Daily NCSC-FI news followup 2020-06-25

As organizations get back to business, cyber criminals look for new angles to exploit

blog.checkpoint.com/2020/06/25/as-organizations-get-back-to-business-cyber-criminals-look-for-new-angles-to-exploit/ Criminals are using COVID-19 training for employees as phishing bait. Non coronavirus-related headline news (including Black Lives Matter) being used in phishing scams. Weekly cyber-attacks increase 18% compared to May average. However, Covid-19 related cyber-attacks down 24% compared to May.

How to secure DevOps

www.kaspersky.com/blog/devops-security-hybrid/36021/ Supply-chain attacks through public repositories have become more frequent of late. Here's how to deal with them. Last month, IT news websites reported that RubyGems, the official channel for distributing libraries for the Ruby programming language, had been poisoned. An attacker uploaded fake packages containing a malicious script, so all programmers who used the code in their projects unwittingly infected users' computers with malware that changed cryptocurrency wallet addresses.

Patch time! NVIDIA fixes kernel driver holes on Windows and Linux

nakedsecurity.sophos.com/2020/06/25/patch-time-nvidia-fixes-kernel-driver-holes-on-windows-and-linux/ The latest security patches from NVIDIA, the maker of high-end graphics cards, are out. Both Windows and Linux are affected. NVIDIA hasn't yet given out any real details about the bugs, but 12 different CVE-tagged flaws have been fixed, numbered sequentially from CVE-2020-5962 to CVE-2020-5973. Also:

threatpost.com/nvidia-windows-gamers-graphics-driver-bugs/156911/

www.bleepingcomputer.com/news/security/nvidia-patches-high-severity-flaws-in-windows-linux-drivers/

Attackers Cryptojacking Docker Images to Mine for Monero

unit42.paloaltonetworks.com/cryptojacking-docker-images-for-mining-monero/ Docker containers have been gaining popularity over the past few years as an effective way of packaging software applications. Docker Hub provides a strong community-based model for users and companies to share their software applications. This is also attracting the attention of malicious actors intending to make money by cryptojacking within Docker containers and using Docker Hub to distribute these images. We identified a malicious Docker Hub account, azurenql, active since October 2019 that was hosting six malicious images intended to mine the cryptocurrency, Monero.

Critical Bugs and Backdoor Found in GeoVision’s Fingerprint and Card Scanners

thehackernews.com/2020/06/geovision-scanner-vulnerabilities.html GeoVision, a Taiwanese manufacturer of video surveillance systems and IP cameras, recently patched three of the four critical flaws impacting its card and fingerprint scanners that could’ve potentially allowed attackers to intercept network traffic and stage man-in-the-middle attacks. In a report shared exclusively with The Hacker News, enterprise security firm Acronis said it discovered the vulnerabilities last year following a routine security audit of a Singapore-based major retailer.

Threat Spotlight: New cryptominer malware variant

blog.barracuda.com/2020/06/25/threat-spotlight-new-cryptominer-malware-variant/ A new variant of the cryptominer malware known as Golang is targeting both Windows and Linux machines. While the volume of attacks is low because the variant is so new, Barracuda researchers have seen seven source IP addresses linked to this malware so far, all based in China. Instead of targeting end users, this new malware attacks servers.

Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices

unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/ On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware from numerous incidents of CVE-2019-9081 exploitation in the wild. A closer look revealed the malware, which we've dubbed Lucifer, is capable of conducting DDoS attacks and well-equipped with all kinds of exploits against vulnerable Windows hosts.

Chinese bank forced western companies to install malware-laced tax software

www.zdnet.com/article/chinese-bank-forced-western-companies-to-install-malware-laced-tax-software/ A Chinese bank has forced at least two western companies to install malware-laced tax software on their systems, cyber-security firm Trustwave said in a report published today. The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China. “Discussions with our client revealed that [the malware] was part of their bank’s required tax software,” Trustwave said today. Also:

www.darkreading.com/threat-intelligence/goldenspy-malware-hidden-in-tax-software-spies-on-companies-doing-business-in-china/d/d-id/1338174

Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files

blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/ They say a picture is worth a thousand words. Threat actors must have remembered that as they devised yet another way to hide their credit card skimmer in order to evade detection. When we first investigated this campaign, we thought it may be another one of those favicon tricks, which we had described in a previous blog. However, it turned out to be different and even more devious. We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores.
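The Malwarebytes item above describes skimming code tucked into an image's EXIF metadata. A defender's first question is how to spot such a file before it is served. The following Python is an added example, not code from the Malwarebytes post or the campaign it describes: it builds a constructed minimal JPEG whose EXIF Copyright field carries script-like text, walks the JPEG segments to pull the ASCII fields out of the Exif APP1 segment, and flags fields that contain JavaScript markers or are implausibly long. The tag numbers (0x8298 Copyright, 0x0110 Model, etc.) are standard EXIF/TIFF tags; the marker regex and the length threshold are assumptions chosen for illustration, not indicators taken from the campaign.

```python
import re
import struct

# Standard EXIF/TIFF tag numbers for the ASCII fields a scanner usually cares about.
EXIF_TAG_NAMES = {0x010E: "ImageDescription", 0x0110: "Model",
                  0x8298: "Copyright", 0x9286: "UserComment"}

# Assumed heuristic: tokens that rarely appear in legitimate camera/editor metadata.
SCRIPT_MARKERS = re.compile(
    r"(eval\(|document\.|window\.|XMLHttpRequest|fromCharCode|function\s*\(|=>)")
MAX_SANE_LENGTH = 256  # assumption: longer ASCII fields deserve a look


def build_exif_jpeg(fields):
    """Constructed test fixture: SOI + APP1/Exif (little-endian TIFF, one IFD0
    holding ASCII fields) + EOI.  fields maps tag -> str."""
    entries = sorted(fields.items())
    n = len(entries)
    data_offset = 8 + 2 + 12 * n + 4        # TIFF header + count + entries + next-IFD
    ifd, data = struct.pack("<H", n), b""
    for tag, text in entries:
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:                    # short values live inline in the entry
            value = raw.ljust(4, b"\x00")
        else:                                # longer ones are stored after the IFD
            value = struct.pack("<I", data_offset + len(data))
            data += raw
        ifd += struct.pack("<HHI", tag, 2, len(raw)) + value   # type 2 = ASCII
    ifd += struct.pack("<I", 0)              # no next IFD
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + data
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif_ascii(jpeg):
    """Walk the JPEG segments and return {tag: str} for ASCII entries in IFD0
    of the Exif APP1 segment (both byte orders handled)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, fields = 2, {}
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                   # EOI
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            tiff = payload[6:]
            endian = "<" if tiff[:2] == b"II" else ">"
            ifd = struct.unpack(endian + "I", tiff[4:8])[0]
            count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
            for i in range(count):
                e = ifd + 2 + 12 * i
                tag, typ, cnt = struct.unpack(endian + "HHI", tiff[e:e + 8])
                if typ != 2:                 # only ASCII entries are of interest here
                    continue
                if cnt <= 4:
                    raw = tiff[e + 8:e + 8 + cnt]
                else:
                    off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
                    raw = tiff[off:off + cnt]
                fields[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        pos += 2 + seg_len
    return fields


def suspicious_exif_fields(jpeg):
    """Return [(tag_name, value)] for ASCII EXIF fields that look like script
    or are unreasonably long for metadata."""
    hits = []
    for tag, value in parse_exif_ascii(jpeg).items():
        if SCRIPT_MARKERS.search(value) or len(value) > MAX_SANE_LENGTH:
            hits.append((EXIF_TAG_NAMES.get(tag, hex(tag)), value))
    return hits


# Constructed samples: a benign file and one whose Copyright field carries script text.
CLEAN_JPEG = build_exif_jpeg({0x0110: "ExampleCam", 0x8298: "Copyright 2020 Example Shop"})
TAINTED_JPEG = build_exif_jpeg({0x0110: "ExampleCam",
                                0x8298: "Copyright 2020 (function(){document.title})()"})

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("tainted", TAINTED_JPEG)):
        print(name, suspicious_exif_fields(blob))
```

In a real deployment the same `suspicious_exif_fields` check would run over image uploads and over the images a storefront actually serves, since the post's point is that the image itself was loaded by the compromised store; a hit on a Copyright or UserComment field is a strong signal to pull the file and inspect the page that references it.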

Vulnerable Powerline Extenders Underline Lax IoT Security

securityintelligence.com/posts/vulnerable-powerline-extenders-underline-lax-iot-security/ Multiple vulnerabilities have been found in Tenda PA6 Wi-Fi Powerline extender, version 1.0.1.21. This device is part of Tenda's PH5 Powerline Extender Kit and extends the wireless network through homes' existing electrical circuitry.

Two record DDoSes disclosed this week underscore their growing menace

arstechnica.com/information-technology/2020/06/two-record-ddoses-disclosed-this-week-underscore-their-growing-menace/ Distributed denial-of-service attacks, those floods of junk traffic that criminals use to disrupt or completely take down websites and services, have long been an Internet scourge, with events that regularly cripple news outlets and software repositories and in some cases bring huge parts of the Internet to a standstill for hours. Now there's evidence that DDoSes, as they're usually called, are growing more potent, with two record-breaking attacks coming to light in the past week. Related:

www.bleepingcomputer.com/news/security/european-bank-suffers-biggest-pps-ddos-attack-new-botnet-suspected/

www.theregister.com/2020/06/25/akamai_809mpps_attack/

www.darkreading.com/attacks-breaches/another-record-breaking-ddos-attack-signals-shift-in-criminal-methods/d/d-id/1338177

List of Ripple20 vulnerability advisories, patches, and updates

www.bleepingcomputer.com/news/security/list-of-ripple20-vulnerability-advisories-patches-and-updates/ The dust is far from settled following the disclosure of the 19 vulnerabilities in the TCP/IP stack from Treck, collectively referred to as Ripple20, which could help attackers take full control of vulnerable devices on the network. Treck's code is fundamental for the embedded devices it is implemented on because it bestows network communication to them and is present on gadgets used in a variety of sectors: technology, medical, construction, mining, printing, energy, software, industrial control systems (ICS), telecom, retail, commerce.

Ransomware and hacking: How it feels to be the victim of cybercrime

www.zdnet.com/article/it-is-stressful-it-is-frightening-what-its-like-to-be-a-victim-of-hacking-and-ransomware/ Much of the analysis of cybercrime tends to focus on the financial costs or the technical aspects involved. That means the psychological impact of falling victim to hacking, ransomware or other cyberattacks tends to be ignored. There’s a widespread perception that cybercrimes don’t have as bad an impact as some physical crimes, said Professor Mark Button, director of the Centre for Counter Fraud Studies at the University of Portsmouth.

Ransomware crims to sell off ‘scandalous’ files swiped from Mariah Carey, Nicki Minaj, Puff Daddy’s legal eagles

www.theregister.com/2020/06/24/celebrity_ransomware_blackmail/ $600k starting bid, say public extortionists, or $42m to keep schtum. Ransomware criminals claiming to have siphoned confidential docs on Nicki Minaj, Mariah Carey, and Lebron James from an American law firm are threatening to auction off the info.

Vulnerabilities Declining in Open Source, But Slow Patching Still a Problem

www.darkreading.com/vulnerabilities—threats/vulnerabilities-declining-in-open-source-but-slow-patching-still-a-problem/d/d-id/1338179 Even as more code is produced, indirect dependencies continue to undermine security. Driven by growth in the JavaScript, Java, and Python ecosystems, the number of open source software packages more than doubled in 2019, but the number of vulnerabilities fell by 20%, suggesting that developers are weeding out simple vulnerabilities, a new report shows.

LG Electronics allegedly hit by Maze ransomware attack

www.bleepingcomputer.com/news/security/lg-electronics-allegedly-hit-by-maze-ransomware-attack/ Maze ransomware operators have claimed on their website that they breached and locked the network of the South Korean multinational LG Electronics. The details of the attack have not been released, but the hackers stated that they have stolen from the company proprietary information for projects that involve big U.S. companies.

Why Cybersecurity Is Really A Business Problem

www.forbes.com/sites/louiscolumbus/2020/06/25/why-cybersecurity-is-really-a-business-problem/ Absolute's 2020 Endpoint Resilience Report illustrates why the purpose of any cybersecurity program needs to be attaining a balance between protecting an organization and the need to keep the business running, starting with secured endpoints. Enterprises who've taken a blank-check approach in the past to spending on cybersecurity are facing the stark reality that all that spending may have made them more vulnerable to attacks.

ICS/OT Incident Response in Times of Lockdown

www.dragos.com/blog/industry-news/ics-ot-incident-response-in-times-of-lockdown/ The restrictions put in place to slow the spread of the COVID-19 pandemic have forced us to reassess how to react to cyber incidents in OT environments. As travel restrictions were being put in place, the Dragos Incident Response team began to create plans, procedures, and tooling to enable us to still perform IR services to our customers during these challenging times. This article aims to give some guidance on how to adapt your incident response posture to the current situation.

Maersk, me & notPetya

gvnshtn.com/maersk-me-notpetya/ Maersk is the world's largest integrated shipping and container logistics company. I was massively privileged (no pun intended) to be their Identity & Access Management (IAM) Subject Matter Expert (SME), and later IAM Service Owner. Along with tens (if not hundreds) of others, I played a role in the recovery and cybersecurity response to the events of the well-publicised notPetya malware attack in 2017. I left Maersk in March 2019, and as is customary I wrote the obligatory thank you and goodbye note. But there was always a lot more to add. A story to tell.
