Daily NCSC-FI news followup 2020-07-07

F5 BigIP vulnerability exploitation followed by a backdoor implant attempt

isc.sans.edu/diary/rss/26322 While monitoring SANS Storm Center’s honeypots today, I came across the second F5 BIGIP CVE-2020-5902 vulnerability exploitation followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday.

Mac ThiefQuest malware may not be ransomware after all

blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/ The ThiefQuest malware, which was discovered last week, may not actually be ransomware according to new findings. The behaviors that have been documented thus far are still all accurate, but we no longer believe that the ransom is the actual goal of this malware. Also

On Artifact Constellations And “Toolmarks”

windowsir.blogspot.com/2020/07/on-artifact-constellations-and-toolmarks.html While it’s very useful that there are cheat sheets available that provide us with a list of DFIR artifacts to examine, as analysts we are called upon to go beyond looking at artifacts in isolation, and instead base findings on artifact constellations. Doing so also allows us to develop toolmarks associated with specific sets of activities, providing context and allowing us to better understand threat actors. It’s easy to say that some event (Windows Defender was disabled) occurred, but developing the how and the when of that event provides the context to better visualize a threat actor’s activities.

Citrix Bugs Allow Unauthenticated Code Injection, Data Theft

threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/ Attacks on the management interface of the products could result in system compromise by an unauthenticated user on the management network; or system compromise through cross-site scripting (XSS). Attackers could also create a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, could result in the compromise of a local computer.

Cerberus Banking Trojan Unleashed on Google Play

threatpost.com/cerberus-banking-trojan-unleashed-google-play/157218/ Researchers said that the trojan was found within the last few days, as it was being spread via a Spanish currency converter app (called Calculadora de Moneda), which has been available to Android users in Spain since March. Once executed, the malware has the capabilities to steal victims’ bank-account credentials and bypass security measures, including two-factor authentication (2FA).

Microsoft’s Project Freta: This new free service spots rootkits lurking in cloud VMs

www.zdnet.com/article/microsofts-project-freta-this-new-free-service-spots-rootkits-lurking-in-cloud-vms/ “Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button, no setup required,” says Mike Walker, a senior director at Microsoft Research’s New, or NExT, Security Ventures team. API code to the service at github.com/Microsoft/project-freta. Also

New research reveals privacy risks of home security cameras

techxplore.com/news/2020-07-reveals-privacy-home-cameras.html For the study, researchers from the Chinese Academy of Science and Queen Mary University of London tested if an attacker could infer privacy-compromising information about a camera’s owner from simply tracking the uploaded data passively without inspecting any of the video content itself. The findings, published at the IEEE International Conference on Computer Communications (6-9 July 2020), showed that the traffic generated by the cameras could be monitored by attackers and used to predict when a house is occupied or not.

US Treasury shares tips on spotting money mule and imposter scams

www.bleepingcomputer.com/news/security/us-treasury-shares-tips-on-spotting-money-mule-and-imposter-scams/ The advisory provides detailed descriptions of what imposter scams and money mule schemes are, a series of financial red-flag indicators that can be used for detecting them, and info needed by financial orgs to report such suspicious activity. Advisory at

COVID-19 Cybercrime Capitalizing on Brazil’s Government Assistance Program

securityintelligence.com/posts/covid-19-cybercrime-capitalizing-on-brazils-government-assistance-program/ We examine how cybercriminals are capitalizing on COVID-19 in Brazil, the most populous country in South America and second in the world for the number of coronavirus infections as of early June, by delivering malicious email, SMS text and WhatsApp messages and creating hundreds of malicious sites since March 2020. In particular, our analysts found that over 693 new COVID-19-related Brazilian cybercriminal malicious websites have been created this year, many capitalizing on the country’s government assistance program related to the pandemic.

Hundreds of forgotten corners of mega-corp websites fall into the hands of spammers and malware slingers

www.theregister.com/2020/07/07/microsoft_azure_takeovers/ More than 240 website subdomains belonging to organizations large and small, including household names, were hijacked to redirect netizens to malware, X-rated material, online gambling, and other unexpected content. These big names are said to include Chevron, the Red Cross, UNESCO, 3M, Getty Images, Hawaiian Airlines, Arm, Warner Brothers, Honeywell, Autodesk, Toshiba, Xerox, the NHS, Siemens, Volvo, Clear Channel, Total, and more.

First-Ever Russian BEC Gang, Cosmic Lynx, Uncovered

threatpost.com/russian-bec-gang-cosmic-lynx-uncovered/ The BEC gang is called Cosmic Lynx, and has been associated with more than 200 BEC campaigns targeting senior-level executives in 46 countries since last July. The threat group sets itself apart from other run-of-the-mill BEC scams in that it uses extremely well-written emails, targets victims without DMARC policies and leverages a fake merger-and-acquisition scenario that allows it to steal larger sums of money from victims. The pretext in almost all attacks observed is that the victim’s company is preparing to close an acquisition deal with an Asian company. Cosmic Lynx purports to be the Asian company’s CEO and asks the target employee to work with external legal counsel to coordinate the payments necessary to close the acquisition.

Apple under pressure to act after TikTok pulls out of Hong Kong

www.theguardian.com/world/2020/jul/07/tiktok-pulls-out-of-hong-kong-as-police-get-sweeping-new-powers TikTok is to withdraw from Hong Kong app stores and Zoom will stop complying with city authorities’ data requests as technology companies react to the sweeping new national security laws imposed on the city by Beijing. Facebook, Microsoft, Twitter, Google and Telegram have already said they are pausing cooperation with requests for user information, putting pressure on Apple, which says it is assessing the new law, to do the same. Also

Pig in a poke: smartphone adware

securelist.com/pig-in-a-poke-smartphone-adware/ Our support team continues to receive more and more requests from users complaining about intrusive ads on their smartphones from unknown sources. In some cases, the solution is quite simple. In others, the task is far harder: the adware plants itself in the system partition, and trying to get rid of it can lead to device failure. In addition, ads can be embedded in undeletable system apps and libraries at the code level. According to our data, 14.8% of all users attacked by malware or adware in the past year suffered an infection of the system partition.

Hey Alexa. Is This My Voice Or a Recording?

www.bankinfosecurity.com/hey-alexa-this-my-voice-or-recording-a-14562 A group of researchers with Samsung Research and Data61, a unit within Australia’s Commonwealth Scientific and Industrial Research Organization, or CSIRO, have developed a system called Void – short for Voice liveness Detection – to prevent voice-spoofing attacks. A research paper describing Void will be presented at the USENIX Security Symposium in Boston in August. Void looks at 97 spectrogram features, or how recorded voices look when the frequencies are visually mapped. There are significant differences that emerge when comparing live voices to recorded ones. Played-back voices have distortions that occur when played through loudspeakers, the researchers write.

France won’t ban Huawei, but encouraging 5G telcos to avoid it: report

www.reuters.com/article/us-france-huawei-5g/france-wont-ban-huawei-but-encouraging-5g-telcos-to-avoid-it-report-idUSKBN2460TT The head of the French cybersecurity agency ANSSI said there would not be a total ban on using equipment from Huawei in the rollout of the French 5G telecoms network, but that it was pushing French telcos to avoid switching to the Chinese company.

Hackers Are Spreading Trump Propaganda Through Roblox

www.forbes.com/sites/davidthier/2020/07/05/hackers-are-spreading-trump-propaganda-through-roblox/#4c6b689b6aa7 Roblox, a popular game among children and early teens that announced 100 million active players last year, has become a small-scale battleground in the upcoming presidential elections. The BBC is reporting that hackers are taking over accounts to spread pro-Trump propaganda, dressing them up in red hats like Trump supporters and putting pro-Trump messages in profiles.

Pompeo says U.S. looking at banning Chinese social media apps, including TikTok

www.reuters.com/article/us-usa-tiktok-china-pompeo-idUSKBN2480DF Secretary of State Mike Pompeo said late on Monday that the United States is certainly looking at banning Chinese social media apps, including TikTok.

X-FAB Affected by Cyber Attack

www.businesswire.com/news/home/20200705005045/en/X-FAB-Affected-Cyber-Attack On July 5, 2020, X-FAB Group was the target of a cyber security attack. Following the advice of leading security experts engaged by X-FAB, all IT systems have been immediately halted. As an additional preventive measure, production at all six manufacturing sites has been stopped.

Microsoft Seizes Domains Used in COVID-19-Themed Attacks

www.darkreading.com/operations/microsoft-seizes-domains-used-in-covid-19-themed-attacks/d/d-id/1338293 Court grants company’s bid to shut down infrastructure used in recent campaigns against Office 365 users.
