
Daily NCSC-FI news followup 2020-04-08

COVID-19 Exploited by Malicious Cyber Actors

www.us-cert.gov/ncas/alerts/aa20-099a This alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice. This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC).

Online credit card skimming increased by 26 percent in March

blog.malwarebytes.com/cybercrime/2020/04/online-credit-card-skimming-increases-by-26-in-march/ Crisis events such as the current COVID-19 pandemic often lead to a change in habits that captures the attention of cybercriminals. With the confinement measures imposed in many countries, for example, online shopping has soared and along with it, credit card skimming. According to our data, web skimming increased by 26 percent in March over the previous month. While this might not seem like a dramatic jump, digital credit card skimming was already on the rise prior to COVID-19, and this trend will likely continue into the near future.

Introducing our new book Building Secure and Reliable Systems

security.googleblog.com/2020/04/introducing-our-new-book-building.html For good reasons, enterprise security teams have largely focused on confidentiality. However, organizations often recognize data integrity and availability to be equally important, and address these areas with different teams and different controls. The SRE function is a best-in-class approach to reliability. However, it also plays a role in the real-time detection of and response to technical issues, including security-related attacks on privileged access or sensitive data. Ultimately, while engineering teams are often organizationally separated according to specialized skill sets, they have a common goal: ensuring the quality and safety of the system or application.

ThreatList: Skype-Themed Apps Hide a Raft of Malware

threatpost.com/skype-apps-hide-malware/154566/ It should be said that Skype isn't alone in being targeted: The research found that among a total of 1,300 suspicious files not using the Skype name, 42 percent were disguised as Zoom, followed by WebEx (22 percent), GoToMeeting (13 percent), Flock (11 percent) and Slack (11 percent).

Zoom removes meeting IDs from client title bar to boost security

www.bleepingcomputer.com/news/software/zoom-removes-meeting-ids-from-client-title-bar-to-boost-security/ A new update to the Zoom client has been released that removes the meeting ID from the title bar when conducting meetings to increase security and to prevent them from being exposed in screenshots. Other Zoom-related news at

www.bleepingcomputer.com/news/security/zoom-creates-council-of-cisos-to-solve-security-privacy-issues/

www.zdnet.com/article/google-heres-how-google-meet-beats-zoombombing-trolls/

betanews.com/2020/04/08/zoom-account-credentials-dark-web/

Microsoft: No surge in malicious attacks, only more COVID-19 lures

www.bleepingcomputer.com/news/security/microsoft-no-surge-in-malicious-attacks-only-more-covid-19-lures/ "Attackers don't suddenly have more resources they're diverting towards tricking users; instead, they're pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click," Microsoft 365 Security Corporate Vice President Rob Lefferts said. Also

www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-threat-intelligence-security-guidance-during-global-crisis/

Intent to Infekt: Operation Pinball Tactics Reminiscent of Operation Secondary Infektion

www.recordedfuture.com/operation-pinball-tactics/ Insikt Group recently identified an ongoing information operation that we assess with high confidence shares significant overlap with what the Atlantic Council's Digital Forensics Lab (DFRLab) refers to as Operation Secondary Infektion (Secondary Infektion); a covert information operation targeting governments in the United States and Europe and believed to originate from Russia. We have named this information operation Operation Pinball.

Fingerprint cloning: Myth or reality?

blog.talosintelligence.com/2020/04/fingerprint-research.html Our tests showed that on average we achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once. Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties. Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the PIN unlocking. The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.

Shipbuilder Austal was hacked with stolen creds sold on dark web

www.itnews.com.au/news/shipbuilder-austal-was-hacked-with-stolen-creds-sold-on-dark-web-546165 Austal, the ASX-listed shipbuilder and defence contractor, was compromised in late 2018 by an attacker who used login credentials purchased on a dark web forum, but who then failed to extract much of value or secure a ransom to have it returned. CEO David Singleton provided a full post-mortem of the mid-October 2018 breach last week, which he said included a grilling from senior government ministers, and revealed cyber defences put in place afterwards had saved the company from credential phishes as recently as the past fortnight.

Maze ransomware group hacks oil giant; leaks data online

www.hackread.com/maze-ransomware-group-hacks-oil-giant-leaks-data/ On April 1st, 2020, Berkine became a victim of a cyber-attack by the notorious Maze ransomware group that is known for its unique blackmailing practices. Berkine is a joint venture of Algeria's state-owned oil firm Sonatrach and Anadarko Algeria Company, a subsidiary of a US-based firm previously known as Anadarko Petroleum Corp. and currently Oxy Occidental.

Antivirus for GPS spoofing and other vulnerabilities

www.zdnet.com/article/an-antivirus-for-gps-spoofing-and-other-vulnerabilities/ The Regulus system is a software solution that uses machine learning to detect spoofing and defend any GNSS receiver, device, or chipset against it. GPS spoofing attacks are becoming more common and are often very difficult to detect and protect against.

Domain name registrar suspends 600 suspicious coronavirus websites

www.zdnet.com/article/domain-name-registrar-suspends-600-suspicious-coronavirus-websites/ The UK's domain name registrar Nominet, which manages the launch of .uk websites, is stepping up efforts to tackle the proliferation of sites dedicated to scamming the public, for example by selling fake vaccines, protective equipment and fraudulent remedies for the COVID-19 virus. Rather than taking down domains after they have been reported as malicious, the organization has implemented more radical measures to stop these sites appearing in the first place, with extra scrutiny of website names containing "coronavirus", "covid", or other selected terms related to the pandemic. It is only once the organization has established that the website is legitimate that the domain name will be able to resolve. Eleanor Bradley, head of registry domains at Nominet, told ZDNet that about 600 names have been suspended so far.

How to implement a secure software development lifecycle

dev.solita.fi/2020/04/08/secure-software-development-lifecycle.html Have you ever found yourself wondering if the system you are implementing is secure enough? I have. Quite often, actually. It is not an easy question to answer unless you are prepared. This blog post is about how to prepare yourself for that question. The short answer is the Secure Software Development Lifecycle, which I will call SSDLC from this point onwards.

Finns Party MPs use Facebook to handle committee business; expert delivers a blunt rejection

www.iltalehti.fi/politiikka/a/80552958-9f50-4d15-be8a-c78e5350f9bd Pertti Rauhio, Director of Administration of the Finnish Parliament, is astonished to hear that Finns Party MPs use Facebook's Messenger application to handle committee business.

How an Attacker Could Use Instance Metadata to Breach Your App in AWS

www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/ All cloud providers have capabilities to manage credentials for resources in your cloud-native applications. When used correctly, these capabilities allow you to avoid storing credentials in the clear, or in a source code repository. In AWS, the Instance Metadata Service (IMDS) makes information about a compute instance, its network, and storage available to software running on the instance. IMDS also makes temporary, frequently rotated credentials available for any IAM role attached to the instance. IAM roles attached to an instance may, for example, define that the instance and software running on it can access data in S3 storage buckets.

New dark_nexus IoT Botnet Puts Others to Shame

labs.bitdefender.com/2020/04/new-dark_nexus-iot-botnet-puts-others-to-shame/ We named the botnet dark_nexus based on a string it prints in its banner. In one of its earliest versions, it used this name in its user agent string when carrying out exploits over HTTP: dark_NeXus_Qbot/4.0, citing Qbot as its influence. Our analysis has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original.

An Elite Spy Group Used 5 Zero-Days to Hack North Koreans

www.wired.com/story/north-korea-hacking-zero-days-google/ Cybersecurity researchers at Google's Threat Analysis Group revealed on Thursday that an unnamed group of hackers used no fewer than five zero-day vulnerabilities, or secret hackable flaws in software, to target North Koreans and North Korea-focused professionals in 2019. Also

blog.google/technology/safety-security/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/

DDG botnet, round X, is there an ending?

blog.netlab.360.com/an-update-on-the-ddg-botnet/ DDG is a mining botnet that we first blogged about in Jan 2018. We reported back then that it had made a profit somewhere between 5.8 million and 9.8 million RMB (about 820,000 to 1.4 million US dollars). We have many follow-up blogs about this botnet after that, but it shows no sign of slowing down. Details in Chinese at

blog.netlab.360.com/ddg-upgrade-to-new-p2p-hybrid-model/

New year, old threats: Malware peddlers went into overdrive in Q1, says Trend Micro

www.theregister.co.uk/2020/04/07/business_email_compromise_rise_trend_micro/ In a report released today, the outfit said it had seen a 24.3 per cent increase in BEC attempts between January and February 2020.

Microsoft and Google postpone insecure authentication removal

www.bleepingcomputer.com/news/security/microsoft-and-google-postpone-insecure-authentication-removal/ Microsoft says that Basic Authentication's removal from Exchange Online is being postponed until the second half of 2021 due to the current situation created by the COVID-19 pandemic. While Google also announced in December 2019 that it will block less secure apps (LSAs) from accessing G Suite accounts' data starting in February 2021, the company now says that the LSA turn-off is put on hold until further notice.
