Daily NCSC-FI news followup 2019-12-06

If there’s somethin’ stored in a secure enclave, who ya gonna call? Membuster!

www.theregister.co.uk/2019/12/05/membuster_secure_enclave/ Computer scientists from UC Berkeley, Texas A&M, and semiconductor biz SK Hynix have found a way to defeat secure enclave protections by observing memory requests from a CPU to off-chip DRAM through the memory bus. Read also: arxiv.org/pdf/1912.01701.pdf

VCs find exciting new way to blow $1m: Wire it directly to hackers after getting spoofed

www.theregister.co.uk/2019/12/05/vcs_tricked_mitm/ A group of hackers used a compromised email account to steal a start-up’s $1m venture capital payment. The incident response team at security house Check Point says it was called in to investigate the case of money that a Chinese VC firm had reported missing after it was supposedly sent to a startup in Israel. It was believed that the attack was down to a compromised email account that had been used to re-route the payment to an account controlled by the attacker, a rather cut-and-dry business email compromise (BEC) operation.

Tricky VPN-busting bug lurks in iOS, Android, Linux distros, macOS, FreeBSD, OpenBSD, say university eggheads

www.theregister.co.uk/2019/12/06/vpnbusting_bug_spotted/ A bug in the way Unix-flavored systems handle TCP connections could put VPN users at risk of having their encrypted traffic hijacked, it is claimed. The University of New Mexico team of William Tolley, Beau Kujath, and Jedidiah Crandall this week said they’ve discovered CVE-2019-14899, a security weakness they report to be present in “most” Linux distros, along with Android, iOS, macOS, FreeBSD, and OpenBSD. The upshot is, if exploited, encrypted VPN traffic can be potentially hijacked and disrupted by miscreants on the network. To pull off the attack, the US-based posse says, a hacker would need to be “network adjacent” to their target, or control an access point on the victim’s local network. Once the victim connected to their VPN, the spy would be able to, for one thing, tamper with the TCP stream to do things like inject packets into the stream. This could be potentially used, we imagine, to force malicious JavaScript into webpages being visited via the VPN, for example. Read also:


Get yourself a USB condom

www.zdnet.com/article/get-yourself-a-usb-condom/ Sometimes simple is best. And security doesn’t come much easier than the Original USB Condom.

FBI recommends that you keep your IoT devices on a separate network

www.zdnet.com/article/fbi-recommends-that-you-keep-your-iot-devices-on-a-separate-network/ The FBI also recommends changing factory-set (default) passwords and not allowing an IoT device’s accompanying mobile app to gain access to too many smartphone permissions. The FBI says owners of IoT (Internet of Things) devices should isolate this equipment on a separate WiFi network, different from the one they’re using for their primary devices, such as laptops, desktops, or smartphones. Read also:


Labor’s plan to fix Australia’s encryption laws doesn’t go far enough

www.zdnet.com/article/labors-plan-to-fix-australias-encryption-laws-doesnt-go-far-enough/ The new Bill to require judicial oversight and a clarification of definitions is a great start, Labor says, but the Assistance and Access regime needs reining in much more tightly.

The most copied StackOverflow Java code snippet contains a bug

www.zdnet.com/article/the-most-copied-stackoverflow-java-code-snippet-contains-a-bug/ The most copied StackOverflow Java code snippet of all time contains a bug. The admission comes from the author of the snippet itself, Andreas Lundblad, a Java developer at Palantir, and one of the highest-ranked contributors to StackOverflow, a Q&A website for programming-related topics. Academics found that this code had been copied and embedded in more than 6, 000 GitHub Java projects, more than any other StackOverflow Java snippet.

The “Great Cannon” has been deployed again

cybersecurity.att.com/blogs/labs-research/the-great-cannon-has-been-deployed-again The Great Cannon is a distributed denial of service tool (“DDoS”) that operates by injecting malicious Javascript into pages served from behind the Great Firewall. These scripts, potentially served to millions of users across the internet, hijack the users’ connections to make multiple requests against the targeted site. These requests consume all the resources of the targeted site, making it . The Great Cannon was the subject of intense research after it was used to disrupt access to the website Github.com in 2015. Little has been seen of the Great Cannon since 2015. However, we’ve recently observed new attacks, which are detailed below.

Most of the largest US voting districts are vulnerable to email spoofing

techcrunch.com/2019/12/05/major-voting-districts-vulnerable-email-security/ Only 5% of the largest voting counties in the U.S. are protected against email impersonation and phishing attacks, seen as a key attack method by hackers who officials say want to disrupt the upcoming presidential election.

Phishing with a self-contained credentials-stealing webpage

isc.sans.edu/diary/rss/25580 Phishing e-mails which are used to steal credentials usually depend on user clicking a link which leads to a phishing website that looks like login page for some valid service. Not all credentials-stealing has to be done using a remote website, however.

Some Hardware-based Password Managers Have Poor Security

www.bleepingcomputer.com/news/security/some-hardware-based-password-managers-have-poor-security/ Some hardware-based password managers lack proper protections for the sensitive data they store and allow reading it in plain text, even after they’ve been reset. The information was retrieved through physical access to the electronic board inside the device and connecting directly to the flash chips used for storage.

Näin toimii dnssec “lisää tietoturvaa kuten esimerkiksi ssl”

www.tivi.fi/uutiset/tv/c116bc6a-a238-4ee8-a24a-200e1de66a48 Internetin nimipalvelulla (dns) on tärkeä tehtävä muuntaa koneiden verkko-osoitteita numeerisiksi tcp/ip-osoitteiksi ja päinvastoin. Se on kuin netin hajautettu puhelinluettelo koneille. Dns-osoitteiston puurakenteen solmuja kutsutaan domaineiksi. Juurisolmun alla ovat esimerkiksi.edu, .org, .com, ja suomalainen.fi. Niiden alla ovat organisaatioiden, yritysten ja käyttäjien domainit, joilla voi edelleen olla alidomaineja. Internet­osoit­tees­sa domainit on listattu pisteellä eroteltuina oikealta vasemmalle, esimerkiksi:

www.suomi.fi. Dnssec on internetin nimipalvelin­standardin ­turvalaajennus, joka tarjoaa lisäturvaa verkko­liikenteeseen.

To catch criminals faster, the police needs a technology revamp

www.zdnet.com/article/to-catch-criminals-faster-the-police-needs-a-technology-revamp/ Motorola has already started a small revolution with a “digital policing platform”, but a lot more change is still needed, say police officers.

New ransomware attacks target your NAS devices, backup storage

www.zdnet.com/article/new-ransomware-attack-targets-your-nas-devices-backup-storage/ The number of ransomware strains targeting NAS and backup storage devices is growing, with users “unprepared” for the threat, researchers say.

Researcher discovered a MacOS trojan hiding behind a fake crypto trading platform believed to be the work of the state-sponsored North Korean hackers behind WannaCry

threatpost.com/stealthy-macos-malware-lazarus-apt/150881/ Researchers have identified new MacOS malware that can execute remote code in memory that they believe is the work of the powerful North Korean APT group Lazarus, they said Thursday.

How to spot if your child is a victim of cyberbullying

www.welivesecurity.com/2019/12/06/how-spot-your-child-is-victim-cyberbullying/ What are some of the most common warning signs that your child is experiencing online harassment?. Answers: Unexplained physical changes, School avoidance, Mood swings, Loss of interest, and Quitting social media.

BMW Infiltrated by Hackers Hunting for Automotive Trade Secrets

www.bleepingcomputer.com/news/security/bmw-infiltrated-by-hackers-hunting-for-automotive-trade-secrets/ The German automotive giant BMW discovered and monitored a group of hackers who infiltrated the company’s networks and stayed active since at least the spring of 2019.

NVIDIA Patches Severe Flaws in Mercedes Infotainment System Chips

www.bleepingcomputer.com/news/security/nvidia-patches-severe-flaws-in-mercedes-infotainment-system-chips/ NVIDIA released security updates for six high severity vulnerabilities found in the Tegra Linux Driver Package (L4T) for Jetson AGX Xavier, TK1, TX1, TX2, and Nano chips used in Mercedes-Benz’s MBUX infotainment system and Bosch self-driving computer systems. The chips affected by these flaws are also used in HP and Acer Chromebooks [1, 2], Android tablets, Nintendo Switch video game consoles, and Magic Leap One virtual retinal displays. These security flaws that could allow local attackers with various levels of user privileges to execute arbitrary code, escalate privileges, trigger denial-of-service (DoS) states, and launch information disclosure attacks against devices featuring unpatched chips.

Fake VPN Site Pushes CryptBot and Vidar Info-Stealing Trojans

www.bleepingcomputer.com/news/security/fake-vpn-site-pushes-cryptbot-and-vidar-info-stealing-trojans/ A cyberthreat actor has created a web site that promotes a fake VPN program that installs the Vidar and CryptBot password-stealing trojans. These trojans will then attempt to steal saved browser credentials and other information from a victim’s computer. While investigating a different malware infection, BleepingComputer stumbled upon a website promoting a VPN program called ‘Inter VPN’ that claims to be the “fastest VPN”. It then shows an image of the VPN client, which is actually an image of the legitimate VPN Pro software.

Microsoft to Make Office 365 Encrypted Emails Look Less Spammy

www.bleepingcomputer.com/news/security/microsoft-to-make-office-365-encrypted-emails-look-less-spammy/ Microsoft is currently working on enhancing the way emails sent using the Office 365 Message Encryption (OME) service are seen by mail servers so that they are less likely to be marked as spam and sent to the Trash folder. OME is built on Microsoft Azure Rights Management (Azure RMS), part of Azure Information Protection, and it allows Office 365 customers to send and receive encrypted email messages using Outlook.com, Yahoo!, Gmail, and several other email services using encryption, identity, and authorization policies.

VMware has released security updates to address a vulnerability in ESXi and Horizon DaaS. An attacker could exploit this vulnerability to take control of an affected system

www.us-cert.gov/ncas/current-activity/2019/12/06/vmware-releases-security-updates-esxi-and-horizon-daas The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2019-0022 and apply the necessary updates and workarounds. Read also: www.vmware.com/security/advisories/VMSA-2019-0022.html

These are the worst hacks, cyberattacks, and data breaches of 2019

www.zdnet.com/article/these-are-the-worst-hacks-cyberattacks-and-data-breaches-of-2019/ A slew of hacks, data breaches, and attacks tainted the cybersecurity landscape in 2019. For the past few years, there has been a constant stream of data breaches that have hit the headlines, ranging from the theft of medical information, account credentials, corporate emails, and internal sensitive enterprise data. When a data breach occurs, companies will usually haul in third-party investigators, notify regulators, promise to do better and give any impacted consumers free credit monitoring — but we’ve reached a stage where you should consider signing up to such services anyway, given how much of our information is now available in data dumps strewn all over the internet. (Consider using Have I Been Pwned to check if you’ve been involved in a breach.)

BMW and Hyundai hacked by Vietnamese hackers, report claims

www.zdnet.com/article/bmw-and-hyundai-hacked-by-vietnamese-hackers-report-claims/ Hacks linked to Ocean Lotus (APT32), a group believed to operate with orders from the Vietnamese government. German media is reporting that hackers suspected to have ties to the Vietnamese government have breached the networks of two car manufacturers, namely BMW and Hyundai. The report, coming from Bayerischer Rundfunk (BR) and Taggesschau (TS), claims that hackers breached the network of a BMW branch sometime this spring. Read also (in German):

www.tagesschau.de/investigativ/br-recherche/bmw-hacker-101.html and

www.br.de/nachrichten/wirtschaft/fr-autoindustrie-im-visier-von-hackern-bmw-ausgespaeht, RjnLkD4

Feds Crack Down on Money Mules, Warn of BEC Scams

threatpost.com/feds-crack-down-on-money-mules-warn-of-bec-scams/150900/ Authorities say they have halted over 600 domestic money mules exceeding the 400 money mules stopped last year. The Justice Department said this week that it is cracking down on money mules, i.e., middlemen who assist in fraud schemes by receiving money from victims and forwarding proceeds to foreign-based perpetrators. So far, feds say they have halted more than 600 domestic money mules exceeding the 400 money mules stopped last year. Of these, more than 30 individuals were criminally charged for their roles in receiving victim payments and providing the fraud proceeds to accomplices. The Department of Justice (DoJ) said this is triple the number of criminal prosecutions brought against money mules in last year’s

You might be interested in …

[NCSC-FI News] Malware Civil War Malicious npm Packages Targeting Malware Authors

JFrog Uncovers 25 Malicious Packages in npm Registry [Also https://therecord.media/another-set-of-malicious-npm-packages-caught-stealing-discord-tokens-environment-variables/] Source: Read More (NCSC-FI daily news followup)

Read More

Daily NCSC-FI news followup 2020-04-05

Suomessa kaupitellaan nyt olemattomia hengityssuojaimia Koronapandemia pitää rötöstelijätkin kotona, mutta nettirikolliset aktiivisina yle.fi/uutiset/3-11288563?origin=rss EU-komissio ja eurooppalaiset kuluttajaviranomaiset ovat ryhtyneet toimiin koronaan liittyvien huijausten ehkäisemiseksi. Esimerkiksi EU-komissio on vaatinut suurilta markkinoijilta ja alustoilta yhteistyötä. Koronaan liittyviä huijausilmoituksia on tullut parikymmentä tähän mennessä, sanoo erityisasiantuntija Saija Kivimäki Kilpailu- ja kuluttajavirastosta. Microsoft: Emotet Took Down a Network by […]

Read More

Daily NCSC-FI news followup 2019-08-08

Porin kaupunki joutunut tietomurron kohteeksi www.pori.fi/uutinen/2019-08-08_porin-kaupunki-joutunut-tietomurron-kohteeksi Keskiviikkona 7. elokuuta iltapäivällä yhdellä Porin kaupungin opetusverkon työasemalla havaittiin tietomurto. Kyseisen työaseman kautta oli saatu asennettua haittaohjelma opetusverkon käyttäjähakemistopalvelimille.. Haittaohjelman tarkoituksena oli datan kerääminen, joka on saattanut vaarantaa käyttäjien kirjautumistietoja. Varotoimenpiteenä kaikkien opetusverkon käyttäjien salasanat vaihdetaan, sanoo ICT-yksikön päällikkö Heikki Haaparanta. . Reagoimme tilanteeseen nopeasti, minkä vuoksi murto […]

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.