Daily NCSC-FI news followup 2019-11-20

A Notorious Iranian Hacking Crew Is Targeting Industrial Control Systems

www.wired.com/story/iran-apt33-industrial-control-systems/ The recent shift away from IT networks raises the possibility that Iran's APT33 is exploring physically disruptive cyberattacks on critical infrastructure.

Ransomware Gangs Adopt APT Tactics in Targeted Attacks

www.bleepingcomputer.com/news/security/ransomware-gangs-adopt-apt-tactics-in-targeted-attacks/ Ransomware operators are moving away from mass volume attacks and partnering with specialists who use APT techniques to provide stealthy infiltration and network-wide encryption capabilities. In a new report by cybersecurity and intelligence firm AdvIntel, we explore how ransomware operators are partnering with actors who utilize APT methods to gain access to networks and perform network-wide ransomware attacks or supply-chain attacks. AdvIntel report:

www.advanced-intel.com/post/digital-pharmacusa-supply-chain-attacks-for-ransomware-intrusions

Ransomware Surge & Living-Off-the-Land Tactics Remain Big Threats

www.darkreading.com/attacks-breaches/ransomware-surge-and-living-off-the-land-tactics-remain-big-threats/d/d-id/1336411 Group-IB's and Rapid7's separate analyses of attack activity in recent months show threat actors are making life harder for enterprise organizations in a variety of ways.

A malware spike caught our attention and helped find over 100,000 QSnatch-infected devices worldwide

www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/haittaohjelmapiikki-kiinnitti-huomiomme-auttoi-loytamaan-maailmalta-yli-100-000 How does a single Autoreporter observation lead to the trail of an internationally significant piece of malware? We have already described how QSnatch operates and how infected devices can be cleaned. Now we explain how we found it. QSnatch has attracted attention from Europe all the way to Asia. Worldwide, at least 100,000 malware infections have been detected.

This is how people's addresses and ages leaked from Gigantti's site; the register's administrator was fired

www.is.fi/digitoday/tietoturva/art-2000006315183.html In its press release, Gigantti says that the data of its loyalty programme was not compromised in the data leak detected over the weekend. Gigantti says that the searches made on the website targeted the contact and personal marketing register of its partner Bisnode, where the data protection problem occurred.

New Phoenix Keylogger tries to stop over 80 security products to avoid detection

www.zdnet.com/article/new-phoenix-keylogger-tries-to-stop-over-80-security-products-to-avoid-detection/#ftag=RSSbaffb68 A new keylogger called Phoenix that started selling on hacking forums over the summer has now been linked to more than 10,000 infections, researchers from Cybereason said today in a report. Cybereason report:

www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger

NSA Publishes Advisory Addressing Encrypted Traffic Inspection Risks

www.bleepingcomputer.com/news/security/nsa-publishes-advisory-addressing-encrypted-traffic-inspection-risks/ The National Security Agency (NSA) published an advisory that addresses the risks behind Transport Layer Security Inspection (TLSI) and provides mitigation measures for weakened security in organizations that use TLSI products. NSA advisory:

media.defense.gov/2019/Nov/18/2002212783/-1/-1/0/MANAGING%20RISK%20FROM%20TLS%20INSPECTION_20191106.PDF

D-Link Adds More Buggy Router Models to Won't Fix List

threatpost.com/d-link-wont-fix-router-bugs/150438/ D-Link has warned that more of its routers are vulnerable to critical flaws that allow remote hackers to take control of hardware and steal data. The routers won't be fixed, said D-Link, explaining that the hardware has reached its end-of-life and will no longer receive security updates. D-Link identified the additional affected models as: DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L and DIR-862.

Thousands of Enterprises At Risk Due to Oracle EBS Critical Flaws

www.bleepingcomputer.com/news/security/thousands-of-enterprises-at-risk-due-to-oracle-ebs-critical-flaws/ Two critical security vulnerabilities discovered in Oracle's E-Business Suite (EBS) could allow potential attackers to take full control over a company's entire enterprise resource planning (ERP) solution. Onapsis reported the issues to the Oracle Security Response Team in December 2018 and helped fix the vulnerabilities, with patches released as part of Oracle's April 2019 Critical Patch Update Advisory. At the moment, Onapsis' research team estimates that approximately 50% of all Oracle EBS customers have not yet deployed the patches.

Mac Backdoor Linked to Lazarus Targets Korean Users

blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users/ Criminal interest in MacOS continues to grow, with malware authors churning out more threats that target users of the popular OS. Case in point: A new variant of a Mac backdoor (detected by Trend Micro as Backdoor.MacOS.NUKESPED.A) attributed to the cybercriminal group Lazarus, which was observed targeting Korean users with a macro-embedded Microsoft Excel spreadsheet.

Bug bounties: Mozilla just doubled its payouts as it tries to attract software vulnerability hunters

www.zdnet.com/article/bug-bounties-mozilla-just-doubled-its-payouts-as-it-tries-to-attract-software-vulnerability-hunters/#ftag=RSSbaffb68 Mozilla has doubled the payout across its bug bounty program and added new sites and services to the list in an attempt to attract more attention from the bug-hunting community. The browser-maker said it has doubled all web payouts for critical, core and other Mozilla sites as part of its web and services bug bounty program page. Mozilla has also tripled payouts to $15,000 for remote code execution on critical sites and is adding new sites to the program.

Exploit kits: fall 2019 review

blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/ Despite a slim browser market share, Internet Explorer is still being exploited in fall 2019 in a number of drive-by download campaigns. Perhaps even more surprising, we're seeing new exploit kits emerge. Based on our telemetry, these drive-bys are happening worldwide (with the exception of a few that are geo-targeted) and are fueled by malvertising most often found on adult websites.

Attackers increasingly embrace small-scale DDoS attacks to evade detection

www.helpnetsecurity.com/2019/11/20/small-scale-ddos-attacks/ The growth in both large- and small-scale DDoS attacks continues its upward trajectory, according to a report released by Neustar. The report reveals that the total number of DDoS attacks was up 241% in the third quarter of 2019, compared to the same period last year. The report also confirmed the continued increase in small-scale attacks and the use of multiple threat vectors, as new vectors continue to expand the attack surface that organizations must defend.

New Roboto botnet emerges targeting Linux servers running Webmin

www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin/#ftag=RSSbaffb68 The botnet's main function is the ability to conduct DDoS attacks, a feature it has not used yet. The awaiting Roboto Botnet:

blog.netlab.360.com/the-awaiting-roboto-botnet-en/

How to Recover from a DDoS Attack

blog.radware.com/security/ddos/2019/11/how-to-recover-from-a-ddos-attack/ They say nothing lasts forever and neither do DDoS attacks. Recovering from a DDoS attack is no simple matter, but once an attack is over, it is time to assess the impact, evaluate your defenses, and better prepare for the next incident.

Active C2 Discovery Using Protocol Emulation Part1 (HYDSEVEN NetWire)

www.carbonblack.com/2019/11/20/active-c2-discovery-using-protocol-emulation-part1-hydseven-netwire/ Malware C2 addresses can be an important IOC to detect known threats. In order to obtain C2 information, we first need malware samples, which are then analyzed dynamically or statically. However, the analysis task is oftentimes not straightforward. Increasingly, anti-analysis methods are implemented in malware, or C2 information is extracted from secondary or tertiary websites. VMware Carbon Black Threat Analysis Unit (TAU) analyzed HYDSEVEN NetWire samples, then implemented a scanner to discover active C2 servers on the Internet by emulating the customized C2 protocol. In this blog post, the latest protocol and scanner implementation are detailed for researchers and practitioners.

Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020

securelist.com/advanced-threat-predictions-for-2020/95055/ Nothing is more difficult than making predictions. Rather than trying to gaze into a crystal ball, we will be making educated guesses based on what has happened during the last 12 months, to see where we can see trends that might be exploited in the near future. This is what we think might happen in the coming months, based on the knowledge of experts in this field and our observation of APT attacks, since APT threat actors have historically been the center of innovation.

Cryptominers, ransomware among top malware in IR engagements in Q4

blog.talosintelligence.com/2019/11/incident-response-malware-recap-q4-2019.html The discoveries outlined in this blog were observed during CTIR engagements between May and July, which corresponds to Cisco's fourth quarter in fiscal year 2019. These reports, which we intend to publish quarterly, are intended to provide executives and network defenders with regular updates and analysis on the threat landscape.

Why Organizations are Failing to Deal With Rising Bot Attacks

blog.radware.com/security/2019/11/why-organizations-are-failing-to-deal-with-rising-bot-attacks/ The need for bot management is fueled by the rise in automated attacks. In the early days, the use of bots was limited to small scraping attempts or spamming. Today, things are vastly different. Bots are being used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information and more.

Want to build a successful SOC? Here's what you need to know

www.helpnetsecurity.com/2019/11/19/successful-soc/ There is no arguing the fact that networks are continually growing in complexity and the cyberattack surface is constantly expanding. A critical step in building a stronger security posture and a more robust data protection strategy is a 24x7 facility whose mission is to monitor, detect, investigate and resolve active threats. When the inevitable attack happens, timely identification, reaction and collaboration are everything, and a business with a successful SOC will be far quicker and more coordinated in its response than one without.

1.19 billion confidential medical images available on the internet

www.helpnetsecurity.com/2019/11/20/confidential-medical-images/ 1.19 billion confidential medical images are now freely available on the internet, according to Greenbone's research into the security of Picture Archiving and Communication Systems (PACS) servers used by health providers across the world to store images of X-rays as well as CT, MRI and other medical scans. Greenbone report:

www.greenbone.net/wp-content/uploads/Greenbone_Security_Report_Unprotected_Patient_Data_a_Review.pdf

High-Severity Windows UAC Flaw Enables Privilege Escalation

threatpost.com/windows-uac-flaw-privilege-escalation/150463/ Researchers disclosed details of a high-severity Microsoft Windows vulnerability that could give attackers elevated privileges, ultimately allowing them to install programs and view, change or delete data. This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows, researchers with Zero Day Initiative (ZDI) said in a detailed analysis of the vulnerability published on Tuesday. An attacker must first obtain the ability to access an interactive desktop as a low-privileged user on the target system in order to exploit this vulnerability. ZDI analysis:

www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege

Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin

www.bleepingcomputer.com/news/security/millions-of-sites-exposed-by-flaw-in-jetpack-wordpress-plugin/ Admins and owners of WordPress websites are urged to immediately apply the Jetpack 7.9.1 critical security update to prevent potential attacks that could abuse a vulnerability that has existed since Jetpack 5.1. Jetpack is an extremely popular WordPress plugin that provides free security, performance, and site management features including site backups, secure logins, malware scanning, and brute-force attack protection. The plugin has over 5 million active installations, and it was developed and is currently maintained by Automattic, the company behind WordPress.
