
Daily NCSC-FI news followup 2020-01-09

Satasairaala hit by another data network outage; fault worse than thought, problems in basic social and health services as well

yle.fi/uutiset/3-11149405 The outage began on Thursday morning and lasted about 20 minutes. According to Satasairaala's CIO Leena Ollonqvist, the hospital's IT department was running a test intended to prevent a repeat of last week's outage. The test caused a loop similar to last week's.

A lazy fix 20 years ago means the Y2K bug is taking down computers now

www.newscientist.com/article/2229238-a-lazy-fix-20-years-ago-means-the-y2k-bug-is-taking-down-computers-now/ Programmers wanting to avoid the Y2K bug had two broad options: entirely rewrite their code, or adopt a quick fix called windowing, which would treat all dates from 00 to 20 as from the 2000s rather than the 1900s. An estimated 80 per cent of computers fixed in 1999 used the quicker, cheaper option.. Another piece of software, Splunk, which ironically looks for errors in computer systems, was found to be vulnerable to the Y2020 bug in November. The company rolled out a fix to its users the same week, which include 92 of the Fortune 100, the top 100 companies in the US.
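To make the windowing fix concrete, here is an added example in C that is not from the New Scientist article or from any of the products it names. `expand_year_fixed_window` is the quick fix the article describes (two-digit years up to a fixed pivot are read as 20xx, the rest as 19xx); `expand_year_sliding_window` is a commonly used alternative, assumed here for contrast, that anchors the 100-year window on the current year so the cut-off never expires. The sample inputs are constructed.

```c
#include <stdio.h>

/* Fixed-pivot windowing, the quick Y2K fix described in the article.
 * Two-digit years 00..pivot are read as 20xx, everything above as 19xx.
 * With pivot = 20 this is right until the year 2020 and then silently
 * turns "21" into 1921. */
int expand_year_fixed_window(int yy, int pivot)
{
    return (yy <= pivot) ? 2000 + yy : 1900 + yy;
}

/* Sliding window anchored on the current year (assumed alternative, not
 * from the article): the two-digit year is placed in the 100-year span
 * from current_year - 50 to current_year + 49, so the cut-off advances
 * every year instead of expiring on a fixed date. */
int expand_year_sliding_window(int yy, int current_year)
{
    int century = (current_year / 100) * 100;
    int candidate = century + yy;
    if (candidate > current_year + 49)
        candidate -= 100;
    else if (candidate < current_year - 50)
        candidate += 100;
    return candidate;
}

/* Returns 1 when the fixed-window reading of yy disagrees with the
 * sliding-window reading for the given current year, i.e. the point at
 * which the quick fix starts producing wrong dates. */
int fixed_window_is_wrong(int yy, int pivot, int current_year)
{
    return expand_year_fixed_window(yy, pivot)
           != expand_year_sliding_window(yy, current_year);
}

int main(void)
{
    /* Constructed sample: a record stamped with year "21", read in 2021 */
    printf("fixed window (pivot 20): 21 -> %d\n",
           expand_year_fixed_window(21, 20));
    printf("sliding window (in 2021): 21 -> %d\n",
           expand_year_sliding_window(21, 2021));
    printf("quick fix wrong in 2021? %d\n",
           fixed_window_is_wrong(21, 20, 2021));
    return 0;
}
```

Running it in 1999 terms (pivot 20, current year 1999) both functions agree on every year from 99 down to 21 and on 00 to 20, which is why the fixed window passed testing at the time; the disagreement only appears once the calendar passes the pivot.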

2020: The Vulnerability Fujiwhara Effect: Oracle and Microsoft Collide

www.riskbasedsecurity.com/2020/01/08/2020-the-vulnerability-fujiwhara-effect-oracle-and-microsoft-collide/ On the surface this may seem like a positive thing, and it is certainly an improvement on uncoordinated disclosures (still referred to as irresponsible disclosure by many vendors and described as a situation that hurts customers). But as more vendors have gravitated towards releasing on Patch Tuesday, organizations are now being subjected to the routine updates of six vendors on the same day, with the possibility of an additional seven. This is in stark contrast to the normal day of vulnerability disclosures.. It can’t be ignored that there is a clear and substantial risk to organizations that do not have the necessary vulnerability intelligence and processes in place to enable the handling of the large volume of vulnerabilities being disclosed.

Yle: Scam text messages in the name of the Finnish Defence Forces call recipients to service, with Iran as the posting location

www.is.fi/digitoday/art-2000006367124.html?ref=rss Text messages are being sent in the name of the Finnish Defence Forces urging recipients to report for service because of the tense situation in the Middle East. The message tells recipients to bring only their passport and gives Iran as the posting location, Yle reports.

All of Thursday's cataract surgeries at Satasairaala cancelled

www.satakunnankansa.fi/a/6e3dc9f0-c603-49d0-863c-0f7e6386f42a?c=1528874183846

The extensive network outage that plagued Satasairaala is over; worse than last week's, it also shut down the telephone exchange and the region's patient information systems

www.satakunnankansa.fi/a/09bf62bc-d88e-4aa4-a851-494e71190986 According to Leena Ollonqvist, CIO of the Satakunta Hospital District, the network outage that plagued Satasairaala, and with it the whole region, on Thursday has been repaired.. Satasairaala suffered a severe network outage from the morning onward, because of which the hospital's telephone exchange did not work and the region's patient information systems could not be accessed.. A similar network outage occurred at Satasairaala last Monday.. On that occasion the network went down when the network cable of a computer that had been moved to a new location was plugged into the wrong switch, creating an endless loop that eventually overloaded the network.. This time the overload arose when the hospital district's IT provider was testing the network in order to prevent a repeat of last week's overload.. The network outage caused by Thursday's faulty connection was nonetheless worse than last week's, since it also brought down servers in the hospital's data centre.

cablehaunt.com/ Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. The vulnerability enables remote attackers to gain complete control of a cable modem through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participate in botnets.. […] Once the websocket has been reached, the buffer overflow vulnerability can be exploited. The websocket requests are given as JSON. The parser that interprets this JSON request copies the input parameters to a buffer regardless of length, allowing values on the stack to be overwritten. Among these values are saved registers, such as the program counter and return address. With a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker.
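The defect class described above (a parameter copied from a JSON message into a fixed-size stack buffer with no length check) is easy to see in miniature. The following is an added C example, not code from the Cable Haunt write-up or from any modem firmware: `find_json_string` is a deliberately minimal constructed parser that handles only the `{"key":"value"}` shape needed here, `copy_param_unsafe` shows the unbounded-copy pattern, and `copy_param_safe` is the hardened form that bounds the copy and rejects over-long values. All sample messages are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 32   /* fixed-size destination buffer, as in the flaw class described */

/* Minimal constructed parser: locate the string value of `key` in an
 * object such as {"param":"value"}. No escapes or nesting are handled;
 * this is only enough to show the copy step. Returns 1 on success and
 * 0 if the key or a quoted string value is missing. */
int find_json_string(const char *json, const char *key,
                     const char **val, size_t *len)
{
    char needle[64];
    snprintf(needle, sizeof needle, "\"%s\":\"", key);
    const char *p = strstr(json, needle);
    if (!p) return 0;
    p += strlen(needle);
    const char *end = strchr(p, '"');
    if (!end) return 0;
    *val = p;
    *len = (size_t)(end - p);
    return 1;
}

/* The pattern the write-up describes: the value is copied into the fixed
 * buffer with no regard to its length, so a value longer than PARAM_MAX
 * overwrites whatever follows the buffer on the stack. Shown beside the
 * fix for comparison only; it is never called on oversize input here. */
int copy_param_unsafe(const char *json, const char *key, char out[PARAM_MAX])
{
    const char *val; size_t len;
    if (!find_json_string(json, key, &val, &len)) return 0;
    memcpy(out, val, len);   /* len is attacker-controlled and unchecked */
    out[len] = '\0';
    return 1;
}

/* Hardened form: the copy is bounded by the destination size and an
 * over-long value is rejected (-1) rather than silently truncated, so
 * the caller can log and drop the message. */
int copy_param_safe(const char *json, const char *key, char out[PARAM_MAX])
{
    const char *val; size_t len;
    if (!find_json_string(json, key, &val, &len)) return 0;
    if (len >= PARAM_MAX) return -1;   /* leave room for the terminator */
    memcpy(out, val, len);
    out[len] = '\0';
    return 1;
}

/* Small wrappers so behaviour can be checked without exposing the buffer. */
int safe_param_status(const char *json)
{
    char buf[PARAM_MAX];
    return copy_param_safe(json, "param", buf);
}

int safe_param_equals(const char *json, const char *expected)
{
    char buf[PARAM_MAX];
    if (copy_param_safe(json, "param", buf) != 1) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed messages: one well-formed, one with a 40-byte value */
    const char *ok   = "{\"param\":\"hello\"}";
    const char *long_msg = "{\"param\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"}";
    printf("normal value   : status %d\n", safe_param_status(ok));
    printf("oversize value : status %d (rejected)\n", safe_param_status(long_msg));
    return 0;
}
```

The only difference between the two copy routines is the single length comparison against the destination size; in a real parser that check belongs at the point where untrusted input meets a fixed buffer, and a rejected message is worth logging as a detection signal.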

SAIGON, the Mysterious Ursnif Fork

www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html Ursnif (aka Gozi/Gozi-ISFB) is one of the oldest banking malware families still in active distribution. While the first major version of Ursnif was identified in 2006, several subsequent versions have been released in large part due to source code leaks. FireEye reported on a previously unidentified variant of the Ursnif malware family to our threat intelligence subscribers in September 2019 after identification of a server that hosted a collection of tools, which included multiple point-of-sale malware families. This malware self-identified as “SaiGon version 3.50 rev 132,” and our analysis suggests it is likely based on the source code of the v3 (RM3) variant of Ursnif. Notably, rather than being a full-fledged banking malware, SAIGON’s capabilities suggest it is a more generic backdoor, perhaps tailored for use in targeted cybercrime operations.

U.S. Funds Free Android Phones For The Poor But With Permanent Chinese Malware

www.forbes.com/sites/thomasbrewster/2020/01/09/us-funds-free-android-phones-for-the-poor—but-with-permanent-chinese-malware/#3e52a6faabab For years, low-income households have been able to get cheap cell service and even free smartphones via the U.S. government-funded Lifeline Assistance program. One provider, Assurance Wireless, offers a free Android device along with free data, texts and minutes.. It all sounds ideal for those who don’t have the money to splash on fancy Apple or Google phones. But according to security researchers, there’s a catch: the Android phones come with preinstalled Chinese malware, which effectively opens up a backdoor onto the device and endangers their private data. One of the malware types is impossible to remove, according to the researchers.. Original at

blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/

Texas Department of Agriculture website features pro-Iran image after cyberattack

thehill.com/policy/cybersecurity/477408-texas-department-of-agriculture-website-featured-pro-iran-image-after The website’s homepage was replaced and instead featured a picture of Soleimani with white imagery over a black background and text that read “hacked by Iranian Hacker,” according to KXAN. State and federal officials are investigating the incident, which came after Tehran vowed to retaliate for Soleimani’s death.

medium.com/mitre-attack/launching-attack-for-ics-2be4d2fb9b8 It’s straightforward enough to categorize the initial stages of these attacks using tactics and techniques from the Enterprise knowledge base. Adversary behavior in the later stages of these attacks, however, is not specifically addressed by ATT&CK for Enterprise. The adversary’s targets, technical goals, and techniques significantly differ between the Enterprise and ICS domains. For example, Industroyer has the capability to issue Unauthorized Command Messages to change the state of electrical substation switches and circuit breakers directly. This activity is out of scope for ATT&CK for Enterprise but is now represented as T855 in ATT&CK for ICS.. Framework at

collaborate.mitre.org/attackics/index.php/Main_Page

From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications

securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/ The current version in the wild is v4, which also threatens victimized organizations that their data will be leaked online if they do not pay, but can it follow through? MegaCortex itself does not feature that sort of functionality and, even if it did, loading massive amounts of company data and attempting to exfiltrate it would either make too much noise on the network and be discovered, or take very long to exfiltrate slowly.

What the continued escalation of tensions in the Middle East means for security

blog.talosintelligence.com/2020/01/mideast-tensions-preparations.html APT33/34 actors have not only attacked traditional targets for espionage but have shown an interest in attacking critical infrastructure with the dam attack, and have shown a willingness to be destructive in their activities. Actors in the region have also shown a willingness to attack some of the critical components of the internet, most notably DNS. These things combined make for a dangerous adversary that is operating during heightened tensions. As such we are providing a list of the ways that we cover these various attacks and a series of IOCs for organizations to be aware of.

WannaCry Virus Was the Most Common Crypto Ransomware Attack in 2019

www.precisesecurity.com/articles/wannacry-virus-was-the-most-common-crypto-ransomware-attack-in-2019/ As one of the biggest malware threats, ransomware continues to disturb the business operations and daily lives of internet users all over the world. According to PreciseSecurity.com research, 23.56 % of all encryption ransomware attacks during 2019 involved the WannaCry virus, making it the most common type of attack in the last year.. The 2019 data show that phishing scams were the most common cause of ransomware infection globally during the last year. More than 67% of MSP users reported ransomware attacks caused by spam and phishing emails.

What is the Hainan Xiandun Technology Development Company?

intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company/ APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer. We know that multiple areas of China each have their own APT.. After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.. […] In summary, we have multiple companies with identical descriptions and job adverts, overlapping contact details and office locations, but different names, recruiting for offensive hacking skills. Like Boyusec, Huaying Haitai, Antorsoft, and others, these companies have very little presence on the Internet outside of these adverts.

4 Ring Employees Fired For Spying on Customers

threatpost.com/four-ring-employees-fired-spying/151689/ The disclosure comes in a recent letter to senators (in response to a November inquiry into the company’s data policies) from Amazon-owned Ring as it attempts to defend the privacy of its platform (which has been plagued by data privacy incidents over the past year). In the letter, Ring said that the four former employees were authorized to view video data, but their attempted access to the data exceeded what was necessary for their job functions.

The State of Threats to Electric Entities in North America

dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/ Today Dragos released a new report: The North American Electric Cyber Threat Perspective. The information in this report is based on Dragos ICS-specific threat intelligence, global Platform telemetry, and service engagements, and provides an overview of threats to electric and other critical infrastructure sectors in North America.. Additionally, supply chain and third-party compromise remain a real and present risk and a significant threat to this sector, in addition to adversaries exploiting remote connectivity services used by organizations like vendors or contractors. PARISITE, for instance, a new activity group Dragos identified in 2019, largely focuses on exploiting vulnerabilities in virtual private network (VPN) appliances to gain initial access to target ICS networks.. Report at

dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf. Also www.wired.com/story/iran-apt33-us-electric-grid/

New Iranian data wiper malware hits Bapco, Bahrain’s national oil company

www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/#ftag=RSSbaffb68 Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain’s national oil company, ZDNet has learned from multiple sources.. The incident took place on December 29. The attack did not have the long-lasting effect hackers might have wanted, as only a portion of Bapco’s computer fleet was impacted, with the company continuing to operate after the malware’s detonation.. Although the Bapco incident doesn’t appear to be connected to the current US-Iranian political tensions, it does come to show Iran’s advanced technical capabilities when it comes to launching destructive cyber-attacks. Some said hackers exploited a vulnerability in Pulse Secure servers, while others pointed the finger at Fortinet VPN servers.

Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another

www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/ In a conversation with BleepingComputer, the Sodinokibi Ransomware actors state that they were demanding a $3 million ransom or they would release the data containing “DOB SSN CC and other”. According to the BBC, this ransom was later changed to $6 million, which BleepingComputer has not been able to independently confirm.

Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy PowerTrick Backdoor for High-Value Targets

labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/ Their offensive tooling such as PowerTrick is flexible and effective, which allows the TrickBot cybercrime actors to leverage it to augment on the fly and stay stealthy, as opposed to using larger, more open source systems such as PowerShell Empire.

Dixons fined £500,000 by ICO for crap security that exposed 5.6 million customers’ payment cards

www.theregister.co.uk/2020/01/09/dixons_store_group_fined_500000_by_ico_for_crap_security_that_exposed_56_millino_customers_payment_cards/ The fine is the maximum the ICO could levy under the previous data laws, but had it occurred following the roll-out of GDPR legislation, Dixons may have found itself slapped with a bigger fine, he added.

Senators Prod FCC to Act on SIM Swapping

krebsonsecurity.com/2020/01/senators-prod-fcc-to-act-on-sim-swapping/ On Thursday, a half-dozen Democrats in the Senate sent a letter to FCC Chairman Ajit Pai, asking the agency to require the carriers to offer more protections for consumers against unauthorized SIM swaps.
