Daily NCSC-FI news followup 2020-06-22

Google Analytics as a data exfiltration channel

www.kaspersky.com/blog/web-skimming-with-ga/35986/ Web skimming, a fairly common method of getting cardholder data from visitors of online stores, is a time-honored cybercriminal practice. Recently, however, our experts discovered a rather dangerous innovation involving the use of Google Analytics to exfiltrate stolen data. Lets explore why this is dangerous and how to deal with it.. More details on the attack mechanism and indicators of compromise:

securelist.com/web-skimming-with-google-analytics/97414/. Also:


BlueLeaks Exposes Files from Hundreds of Police Departments

krebsonsecurity.com/2020/06/blueleaks-exposes-files-from-hundreds-of-police-departments/ Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed BlueLeaks and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals.. Also:





Seventy-three percent of SMBs pay up after a ransomware attack

www.pandasecurity.com/mediacenter/business/smbs-pay-ransomware-attack/ SMBs account for 99% of all businesses in the USA, and create 1.5 million new jobs every year, 64% of the total. This means that SMBs are a true economic powerhouse in the States. Although many of these companies believe that they are too small to be attacked by cybercriminals, almost half of all cyberattacks in the world target this kind of business.

AMD: Fixes For High-Severity SMM Callout Flaws Upcoming

threatpost.com/amd-fixes-for-high-severity-smm-callout-flaws-upcoming/156787/ AMD has fixed one high-severity vulnerability affecting its client and embedded processors; fixes for the other two will come out later in June. Three high-severity vulnerabilities have been disclosed in AMDs client and embedded processors that came out between 2016 and 2019. An attacker with physical or privileged access to certain AMD powered systems could exploit the flaws to execute arbitrary code or take control of the firmware.

Microsoft: These hackers got from a broken password to full control of a network – in just days

www.zdnet.com/article/microsoft-how-hackers-got-from-a-broken-password-to-full-network-control-in-just-days/ Microsoft has detailed how one sophisticated hacking group is able to get from a cracked cloud password to full control over a network in less than a week. “Every day, we see attackers mount an offensive against target organizations through the cloud and various other attack vectors with the goal of finding the path of least resistance, quickly expanding foothold, and gaining control of valuable information and assets,” Microsoft’s Threat Protection Intelligence Team said.

Älä avaa! Vakuuttavasta osoitteesta lähetetyllä sähköpostilla ilkeä päämäärä

www.tivi.fi/uutiset/tv/a9385075-4579-483d-af1e-7fd386383d92 Oxfordin yliopiston nimissä lähetetyt tietojenkalasteluviestit piinaavat yrityksiä. Tietojenkalastelu on yksi verkon ikävimmistä ilmiöistä. Yleensä yritykset ovat helposti tunnistettavissa, mutta ajoittain kalastelijoiden tuottama sisältö voi onnistua uskottavuudessaan.

BitDefender fixes bug allowing attackers to run commands remotely

www.bleepingcomputer.com/news/security/bitdefender-fixes-bug-allowing-attackers-to-run-commands-remotely/ Security solutions are designed to keep an organization safe, but that models crumble when that same software becomes a threat vector for the attackers to exploit. Such is the case with a new Bitdefender remote code execution vulnerability, dubbed CVE-2020-8102, lurking in its Safepay browser component.

Australians reported 25,000 phishing scams last year

www.zdnet.com/article/australians-reported-25000-phishing-scams-to-the-accc-last-year/ Australians reported 167,797 scams to the Australian Competition and Consumer Commission (ACCC)-controlled Scamwatch in 2019. A 34% increase over the year prior, the financial impact in 2019 to Australians was just over AU$634 million. This was an average loss of AU$7,224. The Scamwatch Targeting scams 2019: A review of scam activity since 2009 report [PDF] showed only 11.8% of scam reports included a financial loss.

IndigoDrop spreads via military-themed lures to deliver Cobalt Strike

blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html Cisco Talos has recently discovered a new campaign distributing a multistage attack used to infect target endpoints with customized Cobalt Strike beacons. Due to the theme of the malicious documents (maldocs) employed, it is highly likely that military and government organizations in South Asia were targeted by this attack.

Vulnerability identified in PACTware Instrument Management Software

www.dragos.com/blog/industry-news/vulnerability-identified-in-pactware-instrument-management-software/ The PACTware Consortium, via distributor Pepperl+Fuchs, recently released an update to supported versions of the popular Instrument Management Software. During testing, Dragos identified issues in the access control system. End users who utilize the role-based access control system should make plans to update their PACTware installations during their next plant maintenance/refresh window. The PACTware software is redistributed by several instrument vendors and incorporates a basic role-based access control system. Simple roles allow the plant owner to establish passwords, which restrict access to instrument settings

Huijarit kalastelevat henkilö- ja maksutietoja Turun Keskiaikaisten markkinoiden virtuaalitapahtuman varjolla

yle.fi/uutiset/3-11411899 Koronatilanteen takia verkkoon täksi kesäksi siirtyneen tapahtuman järjestäjät korostavat ohjelman olevan ilmaista. Torstaina alkavien Turun Keskiaikaisten markkinoiden varjolla yritetään kalastella henkilö- ja maksutietoja verkossa. Koronaepidemian takia perinteisesti Vanhalla Suurtorilla järjestetty tapahtuma toteutetaan tänä vuonna virtuaalisena verkossa.. Nyt Facebookissa on levinnyt jäljitelmiä Keskiaikaiset markkinat verkossa -tapahtumasivusta ja Keskiaikaiset markkinat -sivusta.

Encrypted Phone Network Says It’s Shutting Down After Police Hack

www.vice.com/en_us/article/5dz9qx/encrochat-hacked-shutting-down-encrypted-phone Someone in control of an email address long associated with Encrochat, a company that sells custom encrypted phones often used by organized criminals, tells Motherboard the company is shutting down after a law enforcement hacking operation against its customers. The news comes as law enforcement agencies have arrested multiple criminal users of Encrochat across Europe in what appears to be a large scale, coordinated operation against the phone network and its users.

Comparing Office Documents with WinMerge

isc.sans.edu/forums/diary/Comparing+Office+Documents+with+WinMerge/26268/ Sometimes I have to compare the internals of Office documents (OOXML files, e.g. ZIP container with XML files, ). Since they are ZIP containers, I have to compare the files within. I used to do this with with zipdump.py tool, but recently, I started to use WinMerge because of its graphical user interface.

Hijacking DLLs in Windows

www.wietzebeukema.nl/blog/hijacking-dlls-in-windows DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.

You might be interested in …

Daily NCSC-FI news followup 2020-09-14

Alert (AA20-258A) – Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity us-cert.cisa.gov/ncas/alerts/aa20-258a The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies.. see also www.zdnet.com/article/cisa-chinese-state-hackers-are-exploiting-f5-citrix-pulse-secure-and-exchange-bugs/ Magecart Attack […]

Read More

Daily NCSC-FI news followup 2021-04-08

Researchers uncover a new Iranian malware used in recent cyberattacks thehackernews.com/2021/04/researchers-uncover-new-iranian-malware.html An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems. APT34 (aka OilRig) is known for its reconnaissance campaigns aligned with the strategic interests of Iran, primarily hitting […]

Read More

Daily NCSC-FI news followup 2020-12-18

Kansallinen turvallisuusauditointikriteeristö Katakri 2020 julkaistu valtioneuvosto.fi/-/kansallinen-turvallisuusauditointikriteeristo-katakri-2020-julkaistu Kansallisen turvallisuusviranomainen NSA julkaisee Katakri 2020:n, eli viranomaisten tietoturvallisuuden auditointityökaluksi tarkoitetun kansallisen auditointikriteeristön 18.joulukuuta 2020 verkkoversiona.. Katakrin neljännen version päivitystyön taustalla keskeisimpänä tekijänä on ollut vastaaminen 2020 alusta uusiutuneen kansallisen lainsäädännön muutoksiin.. Painettu julkaisu ja englanninkielinen verkkoversio on saatavilla vuoden 2021 alkupuolella. SolarWinds hackers breach US nuclear weapons agency […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.