Daily NCSC-FI news followup 2020-02-26

Iranian APT Targets Govs With New Malware

threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/ A new campaign is targeting governments with the ForeLord malware, which steals credentials. A never-before-seen credential-stealing malware, dubbed ForeLord, has been uncovered in recent spear-phishing emails. Researchers have attributed the campaign to a known Iranian advanced persistent threat (APT) group.

Internal Docs Show Why the U.S. Military Publishes North Korean and Russian Malware

www.vice.com/en_us/article/5dmwyx/documents-how-cybercom-publishes-russian-north-korean-malware-virustotal A previously secret document obtained by Motherboard shows how, and why, CYBERCOM is publicly releasing malware from adversaries.

Zyxel 0day Affects its Firewall Products, Too

krebsonsecurity.com/2020/02/zyxel-0day-affects-its-firewall-products-too/ On Monday, networking hardware maker Zyxel released security updates to plug a critical security hole in its network attached storage (NAS) devices that is being actively exploited by crooks who specialize in deploying ransomware. Today, Zyxel acknowledged the same flaw is present in many of its firewall products.

Flaw in billions of Wi-Fi devices left communications open to eavesdropping

arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/ Cypress and Broadcom chip bug bit iPhones, Macs, Android devices, Echoes, and more.

Also: www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/

Also: www.bleepingcomputer.com/news/security/kr00k-bug-in-broadcom-cypress-wifi-chips-leaks-sensitive-info/

Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!

www.bleepingcomputer.com/news/security/hackers-scanning-for-vulnerable-microsoft-exchange-servers-patch-now/ Attackers are actively scanning the Internet for Microsoft Exchange Servers vulnerable to the CVE-2020-0688 remote code execution vulnerability patched by Microsoft two weeks ago. To exploit this flaw attackers only have to find vulnerable servers that are accessible on the Internet, search for email addresses they collect from the Outlook Web Access (OWA) portal URL, and get relevant dumps from previous data breaches. Next, they only have to launch a credential stuffing attack and keep at it until they get a

DoppelPaymer Hacked Bretagne Télécom Using the Citrix ADC Flaw

www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/ Cloud services provider Bretagne Télécom was hacked by the threat actors behind the DoppelPaymer Ransomware using an exploit that targeted servers unpatched against the CVE-2019-19781 vulnerability.

Admins beware! Microsoft gives heads-up for ‘disruptive’ changes to authentication in Office 365 email service

www.theregister.co.uk/2020/02/26/disruptive_authentication_change_coming_to_exchange_online_microsoft_details_help_for_admins/ Basic authentication will be OFF for Exchange Online email and other services from October 2020

New CWE List of Common Security Weaknesses

www.us-cert.gov/ncas/current-activity/2020/02/26/new-cwe-list-common-security-weaknesses-0 With version 4.0, the CWE list expands to include hardware security weaknesses. Additionally, version 4.0 simplifies the presentation of weaknesses into various views and adds a search function to enable easier navigation of the information.

Scam messages are arriving on Finnish phones: don't click the link

www.is.fi/digitoday/tietoturva/art-2000006419704.html?ref=rss The scam, which has been going on for at least a week, is being carried out in PostNord's name.

Firefox, you know you tapped Cloudflare for DNS-over-HTTPS? In January, it briefly knackered two root servers at the heart of the internet

www.theregister.co.uk/2020/02/26/cloudflare_isc_f_dns_root/ A bug in software pushed out by Cloudflare resulted in failures at the heart of the web’s infrastructure, according to a report published this week by the Internet Systems Consortium (ISC).

Rotherwood Healthcare AWS bucket security fail left elderly patients’ DNR choices freely readable online

www.theregister.co.uk/2020/02/26/rotherwood_healthcare_data_leak_10k_records_aws/ Plus birth certificates, job interview data and more

Chrome 80 update cripples top cybercrime marketplace

www.zdnet.com/article/chrome-80-update-cripples-top-cybercrime-marketplace/#ftag=RSSbaffb68 90% of all stolen credentials on the Genesis Store came from the AZORult malware. Now, the malware doesn’t work in Chrome 80.

Stalkerware Attacks Increased 50 Percent Last Year, Report

threatpost.com/stalkerware-attacks-increased-50-percent/153248/ Research puts the emerging mobile threat, which monitors the whereabouts and device activity of device users as well as collects personal data, into clearer focus.

Unpatched Security Flaws Open Connected Vacuum to Takeover

threatpost.com/unpatched-security-flaws-open-connected-vacuum-to-takeover/153142/ A connected, robotic vacuum cleaner has serious vulnerabilities that could allow remote hackers to view its video footage and launch denial of service attacks.

Facial-Recognition Company That Works With Law Enforcement Says Entire Client List Was Stolen

www.thedailybeast.com/clearview-ai-facial-recognition-company-that-works-with-law-enforcement-says-entire-client-list-was-stolen

Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0) [With IOCs]

www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/ The new command and control (C2) protocol that was implemented in one of the 4.0 samples was completely different from the existing understanding of the 3.0 protocol. TAU is providing this analysis as well as the investigation results of discovered C2s or victim hosts infected with the server variants on the Internet.

Tracking Kimsuky, the North Korea-based cyber espionage group: Part 1

www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html For years, we have tracked the espionage threat actor we call Black Banshee (also known in open source as Kimsuky). In 2019, it launched multiple parallel cyber espionage campaigns, from large-scale credential harvesting to narrowly targeted espionage and exfiltration operations.
