Daily NCSC-FI news followup 2020-06-12

Slovak police found wiretapping devices connected to the Govnet government network

securityaffairs.co/wordpress/104567/intelligence/slovak-govnet-network-wiretapping-devices.html Slovak police seized wiretapping devices connected to Govnet government network and arrested four individuals, including the head of a government agency.

Power company Enel Group suffers Snake Ransomware attack

www.bleepingcomputer.com/news/security/power-company-enel-group-suffers-snake-ransomware-attack/ European energy company giant Enel Group suffered a ransomware attack a few days ago that impacted its internal network. Enel Group confirmed for BleepingComputer that its internal IT network was disrupted on Sunday evening following a ransomware attack caught by their antivirus before the malware could spread. Dealing with the incident required isolating the corporate network for a limited time, “to carry out all interventions aimed at eliminating any residual risk.” All connectivity was safely restored on early Monday morning, the company says.

Knoxville shuts down IT network following ransomware attack

www.zdnet.com/article/knoxville-shuts-down-it-network-following-ransomware-attack/ The attack took place overnight, between June 10 and June 11. The city’s IT department did not detect the intrusion until it was too late and the ransomware had already encrypted multiple systems. Responding to the attack, IT staff shut down impacted servers and workstations and disconnected the city’s network from the internet. This resulted in downtime for the city’s internal IT network, its public website, and the network of the city’s court.

Lion warns of beer shortages following ransomware attack

www.zdnet.com/article/lion-warns-of-beer-shortages-following-ransomware-attack/ It said it survived COVID-19, but ransomware had other plans for the Australian beverage giant’s supply operations.

Tor2Mine is up to their old tricks and adds a few new ones

blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html Cisco Talos has identified a resurgence of activity by Tor2Mine, a cryptocurrency mining group that was likely last active in 2018. Tor2Mine is deploying additional malware to harvest credentials and steal more money, including AZORult, an information-stealing malware; the remote access tool Remcos; the DarkVNC backdoor trojan; and a clipboard cryptocurrency stealer.

Misconfigured Kubeflow workloads are a security risk

www.microsoft.com/security/blog/2020/06/10/misconfigured-kubeflow-workloads-are-a-security-risk/ In this blog, we’ll reveal a new campaign recently observed by ASC that targets Kubeflow, a machine learning toolkit for Kubernetes. We observed that this attack affected tens of Kubernetes clusters. Kubeflow has grown into a popular framework for running machine learning tasks in Kubernetes. Nodes used for ML tasks are often relatively powerful, and in some cases include GPUs. This makes Kubernetes clusters used for ML tasks a perfect target for crypto mining campaigns, which was the aim of this attack.
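
The summary does not say which setting let the attackers in; the usual way a dashboard or gateway that should stay internal becomes reachable from the internet is a Kubernetes Service of type LoadBalancer or NodePort. The script below is an added example, not Microsoft's or Kubeflow's code: it reads the JSON printed by "kubectl get svc --all-namespaces -o json" and lists every Service of those two types. The sample document embedded in it is constructed for the demo (the namespaces follow Kubeflow/Istio naming conventions, but the names, ports and the 203.0.113.10 address are made up).

```python
"""List Kubernetes Services that are reachable from outside the cluster.

Added example (not code from the Microsoft post or from Kubeflow). Feed it
the output of `kubectl get svc --all-namespaces -o json`, or run it with
no argument to use the constructed sample below.
"""
import json
import sys
from pathlib import Path

# Service types that give a workload an address outside the cluster.
EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}

# Constructed sample of `kubectl get svc -A -o json`, trimmed to the fields
# the check needs. Names, ports and the external IP are made up.
SAMPLE_SERVICES = json.dumps({
    "items": [
        {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway"},
         "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]},
         "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
        {"metadata": {"namespace": "kubeflow", "name": "ml-pipeline-ui"},
         "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
         "status": {"loadBalancer": {}}},
        {"metadata": {"namespace": "kubeflow", "name": "jupyter-web-app"},
         "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]},
         "status": {"loadBalancer": {}}},
    ]
})


def exposed_services(kubectl_json, namespaces=None):
    """Return (namespace, name, type, ports, external address) for every
    Service of an externally reachable type, optionally limited to the
    given namespaces. Ports are the node ports where present, else the
    service ports."""
    doc = json.loads(kubectl_json)
    findings = []
    for item in doc.get("items", []):
        meta, spec = item["metadata"], item["spec"]
        if namespaces and meta["namespace"] not in namespaces:
            continue
        svc_type = spec.get("type", "ClusterIP")
        if svc_type not in EXTERNAL_TYPES:
            continue
        ports = sorted(p.get("nodePort") or p["port"] for p in spec.get("ports", []))
        ingress = item.get("status", {}).get("loadBalancer", {}).get("ingress", [])
        addr = ", ".join(e.get("ip") or e.get("hostname", "?") for e in ingress) or "-"
        findings.append((meta["namespace"], meta["name"], svc_type, ports, addr))
    return findings


def main():
    data = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_SERVICES
    for ns, name, svc_type, ports, addr in exposed_services(data):
        print(f"{ns}/{name}: {svc_type} ports={ports} external={addr}")


if __name__ == "__main__":
    main()
```

Usage: kubectl get svc -A -o json > svc.json; python3 exposed.py svc.json. The check only looks at Service type, so a clean result is not proof of isolation: Ingress resources, Istio Gateway objects and cloud firewall rules can expose a ClusterIP workload just as well, and those need their own review.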

Protocol Vulnerability Threatens Mobile Networks

www.darkreading.com/vulnerabilities---threats/protocol-vulnerability-threatens-mobile-networks/d/d-id/1338068 A protocol that allows millions of customers to use their mobile phones for data applications can also allow criminals to launch denial-of-service (DoS), user impersonation, and fraud cyberattacks. And according to a new report, the protocol, GTP, is as much a vulnerability for certain 5G networks as it is for 2G, 3G, and 4G cellular infrastructures. PDF Report:

positive-tech.com/storage/articles/gtp-2020/threat-vector-gtp-2020-eng.pdf

New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa

blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/ While tracking Earth Empusa, also known as POISON CARP/Evil Eye, we identified an undocumented Android spyware we have named ActionSpy (detected by Trend Micro as AndroidOS_ActionSpy.HRX). This group is known to use watering hole attacks, but we recently observed them using phishing attacks to deliver their malware.

Which hacker group is attacking your corporate network? Don’t guess, check!

www.kaspersky.com/blog/kaspersky-threat-attribution-engine/35852/ We have released a new solution that provides businesses with code similarity analysis and gives technical evidence for APT attribution.

Facebook Helped the FBI Hack a Child Predator

www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez Facebook paid a cybersecurity firm six figures to develop a zero-day in Tails to identify a man who extorted and threatened girls.

Cisco discloses technical details for Firefox code execution flaw

securityaffairs.co/wordpress/104595/hacking/cisco-firefox-code-execution.html Cisco Talos experts released technical details on a recently addressed vulnerability in Firefox that could be exploited for code execution. Talos advisory:

talosintelligence.com/vulnerability_reports/TALOS-2020-1053 (CVE-2020-12405, 2020-06-02 – Vendor Patched)

New Data-Driven Research Shows 5 Areas Organizations are Most Vulnerable Outside the Firewall

www.riskiq.com/blog/external-threat-management/analysis-attack-surface/ Businesses have been undergoing a digital transformation demanding rapid migration to the cloud and expanded adoption of web, mobile, and social platforms. These initiatives, which expand organizations’ digital presence far across the internet, are badly exposing the limitations of network security controls like firewalls, DLP, and network monitoring. In our latest research, ‘Analysis of an Attack Surface,’ we’ll highlight five areas that we feel help to frame the challenges faced in going beyond network security controls to discovering unknowns outside the firewall.

Kingminer escalates attack complexity for cryptomining

news.sophos.com/en-us/2020/06/09/kingminer-report/ An opportunistic botnet that tries (not always successfully) to fly under the radar, Kingminer is nevertheless a persistent nuisance that delivers cryptocurrency miners as a payload. The botnet’s operators may be ambitious and capable, but they don’t appear to have endless resources, so they take advantage of any freely available solution to the problem of infecting machines and spreading, getting inspiration from public domain tools as well as techniques used by APT groups. PDF report:

www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-labs-kingminer-botnet-report.pdf

Hackers are quick to notice exposed Elasticsearch servers

www.bleepingcomputer.com/news/security/hackers-are-quick-to-notice-exposed-elasticsearch-servers/ Bad guys find unprotected Elasticsearch servers exposed on the web faster than search engines can index them. A study found that threat actors are mainly going for cryptocurrency mining and credential theft. For the duration of the experiment, a honeypot with a fake database recorded more than 150 unauthorized requests, the first one occurring less than 12 hours after it was exposed.
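
The experiment above reports the two numbers a defender cares about when a database is reachable without authentication: how soon it gets found, and what the visitors do once they are in. The script below is an added example, not code from BleepingComputer or from the study it cites. It assumes a decoy that writes one line per request in the simple format shown (ISO timestamp, client address, method, path, status); the go-live time, addresses, index names and query strings in the sample are constructed. The credential-keyword list is a heuristic chosen here, not something the article specifies.

```python
"""Triage access logs from a decoy Elasticsearch node.

Added example (not the study's or BleepingComputer's code). Reports time
from exposure to first request, requests per client, a coarse intent
bucket per request, and search queries that look like credential hunting.
"""
import re
from collections import Counter
from datetime import datetime, timezone

EXPOSED_AT = datetime(2020, 6, 1, 8, 0, tzinfo=timezone.utc)  # constructed go-live time

# Constructed sample lines: "<ISO timestamp> <client> <method> <path> <status>".
SAMPLE_LOG = """\
2020-06-01T17:42:10Z 198.51.100.7 GET / 200
2020-06-01T17:42:11Z 198.51.100.7 GET /_cat/indices?v 200
2020-06-01T17:42:14Z 198.51.100.7 GET /users/_search?q=password 200
2020-06-01T19:03:50Z 203.0.113.9 GET /_nodes 200
2020-06-01T19:03:52Z 203.0.113.9 POST /_bulk 200
2020-06-02T02:15:00Z 192.0.2.44 DELETE /users 200
2020-06-02T02:15:01Z 192.0.2.44 PUT /read_me/_doc/1 201
2020-06-02T02:15:02Z 192.0.2.44 GET /accounts/_search?q=aws_secret_key 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|HEAD|PUT|POST|DELETE) (\S+) (\d{3})$")
# Heuristic keywords (assumption for this example) that mark a search as credential hunting.
CRED_WORDS = ("password", "passwd", "secret", "token", "api_key", "apikey", "credential")
# Cluster-level endpoints an attacker reads to map the target before touching data.
RECON_PREFIXES = ("/_cat", "/_nodes", "/_cluster", "/_aliases", "/_mapping")


def classify(method, path):
    """Coarse intent bucket for one request: verb plus target, no attribution."""
    bare = path.split("?", 1)[0]
    if method == "DELETE":
        return "delete"
    if method in ("PUT", "POST"):
        return "write"
    if "/_search" in bare or "/_mget" in bare or "/_doc/" in bare:
        return "read"
    if bare == "/" or bare.startswith(RECON_PREFIXES):
        return "recon"
    return "other"


def credential_terms(path):
    """Credential-hunting keywords present in the request's query string."""
    query = path.split("?", 1)[1].lower() if "?" in path else ""
    return [w for w in CRED_WORDS if w in query]


def triage(log_text, exposed_at):
    """Parse the log and summarise who hit the decoy, how soon, and for what."""
    first_hit = None
    buckets, clients, cred_hits = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole triage
        ts, client, method, path, _status = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if first_hit is None or when < first_hit:
            first_hit = when
        buckets[classify(method, path)] += 1
        clients[client] += 1
        words = credential_terms(path)
        if words:
            cred_hits.append((client, path, words))
    hours = None if first_hit is None else (first_hit - exposed_at).total_seconds() / 3600
    return {
        "requests": sum(clients.values()),
        "hours_to_first_hit": hours,
        "by_bucket": dict(buckets),
        "by_client": dict(clients),
        "credential_queries": cred_hits,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, EXPOSED_AT)
    print(f"{report['requests']} requests; first hit after {report['hours_to_first_hit']:.1f} h")
    print("by bucket:", report["by_bucket"])
    print("by client:", report["by_client"])
    for client, path, words in report["credential_queries"]:
        print(f"credential hunting from {client}: {path} ({', '.join(words)})")
```

The buckets are deliberately coarse: a POST to _bulk can be a miner dropper, a ransom note or a benign misrouted client, and only the request body tells which, so the script records what was attempted and leaves attribution to the analyst.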

Vard Hit by Cyberattack

maritime-executive.com/article/vard-hit-by-cyberattack Norwegian shipbuilder Vard has been hit with a ransomware encryption cyberattack, the company confirmed Tuesday. According to local outlet Vestnesavisa, the attack affected Vard’s Langsten shipyard. “It is true that Vard is affected by a data breach. But what kind of data breach and what consequences this has for the company, we do not want to comment on now. But it is a complex matter, and we are working with Kripos to solve this in the best possible way,” police inspector Kjell Arne Hestad of the Møre og Romsdal Police District told E24.

Russia says Germany has not provided any evidence of Bundestag hack

www.zdnet.com/article/russia-says-germany-has-not-provided-any-evidence-of-bundestag-hack/ Russian officials said this week that German authorities have failed to produce evidence that Russian military hackers breached the German Parliament in 2015. German prosecutors, who have issued an arrest warrant for Dmitry Badin, said he was a member of the hacking group APT28 (Fancy Bear, Sofacy, Strontium, Grizzly Steppe), which breached the German Parliament (Bundestag) in the first half of 2015, and that he installed malware and stole government documents. However, in an interview with Russian news agency RIA on Thursday, Vladimir Titov, Russia’s First Deputy Foreign Minister, said that more than a month after Germany filed the Badin arrest warrant, German officials had not provided any evidence of Badin’s involvement in the hack, which would be needed to support an extradition request.

Twitter deletes 170,000 accounts linked to China influence campaign

www.theguardian.com/technology/2020/jun/12/twitter-deletes-170000-accounts-linked-to-china-influence-campaign Twitter has removed more than 170,000 accounts the social media site says are state-linked influence campaigns from China focusing on Hong Kong protests, Covid-19 and the US protests in relation to George Floyd.

U.S. lawmakers ask Zoom to clarify China ties after it suspends accounts

www.reuters.com/article/us-zoom-video-commn-privacy/u-s-lawmakers-ask-zoom-to-clarify-china-ties-after-it-suspends-accounts-idUSKBN23I3GP The California-based firm has come under heavy scrutiny after three U.S. and Hong Kong-based activists said their accounts had been suspended and meetings disrupted after they tried to hold events related to the anniversary of China’s Tiananmen Square crackdown. Zoom said on Friday it was notified of the events and asked to take action by the Chinese government in May and early June. It said it suspended one account in Hong Kong and two in the United States but has now reinstated these accounts and will not allow further requests from China to affect users outside the country. “We did not provide any user information or meeting content to the Chinese government,” Zoom said in a statement. “We do not have a backdoor that allows someone to enter a meeting without being visible.”

A smartwatch connected to the company network can pose a risk: the explosive growth of remote work has prompted companies to think about information security

studio.kauppalehti.fi/studiovieras/fortinet-yrityksen-verkkoon-kytketty-alykello-voi-aiheuttaa-riskin-etatyon-rajahdysmainen-kasvu-heratti-yritykset-pohtimaan-tietoturvaa In the home office, information security is not at the same level as at the workplace, and in the middle of exceptional circumstances people are also more susceptible to social engineering. “In addition to technology, training people in good security practices is now critical,” reminds Timo Lohenoja, senior security specialist at Fortinet.
