Daily NCSC-FI news followup 2020-02-26

Iranian APT Targets Govs With New Malware

threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/ A new campaign is targeting governments with the ForeLord malware, which steals credentials. A never-before-seen credential-stealing malware, dubbed ForeLord, has been uncovered in recent spear-phishing emails. Researchers have attributed the campaign to a known Iranian advanced persistent threat (APT) group.

Internal Docs Show Why the U.S. Military Publishes North Korean and Russian Malware

www.vice.com/en_us/article/5dmwyx/documents-how-cybercom-publishes-russian-north-korean-malware-virustotal A previously secret document obtained by Motherboard shows how, and why, CYBERCOM is publicly releasing malware from adversaries.

Zyxel 0day Affects its Firewall Products, Too

krebsonsecurity.com/2020/02/zyxel-0day-affects-its-firewall-products-too/ On Monday, networking hardware maker Zyxel released security updates to plug a critical security hole in its network attached storage (NAS) devices that is being actively exploited by crooks who specialize in deploying ransomware. Today, Zyxel acknowledged the same flaw is present in many of its firewall products.

Flaw in billions of Wi-Fi devices left communications open to eavesdropping

arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/ Cypress and Broadcom chip bug bit iPhones, Macs, Android devices, Echoes, and more. Also:

www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/ and:

www.bleepingcomputer.com/news/security/kr00k-bug-in-broadcom-cypress-wifi-chips-leaks-sensitive-info/

Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!

www.bleepingcomputer.com/news/security/hackers-scanning-for-vulnerable-microsoft-exchange-servers-patch-now/ Attackers are actively scanning the Internet for Microsoft Exchange Servers vulnerable to the CVE-2020-0688 remote code execution vulnerability patched by Microsoft two weeks ago. To exploit this flaw attackers only have to find vulnerable servers that are accessible on the Internet, search for email addresses they collect from the Outlook Web Access (OWA) portal URL, and get relevant dumps from previous data breaches. Next, they only have to launch a credential stuffing attack and keep at it until they get a

DoppelPaymer Hacked Bretagne Télécom Using the Citrix ADC Flaw

www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/ Cloud services provider Bretagne Télécom was hacked by the threat actors behind the DoppelPaymer Ransomware using an exploit that targeted servers unpatched against the CVE-2019-19781 vulnerability.

Admins beware! Microsoft gives heads-up for ‘disruptive’ changes to authentication in Office 365 email service

www.theregister.co.uk/2020/02/26/disruptive_authentication_change_coming_to_exchange_online_microsoft_details_help_for_admins/ Basic authentication will be OFF for Exchange Online email and other services from October 2020

New CWE List of Common Security Weaknesses

www.us-cert.gov/ncas/current-activity/2020/02/26/new-cwe-list-common-security-weaknesses-0 With version 4.0, the CWE list expands to include hardware security weaknesses. Additionally, version 4.0 simplifies the presentation of weaknesses into various views and adds a search function to enable easier navigation of the information.

Scam messages are arriving on Finns' phones: don't click the link

www.is.fi/digitoday/tietoturva/art-2000006419704.html?ref=rss The scam, which has been going on for at least a week, is being carried out in PostNord's name.

Firefox, you know you tapped Cloudflare for DNS-over-HTTPS? In January, it briefly knackered two root servers at the heart of the internet

www.theregister.co.uk/2020/02/26/cloudflare_isc_f_dns_root/ A bug in software pushed out by Cloudflare resulted in failures at the heart of the web’s infrastructure, according to a report published this week by the Internet Systems Consortium (ISC).

Rotherwood Healthcare AWS bucket security fail left elderly patients’ DNR choices freely readable online

www.theregister.co.uk/2020/02/26/rotherwood_healthcare_data_leak_10k_records_aws/ Plus birth certificates, job interview data and more

Chrome 80 update cripples top cybercrime marketplace

www.zdnet.com/article/chrome-80-update-cripples-top-cybercrime-marketplace/#ftag=RSSbaffb68 90% of all stolen credentials on the Genesis Store came from the AZORult malware. Now, the malware doesn’t work in Chrome 80.

Stalkerware Attacks Increased 50 Percent Last Year, Report

threatpost.com/stalkerware-attacks-increased-50-percent/153248/ Research puts the emerging mobile threat, which monitors the whereabouts and device activity of device users as well as collects personal data, into clearer focus.

Unpatched Security Flaws Open Connected Vacuum to Takeover

threatpost.com/unpatched-security-flaws-open-connected-vacuum-to-takeover/153142/ A connected, robotic vacuum cleaner has serious vulnerabilities that could allow remote hackers to view its video footage and launch denial of service attacks.

Facial-Recognition Company That Works With Law Enforcement Says Entire Client List Was Stolen

www.thedailybeast.com/clearview-ai-facial-recognition-company-that-works-with-law-enforcement-says-entire-client-list-was-stolen

Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0) [With IOCs]

www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/ The new command and control (C2) protocol that was implemented in one of the 4.0 samples was completely different from the existing understanding of the 3.0 protocol. TAU is providing this analysis as well as the investigation results of discovered C2s or victim hosts infected with the server variants on the Internet.

Tracking Kimsuky, the North Korea-based cyber espionage group: Part 1

www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html For years, we have tracked the espionage threat actor we call Black Banshee (also known in open source as Kimsuky). In 2019, it launched multiple parallel cyber espionage campaigns, from large-scale credential harvesting to narrowly targeted espionage and exfiltration operations.
