Daily NCSC-FI news followup 2020-07-31

Tutorial of ARM Stack Overflow Exploit against SETUID Root Program

www.fortinet.com/blog/threat-research/tutorial-arm-stack-overflow-exploit-against-setuid-root-program In part I of this blog series, Tutorial of ARM Stack Overflow Exploit Defeating ASLR with ret2plt, I presented how to exploit a classic buffer overflow vulnerability when ASLR is enabled. That target program calls the function gets() to read a line from stdin. In this blog, I will demonstrate how to use data from a local file, instead of stdin, to cause a stack overflow. For this scenario, as in part I, the ASLR (address space layout randomization) feature is enabled on the target machine. Likewise, in order to complete a full exploit, an attacker first needs to defeat ASLR before performing code execution.

How to Know If Your Phone Has a Virus + How to Remove It

www.pandasecurity.com/mediacenter/mobile-security/phone-has-virus/ When you picture hackers you likely think of two things. Either large scale, enterprise attacks that cause millions in damage, or micro phishing attacks that prey on the most vulnerable internet users. Growing up in the internet age, with the said-to-be indestructible Apple products, it's hard to fathom a virus wreaking havoc on your phone and mining your data without the slightest suspicion.

WastedLocker: technical analysis

securelist.com/wastedlocker-technical-analysis/97944/ The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often. On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches and bracelets, experienced a massive service outage. As confirmed by an official statement later, the cause of the downtime was a cybersecurity incident involving data encryption. The situation was so dire that at the time of writing of this post (7/29) the operation of the affected online services had not been fully restored.

DDoS Attacks Increase in Size, Frequency and Duration

securityintelligence.com/articles/avoid-ddos-attacks/ Distributed denial of service (DDoS) attacks are increasing in size, frequency and duration. Kaspersky Lab reported a doubling of DDoS attacks in the first quarter of 2020 compared with the fourth quarter of 2019, plus an 80% jump compared with the same quarter last year. A recent DDoS attack against a large European bank clocked in at 809 million packets per second, more than double the previous record on the Akamai platform.

Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates

www.fireeye.com/blog/threat-research/2020/07/insights-into-office-365-attacks-and-how-managed-defense-investigates.html With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them. This blog post is for those who have yet to dip their toes into the waters of an O365 BEC, providing a crash course on Microsoft's cloud productivity suite and its assortment of logs and data sources useful to investigators.

New Attack Leverages HTTP/2 for Effective Remote Timing Side-Channel Leaks

thehackernews.com/2020/07/http2-timing-side-channel-attacks.html Security researchers have outlined a new technique that renders a remote timing-based side-channel attack more effective regardless of the network congestion between the adversary and the target server. Remote timing attacks that work over a network connection are predominantly affected by variations in network transmission time (or jitter), which, in turn, depends on the load of the network connection at any given point in time.

CWT Travel Agency Faces $4.5M Ransom in Cyberattack, Report

threatpost.com/cwt-travel-agency-ransom-cyberattack-report/157911/ The corporate-travel leader has confirmed an attack that knocked systems offline. CWT, a giant in the corporate travel agency world with a global clientele, may have faced payment of $4.5 million to unknown hackers in the wake of a ransomware attack. Independent malware hunter @JAMESWT tweeted on Thursday that a malware sample used against CWT (formerly known as Carlson Wagonlit Travel) had been uploaded to VirusTotal on July 27; he also included a ransom note indicating that the ransomware in question is Ragnar Locker. Also:

www.theregister.com/2020/07/31/carlson_wagonlit_travel_ragnarlocker_ransom_paid/

EU sanctions China, Russia, and North Korea for past hacks

www.zdnet.com/article/eu-sanctions-china-russia-and-north-korea-for-past-hacks/ The EU has imposed today its first-ever economic sanctions following cyber-attacks from foreign adversaries. The European Union has imposed sanctions today against China, Russia, and North Korea for past cyber-attacks carried out against European citizens and businesses. Also:

thehackernews.com/2020/07/sanctions-against-wanted-hackers.html

www.theregister.com/2020/07/31/eu_sanctions_hackers/ Also:

www.tivi.fi/uutiset/tv/95137f72-7d57-4a6d-9957-c43c5040ae4a

Data of up to 2.5 million users stolen: online store fell victim to hackers

www.tivi.fi/uutiset/tv/fa6f1adc-f17e-4ab5-a2ae-d56e9f3cbad8 Drizly, an online retailer of alcoholic beverages, told its customers that it had fallen victim to a data breach, TechCrunch writes. In an email sent to customers, the company said that hackers had gained access to user data. The hackers stole email addresses, dates of birth, passwords and delivery addresses.

QNAP urges users to update Malware Remover after QSnatch alert

www.bleepingcomputer.com/news/security/qnap-urges-users-to-update-malware-remover-after-qsnatch-alert/ QNAP urges its users to update the Malware Remover app and bolster their NAS devices’ security following a QSnatch malware joint alert published earlier this week by the UK’s NCSC and the US CISA government cybersecurity agencies. While QNAP made a point of asking customers to reinforce their devices’ security, the Taiwanese vendor also contradicted reports mentioning an increase in the number of NAS devices infected since October 2019.

Twitter hackers used phone spear phishing in mass account takeover

arstechnica.com/information-technology/2020/07/twitter-hackers-used-phone-spear-phishing-in-mass-account-takeover/ The hackers behind this month's epic Twitter breach targeted a small number of employees through a phone spear phishing attack, the social media site said on Thursday night. When the pilfered employee credentials failed to give access to account support tools, the hackers targeted additional workers who had the permissions needed to access the tools. Also:

threatpost.com/twitter-hack-mobile-spearphishing-scam/157896/

www.theverge.com/2020/7/30/21348974/twitter-spear-phishing-attack-bitcoin-scam

www.theregister.com/2020/07/31/twitter_spear_phishing/

www.bleepingcomputer.com/news/security/hackers-stole-twitter-employee-credentials-via-phone-phishing/

blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html

Exclusive: China-backed hackers ‘targeted COVID-19 vaccine firm Moderna’

www.reuters.com/article/us-health-coronavirus-moderna-cyber-excl/exclusive-chinese-backed-hackers-targeted-covid-19-vaccine-firm-moderna-idUSKCN24V38M Chinese government-linked hackers targeted biotech company Moderna Inc, a U.S.-based coronavirus vaccine research developer, this year in a bid to steal data, according to a U.S. security official tracking Chinese hacking. China on Friday rejected the accusation that hackers linked to it had targeted Moderna.

‘Hidden Property Abusing’ Allows Attacks on Node.js Applications

www.darkreading.com/vulnerabilities—threats/hidden-property-abusing-allows-attacks-on-nodejs-applications/d/d-id/1338509 A team of researchers from Georgia Tech find a new attack technique that targets properties in Node.js and plan to publicly release a tool that has already identified 13 new vulnerabilities. The novel attack technique, dubbed Hidden Property Abusing, allows a remote attacker to inject new values into Node.js programs through passing objects that the framework, under the right circumstances, will treat as internal data.

Fun fact: If you noticed a while ago Zoom’s web client going AWOL for a week, it’s because someone found a passcode-cracking hole

www.theregister.com/2020/07/31/zoom_cracking_flaw/ Zoom has confirmed it fixed a vulnerability that could have been exploited by miscreants to crack the passcodes needed to access strangers’ private chin-wagging. The video-conferencing biz said it addressed the weakness in its systems after the issue was discovered and privately reported by UK-based bug-hunter Tom Anthony. To hear him tell it, Zoom did not put sufficient protections in place to prevent criminals from discovering a given meeting’s passcode through brute-force. Also:

threatpost.com/zoom-flaw-could-have-allowed-hackers-to-crack-meeting-passcodes/157883/

Linux warning: TrickBot malware is now infecting your systems

www.bleepingcomputer.com/news/security/linux-warning-trickbot-malware-is-now-infecting-your-systems/ TrickBot’s Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels. TrickBot is a multi-purpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration, and malware delivery.

Container adoption is on the rise: How can security keep up?

www.zdnet.com/article/container-adoption-is-on-the-rise-how-can-security-keep-up/ Containers are becoming increasingly popular, and it's not surprising considering benefits like scalability, agility, and cost reduction. However, it is important that security pros are brought into the adoption process to ensure that they have a strategy in place to secure the use of these containers.

FBI Releases Flash Alert on Netwalker Ransomware

www.tripwire.com/state-of-security/security-data-protection/fbi-releases-flash-alert-on-netwalker-ransomware/ The Federal Bureau of Investigation (FBI) released a flash alert in which it warned organizations about the dangers of Netwalker ransomware. On July 28, the FBI revealed in Flash Alert MI-000130-MW that it had received notifications of attacks involving Netwalker against U.S. and foreign government organizations along with entities operating in the healthcare and education sectors.

Threat Assessment: WastedLocker Ransomware Activities

unit42.paloaltonetworks.com/wastedlocker/ Unit 42 has observed a recent uptick in WastedLocker ransomware activity, which has increased since the initial samples were analyzed by WildFire in May 2020. In light of this, together with recent media coverage around large U.S. corporations being targeted by the threat, we have created this general assessment of the ransomware. WastedLocker is post-intrusion ransomware of the same ilk as Samsa, Maze, EKANS, Ryuk, BitPaymer and others.
