Daily NCSC-FI news followup 2020-05-07

A Deep Dive Into the Latest Maze Ransomware TTPs

www.kroll.com/en/insights/publications/cyber/latest-maze-ransomware-ttps Kroll incident response (IR) practitioners worked on multiple Maze ransomware cases during the first quarter of 2020 and have new insights on the tactics, techniques and procedures (TTPs) of these actors and why organizations should revisit their IR plans. In our work with one client, Kroll had access to a discussion with Maze actors that revealed some of their inner workings. Coupled with the new FAQ document that Maze recently posted on their “shaming” site, it becomes apparent these threat actors are leaving nothing to chance when pressuring victims to pay up quickly.

Targeted Ransomware Attack Hits Taiwanese Organizations

blog.trendmicro.com/trendlabs-security-intelligence/targeted-ransomware-attack-hits-taiwanese-organizations/ A new targeted attack has infected several organizations in Taiwan with a new ransomware family, which we have dubbed ColdLock. This attack is potentially destructive as the ransomware appears to target databases and email servers for encryption. The information we gathered indicates that this attack started hitting organizations in early May. Analysis of the malware points to similarities between ColdLock and two previously known ransomware families, specifically Lockergoga, Freezing, and the EDA2 “educational” ransomware kit. There have been no indications that this attack has hit any other organization outside of those targeted; we do not believe that this family is currently in widespread use.

Samsung patches 0-click vulnerability impacting all smartphones sold since 2014

www.zdnet.com/article/samsung-patches-0-click-vulnerability-impacting-all-smartphones-sold-since-2014/#ftag=RSSbaffb68 The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014. Jurczyk says the Qmage bug can be exploited in a zero-click scenario, without any user interaction. This happens because Android redirects all images sent to a device to the Skia library for processing — such as generating thumbnail previews — without a user’s knowledge. The researcher discovered the vulnerability in February and reported the issue to Samsung. The South Korean phone maker patched the bug in its May 2020 security updates.

[Identiteettivarkaudet] lisääntyivät korona-aikana – alkaa yleensä netissä

www.is.fi/digitoday/tietoturva/art-2000006499332.html Verkkohuijareiden aktiivisuudesta koronaviruspandemian aikana on varoiteltu useaan otteeseen. Vakuutuspalveluyhtiö mySafetyn teettämän kyselyn mukaan identiteettivarkaudet ovat todella lisääntyneet Suomessa.. myös: yle.fi/uutiset/3-11338445

Nazar: Spirits of the Past

research.checkpoint.com/2020/nazar-spirits-of-the-past/ Recently, security researcher Juan Andres Guerrero-Saade revealed a previously misidentified and unknown threat group, called Nazar, which was part of the last leak by the Shadow Brokers. In this research, we will expand upon the analysis done by Juan and another which was written by Maciej Kotowicz, and will provide an in-depth analysis of each of the Nazar components. But the real question is, do those new revelations add a missing piece to the puzzle, or do they show us how much of the puzzle we are missing?

Naikon APT: Cyber Espionage Reloaded

research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/ Recently Check Point Research discovered new evidence of an ongoing cyber espionage operation against several national government entities in the Asia Pacific (APAC) region. This operation, which we were able to attribute to the Naikon APT group, used a new backdoor named Aria-body, in order to take control of the victims’ networks. In the following report, we will describe the tactics, techniques, procedures and infrastructure that have been used by the Naikon APT group over the 5 years since the last report, and offer some insight into how they were able to remain under the radar.

Cisco Webex phishing uses fake cert errors to steal credentials

www.bleepingcomputer.com/news/security/cisco-webex-phishing-uses-fake-cert-errors-to-steal-credentials/ A highly convincing series of phishing attacks are using fake certificate error warnings with graphics and formatting lifted from Cisco Webex emails to steal users’ account credentials. According to stats shared by email security company Abnormal Security, these phishing emails have already landed in the mailboxes of up to 5, 000 targets that use Cisco Webex while working remotely. also:

abnormalsecurity.com/blog/abnormal-attack-stories-cisco-webex-phishing/

For 8 years, a hacker operated a massive IoT botnet just to download Anime videos

www.zdnet.com/article/for-8-years-a-hacker-operated-a-massive-iot-botnet-just-to-download-anime-videos/#ftag=RSSbaffb68 The botnet consisted solely of D-Link NAS and NVR devices and the botnet peaked at 10, 000 bots in 2015.

Scanning with nmap?s NSE scripts

isc.sans.edu/forums/diary/Scanning+with+nmaps+NSE+scripts/26096/ Since I do a lot of network penetration tests, where quite often I need to scan large networks (and report on findings), I found some NSE scripts unbelievably useful this diary will contain some of the top NSE scripts I use during penetration tests

Senior MP tells UK Defence Committee on 5G security: Russia could become China’s cyber-attack dog

www.theregister.co.uk/2020/05/07/defence_committee_huawei_5g/ Russia might begin carrying out cyber attacks against Britain’s 5G networks “at the behest of China”, the chairman of a Parliamentary Select Committee has ventured. The startling prediction came from Tobias Ellwood MP, chairman of the Defence Committee, as he presided over a hearing on 5G security and Huawei’s involvement.

Large scale Snake Ransomware campaign targets healthcare, more

www.bleepingcomputer.com/news/security/large-scale-snake-ransomware-campaign-targets-healthcare-more/ The operators of the Snake Ransomware have launched a worldwide campaign of cyberattacks that have infected numerous businesses and at least one health care organization over the last few days. This past January, BleepingComputer reported on the new Snake ransomware that was targeting enterprise networks. Since then, the ransomware operators have been relatively quiet, with little to no new infections being detected in the wild. This lack of activity all changed on May 4th, when the ransomware operators conducted a massive campaign that targeted organizations throughout the world and across all verticals.

SilverTerrier BEC scammers target US govt healthcare agencies

www.bleepingcomputer.com/news/security/silverterrier-bec-scammers-target-us-govt-healthcare-agencies/ The Nigerian BEC actors tracked as SilverTerrier y Palo Alto Networks’ Unit 42 threat intelligence team since 2014 were seen switching to COVID-19 themed lures from January 30 to April 30. Unit 42 attributed 2.1 million BEC attacks to the SilverTerrier actors since they began tracking their activities, with an average of 92, 739 BEC attacks per month during 2019 and peaking at 245, 637 BEC attacks in June. They are also known for using malicious tools like information stealers (Agent Tesla, AzoRult, Lokibot, Pony, and PredatorPain) and remote administration tools (RATs) (Netwire, DarkComet, NanoCore, Remcos, ImminentMonitor, Adwind, Hworm, Revenge, and WSHRat) to maintain access and steal sensitive information from their victims after they manage to compromise their networks.

Poulight Stealer, a new Comprehensive Stealer from Russia

yoroi.company/research/poulight-stealer-a-new-comprehensive-stealer-from-russia/ Nowadays, info-stealer is one of the most common threats. This category of malware includes famous malware like Azorult, Agent Tesla, and Hawkeye. Infostealer market is one of the most remunerative for cyber criminals, information gathered from infected systems could be resold in the cybercrime underground or used for credential stuffing attacks. Over the last two months, we monitored the evolution and the diffusion of an infostealer dubbed by the authors Poulight that most likely has a Russian origin.

CinCan vs CovidLock

medium.com/ouspg/cincan-vs-covidlock-ed4d076ec162 Despite everyone being locked down due to COVID-19 the bad guys aren’t resting. Bunch of COVID-19 themed phishing and malware are making rounds targeting everything from individuals to corporations. We at the CinCan project decided to take a look at one COVID-19 themed Android ransomware and see what we can dig up using tools we’ve dockerized.

More and more organizations are falling to ransomware will you be next?

www.theregister.co.uk/2020/05/07/knowbe4_ransomware_webcast/ It’s been “the year of ransomware” for about the past three years. And while you may be tired of hearing about the trend and just getting used to the reality, you may also like to remember: instances of attacks are climbing quickly and we’re now reaching a level where more than half of ransomware schemes result in a business paying out. As with any commercialized form of criminality, the attacks are becoming more sophisticated. Ransomware is moving from opportunistic, mass-mailing attacks to carefully curated, targeted approaches led by phishing. The variety of exploits, encryption, and general propagation techniques used by the malware is escalating.

Tech Support Scam Uses Child Porn Warning

krebsonsecurity.com/2020/05/tech-support-scam-uses-child-porn-warning/ A new email scam is making the rounds, warning recipients that someone using their Internet address has been caught viewing child pornography. The message claims to have been sent from Microsoft Support, and says the recipient’s Windows license will be suspended unless they call an “MS Support” number to reinstate the license, but the number goes to a phony tech support scam that tries to trick callers into giving fraudsters direct access to their PCs.

Who’s Viktor? Tracking down the XTC/Polaris Botnets

blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/ In April, both Radware and Palo Alto Networks published reports about a new botnet family called Hoaxcalls’. Both reports detailed the development of a new, fast-moving and relatively noisy campaign. In this blog, I hope to shed some light on the scope, depth and evolution of the XTC IRC Bot campaign. I hope to demonstrate that since August of 2019, the operators behind this campaign have experimented with source code from several IoT botnets and learned how to leverage current exploits for the purpose of developing a new botnet family, Hoaxcalls.

Jump in vulnerable RDP ports is leaving networks open to hacking and cyberattacks

www.zdnet.com/article/jump-in-vulnerable-rdp-ports-is-leaving-networks-open-to-hacking-and-cyberattacks/ According to analysis by cybersecurity researchers at McAfee, there’s been a spike in RDP ports facing the open internet, growing from around three million in January to more than four and a half million in March.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.