Daily NCSC-FI news followup 2020-07-09

More evil: A deep look at Evilnum and its toolset

www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ In this article we connect the dots and disclose a detailed picture of Evilnums activities. The groups targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.

Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688

isc.sans.edu/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688+/26330 It is not clear exactly which CVE was assigned to which vulnerability, but the possible candidates are CVE-2020-8195, CVE-2020-8196, . The first issue, probably the more severe one, is allowing for arbitrary file downloads.. The second vulnerability (which I don’t think has a CVE assigned to it, but I will update this diary if I find one), allows retrieval of a PCI-DSS report without authentication. Also


Critical Vulnerabilities Patched in Adning Advertising Plugin

www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/ On June 24, 2020, our Threat Intelligence team was made aware of a possible vulnerability in the Adning Advertising plugin, a premium plugin with over 8,000 customers. We eventually discovered 2 vulnerabilities, one of which was a critical vulnerability that allowed an unauthenticated attacker to upload arbitrary files, leading to Remote Code Execution(RCE), which could allow complete site takeover.

China’s Great Firewall descends on Hong Kong internet users

www.theguardian.com/world/2020/jul/08/china-great-firewall-descends-hong-kong-internet-users Many residents, already anxious since the law took effect last week, rushed to erase their digital footprint of any signs of dissent or support for the last year of protests. Charles Mok, a pro-democracy lawmaker who represents the technology sector, tweeted: We are already behind the de facto firewall.

Google Scrapped Cloud Initiative in China, Other Markets

www.bloomberg.com/news/articles/2020-07-08/google-scrapped-cloud-initiative-in-china-sensitive-markets Google abandoned plans to offer a major new cloud service in China and other politically sensitive countries due in part to concerns over geopolitical tensions and the pandemic, according to two employees familiar with the matter, revealing the challenges for U.S. tech giants to secure business in those markets.

We found yet another phone with pre-installed malware via the Lifeline Assistance program

blog.malwarebytes.com/android/2020/07/we-found-yet-another-phone-with-pre-installed-malware-via-the-lifeline-assistance-program/ We have discovered, yet again, another phone model with pre-installed malware provided from the Lifeline Assistance program via Assurance Wireless by Virgin Mobile. This time, an ANS (American Network Solutions) UL40 running Android OS 7.1.1.

Remote Code Execution in Citrix ADC

swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/ Many of you have probably heard of the CVE-2019-19781 vulnerability that I discovered at the end of last year. It is a critical vulnerability in Citrix ADC that allows unauthorized users to execute arbitrary operating system commands.. […] How I found the CVE-2019-19781

Fresh Options for Fighting Fraud in Financial Services

www.darkreading.com/risk/fresh-options-for-fighting-fraud-in-financial-services/a/d-id/1338249 Simply having access to more data for risk analysis, however, is not enough ensure a truly excellent service. Customers must also be given the opportunity to participate in securing their transactions. Recent research shows that consumers’ attitudes to a “friction-free” experience is changing, and they would now prefer to verify transactions before funds leave their account. While in the past, . banks would have viewed this approach as adding unnecessary friction to the user experience, modern consumers want to be more involved.

TAU Threat Discovery: Conti Ransomware

www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/ Conti uses a large number of independent threads to perform encryption, allowing up to 32 simultaneous encryption efforts, resulting in faster encryption compared to many other families.

UK Stalkerware Usage Soars During Lockdown

www.infosecurity-magazine.com/news/uk-stalkerware-soars-lockdown/ Anti-malware company Avast saw a sharp spike in the use of stalkerware during the UKs pandemic lockdown, it revealed this week. Installations of online spying and stalking apps across the country rose 83% on average from March onward, compared to January and February.

Report says US State and local government agencies struggle to keep up Cyber Attacks

www.cybersecurity-insiders.com/report-says-us-state-and-local-government-agencies-struggle-to-keep-up-cyber-attacks/ A recent report called The Economic Impact of Cyber Attacks on Municipalities published by KnowBe4 states that the US state and local government agencies are struggling to keep up with the cyber attacks.. Report at


New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173

blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/ As mentioned earlier, the most notable of these vulnerabilities is CVE-2020-10173, a Multiple Authenticated Command injection vulnerability found in Comtrend VR-3033 routers. Remote malicious attackers can use this vulnerability to compromise the network managed by the router.

New Joker variant hits Google Play with an old trick

research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/ Check Points researchers recently discovered a new variant of the Joker Dropper and Premium Dialer spyware in Google Play. Hiding in seemingly legitimate applications, we found that this updated version of Joker was able to download additional malware to the device, which subscribes the user to premium services without their knowledge or consent.

Protecting your remote workforce from application-based attacks like consent phishing

www.microsoft.com/security/blog/2020/07/08/protecting-remote-workforce-application-attacks-consent-phishing/ While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services. While you may be familiar with attacks focused on users, such as email phishing or credential compromise, application-based attacks, such as consent phishing, is another threat vector you . must be aware of. Today we wanted to share one of the ways application-based attacks can target the valuable data your organization cares about, and what you can do today to stay safe.


www.evina.com/they-steal-your-facebook/ Evina blocks fraudulent traffic but we dont stop there. New ways of perpetrating fraud are regularly brought to the attention of our cybersecurity experts and we recently discovered new malware that steals Facebook logins. This malware could effectively ruin your online and offline life by making off with the credentials of one of your most valued pieces of digital real estate. The malware was . embedded in a large number of popular apps:

Report: Popular Gambling App Exposed Millions of Users in Massive Data Leak

www.vpnmentor.com/blog/report-clubillion-leak/ The breach originated in a technical database built on an Elasticsearch engine and was recording the daily activities of millions of Clubillion players around the world.


www.cisa.gov/publication/securing-industrial-control-systems The Cybersecurity and Infrastructure Security Agency Industrial Control Systems (ICS) strategy, Securing Industrial Control Systems: A Unified Initiative, is a multi-year, focused approach to improve CISAs ability to anticipate, prioritize, and manage national-level ICS risk. Through this One CISA initiative, CISA will work with critical infrastructure (CI) owners and operators to build . ICS security capabilities that directly empower ICS stakeholders to secure their operations against ICS threats. . Fact sheet at


Introducing Kernel Data Protection, a new platform security technology for preventing data corruption

www.microsoft.com/security/blog/2020/07/08/introducing-kernel-data-protection-a-new-platform-security-technology-for-preventing-data-corruption/ Kernel Data Protection (KDP) is a new technology that prevents data corruption attacks by protecting parts of the Windows kernel and drivers through virtualization-based security (VBS). KDP is a set of APIs that provide the ability to mark some kernel memory as read-only, preventing attackers from ever modifying protected memory. For example, weve seen attackers use signed but vulnerable drivers . to attack policy data structures and install a malicious, unsigned driver. KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.

Remote Code Execution Vulnerability in Zoom Client for Windows (0day)

blog.0patch.com/2020/07/remote-code-execution-vulnerability-in.html We analyzed the issue and determined it to be only exploitable on Windows 7 and older Windows systems. While Microsoft’s official support for Windows 7 has ended this January, there are still millions of home and corporate users out there

You might be interested in …

Daily NCSC-FI news followup 2021-04-30

DarkPath scam group loses 134 domains impersonating the WHO therecord.media/darkpath-scam-group-loses-134-domains-impersonating-the-who/ United Nations security experts and security firm Group-IB said they worked together to take down 134 websites operated by a cybercrime group known as DarkPath. Group-IB told The Record that after notifying the UN’s International Computing Centre, they worked with “a wide network of regulators […]

Read More

Daily NCSC-FI news followup 2021-04-08

Researchers uncover a new Iranian malware used in recent cyberattacks thehackernews.com/2021/04/researchers-uncover-new-iranian-malware.html An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems. APT34 (aka OilRig) is known for its reconnaissance campaigns aligned with the strategic interests of Iran, primarily hitting […]

Read More

Daily NCSC-FI news followup 2020-03-30

Revealed: Saudis suspected of phone spying campaign in US www.theguardian.com/world/2020/mar/29/revealed-saudis-suspected-of-phone-spying-campaign-in-us Saudi Arabia appears to be exploiting weaknesses in the global mobile telecoms network to track its citizens as they travel around the US, according to a whistleblower who has shown the Guardian millions of alleged secret tracking requests. Emotet: Dangerous Malware Keeps on Evolving medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.