Daily NCSC-FI news followup 2020-05-22

Ragnar Locker ransomware deploys virtual machine to dodge security

news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ A new ransomware attack method takes defense evasion to a new leveldeploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine.. Read also:

www.bleepingcomputer.com/news/security/ransomware-encrypts-from-virtual-machines-to-evade-antivirus/ and


To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

www.theregister.co.uk/2020/05/21/gitlab_phishing_pentest/ Welp, at least that’s better than industry averages, says code-hosting biz

Cyberstalking Not all hacking is for profit

www.pandasecurity.com/mediacenter/mobile-news/cyberstalking/ Eventually obsessive stalkers will want more information about their victims, such as home address, telephone number and private pictures. When that data is not easily found online, some will try and break into accounts belonging to their victims. Cyberstalkers use many of the same techniques as hackers. Infecting their victim’s phone or computer with malware allows them to steal data for instance. Once they have gained access, they will continue to access personal data for weeks or months and the victim may never realise until their information is leaked online.

CISA, DOE, and UK’s NCSC Issue Guidance on Protecting Industrial Control Systems

www.us-cert.gov/ncas/current-activity/2020/05/22/cisa-doe-and-uks-ncsc-issue-guidance-protecting-industrial-control Read also:

www.cisa.gov/publication/cybersecurity-best-practices-for-industrial-control-systems and

www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf. As well as recommended practices from:


Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers

blog.trendmicro.com/trendlabs-security-intelligence/backdoor-devil-shadow-botnet-hidden-in-fake-zoom-installers/ Cybercriminals are taking advantage of “the new normal” involving employees’ remote working conditions and the popularity of user-friendly online tools by abusing and spoofing popular legitimate applications to infect systems with malicious routines. We found two malware files that pose as Zoom installers but when decoded, contains the malware code. These malicious fake installers do not come from Zoom’s official installation distribution channels. One of the samples installs a backdoor that allows malicious actors to run malicious routines remotely, while the other sample involves the installation of the Devil Shadow botnet in devices.

Cyber-Criminal espionage Operation insists on Italian Manufacturing

yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/ During our Cyber Threat Intelligence monitoring we spotted new malicious activities targeting some Italian companies operating worldwide in the manufacturing sector, some of them also part of the automotive production chain.

Studies in secure system design

www.ncsc.gov.uk/blog-post/studies-in-secure-system-design Worked examples for Operational Technology and Virtualised systems, using the NCSC’s secure design principles. Our Secure design principles carefully divide up the work of creating and evaluating secure systems of all kinds. To be widely applicable like this, the principles themselves remain at a fairly high level. This leaves you to fill in the blanks for your particular scenario.

Weekly Threat Report 22nd May 2020

www.ncsc.gov.uk/report/weekly-threat-report-22nd-may-2020 The NCSC’s weekly threat report is drawn from recent open source reporting.

Summary of Tradecraft Trends for 2019-20: Tactics, Techniques and Procedures Used to Target Australian Networks

www.cyber.gov.au/threats/summary-of-tradecraft-trends-for-2019-20-tactics-techniques-and-procedures-used-to-target-australian-networks The Australian Cyber Security Centre (ACSC) investigated and responded to numerous cyber security incidents during 2019 and 2020 so far. This advisory provides a summary of notable tactics, techniques and procedures (TTPs) exploited by Advanced Persistent Threats (APT) and cybercriminals identified during the ACSC’s investigations. These TTPs are summarised practically in the framework of tactics and techniques provided by MITRE ATT&CK. This technical guidance is provided for IT security professionals at public and private sector organisations.

Microsoft: Beware this massive phishing campaign using malicious Excel macros to hack PCs

www.zdnet.com/article/microsoft-beware-this-massive-phishing-campaign-using-malicious-excel-macros-to-hack-pcs/ Hundreds of different Excel files have been used to trick PC users into installing a remote access tool that attackers can use to control their machine.

Privilege escalation vulnerability patched in Docker Desktop for Windows

www.zdnet.com/article/privilege-escalation-vulnerability-patched-in-docker-desktop-for-windows/ The security flaw could be used to trick the service into connecting to malicious processes. Read also:


COVID-19 Remote Access to Operational Technology Environments

www.cyber.gov.au/advice/covid-19-remote-access-to-operational-technology-environments This cyber security advice is for critical infrastructure providers who are deploying business continuity plans for Operational Technology Environments (OTE)/Industrial Control Systems (ICS) during the COVID-19 pandemic.

Kiinan valvovan silmän alla

yle.fi/aihe/artikkeli/2020/05/21/uhkaavassa-puhelinsoitossa-harria-vaadittiin-lopettamaan-kiinan-arvostelu-tai Suojelupoliisi ei kommentoi yksittäistapauksia, mutta kuvaa pakolaisvakoilua MOT:lle sähköpostitse. Se tarkoittaa ulkomaisten viranomaisten pyrkimystä vakoilla ja kontrolloida Suomessa asuvia ihmisiä. Vakoilun kohteet kuuluvat yleensä kotimaidensa poliittiseen oppositioon tai muuhun ryhmittymään, jonka toimintaa vakoileva maa pitää itselleen uhkana. Suojelupoliisin mukaan pakolaisvakoilusta on tullut pysyvä ilmiö Suomessa. Suojelupoliisi ehdotti jo vuonna 2012, että Suomi kriminalisoisi pakolaisvakoilun. Hanke kuitenkin hautautui hallitusten vaihtuessa. Olemme edelleen sitä mieltä, että pakolaisvakoilun tulisi olla yleisen syytteen alainen rikos, viestittää Suojelupoliisi.

Virossa testataan jo sovelluksia, jotka jakaisivat tietoa virustestien tuloksista työnantajille ja liikenne­yhtiöille

www.hs.fi/ulkomaat/art-2000006514777.html Tietoturva-asiantuntijan mukaan potilastietojen jakamiseen liittyy aina riskejä, ja siksi sovelluksen käyttäjien täytyy olla hyvin varmoja palveluntarjoajien luotettavuudesta.

Suomessa määrättiin ensi kertaa tietosuojarikkomusmaksuja Postille lankesi 100 000 euroa muuttoilmoituskäytännöistä

yle.fi/uutiset/3-11364819 Postin sadantuhannen euron maksu on seurausta siitä, ettei se kertonut muuttoilmoituksen tehneille asiakkailleen oikeudesta muun muassa estää tietojen luovuttaminen ilmoituksen yhteydessä. Kymen Vesi sai 16 000 euron maksun, koska se oli jättänyt tekemättä sijaintitietojen käsittelyn vaikutustenarvioinnin. Kolmannessa tapauksessa yritys keräsi työnhakijoiden ja työntekijöiden tietoja tarpeettomasti. 12 500 euron seuraamusmaksun saaneen yrityksen nimeä ei kerrottu julkisuuteen.

039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29

blog.f-secure.com/podcast-dukes-apt29/ APT29, aka Cozy Bear or the Dukes, is a cyber espionage group whose misdeeds include hacking the DNC servers in the runup to the 2016 US election. Now, as the subject of MITRE’s latest ATT&CK Evaluation, the group is in focus again. The Dukes are familiar to F-Secure’s Artturi Lehtio, who extensively researched them during their heyday and authored a 2015 whitepaper on the topic. But hindsight is 20/20 and Artturi joins us for Episode 39 of Cyber Security Sauna to discuss how, over time, his views on the group have evolved.

Taiwan suggests China’s Winnti group is behind ransomware attack on state oil company


Windows malware opens RDP ports on PCs for future remote access

www.zdnet.com/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/ Security researchers say they’ve spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts.

How to decode a data breach notice

techcrunch.com/2020/05/19/decoding-data-breach-notice/ Data breach notifications are meant to tell you what happened, when and what impact it may have on you. You’ve probably already seen a few this year. That’s because most U.S. states have laws that compel companies to publicly disclose security incidents, like a data breach, as soon as possible. Europe’s rules are stricter, and fines can be a common occurrence if breaches aren’t disclosed.

You might be interested in …

Daily NCSC-FI news followup 2020-02-08

Dangerous Domain Corp.com Goes Up for Sale krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-for-sale/ As an early domain name investor, Mike OConnor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years OConnor refused to auction perhaps the most sensitive domain in […]

Read More

Daily NCSC-FI news followup 2020-02-24

Operation DRBControl www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia Uncovering a Cyberespionage Campaign Targeting Gambling Companies in Southeast Asia. The DRBControl campaign attacks its targets using a variety of malware and techniques that coincide with those used in other known cyberespionage campaigns. EU Commission to staff: Switch to Signal messaging app www.politico.eu/pro/eu-commission-to-staff-switch-to-signal-messaging-app/ The European Commission has told its staff to start […]

Read More

Daily NCSC-FI news followup 2019-12-09

2020 is when cybersecurity gets even weirder, so get ready www.zdnet.com/article/2020-is-when-cybersecurity-gets-even-weirder-so-get-ready/ AI-powered deepfakes, ransomware, IoT, and 5G all mean that protecting your data is about to get a lot harder. Tech analyst Forrester predicts that deepfakes could end up costing businesses a lot of money next year: as much as $250m. That might happen in […]

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.