Daily NCSC-FI news followup 2020-04-27

Cisco UCS devices are at risk of self-destructing on their own unless administrators resolve the situation

www.tivi.fi/uutiset/tv/be4dd0ae-92ab-4e18-8e9b-9d3a04adacb9 The Register reports that 23 server models in Cisco's UCS line have a nasty flaw: they self-destruct once their operating time reaches 40,000 hours. "If an SSD drive reaches 40,000 hours of operation, the drive becomes completely unusable and must be replaced," Cisco warns its customers. Read also:


Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams

www.cyberark.com/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams/ As more and more business is conducted from remote locations, attackers are focusing their efforts on exploiting the key technologies like Zoom and Microsoft Teams that companies and their employees depend on to stay connected. We found that by leveraging a subdomain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape user’s data and ultimately take over an organization’s entire roster of Teams accounts. Since users wouldn’t have to share the GIF just see it to be impacted, vulnerabilities like this have the ability to spread automatically. This vulnerability would have affected every user who uses the Teams desktop or web browser version. CyberArk worked with Microsoft Security Research Center under Coordinated Vulnerability Disclosure after finding the account takeover vulnerability and a fix was quickly issued. Read also:


www.theregister.co.uk/2020/04/27/microsoft_teams_gif_pwn_patch/ and

www.zdnet.com/article/this-is-how-viewing-a-gif-in-microsoft-teams-triggers-account-hijacking-bug/. As well as:


Australia and US call out cyber attacks on hospitals during COVID-19 pandemic

www.zdnet.com/article/australia-and-us-call-out-cyber-attacks-on-hospitals-during-covid-19-pandemic/ As China pushes Huawei-inspired supply chain freedoms at the United Nations, Australia reminds the world that a cyber legal framework already exists and attacking hospitals is not on. Australia’s cyber diplomats have called for an end to attacks on medical facilities, such as the recent cyber attack on one of the Czech Republic’s biggest COVID-19 testing laboratories.

“Asnarök” Trojan targets firewalls

news.sophos.com/en-us/2020/04/26/asnarok/ Customized malware used to compromise physical and virtual firewalls. As we described last week in this KBA, Sophos and its customers were the victims of a coordinated attack by an unknown adversary. This attack revealed a previously unknown SQL injection vulnerability that led to remote code execution on some of our firewall products. As described in the KBA, the vulnerability has since been remediated. There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system. This attack targeted Sophos products and apparently was intended to steal sensitive information from the firewall.

Innocent-looking quizzes with a hidden risk are now circulating on Facebook. An expert explains why you should think carefully before listing your former workplaces on social media

www.hs.fi/teknologia/art-2000006488268.html The coronavirus period and isolation at home have revived many of the quizzes circulating online. Although guessing personal trivia seems harmless, it carries a risk of fraud. Read also: www.is.fi/digitoday/tietoturva/art-2000006488628.html

5G base stations on fire across Europe: this is how the conspiracy theory began

www.tivi.fi/uutiset/tv/24187891-1102-42b9-91ce-af3f287e4c3f Some people have been hostile to 5G network technology from the very beginning. Now words have turned into deeds in several European countries. Read also:


Huuto.net hit by a porn-message attack: "Thousands"

www.is.fi/digitoday/tietoturva/art-2000006488752.html The marketplace saw a flood of malicious messages over the weekend. As a result, the service's protections are being improved. The popular Finnish flea-market service Huuto.net was the target of an exceptionally intense spam campaign over the weekend. The attack, which came from abroad, showed up as questions left on listings, written in poorly machine-translated Finnish and referring to porn. "Thousands of questions have come in. An attack on this scale has never happened before," says Huuto.net sales manager Joni Valkeapää. As a result, the creation of user accounts will be monitored more closely. This could be done, for example, with so-called CAPTCHA verification, which aims to distinguish real people from automated registrations made by bots.

Ransomware gangs are changing targets again. That could make them even more of a threat

www.zdnet.com/article/ransomware-gangs-are-changing-targets-again-that-could-make-them-even-more-of-a-threat/ It’s still business as usual for cyber criminals – and some are now paying more attention to hospitals than ever before. The coronavirus pandemic has forced most organisations to rethink how they work. And it appears now that even cybercrooks and ransomware gangs are having to adapt their behaviour to adjust to the ongoing virus crisis. Phishing attacks using coronavirus as a lure have grown rapidly in recent months as malicious hackers look to use it as a means of tricking victims into giving up usernames and passwords, personal information and bank details. And there is some evidence that ransomware groups have increased their attacks aimed at staff newly working from home. Some have even been launching ransomware attacks against hospitals, medical research facilities and other important healthcare operations, at a time when they’re needed more than ever.

Eight Common OT / Industrial Firewall Mistakes

threatpost.com/waterfall-eight-common-ot-industrial-firewall-mistakes/155061/ Firewalls are easy to misconfigure. While the security consequences of such errors may be acceptable for some firewalls, the accumulated risks of misconfigured firewalls in a defense-in-depth OT network architecture are generally unacceptable. Most industrial sites deploy firewalls as the first line of defense for their Operations Technology (OT) / industrial networks. However, configuring and managing these firewalls is a complex undertaking. Configuration and other mistakes are easy to make. This article explores eight common mistakes that firewall administrators make and describes how these mistakes can compromise firewall functionality and network security. The lesson here though is not “stop making mistakes.” This article also explores unidirectional gateway technology as an alternative to our most important OT firewalls. Unidirectional gateways provide physical protection for industrial operations, rather than merely software protection. This means that with a unidirectional gateway, no mistake in configuration can impair the protection that the gateway provides to the industrial network.

SBA Spoofed in COVID-19 Spam to Deliver Remcos RAT

securityintelligence.com/posts/sba-spoofed-in-covid-19-spam-to-deliver-remcos-rat/ Between late March and mid-April 2020, IBM X-Force Incident Response and Intelligence Services (IRIS) uncovered a phishing campaign targeting small businesses that appears to originate from the U.S. Government Small Business Administration (SBA.gov). The emails, which contain subjects and attachments related to the need for small businesses to apply for disaster relief loans or provide application status following the impact of the ongoing COVID-19 pandemic, ultimately deliver malware to those who open the attachments. These emails may coincide with a notification from the SBA regarding some small business loan applicants who potentially had their personally identifiable information (PII) exposed, possibly being used by cybercriminals to compose target lists.

Telia will provide an explanation this week of the causes of the wide-scale outage; the "tail ends" of Saturday's outage were still being fixed on Monday


Jukka Niva: When Google classified Yle's news as harmful

yle.fi/uutiset/3-11321506 A couple of weeks ago the Yle.fi app was unexpectedly removed from Google's app store. Google's robots had apparently interpreted the app as a possible scam or something else terrible, writes Jukka Niva, head of Yle News Lab, in his blog.

Israel government tells water treatment companies to change passwords

www.zdnet.com/article/israel-says-hackers-are-targeting-its-water-supply-and-treatment-utilities/ Israel cyber-security agency reported intrusion attempts last week.

Artificial intelligence will be used to power cyber attacks, warn security experts

www.zdnet.com/article/artificial-intelligence-will-be-used-to-power-cyber-attacks-warn-security-experts/ Intelligence agencies need to use artificial intelligence to help deal with threats from criminals and hostile states who will try to use AI to strengthen their own attacks. Read also:

www.bbc.com/news/technology-52415775 and


Shade (Troldesh) ransomware shuts down and releases decryption keys

www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/ The Shade ransomware gang has published more than 750,000 decryption keys on GitHub. Kaspersky is working on a decryption app.

Financial sector is seeing more credential stuffing than DDoS attacks

www.zdnet.com/article/financial-sector-has-been-seeing-more-credential-stuffing-than-ddos-attacks-in-recent-years/ North American financial institutions and banks are targeted the most, primarily because most leaked credentials are from US services.

U.S. Universities Hit With 'Adult Dating' Spear-Phishing Attack

threatpost.com/us-universities-adult-dating-spear-phishing-attack/155170/ More than 150,000 emails spreading the Hupigon RAT that use adult dating as a lure have been uncovered, with almost half being sent to U.S. university and college email addresses.

Bulletin (SB20-118) – Vulnerability Summary for the Week of April 20, 2020

www.us-cert.gov/ncas/bulletins/sb20-118 The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
