Daily NCSC-FI news followup 2020-03-02

Active Scans for Apache Tomcat Ghostcat Vulnerability Detected, Patch Now

www.bleepingcomputer.com/news/security/active-scans-for-apache-tomcat-ghostcat-vulnerability-detected-patch-now/ Ongoing scans for Apache Tomcat servers unpatched against the Ghostcat vulnerability that allows potential attackers to take over servers have been detected over the weekend.. As cyber threat intelligence firm Bad Packets said on Saturday, “mass scanning activity targeting this vulnerability has already begun. PATCH NOW!”. Ghostcat is a high-risk file read/include vulnerability tracked as CVE-2020-1938 and present in the Apache JServ Protocol (AJP) of Apache Tomcat between versions 6.x and 9.x.. All unpatched Apache Tomcat 6, 7, 8, and 9 installations ship with AJP Connector enabled by default and listening on all configured server IP addresses on port 8009.
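As an added defender-side example (not code from the article or from the Apache Tomcat project), the script below audits a Tomcat server.xml for the AJP connector defaults the article describes; both server.xml snippets are constructed samples, and the `secretRequired`/`secret` attributes are the ones the patched Tomcat releases introduced.

```python
# Added example: audit a Tomcat server.xml for the AJP connector exposure that
# Ghostcat (CVE-2020-1938) scanning looks for. Not part of the original article.
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the pre-patch default, AJP enabled on every interface, port 8009.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: hardened, AJP bound to loopback and requiring a shared secret.
# 'address' has always existed; 'secretRequired' and 'secret' come with the patched releases.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="CHANGE-ME-PLACEHOLDER" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> List[str]:
    """Return one finding per AJP connector that is reachable beyond loopback
    or does not require a secret; an empty list means nothing to flag."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP/"):
            continue
        port = conn.get("port", "?")
        # Unpatched builds listen on all configured addresses when 'address' is unset.
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append(f"AJP connector on {address}:{port} is reachable from the network")
        if conn.get("secretRequired", "false").lower() != "true":
            findings.append(f"AJP connector on port {port} does not require a secret")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(cfg) or ["ok"])
```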

Large-scale phishing attack on Western Europe

blog.360totalsecurity.com/en/large-scale-phishing-attack-on-western-europe/ Beginning in November 2019, 360 Security Center detected multiple large-scale cyber attack incidents carrying AgentTesla stealing Trojans.. At first, the email attachment was an RTF document, which contained multiple identical Excel objects. These Excel objects also contained malicious macro code, and eventually downloaded AgentTesla stealing software to steal the users' sensitive information. However, new email attachments captured recently have been converted into docx documents, and template injection technology has been used to

This phishing email contains a password-protected file. Don’t open it.

www.zdnet.com/article/this-phishing-email-contains-a-password-protected-file-dont-open-it/#ftag=RSSbaffb68 Researchers at Palo Alto Networks detail a strange new campaign which tricks users with phoney security and compromises networks.. Palo Alto Unit 42 blog:

unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/

Hackers are actively exploiting zero-days in several WordPress plugins

www.zdnet.com/article/hackers-are-actively-exploiting-zero-days-in-several-wordpress-plugins/#ftag=RSSbaffb68 During the past two weeks, we’ve seen a resurgence in attacks against WordPress sites, signaling an end to the period of relative calm we’ve seen in December and January.. Several cybersecurity firms specialized in WordPress security products — such as Wordfence, WebARX, and NinTechNet — have reported on an ever-increasing number of attacks on WordPress sites.. Below is a summary of all the WordPress hacking campaigns that have happened in February and which targeted new WordPress plugin flaws.

Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach

techcrunch.com/2020/03/01/visser-breach/?guccounter=1 Visser Precision, a Denver, Colorado-based manufacturer, makes custom parts for a number of industries, including automotive and aeronautics. In a brief statement, the company confirmed it was the recent target of a criminal cybersecurity incident, including access to or theft of data.. The company said it continues its comprehensive investigation of the attack, and business is operating normally, a spokesperson told TechCrunch.. Security researchers say the attack was caused by the DoppelPaymer ransomware, a new kind of file-encrypting malware which first exfiltrates the company's data. The ransomware threatens to publish the stolen files if the ransom is not paid.

Ransomware victims are paying out millions a month. One particular version has cost them the most.

www.zdnet.com/article/fbi-ransomware-victims-have-paid-out-140-million-one-version-has-cost-them-the-most/#ftag=RSSbaffb68 Ransomware victims have paid out more than $140 million to crooks over the last six-and-a-half years, according to calculations by the FBI.. Ryuk was the leading ransomware variant, generating roughly $61m between February 2018 and October 2019. Crysis/Dharma was the second most lucrative ransomware, generating $24m between November 2016 and November 2019. Third on the list, Bitpaymer, generated $8 million between October 2017 and September 2019, while SamSam managed $6.9m between January 2016 and the end of November 2018.. In terms of how ransomware attacks begin, DeCapua said that Remote Desktop Protocol (RDP) provides the initial foothold in 70% to 80% of incidents. Mostly this is done by brute-force attacks on RDP, that is, the use of automated tools to try password variations until one works.

Exclusive: Newly obtained documents show Huawei role in shipping prohibited U.S. gear to Iran

www.reuters.com/article/us-huawei-iran-sanctions-exclusive/exclusive-newly-obtained-documents-show-huawei-role-in-shipping-prohibited-u-s-gear-to-iran-idUSKBN20P1VA China's Huawei Technologies, which for years has denied violating American trade sanctions on Iran, produced internal company records in 2010 that show it was directly involved in sending prohibited U.S. computer equipment to Iran's largest mobile-phone operator.

This week, several media reported that agents of the Russian intelligence reportedly went to Ireland to inspect the undersea cables.

securityaffairs.co/wordpress/98710/intelligence/russia-spies-undersea-cables.html The Sunday Times reported that Russian intelligence agents have been sent to Ireland to gather detailed information on the undersea cables that connect Europe to North America. The news is alarming; intelligence agencies fear that Russia plans to carry out new cyber-espionage operations by tapping the undersea cables or even sabotage them.. "Russia has sent intelligence agents to Ireland to map the precise location of the fibre-optic, ocean-bed cables that connect Europe to America, gardaí suspect. This has raised concerns that Russian agents are checking the cables for weak points, with a view to tapping or even damaging them in the future," reported The Sunday Times.

Karkoff 2020: a new APT34 espionage operation involves Lebanon Government

blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/ In April 2019, Cisco Talos discovered evidence of the link between APT34 (codename Helix Kitten or OilRig) and the DNSEspionage operation. Talos analysts discovered several overlaps in the infrastructure employed by attackers and identified common TTPs. They tracked this new implant as Karkoff.. Experts from Cybaze/Yoroi Zlab, as part of ordinary Threat Intelligence activities, spotted a new sample which they believe to be an update of the Karkoff implant. It could prove that APT34 is still active and threat actors used it in a new campaign that appears to be active at the time of writing. The APT group made some changes in its technique, tactics, and procedures, but the target is the

French Firms Rocked by Kasbah Hacker?

krebsonsecurity.com/2020/03/french-firms-rocked-by-kasbah-hacker/ A large number of French critical infrastructure firms were hacked as part of an extended malware campaign that appears to have been orchestrated by at least one attacker based in Morocco, KrebsOnSecurity has learned.

FuzzBench: Fuzzer Benchmarking as a Service

security.googleblog.com/2020/03/fuzzbench-fuzzer-benchmarking-as-service.html We are excited to launch FuzzBench, a fully automated, open source, free service for evaluating fuzzers. The goal of FuzzBench is to make it painless to rigorously evaluate fuzzing research and make fuzzing research easier for the community to adopt.

Ethical hackers submitted more bugs to the Pentagon than ever last year

www.cyberscoop.com/ethical-hackers-submitted-bugs-pentagon-ever-last-year/ Outside security researchers alerted the Pentagon about more software vulnerabilities in its networks than ever before, according to statistics released by a Department of Defense unit focused on cyber operations.. "Working with hackers to improve an organization's cyber hygiene was considered a revolutionary idea in 2016, but it has evolved to become almost commonplace in DOD," Johnson said in a blog post. "Trust is the foundation of the disclosure program. We trust that the hackers will follow the policy and do no harm."

Offense and Defense - A Tale of Two Sides: PowerShell

www.fortinet.com/blog/threat-research/offense-and-defense-a-tale-of-two-sides-powershell.html This is the start of a new blog series I'm calling Offense and Defense - A Tale of Two Sides. This monthly series will focus on the different tactics and techniques adversaries are known to use to complete their cyber missions, and how organizations can detect and ultimately prevent them. I will use the MITRE ATT&CK knowledge base and terminology to guide us through the various techniques.

Rail station wi-fi provider exposed traveller data

www.bbc.com/news/technology-51682280 Network Rail and the service provider C3UK confirmed the incident three days after being contacted by BBC News about the matter.. The database, found online by a security researcher, contained 146 million records, including personal contact details and dates of birth.. It was not password protected.

Hackers Can Use Ultrasonic Waves to Secretly Control Voice Assistant Devices

thehackernews.com/2020/03/voice-assistants-ultrasonic-waves.html Researchers have discovered a new means to target voice-controlled devices by propagating ultrasonic waves through solid materials in order to interact with and compromise them using inaudible voice commands without the victims’ knowledge.
