Daily NCSC-FI news followup 2020-05-13

Microsoft Patch Tuesday, May 2020 Edition

krebsonsecurity.com/2020/05/microsoft-patch-tuesday-may-2020-edition/ Microsoft issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to today, but as always, if you're running Windows on any of your machines it's time once again to prepare to get your patches on.

Solving Uninitialized Stack Memory on Windows

msrc-blog.microsoft.com/2020/05/13/solving-uninitialized-stack-memory-on-windows/ This blog post outlines the work that Microsoft is doing to eliminate uninitialized stack memory vulnerabilities from Windows and why we're on this path.

WannaCryptor remains a global threat three years on

www.welivesecurity.com/2020/05/12/wannacryptor-remains-global-threat-three-years-on/ On May 12th, 2017, WannaCryptor (also known as WannaCry and WCrypt) wrought havoc on computer systems across the globe to a degree never seen previously. The cryptoworm propagated through an exploit called EternalBlue that targeted a critical vulnerability in an outdated version of Microsoft's implementation of the Server Message Block (SMB) protocol, via port 445, which is mainly used for file and printer sharing in enterprise networks. During such an attack, a cybercriminal scans the internet for machines with an exposed SMB port and launches the exploit code against any vulnerable machines that are found. If the exploit succeeds, the attacker runs a payload of their choice; in this case, it was the WannaCryptor.D ransomware.
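The attack pattern described above (one external source sweeping TCP/445 across internal hosts, then exploiting whichever ones answer) suggests two simple checks a defender can run over perimeter connection logs. The script below is an added example, not code from the WeLiveSecurity article: it flags external sources that probe 445 on many distinct internal hosts, and internal hosts that complete an SMB handshake with an external peer (i.e. SMB reachable from the internet). The log format (space-separated `ts src_ip src_port dst_ip dst_port proto state`), the sample lines and the scan threshold of five hosts are all constructed assumptions; the `state` column borrows Zeek `conn_state` values (`SF` = full session, `REJ` = rejected, `S0` = no reply).

```python
"""Flag SMB (TCP/445) sweeps and internet-exposed SMB in connection logs.

Added example (not from the linked article). Log format, sample data and
thresholds are constructed assumptions, see the lead-in.
"""
import ipaddress
from collections import defaultdict

# Assumption: "internal" means RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445
SCAN_THRESHOLD = 5  # distinct internal hosts probed on 445 by one external source

# Constructed sample log: one external host sweeps 10.0.0.1-6 on 445,
# one internal host talks SMB internally (benign), one external host
# completes a single SMB session with 10.0.0.4 (exposed, but not a sweep).
SAMPLE_LOG = """\
1589328000.1 203.0.113.7 51000 10.0.0.1 445 tcp REJ
1589328000.2 203.0.113.7 51001 10.0.0.2 445 tcp REJ
1589328000.3 203.0.113.7 51002 10.0.0.3 445 tcp S0
1589328000.4 203.0.113.7 51003 10.0.0.4 445 tcp SF
1589328000.5 203.0.113.7 51004 10.0.0.5 445 tcp REJ
1589328000.6 203.0.113.7 51005 10.0.0.6 445 tcp REJ
1589328001.0 198.51.100.5 40000 10.0.0.2 80 tcp SF
1589328002.0 10.0.0.9 49152 10.0.0.3 445 tcp SF
1589328003.0 198.51.100.8 40100 10.0.0.4 445 tcp SF
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return a record dict, or None for blank/malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, src, sport, dst, dport, proto, state = fields
    try:
        return {"ts": float(ts), "src": src, "dst": dst,
                "dport": int(dport), "proto": proto.lower(), "state": state}
    except ValueError:
        return None


def analyze(lines):
    """Return {'scanners': {src: [dsts]}, 'exposed_smb_hosts': [dsts]}."""
    probes = defaultdict(set)   # external src -> internal dsts it touched on 445
    exposed = set()             # internal hosts that completed SMB with an external peer
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != SMB_PORT:
            continue
        # Only inbound traffic from outside to inside is interesting here;
        # internal-to-internal SMB is normal file/printer sharing.
        if is_internal(rec["src"]) or not is_internal(rec["dst"]):
            continue
        probes[rec["src"]].add(rec["dst"])
        if rec["state"] == "SF":
            exposed.add(rec["dst"])
    scanners = {src: sorted(dsts) for src, dsts in probes.items()
                if len(dsts) >= SCAN_THRESHOLD}
    return {"scanners": scanners, "exposed_smb_hosts": sorted(exposed)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for src, dsts in result["scanners"].items():
        print(f"SMB sweep from {src}: {len(dsts)} internal hosts probed")
    for host in result["exposed_smb_hosts"]:
        print(f"SMB reachable from the internet on {host}")
```

Any host on the `exposed_smb_hosts` list is the one that matters most: it is reachable on 445 from outside regardless of whether a sweep was seen, and the fix is at the firewall, not only in patching.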

CISA-FBI Joint Announcement on PRC Targeting of COVID-19 Research Organizations

www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Public Service Announcement today warning organizations researching COVID-19 of likely targeting and network compromise by the People's Republic of China (PRC). Healthcare, pharmaceutical and research sectors working on COVID-19 response should all be aware that they are the prime targets of this activity and take the necessary steps to protect their systems.

Ramsay: A cyberespionage toolkit tailored for airgapped networks

www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/ ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within airgapped networks. We initially found an instance of Ramsay in VirusTotal. That sample was uploaded from Japan and led us to the discovery of further components and versions of the framework, along with substantial evidence to conclude that this framework is at a developmental stage, with its delivery vectors still undergoing fine-tuning.

U.S. Defense Warns of 3 New Malware Used by North Korean Hackers

thehackernews.com/2020/05/fbi-north-korean-malware.html Yesterday, on the 3rd anniversary of the infamous global WannaCry ransomware outbreak for which North Korea was blamed, the U.S. government released information about three new malware strains used by state-sponsored North Korean hackers. Called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, the malware variants are capable of remote reconnaissance and exfiltration of sensitive information from target systems, according to a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD).


Malspam with links to zip archives pushes Dridex malware

isc.sans.edu/forums/diary/Malspam+with+links+to+zip+archives+pushes+Dridex+malware/26116/ In recent weeks, I continue to run across examples of malicious spam (malspam) pushing Dridex malware. While malspam pushing Dridex can use attachments (usually Excel spreadsheets with malicious macros), I tend to focus on malspam using links to zip archives for Dridex. Today's diary provides a quick rundown of link-based Dridex activity on Tuesday, 2020-05-12.

Healthcare Giant Magellan Struck with Ransomware, Data Breach

threatpost.com/healthcare-giant-magellan-ransomware-data-breach/155699/ Magellan Health, the Fortune 500 insurance company, has reported a ransomware attack and a data breach. The company, which according to its website "empowers 1 in 10 Americans to lead healthier, more vibrant lives", said the incident was discovered on April 11. It also said that it became apparent during a forensic investigation that the ransomware attack was the final stage of a longer campaign.


PrintDemon (CVE-2020-1048): abusing the Windows Print Spooler

windows-internals.com/printdemon-cve-2020-1048/ We promised you there would be a Part 1 to FaxHell, and with today's Patch Tuesday and CVE-2020-1048, we can finally talk about some of the very exciting technical details of the Windows Print Spooler, and interesting ways it can be used to elevate privileges, bypass EDR rules, gain persistence, and more.

Google removed 813 creepware apps from the Android Play Store

Last year Google removed a batch of 813 "creepware" apps from the official Android Play Store following a report from a group of academics studying stalkerware-like apps. The research behind last year's report has now been published online this month in a paper titled "The Many Kinds of Creepware Used for Interpersonal Attacks."


Black and white lists dropped as racist: will others follow the British authority's example?

www.is.fi/digitoday/tietoturva/art-2000006505394.html The British cyber security body NCSC (National Cyber Security Centre) is discontinuing the use of the expressions "black list" and "white list" (blacklist, whitelist). According to its official blog, these expressions are perceived as racist. In their place, the organisation will speak of allow lists and deny lists throughout. Black and white have been a common way in the security industry to categorise, for example, the applications or passwords that are allowed on a corporate network. The distinction, however, rests on the idea that black is somehow bad and white good.

Are there dormant applications on your computer? They offer cyber crooks a way in; here is how to remove them

www.tivi.fi/uutiset/tv/b5d04bf4-7ad8-4ecf-8d2a-c2cbae2eb51b Unused programs left dormant on a computer are a security risk. Cyber criminals can wake a dormant program either through open ports or through e-mail links and take over the device. For that reason, links arriving by e-mail that show file extensions you do not recognise should not be opened at all. "An unfirewalled mobile data connection and a remote desktop service that for some reason is running on the computer is the kind of combination that is asking for trouble," says security specialist Perttu Halonen of Traficom's National Cyber Security Centre.

Ransomware now demands extra payment to delete stolen files

www.bleepingcomputer.com/news/security/ransomware-now-demands-extra-payment-to-delete-stolen-files/ A ransomware family has begun a new tactic of not only demanding a ransom for a decryptor but also demanding a second ransom not to publish files stolen in an attack. For years, ransomware operators have been claiming to steal data before encrypting a company’s network and then threatening to release the data if a victim does not pay.

Danger zone! Brit research supercomputer ARCHER’s login nodes exploited in cyber-attack, admins reset passwords and SSH keys

www.theregister.co.uk/2020/05/13/uk_archer_supercomputer_cyberattack/ One of Britain's most powerful academic supercomputers has fallen victim to a "security exploitation" of its login nodes, forcing a reset of all user passwords and SSH keys. The intrusion, which is understood to be under investigation by GCHQ offshoot the National Cyber Security Centre (NCSC), rendered the ARCHER high-performance computing (HPC) network unavailable to its users on Tuesday.

Microsoft warns of COVID-19 phishing spreading info-stealing malware

www.bleepingcomputer.com/news/security/microsoft-warns-of-covid-19-phishing-spreading-info-stealing-malware/ Microsoft has discovered a new COVID-19 themed phishing campaign using economic concerns to target businesses with the LokiBot information-stealing Trojan. In tweets published today by Microsoft Security Intelligence, Microsoft explains that a recent phishing campaign was detected using COVID-19 lures to spread the LokiBot information-stealing Trojan.

Website Attacks Become Quieter & More Persistent

www.darkreading.com/attacks-breaches/website-attacks-become-quieter-and-more-persistent/d/d-id/1337799 Threat actors are pivoting away from noisy website attacks to campaigns that are quieter and designed to remain undetected for as long as possible. Moving on from website defacements and SEO spam, attackers are increasingly targeting websites to install backdoors and other stealthy malware, according to a new study by SiteLock.

German Chancellor: hacks do not make it easier to improve relations with Russia

yle.fi/uutiset/3-11349928 German Chancellor Angela Merkel says she has concrete evidence of Russian hacking attempts directed at her. "I strive for good relations with Russia because I believe there is every reason to continue diplomatic efforts, but this does not make it easier," Merkel said in the German Bundestag.

Coronavirus: Cyber-attacks hit hospital construction companies

www.bbc.com/news/technology-52646808 Two companies involved in building emergency coronavirus hospitals have been hit by cyber-attacks this month. Interserve, which helped build Birmingham's NHS Nightingale hospital, and Bam Construct, which delivered the Yorkshire and the Humber's, have reported the incidents to authorities. Earlier this month, the government warned that healthcare groups involved in the response to the virus were being targeted by malicious actors.
