Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-03-05

Attackers Taking Advantage of the Coronavirus/COVID-19 Media Frenzy

www.fortinet.com/blog/threat-research/attackers-taking-advantage-of-the-coronavirus-covid-19-media-frenzy.html Over the past several weeks, FortiGuard Labs has been observing a significant increase in both legitimate and malicious activity surrounding the Coronavirus.. Threat findings via OSINT channels have yielded multiple themes, such as those appearing to be reports from trusted sources, such as governmental agencies, news outlets, etc. but that were actually malicious. It is also important to note that we are likely only scratching the surface on observable attacks as this is a global outbreak, and most of our observations have been in English or languages . The issue has now become so problematic that the World Health Organization (WHO) recently issued a statement on their website titled, Beware of criminals pretending to be WHO. The UN also recently added an advisory on the 29th of February as well reminding citizens to be vigilant of such scams.. also:

blog.checkpoint.com/2020/03/05/update-coronavirus-themed-domains-50-more-likely-to-be-malicious-than-other-domains/

Enable that MF-ing MFA: 1.2 million Azure Active Directory accounts compromised every month, reckons Microsoft

www.theregister.co.uk/2020/03/05/microsoft_12_million_enterprise_accounts_are_compromised_every_month/ Microsoft reckons 0.5 per cent of Azure Active Directory accounts as used by Office 365 are compromised every month.. “About a half of a per cent of the enterprise accounts on our system will be compromised every month, which is a really high number. If you have an organisation of 10,000 users, 50 will be compromised each month,” said Weinert.. The key point, though, is that if an account is compromised, said Weinert, “there’s a 99.9 per cent chance that it did not have MFA [Multi Factor Authentication]”. MFA is where at least one additional identifier is required when logging in, such as a code on an authenticator application or a text message to a mobile phone.

Cloud Snooper Attack Bypasses Firewall Security Measures

news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/ In the course of investigating a malware infection of cloud infrastructure servers hosted in the Amazon Web Services (AWS) cloud, SophosLabs discovered a sophisticated attack that employed a unique combination of techniques to evade detection and that permits the malware to communicate freely with its command and control (C2) servers through a firewall that should, under normal circumstances, . PDF:

news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf

Intel x86 Root of Trust: loss of trust

blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality. A vulnerability has been found in the ROM of the Intel Converged Security and Management Engine (CSME). This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms.. The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.

Ryuk Revisited – Analysis of Recent Ryuk Attack

www.fortinet.com/blog/threat-research/ryuk-revisited-analysis-of-recent-ryuk-attack.html Ryuk is a well-known ransomware variant, and different versions have been reviewed in the past. However, due to its targeted and ever-evolving nature, it is interesting to see what the latest variants hold in store.. In this blog post, we will analyze the tactics, techniques, and procedures (TTPs) used by this recently discovered Ryuk variant, review similarities to past variants, and highlight the methods it uses to maximize the damage it can cause to the networks of targeted organizations. Reviewing these TTPs will allow you to test the current security controls within your network to ensure you are able to

Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection

www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/ Legal services and e-discovery giant Epiq Global took their systems offline on Saturday after the Ryuk Ransomware was deployed and began encrypting devices on their network.

Ryuk ransomware hits Fortune 500 company EMCOR

www.zdnet.com/article/ryuk-ransomware-hits-fortune-500-company-emcor/#ftag=RSSbaffb68 EMCOR Group (NYSE: EME), a US-based Fortune 500 company specialized in engineering and industrial construction services, disclosed last month a ransomware incident that took down some of its IT systems.. The incident took place on February 15 and was identified as an infection with the Ryuk ransomware strain.

Alleged Vault 7 leaker trial finale: Want to know the CIA’s password for its top-secret hacking tools? 123ABCdef

www.theregister.co.uk/2020/03/05/cia_leak_trial/ Tales of terrible security, poor compartmentalization, and more, emerge from the Schulte hearings

Mokes and Buerak distributed under the guise of security certificates

securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/ The technique of distributing malware under the guise of legitimate software updates is not new. As a rule, cybercriminals invite potential victims to install a new version of a browser or Adobe Flash Player. However, we recently discovered a new approach to this well-known method: visitors to infected sites were informed that some kind of security certificate had expired. Unsurprisingly, the . We detected the infection on variously themed websites from a zoo to a store selling auto parts. The earliest infections found date back to January 16, 2020.

Attack Landscape H2 2019: An unprecedented year for cyber attacks

blog.f-secure.com/attack-landscape-h2-2019-an-unprecedented-year-cyber-attacks/ The last year of the decade set a new standard for cyber attacks. F-Secures Attack Landscape H2 2019 notes that while the impact of sophisticated ransomware attacks continues to be devastating, most of the billions of attacks we see target devices that dont have keyboards.

Email domains without DMARC enforcement spoofed nearly 4X as often

www.helpnetsecurity.com/2020/03/05/dmarc-records/ As of January 2020, nearly 1 million (933,973) domains have published DMARC records an increase of 70% compared to last year, and more than 180% growth in the last two years.. However, just 13% of all DMARC records are configured with enforcement policies, demonstrating that interest in DMARC is increasing but DMARC expertise is not keeping pace.. But publishing a DMARC record is just the first step enforcement must be reached before a domain is protected, and trust can be restored to email.. Theres an additional downside to not getting to enforcement: Our research demonstrates that domains without DMARC policies at enforcement are spoofed nearly four times more often compared to domains with DMARC at enforcement. This is because fraudsters give up trying to spoof a domain once they realize it doesnt work, and move on to easier targets.

Chinese hackers use decade-old Bisonal Trojan in cyberespionage campaigns

www.zdnet.com/article/chinese-hackers-use-decade-old-bisonal-trojan-to-strike-russian-targets/#ftag=RSSbaffb68 The RATs core functions remain the same but it is unusual that the malware has been rehashed over so many years.. also:

blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html

Guildma: The Devil drives electric

www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ The fourth installment of our occasional series demystifying Latin American banking trojans. In this blogpost, we will examine Guildma (also known as Astaroth, a powerful demon), a highly prevalent Latin American banking trojan. This Brazil-targeting trojan, written in Delphi, boasts some innovative execution and attack techniques. We will describe the most recent version, highlighting the most notable changes made since the middle of 2019 when an avalanche of articles about Guildma was

Warning: An Android Security App With 1 Billion Downloads Is Recording Users Web Browsing

www.forbes.com/sites/thomasbrewster/2020/03/03/warning-an-android-security-app-with-1-billion-downloads-is-recording-users-web-browsing/ In February, Google threw 600 apps out of its Play store. Amongst those was an app called Clean Master, a security tool promising antivirus protection and private browsing. It had more than 1 billion installs before it was evicted and, despite Googles ban, is one of Androids most downloaded apps ever and is likely still running on millions of phones.. Whilst Google hasnt commented on what it knew about the app, created by Chinas Cheetah Mobile, Forbes has learned a security company provided the tech giant with evidence the tool was collecting all manner of private Web use data.. That includes which websites users visited from the in-app private browser, their search engine queries and their Wi-Fi access point names, right down to more detailed information like how they scrolled on visited Web pages, according to the security companys researcher, who also provided the information to Forbes.

Lets Encrypt Pushes Back Deadline to Revoke Some TLS Certificates

threatpost.com/lets-encrypt-pushes-back-deadline-to-revoke-some-tls-certificates/153456/ Lets Encrypt said it will give users of its Transport Layer Security (TLS) certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization (CAA) bug before it revokes them.

Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys

www.wired.com/story/hackers-can-clone-millions-of-toyota-hyundai-kia-keys/ Encryption flaws in a common anti-theft feature expose vehicles from major manufacturers .

PwndLocker Ransomware Gets Pwned: Decryption Now Available

www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/ Emsisoft has discovered a way to decrypt files encrypted by the new PwndLocker Ransomware so that victims can recover their files without paying a ransom.

Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks

blog.trendmicro.com/trendlabs-security-intelligence/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks/ The Android banking trojan Geost was first revealed in a research by Sebastian García, Maria Jose Erquiaga and Anna Shirokova from the Stratosphere Laboratory.. The trojan employed several layers of obfuscation, encryption, reflection, and injection of non-functional code segments that made it more difficult to reverse engineer.

Hackers Compromise T-Mobile Employee’ Email Accounts and Steal User’ Data

thehackernews.com/2020/03/hackers-compromise-t-mobile-employees.html US-based telecom giant T-Mobile has suffered yet another data breach incident that recently exposed personal and accounts information of both its employees and customers to unknown hackers.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.