Daily NCSC-FI news followup 2019-12-16

Inside Evil Corp, a $100M Cybercrime Menace

krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/ The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself Evil Corp and stole roughly $100 million from businesses and consumers. As it happens, for several years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused and his accomplices. What follows is an insider's look at the back-end operations of this gang.

TP-Link Archer Router Vulnerability Voids Admin Password, Can Allow Remote Takeover

securityintelligence.com/posts/tp-link-archer-router-vulnerability-voids-admin-password-can-allow-remote-takeover/ This blog post gives details about a zero-day vulnerability in TP-Link Archer C5 v4 routers that run firmware version 3.16.0 0.9.1 v600c.0 Build 180124 Rel.28919n. The issue has been assigned CVE-2017-7405, and TP-Link has issued patches. Please see links to the patches at the end of the post and patch with priority.

DDoS Attacks and IoT Exploits: New Activity from Momentum Botnet

blog.trendmicro.com/trendlabs-security-intelligence/ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet/ We recently found notable malware activity affecting devices running Linux, a platform that has battled numerous issues just this year. Further analysis of retrieved malware samples revealed that these actions were connected to a botnet called Momentum (named for the image found in its communication channel). We found new details on the tools and techniques the botnet is currently using to compromise devices and perform distributed denial-of-service (DDoS) attacks.

5 Reasons Why Programmers Should Think like Hackers

thehackernews.com/2019/12/cybersecurity-for-programmers.html Programming has five main steps: the identification and definition of the problem, the planning of the solution for the problem, coding of the program, testing, and documentation. It’s a meticulous process that cannot be completed without going through all the essential points. In all of these, security must be taken into account. As you come up with a solution to the problem and write the code for it, you need to make sure security is kept intact.

Malicious .DWG Files?

isc.sans.edu/forums/diary/Malicious+DWG+Files/25612/ This weekend, I took a look at AutoCAD drawing files (.dwg) with embedded VBA macros. When a .dwg file contains VBA macros, a Compound File Binary Format file (what I like to call an OLE file) is embedded inside the .dwg file. This OLE file contains the VBA macros. It’s similar to .docm files, except that a .dwg file is not a ZIP container.

Echobot IoT Botnet Casts a Wide Net with Raft of Exploit Additions

threatpost.com/echobot-iot-botnet-exploit-additions/151154/ A variant of the Mirai Internet of Things (IoT) botnet known as Echobot has added 13 more vulnerability exploits to its bag of infiltration tricks, according to researchers. These target a range of devices, including routers, firewalls, IP cameras, server management utilities, a programmable logic controller used in industrial environments, an online payment system and even a Yachtcontrol web application.

Web Cache Deception attacks still impact websites with ‘substantial user populations’

www.zdnet.com/article/web-cache-deception-attacks-still-impact-websites-with-substantial-user-populations/ Two years after first being disclosed, web cache deception attacks impact 25 of today’s most popular websites. Almost two years after first being documented, Web Cache Deception attacks are still a major issue, and they still impact many popular websites. New academic research published this month reveals that 25 of the Alexa Top 5,000 websites are still impacted by Web Cache Deception (WCD) attacks.

Google blundered: a nasty bug remained in Chrome and people are barking up the wrong tree

www.is.fi/digitoday/art-2000006344830.html Google has suspended updates of its Chrome browser for Android devices. The updated version has led to data loss for possibly millions of users. The cause of the fault was the move of the Chrome browser to a new directory, but not everyone's content was migrated along with the change. As a result, users cannot access the contents of the localStorage and WebSQL stores used by many websites and web applications running in the browser. Also:

Over 435K Security Certs Can Be Compromised With Less Than $3,000

www.bleepingcomputer.com/news/security/over-435k-security-certs-can-be-compromised-with-less-than-3-000/ After analyzing millions of RSA keys and certificates generated on low-entropy lightweight IoT devices, security researchers at Keyfactor discovered that more than 435,000 of them shared their prime factors, making it easy to derive their private keys and compromise them. RSA keys are derived from random prime numbers (prime factors) and are used to securely transfer data to a remote source by encrypting it with the publicly available key, a process that only allows the remote source to decrypt the information using a private key. Also:

Chinese e-commerce site LightInTheBox.com bared 1.3TB of server logs, user data and more

www.theregister.co.uk/2019/12/16/lightinthebox_data_breach_1_5bn_customer_records/ Exclusive: Infosec researchers have uncovered a data breach affecting 1.3TB of web server log entries held by Chinese e-commerce website LightInTheBox.com. Noam Rotem and Ran Locar, VPN comparison site VPNmentor's research team, uncovered the breach in late November.

Talos Vulnerability Discovery Year in Review 2019

blog.talosintelligence.com/2019/12/vulnerability-discovery-2019.html Cisco Talos’ Systems Security Research Team investigates software, operating system, IoT and ICS vulnerabilities to make sure we find vulnerabilities before the bad guys do. We provide this information to the affected vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch.

Phishing Campaign Targets Login Credentials of Multiple US, International Government Procurement Services

www.anomali.com/blog/phishing-campaign-targets-login-credentials-of-multiple-us-international-government-procurement-services The Anomali Threat Research Team identified a credential harvesting campaign designed to steal login details from multiple government procurement services. The procurement services are used by many public and private sector organisations to match buyers and suppliers. In this campaign, attackers spoofed sites for multiple international government departments, email services and two courier services. Lure documents sent via phishing emails were found to contain links to spoof phishing sites masquerading as legitimate login pages relevant to the spoofed government agencies.

Ryuk Ransomware Likely Behind New Orleans Cyberattack

www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/ Based on files uploaded to the VirusTotal scanning service, the ransomware attack on the City of New Orleans was likely carried out by the Ryuk Ransomware threat actors. On December 14th, 2019, one day after the City of New Orleans ransomware attack, what appear to be memory dumps of suspicious executables were uploaded from a US IP address to the VirusTotal scanning service.

N.J.'s Largest Hospital System Pays Up in Ransomware Attack

threatpost.com/ransomware-attack-new-jersey-largest-hospital-system/151148/ The ransomware attack earlier this month led the hospital system to reschedule surgeries and appointments. New Jersey's largest hospital system said that it has paid hackers a ransom after a ransomware attack disrupted its services earlier this month. Hackensack Meridian Health, a $6 billion non-profit health provider system based in Edison, N.J., operates 17 hospitals, nursing homes and outpatient centers, as well as the psychiatric facility Carrier Clinic. The hospital system told media outlets on Friday that it was targeted by a cyberattack on Dec. 2, crippling its computer software systems for nearly five days.
