NCSC-FI News followup

Daily NCSC-FI news followup 2020-05-22

Ragnar Locker ransomware deploys virtual machine to dodge security A new ransomware attack method takes defense evasion to a new level: deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine.

To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it Welp, at least that’s better than industry averages, says code-hosting biz

Cyberstalking: Not all hacking is for profit. Eventually obsessive stalkers will want more information about their victims, such as home address, telephone number and private pictures. When that data is not easily found online, some will try to break into accounts belonging to their victims. Cyberstalkers use many of the same techniques as hackers. Infecting their victim’s phone or computer with malware, for instance, allows them to steal data. Once they have gained access, they will continue to access personal data for weeks or months, and the victim may never realise until their information is leaked online.

CISA, DOE, and UK’s NCSC Issue Guidance on Protecting Industrial Control Systems

Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers Cybercriminals are taking advantage of “the new normal” involving employees’ remote working conditions and the popularity of user-friendly online tools by abusing and spoofing popular legitimate applications to infect systems with malicious routines. We found two malware files that pose as Zoom installers but, when decoded, contain the malware code. These malicious fake installers do not come from Zoom’s official installation distribution channels. One of the samples installs a backdoor that allows malicious actors to run malicious routines remotely, while the other sample involves the installation of the Devil Shadow botnet on devices.

Cyber-Criminal espionage Operation insists on Italian Manufacturing During our Cyber Threat Intelligence monitoring we spotted new malicious activities targeting some Italian companies operating worldwide in the manufacturing sector, some of them also part of the automotive production chain.

Studies in secure system design Worked examples for Operational Technology and Virtualised systems, using the NCSC’s secure design principles. Our Secure design principles carefully divide up the work of creating and evaluating secure systems of all kinds. To be widely applicable like this, the principles themselves remain at a fairly high level. This leaves you to fill in the blanks for your particular scenario.

Weekly Threat Report 22nd May 2020 The NCSC’s weekly threat report is drawn from recent open source reporting.

Summary of Tradecraft Trends for 2019-20: Tactics, Techniques and Procedures Used to Target Australian Networks The Australian Cyber Security Centre (ACSC) investigated and responded to numerous cyber security incidents during 2019 and 2020 so far. This advisory provides a summary of notable tactics, techniques and procedures (TTPs) exploited by Advanced Persistent Threats (APT) and cybercriminals identified during the ACSC’s investigations. These TTPs are summarised practically in the framework of tactics and techniques provided by MITRE ATT&CK. This technical guidance is provided for IT security professionals at public and private sector organisations.

Microsoft: Beware this massive phishing campaign using malicious Excel macros to hack PCs Hundreds of different Excel files have been used to trick PC users into installing a remote access tool that attackers can use to control their machine.

Privilege escalation vulnerability patched in Docker Desktop for Windows The security flaw could be used to trick the service into connecting to malicious processes.

COVID-19 Remote Access to Operational Technology Environments This cyber security advice is for critical infrastructure providers who are deploying business continuity plans for Operational Technology Environments (OTE)/Industrial Control Systems (ICS) during the COVID-19 pandemic.

Under China’s watching eye The Finnish Security and Intelligence Service (Suojelupoliisi) does not comment on individual cases, but describes refugee espionage to MOT by e-mail. The term means efforts by foreign authorities to spy on and control people living in Finland. The targets of the espionage usually belong to the political opposition of their home countries or to some other grouping whose activities the spying country regards as a threat to itself. According to Suojelupoliisi, refugee espionage has become a permanent phenomenon in Finland. Suojelupoliisi already proposed in 2012 that Finland criminalise refugee espionage. The initiative, however, was buried as governments changed. “We are still of the opinion that refugee espionage should be an offence subject to public prosecution,” Suojelupoliisi says.

Estonia is already testing apps that would share information about virus test results with employers and transport companies According to an information security expert, sharing patient data always involves risks, and that is why the app’s users must be very sure of the trustworthiness of the service providers.

Data protection penalty fees were imposed in Finland for the first time: Posti was fined 100,000 euros over its change-of-address notification practices Posti’s fee of one hundred thousand euros results from its failure to tell customers who filed a change-of-address notification about their right, among other things, to prevent the disclosure of their data in connection with the notification. Kymen Vesi received a fee of 16,000 euros because it had failed to carry out a data protection impact assessment for its processing of location data. In the third case, a company collected job applicants’ and employees’ data unnecessarily. The name of the company that received the 12,500-euro penalty fee was not made public.

039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29 APT29, aka Cozy Bear or the Dukes, is a cyber espionage group whose misdeeds include hacking the DNC servers in the runup to the 2016 US election. Now, as the subject of MITRE’s latest ATT&CK Evaluation, the group is in focus again. The Dukes are familiar to F-Secure’s Artturi Lehtio, who extensively researched them during their heyday and authored a 2015 whitepaper on the topic. But hindsight is 20/20 and Artturi joins us for Episode 39 of Cyber Security Sauna to discuss how, over time, his views on the group have evolved.

Taiwan suggests China’s Winnti group is behind ransomware attack on state oil company

Windows malware opens RDP ports on PCs for future remote access Security researchers say they’ve spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts.

How to decode a data breach notice Data breach notifications are meant to tell you what happened, when and what impact it may have on you. You’ve probably already seen a few this year. That’s because most U.S. states have laws that compel companies to publicly disclose security incidents, like a data breach, as soon as possible. Europe’s rules are stricter, and fines can be a common occurrence if breaches aren’t disclosed.
