, 2019. The total number of WhatsApp users hacked could be even higher. A London-based human rights lawyer, who was among the targets, sent Reuters photographs showing attempts to break into his phone dating back to April 1. Read also:

www.is.fi/digitoday/art-2000006292639.html and

www.tivi.fi/uutiset/tv/cbe12544-a15c-421c-85e8-34eefd3e7ade

An immediate consequence of the lawsuit: spyware firm's employees kicked out of Facebook

www.is.fi/digitoday/art-2000006292462.html Facebook has thrown NSO's employees out of its service immediately after filing a lawsuit against the company, Ars Technica reports. Facebook has locked employees of NSO Group, which sells spyware to governments, out of its service. According to Ars Technica, employees of the Israeli NSO have received a notice stating that their account has been removed for violating the terms of use. The blocks can be appealed. Only moments earlier, Facebook-owned WhatsApp sued NSO for infecting up to 1,400 devices with malware. According to the lawsuit, the malware was used to spy on numerous people, including human rights activists, dissidents and diplomats. There is conflicting information about the extent of the blocks. According to one claim, it affects almost all NSO employees, but a security researcher who spoke to one NSO employee says the block affects a considerably smaller share and does not cover WhatsApp accounts.

Chinese hackers developed malware to steal SMS messages from telco’s network

www.zdnet.com/article/chinese-hackers-developed-malware-to-steal-sms-messages-from-telcos-network/ One of China’s state-sponsored hacking groups has developed a custom piece of Linux malware that can steal SMS messages from a mobile operator’s network. The malware is meant to be installed on Short Message Service Center (SMSC) servers — the servers inside a mobile operator’s network that handle SMS communications. US cyber-security firm FireEye said it spotted this malware on the network of a mobile operator earlier this year. FireEye analysts said hackers breached a yet-to-be-named telco and planted the malware — named MessageTap — on the company’s SMSC servers, where it would sniff incoming SMS messages, and apply a set of filters. See also:

www.tivi.fi/uutiset/tv/2086d929-230e-4ecd-a04e-c96293f6bd85

Mongolia arrests 800 Chinese citizens in cybercrime probe

www.reuters.com/article/us-mongolia-crime-china-idUSKBN1XA0NW Police in the Mongolian capital of Ulaanbaatar have apprehended 800 Chinese citizens and confiscated hundreds of computers and mobile phone SIM cards as part of an investigation into a cybercrime ring, local security authorities said. The arrests took place after police raided four locations on Tuesday, and followed two months of investigations, Gerel Dorjpalam, the head of the General Intelligence Agency of Mongolia, said at a media briefing on Wednesday. He did not go into specific details of the offences but said they involved illegal gambling, fraud, computer hacking, identity theft and money laundering.

Marriott Reports Exposure of Associates’ Social Security Numbers

www.bleepingcomputer.com/news/security/marriott-reports-exposure-of-associates-social-security-numbers/ Marriott International notified some of its associates of an incident that exposed their social security numbers (SSNs) to an unknown party. An unknown individual may have accessed the information from the network of an unnamed vendor that was acting as the hotel’s agent for receiving service of official documents. Marriott learned on September 4 that someone accessed sensitive information available in official papers, like subpoenas and court documents, present on the systems of an outside vendor, formerly used by Marriott. “A document containing your information was sent to this vendor, and it was accessed during the incident,” reads a letter to affected individuals signed by Peggy Hassinger, Vice President, Associate Relations.

Emotet Trojan Brings a Malware Scare with Halloween Emails

www.bleepingcomputer.com/news/security/emotet-trojan-brings-a-malware-scare-with-halloween-emails/ The Emotet Trojan is celebrating Halloween by pushing out new spam templates that want to invite you to a neighborhood party. While these emails promise you a treat, in reality Emotet is tricking you into installing an infection. For those not familiar with Emotet, it is a malware infection that is spread through spam emails containing malicious documents. These documents install the Emotet Trojan on the victim’s computer, which then installs other malware and uses the victim’s computer to send out more spam. To take advantage of the holiday, the Emotet gang has changed their email template to use new themes that pretend to invite you to a Halloween party.

32,000+ WiFi Routers Potentially Exposed to New Gafgyt Variant

www.darkreading.com/iot/32000+-wifi-routers-potentially-exposed-to-new-gafgyt-variant/d/d-id/1336238 Keywords: ics Researchers detect an updated Gafgyt variant that targets flaws in small office and home wireless routers from Zyxel, Huawei, and Realtek. A newly discovered variant of the Gafgyt Internet of Things (IoT) botnet is attempting to infect connected devices, specifically small office and home wireless routers from brands that include Zyxel, Huawei, and Realtek. Gafgyt was first detected in 2014. Since then, it has become known for large-scale distributed denial-of-service attacks, and its many variants have grown to target a range of businesses across industries. Starting in 2016, researchers with Unit 42 (formerly Zingbox security research) noticed wireless routers are among the most common IoT devices in all organizations and prime targets for IoT

Resources for Measuring Cybersecurity

www.schneier.com/blog/archives/2019/11/resources_for_m.html Kathryn Waldron at R Street has collected all of the different resources and methodologies for measuring cybersecurity. Read also:

www.rstreet.org/wp-content/uploads/2019/10/Final-Cyberbibliography-2019.pdf

GandCrab RaaS Was a Training Ground for Malware Distributors

www.bleepingcomputer.com/news/security/gandcrab-raas-was-a-training-ground-for-malware-distributors/ GandCrab operators changed the ransomware business from the ground up, establishing a model that is embraced and continued by other cybercriminals. Instead of keeping the operation private, limited to a small circle of experienced cybercriminals, they opened the doors to newcomers, advertised, built a relationship with customers and affiliates, and communicated with victims and researchers to stay on top of the game.

Stubborn Malware Targets QNAP NAS Hardware Specifically

threatpost.com/malware-targets-qnap-hardware/149796/ QNAP Systems says there is no known way to remove the QSnatch malware infecting its NAS devices besides a full factory reset. Top-selling network attached storage (NAS) devices made by QNAP Systems are being singled out by attackers, who have crafted malware specifically designed for the vendor's hardware. Researchers at Finland's National Cyber Security Centre (NCSC-FI) reported the targeted attacks late last month, dubbing the malware QSnatch. Once infected, hackers can access the NAS devices and retrieve all related usernames and passwords, sending them to a command-and-control (C2) server, said NCSC-FI. The malware has modular capacity to load new features from the C2 servers for further activities, wrote researchers. Firmware updates are prevented via overwriting update sources completely [and the] QNAP MalwareRemover App is prevented from being run. Read also:

www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices

Media Giant Nikkei Loses $29 Million to BEC Scammers

www.bleepingcomputer.com/news/security/media-giant-nikkei-losses-29-million-to-bec-scammers/ Publishing giant Nikkei lost roughly 29 million dollars after an employee of the Nikkei America subsidiary was tricked by scammers into sending the funds to a bank account they controlled. BEC (short for business email compromise), otherwise known as Email Account Compromise, CEO fraud, or CEO impersonation, is a fraud scheme through which crooks trick a company’s employees into transferring funds to attacker-controlled bank accounts, either via computer intrusion or by using social engineering. In Nikkei America’s case, the scammers requested wire transfers using fraudulent information by posing as a Nikkei executive.
