Daily NCSC-FI news followup 2020-02-29

TRICKBOT DELIVERY METHOD GETS A NEW UPGRADE FOCUSING ON WINDOWS 10

blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows Over the past few weeks, Morphisec Labs researchers identified a couple dozen documents that execute the OSTAP JavaScript downloader. This time we have identified the use of the latest version of the remote desktop ActiveX control class that was introduced for Windows 10. The attackers utilize the ActiveX control for automatic execution of the malicious macro once the document content is enabled. also:

www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/

Meet the white-hat group fighting Emotet, the world’s most dangerous malware

www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/#ftag=RSSbaffb68 A private group of 20+ security researchers and system administrators has been waging a silent war against Emotet, today’s most dangerous malware operation.

TA505 hacking crew spent much of 2019 trying to breach South Korea’s financial sector

www.cyberscoop.com/ta505-south-korea-bank-phishing/ A gang of hackers with a long history of financially motivated attacks increased its targeting of businesses in South Korea last year, using a combination of malicious attachments and ransomware to haunt victims, according to new findings.

US Railroad Contractor Reports Data Breach After Ransomware Attack

www.bleepingcomputer.com/news/security/us-railroad-contractor-reports-data-breach-after-ransomware-attack/ RailWorks Corporation, one of North America's leading railroad track and transit system providers, disclosed a ransomware attack that led to the exposure of personally identifiable information of current and former employees, their beneficiaries and dependents, as well as that of independent contractors.

The Long Path out of the Vulnerability Disclosure Dark Ages

www.wired.com/story/vulnerability-disclosure-bug-bounties/ Letting a company know about flaws in their products has gotten easier since 2003, but not by much.

Domen toolkit gets back to work with new malvertising campaign

blog.malwarebytes.com/threat-analysis/2020/02/domen-toolkit-gets-back-to-work-with-new-malvertising-campaign/ Last year, we documented a new social engineering toolkit we called Domen being used in the wild. Threat actors were using this kit to trick visitors into visiting compromised websites and installing malware under the guise of a browser update or missing font. Despite being a robust toolkit, we only saw Domen in sporadic campaigns last year, often reusing the same infrastructure that had already been partially disrupted. However, we recently came across a new malvertising campaign with brand new infrastructure that shows Domen is still being used by threat actors. Even though Domen shares similarities with other social engineering templates, it is unique in its own ways. The client-side JavaScript responsible for the fake updates is one of the most thorough and professional coding jobs we have ever seen.

NVIDIA Fixes High Severity Flaw in Windows GPU Display Driver

www.bleepingcomputer.com/news/security/nvidia-fixes-high-severity-flaw-in-windows-gpu-display-driver/ NVIDIA has released a GPU display driver security update today, February 28, 2020, that fixes high and medium severity vulnerabilities that might lead to code execution, local escalation of privileges, information disclosure, and denial of service on unpatched Windows computers.

Do you use your Windows computer as an administrator? Here is how to create a safer account for yourself

www.tivi.fi/uutiset/kaytatko-windows-konettasi-jarjestelmanvalvojana-nain-luot-itsellesi-turvallisemman-tilin/de2ebb88-5fba-4a42-b724-93215b9ab1b9 Using a computer is also safer when your own user account is not an administrator. When setting up a new computer, it is worth creating, in addition to the administrator account, a standard user account for yourself that does not have administrator rights. Then any malware cannot run riot on the computer on its own, but in operations that require broad rights . Comment: For subscribers

Hazelcast IMDG Discover Scan

isc.sans.edu/forums/diary/Hazelcast+IMDG+Discover+Scan/25850/ Today my honeypot has been capturing scans for the Hazelcast REST API. I checked my logs for the past 2 years and these only started today. The last vulnerability published for Hazelcast was CVE-2018-10654 and related to “There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.”
