Daily NCSC-FI news followup 2020-05-14

Spam campaign: Netwire RAT via paste.ee and MS Excel to German users

www.gdatasoftware.com/blog/netwire-rat-via-pasteee-and-ms-excel G DATA discovered an email spam campaign in Germany that delivers NetWire RAT via PowerShell in Excel documents. The emails mimick the German courier, parcel and express mail service DHL.

Sodinokibi drops greatest hits collection, and crime is the secret ingredient

blog.malwarebytes.com/cybercrime/2020/05/sodinokibi-drops-greatest-hits-collection-and-crime-is-the-secret-ingredient/ When a group of celebrities ask to speak with their lawyer, they usually dont have to call in a bunch of other people to go speak with their lawyer. However, in this case it may well be a thing a little down the line. A huge array of musicians including Bruce Springsteen, Lady Gaga, Madonna, Run DMC and many more have had documents galore pilfered by the Sodinokibi gang.

The Perils of Video Calls (And How To Protect Yourself)

www.pandasecurity.com/mediacenter/mobile-news/perils-of-video-calls/ Governments across the world have been instructing people to work from home as much as possible to limit the spread of the deadly Covid-19 virus. As a result, weve seen an increase in the use of video conferencing services to host virtual meetings between colleagues. And families are also getting together online to stay in touch using the same tools.

Automating Threat Detection and Response With Security Intelligence

www.recordedfuture.com/automated-threat-detection/ Automating threat detection and response has historically been a very expensive and time-consuming process. However, with the prevalence of restful Application Programming Interfaces (APIs), commercial threat intelligence, and crowd-sourced feeds, it has never been easier and more cost effective to do so. Through careful thought and a little bit of Python, organizations can begin to adopt automation into their defenses.

COMpfun authors spoof visa application with HTTP status-based Trojan

securelist.com/compfun-http-status-based-trojan/96874/ You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic. If youre wondering whether the actor behind the malware is still developing new features, the answer is yes. Later in November 2019 our Attribution Engine revealed a new Trojan with strong code similarities. Further research showed that it was obviously using the same code base as COMPFun.

X-Force IRIS Overcomes Broken Decryption Mechanism in Jest Ransomware

securityintelligence.com/posts/x-force-iris-overcomes-broken-decryption-mechanism-in-jest-ransomware/ IBM X-Force Incident Response and Intelligence Services (IRIS) recently helped a company fend off a ransomware attack by building a custom decryptor for a strain of ransomware known as Jest.. Even though attackers made ransom demands to decrypt the victims data and systems, our team uncovered evidence suggesting that the actor never intended to decrypt the files and that this strain of Jest ransomware may not have been designed to decrypt files even after a ransom was paid.

Using Real-Time Events in Investigations

www.fireeye.com/blog/threat-research/2020/05/using-real-time-events-in-investigations.html To understand what a threat actor did on a Windows system, analysts often turn to the tried and true sources of historical endpoint artifacts such as the Master File Table (MFT), registry hives, and Application Compatibility Cache (AppCompat). However, these evidence sources were not designed with detection or incident response in mind; crucial details may be omitted or cleared through anti-forensic methods. By looking at historical evidence alone, an analyst may not see the full story.

Mikroceen: Spying backdoor leveraged in highprofile networks in Central Asia

www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/ In this joint blogpost with fellow researchers from Avast, we provide a technical analysis of a constantly developed RAT that has been used in various targeted campaigns against both public and private subjects since late 2017. We observed multiple instances of attacks involving this RAT, and all of them happened in Central Asia. Among the targeted subjects were several important companies in the telecommunications and gas industries, and governmental entities.

Reverse RDP The Path Not Taken

research.checkpoint.com/2020/reverse-rdp-the-path-not-taken/ During 2019, we published our research on the Reverse RDP Attack: Part 1 and Part 2. In those blog posts, we described how we found numerous critical vulnerabilities in popular Remote Desktop Protocol (RDP) clients. In addition, we focused on a Path-Traversal vulnerability we found in Microsofts RDP client, a vulnerability that was also applicable as a guest-to-host VM escape in Hyper-V Manager.. When testing the applicability of our findings to Microsofts RDP client for MacOS, we made an interesting discovery: not only can we bypass Microsofts patch, we can bypass any path canonicalization check performed according to Microsofts best practice.

Patch Tuesday Revisited – CVE-2020-1048 isn’t as “Medium” as MS Would Have You Believe

isc.sans.edu/forums/diary/Patch+Tuesday+Revisited+CVE20201048+isnt+as+Medium+as+MS+Would+Have+You+Believe/26124/ Looking at our patch Tuesday list, I looked a bit closer at CE-2020-1048 (Print Spooler Privilege Escalation) and Microsoft’s ratings for that one. Microsoft rated this as: Disclosed: NO, Exploited: NO, xploitability (old and new versions). Unfortunately, this vulnerabiltiy was actually disclosed to Microsoft by the research community, so the code to exploit it absolutely does exist and was disclosed, and a full write-up was posted as soon as the patch came out.

BEC Gang Exploits G Suite, Long Domain Names in Cyberattacks

threatpost.com/bec-gang-exploits-g-suite-long-domain-names-in-cyberattacks/155718/ Business email compromise (BEC) attacks continue to be a thorn in companies sides, with the FBI in its IC3 annual cybercrime report saying that the attacks cost victims $1.7 billion in 2019. Making matters worse, BEC cybergangs are turning to new tactics and tricks to avoid detection and capitalize on existing victims. For instance, a cybercriminal gang that researchers call Exaggerated Lion has been making use of G Suite and extremely long domain names to swindle millions of dollars out of its victims.

Mandrake owning Android devices since 2016

labs.bitdefender.com/2020/05/mandrake-owning-android-devices-since-2016/ In early 2020 we identified a new, highly sophisticated Android espionage platform that had been active in the wild for at least 4 years. We named the threat Mandrake as the actor(s) behind it used names of toxic plants, or other botanical references, for major development branches: e.g. Briar, Ricinus or Nerium.

Access-as-a-Service Remote Access Markets in the Cybercrime Underground

ke-la.com/access-as-a-service-remote-access-markets-in-the-cybercrime-underground/ Remote Access Markets are automated stores that allow attackers to exchange access credentials to compromised websites and services. As such, they represent an endless stream of opportunities for attackers; buying access to an organization as a service lowers the skill bar for further exploitation and exposes organizations to a plethora wave of online threats from ransomware to card skimming.

COVID-19 blamed for 238% surge in cyberattacks against banks

www.zdnet.com/article/covid-19-blamed-for-238-surge-in-cyberattacks-against-banks/ The coronavirus pandemic has been connected to a 238% surge in cyberattacks against banks, new research claims. On Thursday, VMware Carbon Black released the third edition of the Modern Bank Heists report, which says that financial organizations experienced a massive uptick in cyberattack attempts between February and April this year — the same months in which COVID-19 began to spread rapidly across the globe.

Nyt ovat WhatsApp-tilit vaarassa: Älä vastaa tällaiseen viestiin kavala huijaus yleistyy Suomessa

www.tivi.fi/uutiset/tv/2afd0a75-f1c7-472c-bea3-e5d33d32d621 Traficomin Kyberturvallisuuskeskus varoittaa Suomessa leviävästä huijauksesta, jossa WhatsApp-käyttäjiltä kalastellaan sovelluksen vahvistuskoodeja. Huijausviesteissä väitetään, että tekstiviestitse lähetetty vahvistuskoodi on päätynyt muka vahingossa uhrin puhelimeen. Jos kuusinumeroisen koodin erehtyy paljastamaan huijareille, WhatsApp-tili joutuu kaapatuksi.

Huawei denies involvement in buggy Linux kernel patch proposal

www.zdnet.com/article/huawei-denies-involvement-in-buggy-linux-kernel-patch-proposal/ Huawei denied on Monday having any official involvement in an insecure patch submitted to the Linux kernel project over the weekend; patch that introduced a “trivially exploitable” vulnerability. The buggy patch was submitted to the official Linux kernel project via its mailing list on Sunday. Named HKSP (Huawei Kernel Self Protection), the patch allegedly introduced a series of security-hardening options to the Linux kernel.

Scammers steal $10 million from Norway’s state investment fund

www.bleepingcomputer.com/news/security/scammers-steal-10-million-from-norways-state-investment-fund/ Fraudsters running business email compromise scams were able to swindle Norfund, Norways state investment fund, out of $10 million. The attackers took their time before pulling the trigger and took action to ensure that the theft would be discovered long after they got the money.

‘iOS security is f**ked’ says exploit broker Zerodium: Prices crash for taking a bite out of Apple’s core tech

www.theregister.co.uk/2020/05/14/zerodium_ios_flaws/ Five years ago, Zerodium offered a $1m reward for a browser-based, untethered jailbreak in iOS 9. On Wednesday, the software exploit broker said it won’t pay anything for some iOS bugs due to an oversupply. “We will NOT be acquiring any new Apple iOS LPE [local privilege escalation], Safari RCE [remote code execution], or sandbox escapes for the next two to three months due to a high number of submissions related to these vectors,” the company said via Twitter.

Organizations Conduct App Penetration Tests More Frequently – and Broadly

www.darkreading.com/cloud/organizations-conduct-app-penetration-tests-more-frequently—and-broadly/d/d-id/1337811 In an encouraging sign for application security, enterprise organizations are conducting penetration tests more frequently and more broadly than before, data from a new Cobalt.io study suggests.. Unlike in the past where regulatory and other compliance mandates used to be the primary driver for these tests, organizations are now conducting them more to proactively detect and address security issues in their software, the study found.

Digging into the vortex of unknown memory dump [Part 1/X]

medium.com/ouspg/digging-into-the-vortex-of-unknown-memory-dump-part-1-x-aaa6e0ee81d3 This blog series is based on the CinCan workshops memory dump analysis part, which was introduced in the Disobey 2020. Story is purely fictional but attempts to demonstrate some real-life situation.

Yhdysvallat varoittaa koronavirustutkijoita kiinalaishakkereista

yle.fi/uutiset/3-11350443 Yhdysvaltain liittovaltion poliisi FBI ja Yhdysvaltain kotimaan turvallisuusvirasto varoittavat, että Kiinan hallitukseen kytkeytyvät hakkerit voivat ottaa kohteikseen laitoksia ja yhtiöitä, jotka tutkivat ja kehittävät koronaviruksen vastaisia rokotteita, lääkehoitoja ja testausta.

You might be interested in …

Daily NCSC-FI news followup 2019-10-18

KRP epäilee: Rikosliiga hankki suomalaisia henkilötunnuksia ja pankkitilejä kuin liukuhihnalta kansainvälisessä petossarjassa yle.fi/uutiset/3-11026054 KRP:n mukaan asianomistajille aiheutuneet vahingot ovat olleet tutkittavassa kokonaisuudessa yhteensä noin 725 000 euroa. APT trends report Q3 2019 securelist.com/apt-trends-report-q3-2019/94530/ UK government has revealed it is working with chip-maker Arm on a £36m initiative to make more secure processors. www.infosecurity-magazine.com/news/uk-government-announces/ See also […]

Read More

Daily NCSC-FI news followup 2020-01-02

New evasion techniques found in web skimmers blog.malwarebytes.com/threat-analysis/2019/12/new-evasion-techniques-found-in-web-skimmers/ For a number of years, criminals have been able to steal credit card details from unaware online shoppers without attracting too much attention. Few people in the security industry were talking about these credit card web skimmers, both server-side and client-side, before the latter became largely known […]

Read More

Daily NCSC-FI news followup 2020-02-22

Slickwraps Data Breach Exposes Financial and Customer Info www.bleepingcomputer.com/news/security/slickwraps-data-breach-exposes-financial-and-customer-info/ Slickwraps has suffered a data breach after a security researcher was able to access their systems and after receiving no response to emails, publicly disclosed how they gained access to the site and the data that was exposed.. Slickwraps is a mobile device case retailer who […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.