Daily NCSC-FI news followup 2020-05-08

Techniques: Current Use of Virtual Machine Detection Methods

www.gdatasoftware.com/blog/2020/05/36068-current-use-of-virtual-machine-detection-methods A common approach to analysing potentially malicious software is dynamic analysis in a virtual machine, so malware authors use techniques to alter the malware's behaviour when it detects that it is running in a VM. But how do they actually do it?

Meant to Combat ID Theft, Unemployment Benefits Letter Prompts ID Theft Worries

krebsonsecurity.com/2020/05/meant-to-combat-id-theft-unemployment-benefits-letter-prompts-id-theft-worries/ Millions of Americans now filing for unemployment will receive benefits via a prepaid card issued by U.S. Bank, a Minnesota-based financial institution that handles unemployment payments for more than a dozen U.S. states. Some of these unemployment applications will trigger an automatic letter from U.S. Bank to the applicant. The letters are intended to prevent identity theft, but many people are mistaking these vague missives for a notification that someone has hijacked their identity.

Naikon's Aria

securelist.com/naikons-aria/96899/ Our colleagues at Check Point put together a fine research writeup on some Naikon resources and activity related to aria-body that we detected in 2017 and similarly reported in 2018. To supplement their research findings, we are summarizing and publishing portions of the findings reported in our June 2018 report "Naikon's New AR Backdoor Deployment to Southeast Asia". This malware and activity aligns with much of what the Check Point researchers brought to light today.

Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment. Since November 2019, we've seen the MAZE ransomware being used in attacks that combine targeted ransomware deployment, public exposure of victim data, and an affiliate model.

Digital transformation could be accelerated by COVID19

www.welivesecurity.com/2020/05/07/digital-transformation-could-be-accelerated-covid-19/ The pandemic has highlighted the need for businesses to act with alacrity and prepare for the long haul and to do so with cybersecurity in mind

Using Nmap As a Lightweight Vulnerability Scanner

isc.sans.edu/forums/diary/Using+Nmap+As+a+Lightweight+Vulnerability+Scanner/26098/ Nmap has a scan type that tries to determine the service and version information running behind an open port (enabled with the -sV flag). A third-party NSE script takes this version information and looks up matching CVEs in a flat-file database. Unfortunately, that script was never integrated into the official list of Nmap scripts. A second project, however, was kicked off and integrated into Nmap: the vulners script, which queries the vulners.com database for the detected product versions.
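The vulners script reads the version string that nmap collected with -sV, queries vulners.com for matching records, and prints one tab-separated line per finding (identifier, CVSS score, URL, and an *EXPLOIT* marker on entries that are exploit code rather than bare CVE records). The snippet below is an added example, not code from the ISC diary or from the Nmap project: the scan command is left as a comment because it needs the nmap binary and network access, and the POSIX-sh filter that follows is exercised on a constructed sample of the script's output. The host 10.0.0.5, the OpenSSH 7.4 banner and the EXPLOITPACK:EXAMPLE-0001 entry are made up, and the exact column layout is assumed from the script's tab-separated format.

```shell
#!/bin/sh
# Added example, not from the ISC diary. Scan with service detection and the
# bundled vulners NSE script; mincvss is passed to the script so low-severity
# noise is dropped before it reaches the report (needs nmap and network
# access, so it is shown as a comment here):
#
#   nmap -sV --script vulners --script-args mincvss=5.0 -oN scan.txt 10.0.0.5
#
# Assumed output layout (tab separated after the "|" NSE prefix):
#   |   <tab><id><tab><cvss><tab><url>[<tab>*EXPLOIT*]

TAB=$(printf '\t')

# Constructed sample of a vulners result for one port. The two CVEs are real
# OpenSSH issues; the EXPLOITPACK identifier and its URL are placeholders.
SAMPLE_SCAN="PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.4:
|     ${TAB}CVE-2018-15473${TAB}5.0${TAB}https://vulners.com/cve/CVE-2018-15473
|     ${TAB}CVE-2017-15906${TAB}5.0${TAB}https://vulners.com/cve/CVE-2017-15906
|     ${TAB}EXPLOITPACK:EXAMPLE-0001${TAB}7.8${TAB}https://vulners.com/exploitpack/EXPLOITPACK:EXAMPLE-0001${TAB}*EXPLOIT*"

# vulners_filter MIN_CVSS  -- reads nmap normal output on stdin and prints
# "<id> <cvss>[ exploit]" for every finding scoring at least MIN_CVSS.
# Port-table lines, the cpe header and other scripts' output are skipped
# because their first field is not a bare "|" or their third field is not
# a number.
vulners_filter() {
    awk -F'\t' -v min="$1" '
        NF >= 4 && $1 ~ /^[|] *$/ && $3 ~ /^[0-9]+(\.[0-9]+)?$/ {
            if ($3 + 0 >= min + 0) {
                tag = ($5 == "*EXPLOIT*") ? " exploit" : ""
                printf "%s %s%s\n", $2, $3, tag
            }
        }'
}

# Triage: everything the script returned, then only the high-severity subset.
printf '%s\n' "$SAMPLE_SCAN" | vulners_filter 0
printf '%s\n' "$SAMPLE_SCAN" | vulners_filter 7.0
```

Running the same filter over a real `-oN` file (`vulners_filter 7.0 < scan.txt`) gives a quick list of what to patch first; the `exploit` tag is the column to sort on, since a public exploit matters more than a raw CVSS number when deciding what gets fixed today.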

Blue Mockingbird Monero-Mining Campaign Exploits Web Apps

threatpost.com/blue-mockingbird-monero-mining/155581/ A Monero cryptocurrency-mining campaign has emerged that exploits a known vulnerability in public-facing web applications built with Telerik UI for ASP.NET AJAX. The campaign has been dubbed Blue Mockingbird by the analysts at Red Canary who discovered the activity. Research uncovered that the cybercriminal gang is exploiting a deserialization vulnerability in that component, CVE-2019-18935, which allows remote code execution.

Cognizant expects to lose between $50m and $70m following ransomware attack

www.zdnet.com/article/cognizant-expects-to-lose-between-50m-and-70m-following-ransomware-attack/ IT services provider Cognizant said in an earnings call this week that a ransomware incident in April 2020 will negatively impact its Q2 revenue. "While we anticipate that the revenue impact related to this issue will be largely resolved by the middle of the quarter, we do anticipate the revenue and corresponding margin impact to be in the range of $50 million to $70 million for the quarter," said Karen McLoughlin, Cognizant Chief Financial Officer, in an earnings call yesterday.

A harsh psychological fact: people believe others fall for online scams more easily than they do themselves

www.tivi.fi/uutiset/tv/77ae344f-d484-4c7f-a874-b61e8acd1456 People, at least young adults, consider it more likely that others fall for phishing scams arriving by e-mail than that they do themselves. This not particularly surprising result was reached by researchers led by assistant professor Emily Balcetis of New York University in a recent psychological study.

Zoom handed a long list of remedial homework: this is how the service will change

www.tivi.fi/uutiset/tv/e1812667-fd47-4a37-890f-ea3567c84edd The video calling service Zoom is introducing new features that protect users' privacy. The measures are the result of investigations by the New York Attorney General into the company's practices. The Attorney General launched the investigations into the service's privacy and security in March, after information about the service's vulnerabilities became public.

US military is furious at FCC over 5G plan that could interfere with GPS

arstechnica.com/tech-policy/2020/05/millions-of-gps-devices-at-risk-from-fcc-approved-5g-network-military-says/ GPS is facing a major interference threat from a 5G network approved by the Federal Communications Commission, US military officials told Congress in a hearing on Wednesday. In testimony to the Senate Committee on Armed Services, Department of Defense Chief Information Officer Dana Deasy disputed the FCC’s claims that conditions imposed on the Ligado network will protect GPS from interference.

Ruhr University Bochum shuts down main servers after cyberattack

www.bleepingcomputer.com/news/security/ruhr-university-bochum-shuts-down-main-servers-after-cyberattack/ The Ruhr University Bochum (RUB), Ruhr-Universität Bochum in German, announced today that it was forced to shut down large parts of its central IT infrastructure, including the backup systems, due to a cyberattack that took place overnight between May 6 and May 7.

REvil ransomware threatens to leak A-list celebrities’ legal docs

www.bleepingcomputer.com/news/security/revil-ransomware-threatens-to-leak-a-list-celebrities-legal-docs/ The Sodinokibi ransomware group threatens to release hundreds of gigabytes of legal documents from a prominent entertainment and law firm that counts dozens of international stars as their clients. Grubman Shire Meiselas & Sacks (GSMLaw) is based in New York and represents dozens of heavyweight artists. Looking at its list of clients, you can spot names that are known all over the world.

Report: Microsoft's GitHub Account Gets Hacked

threatpost.com/report-microsofts-github-account-gets-hacked/155587/ Hackers have broken into Microsoft's GitHub account and stolen 500 GB of data from the tech giant's own private repositories on the developer platform, according to published reports. A group that calls itself Shiny Hunters claims it stole and then leaked the data, which did not appear to include any critical or sensitive information. The data was then posted on a hacker forum, according to multiple reports.

We Chat, They Watch

citizenlab.ca/2020/05/we-chat-they-watch/ How International Users Unwittingly Build up WeChat's Chinese Censorship Apparatus. We present results from technical experiments which reveal that WeChat communications conducted entirely among non-China-registered accounts are subject to pervasive content surveillance that was previously thought to be reserved exclusively for China-registered accounts.

3.68 Million MobiFriends User Credentials Stolen and Shared on Hacking Forum

www.riskbasedsecurity.com/2020/05/07/3-68-million-mobifriends-user-credentials-stolen-and-shared-on-hacking-forum/ The credentials of nearly 4 million MobiFriends users have recently been discovered by our Data Breach Research team on a prominent deep web hacking forum. The leaked data sets are currently available in a non-restricted manner despite being originally offered for sale.

Hackers sell stolen user data from HomeChef, ChatBooks, and Chronicle

www.bleepingcomputer.com/news/security/hackers-sell-stolen-user-data-from-homechef-chatbooks-and-chronicle/ Three more high-profile databases are being offered for sale by the same group claiming the Tokopedia and Unacademy breaches, and the more recently reported theft of Microsoft's private GitHub repositories. Going by the name Shiny Hunters, the group is now selling user records from meal kit delivery service HomeChef, from photo print service ChatBooks, and from Chronicle.com, a news source for higher education.

On 5 May 2020, German media reported that Germany's Federal Prosecutor has issued an arrest warrant against Russian citizen Dmitry Badin, the main suspect in the 2015 hacking of the German Bundestag.

Attacking SCADA: Vulnerabilities in Schneider Electric SoMachine and M221 PLC (CVE-2017-6034 and CVE-2020-7489)

www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabilities-in-schneider-electric-somachine-and-m221-plc/ SCADA/OT security has been a growing concern for quite some time. This technology controls some of our most essential services and utilities, like our nuclear plants and electric grids. While most of these implementations are protected to a certain extent by unique complexity, 24/7 monitoring, and built-in fault tolerance and redundancy, vulnerabilities and attacks targeting them should not be discounted.

As Remote Work Becomes the Norm, Security Fight Moves to Cloud, Endpoints

www.darkreading.com/cloud/as-remote-work-becomes-the-norm-security-fight-moves-to-cloud-endpoints/d/d-id/1337774 As states and cities look to lift stay-at-home orders, the increased level of employees working remotely will not disappear. That means many businesses will be moving more of their infrastructure to the cloud and having to deal with the security challenges that come with a hybrid infrastructure, experts said this week.
