Daily NCSC-FI news followup 2020-06-18

Car autopilot security

www.kaspersky.com/blog/protecting-adas/35961/ Today, many companies are experimenting to the max with autopilots of varying complexity. Some are trying to build devices that actually take control of the vehicle out of human hands, while others are developing advanced driver-assistance systems (ADAS). The main issue that autopilot manufacturers must address is guaranteeing reliability and safety. After all, people's lives depend on the proper functioning of the system.

When Security Takes a Backseat to Productivity

krebsonsecurity.com/2020/06/when-security-takes-a-backseat-to-productivity/ So ends a key section of a report the U.S. Central Intelligence Agency produced in the wake of a mammoth data breach in 2016 that led to Wikileaks publishing thousands of classified documents stolen from the agency's offensive cyber operations division. The analysis highlights a shocking series of security failures at one of the world's most secretive entities, but the underlying weaknesses that gave rise to the breach also unfortunately are all too common in many organizations today.

How to Track Cyber Risk With the Threat Category Risk Framework

www.recordedfuture.com/track-cyber-risk/ Ideally, organizations would make every cybersecurity decision based on an objective risk assessment. Unfortunately, this often isn't possible. Cyber risk is notoriously difficult to measure. This leaves many organizations in the unhappy position of making educated guesses about which threats are most significant. Recently, we wrote about the Threat Category Risk (TCR) framework, a practical, quantitative cyber risk framework designed to help security teams estimate the likelihood and cost associated with different threats.

Ginp Malware Operations are on the Rise, Aiming to Expand in Turkey

securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/ The Ginp mobile banking malware, which emerged in late 2019, is one of the top most prevalent Android banking malware families today. It started as a simple short message server (SMS) stealer and rapidly evolved into one of the most advanced actors in the financial fraud landscape. Ginp has primarily targeted Spanish banks, but recent evidence suggests the malware has changed or may change its targeting strategy in the near future to focus on Turkey.

Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies

www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/ ESET researchers uncover targeted attacks against high-profile aerospace and military companies. At the end of last year, we discovered targeted attacks against aerospace and military companies in Europe and the Middle East, active from September to December 2019. A collaborative investigation with two of the affected European companies allowed us to gain insight into the operation and uncover previously undocumented malware.

The State of Business Email Compromise Q1 2020: Attacks Shift From the C-Suite to Finance

abnormalsecurity.com/blog/the-state-of-business-email-compromise-q1-2020-attacks-shift-from-the-c-suite-to-finance/ Every day, we track and prevent email security threats for our users, which gives us enormous insight into where and how attackers attempt to infiltrate a business through email. Our main interest is, of course, business email compromise (BEC), because it's the costliest and most sophisticated type of email attack that bypasses traditional secure email gateways. These insights are powerful. They help us better understand when, where and how attacks happen and allow us to track trends in attack campaigns that we can link to external events, as was the case in Q1

CERT NZ Releases Advisory on Ransomware Campaign

www.us-cert.gov/ncas/current-activity/2020/06/18/cert-nz-releases-advisory-ransomware-campaign The New Zealand Computer Emergency Response Team (CERT NZ) has released an advisory on a ransomware campaign leveraging remote access technologies. Malicious cyber actors are targeting organizations' networks through remote access tools, such as Remote Desktop Protocol and virtual private networks, to exploit unpatched vulnerabilities and weak authentication.

Digging up InvisiMole's hidden arsenal

www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/ ESET researchers reveal the modus operandi of the elusive InvisiMole group, including newly discovered ties with the Gamaredon group. In our tracking of the InvisiMole group, which we rediscovered and first reported on in 2018, we have found a new campaign targeting high-profile organizations in Eastern Europe. Investigating the attacks, in close cooperation with the affected organizations, we uncovered its updated toolset and previously unknown details about InvisiMole's tactics, techniques and procedures (TTPs).

Broken phishing accidentally exploiting Outlook zero-day

isc.sans.edu/forums/diary/Broken+phishing+accidentally+exploiting+Outlook+zeroday/26254/ When we think of zero-days, what comes to mind are usually RCEs or other high-impact vulnerabilities. Zero-days, however, come in all shapes and sizes, and many of them are low impact, as is the vulnerability we're going to discuss today. What is interesting about it, apart from it allowing the sender of an e-mail to include/change a link in an e-mail when it is forwarded by Outlook, is that I noticed it being exploited in a low-quality phishing e-mail by what appears to be a complete accident.

AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations

unit42.paloaltonetworks.com/acidbox-rare-malware/ When the news broke in 2014 about a new sophisticated threat actor dubbed the Turla Group, which the Estonian foreign intelligence service believes has Russian origins and operates on behalf of the FSB, its kernel-mode malware also became the first publicly described case that abused a third-party device driver to disable Driver Signature Enforcement (DSE). This security mechanism was introduced in Windows Vista to prevent unsigned drivers from loading into kernel space. Turla exploited the signed VirtualBox driver, VBoxDrv.sys v1.6.2, to deactivate DSE and load its unsigned payload drivers afterward.

Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers

research.checkpoint.com/2020/phishing-campaign-exploits-samsung-adobe-and-oxford-servers/ Recently, a seemingly unsophisticated Office 365 phishing campaign caught our attention. The attackers abused an Adobe Campaign redirection mechanism, using a Samsung domain to redirect victims to an O365-themed phishing website. The hackers took advantage of the fact that access to a reputable domain, such as Samsung's, would not be blocked by security software. To expand their campaign, the attackers also compromised several websites to inject a script that imitates the same mechanism offered by the Adobe redirection service. Further investigation revealed that the actors behind the campaign implemented a few other interesting tricks to hide the phishing kit and avoid detection at each stage of the attack.

COVID-19 and FMLA Campaigns used to install new IcedID banking malware

blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware Juniper Threat Labs has been monitoring a campaign that pushes a new IcedID banking trojan. This new campaign changes tactics by injecting into msiexec.exe to conceal itself and uses full steganography for downloading its modules and configurations. Previous versions of IcedID injected into svchost.exe and downloaded encrypted modules and config as .dat files. This campaign also takes advantage of the COVID-19 pandemic by using keywords such as COVID-19 and FMLA in email sender names and attachment names. IcedID is a banking malware that performs Man-in-the-Browser attacks to steal financial information.

Cisco Webex, Router Bugs Allow Code Execution

threatpost.com/cisco-webex-router-code-execution/156706/ Cisco is warning of three high-severity flaws in its popular Webex web conferencing app, including one that could allow an unauthenticated attacker to remotely execute code on impacted systems. Beyond Webex, the networking giant on Wednesday also patched a slew of bugs across several products, including its small business RV routers and TelePresence Collaboration Endpoint software. It's also investigating whether vulnerabilities affect other products. Also:

www.bleepingcomputer.com/news/security/new-cisco-webex-meetings-flaw-lets-attackers-steal-auth-tokens/

www.theregister.com/2020/06/18/cisco_webex/

Unpatched vulnerability identified in 79 Netgear router models

www.zdnet.com/article/unpatched-vulnerability-identified-in-79-netgear-router-models/ A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely. The vulnerability was discovered by two security researchers independently, namely Adam Nichols from cyber-security firm GRIMM and a security researcher going by the nickname of d4rkn3ss, working for Vietnamese internet service provider VNPT. Also:

www.bleepingcomputer.com/news/security/79-netgear-router-models-risk-full-takeover-due-to-unpatched-bug/

IoT security culture is slowly maturing

www.tivi.fi/uutiset/tv/ecfb8aa0-a137-498e-ae95-07fb84265efd The Internet of Things, or IoT, is commonly regarded as an insecure technology environment. Online stores are full of cheap consumer products whose security is all too often in poor shape. These include various meters and sensors, smart lights, remotely controlled locks and other gadgets. Fortunately, companies' operational IoT solutions are in better shape security-wise than consumer products. The big cloud platforms offer services with which IoT security can be put in order. The problem, however, is that people do not yet know how to use these services correctly.

To evade detection, hackers are requiring targets to complete CAPTCHAs

arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/ CAPTCHAs, those puzzles with muffled sounds or blurred or squiggly letters that websites use to filter out bots (often unsuccessfully), have been annoying end users for more than a decade. Now, the challenge-and-response tests are likely to vex targets in malware attacks. Microsoft recently spotted an attack group distributing a malicious Excel document on a site requiring users to complete a CAPTCHA, most likely in an attempt to thwart automated detection by good guys.

IT giant Cognizant confirms data breach after ransomware attack

www.bleepingcomputer.com/news/security/it-giant-cognizant-confirms-data-breach-after-ransomware-attack/ In a series of data breach notifications, IT services giant Cognizant has stated that unencrypted data was most likely accessed and stolen during an April Maze Ransomware attack. Cognizant is one of the largest IT managed services companies in the world, with close to 300,000 employees and over $15 billion in revenue. As a managed service provider (MSP), Cognizant remotely manages many of its clients to fix issues, install patches, and monitor their security.

Chrome extensions are ‘the new rootkit’ say researchers linking surveillance campaign to Israeli registrar Galcomm

www.theregister.com/2020/06/18/chrome_browser_extensions_new_rootkit/ Researchers at Awake Security have published a report on malicious extensions in the Chrome web store, making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google’s store. The researchers said they have been tracking a “massive global surveillance campaign that affects almost every enterprise we have investigated” linked to a specific Israel-based domain registrar called Communigal Communication Ltd (Galcomm).

EKANS Ransomware Misconceptions and Misunderstandings

www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/ Since its initial public disclosure by Vitali Kremez, MalwareHuntTeam, and others on 06 January 2020, a relatively new ransomware variant referred to as EKANS by Dragos has continued to operate against multiple, high-profile organizations. This group of identified activity likely represents a subset of behavior, as other events are either disputed or nonpublic at this time. Irrespective of specific victimology, EKANS incorporates certain specific functionality previously deployed via stand-alone scripts or supporting tools directly into a ransomware executable.
