Daily NCSC-FI news followup 2020-05-06

COVID-19: Cloud Threat Landscape

unit42.paloaltonetworks.com/covid-19-cloud-threat-landscape/ Unit 42 researchers analyzed 1.2 million newly registered domain (NRD) names containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 (7 weeks). 86,600+ domains are classified as “risky” or “malicious”, spread across various regions, as shown in Figure 1. The United States has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).

Cyber volunteers release blocklists for 26,000 COVID-19 threats

www.bleepingcomputer.com/news/security/cyber-volunteers-release-blocklists-for-26-000-covid-19-threats/ The COVID-19 Cyber Threat Coalition has released a block list of known URLs and domain names associated with Coronavirus-themed scams, phishing attacks, and malware threats. The URL blocklist currently consists of 13,863 malicious URLs that have been seen in attacks, and the domain blocklist now contains 12,258 malicious domains and hostnames.

Nearly a Million WP Sites Targeted in Large-Scale Attacks

www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/ Our Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting (XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data. The majority of these attacks appear to be caused by a single threat actor, based on the payload they are attempting to inject: a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a backdoor into the theme’s header.

Now we know what the P really stands for in PwC: X-rated ads plastered over derelict corner of accountants’ website

www.theregister.co.uk/2020/05/06/pwc_azure_squatting/ A forgotten subdomain on PricewaterhouseCoopers’ dot-com has been hijacked to host ads for porno websites and apps, neatly demonstrating why you should not neglect your corporate DNS records.

Instacart Patches SMS Spoofing Vulnerability Discovered by Tenable Research

www.tenable.com/blog/instacart-patches-sms-spoofing-vulnerability-discovered-by-tenable-research As grocery delivery services have seen an increase in traffic from users during the coronavirus pandemic, Tenable Research identified an SMS spoofing flaw that could have allowed an attacker to send spoofed messages to any mobile number.

Hacker buys old Tesla parts on eBay, finds them full of user data

arstechnica.com/cars/2020/05/hacker-mines-passwords-locations-and-more-from-retired-tesla-infotainment-gear/ Data can be retrieved even after owners perform a factory reset, researcher says. Examples included phonebooks from connected cell phones, call logs containing hundreds of entries, recent calendar entries, Spotify and Wi-Fi passwords stored in plaintext, locations for home, work, and all places navigated to, and session cookies that allowed access to Netflix and YouTube (and attached Gmail accounts).

SAP notifying 9% of customers about security bugs in some cloud products

www.zdnet.com/article/sap-notifying-9-of-customers-about-security-bugs-in-some-cloud-products/#ftag=RSSbaffb68 German software group SAP announced on Monday plans to notify approximately 9% of its 440,000 customer base about security holes identified in some of its cloud-based products. The German software group did not elaborate on the nature of the security flaws, as the issues have not yet received fixes across its infrastructure. Nonetheless, SAP said that it did not believe that an attacker exploited any of the issues to gain access to customer data.

Spear-Phishing Attack Spoofs EE To Target Executives

threatpost.com/spear-phishing-attack-spoofs-ee-to-target-executives/155480/ Researchers warn of an ongoing spear-phishing attack mimicking a well-known telecommunications company, EE, to snatch up corporate executives’ credentials and payment details. The phishing campaign comes with a few sloppy red flags that eagle-eyed recipients might pick up on, but researchers say its use of HTTPS and SSL certificates for its landing page helps it evade detection.

The Complete Azure Compliance Guide: HIPAA, PCI, GDPR, CCPA

www.varonis.com/blog/azure-hipaa/ In this guide, we’ll show you how to make your Azure system compliant with HIPAA, PCI, the GDPR, and CCPA.

Checkm8 review translation

cyberforensicator.com/2020/05/06/checkm8-review-translation/ The checkm8 exploit for iOS devices emerged in September 2019. It opened new doors for digital forensics researchers and investigators, who are always looking to extract and analyze data from devices. Can I extract data from a blocked or damaged iPhone? Can I find the PIN code of a blocked device? You will find the answers to these questions and more in this article.

Taiwan’s state-owned energy company suffers ransomware attack

www.cyberscoop.com/cpc-corp-ransomware-attack-taiwan-trend-micro/ Ransomware has struck the computer systems of Taiwan’s state-owned energy company, CPC Corp., according to local media and private forensic reports reviewed by CyberScoop.

Phantom in the Command Shell

blog.prevailion.com/2020/05/phantom-in-command-shell5.html Prevailion’s Tailored Intelligence Team has detected two new criminal campaigns targeting the global financial industry with the EVILNUM malware, one of which became active on 3 May 2020. We have dubbed these new operations “Phantom in the [Command] Shell”.

Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/ Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber attack on its technology systems. The company said the incident has limited some of its operations, but that patient care continues. Fresenius spokesperson Matt Kuhn confirmed the company was struggling with a computer virus outbreak. “I can confirm that Fresenius’ IT security detected a computer virus on company computers,” Kuhn said in a written statement shared with KrebsOnSecurity.

Search provider Algolia discloses security incident due to Salt vulnerability

www.zdnet.com/article/search-provider-algolia-discloses-security-incident-due-to-salt-vulnerability/#ftag=RSSbaffb68 Algolia now joins the ranks of LineageOS, Ghost, Digicert, and Xen Orchestra. Search service Algolia said it suffered a security breach over the weekend after hackers exploited a well-known vulnerability in the Salt server configuration software to gain access to its infrastructure. The company said the hackers installed a backdoor and a cryptocurrency miner on a small number of its servers, but that the incident did not impact its operations in any significant way.

Mitigating High Severity CVEs Affecting SaltStack on Public Clouds

blog.aquasec.com/saltstack-cve-2020-11651-cve-2020-11652 Two high-severity CVEs in the SaltStack platform were published last week by researchers at F-Secure. These vulnerabilities can enable remote code execution (RCE), which lets attackers remotely execute commands on the Salt leader node. This results in a full compromise of the host and can expose sensitive information within the cloud environment. While we recommend that the updates be installed immediately, cloud admins should also take this opportunity to ensure their Salt environments are not exposed publicly, which is a key enabling component of this attack vector.

DDoS attacks in Q1 2020

securelist.com/ddos-attacks-in-q1-2020/96837/ Since the beginning of 2020, due to the COVID-2019 pandemic, life has shifted almost entirely to the Web: people worldwide are now working, studying, shopping, and having fun online like never before. This is reflected in the goals of recent DDoS attacks, with the most targeted resources in Q1 being websites of medical organizations, delivery services, and gaming and educational platforms.

Automation of the Adversary: How to Combat Autonomous Threats With Security Intelligence

www.recordedfuture.com/automated-cyber-threats/ Multi-staged malware campaigns are becoming all too frequent. So much so, that the US-CERT has raised alerts regarding a specific one: Emotet, a prolific email distribution malware. It is known to infect a system, perform data exfiltration, and install a second payload, such as the banking trojan Trickbot, and it performs all of this automatically. Executing the Emotet campaign requires well-organized criminal activity consisting of multiple teams or varying criminal entities.

Credit card skimmer masquerades as favicon

blog.malwarebytes.com/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/ When it comes to online credit card skimmers, we have already seen a number of evasion techniques, some fairly simple and others more elaborate. The goal remains to deceive online shoppers while staying under the radar from website administrators and security scanners. In this latest instance, we observed an old server-side trick combined with the clever use of an icon file to hide a web skimmer. Threat actors registered a new website purporting to offer thousands of images and icons for download, but which in reality has a single purpose: to act as a façade for a credit card skimming operation.

New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app

blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/ We recently identified what we believe is a new variant of the Dacls Remote Access Trojan (RAT) associated with North Korea’s Lazarus group, designed specifically for the Mac operating system. This Mac version is at least distributed via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers. Similar to the Linux variant, it boasts a variety of features including command execution, file management, traffic proxying and worm scanning.

Firefox 76.0 released with critical security patches: update now

nakedsecurity.sophos.com/2020/05/06/firefox-76-0-released-with-critical-security-patches-update-now/ Firefox just published its latest now-every-fourth-Tuesday release, bringing numerous security fixes, including three denoted critical.

Uncovering A Pro-Chinese Government Information Operation On Twitter and Facebook: Analysis Of The #MilesGuo Bot Network

www.bellingcat.com/news/2020/05/05/uncovering-a-pro-chinese-government-information-operation-on-twitter-and-facebook-analysis-of-the-milesguo-bot-network/ An ongoing information operation is using a network of bots made up of newly created and stolen accounts to target a businessman, exiled from China, who has spoken critically of China’s response to COVID-19.

Is CVSS the Right Standard for Prioritization?

www.darkreading.com/vulnerabilities---threats/is-cvss-the-right-standard-for-prioritization/a/d-id/1337712 More than 55% of open source vulnerabilities are rated high or critical. To truly understand a vulnerability and how it might affect an organization or product, we need much more than a number.

B2B, B2C SMBs Hit Hard by Ransomware Crews

www.msspalert.com/cybersecurity-news/b2b-b2c-smbs-hit-hard-by-ransomware-crews/ Roughly 30% of small businesses say their IT teams don’t have adequate resources to address ransomware-related cybersecurity threats, Infrascale research says. Nearly half of small businesses (SMBs) have been victimized by ransomware hijackers and almost 75 percent of those have paid up, a recent survey of 500 C-suite executives found.

5G base stations are being destroyed: where does the conspiracy theory spring from?

www.tivi.fi/uutiset/tv/55913578-c188-4e6e-9dff-f254a328ddd4 No amount of scientific information will stop conspiracy theories, because there is strong demand for them. [For subscribers]
