Daily NCSC-FI news followup 2019-11-26

The RIPE NCC has run out of IPv4 Addresses

www.ripe.net/publications/news/about-ripe-ncc-and-ripe/the-ripe-ncc-has-run-out-of-ipv4-addresses Today, at 15:35 (UTC+1) on 25 November 2019, we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now run out of IPv4 addresses.

Stantinko botnet adds cryptomining to its pool of criminal activities

www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/ The operators of the Stantinko botnet have expanded their toolset with a new means of profiting from the computers under their control. The roughly half-million-strong botnet known to have been active since at least 2012 and mainly targeting users in Russia, Ukraine, Belarus and Kazakhstan now distributes a cryptomining module.

NYPD Fingerprint Database Taken Offline to Thwart Ransomware

threatpost.com/nypd-fingerprint-database-ransomware/150592/ The New York Police Department's database of fingerprints was knocked offline over the weekend thanks to a ransomware scare, according to reports.

Exploit kits: fall 2019 review

blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/ Despite a slim browser market share, Internet Explorer is still being exploited in fall 2019 in a number of drive-by download campaigns. Perhaps even more surprising, we're seeing new exploit kits emerge.

A hacking group is hijacking Docker systems with exposed API endpoints

www.zdnet.com/article/a-hacking-group-is-hijacking-docker-systems-with-exposed-api-endpoints/ A hacking group is currently mass-scanning the internet looking for Docker platforms that have API endpoints exposed online. The purpose of these scans is to allow the hacker group to send commands to the Docker instance and deploy a cryptocurrency miner on a company’s Docker instances, to generate funds for the group’s own profits.

Some Fortinet products shipped with hardcoded encryption keys

www.zdnet.com/article/some-fortinet-products-shipped-with-hardcoded-encryption-keys/#ftag=RSSbaffb68 Fortinet, a vendor of cyber-security products, took between 10 and 18 months to remove a hardcoded encryption key from three products that were exposing customer data to passive interception. See also:

www.bleepingcomputer.com/news/security/fortiguard-used-hardcoded-key-xor-to-encrypt-communications/

fortiguard.com/psirt/FG-IR-18-100

HPE issues firmware fix to stop SSD failure

blocksandfiles.com/2019/11/25/hpe-issues-firmware-fix-to-to-stop-ssd-failure/ The HPE customer bulletin, dated 19 November, says SSD Firmware Version HPD8 is a critical fix. If it is not applied the drive will fail at 32,768 hours operating time, meaning 3 years, 270 days 8 hours, and data on the drive will be lost.

Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains

krebsonsecurity.com/2019/11/sale-of-4-million-stolen-cards-tied-to-breaches-at-4-restaurant-chains/ On Nov. 23, one of the cybercrime underground's largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the midwest and eastern United States.

Malicious Android SDKs Caught Accessing Facebook and Twitter Users' Data

thehackernews.com/2019/11/sdk-twitter-facebook-android.html Two third-party software development kits integrated by hundreds of thousands of Android apps have been caught holding unauthorized access to users’ data associated with their connected social media accounts. See also: help.twitter.com/en/sdk-issue

Microsoft says new Dexphot malware infected more than 80,000 computers

www.zdnet.com/article/microsoft-says-new-dexphot-malware-infected-more-than-80000-computers/ Microsoft security engineers detailed today a new malware strain that has been infecting Windows computers since October 2018 to hijack their resources to mine cryptocurrency and generate revenue for the attackers.

New DeathRansom Ransomware Begins to Make a Name for Itself

www.bleepingcomputer.com/news/security/new-deathransom-ransomware-begins-to-make-a-name-for-itself/ A new ransomware called DeathRansom began with a rocky start, but has now resolved its issues and has begun to infect victims and encrypt their data. When DeathRansom was first being distributed, it pretended to encrypt files, but researchers and users found that they could just remove the appended .wctc extension and the files would become usable again. Starting around November 20th, though, something changed.

Detecting a MuddyWater APT using the RSA NetWitness Platform

community.rsa.com/community/products/netwitness/blog/2019/11/21/detecting-a-muddywater-apt-using-the-rsa-netwitness-platform MuddyWater is a state-sponsored threat group suspected to be linked to Iran. The group relied on spear phishing emails with macro-infected Word documents in the past and has recently been using similar techniques with Excel documents in a new wave of attacks during October-November 2019.

Server-Side Request Forgery Exposes Data of Technology, Industrial and Media Organizations

unit42.paloaltonetworks.com/server-side-request-forgery-exposes-data-of-technology-industrial-and-media-organizations/ Server-Side Request Forgery (SSRF) is a web application vulnerability that redirects the attacker's requests to the internal network or localhost behind the firewall. SSRF poses a particular threat to cloud services due to the use of the metadata API that allows applications to access the underlying cloud infrastructure's information such as configurations, logs, and credentials. Unit 42 researchers took a closer look at the Jira SSRF vulnerability (CVE-2019-8451) and studied its impact on six public cloud service providers (CSPs). This is the same type of vulnerability that led to the Capital One data breach in July 2019.
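The usual mitigation for the metadata-API exposure described above is to validate every server-side fetch destination before connecting, rejecting loopback, private and link-local targets (the 169.254.0.0/16 block carries the metadata endpoint on several CSPs). The following is an added illustration, not code from the Unit 42 write-up or from Jira; the hostnames and addresses in its resolver table are constructed so the check runs offline.

```python
"""Outbound-URL guard against SSRF towards internal hosts and cloud metadata endpoints.

Added illustrative code (not from Unit 42 or Atlassian). The resolver is injectable so the
check can be exercised offline; in production the default system resolver is used.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher should never be steered to. 169.254.0.0/16 is the link-local
# block that carries the 169.254.169.254 metadata endpoint used by several cloud providers.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}


def _is_blocked(addr):
    """True if addr falls in a blocked range; IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped
    first so it cannot be used to slip an IPv4 target past the IPv4 rules."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def system_resolve(hostname):
    """Resolve a hostname to every A/AAAA answer via the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]


def check_outbound_url(url, resolve=system_resolve):
    """Return (allowed, reason).

    Rejects non-http(s) schemes, host-less URLs, IP literals inside a blocked range, and
    hostnames that either fail to resolve (fail closed) or resolve to ANY blocked address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname          # lower-cased; IPv6 literals come back without brackets
    if not host:
        return False, "no host in URL"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None             # not a dotted/colon literal; treat as a hostname
    if literal is not None:
        if _is_blocked(literal):
            return False, f"IP literal in blocked range: {literal}"
        return True, "IP literal outside blocked ranges"
    try:
        answers = resolve(host)
    except (socket.gaierror, KeyError):
        return False, f"hostname does not resolve: {host}"
    if not answers:
        return False, f"hostname has no addresses: {host}"
    for a in answers:
        addr = ipaddress.ip_address(a)
        if _is_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, f"{host} resolves only to non-blocked addresses"


# Constructed resolver table for the offline demonstration (not real DNS data; the public
# addresses are from the RFC 5737 documentation ranges).
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "metadata.example": ["169.254.169.254"],
    "intranet.example": ["10.20.30.40"],
    "public.example": ["203.0.113.10"],
    "mixed.example": ["198.51.100.7", "169.254.169.254"],  # one bad answer is enough to block
}


def demo_check(url):
    """check_outbound_url wired to the constructed resolver table."""
    return check_outbound_url(url, resolve=lambda h: FAKE_DNS[h])


if __name__ == "__main__":
    for u in ("https://public.example/api", "http://metadata.example/", "http://[::ffff:169.254.169.254]/",
              "http://mixed.example/", "file:///tmp/data", "http://2130706433/"):
        print(u, "->", demo_check(u))
```

Two caveats a reviewer would raise: the hostname branch resolves once and the HTTP client then resolves again when it connects, so a rebinding DNS record can pass the check and still reach an internal address; the robust form pins the validated address into the connection (or validates inside the client's connect hook). And the decimal literal `http://2130706433/` is only rejected here because it is absent from the resolver table; a real resolver may accept such forms, which is why a fail-closed allowlist of expected destinations is preferable to a blocklist alone.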
