Daily NCSC-FI news followup 2020-07-02

Connection discovered between Chinese hacker group APT15 and defense contractor

www.zdnet.com/article/connection-discovered-between-chinese-hacker-group-apt15-and-defense-contractor/ Lookout said it linked APT15 malware to Xi’an Tianhe Defense Technology, a Chinese defense contractor. In a report published today, cyber-security firm Lookout said it found evidence connecting Android malware that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an.

Hundreds arrested after encrypted messaging network takeover

www.bleepingcomputer.com/news/security/hundreds-arrested-after-encrypted-messaging-network-takeover/ European law enforcement agencies arrested hundreds of suspects in several countries including France, Netherlands, the UK, Norway, and Sweden after infiltrating the EncroChat encrypted mobile communication network used by organized crime groups. EncroChat phones used by international criminal networks around the world to exchange encrypted data and millions of messages came with dual operating systems (Android OS and the EncroChat OS).

Inside a ransomware attack: From the first breach to the ransom demand

www.zdnet.com/article/inside-a-ransomware-attack-from-the-first-breach-to-encrypting-a-network-in-just-two-weeks/ Security researchers map out how a ransomware attack plays out over a two week period.

Ransomware Gangs Don’t Need PR Help

krebsonsecurity.com/2020/07/ransomware-gangs-dont-need-pr-help/ We’ve seen an ugly trend recently of tech news stories and cybersecurity firms trumpeting claims of ransomware attacks on companies large and small, apparently based on little more than the say-so of the ransomware gangs themselves. Such coverage is potentially quite harmful and plays deftly into the hands of organized crime.

Hacker ransoms 23k MongoDB databases and threatens to contact GDPR authorities

www.zdnet.com/article/hacker-ransoms-23k-mongodb-databases-and-threatens-to-contact-gdpr-authorities/ The hacker has attempted to ransom nearly 47% of all MongoDB databases left exposed online.

This is how EKANS ransomware is targeting industrial control systems

www.zdnet.com/article/this-is-how-ekans-ransomware-is-targeting-industrial-control-systems/ New samples of the ransomware reveal the techniques used to attack critical ICS systems. report:

www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems

FakeSpy Android Malware Spread Via Postal-Service’ Apps

threatpost.com/fakespy-android-malware-spread-via-postal-service-apps/157102/ New smishing’ campaigns from the Roaming Mantis threat group infect Android users with the FakeSpy infostealer.

Sixteen Facebook apps caught secretly sharing data with third-parties

www.zdnet.com/article/sixteen-facebook-apps-caught-secretly-sharing-data-with-third-parties/ Academic study used unique “honeytoken” emails to install Facebook apps and see which inboxes received emails from unrecognized senders.

Alina Point Of Sale Malware Still Lurking In DNS

blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/

G DATA threat report: Number of cyber attacks increases significantly in the first quarter

www.gdatasoftware.com/blog/2020/07/36199-number-of-cyber-attacks-increases-significantly-in-the-first-quarter The current threat analysis by G DATA CyberDefense shows that the number of attacks prevented in March 2020 has increased significantly. The cyber defence company averted almost a third more attacks than in February. Especially active – GuLoader and Trickbot. Old tricks, new losses – tech supports scams

GoldenSpy backdoor installed by tax software gets remotely removed

www.bleepingcomputer.com/news/security/goldenspy-backdoor-installed-by-tax-software-gets-remotely-removed/ As soon as security researchers uncovered the activity of GoldenSpy backdoor, the actor behind it fell back and delivered an uninstall tool to remove all traces of the malware. GoldenSpy stayed hidden in software called Intelligent Tax, from Aisino Corporation, that a Chinese bank required its company customers to install for paying local taxes.

Apache Guacamole Opens Door for Total Control of Remote Footprint

threatpost.com/apache-guacamole-control-remote-footprint/157124/ Several vulnerabilities can be chained together for a full exploit. Apache Guacamole, a popular infrastructure for enabling remote working, is vulnerable to a slew of security bugs related to the Remote Desktop Protocol (RDP), researchers have warned. Admins should update their systems to avoid attacks bent on stealing information or remote code-execution. report:

research.checkpoint.com/2020/apache-guacamole-rce/

MITEN VALITA TURVALLINEN ETÄTYÖVÄLINE? OHJEITA JA VINKKEJÄ AVUKSI

www.huoltovarmuuskeskus.fi/miten-valita-turvallinen-etatyovaline-ohjeita-ja-vinkkeja-avuksi/ Moni on tänä vuonna miettinyt, mikä etätyöhön käytettävä sovellus on turvallinen käyttää. Tästä syntyi ajatus oppaasta, joka auttaa organisaatioita, heidän työntekijöitään ja tietoturvasta vastaavia vertailemaan eri etätyövälineitä keskenään ja valitsemaan sopiva monista vaihtoehdoista. Oppaan on teettänyt Huoltovarmuusorganisaation Digipooli.

NSA releases guidance on securing IPsec Virtual Private Networks

www.bleepingcomputer.com/news/security/nsa-releases-guidance-on-securing-ipsec-virtual-private-networks/ The US National Security Agency (NSA) has published guidance on how to properly secure IP Security (IPsec) Virtual Private Networks (VPNs) against potential attacks.

Windows 10 background image tool can be abused to download malware

www.bleepingcomputer.com/news/security/windows-10-background-image-tool-can-be-abused-to-download-malware/ A binary in Windows 10 responsible for setting an image for the desktop and lock screen can help attackers download malware on a compromised system without raising the alarm. Researchers from SentinelOne discovered that “desktopimgdownldr.exe, ” located in Windows 10’s system32 folder, can also serve as a LoLBin.

ENISA Launches Public Consultation for First Candidate Cybersecurity Certification Scheme

www.enisa.europa.eu/news/enisa-news/enisa-launches-public-consultation-for-first-candidate-cybersecurity-certification-scheme The EUCC Candidate Scheme for ICT Products, set to replace the SOG-IS, is released today for public feedback.

We discovered the Palo Alto SAML vulnerability (CVE-2020-2012). There’s lots of confusion about the role of the ‘Disable cert validation’ check box in this issue. TLDR; Having this turned off is standard, expected, and not bad practice. Patch your PA, and leave this off.

threadreaderapp.com/thread/1278074919092289537.html

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.