Daily NCSC-FI news followup 2020-06-19

FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy

krebsonsecurity.com/2020/06/fema-it-specialist-charged-in-id-theft-tax-refund-fraud-conspiracy/ An information technology specialist at the Federal Emergency Management Agency (FEMA) was arrested this week on suspicion of hacking into the human resource databases of University of Pittsburgh Medical Center (UPMC) in 2014, stealing personal data on more than 65,000 UPMC employees, and selling the data on the dark web.

Approximately 300,000 Nintedo user accounts breached by hackers

www.pandasecurity.com/mediacenter/mobile-news/nintedo-accounts-breached/ Over the last few months, the account details of approximately 300,000 Nintendo users have been breached by hackers. In late April, the Japanese consumer electronics and video game company announced that 160,000 members of its user database had been breached. In June, after continuous investigation, Nintendo increased the number to the staggering 300,000.

Microcin is here

securelist.com/microcin-is-here/97353/ With asynchronous sockets, steganography, GitLab ban and a sock. In February 2020, we observed a Trojan injected into the system process memory on a particular host. The target turned out to be a diplomatic entity. What initially attracted our attention was the enterprise-grade API-like (application programming interface) programming style. Such an approach is not that common in the malware world and is mostly used by top-notch actors.

Exposing Ashiyane Digital Security Team – An OSINT Analysis

ddanchev.blogspot.com/2020/06/exposing-ashiyane-digital-security-team.html I wanted to let you know that I’ve decided to publish a set of high-profile and personally identifiable personal photos of all the leading and currently active Iran-based hacking and Web site defacement groups with the idea to assist the Security Industry and U.S Law Enforcement on its way to properly track down the members of these groups part of my two series of actionable threat intelligence type . D: of reports which I’ve recently released and made exclusively publicly available for free.

Sigma rules! The generic signature format for SIEM systems.

isc.sans.edu/forums/diary/Sigma+rules+The+generic+signature+format+for+SIEM+systems/26258/ What Snort is to network traffic, and YARA to files, is Sigma to logs. By creating and using Sigma rules youll have generic rules which can be shared and run against different targets (e.g. SIEMs). Sigma solves the issue of everyone working on their own analysis, searches and dashboards of log data theyve collected by having a standardized format to create rules to be reused and shared with others, supporting many different target systems.

Facebooks FTC-Mandated Privacy Committee Now in Effect

threatpost.com/facebooks-ftc-mandated-privacy-committee-now-in-effect/156730/ Facebook on Thursday said it has started to report its privacy practices to a newly formed, independent Privacy Committee. The creation of the independent committee was part of the companys settlement a year ago with the Federal Trade Commission (FTC) over data privacy violations, which came in addition to a $5 billion fine (which was derided as chump change by lawmakers and privacy analysts).

Security surprise: Four zero-days spotted in attacks on researchers’ fake networks

www.zdnet.com/article/security-four-zero-day-attacks-spotted-in-attacks-against-honeypot-systems/ Four new zero-day attacks were discovered when hackers employed them against fake systems set up by researchers studying hacking attempts on industrial systems. Industrial control systems (ICS) are used to manage a vast range of critical devices, anything from chemical processing through to power generation or even building automation like fire-suppression systems.

Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks

www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor. The title Copy-paste compromises is derived from the actors heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.. The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI.. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.

Australia cyber attacks: PM Morrison warns of ‘sophisticated’ state hack

www.bbc.com/news/world-australia-46096768 Australia’s government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says.. Mr Morrison said the cyber attacks were widespread, covering “all levels of government” as well as essential services and businesses. He declined to identify a specific state actor and said no major personal data breaches had been made. The attacks have happened over many months and are increasing, he said.. Also:





Hackers use fake Windows error logs to hide malicious payload

www.bleepingcomputer.com/news/security/hackers-use-fake-windows-error-logs-to-hide-malicious-payload/ Hackers have been using fake error logs to store ASCII characters disguised as hexadecimal values that decode to a malicious payload designed to prepare the ground for script-based attacks. The trick is part of a longer chain with intermediary PowerShell commands that ultimately delivers a script for reconnaissance purposes.

‘Work pressure’ sees Maze ransomware gang demand payoff from wrong company

www.theregister.com/2020/06/18/maze_ransomware_gang_name_screwup/ The Maze ransomware gang has screwed up by targeting a New York design and construction firm instead of the Canadian Standards Association it was intending to hit. While Google returns plenty of hits for the search term “csa group”, almost all of which refer to Canada’s answer to the British Standards Institute, there is one exception: an architectural practice located in New York.

Healthcare CISOs Share COVID-19 Response Stories

www.darkreading.com/threat-intelligence/healthcare-cisos-share-covid-19-response-stories/d/d-id/1338132 Cybersecurity leaders discussed the threats and challenges that arose during the pandemic, and how they responded, during a virtual roundtable. A few months ago, security leaders around the world faced an unprecedented challenge in addressing threats and challenges related to a global pandemic. In the healthcare space, CISOs juggled a spike in cyberattacks, newly remote employees, and securing healthcare institutions.

Academics studied DDoS takedowns and said they’re ineffective, recommend patching vulnerable servers

www.zdnet.com/article/academics-studied-ddos-takedowns-and-said-theyre-ineffective-recommend-patching-vulnerable-servers/ A team of Dutch and German academics has studied the aftermath of a major crackdown against DDoS providers and concluded that law enforcement takedowns are largely ineffective, recommending that authorities rather focus on patching the vulnerable systems that are abused for the DDoS attacks in the first place.

Microsoft Defender ATP now detects Windows 10 UEFI malware

www.bleepingcomputer.com/news/security/microsoft-defender-atp-now-detects-windows-10-uefi-malware/ Microsoft has announced that its Microsoft Defender Advanced Threat Protection (ATP) enterprise endpoint security platform is now capable of detecting and protecting customers from Unified Extensible Firmware Interface (UEFI) malware with the help of a new UEFI scanner.

You might be interested in …

Daily NCSC-FI news followup 2019-06-19

Apu: Kyberhyökkäys tietoverkkoihin voisi pimentää Suomen oletko varautunut? www.apu.fi/artikkelit/kyberhyokkays-tietoverkkoihin-voisi-pimentaa-suomen Kiinan tiedustelupalvelu värvää vakoilijoita LinkedInissä myös suomalaisia ulkopolitiikan asiantuntijoita lähestytty yle.fi/uutiset/3-10838995 Raportin on laatinut Ulkopoliittisen instituutin ohjelmajohtaja Mika Aaltola. Quick Detect: Exim “Return of the Wizard” Attack isc.sans.edu/forums/diary/Quick+Detect+Exim+Return+of+the+Wizard+Attack/25052/ =Thanks to our reader Alex for sharing some of his mail logs with the latest attempts to exploit […]

Read More

Daily NCSC-FI news followup 2020-07-14

Microsoft July 2020 Patch Tuesday: 123 vulnerabilities, 18 Critical! www.bleepingcomputer.com/news/microsoft/microsoft-july-2020-patch-tuesday-123-vulnerabilities-18-critical/ This Patch Tuesday is the second-largest update ever, with the largest one being issued in June 2020 with 129 fixes. 17-Year-Old Critical ‘Wormable’ RCE Vulnerability Impacts Windows DNS Servers thehackernews.com/2020/07/windows-dns-server-hacking.html Microsoft patched today a new highly critical “wormable” vulnerability – – carrying a severity score […]

Read More

Daily NCSC-FI news followup 2020-02-04

TeamViewer whynotsecurity.com/blog/teamviewer/ TL;DR: TeamViewer stored user passwords encrypted with AES-128-CBC with they key of 0602000000a400005253413100040000 and iv of 0100010067244F436E6762F25EA8D704 in the Windows registry. If the password is reused anywhere, privilege escalation is possible. If you do not have RDP rights to machine but TeamViewer is installed, you can use TeamViewer to remote in. TeamViewer also […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.