Daily NCSC-FI news followup 2020-05-15

QNodeService: Node.js Trojan Spread via Covid-19 Lure

blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/ We recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as QNodeService.

Tropic Troopers Back: USBferry Attack Targets Air-gapped Environments

blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/ We found that Tropic Troopers latest activities center on targeting Taiwanese and the Philippine militarys physically isolated networks through a USBferry attack (the name derived from a sample found in a related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that . performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage. We started tracking this particular campaign in 2018, and our analysis shows that it uses a fake executable decoy and a USB trojan strategy to steal information.

RATicate: an attackers waves of information-stealing malware

news.sophos.com/en-us/2020/05/14/raticate/ Weve identified five separate campaigns between November, 2019 and January, 2020 in which the payloads used similar packing code and pointed to the same command and control (C&C) infrastructure. The campaigns targeted industrial companies in Europe, the Middle East, and the Republic of Korea. This leads us to believe that they are all the work of the same actorsa group weve dubbed RATicate.

Hashes in PowerShell

isc.sans.edu/forums/diary/Hashes+in+PowerShell/26128/ As a follow up to yesterday’s how-to, I thought hashing might a thing to cover. We use hashes all the time, but it’s annoying that md5sum, sha1sum and sha256sum aren’t part of the windows command set – or are they?

THE STATE OF RANSOMWARE 2020 [PDF]

www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf 94% of organizations whose data was encrypted got it back. Paying the ransom doubles the cost of dealing with a ransomware attack

You might be interested in …

Daily NCSC-FI news followup 2019-10-24

Some ICS Security Incidents Resulted in Injury, Loss of Life: Survey www.securityweek.com/some-ics-security-incidents-resulted-injury-loss-life-survey Some of the recent cybersecurity incidents involving industrial control systems (ICS) have resulted in injury and even loss of life, according to a survey conducted by Control Systems Cyber Security Association International (CS2AI). Cyber chief: The IoT could provide a model for improved […]

Read More

Daily NCSC-FI news followup 2020-02-04

TeamViewer whynotsecurity.com/blog/teamviewer/ TL;DR: TeamViewer stored user passwords encrypted with AES-128-CBC with they key of 0602000000a400005253413100040000 and iv of 0100010067244F436E6762F25EA8D704 in the Windows registry. If the password is reused anywhere, privilege escalation is possible. If you do not have RDP rights to machine but TeamViewer is installed, you can use TeamViewer to remote in. TeamViewer also […]

Read More

Daily NCSC-FI news followup 2020-04-16

Linksys asks users to reset passwords after hackers hijacked home routers last month www.zdnet.com/article/linksys-asks-users-to-reset-passwords-after-hackers-hijacked-home-routers-last-month/ Linksys locks Smart WiFi cloud accounts and asks users to reset passwords after hackers hijacked routers to redirect traffic to malware sites. Continued Threat Actor Exploitation Post Pulse Secure VPN Patching www.us-cert.gov/ncas/alerts/aa20-107a This Alert provides an update to Cybersecurity and Infrastructure […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.