
Daily NCSC-FI news followup 2020-06-24

Why cloud first is not a security problem

www.ncsc.gov.uk/blog-post/why-cloud-first-is-not-a-security-problem When considering moving to the public cloud, one of the first questions is often "Is the cloud secure?" This is a natural question. Although the public cloud offers an impressive array of tools and services, hidden beneath that slick visible layer are the complex layers of software and hardware used to implement the services.

New ransomware posing as COVID19 tracing app targets Canada; ESET offers decryptor

www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/ New ransomware CryCryptor has been targeting Android users in Canada, distributed via two websites under the guise of an official COVID-19 tracing app provided by Health Canada. ESET researchers analyzed the ransomware and created a decryption tool for the victims. CryCryptor surfaced just a few days after the Canadian government officially announced its intention to back the development of a nation-wide, voluntary tracing app called COVID Alert. The official app is due to be rolled out for testing in the province of Ontario as soon as next month.

Visibility and Threat Detection in a Remote Working World

securityintelligence.com/posts/visibility-threat-detection-remote-work/ At the outset of the COVID-19 pandemic, when governments around the world put stay-at-home orders in place, it was hard to imagine the state of work would permanently change. Yet, as organizations rapidly adopted and expanded systems to enable a remote workforce (which doubled in size in just three weeks), company cultures began shifting, too. As employees adjusted to life working remotely, many proved to their employers that productivity could remain high, and in some cases even increase, while they worked from home.

Using Shell Links as zero-touch downloaders and to initiate network connections

isc.sans.edu/forums/diary/Using+Shell+Links+as+zerotouch+downloaders+and+to+initiate+network+connections/26276/ Probably anyone who has used any modern version of Windows is aware of its file-based shortcuts, also known as LNKs or Shell Link files. Although they were intended as a simple feature to make Windows a bit more user-friendly, over the years a significant number[1] of vulnerabilities were identified in the handling of LNKs. Many of these vulnerabilities lead to remote code execution, and one (CVE-2010-2568) was even used in the creation of the Stuxnet worm.

New Bill Targeting Warrant-Proof Encryption Draws Ire

threatpost.com/new-bill-targeting-warrant-proof-encryption-draws-ire/156877/ The Lawful Access to Encrypted Data Act is being decried as an awful idea by security experts. Privacy advocates are decrying a new bill, which would force tech companies to unlock encrypted devices if ordered to do so by law enforcement with a court-issued warrant. The Lawful Access to Encrypted Data Act was introduced on Tuesday by Senate Judiciary Committee Chairman Lindsey Graham (R-SC),

Glupteba: the malware that gets secret messages from the Bitcoin blockchain

nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/ Here's a SophosLabs technical paper that should tick all your jargon boxes! Our experts have deconstructed a strain of malware called Glupteba that uses just about every cybercrime trick you've heard of, and probably several more besides. Like a lot of malware these days, Glupteba is what's known as a zombie or bot (short for software robot) that can be controlled from afar by the crooks who wrote it.

Magnitude exploit kit evolution

securelist.com/magnitude-exploit-kit-evolution/97436/ Exploit kits are not as widespread as they used to be. In the past, they relied on the use of already patched vulnerabilities. Newer and more secure web browsers with automatic updates simply do not allow known vulnerabilities to be exploited. It was very different back in the heyday of Adobe Flash, because it's just a plugin for a web browser, meaning that even if the user has an up-to-date browser, there's a non-zero chance that Adobe Flash may still be vulnerable to 1-day exploits. Now that Adobe Flash is about to reach its end-of-life date at the end of this year, it is disabled by default in all web browsers and has pretty much been replaced with open standards such as HTML5, WebGL and WebAssembly.

CryptoCore hacker group has stolen more than $200m from cryptocurrency exchanges

www.zdnet.com/article/cryptocore-hacker-group-has-stolen-more-than-200m-from-cryptocurrency-exchanges/ An organized hacker group believed to be operating out of Eastern Europe has stolen around $200 million from online cryptocurrency exchanges, cyber-security firm ClearSky said in a report shared with ZDNet today. Or Blatt, Research Team Leader at ClearSky, told ZDNet the group, which ClearSky has been tracking under the name of CryptoCore, has been active since 2018. Also:

www.bleepingcomputer.com/news/security/cryptocore-hackers-made-over-200m-breaching-crypto-exchanges/

Mapping the Cloud Native Security Genome

blog.paloaltonetworks.com/2020/06/cloud-native-security-genome/ The only given in cloud is that technology and services are evolving at a rapid pace. Organizations are embracing a wide diversity in technologies, but securing this complexity can be challenging. Current approaches are not sustainable. Leaders need to envision a different future for cloud security. This is what we have learned as we launch the results from our first annual State of Cloud Native Security Report. Conducted by Palo Alto Networks and sponsored by Accenture Security, it is the largest and most globally expansive market research dataset on cloud native security to date.

Scam calls in THL's name: callers ask about people's movements

www.is.fi/digitoday/art-2000006550763.html The Finnish Institute for Health and Welfare (THL) warns of scam calls made in its name. The institute has received individual reports of elderly people receiving calls in THL's name over the Midsummer weekend. The callers were interested in people's movements. In addition, the calls claimed that there were new coronavirus cases nearby.

The corona crisis set port scanners in motion, with SSH as the main target

www.tivi.fi/uutiset/tv/b25327ce-f8d2-49c0-ac87-4d338d6c2169 Security threats targeting Internet of Things devices have grown sharply during the spring. The security lab of security company Cujo.AI observed 120 million threats per week in early April. At the turn of April and May, the number of threats had grown by 83 percent to 212 million threats per week. In practice, the threats refer to situations in which an attacker attempts to gain control of a remotely controllable system.

Defending Exchange servers under attack

www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/ Securing Exchange servers is one of the most important things defenders can do to limit organizational exposure to attacks. Any threat or vulnerability impacting Exchange servers should be treated with the highest priority because these servers contain critical business data, as well as highly privileged accounts that attackers attempt to compromise to gain admin rights to the server and, consequently, complete control of the network.

VMware fixes critical vulnerability in Workstation and Fusion

www.bleepingcomputer.com/news/security/vmware-fixes-critical-vulnerability-in-workstation-and-fusion/ VMware released security updates to fix multiple vulnerabilities in VMware ESXi, Workstation, and Fusion, one of them being a critical bug in default configurations of Workstation and Fusion with 3D graphics enabled. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert today warning that an “attacker could exploit some of these vulnerabilities to take control of an affected system,” and encouraging users and administrators to update as soon as possible.

Maze ransomware gang threatens to publish sensitive stolen data after US aerospace biz sensibly refuses to pay

www.theregister.com/2020/06/24/maze_ransomware_gang_vt_aerospace_rant/ The Maze ransomware gang has threatened to publish information stolen from an American firm that overhauls airliners and installs flight control software upgrades because its victim refused to pay a demanded ransom. In a “press release” published on its leaks website, Maze raged against victims who refused to play its game and cough up vast sums of money to decrypt their illicitly encrypted data.

European victims refuse to bow to Thanos ransomware

www.bleepingcomputer.com/news/security/european-victims-refuse-to-bow-to-thanos-ransomware/ A Thanos ransomware campaign targeting mid-level employees of multiple organizations from Austria, Switzerland, and Germany was met by the victims’ refusal to pay the ransoms demanded to have their data decrypted. Thanos ransomware is a Ransomware-as-a-Service (RaaS) operation advertised on Russian-speaking hacker forums that allows affiliates to customize their own ransomware through a builder offered by the developer.

Accessible CoAP Report: Exposed Constrained Application Protocol Services on the Internet

www.shadowserver.org/news/accessible-coap-report-scanning-for-exposed-constrained-application-protocol-services/ We have recently enabled a new daily CoAP scan and Accessible CoAP Report. This is the third IoT related IPv4 Internet-wide scan and report implemented (after the Open MQTT scan and Open IPP scan) as part of our ongoing work in the EU CEF VARIoT project. The new IoT scan is aimed at uncovering devices that have an exposed CoAP service running on port 5683/UDP.
