Daily NCSC-FI news followup 2019-12-17


click.broadcasts.visa.com/xfm/?30761/0/0624013ddc6f39785bf56d504f3b812e/lonew In summer 2019, Visa Payment Fraud Disruption (PFD) identified three unique attacks targeting merchant point-of-sale (POS) systems that were likely carried out by sophisticated cybercrime groups. Two of the attacks targeted the POS systems of North American fuel dispenser merchants. PFD recently reported on the observed increase of POS attacks against fuel dispenser merchants, and it is likely these merchants are an increasingly attractive target for cybercrime groups. Track 1 and track 2 payment card data was at risk in the merchants’ POS environments due to the lack of secure acceptance technology (e.g. EMV® Chip, Point-to-Point Encryption, Tokenization) and non-compliance with PCI DSS. The activity detailed in this alert highlights continued targeting of POS systems, as well as targeted interest in compromising fuel dispenser merchants to obtain track data.


N.J.’s Largest Hospital System Pays Up in Ransomware Attack

threatpost.com/ransomware-attack-new-jersey-largest-hospital-system/151148/ The ransomware attack earlier this month led the hospital system to reschedule surgeries and appointments. New Jersey’s largest hospital system said that it has paid hackers a ransom after a ransomware attack disrupted its services earlier this month.

BreakingApp WhatsApp Crash & Data Loss Bug

research.checkpoint.com/2019/breakingapp-whatsapp-crash-data-loss-bug/ Some of the latest news regarding WhatsApp vulnerabilities relate to manipulation of the WhatsApp protocol using a tool built by Check Point Research to validate WhatsApp security without jeopardizing WhatsApp’s end-to-end encryption. This tool allows a user to modify WhatsApp messages before they are sent and to change general parameters, such as a participant’s phone number. Read also:

www.wired.com/story/whatsapp-group-chat-crash-bug/ and

www.tivi.fi/uutiset/tv/bf84cbef-83f1-4916-9b01-ce6d23c4de0c



F-Secure finds major vulnerabilities in popular wireless presentation system

press.f-secure.com/2019/12/16/f-secure-finds-major-vulnerabilities-in-popular-wireless-presentation-system/ Security consultants warn that the devices we trust without a second thought are attackers’ favorite targets. Consultants with cyber security provider F-Secure have discovered several exploitable vulnerabilities in a popular wireless presentation system. Attackers can use the flaws to intercept and manipulate information during presentations, steal passwords and other confidential information, and install backdoors and other malware. Barco’s ClickShare wireless presentation system is a collaboration tool that helps groups of people present content from different devices. ClickShare is a market-leading wireless presentation system with a market share of 29% according to FutureSource Consulting’s “Global wireless presentation solutions 2019” report. F-Secure Consulting’s Dmitry Janushkevich, a senior consultant who specializes in hardware security, says the popularity of these user-friendly tools makes them logical targets for attack, which is what compelled his team to investigate. Read also:

www.wired.com/story/dten-video-conferencing-vulnerabilities/


Microsoft’s advice: how not to encourage cybercriminals

www.tivi.fi/uutiset/tv/7b29a743-3129-4564-ac1b-c77cc9b7c87e The surge of malware has once again left Americans wondering whether those demanding ransom should be paid or not. Microsoft has for the first time made its own position clear: absolutely not. According to the software giant, every organization should prepare in good time for attacks such as ransomware. Assessing the general state of corporate security, Microsoft says it is a question of “when”, not “if”.


Operator did not bother to protect its customer data, received almost EUR 10 million in GDPR fines

www.kauppalehti.fi/uutiset/operaattori-ei-vaivautunut-suojaamaan-asiakasdataansa-sai-lahes-10-miljoonan-euron-gdpr-sakot/56761224-361d-4563-ab10-928301d27501 German telecom operator 1&1 Telecommunications was fined EUR 9.55 million for a serious GDPR violation.


South African IT firm Conor behind the leak of 1 million web browsing records

www.zdnet.com/article/south-african-it-firm-conor-behind-the-leak-of-1-million-web-browsing-records/ Over 890GB of browsing log data covering all online activities of over 1 million users has been revealed due to an unencrypted database originating from a web filter app built by Conor. A database containing highly sensitive and private information and activity, including porn browsing history, has been exposed, with users in South Africa mostly affected.


It’s time to disconnect RDP from the internet

www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/ Brute-force attacks and BlueKeep exploits usurp the convenience of direct RDP connections; ESET releases a tool to test your Windows machines for vulnerable versions. While the BlueKeep (CVE-2019-0708) vulnerability has not, to date, caused widespread havoc, and we will be looking at the reasons why in this post, it is still very early in its exploitation life cycle. The fact remains that many systems are still not patched, and a thoroughly wormable version of the exploit might still be found. Because of these factors, ESET has created a free utility to check whether a Windows machine is still vulnerable to BlueKeep.

TP-Link Router Bug Lets Attackers Login Without Passwords

www.bleepingcomputer.com/news/security/tp-link-router-bug-lets-attackers-login-without-passwords/ TP-Link patched a critical vulnerability impacting some of its Archer routers that could allow potential attackers to void the admin password and remotely take control of the devices over the LAN via a Telnet connection. “If exploited, this router vulnerability can allow a remote attacker to take control of the router’s configuration via Telnet on the local area network (LAN) and connect to a File Transfer Protocol (FTP) server through the LAN or wide area network (WAN),” found IBM X-Force Red’s Grzegorz Wypych. To exploit this flaw, an attacker sends an HTTP request containing a character string longer than the allowed number of bytes, with the result that the user password is completely voided and replaced with an empty value. This works despite built-in validation because that validation only checks the HTTP Referer header, so an attacker can make the router’s httpd service treat the request as legitimate simply by supplying the hardcoded tplinkwifi.net value.
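
The two defects described above, a Referer check standing in for authentication and a handler that fails open on over-length input, are easy to model side by side with a hardened version. The following is an added example, not code from the article, from IBM X-Force or from TP-Link firmware: the password length limit, the session cookie, the handler names and the `Router` class are assumptions, and the “over-length value leaves an empty password” behaviour is reproduced only as the observable result the article describes, not as the firmware’s actual mechanism.

```python
# Added example: a model of Referer-only "validation" that fails open, next
# to a handler that authenticates first and fails closed. Names and limits
# are assumptions, not taken from the TP-Link firmware.
from urllib.parse import urlsplit

MAX_PASSWORD_LEN = 15                # assumed limit; the real one is not on the page
ALLOWED_REFERER_HOST = "tplinkwifi.net"


class Router:
    def __init__(self, admin_password="initial-secret", session_token="s3ss10n"):
        self.admin_password = admin_password
        self.session_token = session_token   # assumed: cookie of a logged-in admin

    # Vulnerable pattern: a matching Referer is treated as proof of authority,
    # although the client chooses that header freely.
    def vulnerable_set_password(self, headers, new_password):
        referer = headers.get("Referer", "")
        if ALLOWED_REFERER_HOST not in referer:
            return "rejected: bad referer"
        if len(new_password) > MAX_PASSWORD_LEN:
            # Models the observable outcome described above: an over-length
            # value ends up as an empty password. The real firmware mechanism
            # is not on the page and is not reproduced here.
            self.admin_password = ""
            return "password voided"
        self.admin_password = new_password
        return "password changed"

    # Hardened pattern: authenticate, then check the origin exactly, then
    # validate input and reject anything out of range instead of storing it.
    def hardened_set_password(self, headers, new_password):
        if headers.get("Cookie") != "session=" + self.session_token:
            return "rejected: not authenticated"
        host = urlsplit(headers.get("Referer", "")).hostname
        if host != ALLOWED_REFERER_HOST:          # CSRF hygiene, not authentication
            return "rejected: bad referer"
        if not 1 <= len(new_password) <= MAX_PASSWORD_LEN:
            return "rejected: bad length"        # fail closed; never store ""
        self.admin_password = new_password
        return "password changed"

    def login_ok(self, password):
        return password == self.admin_password


def demo():
    """Run both handlers against the same unauthenticated request."""
    attacker_headers = {"Referer": "http://tplinkwifi.net/"}   # attacker-chosen
    oversized = "A" * (MAX_PASSWORD_LEN + 1)

    r1 = Router()
    v = r1.vulnerable_set_password(attacker_headers, oversized)
    r2 = Router()
    h = r2.hardened_set_password(attacker_headers, oversized)
    return {
        "vulnerable": (v, r1.login_ok("")),   # ("password voided", True)
        "hardened": (h, r2.login_ok("")),     # ("rejected: not authenticated", False)
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler accepts any request whose Referer mentions tplinkwifi.net, a value the attacker supplies, and turns a bad input into an empty password; the hardened one requires a session first, treats the Referer check purely as CSRF hygiene, and rejects an out-of-range value rather than storing it.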

Emotet Trojan is Inviting You To A Malicious Christmas Party

www.bleepingcomputer.com/news/security/emotet-trojan-is-inviting-you-to-a-malicious-christmas-party/ Just in time for the holidays, the Emotet Trojan gang has started to send Christmas-themed emails that they hope will entice you to open their attachments and become infected. They even want you to wear your ugliest Christmas sweater! When the Emotet crew sends out a spam campaign, their main goal is to get the recipient to open the attached malicious document so they are infected with the Emotet Trojan and other malware. This is typically done using a variety of email themes such as payment invoices, payment receipts, shipping details, voicemails, and eFaxes. During the major holidays, Emotet takes a more festive mood by sending out holiday-themed emails that invite you to Halloween, Thanksgiving, and now Christmas parties.

Where the 5G Data Storm Will Hit First

www.wired.com/story/where-5g-data-storm-will-hit-first/ While we’re all waiting for our phones to see speeds of 10 gigs per second, next-gen wireless tech will transform transportation, medicine, manufacturing, and VR. Blazing-fast speeds! Zero latency! Moar data to moar devices! Unless you’ve been trapped in a tech-news dead zone, you’ve heard that the rollout of the next generation of wireless broadband has begun. Still, smartphone data addicts shouldn’t hold their breath for speeds of 10 gigabits per second. To provide the kind of 5G coverage consumers will expect, carriers will need to install as many as 20 access points per square kilometer, an expensive endeavor that will take years. Until then, we’ll have to accept that 5G is here, but it’s unevenly distributed. Here are some places to watch for it in the (nearish) future. The folks who are gunning to make cars drive themselves are itching for 5G connectivity. Why? The faster you can get data into and out of a rolling robot, the better the experience. Constantly updated, ultrahigh-res maps of their environment make the ride safer and smoother. Developers in remote operation centers will also be monitoring lidar and camera feeds to keep an eye on their creations. And, of course, while they roll, their liberated occupants will demand streaming entertainment (and advertisers will demand to pummel them with targeted ads). But that’s all for the current kind of self-driving car, the one that watches but doesn’t talk to its surroundings. Way more exciting, if we’re talking real 5G, is not replacing human drivers but completely rethinking the way cars drive. Link vehicles together and we’ll solidly surpass human limitations. Cars could move like schools of fish, in unison, smoothly and tightly, without colliding. Engineers have longed to let cars swap data on location, speed, and heading for decades, and since the ’90s many have pinned their hopes on short-range radio transmitters. 
In 2017, UC Berkeley researchers sent a trio of connected semi-trucks down a highway with just 60 to 140 feet between them. Such convoys could improve fuel efficiency by letting vehicles draft each other and might even allow for going human-free in all but the lead truck. But the tech’s max range is only about 3,000 feet, it can’t handle many vehicles at once, and it requires special hardware in each car. Which helps explain why such luxuries are available only in a top-line Cadillac, leaving precious few chances for meaningful carversation.

Weak Crypto Practice Undermining IoT Device Security

www.darkreading.com/iot/weak-crypto-practice-undermining-iot-device-security/d/d-id/1336636 Keyfactor says it was able to break nearly 250,000 distinct RSA keys, many associated with routers, wireless access points, and other Internet-connected devices. A failure by many IoT device manufacturers to follow cryptographic best practices is leaving a high proportion of the devices vulnerable to attack, researchers warn. Researchers at Keyfactor recently collected some 175 million RSA certificates and keys from the Internet using a proprietary SSL/TLS certificate discovery process and then analyzed the data using a particular mathematical method. The analysis showed that roughly 435,000 of the RSA certificates analyzed, or roughly 1 in every 172 active certificates, were vulnerable to compromise or attack. A high percentage of the weak certificates belonged to routers, modems, firewalls, and other network devices. Other potentially impacted devices included cars and medical implants.
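
The summary does not say which mathematical method Keyfactor used. The classic way a large collection of RSA public keys from low-entropy devices gets broken is by finding moduli that share a prime factor: two keys generated from the same weak random stream share a prime, and a single GCD recovers it, which factors both moduli without any attack on RSA itself. Bernstein-style batch GCD with a product tree and a remainder tree makes that feasible across millions of keys. The following is an added example of that technique; it is not Keyfactor’s code and makes no claim about their exact procedure. The six primes and the moduli built from them are constructed test data chosen small enough to read; a real run would use 2048-bit moduli parsed from the collected certificates.

```python
# Added example: batch GCD over a set of RSA moduli to find keys that share a
# prime. Not Keyfactor's code; the moduli below are constructed test data.
from math import gcd


def product_tree(leaves):
    """Levels of pairwise products: leaves first, a single root last."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    return tree


def batch_gcd(moduli):
    """Return, for each n_i, gcd(n_i, product of all the other moduli).

    Instead of n^2 pairwise gcds, walk a remainder tree: the root holds
    P = prod(n_j); each node reduces its parent's value mod (node value)^2,
    so a leaf ends with P mod n_i^2 = n_i * (prod of the others mod n_i).
    """
    if not moduli:
        return []
    tree = product_tree(moduli)
    rems = [tree[-1][0]]
    for lvl in reversed(tree[:-1]):
        parent = rems
        rems = [parent[i // 2] % (x * x) for i, x in enumerate(lvl)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def factor_weak_keys(moduli):
    """Map index -> (p, q) for every modulus that shares a prime with another."""
    found = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue                       # no factor in common with any other key
        if g == n:
            # Both primes are shared (or the key is an exact duplicate), so the
            # batch result is the whole modulus; split it with pairwise gcds.
            g = next((h for h in (gcd(n, m) for j, m in enumerate(moduli) if j != i)
                      if 1 < h < n), n)
            if g == n:
                found[i] = ("duplicate", n)
                continue
        found[i] = (g, n // g)
    return found


# Constructed test data: small primes standing in for 1024-bit ones, arranged
# so that some keys share one prime, two are identical and one is clean.
PRIMES = [1000003, 1000033, 1000037, 1000039, 1000081, 1000099]
SAMPLE_MODULI = [
    PRIMES[0] * PRIMES[1],   # shares PRIMES[1] with the next key
    PRIMES[1] * PRIMES[2],   # shares a prime with keys 0, 2 and 4
    PRIMES[2] * PRIMES[3],   # shares PRIMES[2] with key 1
    PRIMES[4] * PRIMES[5],   # unique factors: stays unbroken
    PRIMES[0] * PRIMES[1],   # exact duplicate of key 0
]

if __name__ == "__main__":
    for idx, pq in sorted(factor_weak_keys(SAMPLE_MODULI).items()):
        print(idx, pq)
```

Only key 3, whose primes appear nowhere else, survives; every other key is factored, including the duplicate, which shares a prime with key 1 and so splits pairwise. The same shape of result, at scale, is what the device-side finding above amounts to: keys generated on hardware with too little entropy at first boot collide, and anyone who collects enough public keys can factor them.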

Mobile Devices Account for 41% of DDoS Attack Traffic

www.darkreading.com/attacks-breaches/mobile-devices-account-for-41–of-ddos-attack-traffic/d/d-id/1336635 DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of traffic. The number of distributed denial-of-service (DDoS) attacks rose 86% in the third quarter compared to a year ago, with amplification attacks using the domain name system (DNS) remaining the most popular technique for attacking targets. DNS amplification attacks accounted for 45% of the attacks, while HTTP floods and TCP SYN attacks accounted for 14% and 7.7%, respectively, according to new data published by network security firm Nexusguard.

Ransomware ‘Crisis’ in US Schools: More Than 1,000 Hit So Far in 2019

www.darkreading.com/threat-intelligence/ransomware-crisis-in-us-schools-more-than-1000-hit-so-far-in-2019/d/d-id/1336634 Meanwhile, the mayor of the city of New Orleans says no ransom money demands were made as her city struggles to recover from a major ransomware attack launched last week. Ransomware attacks have continued pummeling US schools, with 11 new school districts (226 schools) hit since October, while major US cities such as New Orleans and Pensacola gradually recover from attacks this month.

“The cyber army has taken on God’s task”: approaching elections heat up emotions

www.tivi.fi/uutiset/tv/5227b98d-c75e-4dad-9a13-3e487312f0db Nowadays no election of any kind can be held without voter influencing through online services surfacing in the discussion. Taiwan holds elections in January, and the waves are already running high. It is not enough that the competing parties wrangle with each other. Its giant neighbour China, which regards Taiwan as one of its provinces and by no means as an independent state, turns up the heat further. CNBC writes that Facebook says it has just shut down about a hundred Taiwanese pages and roughly the same number of groups. This is tied to FB’s promise to protect the integrity of the upcoming elections.


A new vulnerability lurks in VPN connections; there is no fix, but here is how you can protect yourself

www.tivi.fi/uutiset/tv/06695771-334e-4f5b-a4ed-2a3b73dd7537 A vulnerability has been found in the network stack of Unix-based operating systems that makes it possible to inject data into VPN-tunnelled traffic and to snoop on the state of VPN connections. Unix-based operating systems include Linux, Apple’s macOS and Google’s Android. According to a bulletin from Traficom’s National Cyber Security Centre, the vulnerability concerns a feature of the TCP/IP stack in which an end device has several IP addresses. If the destination address of IP packets arriving on a given physical network adapter does not match the network configured on that adapter, the packets are either discarded (strong host model) or accepted (weak host model). The latter configuration is what makes the newly found vulnerability exploitable: IP packets that arrived from outside the tunnel are processed as if they had come through the tunnel.

“Not an inch must be given”: the aftermath of Trafi’s data protection problems has now been dealt with

www.tivi.fi/uutiset/tv/2cdca48b-af33-4dba-ad93-d059d6bc3066 A year ago, a problem was found in the new online service of the then Finnish Transport Safety Agency Trafi, and the fallout has kept people busy for a year. In December last year it was discovered that Trafi’s new online service allowed personal data of Finns to be retrieved far more broadly than necessary. The actual purpose of the service was to provide information about a driver’s driving entitlement. Trafi hit the panic button and took all of its electronic services offline to make sure the driver-data service was shut down while the matter was investigated.

Alexa, Google Home Eavesdropping Hack Not Yet Fixed

threatpost.com/alexa-google-home-eavesdropping-hack-not-yet-fixed/151164/ Researchers say that Amazon and Google need to focus on weeding out malicious skills from the get-go, rather than after they are already live. Months after researchers disclosed a new way to exploit Alexa and Google Home smart speakers to spy on users, those same researchers now warn that Amazon and Google have yet to create effective ways to prevent the eavesdropping hack.

Update Intel’s Rapid Storage App to Fix Bug Letting Malware Evade AV

www.bleepingcomputer.com/news/security/update-intels-rapid-storage-app-to-fix-bug-letting-malware-evade-av/ A DLL hijacking vulnerability exists in an older version of the Intel Rapid Storage Technology (Intel RST) software that could allow malicious programs to appear as a trusted program and thus bypass antivirus engines.

Facebook’s Tor Site Down for Over a Week Due to Expired TLS Cert

www.bleepingcomputer.com/news/security/facebooks-tor-site-down-for-over-a-week-due-to-expired-tls-cert/ Facebook has announced that its Tor gateway will be down for one to two weeks due to an expired TLS certificate. This is a bit strange as it normally should not take two weeks to renew a certificate.

Day-care centre director sent sensitive information about a child by unencrypted email, reprimanded by the Deputy Chancellor of Justice

www.tivi.fi/uutiset/tv/0d14c43a-c53d-4248-946b-2e4188c59520 Email is often an unbeatably convenient way to handle communication needs, but it is not always the right one. A day-care centre director was reminded of this when her use of email ended up being examined by Deputy Chancellor of Justice Mikko Puumalainen. The examination was requested by a complainant to whom the director had sent sensitive and confidential information in unprotected email. The message clearly shows the child welfare matter it concerns and to whom it was sent. The error happened when the complainant had sent email to the day-care centre and the director had replied, likewise by email. The reply also went to the service director, who had also been a recipient of the complainant’s original message. Puumalainen states that the director did not act in the manner required by the Act on the Openness of Government Activities and did not follow the city’s data protection guidance. The case was, however, interpreted as an isolated mistake. The Deputy Chancellor’s decision is to draw the director’s attention to the provisions of the Openness Act on handling confidential information and to the sending of emails containing confidential information as secure email. The complaint gives no cause for further action.

Lazarus pivots to Linux attacks through Dacls Trojan

www.zdnet.com/article/lazarus-pivots-to-linux-attacks-through-dacls-trojan/ Lazarus, an advanced persistent threat (APT) group, has expanded its reach with the development and use of a Trojan designed to attack Linux systems.

South Korean industrial giants slammed in active info-stealing APT campaign

www.zdnet.com/article/south-korean-industrial-giants-slammed-in-new-info-stealing-hacker-campaign/ Over 200 companies are reported as victims of the covert cyberespionage effort. An ongoing cyberespionage campaign against industrial, engineering, and manufacturing organizations has been exposed by researchers.

IBM X-Force Security Predictions for 2020

securityintelligence.com/posts/ibm-x-force-security-predictions-for-2020/ With 2019 coming to a close, it’s time to reflect on the year and also look at what the new year will bring.

Iranian Attacks on Industrial Control Systems

www.schneier.com/blog/archives/2019/12/iranian_attacks.html At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company’s threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin. Microsoft has watched the group carry out so-called password-spraying attacks over the past year that try just a few common passwords across user accounts at tens of thousands of organizations. That’s generally considered a crude and indiscriminate form of hacking. But over the last two months, Microsoft says APT33 has significantly narrowed its password spraying to around 2,000 organizations per month, while increasing the number of accounts targeted at each of those organizations almost tenfold on average.
