Daily NCSC-FI news followup 2019-12-11

How we turned 5G into 5k

medium.com/sensorfu/how-we-turned-5g-into-5k-a8636b549248 Hacking is a good way to learn and hackathons are a great place to learn with other like-minded people. And that was exactly what we had in mind when we invited our friends and signed in as a team to the first 5G hackathon in the world. We had no preparation or idea what we were going to do. After we conquered a table for ourselves to set up our base in we quickly found us split between two different challenges. Myself and Jukka (with initial help from Jani) took on to investigate the cylindrical device Nokia has brought into event. Meanwhile Mikko, Ossi and Jani challenged themselves with University of Oulu’s 5G hospital

FBI shares security advice for online shopping

www.zdnet.com/article/fbi-shares-security-advice-for-online-shopping/ FBI: Use credit cards rather than debit cards, don’t use public WiFi, keep your devices updated, and more. Ahead of the yearly Christmas shopping spree, one of the FBI’s regional offices has published yesterday a series of security tips to help users stay safe while they shop online. The security tips, part of the bureau’s weekly tech advice column, deal with everything from keeping devices up-to-date to avoiding online scams. While the Bureau’s advice is geared toward the upcoming holiday season, some of the tips can — and should — be applied at any given time throughout the year:

Exploring Legacy Unix Security Issues

www.liquidmatrix.org/blog/2019/12/11/exploring-legacy-unix-security-issues/ Sometimes after looking at web application security, IoT botnets, and various malware I long for the pre-2000 hacking days. Where, instead of looking for XSS or SQL injection vulnerabilities, you would be hunting for server-side vulnerabilities. This summer, I was gifted an SGI Indy R5000. I’d mentioned on Twitter a while back that I’d love to have an IRIX system in my lab, since this was the system I’d discovered my first vulnerability on, CVE-1999-0765. Someone who follows me on Twitter asked me to message him privately since he had an SGI system laying around in his maker space. The system he gave me is an SGI Indy R5000. He had all the original manuals and CD packs that came with it while it was under full support from its previous owner. The system has 64MB of RAM and a 1GB disk. Yes, that’s Megabytes of RAM. I had the system upgraded to 128MB of RAM and a 30GB disk by ordering parts from an SGI enthusiast in the UK. The operating system SGI IRIX 6.5.22 was declared end of life in 2003, so it has limited use as a production system. I decided I could relive the good old days by looking for new vulnerabilities on an old system in my spare time. It was also an excuse to write some C code, and refresh my memory.

Data Leak Week: Billions of Sensitive Files Exposed Online

www.darkreading.com/cloud/data-leak-week-billions-of-sensitive-files-exposed-online/d/d-id/1336574 A total of 2.7 billion email addresses, 1 billion email account passwords, and nearly 800, 000 applications for copies of birth certificate were found on unsecured cloud buckets. Revelations this week of separate data exposure incidents a billion passwords displayed in plaintext as well as hundreds of thousands of US birth certificate applications shared a common thread: unsecured cloud-based databases that left the sensitive information wide open for anyone to access online. An epidemic in the past year or so of organizations inadvertently leaving their Amazon Web Services S3 and ElasticSearch cloud-based storage buckets exposed and without proper security has added a new dimension to data breaches. Organizations literally aren’t locking down their cloud servers, researchers are finding them en masse, and it’s likely cybercriminals and nation-state are as well. Misconfigured online storage has led to an increase of 50% in exposed files this year over 2018, according to data from Digital Shadows published in May. “Cloud services are inexpensive ways to do things we’ve done expensively for years, so it makes sense why so many people are moving their resources to the cloud. The problem is that it’s still far too easy to make mistakes that expose all your data to the Internet, ” says John Bambanek, vice president of security research and intelligence at ThreatStop. Security researcher Bob Diachenko last week discovered a massive ElasticSearch database of more than 2.7 billion email addresses, 1 billion of which included passwords in plaintext. Most of the stolen email domains were from Internet providers in China, such as Tencent, Sina, Sohu, and NetEase, although there were some Yahoo, Gmail, and Russian email domains as well. The pilfered emails that came with the passwords were confirmed to be part of a previous massive breach from 2017, when a Dark Web vendor had them for sale.

Only Half of Malware Caught by Signature AV

www.darkreading.com/threat-intelligence/only-half-of-malware-caught-by-signature-av/d/d-id/1336577 Machine learning and behavioral detection are necessary to catch threats, WatchGuard says in a new report. Meanwhile, network attacks have risen, especially against older vulnerabilities, such as those in Apache Struts. For years, signature-based antivirus has caught about two-thirds of threats at the network edge in the last quarter, that success rate has plummeted to only 50%, according to WatchGuard Technologies’ latest quarterly report, published on December 11. The network security firm found that the percentage of malware that successfully bypassed signature-based antivirus scanners at companies’ network gateways has increased significantly, either by scrambling code known as “packing” using basic encryption techniques or by the automatic creation of code variants. In the past quarter, the share of malware using these obfuscation techniques has jumped to 50% of malicious programs detected at the edge of the network, bypassing common antivirus engines, the company found. Dubbed “zero-day malware, ” these attacks demonstrate how attackers have adapted to the decades-old signature-based antivirus scanning technology, says Corey Nachreiner, chief technology officer at WatchGuard Technologies. “The big change is that more and more malware is becoming evasive, so that signature-based protection is no longer sufficient, ” he says. “There is nothing wrong with having it, because it will catch 50% to two-thirds of the traffic, but you definitely need something more.”. In the first quarter of 2019, the company saw signature antivirus catch 64% of malware. In the second quarter, that dropped only slightly to 62%. In 2017, antivirus firm Malwarebytes found that using two signature-based antivirus engines still only caught about 60% of threats.

Beware of bad Santas this Xmas: Piles of insecure smart toys fill retailers’ shelves

www.theregister.co.uk/2019/12/11/top_toys_still_toppled_by_security_testing/ Latest Which? study with NCC Group highlights toys it ain’t smart to buy. It seems to come around quicker every year the failure of so-called smart toys to meet the most basic of security requirements. Which? has discovered a bunch of sack fillers that dirtbags can use to chat to your kids this Christmas. Back in 2017, the consumer group found toys with security problems relating to network connections, apps or other interactive features. The results of its latest round of testing show manufacturers are struggling to improve standards. Working with security researchers NCC Group, Which? found a karaoke machine that could transmit audio from anyone passing within Bluetooth range because of its unsecured connection. It found walkie-talkies from VTech which anyone with their own set of similar equipment could connect to over a 200-metre range. It also found a Mattel-backed games portal which appeared to be unmoderated, allowing users to upload their own games with content inappropriate for children. Ken Munro, security researcher with consultancy Pen Test Partners, said that although there was no evidence the vulnerabilities revealed by Which? had not been used by nefarious characters to contact children, parents should still beware of toys that do not meet minimum standards.

KeyWe Smart Lock unauthorized access and traffic interception

labs.f-secure.com/advisories/keywe-smart-lock-unauthorized-access-traffic-interception The KeyWe smart lock suffers from multiple design flaws resulting in an unauthenticated – potentially malicious – actor being able to intercept and decrypt traffic coming from a legitimate user. This traffic – as described below – can then be used to execute actions (such as opening/closing the lock, denial of service, silencing the lock etc.) on behalf of the owner. An attacker could exploit this vulnerability by intercepting any legitimate communications to steal the key and unlock the door at any point remotely. Communication messages between a legitimate application and the lock are transported using Bluetooth Low Energy. Before sending they are encrypted using AES-128-ECB with a random 2B (two-byte) prefix (functioning as a replacement for an Initialization Vector) thus disallowing a third party to easily eavesdrop and tamper with commands originating from the legitimate parties. The key generation process is, however, affected by a serious flaw. Read also:

www.theregister.co.uk/2019/12/11/f_secure_keywe/ and


It’s the end of the 20-teens, and your Windows PC can still be pwned by nothing more than a simple bad font

www.theregister.co.uk/2019/12/10/patch_tuesday_december_2019/ End 2019 with a Patch Tuesday from Microsoft, Adobe, SAP and Intel. This month is a relatively small patch bundle from Microsoft, with fixes kicked out for just 36 CVE-listed bugs, only seven of which are considered to be critical risks by Redmond standards. Not among those seven is CVE-2019-1458, a flaw believed to be under active attack in the wild. The bug, an elevation of privilege error caused by the handling of objects in memory, is said to have been chained with a Chrome flaw to let attackers remotely attack PCs, and is just rated as important.

Windows, Chrome Zero-Days Chained in Operation WizardOpium Attacks

www.bleepingcomputer.com/news/security/windows-chrome-zero-days-chained-in-operation-wizardopium-attacks/ Zero-day vulnerabilities in Google Chrome and Microsoft Windows were used to download and install malware onto Windows computers that visited a Korean-language news portal. A zero-day vulnerability is one that is known, but not patched by the developers in charge of patching the vulnerability. These zero-day vulnerabilities are particularly dangerous as they can be used by state-sponsored attackers to perform malicious activity on vulnerable devices. Last month, Kaspersky revealed that they discovered a zero-day Google Chrome vulnerability that was actively being used in online attacks called Operation WizardOpium. The attackers had hacked a Korean-language news site and injected a JavaScript tag into the site that would execute malicious scripts in the visitor’s browser. Fast forward to today when Microsoft released their December 2019 Patch Tuesday security updates, we discover that the Operation WizardOpium attack chained together the Chrome zero-day as well as a Windows zero-day privilege elevation vulnerability to install the malware. Read also:


Lazarus Hackers Use TrickBot to Infect High-End Victims

www.bleepingcomputer.com/news/security/lazarus-hackers-use-trickbot-to-infect-high-end-victims/ Security researchers analyzing infections from TrickBot trojan found an interesting artifact that points to a connection to the Lazarus group of hackers associated with North Korea. Operations of nation-state hackers and cybercriminal groups are typically distinct from one another but the new findings suggest that these threat actors may cooperate towards a financially-motivated goal. Since its discovery in 2016, TrickBot added a score of capabilities well beyond the initial banking trojan purposes. Malware delivery, network profiling, and extended data collection are some of the modules that make it a flexible crimeware solution fitting all sorts of needs. Vitali Kremez, the head of SentinelLABS, writes that TrickBot opening its doors to APT actors sets a new milestone in the evolution of cybercrime. Read also:



threatpost.com/lazarus-collaborates-trickbots-anchor-project/151000/ and

Zeppelin: Russian Ransomware Targets High Profile Users in the U.S. and Europe

labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/ Zeppelin is the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. Although it’s clearly based on the same code and shares most of its features with its predecessors, the campaign that it’s been part of differs significantly from campaigns involving the previous versions of this malware. Vega samples were first discovered in the beginning of 2019, being distributed alongside other widespread financial malware as part of a malvertising operation on Yandex.Direct – – a Russian online advertising network. This campaign was aimed at Russian speaking users (with apparent focus on the people working in accounting) and was designed to have a broad reach, as opposed to careful targeting. The binaries were often signed with a valid certificate and hosted on GitHub. During a course of this year, several new versions of Vega appeared, each bearing a different name (Jamper, Storm, Buran, etc.), some of them offered as a service on underground forums. The recent campaign that utilizes the newest variant, Zeppelin, is visibly distinct. The first samples of Zeppelin – – with compilation timestamps no earlier than November 6, 2019 – were discovered targeting a handful of carefully chosen tech and healthcare companies in Europe and the U.S. In a stark opposition to the Vega campaign, all Zeppelin binaries (as well as some newer Buran samples) are designed to quit if running on machines that are based in Russia and some other ex-USSR countries. Zeppelin appears to be highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader. The samples are hosted on water-holed websites and, in the case of PowerShell, on Pastebin. There are reasons to believe at least some of the attacks were conducted through MSSPs, which would bear similarities to another recent highly targeted campaign that used a ransomware called Sodinokibi. Read also:


www.bleepingcomputer.com/news/security/zeppelin-ransomware-targets-healthcare-and-it-companies/ and


Inside Kraken Security Labs: Flaw Found in Keepkey Crypto Hardware Wallet

threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html Kraken Security Labs has found a way to extract seeds from a KeepKey cryptocurrency hardware wallet. All that is required is physical access to the wallet for about 15 minutes.

10 things security teams should focus on, according to AWS’ CISO

blog.kraken.com/post/3245/flaw-found-in-keepkey-crypto-hardware-wallet/ Amazon Web Services (AWS) chief information security officer and president of security engineering Steven Schmidt has detailed 10 things he thinks should be of the highest value to every security group.

iOS 13.3 brings bug fixes and a new security feature, but does it bring new bugs

www.zdnet.com/article/10-things-security-teams-should-focus-on-according-to-aws-ciso/ iOS 13.3 and iPadOS 13.3 landed last night, and as well as bringing with them a whole array of bug fixes, but also a new security feature to help protect users from attacks. Another day, another new iOS update. This time it is iOS and iPadOS 13.3, which not only bring with them numerous fixes but also a new security feature to help protect users on the internet.

Cybersecurity: How Facebook’s red team is pushing boundaries to keep your data safe

www.zdnet.com/article/ios-13-3-brings-bug-fixes-and-a-new-security-feature-but-does-it-bring-new-bugs/ Facebook’s red team has to think outside the box in order to keep the social media giant safe from hacking and other malicious attacks. Facebook has detailed some of the red team security techniques it uses to keep hackers from attacking its systems. The social-media giant has a 10-strong red team security experts who try to think like the hackers who want to infiltrate its networks with the aim of allowing Facebook to pre-empt the strategies of actual attackers and defend its data better. By testing networks using real-life techniques and tactics, the red team can provide the company with a better picture of its cybersecurity and point it towards areas that need improving. Amanda Rousseau, offensive research engineer at Facebook, who was formerly a malware researcher and a computer forensic examiner, detailed how the red teaming at Facebook works and the challenges it involves at the Black Hat Europe 2019 cybersecurity conference in London.

After Windows 10 upgrade, do these seven things immediately

www.zdnet.com/article/cybersecurity-how-facebooks-red-team-is-pushing-boundaries-to-keep-your-data-safe/ You’ve just upgraded to the most recent version of Windows 10. Before you get back to work, use this checklist to ensure that your privacy and security settings are correct and that you’ve cut annoyances to a bare minimum. Full version upgrades to a Windows PC used to be rare: Most people only had to deal with an upgrade once every three to five years, and then typically as part of the process of buying a new PC. Now, in the “Windows as a service” era, you can expect a feature update (essentially a full version upgrade) roughly every six months. And although you can skip a feature update or even two, you can’t wait longer than about 18 months.

German language malspam pushes yet another wave of Trickbot

www.zdnet.com/article/after-windows-10-upgrade-do-these-seven-things-immediately/ On Tuesday 2019-12-10, artifacts found through VirusTotal reveal a wave of German language emails pushed Trickbot. Today’s diary reviews information from this specific channel of Trickbot distribution. Trickbot executable files are tagged with a marker that identifies the specific campaign used to distribute it. The tag (usually referred to as “gtag”) is shown in URLs generated by Trickbot’s password grabber module, which caused HTTP traffic over TCP port 8082. The gtag for this infection was mango21.

Waterbear is Back, Uses API Hooking to Evade Security Product Detection

isc.sans.edu/diary/rss/25594 Waterbear, which has been around for several years, is a campaign that uses modular malware capable of including additional functions remotely. It is associated with the cyberespionage group BlackTech, which mainly targets technology companies and government agencies in East Asia (specifically Taiwan, and in some instances, Japan and Hong Kong) and is responsible for some infamous campaigns such as PLEAD and Shrouded Crossbow. In previous campaigns, we’ve seen Waterbear primarily being used for lateral movement, decrypting and triggering payloads with its loader component. In most cases, the payloads are backdoors that are able to receive and load additional modules. However, in one of its recent campaigns, we’ve discovered a piece of Waterbear payload with a brand-new purpose: hiding its network behaviors from a specific security product by API hooking techniques. In our analysis, we have discovered that the security vendor is APAC-based, which is consistent with BlackTech’s targeted countries.

The FireEye Approach to Operational Technology Security

blog.trendmicro.com/trendlabs-security-intelligence/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection/ Today FireEye launches the Cyber Physical Threat Intelligence subscription, which provides cyber security professionals with unmatched context, data and actionable analysis on threats and risk to cyber physical systems. In light of this release, we thought it would be helpful to explain FireEye’s philosophy and broader approach to operational technology (OT) security. In summary, combined visibility into both the IT and OT environments is critical for detecting malicious activity at any stage of an OT intrusion. The FireEye approach to OT security is to: Detect threats early using full situational awareness of IT and OT networks. The surface area for most intrusions transcend architectural layers because at almost every level along the way there are computers (servers and workstations) and networks using the same or similar operating systems and protocols as used in IT, which serve as an avenue of approach for impacting physical assets or control of a physical process. The oft touted airgap is in many cases a myth.

Public Sector Security Is Lagging How Can State and Local Governments Better Defend Against Cyberattacks in 2020?

www.fireeye.com/blog/threat-research/2019/12/fireeye-approach-to-operational-technology-security.html After looking into recent history and current-day security issues that affect federal and local government bodies, IBM X-Force Incident Response and Intelligence Services (IRIS) researchers stress that the state of cybersecurity and resilience in the public sector needs an urgent boost. U.S. citizens rely on state governments and local municipalities to provide a host of services everything from access to public records, law enforcement protection, education and welfare to voting and election services. These resources allow citizens to participate in our democracy and benefit from social services. As technology advances, so does the citizen-consumer’s demand for an increasing number of these services to be provided digitally. State and local government bodies have thus responded to the demand by increasingly modernizing the way they serve citizens and digitizing access to what was previously only available in-person or on paper.

What Are the Risks of the IoT in Financial Services?

securityintelligence.com/posts/public-sector-security-is-lagging-how-can-states-and-governments-better-defend-against-cyberattacks-in-2020/ Increased reliance on the internet of things (IoT) is one of the biggest trends in enterprise technology, and the financial services industry is a big part of that trend. And due to the nature of financial business, both the promises and the risks of the IoT in financial services are great. To demystify the IoT a bit, an IoT device is anything with processing power that is not usable as a computing device. That covers point-of-sale (POS) devices, security motion detectors and even internet-connected coffee machines, to name a few. Gartner predicted that the world will see nearly 21 billion IoT devices by next year. Many IoT devices used in the financial services industry are customer-facing. Banks, for example, can use IoT tech to form a higher-resolution picture of credit risk or to recognize customers as they come through the door for a smoother, more personalized customer service experience. Businesses can use IoT devices to collect more data about customer preferences and behavior, and financial institutions can gather real-time data from wearables to enable personalized product advertising.

Extracting Data from Smartphones

securityintelligence.com/articles/what-are-the-risks-of-the-iot-in-financial-services/ Privacy International has published a detailed, technical examination of how data is extracted from smartphones. Read also:


Busted by Cortex: AI Catches Employee Using Backdoor Four Years After His Termination

www.schneier.com/blog/archives/2019/12/extracting_data.html This is based on a true story. “Fred” did not depart from his employer with good intent: For years, he kept coming back and exfiltrating the company’s intellectual property. The moment of truth came four years later, when the company deployed Cortex XDR. An IT admin for a large multinational American corporation, Fred had been let go four years prior. Knowing the IT group inside and out, he suspected that his ex-colleagues forgot to disable his VPN account. To test it, he used his VPN credentials from his private computer and surprise: He successfully logged in!. He knew his company’s network very well. He also knew what he was looking for and where to find it. So, for the next four years, he kept coming back to exfiltrate the latest source code from the company’s Git repositories.

November 2019’s Most Wanted Malware: Researchers Warn of Fast-growing Mobile Threat While Emotet’s Impact Declines

blog.paloaltonetworks.com/2019/12/cortex-busted-by-xdr/ Check Point’s researchers report that the XHelper mobile trojan is spreading so fast, it has entered the overall top 10 malware list at #8 as well as being the biggest threat impacting mobiles. Our latest Global Threat Index for November 2019 marks the first time in over three years that a mobile trojan has entered the overall top malware listing, as well as being the most prevalent mobile threat over the past month. The mobile trojan is XHelper, which was first seen in the wild in March 2019.

ACLU sues Homeland Security agencies over phone spying practices

blog.checkpoint.com/2019/12/11/november-2019s-most-wanted-malware-researchers-warn-of-fast-growing-mobile-threat-while-emotets-impact-declines/ The suit calls on two border-control and immigration agencies to reveal how they use a controversial gadget that poses as a cell tower to suck up data. The American Civil Liberties Union filed a lawsuit Wednesday requesting that two US Homeland Security agencies — Customs and Border Protection and Immigration and Customs Enforcement — release details on how they’ve been using powerful phone surveillance tools. The ACLU is suing after the two agencies declined to provide it with documents related to International Mobile Subscriber Identity, or IMSI, catchers, more commonly known as Stingrays. These devices pretend to be cell towers and connect with nearby phones, intercepting data that details calls, messages and device location.

Microsoft Threat Protection Released in Public Preview

www.cnet.com/g00/news/aclu-is-suing-ice-for-details-on-how-it-uses-phone-spying-devices/ Microsoft says that the integrated Microsoft Threat Protection is now available in public preview, adding automated threat response to stop attacks in their tracks, as well as self-healing for compromised devices, user identities, and mailboxes. Microsoft Threat Protection (MTP) is designed to consolidate a security team’s incident response process by integrating key capabilities across Microsoft Defender Advanced Threat Protection (ATP), Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. MTP works by pulling data from Office 365 Threat Intelligence, Azure Active Directory Identity Protection, and Windows Advanced Threat Protection and combining it all into one centralized dashboard. The end-to-end MTP security solution was first announced at the Ignite 2018 conference on September 26, 2018, and described as a service that will an overview of an organization’s overall threat landscape allowing admins to easily spot new threats and attacks.


You might be interested in …

Daily NCSC-FI news followup 2020-02-16

Rikolliset huijasivat 2,6 miljoonaa Puerto Ricon hallitukselta www.tivi.fi/uutiset/tv/be9c0d32-bac0-42b0-ae4d-2ea0bca660cc Puerto Ricossa on paljastunut tapaus, jossa hakkerit ovat onnistuneet saamaan omalle tililleen peräti 2,6 miljoonaa paikallisen hallinnon rahoja. Tarkkaa huijauskeinoa ei ole paljastettu, mutta Softpedian mukaan hakkerit onnistuivat jollakin konstilla vaihtamaan yhden tilinumeron, ja sitä kautta rahat valuivat vääriin käsiin. Israelilaissotilaita houkuteltiin naisten avulla – seksikuvien sijasta […]

Read More

Daily NCSC-FI news followup 2020-11-14

Schools Struggling to Stay Open Get Hit by Ransomware Attacks www.wsj.com/articles/my-information-is-out-there-hackers-escalate-ransomware-attacks-on-schools-11605279160?mod=djemalertNEWS Districts around the U.S. are fighting a wave of increasingly aggressive hackers, who are publicly posting sensitive student information. Based on searches of hackers’ sites on the dark weba network of websites accessed through special software that gives users anonymityas well as publicly known […]

Read More

Daily NCSC-FI news followup 2020-07-13

The NCSC-UK’s Exercise in a Box tool set has been updated to help organisations keep their employees safe while working from home www.zdnet.com/article/remote-working-this-free-tool-tests-how-good-your-security-really-is/ The ‘Home and Remote Working’ exercise has been added to the NCSC-UK’s Exercise in a Box, a toolkit designed to help small and medium-sized businesses prepare to defend against cyber attacks by […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.