Daily NCSC-FI news followup 2019-11-07

Microsoft crams Office 365 docs into Edge-style sandboxes to thwart malware infections

www.theregister.co.uk/2019/11/07/ignite_2019_security/ Your guide to some of the security enhancements announced this week. Office 365 will be getting additional security protections through Application Guard, the sandboxing tool Microsoft debuted with its Edge browser. The idea is that Application Guard will isolate documents, preventing malicious code from escaping the app and damaging the rest of the system. The feature is currently in limited preview.

Legitimate TDS Platform Abused to Push Malware via Exploit Kits

www.bleepingcomputer.com/news/security/legitimate-tds-platform-abused-to-push-malware-via-exploit-kits/ Threat actors abused the legitimate Keitaro Traffic Direction System (TDS) to drive traffic to the malware-pushing RIG and Fallout exploit kits as part of both malvertising and malspam campaigns. As security researchers at Proofpoint discovered, Keitaro was abused in campaigns designed to generate “millions of malvertising impressions and URL-based malicious messages.” This made it almost impossible to block or to distinguish from legitimate traffic, since the TDS is also used for purposes other than malware distribution.

Specially Crafted ZIP Files Used to Bypass Secure Email Gateways

www.bleepingcomputer.com/news/security/specially-crafted-zip-files-used-to-bypass-secure-email-gateways/ Attackers are always looking for new tricks to distribute malware without them being detected by antivirus scanners and secure email gateways. This was illustrated in a new phishing campaign that utilized a specially crafted ZIP file that was designed to bypass secure email gateways to distribute the NanoCore RAT. Every ZIP archive contains a special structure that contains the compressed data and information about the compressed files. Each ZIP archive also contains a single “End of Central Directory” (EOCD) record, which is used to indicate the end of the archive structure. In a new spam campaign discovered by TrustWave, researchers encountered a spam email pretending to be shipping information from an Export Operation Specialist of USCO Logistics.
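A defender-side check for the EOCD detail described above, added here as an example (not code from the article or from Trustwave): it walks every EOCD signature in an archive, verifies that the final record sits directly after the central directory it points to with nothing following it, and contrasts that with which entries Python's zipfile module reports. The two-archive sample is constructed here, and that a crafted file carries more than one archive structure is an assumption of this example rather than something this summary states.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory signature
EOCD_LEN = 22              # fixed part of the record; an archive comment may follow


def parse_eocd(data: bytes, pos: int):
    """Decode the fixed 22-byte EOCD record at pos, or return None if truncated."""
    if pos + EOCD_LEN > len(data):
        return None
    # sig, disk no., CD disk, entries on disk, total entries, CD size, CD offset, comment len
    fields = struct.unpack("<4sHHHHIIH", data[pos:pos + EOCD_LEN])
    return {"offset": pos, "entries": fields[4], "cd_size": fields[5],
            "cd_offset": fields[6], "comment_len": fields[7]}


def audit_zip(data: bytes) -> dict:
    """Scan the whole byte string for EOCD records and report structural anomalies.

    A well-formed single archive has exactly one EOCD, located right after its
    central directory, with nothing after the record but the optional comment.
    """
    records, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        rec = parse_eocd(data, pos)
        if rec is not None:
            records.append(rec)
        pos = data.find(EOCD_SIG, pos + 1)

    if not records:
        return {"eocd_count": 0, "findings": ["no EOCD record: not a ZIP archive"]}
    findings = []
    if len(records) > 1:
        findings.append(f"{len(records)} EOCD records found, expected exactly one")
    last = records[-1]
    if last["offset"] + EOCD_LEN + last["comment_len"] != len(data):
        findings.append("trailing bytes after the final EOCD record")
    if last["cd_offset"] + last["cd_size"] != last["offset"]:
        findings.append("final EOCD's central directory does not end where the record starts")
    for rec in records[:-1]:
        end = rec["offset"] + EOCD_LEN + rec["comment_len"]
        if rec["cd_offset"] + rec["cd_size"] == rec["offset"]:
            findings.append(f"complete archive ends at byte {end}; {len(data) - end} bytes follow")
    return {"eocd_count": len(records), "findings": findings}


def names_seen_by_python(data: bytes) -> list:
    """Entries Python's zipfile reports: it trusts the LAST EOCD in the file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_zip(files: dict) -> bytes:
    """Constructed sample archive (stored, no compression, so the layout is predictable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in files.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a clean archive, and two archives glued back to back.
DECOY = build_zip({"readme.txt": b"harmless"})
SECOND = build_zip({"invoice.exe": b"constructed sample, not a real executable"})
CRAFTED = DECOY + SECOND

if __name__ == "__main__":
    print(audit_zip(DECOY))               # {'eocd_count': 1, 'findings': []}
    print(audit_zip(CRAFTED))             # two EOCDs plus two consistency findings
    print(names_seen_by_python(CRAFTED))  # ['invoice.exe']: the first archive is invisible
```

A gateway that stops at the first complete archive structure inspects only readme.txt, while an unpacker that honours the last EOCD extracts invoice.exe; flagging any archive with more than one EOCD closes that gap.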

The App Defense Alliance: Bringing the security industry together to fight bad apps

security.googleblog.com/2019/11/the-app-defense-alliance-bringing.html Fighting against bad actors in the ecosystem is a top priority for Google, but we know there are others doing great work to find and protect against attacks. Our research partners in the mobile security world have built successful teams and technology, helping us in the fight. Today, we’re excited to take this collaboration to the next level, announcing a partnership between Google, ESET, Lookout, and Zimperium. It’s called the App Defense Alliance and together, we’re working to stop bad apps before they reach users’ devices. Read also:


threatpost.com/google-bad-android-apps/149981/ and


Morrisons tells top court it’s not liable for staffer who nicked payroll data of 100,000 employees

www.theregister.co.uk/2019/11/07/morrisons_supreme_court_payroll_data_appeal/ Supermarket takes appeal to most senior legal eagles. Brit supermarket Morrisons is arguing in the Supreme Court that it shouldn’t be held vicariously liable for the actions of a rogue employee who stole and leaked the company’s payroll. In a world where nobody’s quite sure where data protection law ends and traditional civil law torts begin, the outcome of the case may well determine for years to come whether companies should be blamed and made to pay compensation if one of their employees breaks the law.

Inside the Microsoft team tracking the world’s most dangerous hackers

www.technologyreview.com/s/614646/inside-the-microsoft-team-tracking-the-worlds-most-dangerous-hackers/ – From Russian Olympic cyberattacks to billion-dollar North Korean malware, how one tech giant monitors nation-sponsored hackers everywhere on earth. When the Pentagon recently awarded Microsoft a $10 billion contract to transform and host the US military’s cloud computing systems, the mountain of money came with an implicit challenge: Can Microsoft keep the Pentagon’s systems secure against some of the most well-resourced, persistent, and sophisticated hackers on earth? “They’re under assault every hour of the day,” says James Lewis, vice president at the Center for Strategic and International Studies.

Kaspersky Lab Analysis Shines Light on DarkUniverse APT Group

www.darkreading.com/attacks-breaches/kaspersky-lab-analysis-shines-light-on-darkuniverse-apt-group/d/d-id/1336292 Threat actor was active between 2009 and 2017, targeting military, government, and private organizations. A threat campaign first spotted targeting Tibet and Uyghur activists in 2013 may have been much wider in scope than originally thought, a new analysis by Kaspersky Lab has revealed. The security vendor made the discovery when trying to identify an advanced persistent threat group the US National Security Agency (NSA) had been quietly tracking when the ShadowBrokers outfit leaked many of the spy agency’s offensive tools in 2017.

Black Hat Q&A: Hacking a ’90s Sports Car

www.darkreading.com/application-security/black-hat-qanda-hacking-a-90s-sports-car/d/d-id/1336283 Security researcher Stanislas Lejay offers a preview of his upcoming Black Hat Europe talk on automotive engine computer management and hardware reverse engineering. Communicating with your car and building your own tools is easier than you think, and well worth the effort, says Stanislas Lejay who will be briefing attendees in London at Black Hat Europe next month on Unleashing the Power of My 20+ Years Old Car. It’s a fun and fascinating look at Lejay’s efforts to bypass the speed limiter (set at ~180 km/h) and still pass inspection. Lejay opens up to Dark Reading about the process, what he learned, and what Black Hat attendees can look forward to in his Briefing.

1-15 October 2019 Cyber Attacks Timeline

www.hackmageddon.com/2019/11/07/1-15-october-2019-cyber-attacks-timeline/ And here we go with the first timeline of October. In this fortnight I have collected 87 events, which is quite an important number. However, what is strange is that this timeline also collects six events that occurred in September plus one (the Egyptian campaign uncovered by Amnesty International) in March (I know it’s my fault, I completely missed it.

Two former Twitter employees charged in the United States with spying for Saudi Arabia

yle.fi/uutiset/3-11056008 According to the indictment, the men dug up personal data of critics of the Saudi government. In the United States, two former Twitter employees and a third person are charged with spying on the microblogging service on behalf of Saudi Arabia. According to the Justice Department, the accused tried in particular to expose the owner details of Twitter accounts critical of the Saudi royal family. These people are accused of obtaining private information on dissidents and well-known critics at the direction of the Saudi government, says John Bennett of the FBI. Read also

www.theregister.co.uk/2019/11/07/twitter_employees_saudi_spy/ and www.wired.com/story/twitter-insiders-saudi-arabia-spy/

How to Start Building an Insider Threat Program

securityintelligence.com/articles/how-to-start-building-an-insider-threat-program/ Sometimes, it only takes one moment, one life-changing incident, for the most trustworthy employee to become an insider threat. As Nick Cavalancia, founder of Microsoft MVP, observed at Spiceworld 2019, malicious user behavior is all about intent. Coming up with the best approach to addressing insider threats means understanding the reasons behind intent. When you understand why someone would go from a highly rated employee to a potential criminal or serious threat to your company’s well-being, you can design a threat prevention program that will actually work.

Amazon’s Ring Video Doorbell Lets Attackers Steal Your Wi-Fi Password

thehackernews.com/2019/11/ring-doorbell-wifi-password.html Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon’s Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and launch a variety of cyberattacks using MitM against other devices connected to the same network. In case you don’t own one of these, Amazon’s Ring Video Doorbell is a smart wireless home security doorbell camera that lets you see, hear and speak to anyone on your property from anywhere in the World. More info:

www.bitdefender.com/files/News/CaseStudies/study/294/Bitdefender-WhitePaper-RDoor-CREA3949-en-EN-GenericUse.pdf and


Between 200,000 and 240,000 Magento online stores will reach EOL next year

www.zdnet.com/article/between-200000-and-240000-magento-online-stores-will-reach-eol-next-year/ A large chunk of today’s e-commerce ecosystem will run on unsupported software starting June 2020, when the Magento 1.x branch is scheduled to reach End-of-Life (EOL) and will no longer receive security updates. The number of impacted online stores is currently estimated to be between 200,000 and 240,000, according to different statistics sources. The owners of these online shops will need to migrate to the latest Magento version, the 2.x branch, where they can still receive security patches on a regular basis. Store owners who fail to do so face the risk of having their sites hacked and infected with code that steals customers’ payment details. This is a pretty plausible scenario against the backdrop of an increase in the number of web skimming (Magecart) attacks.

You Don’t Know What You Don’t Know: 5 Best Practices for Data Discovery and Classification

securityintelligence.com/posts/you-dont-know-what-you-dont-know-5-best-practices-for-data-discovery-and-classification/ This is the second installment in a two-part series about data discovery and classification. Be sure to read part one for the full story. Discovering and classifying data across the enterprise is crucial to any data protection strategy, but it can be complicated due to the constantly shifting nature of the cybersecurity landscape, the difficulty of unifying processes across diverse environments and the sheer scale of the task at hand. If you’re feeling overwhelmed trying to keep track of and meet the myriad data security and compliance requirements organizations face today, the following five best practices can help you develop effective data discovery and classification processes, which can help address the data security, data privacy and compliance requirements for your organization.

49 Disguised Adware Apps With Optimized Evasion Features Found on Google Play

blog.trendmicro.com/trendlabs-security-intelligence/49-disguised-adware-apps-with-optimized-evasion-features-found-on-google-play/ We recently found 49 new adware apps on Google Play, disguised as games and stylized cameras. These apps are typical adware, hiding themselves within mobile devices to show ads and deploying anti-uninstall and evasion functions. These apps are no longer live but before they were taken down by Google, the total number of downloads was more than 3 million.

Trend Micro Discloses Insider Threat Impacting Some of its Consumer Customers

blog.trendmicro.com/trend-micro-discloses-insider-threat-impacting-some-of-its-consumer-customers/ We recently became aware of a security incident that resulted in the unauthorized disclosure of some personal data of an isolated number of customers of our consumer product. We immediately started investigating the situation and found that this was the result of a malicious insider threat. The suspect was a Trend Micro employee who improperly accessed the data with a clear criminal intent. We immediately began taking the actions necessary to ensure that no additional data could be improperly accessed, and have involved law enforcement. Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls. Read also:

thehackernews.com/2019/11/insider-threat-data-breach.html and


How to Secure Critical Infrastructure When Patching Isn’t Possible

threatpost.com/secure-critical-infrastructure-when-patching-isnt-possible/149987/ Mission-critical systems can’t just be switched off to apply security updates so patching can take weeks if not years. Cyberattacks are on the rise and threatening our digital life and our most intimate information but also our operational realities. Attacks on critical infrastructure such as power plants, water works, airports and the like (transportation ranks among the highest-value targets for cyberattackers seeking maximal impact) are no longer theoretical but when it comes to securing these complex systems, there are unique challenges, such as an inability to patch.

Data Breach Fines: Are They Working to Boost Consumer Safety?

threatpost.com/data-breach-fines-consumer-safety/149956/ Despite trillions of dollars in breach fine payouts, each year the number of compromised companies and individuals with private data exposed rises. Breach statistics are downright discouraging: Over the past five years the number of businesses breached has skyrocketed. The human consequences are also bad, with billions of private email addresses, bankcard numbers and other deeply personal data points exposed online and now in the hands of hackers. See also:


Mysterious hacker dumps database of infamous IronMarch neo-nazi forum

www.zdnet.com/article/mysterious-hacker-dumps-database-of-infamous-ironmarch-neo-nazi-forum/ Now-defunct IronMarch forum spawned two of today’s most extremist far-right neo-nazi groups — the Atomwaffen Division and SIEGE Culture. A mysterious hacker has published today a database dump of one of the internet’s most infamous neo-nazi meeting places — the IronMarch forum.

You’ve Been Served with Subpoena-Themed Phishing Emails

threatpost.com/youve-been-served-subpoena-themed-phishes/149963/ A targeted campaign is delivering an information-stealing malware called Predator the Thief. A phishing campaign claiming to deliver emailed subpoenas is targeting insurance and retail companies. According to researchers, the phishing emails are spoofing the UK Ministry of Justice, aiming to capitalize on scare tactics to convince targets to click on an embedded link to “learn more about the case” by saying that the recipient has 14 days to comply with the subpoena notice. If the target clicks on the link, he or she will find themselves infected with Predator the Thief, a publicly available

Microsegmentation and Isolation: 2 Essential Strategies in Zero-Trust Security

threatpost.com/microsegmentation-and-isolation-2-essential-strategies-in-zero-trust-security/149976/ Tactics for when authorized users need to connect to network resources, or need to venture out to the web to complete important tasks. The headlines over the past few years have been consistent: enterprises are pouring more and more money into cybersecurity countermeasures. Indications are that 2020 will be no different, with reports that nearly three quarters of CISOs plan to ask their CFOs for increased cybersecurity investment next year.

Cisco: All these routers have the same embedded crypto keys, so update firmware

www.zdnet.com/article/cisco-all-these-routers-have-the-same-embedded-crypto-keys-so-update-firmware/#ftag=RSSbaffb68 Cisco removes static encryption keys that were shared across its small-business routers. Security researchers have found that the firmware for several Cisco small-business routers contains numerous security issues. The problems include hardcoded password hashes as well as static X.509 certificates with the corresponding public-private key pairs and one static Secure Shell (SSH) host key. The static keys are embedded in the routers’ firmware and are used to provide HTTPS and SSH access to the affected routers. The issue means all devices with the affected firmware use the same keys.

iPhones Are Big in China, But Apple’s Services Play Gets Mired in Censorship

www.bloomberg.com/news/articles/2019-11-07/apple-tv-apple-arcade-other-apple-services-blocked-in-china The company’s growing roster of digital services increases tension with China’s authoritarian government. When it comes to many of Apple Inc.’s latest services, iPhone users in China are missing out. Podcast choices are paltry. Apple TV+ is off the air. News subscriptions are blocked, and Arcade gaming is nowhere to be found.

How much do data breaches affect stock prices?

www.welivesecurity.com/2019/11/07/do-data-breaches-hurt-stock-prices/ A study looks at just how badly the news of a data breach affects the company’s share price, revealing some surprising findings. A recent study, conducted by technology site Comparitech, offers insight into precisely this somewhat lesser-explored area of post-breach consequences. The analysis draws on a sample of 28 big-name enterprises that are listed on the New York Stock Exchange (NYSE) and between them have suffered a total of 33 breaches since 2007, each of which exposed at least 1 million data records. One notable finding is that the companies’ share prices tended to hit a low point around 14 market days, i.e. almost three weeks, after the incident is disclosed. Their stock value dropped by 7.27% on average, underperforming the overall NASDAQ market by -4.18%.

Amazon Kindle, Embedded Devices Open to Code-Execution

threatpost.com/amazon-kindle-embedded-devices-code-execution/150003/ Flaws in Das U-Boot affect third-party hardware that uses the universal bootloader as an underlying component. Multiple vulnerabilities have been found in Das U-Boot, a universal bootloader commonly used in embedded devices like Amazon Kindles, ARM Chromebooks and networking hardware. The bugs could allow attackers to gain full control of an impacted device’s CPU and modify anything they choose. Researchers at ForAllSecure found the flaws in U-Boot’s file system drivers. They include a recursive stack overflow in the DOS partition parser, a pair of buffer-overflows in ext4 and a double-free memory corruption flaw in ext4. They open the door to denial-of-service attacks, device takeover and code-execution. See also:


Cisco Releases Security Updates

www.us-cert.gov/ncas/current-activity/2019/11/07/cisco-releases-security-updates Cisco has released security updates to address vulnerabilities in Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities see the Cisco Security Advisories webpage. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

* Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerability
* Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Command Injection Vulnerability
* Cisco TelePresence Collaboration Endpoint and RoomOS Software Denial of Service Vulnerabilities
* Cisco TelePresence Collaboration Endpoint, TelePresence Codec, and RoomOS Software Privilege Escalation Vulnerability
* Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerabilities
* Cisco Wireless LAN Controller HTTP Parsing Engine Denial of Service Vulnerability
* Cisco Web Security Appliance Unauthorized Device Reset Vulnerability

QNAP Warns Users to Secure Devices Against QSnatch Malware

www.bleepingcomputer.com/news/security/qnap-warns-users-to-secure-devices-against-qsnatch-malware/ Network-attached storage (NAS) maker QNAP urges customers to secure their NAS devices against an ongoing malicious campaign that infects them with QSnatch malware capable of stealing user credentials. QNAP advises users to install the latest version of the Malware Remover app for the QTS operating system running on the company’s NAS devices as soon as possible. The updated Malware Remover versions are now capable of removing QSnatch, after the company added new rules when it updated the app on November 1. “Users are urged to install the latest version of the Malware Remover app from QTS App Center or by manual downloading from the QNAP website,” says QNAP. “Users are advised to take actions listed in the security advisory or, alternatively, contact QNAP for technical assistance. Instructions for creating a support request can be found here.” Researchers at the National Cyber Security Centre of Finland (NCSC-FI) found in late October that thousands of QNAP NAS devices infected with QSnatch had their firmware injected with malicious code. The malware harvests and exfiltrates user credentials found on compromised NAS devices, and it is also capable of loading malicious code retrieved from its command and control (C2) servers. Germany’s Computer Emergency Response Team (CERT-Bund) said at the time that, based on sinkhole data, around 7,000 NAS devices in Germany were impacted by QSnatch infections. See also: www.qnap.com/en/security-advisory/nas-201911-01

Australian Govt Warns of Active Emotet and BlueKeep Threats

www.bleepingcomputer.com/news/security/australian-govt-warns-of-active-emotet-and-bluekeep-threats/ The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), together with state and territory partners, warns businesses and people of Emotet and BlueKeep threats being active in the wild. The ACSC urges vigilance as attackers exploiting the Windows BlueKeep vulnerability have started attacking unpatched systems to infect them with coin miners. Also, while the Emotet campaigns the ACSC previously notified about in late October had slowly wound down during the last week, Emotet still represents a significant threat for both organizations and the general population. “There are two concerning cyber security threats in the wild. While we have seen a drop in the number of Emotet infections in the last week, people and businesses should remain vigilant,” Head of the ACSC, Rachel Noble PSM said. “We are also concerned about reports cybercriminals are exploiting the BlueKeep vulnerability to access computers and control them without the users’ knowledge.”

Anatomy of Scalable Vector Graphics (SVG) Attack Surface on the Web

www.fortinet.com/blog/threat-research/scalable-vector-graphics-attack-surface-anatomy.html Over the past few weeks, Fortinet’s FortiGuard Labs has been assessing web applications with embedded SVG images. As a result, we found a number of common issues in the web applications that we have examined. In this blog post, we will briefly talk about the nature of SVG and the common attack surfaces for SVG images that we have seen so far. The following list is a summary of the common SVG attack vectors that we have observed over time: Cross-Site Scripting, HTML Injection, XML Entity Processing, the Billion Laughs Attack, Denial of Service, and the new SVG Billion Laughs Attack.

OpenAI has published the text-generating AI it said was too dangerous to share

www.theverge.com/2019/11/7/20953040/openai-text-generation-ai-gpt-2-full-model-release-1-5b-parameters The research lab OpenAI has released the full version of a text-generating AI system that experts warned could be used for malicious purposes.
