Daily NCSC-FI news followup 2019-11-05

Ransomware freezes govt IT in Canadian territory of Nunavut, drops citizens right Inuit

www.theregister.co.uk/2019/11/04/ransomware_freezes_nunavut_canada/ A malware infection has crippled the IT operations in the remote Canadian territory of Nunavut. An alert from the provincial government on Monday says that “all government services requiring access to electronic information” are being impacted by what they describe as a “new and sophisticated” infection. “Essential services will not be impacted and the [government of Nunavik] will continue to operate while we work through this issue, ” Premier Joe Savikataaq said. “There will likely be some delays as we get back online, and I thank everyone for their patience and understanding.”

Bulletin (SB19-308) – Vulnerability Summary for the Week of October 28, 2019

www.us-cert.gov/ncas/bulletins/sb19-308 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness . For modified or updated entries, please visit the NVD, which contains historical vulnerability information

Bluekeep exploitation causing Bluekeep vulnerability scan to fail

isc.sans.edu/diary/rss/25488 I woke up this morning to the long anticipated news that Bluekeep exploitation is happening in the wild. As some of you may recall, back in August I wrote a diary demonstrating a way to scan for Bluekeep vulnerable devices. So the next thing I did was check my Bluekeep scan results and was presented with this graph.

Magecart Groups Attack Simultaneous Sites in Card-Theft Frenzy

threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-theft-frenzy/149872/ Stealing payment-card data and PII from e-commerce sites has become so lucrative that some are being targeted by multiple groups at the same time. In an interesting development on the financial cybercrime scene, different Magecart groups have been spotting stepping over each other and attacking the same sites.

Alleged Capital One hacker released from federal custody

www.zdnet.com/article/alleged-capitalone-hacker-released-from-federal-custody/ The alleged Capital One hacker, Paige Thompson, was released from federal custody on Tuesday as she awaits her trial. Thompson, who is allegedly responsible for the theft of 106 million records from Capital One, had previously requested for a release from federal custody back in August, but was initially denied due to the judge at the time deciding that she was a flight risk.

Chinese APT Group Targets Mobile Networks: FireEye Mandiant

www.databreachtoday.in/chinese-apt-group-targets-mobile-networks-fireeye-mandiant-a-13345 The Chinese advanced threat group APT41 is using a new espionage tool to intercept SMS messages from specific phone numbers by infecting mobile telecommunication networks, according to the security firm FireEye Mandiant. The campaign, dubbed Messagetap, targets the short message service center servers in mobile networks to monitor and save SMS traffic from specific phone numbers, which then can be used for other cyberthefts, the researchers say. Read also:

www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html

Italy’s UniCredit: Breach Went Undetected for Four Years

www.databreachtoday.eu/italys-unicredit-breach-went-undetected-for-four-years-a-13347 UniCredit, an Italian banking and financial services company, sustained a data breach exposing information on 3 million customers that went undetected for four years, the company acknowledged last week. Data exposed includes customer names, city of residence, telephone numbers and email addresses, the company reports. Back in 2017, UniCredit reported two other breaches that affected 400, 000 Italian customers. A bank spokesperson told Reuters that the latest breach wasn’t related to the previous breaches. Read also:

www.reuters.com/article/us-unicredit-cyber/unicredit-hit-by-data-breach-of-italian-client-records-idUSKBN1X70HM

Europol on Methodology Behind Successful Spear Phishing Attacks

www.securityweek.com/europol-methodology-behind-successful-spear-phishing-attacks “Spear phishing… remains the principal attack vector for most cybercrimes, ” says Europol in a new report. Sixty-five percent of targeted attack groups use it as their primary infection vector, while 32% of breaches involve phishing. During 2018, up to 0.55 % of all incoming emails were phishing emails, while phishing was present in 78% of cyber espionage incidents. Over two days in March 2019, 70 global financial institutions, internet security firms, and telecommunications providers met and shared insights on phishing. Now Europol has published (PDF) the outcome of that meeting in what it describes as “a unique, law enforcement-industry view on the threat of spear phishing.”. Read also:

www.europol.europa.eu/sites/default/files/documents/report_on_phishing_-_a_law_enforcement_perspective.pdf

Varoituksista huolimatta käytössä Windows 95 ja näinhän siinä sitten kävi: virus jyräsi Berliinin hovioikeuden, pääsee pystyyn vasta 2020

www.tivi.fi/uutiset/varoituksista-huolimatta-kaytossa-windows-95-ja-nainhan-siina-sitten-kavi-virus-jyrasi-berliinin-hovioikeuden-paasee-pystyyn-vasta-2020/d97c5ef8-5251-40ab-8b8a-517f0a19883d Berliinin hovioikeus joutui tuhoisan virushyökkäyksen kohteeksi. Iskun seurauksena oikeusistuin joutui irrottamaan kaikki tietokoneensa netistä. Virus pääsi puremaan ikävästi, ja PC Weltin mukaan virus vei mennessään kokonaan tai osittain tiedostoja vuosikymmenien ajalta. On epätodennäköistä, että Berliinin hovioikeus palaa verkkoon ennen vuotta 2020. Lue:

www.tagesspiegel.de/berlin/experten-warnten-schon-2017-it-katastrophe-am-berliner-kammergericht-kam-mit-ansage/25163810.html

Five ways to strengthen employee cybersecurity awareness

www.welivesecurity.com/2019/11/05/five-ways-strengthen-employee-cybersecurity-awareness/ Since human error has a well-documented history of causing many breaches, no organization can afford to overlook the importance of ensuring that its employees are aware of online dangers. This is mainly why the first instalment in our series of articles to mark this year’s Antimalware Day will outline five ideas for creating a culture that inspires staff to stay on their toes and with cybersecurity top of mind. Creating an email account where employees can send their questions on any and all things cybersecurity provides for a good start and has multiple benefits. For one thing, the designated email account can encourage employees to come forward and ask questions that they might not otherwise ask. Employers can also ask their staff to forward suspiciously-looking emails to the address for review, which can help the employees become more astute at recognizing fraudulent email messages. The messages can also be used for organizing training sessions that will benefit the other employees and the company as a whole.

Brooklyn Hospital Loses Patient Data In Ransomware Attack

www.bleepingcomputer.com/news/security/brooklyn-hospital-loses-patient-data-in-ransomware-attack/ A ransomware attack hitting several computer systems at the Brooklyn Hospital Center in New York caused permanent loss of some patient’s data. The hospital tried to recover the data but all efforts were in vain. This indicates that a ransom for decrypting the files was not paid. The attack occurred in late July but the hospital acknowledged it publicly only last week, following what the institution calls “an exhaustive investigation, ” and after undertaking “diligent remediation efforts.”. Attempts to recover the encrypted records, however, remained fruitless, the hospital informs in a public notification. Not all patients are impacted by the incident but there is no estimation on how many are.

Three UK does it again: Random folk on network website are still seeing others’ account data

www.theregister.co.uk/2019/11/05/three_uk_data_breach_homepage_again/ Once is an unfortunate cockup. Twice needs stamping on. British telco Three UK has once again let random people viewing its homepage view its customers’ account details as if they were logged in, exposing personal and billing data to casual browsing. Several Reg readers got in touch with us on Friday afternoon and Saturday after noticing that when visiting Three’s website, they appeared to be logged into accounts that were not their own.

The Story of Sandworm, the Kremlin’s Most Dangerous Hackers

www.wired.com/story/sandworm-kremlin-most-dangerous-hackers/ For three years, WIRED has tracked the elite and shadowy Russian vanguard of cyberwar. Over the last half decade, the world has witnessed a disturbing escalation in disruptive cyberattacks. In 2015 and 2016, hackers snuffed out the lights for hundreds of thousands of civilians in the first power outages ever triggered by digital sabotage. Then came the most expensive cyberattack in history, NotPetya, which inflicted more than $10 billion in global damage in 2017. Finally, the 2018 Olympics became the target of the most deceptive cyberattack ever seen, masked in layers of false flags. In fact, those unprecedented events aren’t merely the recent history of cyberwarfare’s arms race. They’re all linked back to a single, highly dangerous group of hackers: Sandworm.

New Exploit Kit Capesand Reuses Old and New Public Exploits and Tools, Blockchain Ruse

blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-capesand-reuses-old-and-new-public-exploits-and-tools-blockchain-ruse/ We discovered a new exploit kit named Capesand in October 2019. Capesand attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE). Based on our investigation, it also exploits a 2015 vulnerability for IE. It seems the cybercriminals behind the exploit kit are continuously developing it and are reusing source code from a publicly shared exploit kit code. In the middle of October, we found a malvertising campaign using the Rig exploit kit and delivering DarkRAT and njRAT malware. By the end of October, however, we noticed a change in the malvertisement and the redirection was no longer to the Rig exploit kit. The cybercriminals shifted to loading an exploit kit we were unfamiliar with. Investigating further led us to a panel provided for this unknown exploit kit to customers. The panel has the name Capesand on it and directly provides the source code of the exploit kit.

Machine Learning: With Great Power Come New Security Vulnerabilities

securityintelligence.com/machine-learning-with-great-power-come-new-security-vulnerabilities/ Machine learning (ML) has brought us self-driving cars, machine vision, speech recognition, biometric authentication and the ability to unlock the human genome. But it has also given attackers a variety of new attack surfaces and ways to wreak havoc. Machine learning applications are unlike those that came before them, making it all the more important to understand their risks. What are the potential consequences of an attack on a model that controls networks of connected autonomous vehicles or coordinates access controls for hospital staff? The results of a compromised model can be catastrophic in these scenarios, but there are also more prosaic threats to consider, such as fooling biometric security controls into granting access to unauthorized users. Machine learning is still in its early stages of development, and the attack vectors are not yet clear. Cyberdefense strategies are also in their nascent stages. While we can’t prevent all forms of attacks, understanding why they occur helps us narrow down our response strategies.

Turvayhtiö pamautti pöytään synkän ennusteen: “Varautukaa uuteen kylmään sotaan!”

www.is.fi/digitoday/tietoturva/art-2000006297266.html Lisääntyvät konfliktit näkyvät kyberhyökkäyksinä. Tavalliset ihmisetkään eivät ole suojassa. Tietoturvayhtiö Check Point on antanut synkän ennusteen vuoden 2020 tietoturvanäkymistä. Tiedotteessaan yhtiö kehottaa varautumaan uuteen kylmään sotaan. Amerikkalais-israelilaisen yhtiön mukaan kansainvälisten jännitteiden kiristyminen kiihdyttää kyberhyökkäyksiä.

Actively exploited bug in fully updated Firefox is sending users into a tizzy

arstechnica.com/information-technology/2019/11/scammers-are-exploiting-an-unpatched-firefox-bug-to-send-users-into-a-panic/ Fraudulent tech-support sites cause Firefox to freeze while displaying scary message. Scammers are actively exploiting a bug in Firefox that causes the browser to lock up after displaying a message warning the computer is running a pirated version of Windows that has been hacked. The attack works on both Windows and Mac versions of the open source browser. The only way to close the window to is to force-close the entire browser using either the Windows task manager or the Force Close function in macOS. Even then, Firefox will reopen previously open tabs, resulting in an endless loop. (Update: as a commenter pointed out, restore tabs is turned off by default.) To resolve the problem, users must force-close Firefox and then, immediately upon restarting it, quickly close the tab of the scammer site before it has time to load.

DarkUniverse the mysterious APT framework #27

securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/ In April 2017, ShadowBrokers published their well-known Lost in Translation’ leak, which, among other things, contained an interesting script that checked for traces of other APTs in the compromised system. In 2018, we found an APT described as the 27th function of this script, which we call DarkUniverse’. This APT was active for at least eight years, from 2009 until 2017. We assess with medium confidence that DarkUniverse is a part of the ItaDuke set of activities due to unique code overlaps. ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server urls.

Buran Ransomware; the Evolution of VegaLocker

securingtomorrow.mcafee.com/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/ McAfee’s Advanced Threat Research Team observed how a new ransomware family named Buran’ appeared in May 2019. Buran works as a RaaS model like other ransomware families such as REVil, GandCrab (now defunct), Phobos, etc. The author(s) take 25% of the income earned by affiliates, instead of the 30% 40%, numbers from notorious malware families like GandCrab, and they are willing to negotiate that rate with anyone who can guarantee an impressive level of infection with Buran. They announced in their ads that all the affiliates will have a personal arrangement with them.

Experts: Don’t reboot your computer after you’ve been infected with ransomware

www.zdnet.com/article/experts-dont-reboot-your-computer-after-youve-been-infected-with-ransomware/ Rebooting may lead to restarting a crashed file-encryption process, potential loss of encryption keys stored in-memory. Security experts don’t recommend that users reboot their computers after suffering a ransomware infection, as this could help the malware in certain circumstances. Instead, experts recommend that victims power down the computer, disconnect it from their network, and reach out to a professional IT support firm. Experts are recommending against PC reboots because a recent survey of 1, 180 US adults who fell victim to ransomware in the past years has shown that almost 30% of victims chose to reboot their computers as a way to deal with the infection

Trump, Putin and Politics Name-Dropped to Peddle Malware

threatpost.com/trump-putin-and-politics-name-dropped-to-peddle-malware/149884/ Cybercriminals are leveraging political names and figures for social engineering as the elections loom. With the U.S. presidential elections looming, bad actors are tapping into the political craze with several malware distribution campaigns, using high-profile political names to tap into victims’ emotions and convince them to click on malicious links. Researchers have uncovered hundreds of politically-charged malware campaigns distributing ransomware, remote access trojans (RATs) and more using the names of prominent political figures like U.S. President Donald Trump, Russia President Vladimir Putin, North Korea ruler Kim Jong-un and more

WordPress sites have been the target of a highly active malicious campaign that infects them with a malware dubbed WP-VCD that hides in plain sight and quickly spreads to the entire website

www.bleepingcomputer.com/news/security/wordpress-admins-infect-their-sites-with-wp-vcd-via-pirated-plugins/ The group of hackers behind it have also made sure that their malicious payload is also very hard to get rid of once it manages to compromise a site. To make things worse, the malware is also designed to scan its way through the hosting server and infect any other WordPress sites it finds. WP-VCD is spread by the most active malicious campaign impacting WordPress sites as of late, with the Wordfence threat intelligence team that took a closer look at it associating “individual WP-VCD malware samples with a higher rate of new infections than any other WordPress malware since August 2019.”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.