Daily NCSC-FI news followup 2020-04-24

New Training: on orchestration of CSIRT Tools

www.enisa.europa.eu/news/enisa-news/csirt-training-tools-new-orchestration The EU Agency for Cybersecurity introduces new training materials to support Member States’ CSIRTs. ENISA puts great effort into supporting the development of EU Member States’ national incident response preparedness. To that purpose, ENISA updated its CSIRT training material aimed at improving the skills of CSIRT teams. The scope of this new training is to adapt to new technologies and best practices in a fast-changing domain. Courses:


CTI League Inaugural Report (March 2020)

cti-league.com/2020/04/21/cti-league-inaugural-report/ The CTI-League, an all-volunteer non-profit group, issued its Inaugural Report on its efforts aggressively dismantling cyber criminal infrastructure and protecting healthcare organizations against cyber attacks. Report:

cti-league.com/wp-content/uploads/2020/04/CTI-League-Inaugural-Report-March-2020.pdf. Read also:


Nintendo confirms 160,000 Nintendo Accounts accessed in hacking attempts

www.theverge.com/2020/4/24/21234205/nintendo-account-hack-nnid-breach-security-hacking-attempt Nintendo is disabling the ability to log into a Nintendo Account through a Nintendo Network ID (NNID), after 160,000 accounts were affected by hacking attempts. Nintendo says login IDs and passwords “obtained illegally by some means other than our service” have been used since the beginning of April to gain access to the accounts. Read also:


SeaChange video platform allegedly hit by Sodinokibi ransomware

www.bleepingcomputer.com/news/security/seachange-video-platform-allegedly-hit-by-sodinokibi-ransomware/ A leading supplier of video delivery software is reportedly the latest victim of the Sodinokibi ransomware, whose operators have posted images of data they claim to have stolen from the company during a cyberattack.

New GreyNoise free service alerts you when your devices get hacked

www.bleepingcomputer.com/news/security/new-greynoise-free-service-alerts-you-when-your-devices-get-hacked/ Cyber-security firm GreyNoise Intelligence today announced the launch of GreyNoise Alerts, a new free service that will automatically notify you via email when any devices on your organization’s IP address range get hacked and start exhibiting potentially malicious behavior. Read also: viz.greynoise.io/cheat-sheet/examples

Apple says ‘no evidence’ iPhone mail flaw used against customers

www.reuters.com/article/us-apple-cyber/apple-says-no-evidence-iphone-mail-flaw-used-against-customers-idUSKCN2260F0 Apple Inc said on Thursday it has found “no evidence” a flaw in its email app for iPhones and iPads has been used against customers, and that it believes the flaw does “not pose an immediate risk to our users”. Read also:

www.zdnet.com/article/apple-disputes-recent-ios-zero-day-claim/ and

threatpost.com/apple-pushes-back-against-zero-day-exploit-claims/155108/. As well as:


HUS uses a unique smart situational picture built by Elisa, together with mobility data, to predict the spread of the coronavirus pandemic

corporate.elisa.fi/uutishuone/tiedotteet/uutinen/hus-hy%C3%B6dynt%C3%A4%C3%A4-elisan-rakentamaa-ainutlaatuista-%C3%A4lyk%C3%A4st%C3%A4-tilannekuvaa-ja-liikkumisdataa-koronaviruspandemian-levi%C3%A4… HUS Helsinki University Hospital uses a smart situational picture implemented by Elisa, together with data on the movement of people, to support a deeper understanding and management of the coronavirus situation. With the situational picture solution and the mobility data, forecasting the progression of the coronavirus pandemic happens in real time. Elisa provides HUS with anonymous data on the movement of crowds and has also developed a tool for HUS for visualising the situational picture. The situational picture solution, intended for HUS management, relies on collecting, combining, analysing, automating and visualising data. Read also:


This is how the much-discussed coronavirus app would work; the hardest challenge is getting enough users

www.tivi.fi/uutiset/tv/d7151e25-d7d3-4c06-bb6d-cdad2e5d19b9 Coronavirus contact-tracing apps would use Bluetooth technology, and users’ locations could not be tracked.

Following ESET’s discovery, a Monero mining botnet is disrupted

www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/ ESET researchers discovered, and played a key role in the disruption of, a 35,000-strong botnet spreading in Latin America via infected USB drives. ESET researchers recently discovered a previously undocumented botnet that they have named VictoryGate. It has been active since at least May 2019 and, since then, three different variants of the initial module have been identified, in addition to approximately 10 secondary payloads that are downloaded from file hosting websites. The initial module is detected by ESET security products as MSIL/VictoryGate. The report also contains Indicators of Compromise (IOCs). Read also:

thehackernews.com/2020/04/usb-drive-botnet-malware.html and


New iPhone text-bomb bug: Just receiving this Sindhi character notification crashes iPhones

www.zdnet.com/article/new-iphone-text-bomb-bug-just-receiving-this-sindhi-character-notification-crashes-iphones/ Turn off notifications for messaging and social-media apps until Apple has released a fix. Read also:


Getting ATT&CKed By A Cozy Bear And Being Really Happy About It: What MITRE Evaluations Are, and How To Read Them

blog.trendmicro.com/mitre-evaluation2020/ I’ve been following the MITRE ATT&CK Framework for a while, and this week the results were released of the most recent evaluation, which used APT29, otherwise known as COZY BEAR. Read also:

attackevals.mitre.org/APT29/ and


Threat Spotlight: MedusaLocker

blog.talosintelligence.com/2020/04/medusalocker.html MedusaLocker is a ransomware family that has been observed being deployed since its discovery in 2019. Since its introduction to the threat landscape, there have been several variants observed. However, most of the functionality remains consistent. The most notable differences are changes to the file extension used for encrypted files and the look and feel of the ransom note that is left on systems following the encryption process.

Cracking the Netatmo Smart Indoor Security Camera

labs.bitdefender.com/2020/04/cracking-the-netatmo-smart-indoor-security-camera/ CVE-2019-17101: command execution due to unsanitized input. Indoor video surveillance has become one of the most frequent applications for IoT devices. In public places, offices or private homes, video surveillance helps deter crime and detect accidents before they become uncontainable. Security cameras have become a necessity but, in the IoT world, any new gadget added to a network can turn into a liability.

Detect and prevent web shell malware

www.cyber.gov.au/advice/detect-and-prevent-web-shell-malware Malicious web shells are a type of software uploaded to a compromised web server to enable remote access by an attacker. While web shells may be benign, their use by cyber adversaries is becoming more frequent due to the increasing use of web-facing services by organisations across the world. The Australian Signals Directorate and counterparts at the US National Security Agency (NSA) have for the first time jointly published new guidance on mitigating the threat of web shell malware. Read also:

www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/ and


US universities targeted with malware used by state-backed actors

www.bleepingcomputer.com/news/security/us-universities-targeted-with-malware-used-by-state-backed-actors/ Faculty and students at several U.S. colleges and universities were targeted in phishing attacks with a remote access Trojan (RAT) previously used by Chinese state-sponsored threat actors.

BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware

www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/ A new phishing campaign is delivering a new stealthy backdoor from the developers of TrickBot that is used to compromise and gain full access to corporate networks.

Facebook-NSO lawsuit: Hundreds of WhatsApp attacks linked to one IP address

www.zdnet.com/article/nso-lawsuit-facebook-links-hundreds-of-whatsapp-attacks-to-one-ip-address/ Facebook fights to keep the lawsuit on track after NSO filed a motion to dismiss the case earlier this month. “In 720 instances of the attack, the remote server’s IP address was In 3 instances of the attack, the remote server’s IP address was,” Gheorghe added.

A Dozen Nation-Backed APTs Tap COVID-19 to Cover Spy Attacks

threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/ Iran’s Charming Kitten and other nation-state actors are using the coronavirus pandemic to their advantage, for espionage. Cybercriminals have seized on the novel coronavirus as a theme in their attacks, and it turns out that the most sophisticated players on that scene are no exception. According to Google’s Threat Analysis Group (TAG), more than a dozen nation-state-backed APTs are using the COVID-19 pandemic as a cover for their various cyberespionage and malware activities.

Update #3: Business continuity with Azure

azure.microsoft.com/en-us/blog/update-3-business-continuity-azure/ Read also:


Security alert: ‘Dramatic’ increase in cyber attacks says WHO, after passwords leaked online

www.zdnet.com/article/security-alert-dramatic-increase-in-cyber-attacks-says-who-after-passwords-leaked-online/#ftag=RSSbaffb68 The World Health Organisation has seen five times as many attacks as hackers look to exploit the coronavirus outbreak.

Valve Confirms CS:GO, Team Fortress 2 Source-Code Leak

threatpost.com/valve-confirms-csgo-team-fortress-2-source-code-leak/155092/ Leaked source code for Counter-Strike: Global Offensive and Team Fortress 2 has led to widespread gamer worries about security and cheating.
