Daily NCSC-FI news followup 2019-11-04

Chrome bug squashed, QNAP NAS nasty hits, BlueKeep malware spreads, and more

www.theregister.co.uk/2019/11/04/security_roundup_november1/ Including Spanish camgirl sites spill info, domain registrars hacked

Happy Birthday, CVE! Naked Security

nationalcybersecurity.com/happy-birthday-cve-naked-security/ It was October 1999. Macs had just got embedded Wi-Fi, Napster had launched, and Yahoo had purchased Geocities for $3.6bn. Something else happened that escaped most computer users at the time: CVE posted its first bug. The Common Vulnerabilities and Exposures (CVE) system is 20 years old this week. Created by the non-profit Mitre Corporation, which oversees several federal government programs, CVE provides common identifiers for cybersecurity bugs, making them easier to track and fix

VPN service in dispute with Finnish service provider as unprotected passwords turn up online

www.tivi.fi/uutiset/tv/29e67d1d-90fd-4278-a801-7599a34b9bf3 A couple of weeks ago it emerged that NordVPN's systems had been intruded. The revelation led to a round of finger-pointing between the partners. NordVPN itself said the breach targeted a server located in a Finnish data centre. The Finnish partner is Creanova, one of whose servers a hacker was able to attack with the help of an expired encryption key. After that, the partners found faults in each other's operations, but not so much in their own. More information:

arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/

A network of ‘camgirl’ sites exposed millions of users and sex workers

techcrunch.com/2019/11/03/camgirl-network-exposed-millions-users/ A number of popular camgirl sites have exposed millions of sex workers and users after the company running the sites left the back-end database unprotected. Most of the sites' users are based in Spain and Europe, but we found evidence of users across the world, including the United States. The database, containing months' worth of daily logs of the site activities, was left without a password for weeks. Those logs included detailed records of when users logged in, including usernames and sometimes their user-agents and IP addresses, which can be used to identify users. The logs also included users' private chat messages with other users, as well as promotional emails they were receiving from the various sites. The logs even included failed login attempts, storing usernames and passwords in plaintext. We did not test the credentials as doing so would be unlawful. Read also:

www.tivi.fi/uutiset/tv/73c6e732-0157-46d3-83ad-b2eb81b2163f

BEC Fraudsters Divert $742,000 from Ocala City in Florida

www.bleepingcomputer.com/news/security/bec-fraudsters-divert-742-000-from-ocala-city-in-florida/ The City of Ocala in Florida fell victim to a business email compromise scam (BEC) that ended with redirecting over $742,000 to a bank account controlled by the fraudster(s). The swindle involved a phishing email impersonating an employee of a construction company the city is using to build a new terminal at the Ocala International Airport

Homemade TEMPEST Receiver

www.schneier.com/blog/archives/2019/11/homemade_tempes.html Tom’s Guide writes about home-brew TEMPEST receivers: Today, dirt-cheap technology and free software make it possible for ordinary citizens to run their own Tempest programs and listen to what their own — and their neighbors’ — electronic devices are doing. Elliott, a researcher at Boston-based security company Veracode, showed that an inexpensive USB dongle TV tuner costing about $10 can pick up a broad range of signals, which can be “tuned” and interpreted by software-defined radio (SDR) applications running on a laptop computer. More info:

www.tomsguide.com/us/usb-tv-tuner-software-defined-radio-sdr-radio-spying-privacy,review-1836.html

GitLab considers ban on new hires in China and Russia due to espionage fears

www.zdnet.com/article/gitlab-considers-ban-on-new-hires-in-china-and-russia-due-to-espionage-fears/ Companies are afraid that future GitLab support staff in China and Russia might steal their data, or be coerced by foreign intelligence services to pass on trade secrets. Eric Johnson, VP of Engineering at GitLab, said discussions on banning new hires from the two countries began after enterprise customers expressed concerns about the geopolitical climate of the two countries. GitLab is a service akin to GitHub, where companies can host source code projects and have their employees work on the code, synchronizing it to a cloud-hosted server. Companies can also host their own version of GitLab locally, using an eponymously named platform. Companies pay GitLab for access to various enterprise features, and if something goes wrong, GitLab staff provide support.

Cybersecurity: Under half of organisations are fully prepared to deal with cyberattacks

www.zdnet.com/article/cybersecurity-under-half-of-organisations-believe-theyre-fully-prepared-to-deal-with-cyber-attacks/ Only 49% of CISOs and other senior executives are fully confident that their organisation could deal with the fallout of a hacking incident or data breach right now, and most think the threat from cyberattacks will get worse. Under half of organisations believe they’re fully ready to respond to a cyberattack or data breach — despite most senior executives and chief information security officers (CISOs) believing that the threats posed by hacking and other malicious cyber incidents will escalate in 2020 and beyond. The Cyber Trendscape 2020 report from cybersecurity company FireEye sheds light on how CISOs across the world are feeling about the current cyber threat landscape. The study found that just under half (49%) believe their organisation is fully ready to face a cyberattack or a data breach. Read also:

www.fireeye.com/offers/rpt-cyber-trendscape.html

Microsoft 365 Helps Improve Orgs’ Security and Compliance Posture

www.bleepingcomputer.com/news/microsoft/microsoft-365-helps-improve-orgs-security-and-compliance-posture/ AI-powered security and compliance guidance is rolling out to Microsoft 365 customers starting this week to help them address potential issues via a guided experience. “Starting the week of Ignite, new AI-powered recommendations in the Microsoft 365 admin center will begin rolling out to Microsoft 365 customers to help them improve their security and compliance posture,” Microsoft said.

Office 365 Breach Detection Capabilities Now in Public Preview

www.bleepingcomputer.com/news/microsoft/office-365-breach-detection-capabilities-now-in-public-preview/ Microsoft announced the release of a new Office 365 Advanced Threat Protection (ATP) feature designed to detect breaches, dubbed enhanced compromise detection and response. The new feature makes it easier to quickly detect unusual behavior by “the breadth of signal across Office 365, including email flow patterns and other activities” and alert the organization’s security team of potential intrusions. This Office 365 ATP capability also allows Security Operations (SecOps) teams to automatically detect and investigate suspicious users and remediate hacked accounts. “Over 90% of phishing attacks are orchestrated over email with the sole purpose of causing users and organizations harm by compromising identities, moving laterally, exfiltrating data and/or causing disruptions. Hackers launch these attacks using meticulously constructed campaigns that morph continuously. Security teams need advanced threat defenses that recognize campaigns, prevent and detect compromise, and quickly put response measures in place to limit impact in the event of a breach.” – Microsoft

Please tell us why you’re not securing yourselves, UK.gov asks businesses

www.theregister.co.uk/2019/11/04/ukgov_security_survey/ If security worries you, send them your fears on a postcard. The British government wants your bright ideas for improving the nation’s cybersecurity because it wants to “understand the apparent lack of strong commercial rationale for investment” in locking down your shizz. As part of its fond hope of making the UK a bit more secure than the rest of the world, the Department for Digital, Culture, Media and Sport (DCMS) wants you to tell it what it could be doing better. The Cyber Security Incentives and Regulation Review is intended to tell UK.gov which of its security-enhancing initiatives do and don’t work. Many of those are routed to the great unwashed via the National Cyber Security Centre (NCSC). Read also:

www.gov.uk/government/publications/cyber-security-incentives-regulation-review-call-for-evidence

Office 365 to Prevent Malicious Docs From Infecting Windows

www.bleepingcomputer.com/news/microsoft/office-365-to-prevent-malicious-docs-from-infecting-windows/ Microsoft Office 365 ProPlus is getting a new feature called Application Guard that will allow users to open attachments in a virtualized container to protect Windows from malicious macros and exploits. Microsoft Edge for Windows 10 includes a feature called Windows Defender Application Guard that allows you to launch a browser tab into a special sandboxed environment. As this browsing environment is sandboxed, any malicious sites that attempt to exploit vulnerabilities, download malicious software, or exhibit malicious behavior will be blocked from affecting the normal machine.

Global Registrar Web.com Suffers Major Breach

www.infosecurity-magazine.com/news/global-registrar-webcom-suffers/ A global internet registrar with millions of customers has admitted suffering a data breach in August which exposed user account information. US-based Web.com, and subsidiaries Network Solutions and Register.com, discovered on October 16 that they were hit by an attack late in August

September 2019 Cyber Attacks Statistics

www.hackmageddon.com/2019/11/04/september-2019-cyber-attacks-statistics/ This month I have collected 140 events that confirm the decreasing trend after the 160 collected in August. The Daily Trend of Events chart shows two peaks in the first and fourth week of the month, a tail at the end of the month and the usual weekend cycle.

C2 With It All: From Ransomware To Carding

blog.talosintelligence.com/2019/11/c2-with-it-all.html Cisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims’ infrastructure, all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack. We found a great variety of malicious files on this server, ranging from ransomware like DopplePaymer, to credit card capture malware like TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2). The data found on this server shows how malicious actors can diversify their activities to target different organizations and individuals, while still using the same infrastructure. The tools we studied paint a picture of an adversary that is resourceful and has a widespread infrastructure shared across different operations.

CSET Version 9.2 Now Available

www.us-cert.gov/ncas/current-activity/2019/11/04/cset-version-92-now-available The Cybersecurity and Infrastructure Security Agency (CISA) has released version 9.2 of its Cyber Security Evaluation Tool (CSET). CSET is a desktop software tool that guides asset owners and operators through a consistent process for evaluating control system networks as part of a comprehensive cybersecurity assessment that uses recognized government and industry standards and recommendations. See also:

github.com/cisagov/cset/wiki

Security Controls Assessment

www.secureworks.com/resources/ds-security-controls-assessment Assess Security Controls Against Regulatory Requirements and Industry Best Practice. Download the data sheet to learn more about how our experienced security experts help you understand how your existing security controls align with the top security frameworks and compliance mandates, including CIS Top 20, NIST 800-53/171/82, ISO 27002, PCI DSS, HIPAA, or Secureworks’ proprietary Information Security Assessment framework

Security Maturity Assessment

www.secureworks.com/resources/ds-security-maturity-assessment Identify and prioritize areas of improvement across your security program. Download the data sheet to learn more about how our experienced security experts leverage the NIST Cybersecurity Frameworks (NIST CSF) and deep security expertise to help drive end-to-end security program improvements and strengthen your security posture.

Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs

threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/ Wake-on-LAN and ARP pinging have expanded Ryuk’s reach into corporate LANs and its operators’ monetization abilities. The Ryuk ransomware has added two features to enhance its effectiveness: The ability to target systems that are in “standby” or sleep mode; and the use of Address Resolution Protocol (ARP) pinging to find drives on a company’s LAN. Both are employed after the initial network compromise of a victim organization.

Your WordPress site is at risk: These precautions and plugins can keep it secure

www.zdnet.com/article/18-security-precautions-and-plugins-for-your-wordpress-site/ Do you have any idea how bad your day (your week, your month) can get if your website is hacked? If you’re running a WordPress site, you’re at risk. Follow the best practices outlined in this guide to help keep your visitors safe. It’s an interesting paradox. WordPress powers 35 percent of all websites on the Internet, in part because it’s so flexible and modular. It has a robust library of more than 50,000 plugins, each adding new features and functions to WordPress. Those plugins have been downloaded more than 1.2 billion times. There are also thousands of pre-built themes that provide looks and styles for new websites.

Nemty Ransomware Now Spreads via Trik Botnet

www.bleepingcomputer.com/news/security/nemty-ransomware-now-spreads-via-trik-botnet/ The operators of Nemty ransomware have found a new distributor for their file-encrypting malware, which now spreads via Trik, a botnet that pushes all sorts of threats. The malware is spread to systems that have the Server Message Block (SMB) network communication protocol exposed on the web and protected by weak credentials.

Alexa, Siri, Google Smart Speakers Hacked Via Laser Beam

threatpost.com/alexa-siri-google-smart-speakers-hacked-via-laser-beam/149860/ Smart voice assistants can be hijacked by attackers using lasers to send them remote, inaudible commands. Researchers have discovered a new way to hack Alexa and Siri smart speakers merely by using a laser light beam. No physical access to the victims’ device, or owner interaction, is needed to launch the hack, which allows attackers to send voice assistants inaudible commands such as unlocking doors. Read also: www.wired.com/story/lasers-hack-amazon-echo-google-home/

Ransomware Attacks Hit Everis and Spain’s Largest Radio Network

www.bleepingcomputer.com/news/security/ransomware-attacks-hit-everis-and-spains-largest-radio-network/ Everis, an NTT DATA company and one of Spain’s largest managed service providers (MSP), had its computer systems encrypted today in a ransomware attack, just as it happened to Spain’s largest radio station Cadena SER (Sociedad Española de Radiodifusión). While the ransomware attacks were not yet publicly acknowledged by the company, the ransom note left on Everis’ encrypted computers has already leaked and BleepingComputer can confirm that the MSP’s data was infected using the BitPaymer ransomware. Read also:

www.zdnet.com/article/ransomware-hits-spanish-companies-sparking-wannacry-panic/ and

thehackernews.com/2019/11/everis-spain-ransomware-attack.html
