Daily NCSC-FI news followup 2020-05-06

COVID-19: Cloud Threat Landscape

unit42.paloaltonetworks.com/covid-19-cloud-threat-landscape/ Unit 42 researchers analyzed 1.2 million newly registered domain (NRD) names containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 (7 weeks). 86,600+ domains are classified as “risky” or “malicious”, spread across various regions, as shown in Figure 1. The United States has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).

Cyber volunteers release blocklists for 26,000 COVID-19 threats

www.bleepingcomputer.com/news/security/cyber-volunteers-release-blocklists-for-26-000-covid-19-threats/ The COVID-19 Cyber Threat Coalition has released a block list of known URLs and domain names associated with Coronavirus-themed scams, phishing attacks, and malware threats. The URL blocklist currently consists of 13,863 malicious URLs that have been seen in attacks, and the domain blocklist now contains 12,258 malicious domains and hostnames.

Nearly a Million WP Sites Targeted in Large-Scale Attacks

www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/ Our Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting (XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data. The majority of these attacks appear to be caused by a single threat actor, based on the payload they are attempting to inject: a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a backdoor into the theme’s header.

Now we know what the P really stands for in PwC: X-rated ads plastered over derelict corner of accountants’ website

www.theregister.co.uk/2020/05/06/pwc_azure_squatting/ A forgotten subdomain on PricewaterhouseCoopers’ dot-com has been hijacked to host ads for porno websites and apps, neatly demonstrating why you should not neglect your corporate DNS records.

Instacart Patches SMS Spoofing Vulnerability Discovered by Tenable Research

www.tenable.com/blog/instacart-patches-sms-spoofing-vulnerability-discovered-by-tenable-research As grocery delivery services have seen an increase in traffic from users during the coronavirus pandemic, Tenable Research identified an SMS spoofing flaw that could have allowed an attacker to send spoofed messages to any mobile number.

Hacker buys old Tesla parts on eBay, finds them full of user data

arstechnica.com/cars/2020/05/hacker-mines-passwords-locations-and-more-from-retired-tesla-infotainment-gear/ Data can be retrieved even after owners perform a factory reset, researcher says. Examples included phonebooks from connected cell phones, call logs containing hundreds of entries, recent calendar entries, Spotify and Wi-Fi passwords stored in plaintext, locations for home, work, and all places navigated to, and session cookies that allowed access to Netflix and YouTube (and attached Gmail accounts).

SAP notifying 9% of customers about security bugs in some cloud products

www.zdnet.com/article/sap-notifying-9-of-customers-about-security-bugs-in-some-cloud-products/#ftag=RSSbaffb68 German software group SAP announced on Monday plans to notify approximately 9% of its 440,000 customer base about security holes identified in some of its cloud-based products. The German software group did not elaborate on the nature of the security flaws, as the issues have not yet received fixes across its infrastructure. Nonetheless, SAP said that it did not believe that an attacker exploited any of the issues to gain access to customer data.

Spear-Phishing Attack Spoofs EE To Target Executives

threatpost.com/spear-phishing-attack-spoofs-ee-to-target-executives/155480/ Researchers warn of an ongoing spear-phishing attack mimicking a well-known telecommunications company, EE, to snatch up corporate executives’ credentials and payment details. The phishing campaign comes with a few sloppy red flags that eagle-eyed recipients might pick up on, but researchers say its use of HTTPS and SSL certificates for its landing page helps it evade detection.

The Complete Azure Compliance Guide: HIPAA, PCI, GDPR, CCPA

www.varonis.com/blog/azure-hipaa/ In this guide, we’ll show you how to make your Azure system compliant with HIPAA, PCI, the GDPR, and CCPA.

Checkm8 review translation

cyberforensicator.com/2020/05/06/checkm8-review-translation/ The checkm8 exploit for iOS devices emerged in September 2019. It opened new doors for digital forensics researchers and investigators, who are always looking to extract and analyze data from devices. Can I extract data from a blocked or damaged iPhone? Can I find the PIN code of a blocked device? You will find the answers to these questions and more in this article.

Taiwan’s state-owned energy company suffers ransomware attack

www.cyberscoop.com/cpc-corp-ransomware-attack-taiwan-trend-micro/ Ransomware has struck the computer systems of Taiwan’s state-owned energy company, CPC Corp., according to local media and private forensic reports reviewed by CyberScoop.

Phantom in the Command Shell

blog.prevailion.com/2020/05/phantom-in-command-shell5.html Prevailion’s Tailored Intelligence Team has detected two new criminal campaigns targeting the global financial industry with the EVILNUM malware, one of which became active on 3 May 2020. We have dubbed these new operations “Phantom in the [Command] Shell”.

Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/ Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber attack on its technology systems. The company said the incident has limited some of its operations, but that patient care continues. Fresenius spokesperson Matt Kuhn confirmed the company was struggling with a computer virus outbreak. “I can confirm that Fresenius’ IT security detected a computer virus on company computers,” Kuhn said in a written statement shared with KrebsOnSecurity.

Search provider Algolia discloses security incident due to Salt vulnerability

www.zdnet.com/article/search-provider-algolia-discloses-security-incident-due-to-salt-vulnerability/#ftag=RSSbaffb68 Algolia now joins the ranks of LineageOS, Ghost, Digicert, and Xen Orchestra. Search service Algolia said it suffered a security breach over the weekend after hackers exploited a well-known vulnerability in the Salt server configuration software to gain access to its infrastructure. The company said the hackers installed a backdoor and a cryptocurrency miner on a small number of its servers, but that the incident did not impact its operations in any significant way.

Mitigating High Severity CVEs Affecting SaltStack on Public Clouds

blog.aquasec.com/saltstack-cve-2020-11651-cve-2020-11652 Two high-severity CVEs in the SaltStack platform were published last week by researchers at F-Secure. These vulnerabilities can enable remote code execution (RCE), which lets attackers remotely execute commands on the Salt leader node. This results in a full compromise of the host and can expose sensitive information within the cloud environment. While we recommend that the updates be installed immediately, cloud admins should also take this opportunity to ensure their Salt environments are not exposed publicly, which is a key enabling component of this attack vector.

DDoS attacks in Q1 2020

securelist.com/ddos-attacks-in-q1-2020/96837/ Since the beginning of 2020, due to the COVID-2019 pandemic, life has shifted almost entirely to the Web: people worldwide are now working, studying, shopping, and having fun online like never before. This is reflected in the goals of recent DDoS attacks, with the most targeted resources in Q1 being websites of medical organizations, delivery services, and gaming and educational platforms.

Automation of the Adversary: How to Combat Autonomous Threats With Security Intelligence

www.recordedfuture.com/automated-cyber-threats/ Multi-staged malware campaigns are becoming all too frequent. So much so, that the US-CERT has raised alerts regarding a specific one: Emotet, a prolific email distribution malware. It is known to infect a system, perform data exfiltration, and install a second payload, such as the banking trojan Trickbot, and it performs all of this automatically. Executing the Emotet campaign requires well-organized criminal activity consisting of multiple teams or varying criminal entities.

Credit card skimmer masquerades as favicon

blog.malwarebytes.com/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/ When it comes to online credit card skimmers, we have already seen a number of evasion techniques, some fairly simple and others more elaborate. The goal remains to deceive online shoppers while staying under the radar from website administrators and security scanners. In this latest instance, we observed an old server-side trick combined with the clever use of an icon file to hide a web skimmer. Threat actors registered a new website purporting to offer thousands of images and icons for download, but which in reality has a single purpose: to act as a façade for a credit card skimming operation.

New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app

blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/ We recently identified what we believe is a new variant of the Dacls Remote Access Trojan (RAT) associated with North Korea’s Lazarus group, designed specifically for the Mac operating system. This Mac version is at least distributed via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers. Similar to the Linux variant, it boasts a variety of features including command execution, file management, traffic proxying and worm scanning.

Firefox 76.0 released with critical security patches, update now

nakedsecurity.sophos.com/2020/05/06/firefox-76-0-released-with-critical-security-patches-update-now/ Firefox just published its latest now-every-fourth-Tuesday release, bringing numerous security fixes, including three denoted critical.

Uncovering A Pro-Chinese Government Information Operation On Twitter and Facebook: Analysis Of The #MilesGuo Bot Network

www.bellingcat.com/news/2020/05/05/uncovering-a-pro-chinese-government-information-operation-on-twitter-and-facebook-analysis-of-the-milesguo-bot-network/ An ongoing information operation is using a network of bots made up of newly created and stolen accounts to target a businessman, exiled from China, who has spoken critically of China’s response to COVID-19.

Is CVSS the Right Standard for Prioritization?

www.darkreading.com/vulnerabilities—threats/is-cvss-the-right-standard-for-prioritization/a/d-id/1337712 More than 55% of open source vulnerabilities are rated high or critical. To truly understand a vulnerability and how it might affect an organization or product, we need much more than a number.

B2B, B2C SMBs Hit Hard by Ransomware Crews

www.msspalert.com/cybersecurity-news/b2b-b2c-smbs-hit-hard-by-ransomware-crews/ Roughly 30% of small businesses say their IT teams don’t have adequate resources to address ransomware-related cybersecurity threats, Infrascale research says. Nearly half of small businesses (SMBs) have been victimized by ransomware hijackers and almost 75 percent of those have paid up, a recent survey of 500 C-suite executives found.

5G base stations are being destroyed: where does the conspiracy theory spring from?

www.tivi.fi/uutiset/tv/55913578-c188-4e6e-9dff-f254a328ddd4 No amount of scientific information will stop conspiracy theories, because there is strong demand for them. [For subscribers]
