Daily NCSC-FI news followup 2019-11-14

Qualcomm Chip Flaws Let Hackers Steal Private Data From Android Devices

thehackernews.com/2019/11/qualcomm-android-hacking.html According to a report cybersecurity firm CheckPoint shared with The Hacker News, the flaws could allow attackers to steal sensitive data stored in a secure area that is otherwise supposed to be the most protected part of a mobile device. Report at

research.checkpoint.com/the-road-to-qualcomm-trustzone-apps-fuzzing/

Strange AnteFrigus Ransomware Only Targets Specific Drives

www.bleepingcomputer.com/news/security/strange-antefrigus-ransomware-only-targets-specific-drives/ A new and strange ransomware called AnteFrigus is now being distributed through malvertising that redirects users to the RIG exploit kit. Unlike other ransomware, AnteFrigus does not target the C: drive, but only other drives commonly associated with removable devices and mapped network drives. It turns out that this ransomware only targets the D:, E:, F:, G:, H:, and I: drives. It does not encrypt any files located on the C: drive or unmapped network shares.

Iranian hacking group built its own VPN network

www.zdnet.com/article/iranian-hacking-group-built-its-own-vpn-network/#ftag=RSSbaffb68 One of Iran’s elite state-sponsored hacking groups has built and has been operating its own private network of VPN nodes, which they’ve been using to connect to hacking infrastructure, perform reconnaissance on future targets, and even casual web browsing, according to research published today by cyber-security firm Trend Micro. Report at

blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/

Breach affecting 1 million was caught only after hacker maxed out target's storage

arstechnica.com/information-technology/2019/11/breach-affecting-1-million-was-caught-only-after-hacker-maxed-out-targets-storage/ The US Federal Trade Commission has sued an IT provider for failing to detect 20 hacking intrusions over a 22-month period, allowing the hacker to access the data for 1 million consumers. The provider only discovered the breach when the hacker maxed out the provider's storage system. The FTC said in a statement that as part of a proposed settlement, InfoTrax will be barred from collecting, selling, sharing, or storing personal information unless the company implements a security program that corrects the failures identified in the complaint. InfoTrax will also be required to obtain third-party assessments of its security every two years.

Self-Cleaning Payment Card-Skimmer Infects E-Commerce Sites

www.darkreading.com/vulnerabilities---threats/self-cleaning-payment-card-skimmer-infects-e-commerce-sites/d/d-id/1336358 Visa’s researchers discovered Pipka, as they are calling the malware, on a North American e-commerce site that had been previously infected with Inter, another JavaScript malware for skimming payment-card data from merchant sites. Since that initial discovery, Visa has identified at least 16 other e-commerce sites that Pipka has infected. Report at

usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf

Exclusive: U.S. manufacturing group hacked by China as trade talks intensified – sources

ca.reuters.com/article/idCAKBN1XN1AY?rpc=401& The National Association of Manufacturers (NAM) was hacked over the summer and hired a cybersecurity firm, which concluded the attack came from China, the two sources said.

India, Russia step up cyber security cooperation after attack on Kudankulam

economictimes.indiatimes.com/news/politics-and-nation/india-russia-step-up-cyber-security-cooperation-after-attack-on-kudankulam/articleshow/72033001.cms Deputy Chief of Mission of the Russian Embassy Roman Babushkin has said Nuclear Power Corporation of India Limited has informed Russian authorities that the plant is safe and additional steps have been taken to enhance its security further. “The Russian authorities are working with Indian agencies to stop any further attacks,” he said.

General election 2019: Labour Party hit by second cyber-attack

www.bbc.com/news/election-2019-50388879 Labour is reportedly suffering a second cyber-attack after saying it successfully thwarted one on Monday.

Labs report finds cyberthreats against healthcare increasing while security circles the drain

blog.malwarebytes.com/reports/2019/11/labs-report-cyberthreats-healthcare-increasing-security-circles-drain/ The healthcare industry is a target for cybercriminals for several reasons, including their large databases of patients' personally identifiable information, lack of a sophisticated security model, and high number of endpoints and other devices connected to the network. Report at

resources.malwarebytes.com/files/2019/11/191028-MWB-CTNT_2019_Healthcare_FINAL.pdf

Infosec boffins pour cold water on claims Home Office Brexit app can be easily hacked

www.theregister.co.uk/2019/11/14/home_office_brexit_app_hack_claims/ The Financial Times today splashed with the headline “Home Office app for EU citizens easy to hack” based on a report by Norwegian security firm Promon. The company’s researchers found the app contains loopholes allowing them to access any information that was entered into it, including the facial scans and images of passport pages. “I’ve already seen it retweeted by many who have taken the headline at face value, and that is unnecessary scaremongering. As far as I am aware, the app isn’t particularly vulnerable. If you practice good security hygiene on your device, you should be fine using the app.” [said Professor Alan Woodward, of the Department of Computer Science at the University of Surrey]

Canada Spy Agencies Split Over Proposed Huawei 5G Ban: Media

www.securityweek.com/canada-spy-agencies-split-over-proposed-huawei-5g-ban-media The Globe and Mail, citing an unnamed source, said the spy agency CSIS and the electronic eavesdropping agency CSE disagree on how to proceed. The CSE reportedly supports an outright ban while the CSIS believes the risks can be mitigated with robust testing and monitoring of equipment.

TA2101 plays government imposter to distribute malware to German, Italian, and US organizations

www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).

Clever WebEx Spam Uses Cisco Redirect to Deliver RAT Malware

www.bleepingcomputer.com/news/security/clever-webex-spam-use-cisco-redirect-to-deliver-rat-malware/ A clever spam campaign is underway that pretends to be a WebEx meeting invite and uses a Cisco open redirect that pushes a Remote Access Trojan to the recipient. Using open redirects adds legitimacy to spam URLs and increases the chances that victims will click on a URL.

Online scams are increasing despite warnings: read the police's genuine examples of romance scammers

yle.fi/uutiset/3-11062205?origin=rss Detective Chief Inspector Jari Riiali of the Southwest Finland Police says that the number of online scams keeps growing. Although people are warned about online scammers, the lesson does not sink in.

Cyber Threat Report for 2018/19 released

www.ncsc.govt.nz/newsroom/cyber-threat-report-for-201819-released/ The NCSC recorded 339 incidents in the 12 months to 30 June 2019, compared with 347 incidents in the previous year. The NCSC was able to identify indicators linking state-sponsored cyber actors to 38 percent of total incidents recorded in 2018-19. While this is similar to the previous year (39%), NCSC analysis of these incidents shows they had a greater impact. In previous years more state-sponsored incidents were detected at an early phase before the actors were able to cause harm.

Just-Released Checkra1n iPhone Jailbreak Stirs Security Concerns

threatpost.com/checkra1n-jailbreak-stirs-concerns/150182/ That said, for an adversary to jailbreak a target's phone without their knowledge is an unwieldy process. The prerequisites for a third-party jailbreak are access to an unlocked iPhone, and tethering the device to a macOS computer running the exploit code.

Attention is All They Need: Combatting Social Media Information Operations With Neural Language Models

www.fireeye.com/blog/threat-research/2019/11/combatting-social-media-information-operations-neural-language-models.html In this blog post, we will illustrate an example of how the FireEye Data Science (FDS) team works together with FireEye's Information Operations Analysis team to better understand and detect social media information operations using neural language models.

Symantec Fixes Privilege Escalation Flaw in Endpoint Protection

www.bleepingcomputer.com/news/security/symantec-fixes-privilege-escalation-flaw-in-endpoint-protection/ [Safebreach researcher Peleg] Hadar says that CVE-2019-12758 is caused by the security solution’s attempt to load a DLL from its current working directory (CWD) instead of the DLL’s actual location and by not validating if the DLL is signed with a digital certificate. Since August, Hadar also found other similar issues impacting Trend Micro’s Password Manager, Check Point Software’s Endpoint Security Initial Client, the free version of Bitdefender Antivirus, Avira’s Antivirus 2019 software, Avast Software’s AVG Antivirus and Avast Antivirus, and several McAfee Antivirus software solutions.
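The two defects named above (resolving a DLL from the process's current working directory rather than its install location, and not checking the DLL's signature) are both visible in image-load telemetry, so a defender can hunt for the pattern across any product, not just the one in the article. The following is an added example, not code from SafeBreach or Symantec: it scores constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields. The process name, the trusted-directory list and the event values are assumptions for illustration.

```python
"""Flag DLL loads that match the search-order pattern described for CVE-2019-12758:
a process mapping a DLL from its current working directory instead of a trusted
install directory, optionally without a valid Authenticode signature.

Added example. Records mimic Sysmon Event ID 7 fields; all values are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Directories from which a service is expected to load its DLLs.
# Assumption: in practice this list comes from the product's install path and
# the Windows system directory, not from a hard-coded tuple.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\program files\exampleav",   # hypothetical product install dir
)


@dataclass
class ImageLoad:
    image: str              # process that performed the load
    image_loaded: str       # full path of the DLL that was mapped
    cwd: str                # current working directory of the process
    signed: bool            # Sysmon "Signed" field
    signature_status: str   # "Valid", "Unavailable", "Invalid", ...


def _under(path: str, root: str) -> bool:
    """True if `path` equals `root` or lies beneath it (case-insensitive, NT paths)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + ntpath.sep)


def classify(ev: ImageLoad) -> List[str]:
    """Return the reasons a load looks like a search-order hijack candidate."""
    reasons = []
    dll_dir = ntpath.dirname(ev.image_loaded)
    resolved_from_cwd = _under(dll_dir, ev.cwd)
    in_trusted_dir = any(_under(dll_dir, t) for t in TRUSTED_DIRS)
    if resolved_from_cwd and not in_trusted_dir:
        reasons.append("dll-resolved-from-cwd")
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("dll-not-validly-signed")
    return reasons


def find_hijack_candidates(events: List[ImageLoad]) -> List[Tuple[str, List[str]]]:
    """Report every load that came from the CWD outside a trusted directory.
    An unsigned DLL is noted as an extra reason (higher severity) but loading
    from the CWD is the defect on its own, so signed loads are reported too."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if "dll-resolved-from-cwd" in reasons:
            hits.append((ev.image_loaded, reasons))
    return hits


# Constructed sample telemetry: one benign system load, one benign install-dir
# load, one unsigned DLL pulled from a user-writable CWD, one signed DLL from a CWD.
SVC = r"C:\Program Files\ExampleAV\avsvc.exe"   # hypothetical service binary
SAMPLE_EVENTS = [
    ImageLoad(SVC, r"C:\Windows\System32\kernel32.dll", r"C:\Windows\System32", True, "Valid"),
    ImageLoad(SVC, r"C:\Program Files\ExampleAV\helper.dll", r"C:\Windows\System32", True, "Valid"),
    ImageLoad(SVC, r"C:\Users\Public\Downloads\DLL.dll", r"C:\Users\Public\Downloads", False, "Unavailable"),
    ImageLoad(SVC, r"C:\Temp\helper.dll", r"C:\Temp", True, "Valid"),
]

if __name__ == "__main__":
    for path, reasons in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"{path}: {', '.join(reasons)}")
```

The CWD test is deliberately combined with a trusted-directory allowlist: services whose CWD is System32 legitimately load from there, and reporting those would bury the real finding (an unsigned DLL mapped from a user-writable directory that happened to be the service's CWD).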

Hunting for LoLBins

blog.talosintelligence.com/2019/11/hunting-for-lolbins.html Attackers’ trends tend to come and go. But one popular technique we’re seeing at this time is the use of living-off-the-land binaries or “LoLBins”. LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases. In this post, we will take a look at the use of LOLBins through the lens of Cisco’s product telemetry. We’ll also walk through the most frequently abused Windows system binaries and measure their usage by analyzing data from Cisco AMP for Endpoints.
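Measuring LoLBin usage in endpoint telemetry comes down to two things: counting executions of the signed system binaries that attackers co-opt, and separating the routine ones from launches whose parent process makes no sense for that binary. The following is an added example and not Talos' code or Cisco AMP data: it runs that logic over constructed process-creation records in a Sysmon Event ID 1-like key=value form. The LoLBin set and the list of suspicious parents are assumptions drawn from commonly documented LoLBins, not the article's ranking.

```python
"""Tally living-off-the-land binary (LoLBin) executions from process-creation
telemetry and flag launches from parents that rarely spawn them legitimately.

Added example; log lines are constructed and the binary/parent lists are
assumptions, not the telemetry or ranking from the Talos post.
"""
import ntpath
from collections import Counter
from typing import Dict, List, Tuple

# Signed Windows binaries frequently co-opted to download, execute or proxy code.
LOLBINS = {
    "certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
    "msiexec.exe", "wmic.exe", "bitsadmin.exe", "powershell.exe",
}

# Parents from which a LoLBin launch is rarely legitimate (document handlers, mail).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'Key=Value|Key=Value' into a dict; values may contain spaces and '='."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Normalise an NT path to its lower-cased file name for set lookups."""
    return ntpath.basename(path).lower()


def analyze(lines: List[str]) -> Tuple[Counter, List[Tuple[str, str, str]]]:
    """Return (executions per LoLBin, [(parent, lolbin, command line)] for
    launches whose parent is in SUSPICIOUS_PARENTS)."""
    counts: Counter = Counter()
    suspicious = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        if image not in LOLBINS:
            continue
        counts[image] += 1
        parent = basename(ev.get("ParentImage", ""))
        if parent in SUSPICIOUS_PARENTS:
            suspicious.append((parent, image, ev.get("CommandLine", "")))
    return counts, suspicious


# Constructed sample telemetry (Sysmon Event ID 1-like fields, one event per line).
SAMPLE_LOG = r"""
Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL
Image=C:\Windows\System32\certutil.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=certutil -verify cert.cer
Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta
Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe notes.txt
Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=rundll32.exe user32.dll,LockWorkStation
Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|CommandLine=regsvr32.exe /s C:\Users\alice\AppData\Roaming\up.dll
""".splitlines()

if __name__ == "__main__":
    counts, flagged = analyze(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f"{name:16} {n}")
    for parent, child, cmd in flagged:
        print(f"SUSPICIOUS {parent} -> {child}: {cmd}")
```

The raw count by itself is the baseline the article talks about measuring: rundll32 and regsvr32 run constantly on a healthy fleet, so the signal is not "a LoLBin ran" but the parent/child pair and the argument pointing at a user-writable path, which is what the second return value isolates.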
