Daily NCSC-FI news followup 2020-02-06

Protecting users from insecure downloads in Google Chrome

security.googleblog.com/2020/02/protecting-users-from-insecure_6.html Today we're announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, we'll start blocking "mixed content downloads" (non-HTTPS downloads started on secure pages). This move follows a plan we announced last year to start blocking all insecure subresources on secure pages.

Insider threats have increased 47%

www.pandasecurity.com/mediacenter/security/cost-insider-threat-report/ Last year, a Canadian bank suffered a data breach that affected some 2.7 million people and around 173,000 companies. The stolen information included names, addresses, dates of birth, social insurance numbers, email addresses and information on customers' transaction habits. The culprit of this breach? A malicious insider.

Biased AI Is Another Sign We Need to Solve the Cybersecurity Diversity Problem

securityintelligence.com/articles/biased-ai-is-another-sign-we-need-to-solve-the-cybersecurity-diversity-problem/ Artificial intelligence (AI) excels at finding patterns like unusual human behavior or abnormal incidents. It can also reflect human flaws and inconsistencies, including 180 known types of bias. Biased AI is everywhere, and like humans, it can discriminate against gender, race, age, disability and ideology.

Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install Malware, Perform Mobile Ad Fraud

blog.trendmicro.com/trendlabs-security-intelligence/malicious-apps-on-google-play-communicate-with-trojans-install-malware-perform-mobile-ad-fraud/ We recently discovered several malicious optimizer, booster, and utility apps (detected by Trend Micro as AndroidOS_BadBooster.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and download as many as 3,000 malware variants or malicious payloads on affected devices. These malicious apps, which are supposed to increase device performance by cleaning, organizing, and deleting files, have been collectively downloaded over 470,000 times.

The Rise of the Open Bug Bounty Project

thehackernews.com/2020/02/open-bug-bounty-project.html The once skyrocketing bug bounty industry seems to be not in the best shape today. While prominent security researchers are talking about a growing multitude of hurdles they experience with the leading commercial bug bounty platforms, the latter are trying to reinvent themselves as “next-generation penetration testing” or similar services. You be the judge of how successful they will be.

Fake browser update pages are “still a thing”

isc.sans.edu/forums/diary/Fake+browser+update+pages+are+still+a+thing/25774/ SocGholish is a term I first saw in signatures from the EmergingThreats Pro ruleset to describe fake browser update pages used to distribute malware like a NetSupport RAT-based malware package or Chthonic banking malware. Although this activity has continued into 2020, I hadn’t run across an example until this week.

Fake Interview: The New Activity of Charming Kitten

blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/ Certfa Lab has identified a new series of phishing attacks from Charming Kitten, the Iranian hacking group which has a close relationship with Iran's state and intelligence services. According to our investigation, these new attacks have targeted journalists, political and human rights activists.

Metamorfo Returns with Keylogger Trick to Target Financial Firms

threatpost.com/metamorfo-variant-keylogger-financial/152640/ Researchers have discovered a recent spate of phishing emails spreading a new variant of Metamorfo, a financial malware known for targeting Brazilian companies. Now, however, it's expanding its geographic range and adding a new technique. Report:

www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions.html

UM Cyber Attack Symposium – Lessons learnt

www.maastrichtuniversity.nl/um-cyber-attack-symposium-%E2%80%93-lessons-learnt At a symposium on Wednesday 5 February, Maastricht University (UM) addressed the cyber attack that took place on 23 December. The symposium was open to invited guests only. Other interested parties could follow the livestream, which you can replay below. Due to the complexity of the subject matter and the presence of Dutch media only, the symposium was held in Dutch.

Advisory 2020-003: Mailto ransomware incidents

www.cyber.gov.au/threats/advisory-2020-003-mailto-ransomware-incidents The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) is aware of recent ransomware incidents involving a ransomware tool known as Mailto or Kazakavkovkiz. Mailto belongs to the KoKo ransomware family. At this time, the ACSC is unaware whether these incidents are indicative of a broader campaign.

Emotet attacks a spike to start the year…

www.menlosecurity.com/blog/emotet-attacks-a-spike-to-start-the-year The Emotet malware is a very destructive banking Trojan that was first identified in 2014. Over the years it has evolved with new capabilities and functionalities, prompting cybersecurity agencies like the Australian Cyber Security Centre and US-CERT to issue advisories. Emotet malware generally spreads via malicious documents that drop a modular Trojan bot, which is used to download and install additional remote access tools.

Wacom drawing tablets track every app you open

www.zdnet.com/article/wacom-drawing-tablets-track-every-app-you-open/ Wacom drawing tablets will track every app you open or close on your computer, Robert Heaton, a software engineer, has revealed. Following a months-long investigation, Heaton says Wacom's official driver comes with a vague privacy policy that, if accepted, will begin tracking the apps a user opens on their device.

Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications

cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/ The Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android devices that could result in compromise if unsigned Android applications are permitted on the device.

Living off another land: Ransomware borrows vulnerable driver to remove security software

news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/ Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers just prior to performing the destructive file encryption portion of the attack.

Medicaid CCO Vendor Breach Exposes Health, Personal Info of 654K

www.bleepingcomputer.com/news/security/medicaid-cco-vendor-breach-exposes-health-personal-info-of-654k/ Medicaid coordinated care organization (CCO) Health Share of Oregon today disclosed a data breach exposing the health and personal info of 654,362 individuals following the theft of a laptop owned by its transportation vendor GridWorks IC.

IoT Malware Campaign Infects Global Manufacturing Sites

www.darkreading.com/iot/iot-malware-campaign-infects-global-manufacturing-sites/d/d-id/1336982 A new malware campaign built to exploit flaws in connected devices is targeting manufacturers around the world and affecting products from smart printers to heavy operational equipment. Researchers at TrapX Labs first saw this attack targeting Latin American manufacturers in October 2019. Since then, it has continued to expand, with a peak in December and ongoing growth this year in regions including North America, Africa, and the Middle East, says TrapX CEO Ori Bach.

Strong authentication was rolled out on an accelerated timetable after Terveystalo had reported phishing targeting its online appointment booking service.

yle.fi/uutiset/3-11196085 Healthcare provider Terveystalo introduced strong authentication in its online appointment booking service on Thursday.

Ghost in the shell: Investigating web shell attacks

www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsoft's Detection and Response Team (DART) to conduct a full incident response and remediate the threat before it could cause further damage.
