Daily NCSC-FI news followup 2020-07-30

Hackers Broke Into Real News Sites to Plant Fake Stories

www.wired.com/story/hackers-broke-into-real-news-sites-to-plant-fake-stories-anti-nato/ A disinfo operation broke into the content management systems of Eastern European media outlets in a campaign to spread misinformation about NATO. FireEye’s finding that all of those operations to plant fake news were carried out by a single group comes on the heels of a report from The New York Times that Russia’s military intelligence agency, the GRU, has been coordinating the publication of disinformation on sites like InfoRos, OneWorld.press, and GlobalResearch.ca. US intelligence officials speaking to the Times said that disinformation campaign, which included false reports that Covid-19 originated in the US, was specifically the work of the GRU’s “psychological warfare unit,” known as Unit 54777. also:


Operation (North Star): A Job Offer That’s Too Good to be True?

www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/ We are in the midst of an economic slump, with more candidates than there are jobs, something that has been leveraged by malicious actors to lure unwitting victims into opening documents laden with malware. While the attacks during this unprecedented time have largely been carried out by low-level fraudsters, the more capable threat actors have also used this crisis as an opportunity to hide in plain sight. One such example is a campaign that McAfee Advanced Threat Research (ATR) observed as an increase in malicious cyber activity targeting the Aerospace & Defense industry.

Chinese State-Sponsored Group RedDelta Targets the Vatican and Catholic Organizations

www.recordedfuture.com/reddelta-targets-catholic-organizations/ From early May 2020, the Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations that were targeted by RedDelta, a Chinese state-sponsored threat activity group tracked by Insikt Group. This series of suspected network intrusions also targeted the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions (PIME), Italy. These organizations had not been publicly reported as targets of Chinese threat activity groups prior to this campaign. full report (PDF):


ESET Threat Report Q2 2020

www.welivesecurity.com/2020/07/29/eset-threat-report-q22020/ A view of the Q2 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts. PDF:


Andrej Hunko and the Party Borotba: Propaganda from the Kremlin to the Bundestag

www.bellingcat.com/news/uk-and-europe/2020/07/28/andrej-hunko-and-the-party-borotba-propaganda-from-the-kremlin-to-the-bundestag/ In 2016 Germany’s counter-intelligence agency, the BfV, stated that Russia was behind a series of cyber attacks against the country’s institutions and politicians. Those included a major hack of the German Bundestag in 2015, and another attack the following year against the ruling Christian Democratic Party.

Zoom Bug Allowed Snoopers to Crack Private Meeting Passwords in Minutes

thehackernews.com/2020/07/zoom-meeting-password-hacking.html Zoom meetings are by default protected by a six-digit numeric password, but according to Tom Anthony, VP Product at SearchPilot who identified the issue, the lack of rate limiting enabled “an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.”

Adversarial use of current events as lures

blog.talosintelligence.com/2020/07/current-events-lures.html In today’s threat landscape, adversaries are always trying to develop and implement the most effective lures to draw users into their infection path. They’ve tried a multitude of different tactics in this space, but one always stands out: current events. In today’s world, everyone’s thoughts immediately go to COVID-19 and Black Lives Matter, since both stories have dominated the threat landscape over the last several months, but this is something that organically happens frequently on the threat landscape. So much so that organizations should include it in their threat hunting activities. This blog is going to walk through the why and how.

Did you receive a message like this? Contact the bank’s fraud unit immediately

www.tivi.fi/uutiset/tv/8b6c0f37-b841-470d-aa93-e7da60130ce4 According to Nordea, the bank’s customers have been approached with various scam attempts over the summer. Among other things, customers have received emails sent in Nordea’s name asking them to open a secure email by clicking a link. The link leads to a fake site resembling Nordea’s service. “Nordea never asks for bank credentials by phone, email or text message, nor does it send links to online banking. If you receive an email or text message sent in Nordea’s name asking you to click a link, it is always a scam message and should be deleted immediately,” says business director Janne Kaisto in the press release. If you suspect that your own bank credentials have fallen into the wrong hands, you should contact Nordea’s customer service promptly. Suspected scams can also be reported to Nordea’s fraud unit at

[email protected].

Things nearly went badly for the lovelorn: a dating service had a serious security hole

www.tivi.fi/uutiset/tv/3a533e35-07d9-423f-b433-c79d007255c7 Users of dating apps want to decide for themselves what they tell others about themselves. Unpleasant risks were found in the privacy protections of the OKCupid service.

TrickBot’s new Linux malware covertly infects Windows devices

www.bleepingcomputer.com/news/security/trickbots-new-linux-malware-covertly-infects-windows-devices/ TrickBot’s Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels.

If you own one of these 45 Netgear devices, replace it: Firm won’t patch vulnerable gear despite live proof-of-concept code

www.theregister.com/2020/07/30/netgear_abandons_45_routers_vuln_patching/ Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability despite security researchers having published proof-of-concept exploit code.

Average Cost of a Data Breach: $3.86 Million

www.darkreading.com/attacks-breaches/average-cost-of-a-data-breach-$386-million/d/d-id/1338489 The latest edition of IBM’s annual Cost of a Data Breach study shows that security system complexity and incident response testing are two factors that have the biggest impact on the total cost of a breach. Charles DeBeck, strategic cyber threat analyst at IBM’s X-Force IRIS incident response team, says one notable data point from the report is the difference in breach costs between those organizations that have automated their threat response capabilities and those that have not. “The main takeaway I see is this growing cost divide,” DeBeck says. “Businesses that are investing in advanced technologies and practicing preparedness of their incident response experience significantly lower costs, while those that didn’t prepare see their costs rising year over year.”

Here’s Why Credit Card Fraud is Still a Thing

krebsonsecurity.com/2020/07/heres-why-credit-card-fraud-is-still-a-thing/ Most of the civilized world years ago shifted to requiring computer chips in payment cards that make it far more expensive and difficult for thieves to clone and use them for fraud. One notable exception is the United States, which is still lurching toward this goal. Here’s a look at the havoc that lag has wrought, as seen through the purchasing patterns at one of the underground’s biggest stolen card shops that was hacked last year.

EU sanctions Russian espionage unit, Chinese and North Korean firms

www.bleepingcomputer.com/news/security/eu-sanctions-russian-espionage-unit-chinese-and-north-korean-firms/ The Council of the European Union today announced sanctions imposed on a Russian military espionage unit, as well as on front companies for Chinese and North Korean threat groups involved in cyber-attacks targeting the EU and its member states. The EU’s sanctions include asset freezes and travel bans, and forbid EU organizations and individuals from transferring funds to sanctioned people and entities. “The Council today decided to impose restrictive measures against six individuals and three entities responsible for or involved in various cyber-attacks,” a press release published today reads. “These include the attempted cyber-attack against the OPCW (Organisation for the Prohibition of Chemical Weapons) and those publicly known as ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’.”

Malspam campaign caught using GuLoader after service relaunch

blog.malwarebytes.com/threat-analysis/2020/07/malspam-campaign-caught-using-guloader-after-service-relaunch/ They say any publicity is good publicity. But perhaps this isn’t true for CloudEye, an Italian firm that claims to provide “the next generation of Windows executables’ protection”. First described by Proofpoint security researchers in March 2020, GuLoader is a downloader used by threat actors to distribute malware on a large scale. In June, CloudEye was exposed by CheckPoint as the entity behind GuLoader. Following the spotlight from several security firms and news outlets, GuLoader activity dropped in late June. But around the second week of July, we started seeing the downloader in malspam campaigns again.

Turkey’s New Internet Law Is the Worst Version of Germany’s NetzDG Yet

www.eff.org/deeplinks/2020/07/turkeys-new-internet-law-worst-version-germanys-netzdg-yet A new law, passed by the Turkish Parliament on the 29th of July, introduces sweeping new powers and takes the country another giant step towards further censoring speech online. The law was ushered through parliament quickly and without allowing for opposition or stakeholder input, and aims for complete control over social media platforms and the speech they host.
