Daily NCSC-FI news followup 2020-07-18

Cloudflare outage takes down Discord, BleepingComputer, and other sites

www.bleepingcomputer.com/news/technology/cloudflare-outage-takes-down-discord-bleepingcomputer-and-other-sites/ Cloudflare is having an outage that is affecting many sites including Discord, BleepingComputer, and others. It is not known what is causing the outage, but users will not be able to connect to the affected sites depending on the region they are located in. Read also:

www.forbes.com/sites/daveywinder/2020/07/18/internet-down-human-error-not-cyber-attack-to-blame-says-cloudflare/

Twitter confirms: Hackers manipulated the social media company's employees to gain access to well-known people's accounts

yle.fi/uutiset/3-11455204 According to the New York Times, a young group of hackers was behind the attack. Social media company Twitter says that the hackers who carried out Wednesday's attack manipulated the company's employees in order to log in to the accounts of well-known people. The attack affected the Twitter accounts of dozens of well-known people and companies. According to Twitter, the hackers gained access to tools that are normally used by the messaging service's internal support team. They targeted 130 accounts, and on 45 of them they were able to reset passwords, log in and send tweets. The tweets were aimed at collecting bitcoin cryptocurrency. More on the topic: www.hs.fi/talous/art-2000006575801.html,

www.is.fi/digitoday/tietoturva/art-2000006575573.html,

www.nytimes.com/2020/07/16/us/politics/twitter-hack.html and

www.forbes.com/sites/daveywinder/2020/07/18/twitter-confirms-data-downloaded-from-8-hacked-accounts-heres-what-we-know-so-far-trump-biden-obama/. More on the topic:

www.reuters.com/article/us-twitter-cyber/twitter-says-attackers-downloaded-data-from-up-to-eight-non-verified-accounts-idUSKBN24J068 and

www.forbes.com/sites/louiscolumbus/2020/07/18/dissecting-the-twitter-hack-with-a-cybersecurity-evangelist/. More on the topic:

www.eff.org/deeplinks/2020/07/after-weeks-hack-it-past-time-twitter-end-end-encrypt-direct-messages and

www.theverge.com/2020/7/18/21329277/twitter-hack-breach-update-july-17-your-twitter-data-theft

Threat Roundup for July 10 to July 17

blogs.cisco.com/security/talos/threat-roundup-0710-0717 Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 3 and July 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

Election Security: Recovering from 2016, Looking Toward 2020

www.darkreading.com/operations/election-security-recovering-from-2016-looking-toward-2020/d/d-id/1338381 Researchers publish the results of a four-year investigation and discuss whether the US is ready to secure its largest elections. Months away from another presidential election, many wonder whether the United States has the protections and processes in place to secure its most important elections. Research shows 2016 was a wake-up call of sorts, prompting federal, state, and local officials to work together. Cisco Talos researchers began a long-term investigation into election security issues following the 2016 breach of the Democratic National Committee’s servers. Four years of research are summarized in a new report, which encompasses the elements of US election infrastructure, the complex role of political theory, the progress made since 2016, and the work that still needs to be done to protect elections.

Judge green-lights Facebook, WhatsApp hacking lawsuit against spyware biz NSO, unleashing Zuck’s lawyers

www.theregister.com/2020/07/17/facebook_whatsapp_nsa/ Facebook won a significant legal victory on Thursday when the judge hearing the lawsuit against Israeli spyware maker NSO Group declined to dismiss the case and allowed the crucial discovery process to move forward.

Seven ‘no log’ VPN providers accused of leaking (yup, you guessed it) 1.2TB of user logs onto the internet

www.theregister.com/2020/07/17/ufo_vpn_database/ A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet. This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to stumble upon.

Magento adds 2FA to protect against card skimming attacks

www.bleepingcomputer.com/news/security/magento-adds-2fa-to-protect-against-card-skimming-attacks/ Adobe has added two-factor authentication (2FA) throughout the Magento platform in response to the widespread number of attacks where skimmer scripts are deployed on hacked e-commerce sites to steal customers’ credit cards.

It’s baaaack: Public cyber enemy Emotet has returned

blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/ It was never a question of “if” but “when”. After five months of absence, the dreaded Emotet has returned. Following several false alarms over the last few weeks, a spam campaign was first spotted on July 13 showing signs of a likely comeback. The Emotet botnets started pushing malspam actively on Friday, July 17, using the same techniques as it employed previously. Malicious emails contain either a URL or an attachment. One familiar technique is for the document to be sent as a reply within existing email threads. Read also:

www.zdnet.com/article/emotet-botnet-returns-after-a-five-month-absence/,

arstechnica.com/information-technology/2020/07/destructive-emotet-botnet-returns-with-250k-strong-blast-of-toxic-email/ and

www.bleepingcomputer.com/news/security/emotet-spam-trojan-surges-back-to-life-after-5-months-of-silence/

The Week in Ransomware – July 17th 2020 – Freshly squeezed

www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-17th-2020-freshly-squeezed/ With Twitter hackers, 10/10 vulnerabilities, and Cloudflare outages this week, thankfully ransomware has been pretty slow. The biggest news is Orange confirming they were hit with a Nefilim ransomware attack and business customers’ data being stolen. We also saw an interesting ransomware that utilizes the Age encryption tool.

Deceptive Android malware strikes hundreds of apps: Passwords and credit cards at risk

www.is.fi/digitoday/tietoturva/art-2000006574364.html New Android malware steals data from 337 applications, but one factor keeps users safe, at least for now. Android users' login and payment details are being stolen with the new BlackRock malware, security company ThreatFabric reports. Its analysis is covered by Bleeping Computer and ZDNet, among others. BlackRock stands out from the crowd with its target list. It attacks a total of 337 applications, many of which relate to social media, networking, messaging and dating. The malware is based on a banking trojan, but it blurs the line between a typical banking trojan and spyware. That line was blurred long ago in PC malware. This time, however, it is not the kind of threat that easily makes its way onto a user's device. Unlike in many other cases, BlackRock has not yet been found in Google Play, the official download store for Android apps. To get it, a user has to navigate to unofficial stores, which cannot be recommended precisely because of the serious security risks.

Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover

threatpost.com/thousands-f5-big-ip-users-takeover/157543/ Less than 500 machines have been patched since U.S. Cyber Command issued an alert to patch a critical bug that’s under active exploit. About 8,000 users of F5 Networks’ BIG-IP family of networking devices are still vulnerable to full system access and remote code-execution (RCE), despite a patch for a critical flaw being available for two weeks.

Tech Firms Hire ‘Red Teams.’ Scientists Should, Too

www.wired.com/story/tech-firms-hire-red-teams-scientists-should-too/ The recent retraction of a research paper which claimed to find no link between police killings and the race of the victims was a story tailor-made for today’s fights over cancel culture. First, the authors asked for the paper to be withdrawn, both because they’d been “careless when describing the inferences that could be made from our data” and because of how others had interpreted the work. (In particular they pointed to a recent op-ed in The Wall Street Journal with the headline, “The Myth of Systemic Police Racism.”) Then, after two days of predictable blowback from those decrying what they saw as left-wing censorship, the authors tried to clarify: “People were incorrectly concluding that we retracted due to either political pressure or the political views of those citing the paper,” they wrote in an amended statement.

All in One SEO Pack Plugin Patches XSS Vulnerability

wptavern.com/all-in-one-seo-pack-plugin-patches-xss-vulnerability All in One SEO Pack patched an XSS vulnerability this week that was discovered by the security researchers at Wordfence on July 10. The popular plugin has more than 2 million active installs, according to WordPress.org. Wordfence researchers categorized it as “a medium severity security issue” that could result in “a complete site takeover and other severe consequences”: the flaw allowed authenticated users with contributor level access or above to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s “all posts” page. Version 3.6.2, released on July 15, 2020, includes the following update in the changelog: “Improved the output of SEO meta fields + added additional sanitization for security hardening.” Read also:

www.wordfence.com/blog/2020/07/2-million-users-affected-by-vulnerability-in-all-in-one-seo-pack/

MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface

googleprojectzero.blogspot.com/2020/07/mms-exploit-part-1-introduction-to-qmage.html By publishing this and further blog posts in the Qmage series, I am hoping to shed more light on how I found the codec, what I learned about it during reconnaissance and preparation for fuzzing, and finally how I managed to circumvent various Android mitigations and obstacles along the way to write a reliable MMS exploit. Please join me on this ride!

The cybercriminal group SILENCE

www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-007/ SILENCE is a group of allegedly Russian-speaking, independent cybercriminals that has been on the scene since 2016. Initially it mostly targeted banks in CIS countries (such as Russia, Belarus, Moldova, Armenia and Kazakhstan) as well as Ukraine, but has since extended its reach to some thirty countries across Europe (Germany, Switzerland, the UK and Austria among them), Asia (including Israel, Turkey, Taiwan, Malaysia and South Korea) and Africa (e.g. Ghana and Kenya). This report provides a synthesis of ANSSI’s knowledge on SILENCE and aims at helping financial institutions to protect themselves from this cybercriminal group. Indicators of compromise are available on the page CERTFR-2020-IOC-002. Read also:

www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-002/ and

www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-007.pdf

The malware Dridex: origins and uses

www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-008/ Surfacing in June 2014 as a variant of the banking trojan Bugat, Dridex is malware which has evolved a lot since then in terms of functionalities and uses. This report provides a synthesis of ANSSI’s knowledge on Dridex and its operators to help increase protections against them. Indicators of compromise are available on the page CERTFR-2020-IOC-003. Read also:

www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/ and

www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

Alert (AA20-198A) – Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation

us-cert.cisa.gov/ncas/alerts/aa20-198a Attributing malicious cyber activity that uses network tunneling and spoofing techniques to a specific threat actor is difficult. Attribution requires analysis of multiple variables, including location. Because threat actors can use these techniques to obfuscate their location, it is not possible to identify the true physical location of malicious activity based solely on the geolocation of Internet Protocol (IP) addresses. This Alert discusses how threat actors use these obfuscation techniques to mislead incident responders.
