Daily NCSC-FI news followup 2020-03-17

Working from home: Cybersecurity tips for remote workers

www.zdnet.com/article/working-from-home-cybersecurity-tips-for-remote-workers/ Switching to remote working because of the coronavirus can create cybersecurity problems for employers and employees. Here are some things to watch. ENISA said it had already seen an increase in coronavirus-related phishing attacks. The agency recommends, as far as possible, that workers try not to mix work and leisure activities on the same device and be particularly careful with any mails referencing the coronavirus. “Attackers are exploiting the situation, so look out for phishing emails and scams,” ENISA said. Read also:

The Internet is drowning in COVID-19-related malware and phishing scams

arstechnica.com/information-technology/2020/03/the-internet-is-drowning-in-covid-19-related-malware-and-phishing-scams/ Emails and websites are promising vital information about keeping safe from the coronavirus pandemic that's sweeping the globe and threatening millions. In fact, a flood of them are scams that push malware, ransomware, and disinformation; attempt to steal passwords and personal information; and conduct espionage operations by hackers working for nation-states.

Bulletin (SB20-076) – Vulnerability Summary for the Week of March 9, 2020

www.us-cert.gov/ncas/bulletins/sb20-076 The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Convincing Google Impersonation Opens Door to MiTM, Phishing

threatpost.com/convincing-google-impersonation-opens-door-to-mitm-phishing/153745/ Using homographic characters is an easy way to execute a convincing fake site. An attack that uses homographic characters to impersonate domain names and launch convincing but malicious websites takes minutes and a bare modicum of skill while reaping high rates of success in luring victims, according to an independent researcher. Researcher Avi Lumelsky set out to see how easy it would be to set up a phishing page that used homographics to impersonate legitimate sites. As he explained in a posting this week, “homographic characters look like ASCII letters, but their encoding is different, in a way that is usually not noticeable for the human eye.”
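The quoted point is that the look-alike characters differ only in encoding, which is exactly what a mail gateway or proxy can inspect. The following added example (not part of the article or the researcher's write-up) decodes a domain's Punycode form, lists every non-ASCII letter with its code point, flags mixed scripts, and checks whether NFKC normalization folds the name to a plain ASCII one; the sample domains are constructed, not taken from the article.

```python
import unicodedata

# Constructed sample domains (not from the article): the second uses a
# Cyrillic 'о' (U+043E) in place of Latin 'o', the third a fullwidth 'ｇ' (U+FF47).
SAMPLE_DOMAINS = ["google.com", "g\u043eogle.com", "\uff47oogle.com"]


def script_of(ch):
    """Coarse script label: the first word of the Unicode character name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def analyze_domain(domain):
    """Decode A-labels (xn--...), then report the indicators a defender can alert on:
    non-ASCII letters, more than one script, and NFKC folding to an ASCII name."""
    domain = domain.rstrip(".").lower()
    # Punycode input is converted back to its Unicode form before inspection.
    unicode_form = domain.encode("ascii").decode("idna") if domain.isascii() else domain
    non_ascii, scripts = [], set()
    for ch in unicode_form:
        if ch in ".-" or ch.isdigit():
            continue
        scripts.add(script_of(ch))
        if ord(ch) > 127:
            non_ascii.append((ch, "U+%04X" % ord(ch), unicodedata.name(ch, "?")))
    nfkc = unicodedata.normalize("NFKC", unicode_form)
    return {
        "input": domain,
        "unicode": unicode_form,
        "punycode": unicode_form.encode("idna").decode("ascii"),
        "non_ascii": non_ascii,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        # A name that folds to pure ASCII is a visual clone of that ASCII name.
        "nfkc_ascii": nfkc if nfkc != unicode_form and nfkc.isascii() else None,
        "suspicious": bool(non_ascii),
    }


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = analyze_domain(d)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['input']!r:22} -> {r['punycode']:20} {flag} scripts={r['scripts']}")
        for ch, cp, name in r["non_ascii"]:
            print(f"    {ch!r} {cp} {name}")
```

The script label is coarse (it is only the first word of the character name), so treat the mixed-script flag as a triage signal rather than a verdict.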

Roundup: The coronavirus pandemic delivers an array of cyber-security challenges

www.zdnet.com/article/roundup-the-coronavirus-pandemic-delivers-an-array-of-cyber-security-challenges/ As the COVID-19 outbreak threatens to overload the healthcare system and the global economy, it’s also having a powerful impact on the security of businesses and individuals.

Most ransomware attacks take place during the night or over the weekend

www.zdnet.com/article/most-ransomware-attacks-take-place-during-the-night-or-the-weekend/ The vast majority of ransomware attacks targeting the enterprise sector occur outside normal working hours, during the night or over the weekend. According to a report published today by US cyber-security firm FireEye, 76% of all ransomware infections in the enterprise sector occur outside working hours, with 49% taking place during nighttime on weekdays, and 27% taking place over the weekend. Read also:

Intel CPUs vulnerable to new ‘Snoop’ attack

www.zdnet.com/article/intel-cpus-vulnerable-to-new-snoop-attack/ Applying the patches for the Foreshadow (L1TF) attack disclosed in 2018 also blocks Snoop attacks. Intel processors are vulnerable to a new attack that can leak data from the CPU’s internal memory — also known as the cache.

Facebook does the right thing for once: Joins Google, LinkedIn, Microsoft, Reddit, Twitter, YouTube to clean out dodgy COVID-19 info

www.theregister.co.uk/2020/03/17/big_social_networks_join_to_remove_fake_covid_19_news/ Facebook, Google, LinkedIn, Microsoft, Reddit, Twitter and YouTube have issued a joint statement in which they promise to disinfect their platforms of contagiously incorrect COVID-19 content. “We are working closely together on COVID-19 response efforts,” the statement says. “We’re helping millions of people stay connected while also jointly combating fraud and misinformation about the virus, elevating authoritative content on our platforms, and sharing critical updates in coordination with government healthcare agencies around the world. We invite other companies to join us as we work to keep our communities healthy and safe.”

Privacy in a Pandemic: What You Can (and Can’t) Ask Employees

www.darkreading.com/endpoint/privacy-in-a-pandemic-what-you-can-(and-cant)-ask-employees/d/d-id/1337326 Businesses struggle to strike a balance between workplace health and employees’ privacy rights in the midst of a global health emergency. The balance between employee health and privacy rights is difficult to strike, especially at a time when organizations are making critical decisions based on health-related information.

The government network collapsed completely under remote work and is still cutting out despite fixes: video and card authentication blocked

www.tivi.fi/uutiset/tv/e6523ba3-2b52-4822-8e87-c2005954628a The central government's remote-access system crashed badly on Friday because it could not handle the load. Over the weekend server capacity was added and video services were blocked, but today, Tuesday, significant problems have appeared again. Kauko, the encrypted VPN network intended for remote access to central government systems, cut out badly on Friday when the system could not cope with the exceptionally heavy remote working caused by the coronavirus situation. Ilta-Sanomat was the first to report on the matter on Friday, followed by STT on Monday. Read also:

16-29 February 2020 Cyber Attacks Timeline

www.hackmageddon.com/2020/03/17/16-29-february-2020-cyber-attacks-timeline/ It’s time to publish the second timeline of February, covering the main cyber attacks that occurred in the second half of this month. Despite the 29 days, I have collected a total of 97 events, including 6 from the previous period that slipped away from the first timeline. Definitely a sharp increase compared with the previous ones. Ransomware continues to characterize this beginning of 2020. Once again, and this is not a surprise, new high-profile targets joined the long list of victims, along with the multiple educational and healthcare institutions that normally populate the timelines. Unfortunately, and this is really sad not only from an infosec perspective, the number of campaigns exploiting the Coronavirus outbreak is also growing in parallel with the expansion of the virus in the real world.

An important improvement to web security affects numerous sites

www.tivi.fi/uutiset/tv/f6f13405-b4b3-4527-84c9-f1244961ec1f WordPress is adding automatic updates for the publishing platform's themes and plugins. This improves security, since outdated plugins and themes are the most common attack route against sites built on WordPress. The feature is already available for plugins, and it will probably come to themes in the coming months. The new functionality improves security because users of the WordPress platform too often forget that plugins need updating, even when the site is otherwise well maintained. ZDNet reported the news; according to the security companies it cites, outdated plugins and themes are clearly the most common attack route against sites built on WordPress.

UK ministers will no longer claim ‘no successful examples’ of Russian interference

www.theguardian.com/technology/2020/mar/15/uk-ministers-will-no-longer-claim-no-successful-examples-of-russian-interference Ministers have been told they can no longer say there have been “no successful examples” of Russian disinformation affecting UK elections, after the apparent hacking of an NHS dossier seized on by Labour during the last campaign. The dropping of the old line is the first official admission of the impact of Kremlin efforts to distort Britain’s political processes, and comes after three years of the government’s refusal to engage publicly with the threat. Read also:


Nigerian spammer made 3X average national salary firehosing macro-laden Word docs at world+dog

www.theregister.co.uk/2020/03/17/nigerian_spammer_deep_dive/ A most entertaining piece of threat research from Check Point gives a unique insight into the “working” life of a Nigerian email spammer who made thousands of dollars from stolen credit cards alone in recent years. The scammer in question, whose true identity was known to Check Point, was by day “a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues,” as the infosec biz put it.

Many Ransomware Attacks Can be Stopped Before They Begin

www.darkreading.com/attacks-breaches/many-rasomware-attacks-can-be-stopped-before-they-begin/d/d-id/1337329 Many threat actors tend to lurk around compromised networks for days before deploying ransomware, giving victim organizations a chance to prevent the attacks if they can spot the initial activity quickly enough. Researchers from FireEye Mandiant recently reviewed more than two years’ worth of ransomware attack data to see what trends they could spot. The researchers wanted to identify common characteristics around initial intrusion vectors, average attacker dwell time on a compromised network, and the time of day when attackers typically tended to deploy ransomware.

A New Complex Infection Chain to Deliver Ursnif Malware

yoroi.company/research/a-new-complex-infection-chain-to-deliver-ursnif-malware/ Ursnif is one of the most common and widespread threats today, delivered through malspam campaigns. It appeared on the threat landscape about 13 years ago and gained popularity from 2014, when its source code was leaked online, giving several threat actors the opportunity to develop their own versions. For months, Italian users have been targeted by Ursnif malicious campaigns, and Cybaze-Yoroi Zlab has closely observed these campaigns in order to track the evolution of TTPs and the sophistication of the infection chains. In almost all the campaigns identified by the researchers it is possible to notice a massive usage of PowerShell as dropper stages.

Activities of a Nigerian Cybercriminal Uncovered

threatpost.com/activities-of-a-nigerian-cybercriminal-uncovered/153751/ The rise and fall of a Nigerian cybercriminal called ‘Dton’, who made hundreds of thousands of dollars in a 7-year campaign, is outlined in a new report. Ever wonder who’s behind one of those Nigerian cyber-crime email campaigns asking you to enter into a shady business deal, and how they’re run? In a unique profile, researchers pulled back the curtain on such an attack with a report outlining how a Nigerian cybercriminal made hundreds of thousands of dollars over the course of seven years by targeting people through numerous malicious campaigns.

Tattoo Recognition Score Card: How Institutions Handled Unethical Biometric Surveillance Dataset

www.eff.org/deeplinks/2020/03/tattoo-recognition-score-card-how-institutions-handled-unethical-biometric In response to an EFF campaign started last year, roughly a third of the institutions that we believe requested problematic and exploitative data as part of a government automated tattoo recognition challenge deleted the data or reported that they had never received or used it. EFF has long been concerned with the many problems associated with efforts to use automated tattoo recognition, a form of biometric surveillance similar to face recognition that can use your body art to reveal your identity or personal information about you, such as your political, religious, familial, or cultural affiliations. We have particular ethical concerns about an effort known as Tatt-C (also known as the Tattoo Recognition Challenge) that was managed by the National Institute of Standards and Technology (NIST) and the Federal Bureau of Investigation. NIST launched this tattoo recognition program in 2014 by creating an “open tattoo database” that institutions could use to test, train, and improve software that could recognize tattoos.

New Nefilim Ransomware Threatens to Release Victims’ Data

www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/ A new ransomware called Nefilim, which shares much of the same code as Nemty, has started to become active in the wild and threatens to release stolen data. Nefilim became active at the end of February 2020, and while it is not known for sure how the ransomware is being distributed, it is most likely through exposed Remote Desktop Services.

Sharp growth in data and voice traffic: “congestion may occur”

www.tivi.fi/uutiset/tv/ab4f4019-6962-42e5-9072-99571cf6cbd3 Voice and data traffic are growing sharply in Finland because of the coronavirus. The coronavirus epidemic that has hit Finland has driven a large share of Finns to work remotely where possible. Naturally, this change also means a heavier load on data and telephone traffic. According to figures published by Telia, voice traffic on the operator's network grew by as much as 30 percent on Monday, and data traffic by 16 percent, compared with the previous week. Read also: www.is.fi/digitoday/art-2000006443057.html

WordPress and Apache Struts account for 55% of all weaponized vulnerabilities

www.zdnet.com/article/wordpress-and-apache-struts-account-for-55-of-all-weaponized-vulnerabilities/ Comprehensive study looks at the most attacked web technologies of the last decade.

Best security keys in 2020: Hardware-based two-factor authentication for online protection

www.zdnet.com/article/best-security-keys/ Being sensible when it comes to passwords is important, and a crucial step to securing your online life. However, some of your online accounts — for example, your Google Account or Dropbox — might be so important and contain such a wealth of information that you might want to take additional steps to protect it.

A Quick Summary of Current Reflective DNS DDoS Attacks

isc.sans.edu/diary/rss/25916 DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers have implemented many countermeasures to make it more difficult to launch these attacks and easier to mitigate them. It has also become easier (but not trivial) to defend against these attacks. But in the end, you still have to “buy your way out” of a denial of service attack. For smaller organizations, even an average attack can be devastating.
