Daily NCSC-FI news followup 2020-05-01

Ransomware mentioned in 1,000+ SEC filings over the past year

www.zdnet.com/article/ransomware-mentioned-in-1000-sec-filings-over-the-past-year/#ftag=RSSbaffb68 A growing number of public companies are now listing ransomware as a forward-looking risk factor in documents filed with the US Securities Exchange Commission. Listing ransomware as a risk factor in SEC filings shows that companies now understand the danger posed by a ransomware attack to their bottom line and are declaring it in advance to prevent shareholder lawsuits for negligence. It also shows that ransomware gangs have evolved and perfected their operational tactics to a level of sophistication that even the mighty Alphabet — Google’s parent company — lists ransomware as a credible danger to its many businesses.

LockBit, the new ransomware for hire: a sad and cautionary tale

arstechnica.com/information-technology/2020/05/lockbit-the-new-ransomware-for-hire-a-sad-and-cautionary-tale/ Ransomware has emerged as one of the top threats facing large organizations over the past few years, with researchers reporting a more than a fourfold increase in detections last year. A recent infection by a fairly new strain called LockBit explains why: after it ransacked one company’s poorly secured network in a matter of hours, leaders had no viable choice other than to pay the ransom. also: Tales – From the Trenches; a Lockbit Ransomware Story:


How Cybercriminals are Weathering COVID-19

krebsonsecurity.com/2020/04/how-cybercriminals-are-weathering-covid-19/ In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.

Healthcare Targeted By More Attacks But Less Sophistication

www.darkreading.com/risk/healthcare-targeted-by-more-attacks-but-less-sophistication/d/d-id/1337702 An increase in attacks targeting healthcare organizations suggests that perhaps new cybercriminals are getting into the game. The mix of more but less sophisticated attacks has led to a greater number of investigations yet about the same number of breaches, says Michael Hamilton, chief information security officer at cybersecurity-response firm CI Security. “The downturn in the global economy has likely led some people into cybercrime, so it’s not surprising that we are seeing more attacks but not necessarily by more sophisticated actors, ” he says.

Sextortion scammers still shilling with stolen passwords

www.welivesecurity.com/2020/04/30/new-sextortion-scam-claims-know-your-password/ Earlier in April, a new sextortion scam campaign was detected making the rounds in countries on both sides of the Atlantic. The spam emails that were detected by ESET’s research laboratory have been trying to dupe unwitting victims by referring to old passwords that have been part of old data breaches.

Attack traffic on TCP port 9673

isc.sans.edu/forums/diary/Attack+traffic+on+TCP+port+9673/26074/ I don’t know how many of you pay attention to the Top 10 Ports graphs on your isc.sans.edu dashboard, but I do. Unfortunately, the top 10 is pretty constant, the botnets are attacking the same ports. What I find more interesting is anomalous behavior. Changes from what is normal on a given port. So, a little over a week ago, I saw a jump on a port I wasn’t familiar with.

Exclusive: Warning Over Chinese Mobile Giant Xiaomi Recording Millions Of People’s Private’ Web And Phone Use

www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/#66ecd6241b2a “It’s a backdoor with phone functionality, ” quips Gabi Cirlig about his new Xiaomi phone. He’s only half-joking. Cirlig is speaking with Forbes after discovering that his Redmi Note 8 smartphone was watching much of what he was doing on the phone. That data was then being sent to remote servers hosted by another Chinese tech giant, Alibaba, which were ostensibly rented by Xiaomi. In response to the findings, Xiaomi said, “The research claims are untrue, ” and “Privacy and security is of top concern, ” adding that it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.”. But a spokesperson confirmed it was collecting browsing data, claiming the information was anonymized so wasn’t tied to any identity. They said that users had consented to such tracking.

WhatsApp: Israeli firm ‘deeply involved’ in hacking our users

www.theguardian.com/world/2020/apr/29/whatsapp-israeli-firm-deeply-involved-in-hacking-our-users WhatsApp has alleged in new court filings that an Israeli spyware company used US-based servers and was “deeply involved” in carrying out mobile phone hacks of 1, 400 WhatsApp users, including senior government officials, journalists, and human rights activists.

Labor floats active cyber defence and a civilian cyber corps for Australia

www.zdnet.com/article/labor-floats-active-cyber-defence-and-a-civilian-cyber-corps-for-australia/#ftag=RSSbaffb68 Labor proposes a public health approach, to cybersecurity, addressing the risk and susceptibility of the whole nation to cyber attack, not just critical infrastructure or ‘big-ticket capabilities’.

Hackers say they stole millions of credit cards from Banco BCR

www.bleepingcomputer.com/news/security/hackers-say-they-stole-millions-of-credit-cards-from-banco-bcr/ Hackers claim to have gained access to the network of Banco BCR, the state-owned Bank of Costa Rica, and stolen 11 million credit card credentials along with other data. This attack was allegedly conducted by the operators of the Maze Ransomware, who have been behind numerous cyberattacks against high-profile victims such as IT services giant Cognizant, cyber insurer Chubb, and drug testing facility Hammersmith Medicines Research LTD.

Customers should apply the April 2020 Critical Patch Update without delay!

blogs.oracle.com/security/apply-april-2020-cpu Oracle has recently received reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883, which affects multiple versions of Oracle WebLogic Server. Oracle strongly recommends that customers apply the April 2020 Critical Patch Update. The April 2020 Critical Patch Update advisory is located at


SaltStack Salt critical bugs allow data center, cloud server hijacking as root

rootdaemon.com/2020/05/01/saltstack-salt-critical-bugs-allow-data-center-cloud-server-hijacking-as-root/ The developers of the open source SaltStack Salt management framework, used in data centers and cloud servers, have warned users to update their builds following the discovery of critical remote code execution vulnerabilities. also:


Dreambot malware operation goes silent

www.zdnet.com/article/dreambot-malware-operation-goes-silent/#ftag=RSSbaffb68 The Dreambot malware botnet appears to have gone silent and possibly shut down, according to a report published today by the CSIS Security Group, a cyber-security firm based in Copenhagen, Denmark.

WebMonitor RAT Bundled with Zoom Installer

blog.trendmicro.com/trendlabs-security-intelligence/webmonitor-rat-bundled-with-zoom-installer/ In early April, we spotted an attack leveraging Zoom installers to spread a cryptocurrency miner. We recently encountered a similar attack that drops a different malware: RevCode WebMonitor RAT. Note that although the installers are legitimate, the ones bundled with malware do not come from official sources of the Zoom app like Zoom’s own download center or legitimate app stores such as the Apple App Store and Google Play Store. They instead come from malicious sources.

New phishing campaign packs an info-stealer, ransomware punch

www.bleepingcomputer.com/news/security/new-phishing-campaign-packs-an-info-stealer-ransomware-punch/ A new phishing campaign is distributing a double-punch of a LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware. By using this malware combo, the attackers first steal saved user names and passwords stored in a variety of applications and then deploy the Jigsaw Ransomware to try and get a small ransom to sweeten the attack. As this phishing campaign utilizes malicious spreadsheets that exploit an old Excel vulnerability, simply making sure you are using the latest security updates for your installed Office applications will protect you.

Coronavirus: Cyber-spies seek coronavirus vaccine secrets

www.bbc.com/news/technology-52490432 Bill Evanina, director of the National Counterintelligence and Security Center, said the US government had warned medical research organisations of the risks. But he would not say whether there had been confirmed cases of stolen data. UK security sources says they have also seen similar activity.

French daily Le Figaro database exposes users’ personal info

www.bleepingcomputer.com/news/security/french-daily-le-figaro-database-exposes-users-personal-info/ French daily newspaper Le Figaro exposed roughly 7.4 billion records containing personally identifiable information (PII) of reporters and employees, as well as of at least 42, 000 users. The data was exposed by an unsecured database owned by Le Figaro and containing over 8TB of data which was publicly accessible because of a misconfigured Elasticsearch server.

You might be interested in …

Daily NCSC-FI news followup 2019-09-05

FunkyBot: A New Android Malware Family Targeting Japan www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html Last year, FortiGuard Labs identified a malware campaign targeting Japanese users. The campaign impersonated a logistics company and deployed an Android malware called FakeSpy. We have been monitoring these actors and the phishing websites they created, and recently we noticed that they have started deploying a […]

Read More

Daily NCSC-FI news followup 2019-11-23

FBI says hackers are targeting US auto industry us.cnn.com/2019/11/20/politics/fbi-us-auto-industry-hackers/index.html The American automotive industry has been the target of malicious cyber actors since at least late 2018, according to an FBI report obtained by CNN. Leaky Gekko Group database exposes info on hotel brands, travelers www.scmagazine.com/home/security-news/data-breach/leaky-gekko-group-database-exposes-info-on-hotel-brands-travelers/ European hotel booking platform provider Gekko Group mistakenly stored over […]

Read More

Daily NCSC-FI news followup 2020-02-15

Edes puhelimen nollaus ei auta näin toimii häijy haittaohjelma www.is.fi/digitoday/tietoturva/art-2000006407633.html Erittäin sitkeä xHelper-haittaohjelma on ihmetyttänyt tietoturvatutkijoita kuukausien ajan, mutta nyt sen salaisuudet ovat vihdoin selvinneet ainakin osittain. Unknown number of Bluetooth LE devices impacted by SweynTooth vulnerabilities www.zdnet.com/article/unknown-number-of-bluetooth-le-devices-impacted-by-sweyntooth-vulnerabilities/ BLE software kits from six chipset vendors impacted. More vendor names to be revealed soon. Suomalaisille soitettu […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.