Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-02-12

Valentines & Chocolate Dont Always Equal Love

blog.checkpoint.com/2020/02/12/valentines-chocolate-dont-always-equal-love/ With Valentines Day approaching, lovers around the world are working on finding the best way to celebrate with their loved ones. Meanwhile cyber criminals around the world also seem to be caught up in the spirit of this unique day. Over the past 2 years, Check Point Research has identified the use of the word Valentine within malicious websites during the month of February. In both 2018 and 2019, the increase was over 200% compared to the previous months, and this was the biggest increase reported throughout the year.

Microsoft Patch Tuesday, February 2020 Edition

krebsonsecurity.com/2020/02/microsoft-patch-tuesday-february-2020-edition/ Microsoft today released updates to plug nearly 100 security holes in various versions of its Windows operating system and related software, including a zero-day vulnerability in Internet Explorer (IE) that is actively being exploited. Also, Adobe has issued a bevy of security updates for its various products, including Flash Player and Adobe Reader/Acrobat.

Holistic SDN Security Makes Security Comprehensive Everywhere

blog.paloaltonetworks.com/2020/02/cloud-sdn-security/ Its always a good idea to look up and down as well as from side to side when threats abound. Ask any horror film protagonist or big-city pedestrian. Yet even the threats these folks confront seem insignificant compared to the alarming challenges network security architects face. Theyre trying to manage all at once software-defined networking (SDN) environments, tools and platforms such as private clouds, VMware NSX-T, VMware NSX for VSphere and Nutanix Flow. How do you stay vigilant in several places simultaneously and stay calm?

Android Trojan xHelper uses persistent re-infection tactics: heres how to remove

blog.malwarebytes.com/android/2020/02/new-variant-of-android-trojan-xhelper-reinfects-with-help-from-google-play/ We first stumbled upon the nasty Android Trojan xHelper, a stealthy malware dropper, in May 2019. By mid-summer 2019, xHelper was topping our detection chartsso we wrote an article about it. After the blog, we thought the case was closed on xHelper. Then a tech savvy user reached out to us in early January 2020 on the Malwarebytes support forum.

“Distinguished Impersonator” Information Operation That Previously Impersonated U.S. Politicians and Journalists on Social Media Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests

www.fireeye.com/blog/threat-research/2020/02/information-operations-fabricated-personas-to-promote-iranian-interests.html In May 2019, FireEye Threat Intelligence published a blog post exposing a network of English-language social media accounts that engaged in inauthentic behavior and misrepresentation that we assessed with low confidence was organized in support of Iranian political interests. Personas in that network impersonated candidates for U.S. House of Representatives seats in 2018 and leveraged fabricated journalist personas to solicit various individuals, including real journalists and politicians, for interviews intended to bolster desired political narratives.

FBI Releases IC3 2019 Internet Crime Report

www.us-cert.gov/ncas/current-activity/2020/02/12/fbi-releases-ic3-2019-internet-crime-report The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released the 2019 Internet Crime Report, which includes statistics based on data reported by the public through the IC3 website. The top three crimes types reported by victims in 2019 were phishing/vishing/smishing/pharming, non-payment/non-delivery, and extortion.. Also:

threatpost.com/fbi-3-5b-lost-in-2019-to-known-cyberscams-ransomware/152815/.

www.zdnet.com/article/fbi-bec-scams-accounted-for-half-of-the-cyber-crime-losses-in-2019/

Malpsam pushes Ursnif through Italian language Word docs

isc.sans.edu/forums/diary/Malpsam+pushes+Ursnif+through+Italian+language+Word+docs/25792/ For the past two weeks or so, I haven’t found any malspam using password-protected zip archives with Word documents having macros for Ursnif. However, on Tuesday 2020-02-11, malspam from this campaign has resumed. This time, it used Italian language Word documents with macros for Ursnif.

SoundCloud Tackles DoS, Account Takeover Issues

threatpost.com/soundcloud-dos-account-takeover/152838/ Online music platform SoundCloud, which can be thought of as an audio-based YouTube for music creators, has addressed several security bugs in its APIs that could lead to denial-of-service (DoS) or account takeover via credential-stuffing.

Phishing scams are costing us more than ever. This trick is most likely to catch you out

www.zdnet.com/article/phishing-scams-are-costing-us-more-than-ever-this-trick-is-most-likely-to-catch-you-out/ Businesses are losing over $700m a month to cyber criminals because employees are falling victim to phishing attacks, business email compromise campaigns and gift card scams and the amount of money being lost is still on the rise.

Microsoft Urges Exchange Admins to Disable SMBv1 to Block Malware

www.bleepingcomputer.com/news/microsoft/microsoft-urges-exchange-admins-to-disable-smbv1-to-block-malware/ Microsoft is advising administrators to disable the SMBv1 network communication protocol on Exchange servers to provide better protection against malware threats and attacks. Since 2016, Microsoft has been recommending that administrators remove support for SMBv1 on their network as it does not contain additional security enhancements added to later versions of the SMB protocol.

Netgear’s routerlogin.com HTTPS cert snafu now has a live proof of concept

www.theregister.co.uk/2020/02/12/netgear_router_https_cert_poc/ An infosec researcher has published a JavaScript-based proof of concept for the Netgear routerlogin.com vulnerability revealed at the end of January. Through service workers, scripts that browsers run as background processes, Rashid Saleem reckons he can exploit Netgear routers to successfully compromise admin panel credentials.

Loda RAT Grows Up

blog.talosintelligence.com/2020/02/loda-rat-grows-up.html Talos has observed several changes in this version of Loda. The obfuscation technique used within the AutoIT script changed to a different form of string encoding. Multiple persistence mechanisms have been employed to ensure Loda continues running on the infected host following reboots. Lastly, the new version leverages WMI to enumerate antivirus solutions running on the infected host.

TIETO20-harjoitus testaa yhteistoimintaa laajassa kyberhäiriötilanteessa

www.epressi.com/tiedotteet/tietoturva/tieto20-harjoitus-testaa-yhteistoimintaa-laajassa-kyberhairiotilanteessa.html TIETO20-harjoitus on Suomen suurin yritysten ja viranomaisten yhteistoimintaharjoitus laajojen kyberhäiriöiden varalta. Yritysten jatkuvuudenhallintaa, varautumista ja kriisiviestintää kyberhäiriötilanteissa sparraava harjoituskokonaisuus lujittaa elintarvike-, vesi- ja polttoainehuoltoa sekä niihin liittyvää logistiikkaa kyberhyökkäysten varalta.

CIA:n peiteyritys myi vuosikymmenien ajan peukaloituja salauslaitteita valtioille ympäri maailmaa

yle.fi/uutiset/3-11204967 Yhdysvaltojen ja Saksan tiedustelupalvelut pyörittivät vuosikymmenten ajan salauslaitteita valmistavaa sveitsiläisyritystä. Washington Post(siirryt toiseen palveluun) ja saksalaismedia(siirryt toiseen palveluun)t uutisoivat tiistaina näyttävästi tiedusteluviranomaisten ja sveitsiläisen Crypto AG:n kytköksestä, jonka ansiosta valtioiden salaisia viestejä virtasi yli viidenkymmenen vuoden

172 ransomware attacks on US healthcare organizations since 2016 (costing over $157 million)

www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/ Since 2016, ransomware attacks have become a huge cause for concern for hospitals all over the world. They cripple key systems and prevent hospitals from accessing crucial patient data until a fee is paid to the hacker (or the ransomware is removed by IT specialists).

Jenkins servers can be abused for DDoS attacks

www.zdnet.com/article/jenkins-servers-can-be-abused-for-ddos-attacks/ Jenkins, an open source server used to perform automated tasks, can be abused to launch distributed denial of service (DDoS) attacks. DDoS attacks are possible because of a vulnerability in the Jenkins codebase. The bug (tracked as CVE-2020-2100) has been fixed in Jenkins v2.219, released last month. Details:

mediaserver.responsesource.com/mediabank/18328/RadwareERTAlert2020/ERTAlertJenkinsFINALV3.pdf

Suspected Sapphire Mushroom (APT-C-12) malicious LNK files

bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/ In July 2018, the Chinese-based research group 360 Technical Intelligence Center (TIC) produced a report “APT-C-12” (Sapphire Mushroom (APT-C-12) Technical Details Revealed). This report analysed a malicious LNK file allegedly used by the APT group “Sapphire Mushroom” (aka Blue Mushroom aka NuclearCrisis). The group appeared in March 2011 and appears to be targeting a wide variety of Chinese government and industries with spear-phishing emails. An early tactic used right-to-left override (RTLO or RLO) character to give the appearance of a regular file, and also malicious LNK files.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.