Daily NCSC-FI news followup 2020-05-15

QNodeService: Node.js Trojan Spread via Covid-19 Lure

blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/ We recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed QNodeService.

Tropic Troopers Back: USBferry Attack Targets Air-gapped Environments

blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/ We found that Tropic Trooper's latest activities center on targeting the Taiwanese and Philippine militaries' physically isolated networks through a USBferry attack (the name is derived from a sample found in related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage. We started tracking this particular campaign in 2018, and our analysis shows that it uses a fake executable decoy and a USB trojan strategy to steal information.

RATicate: an attacker's waves of information-stealing malware

news.sophos.com/en-us/2020/05/14/raticate/ We've identified five separate campaigns between November 2019 and January 2020 in which the payloads used similar packing code and pointed to the same command and control (C&C) infrastructure. The campaigns targeted industrial companies in Europe, the Middle East, and the Republic of Korea. This leads us to believe that they are all the work of the same actors, a group we've dubbed RATicate.

Hashes in PowerShell

isc.sans.edu/forums/diary/Hashes+in+PowerShell/26128/ As a follow-up to yesterday's how-to, I thought hashing might be a thing to cover. We use hashes all the time, but it's annoying that md5sum, sha1sum and sha256sum aren't part of the Windows command set – or are they?
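The built-in answer to that question is the Get-FileHash cmdlet (PowerShell 4.0 and later), which covers what md5sum, sha1sum and sha256sum do on Linux. The following is an added example written for this digest, not code from the ISC diary; the function names Get-MultiHash and Test-FileHash and the temporary sample file are my own choices. It computes the three common digests for a file in one call and verifies a file against a published hash, inferring the algorithm from the hash length so a SHA256 value is never quietly compared against an MD5.

```powershell
# Added example, not from the ISC diary. Uses only the built-in Get-FileHash
# cmdlet; Get-MultiHash and Test-FileHash are names chosen for this example.

function Get-MultiHash {
    # Returns MD5, SHA1 and SHA256 for one file in a single object,
    # mirroring the three *sum tools on Linux.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Algorithm = @('MD5', 'SHA1', 'SHA256')
    )
    $result = [ordered]@{ Path = (Resolve-Path $Path).Path }
    foreach ($alg in $Algorithm) {
        $result[$alg] = (Get-FileHash -Path $Path -Algorithm $alg).Hash
    }
    [pscustomobject]$result
}

function Test-FileHash {
    # Compares a file against a published hash (for example from an advisory
    # or a download page). Hex case and surrounding whitespace are ignored,
    # and the algorithm is inferred from the hash length.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Expected
    )
    $clean = $Expected.Trim().ToUpperInvariant()
    $alg = switch ($clean.Length) {
        32      { 'MD5' }
        40      { 'SHA1' }
        64      { 'SHA256' }
        128     { 'SHA512' }
        default { throw "Unrecognised hash length: $($clean.Length)" }
    }
    $actual = (Get-FileHash -Path $Path -Algorithm $alg).Hash
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $alg
        Match     = ($actual -eq $clean)
        Actual    = $actual
    }
}

# Constructed demo input: a temp file containing "hello" followed by a single
# LF, the same bytes that `echo hello > file` produces on Linux.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'hash-demo.txt'
[IO.File]::WriteAllText($sample, "hello`n")

Get-MultiHash -Path $sample | Format-List

# `echo hello | sha256sum` on Linux gives this value, so Match should be True.
Test-FileHash -Path $sample -Expected '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'

Remove-Item $sample
```

Get-FileHash emits uppercase hex, whereas most published hashes are lowercase; the Trim/ToUpperInvariant normalisation in Test-FileHash is what makes the comparison robust to copy-pasted values. MD5 and SHA1 are included only because the source tools exist; for verifying downloads, prefer the SHA256 column when a vendor publishes one.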

THE STATE OF RANSOMWARE 2020 [PDF]

www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf 94% of organizations whose data was encrypted got it back. Paying the ransom doubles the cost of dealing with a ransomware attack.
