Daily NCSC-FI news followup 2019-11-26

The RIPE NCC has run out of IPv4 Addresses

www.ripe.net/publications/news/about-ripe-ncc-and-ripe/the-ripe-ncc-has-run-out-of-ipv4-addresses Today, at 15:35 (UTC+1) on 25 November 2019, we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now run out of IPv4 addresses.

Stantinko botnet adds cryptomining to its pool of criminal activities

www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/ The operators of the Stantinko botnet have expanded their toolset with a new means of profiting from the computers under their control. The roughly half-million-strong botnet known to have been active since at least 2012 and mainly targeting users in Russia, Ukraine, Belarus and Kazakhstan now distributes a cryptomining module.

NYPD Fingerprint Database Taken Offline to Thwart Ransomware

threatpost.com/nypd-fingerprint-database-ransomware/150592/ The New York Police Department's database of fingerprints was knocked offline over the weekend thanks to a ransomware scare, according to reports.

Exploit kits: fall 2019 review

blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/ Despite a slim browser market share, Internet Explorer is still being exploited in fall 2019 in a number of drive-by download campaigns. Perhaps even more surprising, we're seeing new exploit kits emerge.

A hacking group is hijacking Docker systems with exposed API endpoints

www.zdnet.com/article/a-hacking-group-is-hijacking-docker-systems-with-exposed-api-endpoints/ A hacking group is currently mass-scanning the internet looking for Docker platforms that have API endpoints exposed online. The purpose of these scans is to allow the hacker group to send commands to the Docker instance and deploy a cryptocurrency miner on a company's Docker instances, to generate funds for the group's own profits.
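The exposure described above comes down to one daemon setting: the Docker API listening on a TCP socket without client certificate verification. The following audit helper is an added example written for this digest, not Docker's tooling or code from the article; the three daemon.json documents it checks are constructed samples, and the function name is hypothetical. It uses the real daemon.json keys `hosts`, `tls` and `tlsverify`.

```python
"""Audit a Docker daemon.json for an API listener reachable over plain TCP.

Hypothetical helper written for this digest; it is not Docker's own tooling.
"""
import json
from urllib.parse import urlsplit

# Constructed sample configurations (not taken from any real host):
#   exposed: API on every interface, no TLS at all -> anyone who can reach
#            port 2375 can run containers as root on the host
#   encrypted: TLS on, but without tlsverify clients are not authenticated
#   mtls:    TLS with client certificate verification enforced
#   local:   Unix socket only, no network listener
SAMPLE_CONFIGS = {
    "exposed": '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}',
    "encrypted": '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true, '
                 '"tlscert": "/etc/docker/server-cert.pem", '
                 '"tlskey": "/etc/docker/server-key.pem"}',
    "mtls": '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
            '"tlscacert": "/etc/docker/ca.pem", '
            '"tlscert": "/etc/docker/server-cert.pem", '
            '"tlskey": "/etc/docker/server-key.pem"}',
    "local": '{"hosts": ["unix:///var/run/docker.sock"]}',
}


def audit_daemon_config(config_text):
    """Return a list of (severity, message) findings for one daemon.json.

    An empty list means the daemon exposes no TCP listener at all.
    """
    cfg = json.loads(config_text)
    tls_verify = bool(cfg.get("tlsverify", False))
    tls_only = bool(cfg.get("tls", False)) and not tls_verify
    findings = []
    for listener in cfg.get("hosts", []):
        parts = urlsplit(listener)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not network-reachable
        bind = parts.hostname or ""
        all_interfaces = bind in ("", "0.0.0.0", "::")
        if tls_verify:
            findings.append(("info", f"{listener}: TCP API with client "
                                     "certificate verification (tlsverify)"))
        elif tls_only:
            findings.append(("high", f"{listener}: TLS without tlsverify, "
                                     "any client can connect unauthenticated"))
        else:
            findings.append(("critical", f"{listener}: plaintext Docker API, "
                                         "unauthenticated remote control"))
        if all_interfaces and not tls_verify:
            findings.append(("high", f"{listener}: bound to all interfaces"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its most severe level (or 'none')."""
    order = ["none", "info", "high", "critical"]
    return max((sev for sev, _ in findings), key=order.index, default="none")


if __name__ == "__main__":
    for name, text in SAMPLE_CONFIGS.items():
        result = audit_daemon_config(text)
        print(f"{name}: {worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Running the check across a fleet catches the daemon.json case; a daemon started with `-H tcp://...` on the command line or via a systemd drop-in has the same exposure, so the same logic should be applied to those sources too.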

Some Fortinet products shipped with hardcoded encryption keys

www.zdnet.com/article/some-fortinet-products-shipped-with-hardcoded-encryption-keys/#ftag=RSSbaffb68 Fortinet, a vendor of cyber-security products, took between 10 and 18 months to remove a hardcoded encryption key from three products that were exposing customer data to passive interception. See also:



HPE issues firmware fix to stop SSD failure

blocksandfiles.com/2019/11/25/hpe-issues-firmware-fix-to-to-stop-ssd-failure/ The HPE customer bulletin, dated 19 November, says SSD Firmware Version HPD8 is a critical fix. If it is not applied the drive will fail at 32,768 hours operating time, meaning 3 years, 270 days 8 hours, and data on the drive will be lost.

Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains

krebsonsecurity.com/2019/11/sale-of-4-million-stolen-cards-tied-to-breaches-at-4-restaurant-chains/ On Nov. 23, one of the cybercrime underground's largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the midwest and eastern United States.

Malicious Android SDKs Caught Accessing Facebook and Twitter Users' Data

thehackernews.com/2019/11/sdk-twitter-facebook-android.html Two third-party software development kits integrated by hundreds of thousands of Android apps have been caught holding unauthorized access to users' data associated with their connected social media accounts. See also: help.twitter.com/en/sdk-issue

Microsoft says new Dexphot malware infected more than 80,000 computers

www.zdnet.com/article/microsoft-says-new-dexphot-malware-infected-more-than-80000-computers/ Microsoft security engineers detailed today a new malware strain that has been infecting Windows computers since October 2018 to hijack their resources to mine cryptocurrency and generate revenue for the attackers.

New DeathRansom Ransomware Begins to Make a Name for Itself

www.bleepingcomputer.com/news/security/new-deathransom-ransomware-begins-to-make-a-name-for-itself/ A new ransomware called DeathRansom began with a rocky start, but has now resolved its issues and has begun to infect victims and encrypt their data. When DeathRansom was first being distributed, it pretended to encrypt files, but researchers and users found that they could just remove the appended .wctc extension and the files would become usable again. Starting around November 20th, though, something changed.

Detecting a MuddyWater APT using the RSA NetWitness Platform

community.rsa.com/community/products/netwitness/blog/2019/11/21/detecting-a-muddywater-apt-using-the-rsa-netwitness-platform MuddyWater is a state-sponsored threat group suspected to be linked to Iran. The group relied on spear-phishing emails with macro-infected Word documents in the past and has recently been using similar techniques with Excel documents in a new wave of attacks during October-November 2019.

Server-Side Request Forgery Exposes Data of Technology, Industrial and Media Organizations

unit42.paloaltonetworks.com/server-side-request-forgery-exposes-data-of-technology-industrial-and-media-organizations/ Server-Side Request Forgery (SSRF) is a web application vulnerability that redirects the attacker's requests to the internal network or localhost behind the firewall. SSRF poses a particular threat to cloud services due to the use of the metadata API that allows applications to access the underlying cloud infrastructure's information such as configurations, logs, and credentials. Unit 42 researchers took a closer look at the Jira SSRF vulnerability (CVE-2019-8451) and studied its impact on six public cloud service providers (CSPs). This is the same type of vulnerability that led to the Capital One data breach in July 2019.
