Daily NCSC-FI news followup 2019-12-18

MPY:n runkoverkkoon iski vakava häiriö ja suuri osa tietoliikenneyhteyksistä meni poikki “Liian pitkä katkos, palaverin paikka”

lansi-savo.fi/uutiset/lahella/412aad43-f61a-4456-a342-9e98bd254d16 MPY tiedotti iltapäivällä vakavasta häiriöstä runkoverkossaan ja kertoi suuren osan yhteyksistä olevan poikki. Yhteys korjaantui seitsemän jälkeen illalla. . Myyntijohtaja Juha Putkonen kertoo, että asia havaittiin kahden maissa iltapäivällä eli katkos kesti noin viisi tuntia.. Myös:


Seven Critical Vulnerabilities Discovered in Portainer

www.fortinet.com/blog/threat-research/seven-critical-vulnerabilities-portainer.html Portainer is a lightweight management UI which allows you to easily manage your Docker host or Swarm cluster. Over the past few months, FortiGuard Labs has been working closely with the Portainer team to address multiple critical vulnerabilities that we discovered in their Portainer application. In this technical advisory we will provide an overview of each of these vulnerabilities

Protecting programmatic access to user data with Binary Authorization for Borg

security.googleblog.com/2019/12/protecting-programmatic-access-to-user.html At Google, the safety of user data is our paramount concern and we strive to protect it comprehensively. That includes protection from insider risk, which is the possible risk that employees could use their organizational knowledge or access to perform malicious acts. Today, were releasing a whitepaper, Binary Authorization for Borg: how Google verifies code provenance and implements code identity, that explains one of the mechanisms we use to protect user data from insider risks on Google’s cluster management system Borg.

Nuclear Bot Author Arrested in Sextortion Case

krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/ Last summer, a wave of sextortion emails began flooding inboxes around the world. The spammers behind this scheme claimed theyd hacked your computer and recorded videos of you watching porn, and promised to release the embarrassing footage to all your contacts unless a bitcoin demand was paid. Now, French authorities say theyve charged two men they believe are responsible for masterminding this scam. One of them is a 21-year-old hacker interviewed by KrebsOnSecurity in 2017 who openly admitted to authoring a banking trojan called Nuclear Bot.

14 Ways to Evade Botnet Malware Attacks On Your Computers

thehackernews.com/2019/12/botnet-malware-attacks.html Cybercriminals are busy innovators, adapting their weapons and attack strategies, and ruthlessly roaming the web in search of their next big score. Every manner of sensitive information, such as confidential employee records, customers’ financial data, protected medical documents, and government files, are all subject to their relentless threats to cybersecurity.

Emotet infection with spambot activity

isc.sans.edu/forums/diary/Emotet+infection+with+spambot+activity/25622/ On Monday 2019-12-16, I tested some Emotet samples. I normally get Trickbot as the follow-up malware, which I’ve already documented from Monday. But every once in a while, I’ll see spambot traffic instead of (or in addition to) Trickbot. When I tested another Emotet sample later that day, I saw spambot traffic. Today’s diary reviews information from that infection.

Microsoft Issues Out-of-Band Update for SharePoint Bug

threatpost.com/microsoft-issues-out-of-band-update-sharepoint-bug/151260/ An attacker could exploit CVE-2019-1491 to obtain sensitive information that could be used to mount further attacks. Microsoft has released out-of-band security updates to address a vulnerability in SharePoint Server. According to a Microsoft Security Advisory, an attacker could exploit the bug (CVE-2019-1491) to obtain sensitive information and then use that information to mount further attacks.

Another ransomware strain is now stealing data before encrypting it

www.zdnet.com/article/another-ransomware-strain-is-now-stealing-data-before-encrypting-it/ The Zeppelin ransomware gang has joined the ranks of ransomware strains that will also collect and steal a victim’s data before encrypting files. Zeppelin joins Maze, REvil (Sodinokibi), Snatch, and the now-defunct Merry Christmas ransomware in doing so. The discovery that Zeppelin also steals victim data before the encryption process was made by cyber-security firm Morphisec while investigating and providing incident response services to a Zeppelin victim in the real estate sector.. Related: ScreenConnect MSP Software Used to Install Zeppelin Ransomware.


Pohjoissavolainen Janne, 39, joutui ovelan huijauksen kohteeksi sitten työsähköpostista lähti viestejä sadoille vastaanottajille

www.is.fi/digitoday/tietoturva/art-2000006347025.html Pohjoissavolainen teollisuusyrittäjä Janne, 39, joutui torstaina sähköpostihuijauksen uhriksi. Saksalaiselta tavarantoimittajalta tuli osana englanninkielistä tarjouspyyntökeskustelua latauslinkki isokokoiseen tiedostoon. Tämä on täysin normaalia, sillä raskaita liitetiedostoja on usein tapana siirtää pilvipalvelimen kautta. TRAFICOMIN kyberturvallisuuskeskuksen tietoturva-asiantuntija Ville Kontinen sanoo tietojenkalastelun olevan suomalaisten yleisimmin kohtaama tietoturvauhka, ja niiden yleisin kohde ovat Office 365 – -tunnukset. Käytännössä noin yksi suomalainen menettää tunnuksensa Office-kalasteluun per arkipäivä.

Hackers Could Use Smart Displays to Spy on Meetings

www.wired.com/story/dten-video-conferencing-vulnerabilities/ By exploiting flaws in popular video conferencing hardware from DTEN, attackers can monitor audio, capture slidesand take full control of devices. Add another entry to the list of internet-connected devices causing problems in unexpected places. Touchscreen smart TVs from DTEN, a “certified hardware provider” for popular video conferencing service Zoom, have flaws that hackers could use to essentially bug conference rooms, lift video feeds, or nab notes written on the device’s digital whiteboard. Just one more reason to hate long meetings.

Olikohan järkevää? Hakkerit veivät 15 miljoonan ihmisen tiedot järjestelmästä yhtiö maksoi lunnaat datan palauttamiseksi

www.tivi.fi/uutiset/tv/f6d14285-a4c2-4fe8-b26e-3ded13b3e71c Kanadalainen laboratoriotestien hallinnointiin erikoistunut yritys joutui marraskuussa hyökkäyksen kohteeksi. Yhtiö kertoo maksaneensa hakkereille lunnaat tietojen palauttamisesta. Also:





Attackers Posing as German Authorities Distribute Emotet Malware

www.bleepingcomputer.com/news/security/attackers-posing-as-german-authorities-distribute-emotet-malware/ An active malspam campaign is distributing Emotet banking Trojan payloads via emails camouflaged to look like messages delivered by several German federal authorities warns the BSI, Germany’s federal cybersecurity agency. The attackers behind this malicious campaign have already successfully infected a number of federal administration authorities during the last few days according to reports cited by the BSI (also known as the Federal Office for Security in Information Technology Bundesamt für Sicherheit in der Informationstechnik).

OilRigs Poison Frog old samples, same trick

securelist.com/oilrigs-poison-frog/95490/ After we wrote our private report on the OilRig leak, we decided to scan our archives with our YARA rule, to hunt for new and older samples. Aside from finding some new samples, we believe we also succeeded in finding some of the first Poison Frog samples. Were not quite sure whether the name Poison Frog is the name given to the backdoor by the malware authors, or by the leakers. The fact is though, that one of the earliest Poison Frog samples we could find uses poison-frog[.]club as the domain name for its C2.

We Tested Rings Security. Its Awful

www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security Ring lacks basic security features, making it easy for hackers to turn the company’s cameras against its customers. From across the other side of the world, a colleague has just accessed my Ring account, and in turn, a live-feed of a Ring camera in my apartment. He sent a screenshot of me stretching, getting ready for work. Then a second colleague accessed the camera from another country, and started talking to me through the Ring device.

Industrial Cyber-Espionage Campaign Targets Hundreds of Companies

www.bleepingcomputer.com/news/security/industrial-cyber-espionage-campaign-targets-hundreds-of-companies/ Hundreds of industrial companies are currently the targets of cyber-espionage activity from an advanced threat actor. The adversary uses a new version of an older info-stealer to extract sensitive data and files. The attacker uses spear-phishing emails with malicious attachments often disguised as PDF files. Separ is the malware of choice, which steals login data from browsers and email clients, also hunting for various types of documents and images.

Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia

unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/ In late June 2018, Unit 42 revealed a previously unknown cyber espionage group we dubbed Rancor, which conducted targeted attacks in Southeast Asia throughout 2017 and 2018. In recent attacks, the group has persistently targeted at least one government organization in Cambodia from December 2018 through January 2019. While researching these attacks, we discovered an undocumented, custom malware family which weve named Dudell. In addition, we discovered the group using Derusbi, which is a malware family believed to be unique to a small subset of Chinese cyber espionage groups.

Hackers hit Norsk Hydro with ransomware. The company responded with transparency

news.microsoft.com/transform/hackers-hit-norsk-hydro-ransomware-company-responded-transparency/ he bedside phone rang at 4 a.m. in Oslo, Norway. The pre-dawn call filled Torstein Gimnes Are with a drowsy sense of dread. That only deepened when he heard the first words from the other end. We may be under attack, said his IT colleague at Norsk Hydro, one of the worlds largest aluminum companies. Production lines had stopped at some of its 170 plants. Other facilities were switching from computer to manual operations. – Bad news. – It would get worse.

Tietomurtoepäily sähköpotkulautayritys VOI:ssa – yli miljoonan käyttäjän tiedot saattaneet vuotaa

www.iltalehti.fi/ulkomaat/a/d31bd30f-5646-4151-92c4-c4165b6b4775 Sähköpotkulautoja tarjoava ruotsalaisyhtiö VOI on joutunut tietomurron kohteeksi, minkä seurauksena yli miljoonan ihmiset tiedot ovat saattaneet vuotaa. Tietomurto tapahtui marraskuussa ja sen kuviteltiin aluksi olevan pienempi, kertoo ruotsalainen teknologiauutisiin keskittyvä sivusto Di Digital.

Incident Response lessons from recent Maze ransomware attacks

blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html This year, we have been flooded with reports of targeted ransomware attacks. Whether it’s a city, hospital, large- or medium-sized enterprise they are all being targeted. These attacks can result in significant damage, cost, and have many different initial infection vectors. Recently, Talos Incident Response has been engaged with a couple of these attacks, which involved the use of targeted ransomware. The concept of targeted ransomware attacks is simple: Get access to a corporate network, gain access to many systems, encrypt the data on a large chunk of them, ask for a large lump sum payment to regain access to those systems, and profit.

You might be interested in …

Daily NCSC-FI news followup 2020-06-02

Varo tätä ilmiötä: huijarit tehtailevat oikeista konserttistriimeistä valetapahtumia, joiden avulla yritetään kalastaa luottokorttitietoja yle.fi/uutiset/3-11380829 Idea on yksinkertainen. Huijari luo aidon näköisen Facebook-eventin ja tarjoaa klikattavaksi linkkiä, jossa muka voisi ostaa lipun konserttistriimiin. Entä jos huomaa tulleensa huijatuksi? Miten toimia?. – Ihan ensimmäisenä ja aika nopeasti pitäisi ottaa yhteyttä pankkiin. Parhaassa tapauksessa sieltä pystytään vielä estämään […]

Read More

Daily NCSC-FI news followup 2021-04-11

Clubhouse data leak: 1.3 million user records leaked online for free cybernews.com/security/clubhouse-data-leak-1-3-million-user-records-leaked-for-free-online/ So far, it seems like its been the worst week of the year for social media platforms in terms of data leaks, with Clubhouse seemingly joining the fray. Sudden New Warning Will Surprise Millions Of WhatsApp Users www.forbes.com/sites/zakdoffman/2021/04/10/shock-new-warning-for-millions-of-whatsapp-users-on-apple-iphone-and-google-android-phones/ A nasty new surprise for […]

Read More

Daily NCSC-FI news followup 2021-03-05

PLEASE LEAVE AN EXPLOIT AFTER THE BEEP www.dubex.dk/aktuelt/nyheder/please-leave-an-exploit-after-the-beep In January 2021, Dubex investigated suspicious activity on a set of Exchange servers. Generic post exploitation activity was seen, and many POST requests were sent to webshells hosted in the OWA directory. It was initially suspected the servers might be backdoored directly through the OWA and that […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.