Daily NCSC-FI news followup 2020-08-03

EU imposes the first ever sanctions against cyber-attacks

www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/ The Council today decided to impose restrictive measures against six individuals and three entities responsible for or involved in various cyber-attacks. These include the attempted cyber-attack against the OPCW (Organisation for the Prohibition of Chemical Weapons) and those publicly known as ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’.

Launching a new version of Logging Made Easy (LME)

www.ncsc.gov.uk/blog-post/launching-a-new-version-of-logging-made-easy-lme The NCSC has launched version 0.3 of LME to make logging even easier with some enhanced features. We launched Logging Made Easy (LME) officially in April 2019, enabling hundreds of you to install a basic logging capability on your IT estate, detecting and protecting against cyber attack. Now, we’re launching LME version 0.3. This release makes logging even easier, adding some enhanced features to the open source project.

Microsoft Joins Open Source Security Foundation

msrc-blog.microsoft.com/2020/08/03/microsoft-joins-open-source-security-foundation/ Microsoft has invested in the security of open source software for many years, and today I’m excited to share that Microsoft is joining industry partners to create the Open Source Security Foundation (OpenSSF), a new cross-industry collaboration hosted at the Linux Foundation. The OpenSSF brings together work from the Linux Foundation-initiated Core Infrastructure Initiative (CII), the GitHub-initiated Open Source Security Coalition (OSSC), and other open source security efforts to improve the security of open source software by building a broader community, targeted initiatives, and best practices.

Build a Roadmap for Cyber Resilience

securityintelligence.com/articles/build-roadmap-cyber-resilience/ The current information security landscape is rapidly evolving. According to the latest research from IBM Security and the Ponemon Institute’s 2020 Cyber Resilient Organization Report, 67% of organizations reported that the volume of attacks had significantly increased over the past 12 months. It’s not just the number of attacks that grew; 64% of organizations also saw an increase in the severity of the attacks. Roughly 53% of responding organizations experienced a data breach involving more than 1,000 records within the last two years.

Powershell Bot with Multiple C2 Protocols

isc.sans.edu/forums/diary/Powershell+Bot+with+Multiple+C2+Protocols/26420/ I spotted another interesting Powershell script. It’s a bot and is delivered through a VBA macro that spawns an instance of msbuild.exe. This Windows tool is often used to compile/execute malicious code on the fly (I already wrote a diary about this technique). I don’t have the original document, but based on a technique used in the macro, it is part of a Word document. It calls Document_ContentControlOnEnter.

Meetup Critical Flaws Allow Group Takeover, Payment Theft

threatpost.com/critical-meetup-website-flaws-takeover-payment-theft/157934/ A popular online social service, Meetup, has fixed several critical flaws in its website. If exploited, the flaws could have enabled attackers to hijack any Meetup group, access the group’s member details and even redirect Meetup payments to an attacker-owned PayPal account. Meetup is a service with a user base of over 35 million users, used to organize online groups with events for people with similar interests. These events are either free, or participants can register for a fee using PayPal.

BlackBerry releases new security tool for reverse-engineering PE files

www.zdnet.com/article/blackberry-releases-new-security-tool-for-reverse-engineering-pe-files/ Today, at the Black Hat USA 2020 security conference, BlackBerry released a new tool for the cyber-security community. Named PE Tree, this is a new Python-based app for Linux, Mac, and Windows that can be used to reverse-engineer and analyze the internal structure of Portable Executable (PE) files — a common file format that malware authors have used to hide malicious payloads.

Netwalker ransomware earned $25 million in just five months

www.bleepingcomputer.com/news/security/netwalker-ransomware-earned-25-million-in-just-five-months/ The Netwalker ransomware operation has generated a total of $25 million in ransom payments since March 1st, according to a new report by McAfee. Netwalker is a Ransomware-as-a-Service (RaaS) operation that began operating in late 2019, where affiliates are enlisted to distribute the ransomware and infect victims in return for a 60-70% cut of ransom payments. Known as a human-operated, or enterprise-targeting, ransomware, Netwalker affiliates will hack into an organization’s network and quietly gain control.

Netgear Won’t Patch 45 Router Models Vulnerable to Serious Flaw

threatpost.com/netgear-wont-patch-45-router-models-vulnerable-to-serious-flaw/157977/ Almost two months after a high-severity flaw was disclosed, and seven months after it was first reported, Netgear has yet to issue fixes for 45 of its router models. The remote code execution vulnerability in question, which was disclosed June 15, allows network-adjacent attackers to bypass authentication on vulnerable Netgear routers.

CISA, DOD, FBI expose new Chinese malware strain named Taidoor

www.zdnet.com/article/cisa-dod-fbi-expose-new-chinese-malware-strain-named-taidoor/ Three agencies of the US government have published today a joint alert on Taidoor, a new strain of malware that has been used during recent security breaches by Chinese government hackers. The alert has been authored by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), the Department of Defense’s Cyber Command (CyberCom), and the Federal Bureau of Investigation (FBI).

‘We stopped ransomware’ boasts Blackbaud CEO. And by ‘stopped’ he means ‘got insurance to pay off crooks’

www.theregister.com/2020/08/03/blackbaud_glosses_over_ransomware_payoff/ “We discovered and stopped a sophisticated attempted ransomware attack,” Blackbaud CEO Michael Gianoni has told financial analysts, failing to mention that the company simply paid off criminal extortionists to end the attack. Speaking on the US cloud CRM provider’s Q2 FY2020 earnings call late on Friday, Gianoni said: “Like a lot of companies, we get millions of intrusion attempts a month and unfortunately one got into a subset of our customers and a subset of our backup environment.”

Ransomware: Your biggest security headache refuses to go away

www.zdnet.com/article/ransomware-why-the-internets-biggest-headache-refuses-to-go-away/ Ransomware has been around for more than three decades, so it’s hardly an unexpected threat. And yet, organisations large and small are still being taken completely by surprise by the file-encrypting malware, leaving them to decide between rebuilding many of their computer systems from scratch to rid themselves of the ransomware or paying up to the crooks in the hope that they will hand over the encryption keys.

According to authorities, ransomware is one of the worst threats to the US elections: “Attempts almost daily”

yle.fi/uutiset/3-11476769 According to US federal authorities, the worst threats to voting in the November presidential election include well-timed malware attacks that can paralyse the voting process. In a ransomware attack, the hacker can, among other things, block access to the data on the target’s hard drive by encrypting it. The decryption key is typically obtained from the hacker only after a payment, often worth millions, delivered in Bitcoin.

The Biggest Challenges and Best Practices to Mitigate Risks in Maritime Cybersecurity

www.tripwire.com/state-of-security/security-data-protection/biggest-challenges-best-practices-mitigate-risks-maritime-cybersecurity/ Ships are increasingly using systems that rely on digitalization, integration, and automation, which call for cyber risk management on board. As technology continues to develop, the convergence of information technology (IT) and operational technology (OT) onboard ships and their connection to the Internet creates an increased attack surface that needs to be addressed.

Falsification and eavesdropping of contents across multiple websites via Web Rehosting services

jvn.jp/en/ta/JVNTA96129397/ Researchers at NTT Secure Platform Laboratories and Waseda University have identified multiple security issues that lead to content being tampered with and eavesdropped on in a class of service called Web Rehosting. These issues have been published at NDSS 2020. “Web Rehosting” is the name of a group of web services proposed in this study, which have the function of retrieving content from a user-specified website and hosting it again on their own server. If a web rehosting service does not take measures against the attacks listed in this advisory, there is a risk that some of the browser resources of users may be manipulated by an attacker, resulting in a security and privacy violation.

Newsletter plugin bugs let hackers inject backdoors on 300K sites

www.bleepingcomputer.com/news/security/newsletter-plugin-bugs-let-hackers-inject-backdoors-on-300k-sites/ Owners of WordPress sites who use the Newsletter plugin are advised to update their installations to block attacks that could use a now-fixed vulnerability allowing hackers to inject backdoors, create rogue admins, and potentially take over their websites. The vulnerability was found in the Newsletter WordPress plugin, which provides the tools needed to create responsive newsletter and email marketing campaigns on WordPress blogs using a visual composer.
