Daily NCSC-FI news followup 2019-12-05

How Internet resources worth R800 million were stolen and sold on the black market

mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html The theft and sale of large swaths of valuable African Internet resources was an inside job, Internet investigator Ron Guilmette has concluded after five months of detective work. Documents obtained from industry sources and public records in Uganda show that at least one insider at AFRINIC is also a shareholder of a company that received money for selling IP addresses. That insider is Ernest M. Byaruhanga, Guilmette said. Byaruhanga was the second employee to be hired at AFRINIC in 2014, after former CEO Adiel Akplogan. AFRINIC has confirmed that it is conducting an internal investigation regarding the allegations that its databases were tampered with and that IP address blocks were stolen.

yle.fi/uutiset/3-11104203 Restructuring of operations to bring savings of over five million euros. When the cooperation negotiations began, it was stated that the cuts would not affect research and product development staff, cyber security consultants, or the consumer security business unit. CEO Samu Konttinen said in October that F-Secure is transforming from a company focused on endpoint security into a cyber security actor.

ACSC Releases Fundamentals of Cross Domain Solutions

www.us-cert.gov/ncas/current-activity/2019/12/05/acsc-releases-fundamentals-cross-domain-solutions The Australian Cyber Security Centre (ACSC) has released a cybersecurity guide outlining the fundamentals of cross domain solution (CDS) technologies. This guidance provides cross domain security principles to enable organizations to share information securely across separated networks. The Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations with information sharing requirements to review ACSC’s Fundamentals of Cross Domain Solutions to learn how to plan, analyze, design, and implement CDS systems. Read also:

www.cyber.gov.au/publications/fundamentals-of-cross-domain-solutions

Microsoft Releases Security Advisory for Windows Hello for Business

www.us-cert.gov/ncas/current-activity/2019/12/05/microsoft-releases-security-advisory-windows-hello-business Microsoft has released a Security Advisory to address an issue in Windows Hello for Business (WHfB). An attacker could exploit this issue on devices that were affected by CVE-2017-15361, also known as Return of Coppersmith’s Attack (ROCA), to take control of an affected system. Read also:

portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190026 and

portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012


NCSC-NZ Releases Cyber Governance Resource for Leaders

www.us-cert.gov/ncas/current-activity/2019/12/05/ncsc-nz-releases-cyber-governance-resource-leaders The New Zealand National Cyber Security Centre (NCSC-NZ) has released an article on a new cybersecurity governance resource to support public and private sector leaders in making decisions about their cybersecurity resilience and risk. NCSC-NZ developed this governance resource, a series of documents with practical advice and simple steps, following a cybersecurity resilience assessment of New Zealand’s nationally significant organizations. Read also:

www.ncsc.govt.nz/newsroom/gcsb-encourages-leaders-to-connect-with-cyber-security-governance/,

www.ncsc.govt.nz/guidance/charting-your-course-cyber-security-governance/ and

www.ncsc.govt.nz/assets/NCSC-Documents/NCSC-Cyber-Security-Resilience-Assessment.pdf

Alert (AA19-339A) – Dridex Malware

www.us-cert.gov/ncas/alerts/aa19-339a The Dridex malware, and its various iterations, has the capability to impact confidentiality of customer data and availability of data and systems for business processes. According to industry reporting, the original version of Dridex first appeared in 2012, and by 2015 had become one of the most prevalent financial Trojans. We expect actors using Dridex malware and its derivatives to continue

Severe Auth Bypass and Priv-Esc Vulnerabilities Disclosed in OpenBSD

thehackernews.com/2019/12/openbsd-authentication-vulnerability.html OpenBSD, an open-source operating system built with security in mind, has been found vulnerable to four new high-severity security vulnerabilities, one of which is an old-school type authentication bypass vulnerability in the BSD Auth framework. The other three vulnerabilities are privilege escalation issues that could allow local users or malicious software to gain the privileges of the auth group, root, and other users, respectively. The vulnerabilities were discovered and reported by Qualys Research Labs earlier this week, in response to which OpenBSD developers released security patches for OpenBSD 6.5 and OpenBSD 6.6 just yesterday, that is, in less than 40 hours. See also:

threatpost.com/openbsd-authentication-lpe-bugs/150849/ and

www.zdnet.com/article/openbsd-patches-severe-authentication-bypass-privilege-escalation-vulnerabilities/

ZeroCleare: New Iranian Data Wiper Malware Targeting Energy Sector

thehackernews.com/2019/12/zerocleare-data-wiper-malware.html Cybersecurity researchers have uncovered a new, previously undiscovered destructive data-wiping malware that is being used by state-sponsored hackers in the wild to target energy and industrial organizations in the Middle East. Read also:

www.tivi.fi/uutiset/tv/1d24c65e-f79e-4548-a865-5bc5fb09a049,

www.theregister.co.uk/2019/12/05/iran_zerocleare_attack/ and

www.bleepingcomputer.com/news/security/new-iranian-zerocleare-data-wiper-malware-used-in-targeted-attacks/

Ransomware Attack Hits Data Center Provider CyrusOne: Report

threatpost.com/ransomware-data-center-cyrusone/150873/ Security experts say the incident shows that cybercriminals are using ransomware to hit companies where it hurts. U.S. data center provider CyrusOne has been hit by a ransomware attack, which has impacted six of its managed services customers, a report has found. CyrusOne, which is based in Texas and is one of the biggest data center providers in the U.S., serves more than 185 of Fortune 1000 customers worldwide. The ransomware attack, first reported Thursday by ZDNet, took place Wednesday and created availability issues for six of CyrusOne’s managed services customers that are located in its New York data center, including financial and brokerage company . Read also:

www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/

AT&T, Verizon Subscribers Exposed as Mobile Bills Turn Up on the Open Web

threatpost.com/att-verizon-subscribers-exposed-mobile-bills/150867/ Names, addresses, phone numbers, call and text message records and account PINs were all caught up in a cloud misconfiguration. Hundreds of thousands of mobile phone bills for AT&T, Verizon and T-Mobile subscribers have been laid open to anyone with an internet connection, thanks to the oversight of a contractor working with Sprint. According to a media investigation, the contractor misconfigured a cloud storage bucket on Amazon Web Services (AWS), in which more than 261,300 documents were stored, mainly cell phone bills from Sprint customers who switched from other carriers.

Feds Offer $5M Reward to Nab ‘Evil Corp’ Dridex Hacker

threatpost.com/feds-5m-reward-evil-corp-dridex-hacker/150858/ Authorities cracked down on cybercrime group Evil Corp. with sanctions and charges against its leader, known for his lavish lifestyle. U.S. authorities are offering up $5 million for information leading to the arrest of Evil Corp. leader Maksim V. Yakubets, 32, of Russia, who goes under the moniker “aqua.” The U.S. alleges that Yakubets and his company have stolen millions of dollars from victims using the Dridex banking trojan and Zeus malware. Read also:

home.treasury.gov/news/press-releases/sm845,

www.wired.com/story/alleged-russian-hacker-evil-corp-indicted/ and

www.bleepingcomputer.com/news/security/evil-corp-hackers-charged-for-stealing-over-100-million/

HackerOne Breach Leads to $20,000 Bounty Reward

threatpost.com/hackerone-breach-20000-bounty-reward/150846/ HackerOne has paid out $20,000 to a bounty hunter who discovered a session cookie issue, due to “human error,” on the bug bounty platform. HackerOne has paid out $20,000 after a high-severity vulnerability was discovered in the bug-bounty platform. The flaw allowed an outside bounty hunter to access customers’ reports and other sensitive information.

‘Ultimate’ MiTM Attack Steals $1M from Israeli Startup

threatpost.com/ultimate-mitm-attack-steals-1m-from-israeli-startup/150840/ Researchers uncover an “ultimate man-in-the-middle attack” that used an elaborate spoofing campaign to fool a Chinese VC firm and rip off an emerging business. Hackers pulled off an elaborate man-in-the-middle campaign to rip off an Israeli startup by intercepting a wire transfer from a Chinese venture-capital firm intended for the new business. New research by Check Point Software details how the security vendor uncovered the wire-transfer heist, in which an attacker used unique tactics, including communicating through email and even canceling a critical in-person meeting, to fool both parties on either end of the transfer, researchers said.

Nebraska Medicine Breached By Rogue Employee

threatpost.com/nebraska-medicine-breached-rogue-employee/150823/ Nebraska Medicine is warning that a rogue, former employee accessed patients’ medical records, Social Security numbers and more.

Facebook sues Chinese malware operator for abusing its ad platform

www.zdnet.com/article/facebook-sues-chinese-malware-operator-for-abusing-its-ad-platform/ Facebook sues ILikeAd and two Chinese nationals for using Facebook ads to trick users into downloading malware. Facebook said today that ILikeAd used Facebook ads to lure victims into downloading and installing malware. Once installed, the malware would compromise victims’ Facebook accounts and use access to these accounts to place new ads, on behalf of the infected users.

44 million Microsoft users reused passwords in the first three months of 2019

www.zdnet.com/article/44-million-microsoft-users-reused-passwords-in-the-first-three-months-of-2019/ The Microsoft threat research team scanned all Microsoft user accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services. Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases.

Scam spreading via a popular gaming service: watch for the warning in your web browser

www.is.fi/digitoday/tietoturva/art-2000006331374.html Video gamers are once again in scammers’ sights, Bleeping Computer and SCMagazineUK report. Security researcher nullcookies warned on Twitter about a website advertising free skins for the hugely popular multiplayer game Counter-Strike: Global Offensive (CSGO). Read also:

www.bleepingcomputer.com/news/security/fake-steam-skin-giveaway-site-steals-your-login-credentials/

Ubuntu Linux Gets Intel Microcode Update to Fix CPU Hangs

www.bleepingcomputer.com/news/linux/ubuntu-linux-gets-intel-microcode-update-to-fix-cpu-hangs/ Canonical has released a new Linux Intel microcode update for Ubuntu that fixes an issue causing Intel Skylake CPUs to hang after a warm reboot.

How to fool infosec wonks into pinning a cyber attack on China, Russia, Iran, whomever

www.theregister.co.uk/2019/12/05/fooling_attribution_breadcrumbs/ Black Hat Europe: Faking digital evidence during a cyber attack (planting a false flag) is simple if you know how, as noted infosec veteran Jake Williams told London’s Black Hat Europe conference. Speaking to a packed room, Williams informed his rapt audience that it’s straightforward to misdirect investigators trying to attribute a cyber attack to a particular location or nation state. Rather than telling the world how to do bad things, however, the point of his talk, which he made with some force at the outset, was to inform investigators and defenders alike that common attribution go-tos can be manipulated to deceive. It’s no good confidently telling people that X was a Chinese hack if crafty black hats from elsewhere are leaving a false trail intended to trick you into saying

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/ Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM’s Aspera software. The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server with a common SSL certificate for its Confluence cloud service, to enable the Atlassian Companion app to edit files in a preferred local application and save the files back to Confluence.

Lazarus group goes back to the Apple orchard with new macOS trojan

www.theregister.co.uk/2019/12/05/lazarus_group_macos_malware/ Dinesh_Devadoss, a threat analyst with anti-malware merchant K7 Computing, took credit for the discovery and reporting of what is believed to be the Lazarus group’s first piece of in-memory malware on the Apple operating system. In-memory infections, also known as fileless malware, operate entirely within the host machine’s volatile RAM. This allows the software nasty to avoid setting off any antivirus systems that monitor files in storage or otherwise don’t regularly scan all of system memory for threats. The malware sample found by Dinesh_Devadoss was dissected this week by Mac security guru Patrick Wardle, who says that the attack is a new spin on the classic Lazarus group tactic for slipping its malware onto the machines of unsuspecting users; by not installing any files during the secondary stage of the attack where the actual malicious activity occurs.

New Linux Vulnerability Lets Attackers Hijack VPN Connections

www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/

AT&T subscribers back in court to crack open telco giant’s $60m FTC settlement over limited ‘unlimited data’ plans

www.theregister.co.uk/2019/12/04/att_fine_lawsuit/ Last month, the FTC finally reached an agreement with AT&T following a five-year legal battle in which the telco goliath argued – successfully at one point – that the government regulator had no authority over it. The $60m figure the FTC decided on was a little lower than the $100m fine its sister regulator the FCC had levied against AT&T for screwing over people with “unlimited” data plans.

The Future of Texting Is Far Too Easy to Hack

www.wired.com/story/rcs-texting-security/ Ask practically any phone carrier, and they’ll tell you that the future of smartphone features, from texting to video calls, is a protocol called Rich Communication Services. Think of RCS as the successor to SMS, an answer to iMessage that can also handle phone and video calls. Last month, Google announced it would begin rolling RCS out to its Messages app in all US Android phones. It’s easy to imagine a near future where RCS is the default for a billion people or more. But when security researchers looked under the hood, they found that the way carriers and Google have implemented the protocol creates a basket of worrisome vulnerabilities.

Finnish Security Intelligence Service: Foreign spies increasingly interested in Finland’s critical infrastructure

yle.fi/uutiset/3-11104959 Foreign intelligence actors’ interest in Finland’s critical infrastructure has increased in recent years, according to the national security review published on Thursday by the Finnish Security Intelligence Service (Supo). Intelligence actors are also increasingly interested in investments directed at other strategic sectors, Supo says. According to the review, in addition to human intelligence, Finland is continuously targeted by cyber operations whose aim is espionage, mapping of the technical environment, or influence. The review:

www.supo.fi/instancedata/prime_product_julkaisu/intermin/embeds/supowwwstructure/78653_20191205_Supo_kansallinen_turvallisuus_web.pdf. Read also:

www.tivi.fi/uutiset/tv/42bcfef8-27f8-485f-abd0-3df86aaf1fbe

Over 1 billion people’s data leaked in an unsecured server

www.pandasecurity.com/mediacenter/news/billion-consumers-data-breach-elasticsearch/ The dangers inherent to data enrichment were put in the spotlight in the middle of October when it was discovered that the personal data of 1.2 billion people had been exposed online. Bob Diachenko and Vinny Troia discovered an Elasticsearch server containing around 4 billion user accounts, around 4TB of data in total, in four datasets. This data is believed to belong to two data enrichment companies. Three of the datasets were tagged with the name of a company of this kind called “People Data Labs”, while the third set is tagged “EXY”, which the security researchers believe could be Oxydata, another data enrichment firm.
