
Daily NCSC-FI news followup 2020-01-23

Increased Emotet Malware Activity

www.us-cert.gov/ncas/current-activity/2020/01/22/increased-emotet-malware-activity The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a recent increase in targeted Emotet malware attacks. Emotet is a sophisticated Trojan that commonly functions as a downloader or dropper of other malware. Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives.
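The credential brute forcing that the CISA summary describes leaves a recognisable trace in authentication logs: one source host producing a burst of failed logons across several accounts, sometimes followed by a success. The following is an added detection example, written for this digest and not taken from CISA or the advisory. It runs over a constructed, deliberately simplified one-line-per-event log format (timestamp, Windows event ID 4625 for failed logon or 4624 for successful logon, source host, account, status); real Windows Security events are EVTX/XML and carry different field names, so the parser and the sample lines are assumptions, while the windowing logic is the part worth reusing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Host 10.0.0.15 fails logons for
# five different accounts within seconds, then logs on successfully as jsmith.
# Host 10.0.0.42 has two isolated failures ten minutes apart (a user typo).
SAMPLE_LOG = """\
2020-01-22T10:00:01 4625 src=10.0.0.15 user=jsmith status=0xC000006D
2020-01-22T10:00:02 4625 src=10.0.0.15 user=jsmith status=0xC000006D
2020-01-22T10:00:03 4625 src=10.0.0.15 user=mjones status=0xC000006D
2020-01-22T10:00:04 4625 src=10.0.0.15 user=admin status=0xC000006D
2020-01-22T10:00:05 4625 src=10.0.0.15 user=backup status=0xC000006D
2020-01-22T10:00:06 4625 src=10.0.0.15 user=svc_sql status=0xC000006D
2020-01-22T10:00:07 4624 src=10.0.0.15 user=jsmith status=0x0
2020-01-22T10:05:00 4625 src=10.0.0.42 user=alee status=0xC000006D
2020-01-22T10:15:00 4625 src=10.0.0.42 user=alee status=0xC000006D
"""

# Field layout of the constructed format above (an assumption, not a real schema).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>\S+)$"
)


def parse_events(text):
    """Parse the constructed log text into a list of event dicts, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=1), min_failures=5, min_users=3):
    """Flag each source host whose 4625 failures reach min_failures events across
    at least min_users distinct accounts inside a sliding time window.

    Requiring several distinct accounts separates lateral brute forcing from a
    single user mistyping a password; one alert is emitted per source host."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event"] == "4625":
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(win) >= min_failures and len(users) >= min_users:
                alerts.append({
                    "src": src,
                    "first": win[0]["ts"],
                    "last": win[-1]["ts"],
                    "failures": len(win),
                    "users": sorted(users),
                })
                break
    return alerts


def successes_after_spray(events, alerts):
    """Return successful logons (4624) from an alerted host at or after the burst:
    the signal that a brute-forced credential actually worked."""
    hits = []
    for alert in alerts:
        for ev in events:
            if ev["event"] == "4624" and ev["src"] == alert["src"] and ev["ts"] >= alert["last"]:
                hits.append({"src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = detect_spray(evs)
    for a in found:
        print(f"spray from {a['src']}: {a['failures']} failures across {a['users']}")
    for h in successes_after_spray(evs, found):
        print(f"follow-up success from {h['src']} as {h['user']} at {h['ts']}")
```

The thresholds (five failures across three accounts in one minute) are starting points; on a domain controller aggregating many hosts you would key the window on the source workstation, as here, and tune the counts against a baseline of normal lockout noise. The follow-up check is what turns a noisy "failed logons" alert into an actionable one.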

Complex Obfuscation VS Simple Trick

isc.sans.edu/forums/diary/Complex+Obfuscation+VS+Simple+Trick/25738/ The Emotet malware family needs no introduction. Very active for years, new waves of attacks are constantly launched using different infection techniques. Yesterday, an interesting sample was spotted at a customer. The security perimeter is quite strong, with multiple lines of defenses based on different technologies and vendors. This one passed all the controls! A malicious document was delivered via a well-crafted email. The document (SHA256: ff48cb9b2f5c3ecab0d0dd5e14cee7e3aa5fc06d62797c8e79aa056b28c6f894) has a low VT score of 18/61 and is not detected by some major AV players.

To Avoid Disruption, Ransomware Victims Continue to Pay Up

www.darkreading.com/attacks-breaches/to-avoid-disruption-ransomware-victims-continue-to-pay-up/d/d-id/1336863 For all the cautions against doing so, one-third of organizations in a Proofpoint survey said they paid their attackers after getting infected with ransomware.

Telia collects location data from its customers even when GPS is switched off; the data is sold to cities, which can see the movements of crowds on a map

yle.fi/uutiset/3-11169972 Cities are looking for ways to track the movements of crowds, among other reasons because city centres are becoming quieter.

How CISOs Can Expand Their Security Duties into Industrial Environments

www.tripwire.com/state-of-security/ics-security/cisos-expand-security-duties-industrial-environments/ Divij Agarwal, senior product manager at Belden Inc., notes that this process begins by recognizing the advent of the IIoT and IT-OT convergence, in which the IT (enterprise) and OT (industrial) networks are coming together. As part of that meeting, many industrial networks, especially those in the areas of smart grids, smart factories and smart buildings, are using many new next-gen industrial

Pwn2Own Miami Contestants Haul in $180K for Hacking ICS Equipment

threatpost.com/pwn2own-miami-ics-equipment/152122/ The very first Pwn2Own hacking competition that exclusively focuses on the industrial control systems (ICS) has kicked off in Miami. So far, a total of $180,000 has been awarded for pwning five different products.

Thousands of WordPress Sites Hacked to Fuel Scam Campaign

www.bleepingcomputer.com/news/security/thousands-of-wordpress-sites-hacked-to-fuel-scam-campaign/ Over 2,000 WordPress sites have been hacked to fuel a campaign to redirect visitors to scam sites containing unwanted browser notification subscriptions, fake surveys, giveaways, and fake Adobe Flash downloads.

Sex site left its models' data lying on the web: 875,000 files

www.is.fi/digitoday/tietoturva/art-2000006381832.html The sex-cam network PussyCash left 875,000 files open on the web, containing information on more than 4,000 cam models. About 20 gigabytes of data were stored on an open Amazon server in Virginia, USA. Extensive information was available about the women performing for the cameras, such as full names, dates of birth, social security numbers, credit card numbers, passport details, fingerprints and home addresses.

It's time to patch your Cisco security solutions again

www.helpnetsecurity.com/2020/01/23/patch-cisco-security-appliances/ Cisco has released another batch of security updates and patches for a variety of its offerings, including many of its security solutions. Among the security holes plugged is CVE-2019-16028, a critical authentication bypass vulnerability affecting the Cisco Firepower Management Center, a device that provides visibility into an organization's network and allows admins to centrally manage critical Cisco network security solutions.

Sodinokibi Ransomware Threatens to Publish Data of Automotive Group

www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/ The attackers behind the Sodinokibi ransomware are now threatening to publish data stolen from another victim after the victim failed to get in touch and pay the ransom to have the data decrypted. Sodinokibi claims that this data was stolen from GEDIA Automotive Group, a German automotive supplier with production plants in Germany, China, Hungary, India, Mexico, Poland, Spain and the USA.

Maze Ransomware Not Getting Paid, Leaks Data Left and Right

www.bleepingcomputer.com/news/security/maze-ransomware-not-getting-paid-leaks-data-left-and-right/ Maze ransomware operators have infected computers at Medical Diagnostic Laboratories (MDLab) and are releasing close to 9.5 GB of data stolen from the infected machines. This action was prompted by the company's refusal to pay a ransom of 200 bitcoins (a little over $1.7 million today) that would have bought the file decryption key from the attacker, together with the attacker's promise to destroy the data.

European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019

www.recordedfuture.com/pupyrat-malware-analysis/ Over the course of the last year, Recorded Future research has demonstrated that Iran-nexus groups, possibly including APT33 (also called Elfin), were prolific in amassing operational network infrastructure throughout 2019. The targeting of a key organization in the European energy sector is of particular interest given its role in the coordination of European energy resources. We emphasize that this activity predates the recent escalation of kinetic activity between the U.S. and Iran, and therefore likely relates to espionage-motivated intrusion activity or the prepositioning of network access within a high-value network in the European energy sector. Report:

go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf

Shlayer Trojan attacks one in ten macOS users

securelist.com/shlayer-for-macos/95724/ For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first specimens of this family fell into our hands back in February 2018, and we have since collected almost 32,000 different malicious samples of the Trojan and identified 143 C&C server domains.

Euro Cup and Olympics Ticket Reseller Hit by MageCart

www.bleepingcomputer.com/news/security/euro-cup-and-olympics-ticket-reseller-hit-by-magecart/ Sites belonging to a reseller of tickets for the Euro Cup and the Tokyo Summer Olympics, two major sports events happening later this year, have been infected with JavaScript that steals payment card details. Pimental and Kersten warn that shopping at olympictickets2020.com or eurotickets2020.com between December 3, 2019, and January 21, 2020, likely resulted in card data being stolen. Contacting the issuing bank and requesting a card replacement is the recommended action. Also:

maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/

The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks

unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/ Between July and October 2019, Unit 42 observed several malware families typically associated with the Konni Group (see the Attribution section of the report for more details) used primarily to target a US government agency, using the ongoing and heightened geopolitical tensions surrounding North Korea to lure targets into opening malicious email attachments. The malware used in this campaign consisted mainly of malicious documents carrying CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader Unit 42 has dubbed CARROTBALL.

Ransomware Costs Double in Q4 as Ryuk, Sodinokibi Proliferate

www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate In Q4 of 2019, the average ransom payment increased by 104% to $84,116, up from $41,198 in Q3 of 2019. The doubling of the average reflects the diversity of the threat actors actively attacking companies. Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies, where they can attempt to extort the organization for a seven-figure payout. In Q4 of 2019, average downtime increased to 16.2 days, from 12.1 days in Q3 of 2019. The increase in downtime was driven by a higher prevalence of attacks against larger enterprises, which often spend weeks fully remediating and restoring their systems.

Ryuk Ransomware Hit Multiple Oil & Gas Facilities, ICS Security Expert Says

www.darkreading.com/threat-intelligence/ryuk-ransomware-hit-multiple-oil-and-gas-facilities-ics-security-expert-says-/d/d-id/1336865 More signs that the industrial control system (ICS) sector has become one of the latest favorite targets of ransomware attacks: The head of an operational technology (OT) cybersecurity services firm says at least five organizations in the oil and gas industry were recently hit by Ryuk.

Critical MDhex Vulnerabilities Shake the Healthcare Sector

www.bleepingcomputer.com/news/security/critical-mdhex-vulnerabilities-shake-the-healthcare-sector/ Critical vulnerabilities have been discovered in popular medical devices from GE Healthcare that could allow attackers to alter the way they function or render them unusable. The set of six security flaws has been collectively named MDhex. Five of them received the highest severity rating on the Common Vulnerability Scoring System, 10 out of 10.

Lapland is being hit via social media: "Instagram soldiers" have netted as much as a hundred thousand euros

www.tivi.fi/uutiset/tv/4d6e6b7f-eb29-4891-a75d-69e5a8b42cc7 Within a short time, the police have received several reports of romance scams in Lapland. The scams have mostly started via Facebook, Messenger or some online dating service, Lapland police say on their website.

Data leak at Pori building control: permit data of about 2,000 customers was accessible to outsiders

yle.fi/uutiset/3-11173114 Access protection has now been put in place on the system, and according to the city no cases of misuse have been detected.
