Daily NCSC-FI news followup 2020-07-08

Redirect auction

securelist.com/redirect-auction/ Razor Enhanced, a legitimate assistant tool for Ultima Online, caught our eye when it started trying to access a malicious URL.. The WHOIS data told us that its owner had stopped paying for the domain name, and that it had been purchased using a service for tracking released domains, and then put up for sale on the auction site.. Having observed this page for a while, we noticed that from time to time visitors who initially went to the now inactive website of the app developer did not land on the auction stub, but on a malicious resource (which is basically what happened with Razor Enhanced when it decided to check for updates). Next, we learned that the stub site redirects visitors not to a specific resource, but to . different websites, including ones on partner networks. Whats more, the type of redirect can vary depending on the country and user agent: when accessing from a macOS device, the victim might land on a page that downloads the Shlayer Trojan.

GCHQ’s cyber arm report on Huawei said to be burning hole through UK.gov desks

www.theregister.com/2020/07/08/huawei_ncsc_report_trade_war_uk_ban_roundup/ Britain is all a-tizzy about Huawei again as talk swirls over the imminent release of an unofficial report into the Chinese companys influence over prominent Britons and a ban on its telco equipment.. The Daily Mail reported at length the claims of former MI6 spy Christopher Steele that China had used current tensions over Huawei equipment in phone networks as a means of recruiting “useful idiots”. The firm denied this, describing Steeles dossier as having “no basis in fact”.. Also www.theregister.com/2020/07/08/huawei_uk_govt/

Helsingin poliisi tutkii: Postin nimissä tehty useita huijauksia, rikoshyöty noin 250 000 euroa

yle.fi/uutiset/3-11438089?origin=rss Helsingin poliisilaitos tutkii Postin nimissä tehtyjä ammattimaisia huijauksia. Huijaukset on toteutettu kolmena eri ajankohtana. Helsingin poliisin tietoon on tullut viime viikonlopun aikana ja sen jälkeen yli 30 uhria. Kaikkiaan uhreja on tiedossa lähes 100..



DOJ indict Fxmsp hacker for selling access to hacked orgs, AV firms

www.bleepingcomputer.com/news/security/doj-indict-fxmsp-hacker-for-selling-access-to-hacked-orgs-av-firms/ In an indictment unsealed today, the DOJ is charging a citizen of Kazakhstan named Andrey Turchin, also known as “Fxmsp,” with conspiracy to commit computer hacking, two counts of computer fraud and abuse (hacking), conspiracy to commit wire fraud, and access device fraud. .


Drone Path Often Reveals Operator’s Location

www.darkreading.com/threat-intelligence/drone-path-often-reveals-operators-location/d/d-id/1338292 The way that a drone moves and its path through the sky can reveal the location of the operator, a critical step in preventing drone attacks on critical infrastructure and other malicious activities, researchers at Ben-Gurion University (BGU) of the Negev said in a paper published on July 7. . Original at

in.bgu.ac.il/en/pages/news/drone_pinpoint.aspx paper at


Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool

www.fireeye.com/blog/threat-research/2020/07/configuring-windows-domain-dynamically-analyze-obfuscated-lateral-movement-tool.html We suspected the sample to be a lateral movement tool, so we needed an appropriate environment for dynamic analysis. Configuring the environment proved to be essential, and we want to empower other analysts who encounter samples that leverage a domain. Here we will explain the process of setting up a virtualized Windows domain to run the malware, as well as the analysis techniques we used to . confirm some of the malware functionality.

Keeper Magecart Group Infects 570 Sites

geminiadvisory.io/keeper-magecart-group-infects-570-sites/ Gemini discovered that the Keeper Magecart group, which consists of an interconnected network of 64 attacker domains and 73 exfiltration domains, has targeted over 570 victim e-commerce sites in 55 different countries from April 1, 2017 until the present. The Keeper exfiltration and attacker domains use identical login panels and are linked to the same dedicated server; this server hosts both . the malicious payload and the exfiltrated data stolen from victim sites.. Also www.theregister.com/2020/07/07/keeper_crew_magecart/

Cops Seize Server that Hosted BlueLeaks, DDoSecrets Says

www.vice.com/en_us/article/qj43xq/cops-seize-blueleaks-ddosecrets-server Authorities in Germany have seized a server used by the organization that published a trove of US police internal documents commonly known as BlueLeaks, according to the organizations founder.. DDoSecrets has recently taken WikiLeaks mantle as the most influential leaking organization on the internet, publishing several dumps such as data stolen from the Chilean military, and Neo-Nazi messages exchanged on the chat platform Discord.. At the end of June, the organization published what it called BlueLeaks, a collection of almost 270 gigabytes of data likely hacked and stolen from police fusion centers in the US. The data included internal law enforcement communications, as well as some personal information belonging to agents.

Vulnerability Management Maturity Model

www.sans.org/blog/vulnerability-management-maturity-model/ Getting into the meat of the model, it is broken down into five focus areas. They are PREPARE, IDENTIFY, ANALYZE, COMMUNICATE, and TREAT. These are the five areas of the PIACT process from the course. Tasks and activities that are part of a vulnerability management program fit across these five sections.


www.europol.europa.eu/newsroom/news/italy-and-romania-take-down-cyber-fraud-ring-generating-%E2%82%AC20-million-year-in-criminal-profits The criminal organisation was using a wide network of money mules in Italy, created to launder criminal proceeds from a variety of cybercrime activities. The criminal group was involved in financial frauds and cyber scams such as rental fraud (fraud through the advertisement of non-existent properties to rent) and CEO fraud (impersonating a company official to trigger large transfers to bogus . accounts). With these frauds, the criminals were deceiving victims across Europe into making wire transfers to Italian bank accounts, owned by the money mules. It is estimated that the criminal group has generated up to 20 million losses per year for victims across Europe.

Unsecured Chinese companies leak users sensitive personal and business data

cybernews.com/security/unsecured-chinese-companies-leak-users-sensitive-personal-and-business-data/ Our research uncovered two unsecured databases, with millions of records, belonging to companies that are based in China and provide different types of services. One database belongs to Xiaoxintong, which offers multiple apps and services aimed at elderly care. The other database we discovered seems to be connected to Shanghai Yanhua Smartech tools, which provides services related to intelligent . buildings.

OT Infrastructure Attacks The Risk is Real

www.fortinet.com/blog/industry-trends/ot-infrastructure-attacks-the-risk-is-real Despite the added risk to OT networks, IT/OT convergence is happening because it makes financial and operational sense. Operations teams are implementing sophisticated control systems that use software and databases that run on IT systems. Things like WiFi-enabled thermostats and valves can be monitored and controlled remotely over the IT infrastructure And CFOs dont like the costs of separate . networks or the separate teams needed to run them. . Also

www.fortinet.com/blog/industry-trends/report-ot-security-remains-challenge-for-leaders-across-industries. Report at


Mozilla suspends Firefox Send service while it addresses malware abuse

www.zdnet.com/article/mozilla-suspends-firefox-send-service-while-it-addresses-malware-abuse/ Mozilla has temporarily suspended the Firefox Send file-sharing service as the organization investigates reports of abuse from malware operators and while it adds a “Report abuse” button.

More Than 1,000 IoT Security Guidelines: Which One to Use?

www.bankinfosecurity.com/more-than-1000-iot-security-guidelines-which-one-to-use-a-14570 Christopher Bellman, a computer science doctoral student at Carleton, and Paul C. van Oorschot, a professor of computer science, examined the guideline documents. In a research paper, they conclude that terms such as best practices, recommendations, requirements and guidelines were often used interchangeably.. Paper at


Framing the Security Story: The Simplest Threats Are the Most Dangerous

www.darkreading.com/vulnerabilities—threats/framing-the-security-story-the-simplest-threats-are-the-most-dangerous/a/d-id/1338222 Often, it is the simplest vulnerabilities that are leveraged to breach a system. The reason for this: The easier a vulnerability is to exploit, the higher the number of threat actors that can, and actually will, exploit that vulnerability. It is a simple numbers game, yet the CISO and security team have a real problem framing this security story in a way that is both accurate and meaningful for . executive leadership.. What I’ve discovered in almost two decades of attack simulation (including penetration testing and red/blue/purple teaming) as well as developing and advising these programs globally is that breaking in is still relatively easy. This does not mean that all the security work organizations have done is wasted or poor.

Applying the 80-20 Rule to Cybersecurity

www.darkreading.com/operations/applying-the-80-20-rule-to-cybersecurity-/a/d-id/1338205 Can we identify a Cybersecurity Pareto Principle? We can if security teams concentrate on these six priorities:. Principle 1: Develop and Govern a Healthy Security Culture. Principle 2: Manage Risk in the Language of Business. Principle 3: Establish a Control Baseline. Principle 4: Simplify and Rationalize IT and Security. Principle 5: Control Access with Minimal Drag on the Business. Principle 6: Institute Resilient Detection, Response and Recovery

Business efficiency metrics are more important than detection metrics

www.helpnetsecurity.com/2020/07/07/business-efficiency-metrics-are-more-important-than-detection-metrics/ Businesses would benefit from taking a look at detection metrics in the context of how they may impact business efficiency metrics for better or worse. Today, robust security protocols require non-security employees to turn their attention from operational priorities, ultimately slowing productivity.. These implications can even extend to organizations who invest significantly in advanced security technologies to improve detection, if they fail to apply them in a manner that takes both security and business efficiency into account. In a 2019 study from McKinsey, they suggest that spending resources on such solutions can do more harm than good when strategy is misguided, creating significant . inefficiencies within the cybersecurity team, thereby compromising the cybersecurity program overall.

DigiCert ICA Replacement

knowledge.digicert.com/alerts/DigiCert-ICA-Replacement DigiCert has identified an issue where some of our intermediate CAs (ICAs) were not listed as part of our most recent WebTrust EV audit. To resolve the issue, we are replacing the affected ICAs. . [14 CA:s retired]. bugzilla.mozilla.org/show_bug.cgi?id=1650910

– From Exposure To Takeover: Part 1. Beg, Borrow, And Steal Your Way In

www.digitalshadows.com/blog-and-research/from-exposure-to-takeover-part-1-beg-borrow-and-steal-your-way-in/ To date, weve discovered 15 billion-plus credentials, stemming from more than 100,000 discrete breaches. Of these credentials, more than 5 billion are unique. . Also


secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-the-state-of-cloud-security-2020-wp.pdf Almost three-quarters of organizations hosting data or workloads in the public cloud experienced a security incident in the last year. Seventy percent of organizations reported they were hit by malware, ransomware, data theft, account compromise attempts, or cryptojacking in the last year.. Multi-cloud organizations reported more security incidents in the last 12 months.. Security gaps in misconfigurations were exploited in 66% of attacks […], while 33% of attacks used stolen credentials to get into cloud provider accounts.. Sophos state of cloud security report 2020

A Most Personal Threat: Implantable Devices in Secure Spaces

www.darkreading.com/iot/a-most-personal-threat-implantable-devices-in-secure-spaces/d/d-id/1338299 Do implantable medical devices pose a threat to secure communication facilities? A Virginia Tech researcher says they do, and the problem is growing.. So far, Michaels says, there has been relatively little recognition of this as an issue in secure facilities, with existing rules driven by HR as much as cybersecurity. “We want to protect the information and support the individual. Yet there comes a point which you probably deny entry,” he adds, and that point may be coming sooner than many people think.

Purple Fox EK Adds Exploits for CVE-2020-0674 and CVE-2019-1458 to its Arsenal

www.proofpoint.com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-its-arsenal Purple Fox is an exploit kit (EK) that appears to have been built to replace the RIG exploit kit (EK) in the distribution chain of Purple Fox malware (a Trojan/Rootkit). By building their own EK for distribution, the authors of the Purple Fox malware are able to save money by no longer paying for the Rig EK.

Google open-sources Tsunami vulnerability scanner

www.zdnet.com/article/google-open-sources-tsunami-vulnerability-scanner/ The search giant said that going forward Tsunami will focus on meeting the goals of high-end enterprise clients like itself, and the conditions found in these types of large and multi-device networks.. Furthermore, Tsunami will also be extended with support only for high-severity vulnerabilities that are likely to be weaponized, rather than focus on scanning for everything under the sun, as most vulnerability scanners tend to do today. This will be done to reduce alert fatigue for security teams.

USB a prevalent industrial vector vulnerability for OT systems

www.scmagazine.com/home/security-news/vulnerabilities/usb-prevalent-industrial-vector-vulnerability-for-ot-systems/ The company first studied the market in 2018, and since then the number of threats capable of disrupting OT rose from 26 percent in the first report to now 59 percent, which Honeywell tagged as staggering, as targeted and more sophisticated malware and ransomware attacks have become prevalent in focusing on industrial control and process automation systems.. Original at


You might be interested in …

Daily NCSC-FI news followup 2020-11-26

ENISA Report Highlights Resilience of Telecom Sector in Facing the Pandemic www.enisa.europa.eu/news/enisa-news/telecom-security-and-resilience-during-covid19 ENISA is releasing its Telecom Security During a Pandemic report at the 32nd meeting of EU telecom security authorities. Underlining the current strength of the sector in the face of the pandemic, the report also calls for increased cooperation, as telecommunications become more […]

Read More

Daily NCSC-FI news followup 2020-10-02

Emotet malware takes part in the 2020 U.S. elections www.bleepingcomputer.com/news/security/emotet-malware-takes-part-in-the-2020-us-elections/ Emotet is now taking part in the United States 2020 Presidential election with a new spam campaign pretending to be from the Democratic National Convention’s Team Blue initiative. XDSpy cyber-espionage group operated discretely for nine years www.bleepingcomputer.com/news/security/xdspy-cyber-espionage-group-operated-discretely-for-nine-years/ Researchers at ESET today published details about a […]

Read More

Daily NCSC-FI news followup 2021-04-04

Malware attack is preventing car inspections in eight US states www.bleepingcomputer.com/news/security/malware-attack-is-preventing-car-inspections-in-eight-us-states/ A malware cyberattack on emissions testing company Applus Technologies is preventing vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin. Applus Technologies cannot provide a time frame for when they will restore service as State governments require them to […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.