Daily NCSC-FI news followup 2020-03-24

Fortinet Security Researcher Discovers Multiple Critical Vulnerabilities in Adobe Photoshop

www.fortinet.com/blog/threat-research/fortinet-security-researcher-discovers-multiple-critical-vulnerabilities-in-adobe-photoshop.html This past January, I discovered and reported multiple critical zero-day vulnerabilities in Adobe Photoshop CC 2020. This past Tuesday (Mar 17, 2020), Adobe released several out-of-band security patches that addressed those vulnerabilities. They are identified as CVE-2020-3783, CVE-2020-3784, CVE-2020-3785, CVE-2020-3786, CVE-2020-3787, CVE-2020-3788 and CVE-2020-3789. All of these vulnerabilities have different root causes related to a multitude of Photoshop Plugins. Due to the critical rating of these vulnerabilities, we suggest users apply these latest Adobe patches as soon as possible.

krebsonsecurity.com/2020/03/whos-behind-the-web-listings-mail-scam/ In December 2018, KrebsOnSecurity looked at how dozens of U.S. political campaigns, cities and towns had paid a shady company called Web Listings Inc. after receiving what looked like a bill for search engine optimization (SEO) services rendered on behalf of their domain names.

Combating the Underground Economy's Automation Revolution

www.recordedfuture.com/underground-economy-automation/ Automation has become an essential part of nearly every industry, and nowhere is this more true than in cybersecurity. Unfortunately, the benefits of automation are available to criminal enterprises and defenders alike. So while the criminal underground has created an ecosystem of tools and resources to operationalize and monetize campaigns, SOAR platforms can be used to tip the balance back in the defender's favor by automating defensive intelligence feeds and combining them with automated detection and prevention.

WildPressure targets industrial-related entities in the Middle East

securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/ In August 2019, Kaspersky discovered a malicious campaign distributing a fully fledged C++ Trojan that we call Milum. All the victims we registered were organizations from the Middle East. At least some of them are related to the industrial sector. Our Kaspersky Threat Attribution Engine (KTAE) doesn't show any code similarities with known campaigns. Nor have we seen any target intersections. In fact, we found just three almost unique samples, all in one country. So we consider the attacks to be targeted and have currently named this operation WildPressure.

TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany

securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/ IBM X-Force researchers analyzed an Android malware app that's likely being pushed to infected users by the TrickBot Trojan. This app, dubbed TrickMo by our team, is designed to bypass the second-factor and strong authentication pushed to bank customers when they need to authorize a transaction.

UNCOVERING OPENWRT REMOTE CODE EXECUTION (CVE-2020-7982)

blog.forallsecure.com/uncovering-openwrt-remote-code-execution-cve-2020-7982 For ForAllSecure, I've been focusing on finding bugs in OpenWRT using their Mayhem software. My research on OpenWRT has been a combination of writing custom harnesses, running binaries of the box without recompilation, and manual inspection of code. I found this vulnerability initially by chance when I was preparing a Mayhem task for opkg. Mayhem can serve data either from a file or from a network socket.

How to Provide Remote Incident Response During the Coronavirus Times

thehackernews.com/2020/03/remote-incident-response.html While the Coronavirus pandemic continues to wreak chaos across the global economy, threat actors keep launching cyberattacks on organizations of all sizes and verticals. IR providers face a unique challenge when approached by these organizations since, due to the Coronavirus mass quarantine, conducting incident response engagements by physically arriving at the customers' offices is impossible.

Apache Tomcat Exploit Poised to Pounce, Stealing Files

threatpost.com/apache-tomcat-exploit-stealing-files/154055/ Researchers said that a working exploit for CVE-2020-1938 leaked on GitHub makes it a snap to compromise web servers. A vulnerability in the popular Apache Tomcat web server is ripe for active attack, thanks to a proof-of-concept (PoC) exploit making an appearance on GitHub. The now-patched bug affects Tomcat versions 7.0, 8.5 and 9.0.

Microsoft’s Windows 10 warning: Astaroth malware is back. This time it’s even stealthier

www.zdnet.com/article/microsofts-windows-10-warning-astaroth-malware-is-back-this-time-its-even-stealthier/ Astaroth, a group that uses legitimate Windows tools to spread malware, has retooled after Microsoft drew attention to its living-off-the-land techniques last July. The group in February stepped up its activity with even stealthier methods.

Breach of a Finnish online service: "We recommend that you change your password"

www.is.fi/digitoday/tietoturva/art-2000006450533.html Forenom, a Finnish provider of accommodation services, has suffered a data breach. According to its statement, some of the personal data stored in its system has ended up in the hands of an unknown outside party. The leak does not concern guest or tenant data, only the data of the person who made the purchase.

Google Play Store Played Again: Tekya Clicker Hides in 24 Children's Games and 32 Utility Apps

research.checkpoint.com/2020/google-play-store-played-again-tekya-clicker-hides-in-24-childrens-games-and-32-utility-apps/ Although Google has taken steps to secure its Play store and stop malicious activity, hackers are still finding ways to infiltrate the app store and access users' devices. Millions of mobile phone users have unintentionally downloaded malicious apps that have the ability to compromise their data, credentials, emails, text messages, and geographical location. For example, in February 2020, the Haken malware family was installed on over 50,000 Android devices by eight different malicious apps, all of which initially appeared to be safe.

What to do if a ransomware extortionist strikes: above all, don't panic

www.tivi.fi/uutiset/tv/b711f908-124c-4ede-807d-26bc940f8260 Just a few years ago, ransomware mostly hit home computers. It encrypted a single hard drive and demanded a ransom of a few hundred euros from the consumer. Home computer data is not very valuable, and not all victims are able to pay a ransom in bitcoin even if they wanted to. So the extortionists have changed tactics: the targets are now large organizations, attacked in a targeted and planned manner. More and more companies are falling victim to ransomware. It pays to prepare for the threat well in advance.

Fake Corona Antivirus Software Used to Install Backdoor Malware

www.bleepingcomputer.com/news/security/fake-corona-antivirus-software-used-to-install-backdoor-malware/ Sites promoting a bogus Corona Antivirus are taking advantage of the current COVID-19 pandemic to promote and distribute a malicious payload that will infect the target's computer with the BlackNET RAT and add it to a botnet. The two sites promoting the fake antivirus software can be found at antivirus-covid19[.]site and corona-antivirus[.]com, as discovered by the Malwarebytes Threat Intelligence team and researchers at MalwareHunterTeam, respectively.

Tech Giant GE Discloses Data Breach After Service Provider Hack

www.bleepingcomputer.com/news/security/tech-giant-ge-discloses-data-breach-after-service-provider-hack/ Fortune 500 technology giant General Electric (GE) disclosed that personally identifiable information of current and former employees, as well as beneficiaries, was exposed in a security incident experienced by one of GE’s service providers. GE is a multinational operating in a wide range of tech segments including aviation, power, healthcare, and renewable energy, and it is currently ranked by Fortune 500 as the 21st-largest company in the U.S. by revenue.

Adobe debuts disk-cleaning tool cleverly disguised as an arbitrary file deletion bug in Creative Cloud on Windows

www.theregister.co.uk/2020/03/24/adobe_cc_deletion_bug/ Adobe has issued a patch for a critical flaw that can be exploited to delete files from Windows computers running the Creative Cloud client. Dubbed CVE-2020-3808, the vulnerability is a classic time-of-check-to-time-of-use flaw where, by exploiting a race condition, a miscreant could potentially trick the system into deleting work-in-progress files and other data-destroying shenanigans. Also:

www.bleepingcomputer.com/news/security/adobe-fixes-critical-vulnerability-in-creative-cloud-application/

threatpost.com/critical-adobe-flaw-out-of-band-security-update/154075/

WHO Targeted in Espionage Attempt, COVID-19 Cyberattacks Spike

threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/ The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. Problematically, evidence has also now surfaced that the DarkHotel APT group has tried to infiltrate its networks to steal information.

Hackers Hijack Routers DNS to Spread Malicious COVID-19 Apps

www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-to-spread-malicious-covid-19-apps/ A new cyber attack is hijacking routers' DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is in fact the Oski information-stealing malware. For the past five days, people have been reporting that their web browser would open on its own and display a message prompting them to download a 'COVID-19 Inform App' that was allegedly from the World Health Organization (WHO).

Memcached has a crash-me bug, but hey, only about 83,000 public-facing servers appear to be running it

www.theregister.co.uk/2020/03/24/memcached_crash_bug/ An annoying security flaw has been disclosed and promptly fixed in the fairly popular memcached distributed data-caching software. On Monday morning a netizen with the handle IceJi publicly revealed the presence of a bug that could be exploited to crash the software: specifically, the flaw is a buffer overflow in the binary protocol header handling in memcached versions 1.6.0 and 1.6.1. Developers were not warned of the bug prior to the public disclosure.
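The article does not describe the bug beyond "a buffer overflow in the binary protocol header", so the following is an added illustration written for this digest, not memcached's own code, of the length checks a parser for that header needs before it trusts the key and extras lengths a client supplies. The 24-byte request header layout (magic, opcode, key length, extras length, data type, vbucket, total body length, opaque, CAS) is memcached's documented binary protocol; the limits KEY_MAX_LEN (memcached's documented 250-byte key limit) and BODY_MAX_LEN (1 MiB, the default item size limit) are assumptions chosen for the example, and the sample headers are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BIN_HDR_LEN    24
#define BIN_REQ_MAGIC  0x80
#define KEY_MAX_LEN    250              /* assumption: memcached's documented key limit */
#define BODY_MAX_LEN   (1024u * 1024u)  /* assumption: default item size limit, 1 MiB */

/* Fields of a memcached binary request header relevant to buffer sizing. */
typedef struct {
    uint8_t  opcode;
    uint16_t keylen;
    uint8_t  extlen;
    uint32_t bodylen;
    uint32_t opaque;
    uint64_t cas;
} bin_req_t;

enum hdr_status {
    HDR_OK = 0,
    HDR_SHORT,          /* fewer than 24 bytes available */
    HDR_BAD_MAGIC,      /* not a request header */
    HDR_KEY_TOO_LONG,   /* keylen exceeds the key buffer */
    HDR_BODY_TOO_LARGE, /* bodylen exceeds what we are willing to allocate */
    HDR_LEN_MISMATCH    /* extras + key do not fit inside the body */
};

/* Big-endian readers; the protocol is network byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t rd64(const uint8_t *p) { return ((uint64_t)rd32(p) << 32) | rd32(p + 4); }

/* Validate a header before any of its lengths are used to size a buffer or a copy.
 * Returns HDR_OK and fills *out only when every length is consistent. */
int parse_bin_header(const uint8_t *buf, size_t len, bin_req_t *out)
{
    if (len < BIN_HDR_LEN)       return HDR_SHORT;
    if (buf[0] != BIN_REQ_MAGIC) return HDR_BAD_MAGIC;

    bin_req_t r;
    r.opcode  = buf[1];
    r.keylen  = rd16(buf + 2);
    r.extlen  = buf[4];
    r.bodylen = rd32(buf + 8);
    r.opaque  = rd32(buf + 12);
    r.cas     = rd64(buf + 16);

    /* Check each attacker-controlled length against the buffer it will index. */
    if (r.keylen > KEY_MAX_LEN)   return HDR_KEY_TOO_LONG;
    if (r.bodylen > BODY_MAX_LEN) return HDR_BODY_TOO_LARGE;
    /* Sum in 32 bits (max 255 + 65535) so the addition itself cannot wrap. */
    if ((uint32_t)r.extlen + r.keylen > r.bodylen) return HDR_LEN_MISMATCH;

    *out = r;
    return HDR_OK;
}

/* Build a constructed request header for testing; zero-fills the unused fields. */
void make_bin_header(uint8_t hdr[BIN_HDR_LEN], uint8_t opcode,
                     uint16_t keylen, uint8_t extlen, uint32_t bodylen)
{
    for (int i = 0; i < BIN_HDR_LEN; i++) hdr[i] = 0;
    hdr[0] = BIN_REQ_MAGIC;
    hdr[1] = opcode;
    hdr[2] = (uint8_t)(keylen >> 8);  hdr[3] = (uint8_t)keylen;
    hdr[4] = extlen;
    hdr[8]  = (uint8_t)(bodylen >> 24); hdr[9]  = (uint8_t)(bodylen >> 16);
    hdr[10] = (uint8_t)(bodylen >> 8);  hdr[11] = (uint8_t)bodylen;
}

int main(void)
{
    uint8_t hdr[BIN_HDR_LEN];
    bin_req_t req;

    make_bin_header(hdr, 0x00, 3, 0, 3);          /* GET "foo": valid */
    printf("valid GET      -> %d\n", parse_bin_header(hdr, sizeof hdr, &req));
    make_bin_header(hdr, 0x00, 0xFFFF, 0, 3);     /* keylen far larger than body */
    printf("oversized key  -> %d\n", parse_bin_header(hdr, sizeof hdr, &req));
    make_bin_header(hdr, 0x01, 2, 8, 5);          /* SET: 8 extras + 2 key > 5 body */
    printf("inconsistent   -> %d\n", parse_bin_header(hdr, sizeof hdr, &req));
    return 0;
}
```

The point of the example is the order of operations: every length in the header is attacker-controlled, so each one is compared against the buffer it will be used to index before a single byte of key or extras is copied. A parser that trusts keylen or extlen because bodylen looked sane is the shape of bug the article describes.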

Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links

blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/ A recently discovered watering hole attack has been targeting iOS users in Hong Kong. The campaign uses links posted on multiple forums that supposedly lead to various news stories. While these links lead users to the actual news sites, they also use a hidden iframe to load and execute malicious code. The malicious code contains exploits that target vulnerabilities present in iOS 12.1 and 12.2.
