Daily NCSC-FI news followup 2020-01-17

404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor

www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html As noted in Rough Patch: I Promise It’ll Be 200 OK, our FireEye Mandiant Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, weve recognized multiple groups of post-exploitation activity.

JhoneRAT: Cloud based python RAT targeting Middle Eastern countries

blog.talosintelligence.com/2020/01/jhonerat.html Today, Cisco Talos is unveiling the details of a new RAT we have identified we’re calling “JhoneRAT.” This new RAT is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim’s machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms. The RAT attempts to download

VB2019 paper: King of the hill: nation-state counterintelligence for victim deconfliction

www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-king-hill-nation-state-counterintelligence-victim-deconfliction/ Cyber situational awareness is the ultimate outcome of mature threat intelligence. Though we normally think of threat intelligence as a defender’s practice, extensive study of advanced cyberespionage operations reveals that attackers are engaged in a similar activity. Defenders apply threat intelligence insights to ensure that attackers don’t gain persistent access to their enterprise machines.

Summing up CVE-2020-0601, or the Let?s Decrypt vulnerability

isc.sans.edu/forums/diary/Summing+up+CVE20200601+or+the+Lets+Decrypt+vulnerability/25720/ Last 24 hours have been extremely interesting this months patch Tuesday by Microsoft brought to us 2 very interesting (and critical) vulnerabilities. The first one, the BlueKeep like remote code execution vulnerability in Remote Desktop Gateway (CVE-2020-0609, CVE-2020-0610) has been kind of ignored, although its really critical so I guess Ill continue doing that in this diary . (but rest assured that we are keeping an eye on the RDG vulnerability as well).

Critical Cisco Flaws Now Have PoC Exploit

threatpost.com/cisco-dcnm-flaw-exploit/151949/ Proof-of-concept exploit code has been published for critical flaws impacting the Cisco Data Center Network Manager (DCNM) tool for managing network platforms and switches.

Enter Dustman: New Wiper Takes After ZeroCleare, Likely Targets Organizations in Region

securityintelligence.com/posts/enter-dustman-new-wiper-takes-after-zerocleare-targets-organizations-in-saudi-arabia/ In December 2019, IBM X-Force Incident Response and Intelligence Services (IRIS) released a report on new malware from the Wiper class, used in a destructive attack in the Middle East. . At the time, we dubbed this malware ZeroCleare per the program database (PDB) pathname of its binary file. About a month later, a ZeroCleare offshoot has been reported by the Saudi National Cybersecurity Authority (NCA) in destructive attacks targeting the same region. This variation of ZeroCleare was dubbed Dustman, also per the PDB pathname of its binary file.

FBI shuts down website selling billions of stolen records

www.welivesecurity.com/2020/01/17/fbi-seizes-website-selling-stolen-personal-data/ US law enforcement has seized the WeLeakInfo.com domain name for peddling personal data stolen in data breaches. The shadowy website offered a pay-to-play scenario that allowed anyone to search for and access other peoples personal details, according to a statement from the Department of Justice (DOJ).. WeLeakInfo.com claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records, said the authorities

Stolen emails reflect Emotet’s organic growth

blog.talosintelligence.com/2020/01/stolen-emails-reflect-emotets-organic.html Emotet continues to infect individuals and organizations all over the world, so to say that it is “targeted” would be a stretch. However, if a person has substantial email ties to a particular organization, when they become infected with Emotet the effects would manifest in the form of increased outbound Emotet email directed at that organization.

Travelex wont say if it has paid a ransom to its attackers

www.grahamcluley.com/travelex-wont-say-if-it-has-paid-a-ransom-to-its-attackers/ Travelex, the foreign currency exchange service whose services have been knocked offline since New Years eve by a cyber attack, is declining to say if it has paid a ransom to the criminals responsible.

Google Chrome Adds Protection for NSA’s Windows CryptoAPI Flaw

www.bleepingcomputer.com/news/security/google-chrome-adds-protection-for-nsas-windows-cryptoapi-flaw/ Google just released Chrome 79.0.3945.130, which will now detect certificates that attempt to exploit the NSA discovered CVE-2020-0601 CryptoAPI Windows vulnerability.

TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection

www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/ The TrickBot Trojan has received an update that adds a UAC bypass targeting the Windows 10 operating system so that it infects users without displaying any visible prompts.. A UAC bypass allows programs to be launched without displaying a User Account Control prompt that asks users to allow a program to run with administrative privileges.

Threatpost Poll: Are Published PoC Exploits a Good or Bad Idea?

threatpost.com/poll-published-poc-exploits-good-bad/151966/ Are publicly released proof-of-concept exploits more helpful for system defenders or bad actors?

Zen Cart PayPal Skimmer

blog.sucuri.net/2020/01/zen-cart-paypal-skimmer.html We recently found a case on a lesser known open source ecommerce platform named Zen Cart, which itself is a fork from the older OsCommerce. Credit card skimmers are not found as often for Zen Cart. This is because the Zen Cart user base is quite small (0.1%) when compared to other open source platforms like Magento (0.8%) or Prestashop (0.6%) according to W3s latest information.

Thoughts on the recent Red Team debate

blog.nviso.eu/2020/01/17/thoughts-on-the-recent-red-team-debate/ Around the end of November 2019, Florian Roth wrote a much-discussed post about problems he saw with todays red teaming. I considered writing a blog post to diverge some of my ideas and respond to his concerns.

You might be interested in …

Daily NCSC-FI news followup 2020-06-20

Cyberbullying: Adults can be victims too www.welivesecurity.com/2020/06/19/cyberbullying-adults-can-be-victims-too/ Whenever cyberbullying is mentioned, our minds usually associate the topic with children or teenagers. Much has been said about cyberbullying by psychologists, organizations, public figures, as well as other concerned parties. However, we often fail to realize that adults can be the victims of cyberbullying too. Former DIA […]

Read More

Daily NCSC-FI news followup 2021-09-17

NSO Group iMessage Zero-Click Exploit Captured in the Wild citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/ The Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as “processing a maliciously crafted PDF may lead to arbitrary code execution.”. In this article, Citizen Lab analyses the exploit chain in detail. Mitigating […]

Read More

Daily NCSC-FI news followup 2021-01-15

Bitcoin-kiristäjä piinaa taas suomalaisia www.kauppalehti.fi/uutiset/bitcoin-kiristaja-piinaa-taas-suomalaisia-ala-maksa-masturbointilunnaita/a65ed063-b6b7-4ae9-93a8-4a4161d70b43 Verkkohuijarit ovat taas liikkeellä pornokiristyksinä tunnettujen huijausviestien kanssa. Huijarit väittävät tartuttaneensa haittaohjelman vastaanottajan koneelle tämän vierailtua aikuisviihdesivustolla. Katso myös Kyberturvallisuuskeskuksen uutinen aiheesta: www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kiristyshuijauksia-liikkeella-runsaasti-ala-usko-huijarien-vaitteita Signal down after getting flooded with new users www.bleepingcomputer.com/news/software/signal-down-after-getting-flooded-with-new-users/ Signal users are currently experiencing issues around the world, with users unable to send and receive messages. Ransomware […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.