Daily NCSC-FI news followup 2020-05-26

New Zealand introduces Bill to block violent extremist content

www.zdnet.com/article/new-zealand-introduces-bill-to-block-violent-extremist-content/ It would make livestreaming of objectionable content a criminal offence, censorship calls will be made immediately, and take-down notices will be backed by law.

UN: sharp rise in cyber attacks; superpower boycotts meeting

www.tivi.fi/uutiset/tv/b9faeb00-ec81-42a1-ba54-18f88164034f On Friday the UN warned that cybercrime is on the rise during the coronavirus pandemic. Speaking at an informal meeting of the UN Security Council on Friday, Under-Secretary-General Izumi Nakamitsu said that the crisis has pushed the world toward technological innovation and online collaboration. At the same time, she said, worrying news is coming in from the field: cyber attacks have been directed at healthcare organizations and medical research institutions around the world. The volume of malicious emails has grown by 600 percent. In the era of remote work, increased reliance on online services has also increased organizations' vulnerability to cyber attacks. By one estimate, someone falls victim to an attack every 39 seconds. Read also:

apnews.com/c7e7fc7e582351f8f55293d0bf21d7fb

Bulletin (SB20-146) – Vulnerability Summary for the Week of May 18, 2020

www.us-cert.gov/ncas/bulletins/sb20-146 The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

From Agent.BTZ to ComRAT v4: A ten-year journey

www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/ ESET researchers have found a new version of one of the oldest malware families run by the Turla group, ComRAT. Turla, also known as Snake, is an infamous espionage group that has been active for more than ten years. We have previously described many campaigns attributed to this group. Read also:

www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf

Spam and phishing in Q1 2020

securelist.com/spam-and-phishing-in-q1-2020/97091/ Quarterly highlights

Scam message posing as “Posti” steals data and installs malware: “a package for you is awaiting signature”

www.tivi.fi/uutiset/tv/da776e59-900f-4110-baf9-80b901f7533f Finns have received text messages that lure recipients to a website imitating Posti.

Do Androids dream of equal security?

blog.f-secure.com/android-security/ Several pieces of research published by F-Secure Labs demonstrate that region-specific default configurations and settings in some flagship Android devices are creating security problems that affect people in some countries but not others. According to F-Secure Consulting’s UK Director of Research James Loureiro, the research highlights the security compromises vendors can inadvertently make when customizing Android builds. Read also:

www.is.fi/digitoday/tietoturva/art-2000006519208.html and

www.tivi.fi/uutiset/tv/453ce939-d0ae-4bbe-a8c6-67474a046664. As well as:

fi.press.f-secure.com/2020/05/26/android-matkapuhelimista-loydetty-maakohtaisia-tietoturvaongelmia/

EasyJet faces £18 billion class-action lawsuit over data breach

www.zdnet.com/article/easyjet-faces-18-billion-class-action-lawsuit-over-data-breach/ The lawsuit aims to secure up to £2,000 per impacted customer.

16-30 April 2020 Cyber Attacks Timeline

www.hackmageddon.com/2020/05/26/16-30-april-2020-cyber-attacks-timeline/ It’s time to publish the second timeline of April, covering the main cyber attacks that occurred between April 16 and April 30 (including three events that occurred in the first half of the same month). Due to the COVID-19 crisis, the level of activity continues to be quite high. In this timeline I have collected 92 events, fewer than the 104 events collected in the first timeline of April, but still an important number. So the pandemic continues to characterize the threat landscape; nearly one quarter of the events are somehow related to COVID-19: we have seen opportunistic phishing campaigns exploiting the fear, but also targeted cyber espionage operations against institutions involved in the fight against the virus.

Bluetooth Vulnerability: BIAS

www.schneier.com/blog/archives/2020/05/bluetooth_vulne_1.html This is new research on a Bluetooth vulnerability (called BIAS) that allows someone to impersonate a trusted device.

Europol, Capgemini team up in cybercrime prevention, awareness campaigns

www.zdnet.com/article/europol-capgemini-team-up-in-cybercrime-prevention-awareness-campaigns/ Capgemini is now also supporting the No More Ransom Project.

Automating your .apk reverse engineering workflow

medium.com/ouspg/automating-your-apk-reverse-engineering-workflow-95604e096402 Let’s say I’m handed an encoded .zip containing a malicious .apk file. My typical workflow would consist of unzipping the file (the password most commonly is “infected”), then generating a hash of it to search whether previous analysis exists and whether it is found in VirusTotal. Then I want to see the unobfuscated AndroidManifest.xml, which will at the very least tell me the permissions the application requests. Finally I want to see the source code the .apk was compiled from. Check also:

cincan.io/

Qatar: Contact tracing app security flaw exposed sensitive personal details of more than one million

www.amnesty.org/en/latest/news/2020/05/qatar-covid19-contact-tracing-app-security-flaw/ An investigation by Amnesty’s Security Lab discovered the critical weakness in the configuration of Qatar’s EHTERAZ contact tracing app. Now fixed, the vulnerability would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users. “While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited. This vulnerability was especially worrying given use of the EHTERAZ app was made mandatory last Friday,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab.

Hacking group builds new Ketrum malware from recycled backdoors

www.bleepingcomputer.com/news/security/hacking-group-builds-new-ketrum-malware-from-recycled-backdoors/ The Ke3chang hacking group historically believed to be operating out of China has developed new malware dubbed Ketrum by merging features and source code from their older Ketrican and Okrum backdoors.

New [F]Unicorn ransomware hits Italy via fake COVID-19 infection map

www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/ A new ransomware threat called [F]Unicorn has been encrypting computers in Italy by tricking victims into downloading a fake contact tracing app that promises to bring real-time updates for COVID-19 infections.

List of ransomware that leaks victims’ stolen files if not paid

www.bleepingcomputer.com/news/security/list-of-ransomware-that-leaks-victims-stolen-files-if-not-paid/ Starting last year, ransomware operators have escalated their extortion strategies by stealing files from victims before encrypting their data. These stolen files are then used as further leverage to force victims to pay.

Protect Workloads Utilizing RDP in AWS from Increasingly Common Brute Force Attacks

blog.checkpoint.com/2020/05/26/protect-workloads-utilizing-rdp-in-aws-from-increasingly-common-brute-force-attacks/ As businesses rush to scale up existing workloads or bring up new solutions to support their new remote workforce, threat actors are shifting their attention to these same systems. One notable example is RDP (Remote Desktop Protocol), the popular application-level protocol for accessing Windows workstations or servers. According to researchers at Kaspersky, the number of brute-force attacks against exposed RDP services has skyrocketed around the world since the beginning of March 2020.

This is how industrial IoT systems are attacked: “ever more advanced attack vectors all the time”

www.mikrobitti.fi/uutiset/nain-teollisuuden-iot-jarjestelmiin-isketaan-koko-ajan-yha-edistyneempia-hyokkaysvektoreita/ac437742-96ae-4faa-a858-3ad8663b5d20 Researchers have revealed new attack vectors that let hackers break into IIoT systems and all but make a robot dance a jig on the factory floor.

Why Is 3sYqo15hiL Such A Popular Password?

www.forbes.com/sites/daveywinder/2020/05/25/why-is-3syqo15hil-such-a-popular-password-lets-mark-that-mystery-solved-cybersecurity-advice-password-manager/#5156d9d550a0 3sYqo15hiL was, the analysis revealed, the 21st most used password within this breach data. Which begs the question, why the heck is that? Luckily, the people at Passlo who performed the FTSE100 data breach analysis had the answer. It appears that 3sYqo15hiL is linked to email addresses used for spamming purposes. In other words, it’s a common password being applied by a spam bot network that uses free email providers. This doesn’t, however, explain why it turns up in emails within the domain of such a large and reputable financial company as Standard Chartered.

Russia wants its own closed internet; criticism coming from outside could be switched off: “Those in power want to protect themselves”

www.mtvuutiset.fi/artikkeli/venaja-haluaa-oman-suljetun-internetin-ulkoa-tuleva-kritiikki-voitaisiin-kytkea-pois-paalta-valta-haluaa-suojella-itseaan/7829940#gs.6s58cp Captain Juha Kukkola of the National Defence University has written a doctoral dissertation on the “own internet” being planned for Russia and possibly to be launched there; the dissertation will be examined tomorrow. Read also:

www.doria.fi/handle/10024/177157

Huge rise in hacking attacks on home workers during lockdown

www.theguardian.com/technology/2020/may/24/hacking-attacks-on-home-workers-see-huge-rise-during-lockdown Hackers have launched a wave of cyber-attacks trying to exploit British people working from home, as the coronavirus lockdown forces people to use often unfamiliar computer systems.

Spike in Credential Leaks for the Pharmaceutical and Biotech Industry

www.recordedfuture.com/pharmaceutical-biotech-credential-leaks/ Recorded Future noted a spike in the relative number of credential leaks from the pharmaceutical and biotechnology sector compared to all credential leaks between November of 2019 and March of 2020. The number of credentials leaked varies greatly from month to month: a large credential dump can cause numbers for a given month to increase dramatically, and many of those credentials may be repackaged from previous leaks. That’s why this report looks at the percentage of leaks tied to the pharmaceutical and biotechnology industry, rather than the absolute numbers, as it provides a more accurate picture of the situation.

StrandHogg 2.0 – ‘The evil twin’

promon.co/strandhogg-2-0/ New Android Vulnerability Even More Dangerous, With Attacks More Difficult to Detect Than Predecessor. Read also:

www.bleepingcomputer.com/news/security/critical-android-bug-lets-malicious-apps-hide-in-plain-sight/ and

arstechnica.com/information-technology/2020/05/new-android-flaw-could-let-malicious-apps-hijack-trusted-apps-icons/. As well as:

thehackernews.com/2020/05/stranhogg-android-vulnerability.html

Cyberattacks against hospitals must stop, says Red Cross

www.zdnet.com/article/cyberattacks-against-hospitals-must-stop-says-red-cross/ International rules are needed to clamp down on hackers targeting healthcare and risking lives during the Covid-19 pandemic.

Qihoo & Baidu disrupt malware botnet with hundreds of thousands of victims

www.zdnet.com/article/qihoo-baidu-disrupt-malware-botnet-with-hundreds-of-thousands-of-victims/ There’s malware in China, too. Meet DoubleGuns, one of China’s largest malware botnets.

RangeAmp attacks can take down websites and CDN servers

www.zdnet.com/article/rangeamp-attacks-can-take-down-websites-and-cdn-servers/ Twelve of thirteen CDN providers said they fixed or planned to fix the problem. A team of Chinese academics has found a new way to abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). Read also:

www.tivi.fi/uutiset/tv/3d84fed6-2577-4432-a89d-4310b0219d78

Thai Database Leaks 8.3 Billion Internet Records

rainbowtabl.es/2020/05/25/thai-database-leaks-internet-records/ I recently discovered an exposed ElasticSearch database when browsing BinaryEdge and Shodan. This database appears to be controlled by a subsidiary of a major Thailand-based mobile network operator named Advanced Info Service (AIS). According to Wikipedia, AIS is “Thailand’s largest GSM mobile phone operator with 39.87 million customers” as of 2016. The database was likely controlled by AIS subsidiary Advanced Wireless Network (AWN). It contained a combination of DNS query logs and NetFlow logs for what appears to be AWN customers. Using this data it is quite simple to paint a picture of what a person does on the Internet. I made multiple attempts to contact AIS to get the database secured, without success. At that point I contacted Zack Whittaker, a journalist from TechCrunch, for assistance. We were still unable to make contact with AIS. I then contacted the Thailand National CERT team (ThaiCERT). ThaiCERT was able to make contact with AIS, and we were successful in getting the database secured.
