Daily NCSC-FI news followup 2019-12-09

2020 is when cybersecurity gets even weirder, so get ready

www.zdnet.com/article/2020-is-when-cybersecurity-gets-even-weirder-so-get-ready/ AI-powered deepfakes, ransomware, IoT, and 5G all mean that protecting your data is about to get a lot harder. Tech analyst Forrester predicts that deepfakes could end up costing businesses a lot of money next year: as much as $250m. That might happen in a couple of ways. There’s the risk to your share price if someone creates a deepfake of your CEO apparently resigning from the company. Alternatively, a convincing deepfake of a celebrity well known for using your products seemingly being rude about your brand could easily hurt sales if it spreads widely.

Bypass discovered to allow Windows 7 Extended Security Updates on all systems

www.zdnet.com/article/bypass-discovered-to-allow-windows-7-extended-security-updates-on-all-systems/ Windows hobbyists have found a way to enable the (paid) Windows 7 Extended Security Updates on all systems. The community of My Digital Life, an online tech support forum, has found a way to bypass Microsoft’s restrictions and allow the installation of Windows 7 Extended Security Updates on any system, not just those whose owners paid Microsoft’s fee. The official Windows 7 end-of-support date is January 14, 2020, just a few weeks away. Windows 7 Extended Security Updates (ESU) is a paid Microsoft service that will deliver security updates to businesses still running Windows 7 computers past this deadline and until 2023, for a substantial fee. ESU costs between $25 and $200 per workstation, depending on the Windows 7 edition a company is running (Enterprise or Pro) and how long it needs the updates. Not everybody is eligible for ESU, either: only companies with volume-licensing agreements and small-and-midsize businesses (SMBs) can sign up for an ESU license.

Chinese government to replace foreign hardware and software within three years

www.zdnet.com/article/chinese-government-to-replace-foreign-hardware-and-software-within-three-years/ New Beijing “5-3-2” policy to give local tech scene a boost to the detriment of foreign companies. Beijing officials have ordered all government offices and public institutions to replace foreign hardware and software with Chinese alternatives within the next three years. The mass replacement process was detailed in a government directive issued to public institutions earlier this spring.

Police warn of fake police officers active in Satakunta: they phish for bank credentials by phone

yle.fi/uutiset/3-11108016 The police remind the public that the authorities never ask for such information by phone or email. If you receive a call from a fake police officer, the police advise filing a crime report with the police on-call service, by calling the emergency number 112, or by filing the report online.

How Panasonic is using internet honeypots to improve IoT device security

www.zdnet.com/article/how-panasonic-is-using-internet-honeypots-to-improve-iot-device-security/ Researchers at the electronics and home-appliance manufacturer leave connected devices open to the internet in a controlled environment and watch how hackers attempt to attack them. Panasonic has detailed how it has strengthened the security of its Internet of Things devices by connecting them to internet honeypots and allowing hackers to try to take them over. The global corporation uses two specially built honeypot sites that expose devices to the internet in order to lure cyber criminals into attacking them. The products tested this way range from IP cameras to connected home appliances such as fridges and other kitchen products.

Nation-State Attackers May Have Co-opted Vega Ransomware

www.darkreading.com/threat-intelligence/nation-state-attackers-may-have-co-opted-vega-ransomware/d/d-id/1336551 The tactics used by the latest version of the Vega cryptolocker program indicate the code may have been stolen from its authors and is now being used for destructive attacks, a new report suggests. Significant changes in the tactics of a new variant of the Vega ransomware may indicate that the code is now in the hands of nation-state actors, security firm BlackBerry Cylance stated on December 9. The new variant, dubbed Zeppelin by BlackBerry Cylance, started spreading in early November and avoids infecting systems in Russia, Ukraine, Belarus and Kazakhstan, instead focusing on US and European technology and healthcare companies, according to the company’s researchers. While the malware framework is modular and can easily be configured for different tasks, Zeppelin focuses on destructive attacks, says Josh Lemos, vice president of research and intelligence at BlackBerry Cylance.

Metasploit for drones? Best of luck with that, muses veteran tinkerer

www.theregister.co.uk/2019/12/09/dronesploit_framework/ Been down this path and it ain’t that easy, says man who knows. A veteran drone hacker reckons the recent release of the Dronesploit framework won’t go down quite as its inventors hope. Alexandre D’Hondt and Yannick Pasquazzo gave a quick talk about Dronesploit during Black Hat Europe, held in London last week. The duo aim to produce a Metasploit-style CLI framework tailored for tinkering with everybody’s favourite unmanned flying objects. At the moment, they say their framework is able to sniff comms for “Wi-Fi controlled light commercial drones”, with plans to include radio-controlled drones and eventually “more complex” craft.

Ad network ransomware crook to flog £5k Rolex after court confiscates £270k in ill-gotten gains

www.theregister.co.uk/2019/12/09/zain_qaiser_confiscation_order_270k/ A jailed hacker who profited from the Angler Exploit Kit has been ordered to sell his £5,000 Rolex watch after the National Crime Agency (NCA) applied to confiscate £270,000 of criminal proceeds from him.


Serious zero-day vulnerability found in a popular project tool: it came to light by accident through a tweet

www.tivi.fi/uutiset/tv/efe2727b-558c-4c0d-a100-2426b22847dd Atlassian, known for the Jira and Confluence project tools, is fighting a zero-day vulnerability. Atlassian is grappling with a recently discovered vulnerability, a zero-day, in its Confluence application, The Register reports. According to the report, Atlassian provides on its support pages a domain name through which a local server can be reached. A shared SSL certificate protects the network traffic between the Confluence cloud service and the Atlassian Companion app. The problem is that anyone can copy the SSL key and use it in an attack. An attacker could, for example, step into the middle of the traffic between the applications and redirect it to a malicious site of their choosing. An ordinary user would not notice where the traffic is going. Read also: www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

Windows 10 Mobile is over: Prepare for final security patches as support ends

www.zdnet.com/article/windows-10-mobile-is-over-prepare-for-final-security-patches-as-support-ends/ Tuesday marks the end of Microsoft’s failed bid to get the world on Windows Mobile, Windows Phone or Windows 10 Phone. The December 2019 Patch Tuesday will be the last time Microsoft offers security updates for devices running Windows 10 Mobile.

Microsoft to help Office 365 customers track entire phishing campaigns, not just lone emails

www.zdnet.com/article/microsoft-to-help-office-365-customers-track-entire-phishing-campaigns-not-just-lone-emails/ Microsoft is today launching a new security feature in public preview. Named “Campaign Views,” it will be available for Office 365 Advanced Threat Protection (ATP), the company’s paid email filtering service, sold as an add-on for Office 365, its cloud-based office suite. Campaign Views will be a new section in the Office 365 ATP Threat Explorer dashboard where customers can get a full view of an entire malicious phishing campaign hitting the company’s inboxes. Until today, Office 365 ATP users could only see details about each individual malicious email that reached users. Campaign Views will show details about the entire phishing campaign and all the tricks and infrastructure it uses.


Bulletin (SB19-343) – Vulnerability Summary for the Week of December 2, 2019

www.us-cert.gov/ncas/bulletins/sb19-343 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness

Detecting unsafe path access patterns with PathAuditor

security.googleblog.com/2019/12/detecting-unsafe-path-access-patterns.html What can go wrong if the command in the post runs as root? Does it change anything if foo is a symbolic link to /etc/shadow? How is the output going to be used? Depending on the answers to these questions, accessing files this way could be a vulnerability. The vulnerability class lives in syscalls that operate on file paths, such as open, rename, chmod or exec. For a vulnerability to be present, part of the path has to be user controlled and the program executing the syscall has to run at a higher privilege level. In a potential exploit, the attacker substitutes a symlink for part of the path and thereby gets the privileged program to create, remove or execute a file of the attacker’s choosing. In many cases the attacker can create the symlink before the syscall is executed, so a stat() on the name followed by an open() of the same name does not help: the check and the use must refer to the same inode.
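As an added example (not code from the PathAuditor post or from the tool itself), the following C program shows the defensive counterpart of the pattern the post describes. Instead of handing a possibly attacker-influenced path to open() in one step, it walks the path one component at a time with openat() and O_NOFOLLOW, inspects each component through the fd it has just opened (so the inode it checks is the inode it keeps using), and rejects the path if any component is a symlink, is owned by an untrusted user, or is writable by others. The trust rule (root or a caller-supplied uid) and the sticky-bit exemption for directories like /tmp are simplified assumptions for this demo, not PathAuditor’s exact rule set; the fixture the demo builds under /tmp is constructed by the demo itself. Linux only, because of O_PATH.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdicts returned by safe_open_path(). */
enum path_result {
    PATH_OK = 0,        /* every component is trusted and not writable by others */
    PATH_SYMLINK = 1,   /* a component is a symlink: an attacker could point it anywhere */
    PATH_UNTRUSTED = 2, /* a component is owned by, or writable by, someone we do not trust */
    PATH_ERROR = 3      /* lookup failed, or the path is not absolute */
};

/* Inspect one already-opened component. The fd is the object we keep using,
 * so there is no window for an attacker to swap the name after this check. */
static int check_component(int fd, uid_t trusted_uid)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return PATH_ERROR;
    if (S_ISLNK(st.st_mode))                        /* O_NOFOLLOW handed us the link itself */
        return PATH_SYMLINK;
    if (st.st_uid != 0 && st.st_uid != trusted_uid) /* simplified trust rule: root or caller */
        return PATH_UNTRUSTED;
    int others_write = (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
    int sticky_dir = S_ISDIR(st.st_mode) && (st.st_mode & S_ISVTX) != 0;
    /* A sticky world-writable directory such as /tmp is tolerated: whatever it
     * contains is still checked by owner in the next step. Anything else that
     * others can write to is rejected, since they could replace it. */
    if (others_write && !sticky_dir)
        return PATH_UNTRUSTED;
    return PATH_OK;
}

/* Walk an absolute path component by component without ever following a
 * symlink. On PATH_OK, *out_fd is an O_PATH fd for the final component; read
 * it by reopening "/proc/self/fd/<fd>", never by reopening the name. */
int safe_open_path(const char *path, uid_t trusted_uid, int *out_fd)
{
    if (path == NULL || path[0] != '/' || out_fd == NULL)
        return PATH_ERROR;
    int cur = open("/", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (cur < 0)
        return PATH_ERROR;
    int rc = check_component(cur, trusted_uid);
    char *copy = (rc == PATH_OK) ? strdup(path) : NULL;
    if (copy == NULL) {
        close(cur);
        return (rc == PATH_OK) ? PATH_ERROR : rc;
    }
    char *save = NULL;
    for (char *comp = strtok_r(copy, "/", &save); comp != NULL; comp = strtok_r(NULL, "/", &save)) {
        int next = openat(cur, comp, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        close(cur);
        cur = next;
        if (cur < 0) { rc = PATH_ERROR; break; }   /* ENOENT, EACCES, ENOTDIR, ... */
        rc = check_component(cur, trusted_uid);
        if (rc != PATH_OK) break;
    }
    free(copy);
    if (rc != PATH_OK) {
        if (cur >= 0) close(cur);
        return rc;
    }
    *out_fd = cur;
    return PATH_OK;
}

/* Constructed fixture for the demo: a plain file, the post's "foo -> /etc/shadow"
 * symlink, and a world-writable directory. Returns 0 when every verdict is as
 * expected, otherwise a code naming the first step that went wrong. */
int demo_checks(void)
{
    char dir[] = "/tmp/pathaudit.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 100;
    char safe[128], link[128], odir[128], inside[128];
    snprintf(safe, sizeof safe, "%s/safe", dir);
    snprintf(link, sizeof link, "%s/foo", dir);
    snprintf(odir, sizeof odir, "%s/dropbox", dir);
    snprintf(inside, sizeof inside, "%s/secret", odir);
    uid_t me = getuid();
    int fd = -1, f, result = 0;

    if ((f = open(safe, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0 || close(f) != 0) result = 101;
    else if (symlink("/etc/shadow", link) != 0) result = 102;      /* target need not exist */
    else if (mkdir(odir, 0777) != 0 || chmod(odir, 0777) != 0) result = 103; /* chmod defeats umask */
    else if ((f = open(inside, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0 || close(f) != 0) result = 104;
    else if (safe_open_path(safe, me, &fd) != PATH_OK) result = 1;
    else if (close(fd) != 0) result = 105;
    else if (safe_open_path(link, me, &fd) != PATH_SYMLINK) result = 2;     /* never touches /etc/shadow */
    else if (safe_open_path(inside, me, &fd) != PATH_UNTRUSTED) result = 3; /* rejected at "dropbox" */
    else if (safe_open_path("relative/foo", me, &fd) != PATH_ERROR) result = 4;

    unlink(inside); rmdir(odir); unlink(link); unlink(safe); rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_checks();
    if (r == 0) printf("all verdicts as expected\n");
    else printf("unexpected result code %d\n", r);
    return r == 0 ? 0 : 1;
}
```

The point of opening with O_PATH | O_NOFOLLOW and then calling fstat() on the resulting fd is that a symlink planted at any component is returned as the link itself rather than followed, and the ownership and mode that are checked belong to the very object the program holds, which is the property a stat()-then-open() sequence cannot give.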

Ryuk ransomware contains a bug causing data loss for some victims

www.zdnet.com/article/ryuk-ransomware-contains-a-bug-causing-data-loss-for-some-victims/ Cyber-security firm Emsisoft said it found a bug in Ryuk’s decrypter app that makes file recovery impossible, even after paying the ransom demand. Antivirus maker Emsisoft said it found a bug in the decrypter app of the Ryuk ransomware. This is the app the Ryuk gang provides to victims to recover their files, after victims paid the ransom. The bug, according to Emsisoft, causes an incomplete recovery of some types of files, leading to data loss, even if the victim paid the ransom demand. The issue, as explained by Emsisoft in a blog post today, is that the decrypter truncates one byte from the end of each file it decrypts.

Cybercriminals Lend Tactics and Skills to Political Meddlers

www.bleepingcomputer.com/news/security/cybercriminals-lend-tactics-and-skills-to-political-meddlers/ Disinformation campaigns for political purposes are deeply rooted in cybercriminal endeavors, with threat actors relying on techniques specific to financially motivated attacks to attain their goals. Criminal syndicates running black SEO (search engine optimization), carding, ransomware or network intrusion activities lend their skills and experience to serve political agendas for various entities. Across the line, professionals are on the job. An investigation by Advanced Intelligence (AdvIntel) and Nime Mile Security Group (NMSG) researchers shows that cybercriminals can successfully adapt their methods for “intrusive social actions into the U.S. environments.” For their project, the researchers turned to the dark web, where it took less than two weeks to find 40 experienced cybercriminals with a “coherent strategy” ready to deploy the operation the next day. Budget spent in this stage: $0.

Protect yourself from “Hacker in the box” Devices with the IoT Security Risk Assessment

blog.checkpoint.com/2019/12/09/protect-yourself-from-hacker-in-the-box-devices-with-the-iot-security-risk-assessment/ According to IBM’s research, there are more than 60 variants of the notorious IoT botnet Mirai, increasingly targeting enterprise IoT devices. Read more to learn how you can reduce your risk exposure before you even purchase or connect IoT devices to your network. A recent industry study reveals that 67% of enterprises have experienced an IoT security incident. From smart TVs, IP cameras and smart elevators to hospital infusion pumps and industrial PLCs, IoT and OT (operational technology) devices are inherently vulnerable and easy to hack. Many of these devices ship with out-of-the-box security flaws such as weak or hardcoded passwords, misconfigurations in the operating system, and known vulnerabilities (CVEs). Their inherent weaknesses and the fact that they are poorly protected have made IoT devices an attractive target for bad actors. Hackers are continually looking for ways to exploit device vulnerabilities so they can attack the devices themselves or, better still, use them as an entry point to the corporate network. IP cameras can be used to spy on users, medical devices can be shut down, and critical infrastructure (such as power grid controllers) can be taken over to cause colossal damage. The risk is high and enterprises across different industries are exposed.

Fake Elder Scrolls Online Devs Run PlayStation Phishing Scam

www.bleepingcomputer.com/news/security/fake-elder-scrolls-online-devs-run-playstation-phishing-scam/ Scammers are masquerading as The Elder Scrolls Online developers and sending PlayStation private messages stating that your account will be banned if you do not provide your login credentials. If you play online games, especially shooters and MMORPGs, you are likely familiar with users being banned from games for cheating or even suspected cheating. There have also been many cases where users are banned for no reason they know of, and getting their accounts reinstated can be an ordeal. In a new phishing scam shared by a recipient on Reddit, scammers are pretending to be Elder Scrolls Online developers and stating that unusual activity has been detected on the account, in violation of the game’s Terms of Service. The message then tells the recipient that they have 15 minutes to send the ‘ElderScrollDevs’ their email address, password and date of birth or the account will be banned.

Beware of a scam in Prisma’s name: online crooks have a brand-new trick

www.is.fi/digitoday/tietoturva/art-2000006337522.html In a scam spreading on Facebook, victims are contacted directly through Messenger. A Facebook post made in Prisma’s name is being spread on Facebook; it is an online scam. In the post, Prisma claims to be celebrating its birthday by giving away Samsung QuickDrive washing machines worth 1,100 euros. The message is written in good Finnish. Unlike most scams, the scam post contains no link to a website. Instead, participants are urged to tag a friend in the comments and share the post. The “winners” are then contacted via Facebook Messenger.
