Daily NCSC-FI news followup 2020-06-23

Introducing the TypeRefHash (TRH)

www.gdatasoftware.com/blog/2020/06/36164-introducing-the-typerefhash-trh We introduce the TypeRefHash (TRH) which is an alternative to the ImpHash that does not work with .NET binaries. Our evaluation shows that it can effectively be used to identify .NET malware families.

Zoom 5 moves toward security

www.kaspersky.com/blog/zoom-5-security/36001/ Zoom developers have made their service more secure. We review what's changed. Not so long ago, we explained how to configure Zoom to make it safer to use. However, technologies can develop very rapidly, especially those in the spotlight. One such case is Zoom, whose developers have, as promised, given the app a data-protection makeover. As a result, version 5.0 has changed a lot from pre-coronavirus Zoom.

A zero-day guide for 2020: Recent attacks and advanced preventive techniques

blog.malwarebytes.com/exploits-and-vulnerabilities/2020/06/a-zero-day-guide-for-2020/ Zero-day vulnerabilities enable threat actors to take advantage of security blind spots. Typically, a zero-day attack involves the identification of zero-day vulnerabilities, creating relevant exploits, identifying vulnerable systems, and planning the attack. The next steps are infiltration and launch. This article examines three recent zero-day attacks, which targeted Microsoft, Internet Explorer, and Sophos. Finally, you will learn about four zero-day protection and prevention solutions: NGAV, EDR, IPsec, and network access controls.

What is Hacktivism? Campaigns That Shaped the Movement

www.pandasecurity.com/mediacenter/technology/what-is-hacktivism/ From protests and sit-ins to doxxing and distributed denial-of-service attacks, a new kind of activism rose in the ranks. In 1996, cyber-activism gained a reputation and was given a new name: hacktivism. Consisting of breaking into a computer system for political, social, religious, or anarchistic reasons, hackers began to wage a war on information.

Guarding Healthcare Patient Privacy With Security Intelligence

www.recordedfuture.com/security-intelligence-healthcare/ Healthcare providers are under tremendous pressure to adhere to a plethora of privacy-related regulations. But now they have to do so while also experiencing unprecedented levels of cyberattacks. Neither of these points should come as a surprise given the value of the data at risk and the diversity of end-users and compute devices in the healthcare industry, not to mention the IT environments in which medical devices operate.

Oh, what a boot-iful mornin

securelist.com/oh-what-a-boot-iful-mornin/97365/ In mid-April, our threat monitoring systems detected malicious files being distributed under the name "on the new initiative of the World Bank in connection with the coronavirus pandemic" (in Russian) with the extension EXE or RAR. Inside the files was the well-known Rovnix bootkit. There is nothing new about cybercriminals exploiting the coronavirus topic; the novelty is that Rovnix has been updated with a UAC bypass tool and is being used to deliver a loader that is unusual for it. Without further ado, let's proceed to an analysis of the malware according to the rules of dramatic structure.

XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers

blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/ We have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware (detected by Trend Micro as Backdoor.Linux.XORDDOS.AE) and Kaiji DDoS malware (detected by Trend Micro as DDoS.Linux.KAIJI.A). Having Docker servers as their target is a new development for both XORDDoS and Kaiji; XORDDoS was known for targeting Linux hosts on cloud systems, while recently discovered Kaiji was first reported to affect internet of things (IoT) devices.

Scam uses Elon Musk's name to trick people out of US$2 million in bitcoin

www.welivesecurity.com/2020/06/22/scam-uses-elon-musk-name-trick-people-us2million-bitcoin/ Cryptocurrency giveaway scams, including those impersonating Tesla and SpaceX boss Elon Musk, have been making the rounds for quite a few years now. The newest trick up the fraudsters' sleeves involves name-dropping Musk into the Bitcoin address itself, which has helped them fleece victims out of more than US$2 million worth of bitcoin over the past two months.

VirusTotal Adds Cynet’s Artificial Intelligence-Based Malware Detection

thehackernews.com/2020/06/virustotal-cynet-malware-detection.html VirusTotal, the famous multi-antivirus scanning service owned by Google, recently announced new threat detection capabilities it added with the help of an Israeli cybersecurity firm. VirusTotal provides a free online service that analyzes suspicious files and URLs to detect malware and automatically shares them with the security community. With the onslaught of new malware types and samples, researchers rely on the rapid discovery and sharing provided by VirusTotal to keep their companies safe from attacks.

Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider

isc.sans.edu/forums/diary/Cyberbunker+20+Analysis+of+the+Remnants+of+a+Bullet+Proof+Hosting+Provider/26266/ Cyberbunker refers to a criminal group that operated a bulletproof hosting facility out of an actual military bunker. Bullet Proof hosting usually refers to hosting locations in countries with little or corrupt law enforcement, making shutting down criminal activity difficult. Cyberbunker, which is also known as ZYZtm and Calibour, was a bit different in that it actually operated out of a bulletproof bunker. In September of last year, German police raided this actual Cyberbunker and arrested several suspects.

Hackbit Ransomware Attack Uses GuLoader, Malicious Microsoft Excel Attachments

threatpost.com/hackbit-ransomware-attack-uses-guloader-malicious-microsoft-excel-attachments/156826/ Recent spearphishing emails spread the Hackbit ransomware using malicious Microsoft Excel attachments and the GuLoader dropper. A ransomware campaign, dubbed Hackbit, is targeting mid-level employees across Austria, Switzerland and Germany with malicious Excel attachments delivered via the popular email provider GMX.

Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike

symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos Symantec researchers have spotted a Sodinokibi targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software. It is not clear if the attackers are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack. Organizations in the healthcare, services, and food sectors are among the victims.

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ WastedLocker is a new ransomware locker we've detected being used since May 2020. We believe it has been in development for a number of months prior to this and was started in conjunction with a number of other changes we have seen originate from the Evil Corp group in 2020. Evil Corp were previously associated with the Dridex malware and BitPaymer ransomware; the latter came to prominence in the first half of 2017. Recently Evil Corp has changed a number of TTPs related to their operations, further described in this article.

80,000 printers are exposing their IPP port online

www.zdnet.com/article/80000-printers-are-exposing-their-ipp-port-online/ For years, security researchers have warned that every device left exposed online without being protected by a firewall is an attack surface. Hackers can deploy exploits to forcibly take control over the device, or they can just connect to the exposed port if no authentication is required. Devices hacked this way are often enslaved in malware botnets, or they serve as initial footholds and backdoors into larger corporate networks (Russian hackers already use this technique). However, despite this being common knowledge among cyber-security and IT experts, we still have a large number of devices that are left exposed online unsecured.

Police warn of scam calls: Tens of thousands taken from victims

www.is.fi/digitoday/tietoturva/art-2000006549900.html Police report two victims, each of whom lost tens of thousands of euros. Finland has recently received a large number of technical support scam calls, i.e. helpdesk scams, made in Microsoft's name. Helsinki police said on Tuesday that they had received several criminal reports about these Microsoft scams. According to the press release, in two new cases the criminal proceeds exceeded 30,000 euros per complainant. Also:



Fxmsp hackers made $1.5M selling access to corporate networks

www.bleepingcomputer.com/news/security/fxmsp-hackers-made-15m-selling-access-to-corporate-networks/ New details have emerged on the activity of the infamous Fxmsp hacker that last year was advertising access to the networks of three cybersecurity vendors. Researchers tracking Fxmsp's ventures on underground forums counted the network intrusions associated with this actor and revealed the presumed identity of the attacker.

Inside a TrickBot Cobalt Strike Attack Server

labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/ Trickbot operators utilized PowerTrick and Cobalt Strike to deploy their Anchor backdoor and RYUK ransomware. We review the Cobalt Strike portion of the server and how the actors were leveraging it against multiple targets.

What did it take for stubborn IBM to fix flaws in its Data Risk Manager security software? Someone dropping zero-days

www.theregister.com/2020/06/23/ibm_data_risk_manager/ IBM is under fire for refusing to patch critical vulnerabilities in its Data Risk Manager product until exploit code was publicly disclosed. In what seems a shortsighted move, when a proactive approach may have been better, Big Blue turned down a privately disclosed report of flaws in its enterprise security software only to issue fixes after details of the holes emerged online.

Firmware Flaw Allows Attackers to Evade Security on Some Home Routers

www.darkreading.com/vulnerabilities—threats/firmware-flaw-allows-attackers-to-evade-security-on-some-home-routers/d/d-id/1338150 Wired and wireless routers used by “millions” of home and small-business users are vulnerable to a firmware attack that can downgrade the devices to a less secure version that then allows the devices to be further compromised, cybersecurity firm NanoLock Security announced on Monday. While few details of the vulnerability have been released by the company, NanoLock claims that the issue affects devices sold by Japanese networking and storage firm Buffalo and its US subsidiary Buffalo Americas, as well as “many other similar routers.”

Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline

www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/ Indian conglomerate Indiabulls Group has allegedly been hit with a cyberattack from the CLOP Ransomware operators who have leaked screenshots of stolen data. The Indiabulls Group is an Indian conglomerate with $3.5 billion in revenue (2019), over 19,000 employees, and subsidiaries focusing on housing, personal finance and lending, infrastructure, and pharmaceuticals.

Common malware attacks-PDF backbone analysis

medium.com/ouspg/common-malware-attacks-pdf-backbone-analysis-957ff8bb8c5 This story is part of a blog series aimed at providing walkthroughs of different Dockerized tools used in digital forensics. The utilities presented are part of the CinCan project, aimed at aiding in computer forensics. Nowadays the exchange of information is everywhere, and sending and receiving different types of documents, including PDF files, has become common practice. Because of this, the PIDIEF malware family was seen to infect more and more computers. The common mechanism of infection is a document which, when opened, exploits a feature that enables JavaScript execution. By this, new malware or a backdoor can be installed and run remotely. In the following lines we will focus our attention on a recently detected sample which contains hidden code.
