Daily NCSC-FI news followup 2020-04-07

80% of all exposed Exchange servers still unpatched for critical flaw

www.bleepingcomputer.com/news/security/80-percent-of-all-exposed-exchange-servers-still-unpatched-for-critical-flaw/ Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover all publicly-facing Exchange servers on the Internet, and the numbers are grim. As they found, “at least 357,629 (82.5%) of the 433,464 Exchange servers” are still vulnerable to attacks that would exploit the CVE-2020-0688 vulnerability.

Trusting Zoom?

www.cs.columbia.edu/~smb/blog/2020-04/2020-04-06.html Since the world went virtual, often by using Zoom, several people have asked me if I use it, and if so, do I use their app or their web interface. If I do use it, isn’t this odd, given that I’ve been doing security and privacy work for more than 30 years and everyone knows that Zoom is a security disaster? Also

www.sans.org/webcasts/zomg-its-zoom-114670

Malware is spreading as an instant message from a friend: don't click, do this instead

www.is.fi/digitoday/tietoturva/art-2000006466723.html Similar malware was also distributed in 2016, 2017 and 2018. All of them work the same way: they try to scare or confuse the recipient by combining the message with the recipient's name.

Support of DANE and DNSSEC in Office 365 Exchange Online

techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494 Microsoft has been working closely with partners through the industry association M3AAWG to solve such limitations throughout the email ecosystem. As a result, we have decided to build and add support for DNSSEC and DANE for SMTP to Exchange Online. This support will be specific to SMTP traffic between SMTP gateways. We will also be providing support for TLS reporting (TLS-RPT). The first phase will include only outbound support (mail sent outbound from Exchange Online) and we aim to enable this by the end of the calendar year 2020. The second phase will add inbound support for Exchange Online and we plan to enable that by the end of 2021. For both of those phases, corresponding TLS-RPT support will be provided.

Defense Evasion Dominant in Top MITRE ATT&CK Tactics of 2019

go.recordedfuture.com/hubfs/reports/cta-2020-0331.pdf In 2019, Recorded Future began integrating data regarding cyberattacker tactics, techniques, and procedures (TTPs) based on MITRE ATT&CK® into its data collection and analysis. As part of a review of these identifiers across sandbox submissions for the year, Recorded Future's Insikt Group assembled a list of the top 10 most frequently referenced techniques. Our analysis of this data found that Defense Evasion was the predominant tactic observed in 2019, with the number one technique being Security Software Discovery.

Europol arrests man for coronavirus business email scam peddling masks, sanitizer

www.zdnet.com/article/europol-arrests-man-for-coronavirus-business-email-scam-money-laundering/ It is claimed the individual was involved in a scam in which an unnamed pharmaceutical company, based in Europe, was defrauded out of 6.64 million. The man masqueraded as a legitimate organization that advertised the quick supply and delivery of FFP2 surgical masks and hand sanitizers, products that have become invaluable in the fight against COVID-19 while also allowing core businesses, research projects, and services to continue.

Microsoft announces IPE, a new code integrity feature for Linux

www.zdnet.com/article/microsoft-announces-ipe-a-new-code-integrity-feature-for-linux/ On Linux systems where IPE is enabled, system administrators can create a list of binaries that are allowed to execute and then add the verification attributes the kernel needs to check for each binary before allowing it to run. If binaries have been altered by an attacker, IPE can block the execution of the malicious code.

ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework

securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/ The past two years have borne witness to the increasing collaboration between organized cybercrime groups to avoid duplication of efforts and maximize profits. Although this collaboration has primarily occurred between gangs developing and distributing well-known banking Trojans, such as Emotet, TrickBot and IcedID, it does not stop there. In a new and dangerous twist to this trend, IBM X-Force Incident Response and Intelligence Services (IRIS) research believes that the elite cybercriminal threat actor ITG08, also known as FIN6, has partnered with the malware gang behind one of the most active Trojans, TrickBot, to use TrickBot's new malware framework, dubbed Anchor, against organizations for financial profit.

Small business owners applying for COVID-19 relief may have had PII exposed, agency says

www.cyberscoop.com/sba-data-exposure-covid-19-loan-program-small-business-administration/ As the federal agency overseeing relief to small businesses during the coronavirus pandemic was preparing to ramp up its lending, some of the Small Business Administration's loan applicants may have had their personally identifiable information exposed to others, an agency spokeswoman tells CyberScoop.

Official Government COVID-19 Mobile Apps Hide a Raft of Threats

threatpost.com/official-government-covid-19-apps-threats/154512/ Security researchers at the ZeroFOX Alpha Team have uncovered various privacy concerns and security vulnerabilities, including a backdoor, in various apps. The apps are either created and endorsed by countries or invented as one-offs by threat actors to take advantage of the current pandemic, according to a blog post published Monday. Original at

www.zerofox.com/blog/covid-19-mobile-apps/ Also

www.androidcentral.com/google-nukes-all-coronavirus-android-apps-play-store

www.cnbc.com/2020/03/05/apple-rejects-coronavirus-apps-that-arent-from-health-organizations.html

PayPal and Venmo Are Letting SIM Swappers Hijack Accounts

www.vice.com/en_us/article/pke9zk/paypal-and-venmo-are-letting-sim-swappers-hijack-accounts Several major apps and websites, such as PayPal and Venmo, have a flaw that lets hackers easily take over users' accounts once they have taken control of the victim's phone number. Last week, two months after their initial outreach to the companies to report this flaw in their authentication mechanisms, the Princeton researchers checked again to see if the companies had fixed the problem. Some, including Adobe, Blizzard, eBay, Microsoft, and Snapchat, have plugged the hole.

Email provider got hacked, data of 600,000 users now sold on the dark web

www.zdnet.com/article/email-provider-got-hacked-data-of-600000-users-now-sold-on-the-dark-web/ The data of more than 600,000 Email.it users is currently being sold on the dark web, ZDNet has learned following a tip from one of our readers.

Australia on the cyber offence to bring down COVID-19 scammers

www.zdnet.com/article/australia-on-the-cyber-offence-to-bring-down-covid-19-scammers/ Minister for Defence Linda Reynolds said in a statement that the Australian Signals Directorate (ASD) had mobilised its offensive cyber capabilities to disrupt the foreign cyber criminals behind the spate of malicious activities that have come out of the global pandemic.

Microsoft Buys Corp.com So Bad Guys Can't

krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/ Wisconsin native Mike O'Connor, who bought corp.com 26 years ago but has done very little with it since, said he hoped Microsoft would buy it because hundreds of thousands of confused Windows PCs are constantly trying to share sensitive data with corp.com. Also, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to

How we abused Slack’s TURN servers to gain access to internal services

www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/ Confusion surrounding official information channels, like in the case of Italy where there are many sanctioned applications, also puts users at increased risk of falling victim to unofficial applications like the backdoored one Alpha Team identified.

Unkillable xHelper and a Trojan matryoshka

securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/ It was the middle of last year that we detected the start of mass attacks by the xHelper Trojan on Android smartphones, but even now the malware remains as active as ever. The main feature of xHelper is entrenchment: once it gets into the phone, it somehow remains there even after the user deletes it and restores the factory settings. We conducted a thorough study to determine how xHelper's creators furnished it with such survivability.

Dutch indicted for running criminal data center in Germany

www.nu.nl/tech/6043162/nederlanders-aangeklaagd-om-runnen-crimineel-datacentrum-in-duitsland.html Four Dutch people have been charged with cybercrime in Germany, the German police report. The Dutch ran a data center for criminal use from an old NATO bunker in the German state of Rhineland-Palatinate. Among other things, the data center hosted the infamous Wall Street Market, which was taken offline in April last year. It was one of the largest dark web marketplaces, where large quantities of drugs were traded.

Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation

www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html This blog post continues the FLARE script series with a discussion of patching IDA Pro database files (IDBs) to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won't always successfully execute in a VM. I use IDA Pro's Bochs integration in IDB mode to sidestep tedious debugging scenarios and get quick results. Bochs emulates the opcodes directly from your IDB in a Bochs VM with no OS.

Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android

blogs.blackberry.com/en/2020/04/decade-of-the-rats BlackBerry researchers have released a new report that examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade. Report at

www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf

Increase in RDP Scanning

isc.sans.edu/diary/Increase+in+RDP+Scanning/25994 The increased interest in scanning port 3389 indicates that attackers are ready for some of the changes to network configurations as a result of increased remote access requirements. Sadly, attackers do not give us a break. Instead, they are focusing on weaknesses that organizations are exposing now. Every single attack vector we have looked at these last few months has incorporated the Coronavirus crisis, and attackers are ruthless as usual in exploiting any weakness they can find.
