Daily NCSC-FI news followup 2020-05-22

Ragnar Locker ransomware deploys virtual machine to dodge security

news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ A new ransomware attack method takes defense evasion to a new level: deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine. Read also:

www.bleepingcomputer.com/news/security/ransomware-encrypts-from-virtual-machines-to-evade-antivirus/ and


To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

www.theregister.co.uk/2020/05/21/gitlab_phishing_pentest/ Welp, at least that’s better than industry averages, says code-hosting biz

Cyberstalking: Not all hacking is for profit

www.pandasecurity.com/mediacenter/mobile-news/cyberstalking/ Eventually obsessive stalkers will want more information about their victims, such as home address, telephone number and private pictures. When that data is not easily found online, some will try to break into accounts belonging to their victims. Cyberstalkers use many of the same techniques as hackers; infecting the victim’s phone or computer with malware, for instance, allows them to steal data. Once they have gained access, they will continue to access personal data for weeks or months, and the victim may never realise until their information is leaked online.

CISA, DOE, and UK’s NCSC Issue Guidance on Protecting Industrial Control Systems

www.us-cert.gov/ncas/current-activity/2020/05/22/cisa-doe-and-uks-ncsc-issue-guidance-protecting-industrial-control Read also:

www.cisa.gov/publication/cybersecurity-best-practices-for-industrial-control-systems and

www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf. As well as recommended practices from:


Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers

blog.trendmicro.com/trendlabs-security-intelligence/backdoor-devil-shadow-botnet-hidden-in-fake-zoom-installers/ Cybercriminals are taking advantage of “the new normal” involving employees’ remote working conditions and the popularity of user-friendly online tools by abusing and spoofing popular legitimate applications to infect systems with malicious routines. We found two malware files that pose as Zoom installers but, when decoded, contain the malware code. These malicious fake installers do not come from Zoom’s official installation distribution channels. One of the samples installs a backdoor that allows malicious actors to run malicious routines remotely, while the other sample installs the Devil Shadow botnet on devices.

Cyber-Criminal espionage Operation insists on Italian Manufacturing

yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/ During our Cyber Threat Intelligence monitoring we spotted new malicious activities targeting some Italian companies operating worldwide in the manufacturing sector, some of them also part of the automotive production chain.

Studies in secure system design

www.ncsc.gov.uk/blog-post/studies-in-secure-system-design Worked examples for Operational Technology and Virtualised systems, using the NCSC’s secure design principles. Our Secure design principles carefully divide up the work of creating and evaluating secure systems of all kinds. To be widely applicable like this, the principles themselves remain at a fairly high level. This leaves you to fill in the blanks for your particular scenario.

Weekly Threat Report 22nd May 2020

www.ncsc.gov.uk/report/weekly-threat-report-22nd-may-2020 The NCSC’s weekly threat report is drawn from recent open source reporting.

Summary of Tradecraft Trends for 2019-20: Tactics, Techniques and Procedures Used to Target Australian Networks

www.cyber.gov.au/threats/summary-of-tradecraft-trends-for-2019-20-tactics-techniques-and-procedures-used-to-target-australian-networks The Australian Cyber Security Centre (ACSC) investigated and responded to numerous cyber security incidents during 2019 and 2020 so far. This advisory provides a summary of notable tactics, techniques and procedures (TTPs) exploited by Advanced Persistent Threats (APT) and cybercriminals identified during the ACSC’s investigations. These TTPs are summarised practically in the framework of tactics and techniques provided by MITRE ATT&CK. This technical guidance is provided for IT security professionals at public and private sector organisations.

Microsoft: Beware this massive phishing campaign using malicious Excel macros to hack PCs

www.zdnet.com/article/microsoft-beware-this-massive-phishing-campaign-using-malicious-excel-macros-to-hack-pcs/ Hundreds of different Excel files have been used to trick PC users into installing a remote access tool that attackers can use to control their machine.

Privilege escalation vulnerability patched in Docker Desktop for Windows

www.zdnet.com/article/privilege-escalation-vulnerability-patched-in-docker-desktop-for-windows/ The security flaw could be used to trick the service into connecting to malicious processes. Read also:


COVID-19 Remote Access to Operational Technology Environments

www.cyber.gov.au/advice/covid-19-remote-access-to-operational-technology-environments This cyber security advice is for critical infrastructure providers who are deploying business continuity plans for Operational Technology Environments (OTE)/Industrial Control Systems (ICS) during the COVID-19 pandemic.

Under China’s watchful eye

yle.fi/aihe/artikkeli/2020/05/21/uhkaavassa-puhelinsoitossa-harria-vaadittiin-lopettamaan-kiinan-arvostelu-tai The Finnish Security Intelligence Service (Suojelupoliisi) does not comment on individual cases, but describes refugee espionage to MOT by e-mail. The term refers to foreign authorities’ efforts to spy on and control people living in Finland. The targets of such espionage usually belong to the political opposition of their home country, or to some other grouping whose activities the spying state regards as a threat to itself. According to Suojelupoliisi, refugee espionage has become a permanent phenomenon in Finland. Suojelupoliisi already proposed in 2012 that Finland criminalise refugee espionage, but the initiative was buried as governments changed. “We still hold the view that refugee espionage should be an offence subject to public prosecution,” Suojelupoliisi states.

Estonia is already testing apps that would share information on virus test results with employers and transport companies

www.hs.fi/ulkomaat/art-2000006514777.html According to an information security expert, sharing patient data always involves risks, which is why the app’s users must be very sure of the trustworthiness of the service providers.

Finland imposes data protection penalty fees for the first time: Posti fined 100,000 euros over its change-of-address practices

yle.fi/uutiset/3-11364819 Posti’s fee of one hundred thousand euros results from its failure to inform customers who filed a change-of-address notification of their rights, among them the right to prevent the disclosure of their data in connection with the notification. Kymen Vesi received a fee of 16,000 euros because it had not carried out a data protection impact assessment for its processing of location data. In the third case, a company collected job applicants’ and employees’ data unnecessarily; the name of the company, which received a 12,500 euro penalty fee, was not made public.

039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29

blog.f-secure.com/podcast-dukes-apt29/ APT29, aka Cozy Bear or the Dukes, is a cyber espionage group whose misdeeds include hacking the DNC servers in the runup to the 2016 US election. Now, as the subject of MITRE’s latest ATT&CK Evaluation, the group is in focus again. The Dukes are familiar to F-Secure’s Artturi Lehtio, who extensively researched them during their heyday and authored a 2015 whitepaper on the topic. But hindsight is 20/20 and Artturi joins us for Episode 39 of Cyber Security Sauna to discuss how, over time, his views on the group have evolved.

Taiwan suggests China’s Winnti group is behind ransomware attack on state oil company


Windows malware opens RDP ports on PCs for future remote access

www.zdnet.com/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/ Security researchers say they’ve spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts.

How to decode a data breach notice

techcrunch.com/2020/05/19/decoding-data-breach-notice/ Data breach notifications are meant to tell you what happened, when and what impact it may have on you. You’ve probably already seen a few this year. That’s because most U.S. states have laws that compel companies to publicly disclose security incidents, like a data breach, as soon as possible. Europe’s rules are stricter, and fines can be a common occurrence if breaches aren’t disclosed.
