Daily NCSC-FI news followup 2020-04-28

WordPress plugin bug lets hackers create rogue admin accounts

www.bleepingcomputer.com/news/security/wordpress-plugin-bug-lets-hackers-create-rogue-admin-accounts/ WordPress owners are advised to secure their websites by updating the Real-Time Find and Replace plugin to prevent attackers from injecting malicious code into their sites and creating rogue admin accounts by exploiting a Cross-Site Request Forgery flaw. The security vulnerability is a Cross-Site Request Forgery (CSRF) that leads to Stored Cross-Site Scripting (Stored XSS) attacks and it impacts all Real-Time Find and Replace versions up to 3.9. The vulnerability was discovered and reported on April 22 and Real-Time Find and Replace’s developer responded with a full patch within a few hours after the initial disclosure report. Wordfence has rated this security flaw with a CVSS score of 8.8 which makes it a high severity issue, a fact that should prompt all users to immediately update to version 4.0.2, the plugin release that fully patches the bug. Read also:

www.zdnet.com/article/hackers-are-creating-backdoor-accounts-and-cookie-files-on-wordpress-sites-running-onetone/. As well as:

threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/

We’re going on a vuln hunt. We’re going catch a big one: Researchers find Windows bugs dominate but fixes are fast

www.theregister.co.uk/2020/04/28/vulnerabilities_report_9_million/ Kenna Security has published a report based on “vulnerability data culled from more than 9 million active assets across nearly 450 organizations,” gathered by its cybersecurity research partner Cyentia Institute and based in part on data from automated vulnerability scanners.

Why a Data-Security Expert Fears U.S. Voting Will Be Hacked [behind paywall]

www.wsj.com/articles/why-a-data-security-expert-fears-u-s-voting-will-be-hacked-11587747159 Harri Hursti has spent 15 years trying to draw attention to the weaknesses in America’s election systems. With the potential resurgence of the coronavirus in the fall of 2020, many are questioning how they will vote in November without jeopardizing their health. Some lawmakers are calling for universal voting by mail, while others are saying it’s not worth the risk. WSJ explains. In 2005, a concerned Florida election supervisor asked the Finnish data-security expert Harri Hursti to hack into one of the state’s commonly used voting machines to test its vulnerability. The verdict wasn’t reassuring. By modifying just a few lines of code on the machine’s memory card, Mr. Hursti says, he could change the results of a mock election. That same model, he adds, will be among those used in the 2020 elections. (A spokesperson for the machine’s vendor, Dominion Voting, says that these weaknesses were fixed in 2012, but Mr. Hursti says that he has tested the new version and found the updates insufficient.)

Outlaw is Back, a New Crypto-Botnet Targets European Organizations

yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/ During our daily monitoring activities, we intercepted a singular Linux malware trying to penetrate the network of some of our customers. The Linux malware is the well-known “Shellbot”, a crimetool belonging to the arsenal of a threat actor tracked as the “Outlaw Hacking Group”. The Outlaw Hacking Group was first spotted by TrendMicro in 2018 when the cyber criminal crew targeted automotive and financial industries. The Outlaw Botnet uses brute force and SSH exploits (the Shellshock flaw and the Drupalgeddon2 vulnerability) to achieve remote access to the target systems, including servers and IoT devices. The first version spotted by TrendMicro includes a DDoS script that could be used by the botmaster to set up a DDoS-for-hire service offered on the dark web. The main component of this malware implant is a variant of “Shellbot”, a Monero miner bundled with a Perl-based backdoor, which includes an IRC-based bot and an SSH scanner. Shellbot has been known since 2005 and is even available on GitHub. Now, Shellbot has re-appeared in the threat landscape in a recent campaign, targeting organizations worldwide with a new IRC server and new Monero pools, so we decided to deepen the analysis. This Outlaw Botnet is still active and it is targeting organizations worldwide, this time with new Monero pools and a different C2. The Command and Control IRC server is down at the time of writing, but the two C2s that provide the victim IP list are still active. This means that, most probably, the gang will deploy a new IRC server, leaving the rest of the infrastructure untouched. We suggest hardening and updating your SSH server, configuring authentication with authorized keys and disabling passwords.
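The Yoroi write-up closes with the advice to allow only key-based SSH authentication. The script below is an added example, not part of the article and not a Yoroi tool: it audits an sshd_config the way a defender would verify that advice was applied, mimicking sshd's rule that the first occurrence of a directive wins and ignoring conditional Match blocks. The two configuration files it writes are constructed samples; on a real host you would point `sshd_audit` at /etc/ssh/sshd_config (or at the output of `sshd -T`, which already resolves defaults).

```shell
#!/bin/sh
# Added example (not from the Yoroi write-up or any Yoroi tool): audit an
# sshd_config for the hardening the article recommends, i.e. key-based
# authentication on and password authentication off. Directive names are
# case-insensitive and sshd uses the FIRST occurrence of a directive, so the
# helper below mimics that. Directives inside Match blocks apply only
# conditionally and are ignored here. Both sample configs are constructed.

# Print the effective (lower-cased) value of directive $2 in config file $1,
# or nothing if the directive is absent (sshd then applies its default).
sshd_get() {
    sed '/^[[:space:]]*[Mm]atch[[:space:]]/,$d' "$1" \
      | grep -i "^[[:space:]]*$2[[:space:]]" \
      | head -n 1 \
      | awk '{ print tolower($2) }'
}

# Print one line per weak setting found in config file $1.
sshd_audit() {
    f="$1"
    pw=$(sshd_get "$f" PasswordAuthentication);  [ -n "$pw" ] || pw=yes   # sshd default
    cr=$(sshd_get "$f" ChallengeResponseAuthentication)
    [ -n "$cr" ] || cr=$(sshd_get "$f" KbdInteractiveAuthentication)      # newer name
    [ -n "$cr" ] || cr=yes                                                # sshd default
    pk=$(sshd_get "$f" PubkeyAuthentication);    [ -n "$pk" ] || pk=yes   # sshd default
    rl=$(sshd_get "$f" PermitRootLogin);         [ -n "$rl" ] || rl=prohibit-password
    [ "$pw" = no ]  || echo "PasswordAuthentication is '$pw' (expected no): password brute force possible"
    [ "$cr" = no ]  || echo "ChallengeResponseAuthentication is '$cr' (expected no): keyboard-interactive still accepts passwords"
    [ "$pk" = yes ] || echo "PubkeyAuthentication is '$pk' (expected yes): authorized_keys logins disabled"
    case "$rl" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '$rl' (expected no or prohibit-password)" ;;
    esac
}

# Number of findings; always exits 0 so callers can use it under set -e.
sshd_weak_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# Write a constructed sample config ('weak' or 'hardened') to a temp file
# and print its path.
make_sample_config() {
    t=$(mktemp)
    if [ "$1" = weak ]; then
        cat >"$t" <<'EOF'
# constructed sample: password logins left on, root login allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
    else
        cat >"$t" <<'EOF'
# constructed sample: key-only authentication; the Match block does not
# change the global policy and is ignored by the audit
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
    fi
    echo "$t"
}

for kind in weak hardened; do
    cfg=$(make_sample_config "$kind")
    echo "== $kind sample: $(sshd_weak_count "$cfg") finding(s)"
    sshd_audit "$cfg"
    rm -f "$cfg"
done
```

The weak sample produces three findings (password and keyboard-interactive authentication on, root login permitted); the hardened sample produces none, because the password exception for the `backup` user sits inside a Match block and does not loosen the global policy. Absent directives are filled with sshd's documented defaults, which is what makes a config that merely omits `PasswordAuthentication` show up as weak.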

Cloud data protection: how to secure what you store in the cloud

blog.malwarebytes.com/how-tos-2/2020/04/cloud-data-protection-how-to-secure-what-you-store-in-the-cloud/ The cloud has become the standard for data storage. Just a few years ago, individuals and businesses pondered whether or not they should move to the cloud. This is now a question of the past. Today, the question isn’t whether to adopt cloud storage but rather how.

Agent Tesla delivered by the same phishing campaign for over a year

isc.sans.edu/forums/diary/Agent+Tesla+delivered+by+the+same+phishing+campaign+for+over+a+year/26062/ While going over malicious e-mails caught by our company gateway in March, I noticed that several of those that carried ACE file attachments appeared to be from the same sender. That would not be that unusual, but after going through the historical logs, I found that e-mails from the same address with similar attachments were blocked by the gateway as early as March 2019.

GDPR Compliance Site Leaks Git Data, Passwords

threatpost.com/data-leak-gdpr-advice-site/155199/ Researchers discovered a .git folder exposing passwords and more for a website that gives advice to organizations about complying with the General Data Protection Regulation (GDPR) rules. A website that gives advice on privacy regulation compliance has fixed a security issue that was exposing MySQL database settings, including passwords, to anyone on the internet. The website, GDPR.EU, is an advice site for organizations that are struggling to comply with the General Data Protection Regulation (GDPR) laws that were imposed by the EU in 2018. The website is operated by Proton Technologies AG, the company behind the end-to-end encrypted mail service ProtonMail. While it isn’t an official EU commission site, it is partly co-funded by the Horizon 2020 Framework Programme of the European Union, an EU research and innovation program.

Troves of Zoom Credentials Shared on Hacker Forums

threatpost.com/troves-of-zoom-credentials-shared-on-hacker-forums/155163/ Several new databases have been uncovered on underground forums sharing recycled Zoom credentials. Hackers have a new favorite topic of conversation on underground forums: How to obtain and leverage valuable credentials for Zoom, Skype, Webex and other web conferencing platforms increasingly used by remote workers.

Lucy malware for Android adds file-encryption for ransomware ops

www.bleepingcomputer.com/news/security/lucy-malware-for-android-adds-file-encryption-for-ransomware-ops/ A threat actor focusing on Android systems has expanded their malware-as-a-service (MaaS) business with file-encrypting capabilities for ransomware operations. The new feature allows customers of the service to encrypt files on infected devices and show a ransom note in the browser window asking for $500. The message purports to be from the FBI and accuses the victim of storing adult content on the mobile device. According to researchers from Check Point, who discovered the Black Rose Lucy malware family in September 2018, more than 80 samples of the new version have been distributed in the wild via instant messaging apps and social media.

These three apps are best avoided: the security of video call apps was examined

www.is.fi/digitoday/tietoturva/art-2000006489870.html Three apps did not meet the minimum requirements for security or privacy in Mozilla’s review. The apps examined were Zoom, Google Hangouts, FaceTime, Jitsi Meet, Skype, Facebook Messenger, WhatsApp, Signal, Microsoft Teams, BlueJeans, GoTo Meeting, Cisco WebEx, Houseparty, Discord and Doxy.me. Mozilla measured whether the apps meet the minimum security requirements. These consist of five points that every app should reach: encryption, security updates, strong passwords, vulnerability management and a privacy policy. Mozilla was itself involved in creating the requirements. Three video call apps, Discord, Houseparty and Doxy.me, did not clear this lowest bar. The problems were typically in requiring a strong password: the services allowed creating a very weak and short password. The telemedicine app Doxy.me in particular fared poorly; it even accepted 123 as a password.

PhantomLance spying campaign breaches Google Play security

www.zdnet.com/article/phantomlance-spying-campaign-breaches-google-play-security/ The four-year-long attack wave has been connected to dozens of malicious apps found in app stores. On Tuesday, cybersecurity researchers said the campaign, dubbed PhantomLance, has been active for at least four years and is ongoing. Kaspersky has warned of an ongoing campaign in which malicious apps hosted by Google Play are covertly spying and stealing Android user data. According to the team, “dozens” of malicious apps connected to PhantomLance and harboring a new Trojan have been discovered in Google Play, the tech giant’s official Android mobile application repository. In addition, malicious apps have also been found on the APK download site APKpure. A sophisticated, ongoing espionage campaign aimed at Android users in Asia is likely the work of the OceanLotus advanced persistent threat (APT) actor, researchers said this week. Read also:


threatpost.com/sophisticated-android-spyware-google-play/155202/ and

www.wired.com/story/phantomlance-google-play-malware-apt32/

The Windows 10 security guide: How to protect your business

www.zdnet.com/article/the-windows-10-security-guide-how-to-safeguard-your-business/ How do you configure Windows 10 PCs to avoid common security problems? There’s no software magic bullet, unfortunately, and the tools are different for small businesses and enterprises. Here’s what to watch out for. It is tempting to think that the process of securing a Windows 10 device can be reduced to a simple checklist. Install some security software, adjust a few settings, hold a training session or two, and you can move on to the next item on your to-do list.

Aiming to understand the current state of cyber ranges in Europe

www.epressi.com/tiedotteet/hanketiedotteet/tavoitteena-ymmartaa-kyberharjoitteluymparistojen-nykytilaa-euroopassa.html Cyber ranges and the technologies and products related to them have developed enormously in recent years, both nationally and internationally. There are many reasons for this, among them that private and public organisations have begun investing in them. Jyväskylän ammattikorkeakoulu (JAMK University of Applied Sciences) is taking part in surveying the current state of cyber ranges in Europe and worldwide. CyberSec4Europe is a research and development project funded by the Horizon 2020 research programme, with 43 participants from a total of 20 EU member states and two associated countries. From Finland, VTT takes part alongside Jyväskylän ammattikorkeakoulu. Both are known as organisations producing high-quality cyber range services and top expertise in the field. Read also:

www.epressi.com/tiedotteet/tietoturva/aiming-to-understand-the-current-state-of-existing-cyber-ranges-in-europe.html Project website: cybersec4europe.eu/

Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk

www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations. The ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of human-operated ransomware campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain. Read also:

www.wired.com/story/covid-19-pandemic-ransomware-long-game/

Adobe fixes critical vulnerabilities in Magento and Illustrator

www.bleepingcomputer.com/news/security/adobe-fixes-critical-vulnerabilities-in-magento-and-illustrator/ Adobe has released security updates for Adobe Illustrator, Bridge, and Magento that fix numerous vulnerabilities, including ones that could allow remote code execution.

Teams can be attacked with a GIF image: is the latest update installed?

www.tivi.fi/uutiset/tv/2a097140-2db5-4659-af86-fcaef2513bbc Microsoft has patched a vulnerability in the Teams service that allowed data to be hijacked using only a malicious link or a seemingly harmless image. The Teams vulnerability affected both the application version and the browser version. Microsoft patched the vulnerability with an update released on 20 April. Hacker News reports on the findings of the security company CyberArk. “Even if an attacker did not manage to gather much information from a Teams account, they could use the account to traverse the organisation. Eventually the attacker could access all Teams accounts within the company and collect confidential information, calendar and meeting data, competitive information, trade secrets, passwords, private data and information about business plans,” Omer Tsarfati of CyberArk wrote on the company’s blog. Attackers could exploit the vulnerability by sending a malicious link, for example in the form of a seemingly harmless GIF image, to a victim or to an entire chat group in Teams. When the victim tried to open the image, they in fact disclosed their data to the attacker without even knowing they had done so.

Hackers threaten to leak data from high-end architecture firm Zaha Hadid

www.zdnet.com/article/hackers-threaten-to-leak-data-from-high-end-architecture-firm-zaha-hadid/ Hackers have stolen data from the company’s network, encrypted everything with ransomware, and are now threatening to release files on the dark web if the company doesn’t pay a ransom demand. A group of hackers has breached the network of Zaha Hadid Architects, one of the world’s leading architectural firms, responsible for hundreds of high-end building designs all over the world. The intrusion took place last week, and hackers stole files from the company’s network, encrypted files using ransomware, and are now threatening to release sensitive information on the dark web unless the company pays a hefty ransom demand.

Hackers Leak Biopharmaceutical Firm’s Data Stolen in Ransomware Attack

threatpost.com/hackers-leak-biopharmaceutical-firms-data-stolen-in-ransomware-attack/155237/ The Clop ransomware group has reportedly leaked compromised data of biopharmaceutical company ExecuPharm after a recent cyberattack.
