Daily NCSC-FI news followup 2020-08-05

Defending the Oil and Gas Industry Against Cyber Threats

securityintelligence.com/posts/oil-gas-security/ The oil and gas industry is one of the most powerful financial sectors in the world, critical to global and national economies. Therefore, this industry is a valuable target for adversaries seeking to exploit Industrial Control Systems (ICS) vulnerabilities. As the recent increase in attacks against ICS demonstrates, adversaries with a specific interest in oil and gas companies remain active and are evolving their behaviors. Protection against cyber attacks is essential to the worldwide economy.

Repurposing Neural Networks to Generate Synthetic Media for Information Operations

www.fireeye.com/blog/threat-research/2020/08/repurposing-neural-networks-to-generate-synthetic-media-for-information-operations.html FireEye's Data Science and Information Operations Analysis teams released this blog post to coincide with our Black Hat USA 2020 Briefing, which details how open source, pre-trained neural networks can be leveraged to generate synthetic media for malicious purposes. To summarize our presentation, we first demonstrate three successive proofs of concept for how machine learning models can be fine-tuned in order to generate customizable synthetic media in the text, image, and audio domains.

Toolmarks and Intrusion Intelligence

windowsir.blogspot.com/2020/08/toolmarks-and-intrusion-intelligence.html Very often, DFIR and intel analysts alike don’t appear to consider such things as toolmarks associated with TTPs, nor intrusion intelligence. However, considering such things can lead to greater edge sharpness with respect to attribution, as well as to the intrusion itself. What I’m suggesting in this post is fully exploiting the data that most DFIR analysts already collect and therefore have available. I’m not suggesting that additional tools be purchased; rather, what I’m illustrating is the value of going just below the surface of much of what’s shared, and adding a bit of context regarding the how and when of various actions taken by threat actors.

Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts

thehackernews.com/2020/08/apple-touchid-sign-in.html Apple earlier this year fixed a security vulnerability in iOS and macOS that could have potentially allowed an attacker to gain unauthorized access to a user’s iCloud account. Uncovered in February by Thijs Alkemade, a security specialist at IT security firm Computest, the flaw resided in Apple’s implementation of the TouchID (or FaceID) biometric feature that authenticates users logging in to websites on Safari, specifically those that use Apple ID logins.

Traffic Analysis Quiz: What’s the Malware From This Infection?

isc.sans.edu/forums/diary/Traffic+Analysis+Quiz+Whats+the+Malware+From+This+Infection/26430/ Today’s diary is a traffic analysis quiz where you try to identify the malware based on a pcap of traffic from an infected Windows host. Download the pcap from this page, which also has the alerts. Don’t open or review the alerts yet, because they give away the answer.

Microsoft Teams Updater Living off the Land

www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/ During the global COVID-19 pandemic there has been an increasing trend toward video conferencing solutions, and Trustwave SpiderLabs is exercising extra vigilance in monitoring video conferencing traffic. During our threat hunt, we have observed lots of Microsoft Teams updater traffic. Due to the noisy nature of the traffic, there is a possibility that malicious traffic hiding there will evade the analyst’s view or even be added to a list of allowed, and therefore unmonitored, applications.

High-Severity Android RCE Flaw Fixed in August Security Update

threatpost.com/high-severity-android-rce-flaw-fixed-in-august-security-update/158049/ Google has released patches addressing a high-severity issue in its Framework component, which if exploited could enable remote code execution (RCE) on Android mobile devices. Overall, 54 high-severity flaws were patched as part of Google's August security updates for the Android operating system, released on Monday. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high- and critical-severity vulnerabilities tied to 31 CVEs.

Researcher Demonstrates 4 New Variants of HTTP Request Smuggling Attack

thehackernews.com/2020/08/http-request-smuggling.html New research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers. Amit Klein, VP of Security Research at SafeBreach, who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP request smuggling even 15 years after the technique was first documented.

How the NSA Says You Can Limit Location Data Exposure

www.vice.com/en_us/article/v7gxv3/nsa-location-data-privacy Location data can be one of the most valuable pieces of information for an attacker, and also arguably one of the hardest to protect. Smartphones are constantly providing such data through apps, the phone’s operating system itself, or simply by virtue of using telecommunications networks or being near other devices. With that in mind, the National Security Agency (NSA) on Tuesday published its own guidelines for limiting the exposure of location data. The guidelines are geared more toward government officials, but the advice itself can be useful for anyone hoping to stop sending so much location data to tech companies, ad firms, or apps that may then expose it later.

Hacker leaks passwords for 900+ enterprise VPN servers

www.zdnet.com/article/hacker-leaks-passwords-for-900-enterprise-vpn-servers/ A hacker has today published a list of plaintext usernames and passwords, along with IP addresses, for more than 900 Pulse Secure VPN enterprise servers. ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.

Canon hit by Maze Ransomware attack, 10TB data allegedly stolen

www.bleepingcomputer.com/news/security/canon-hit-by-maze-ransomware-attack-10tb-data-allegedly-stolen/ Canon has suffered a ransomware attack that impacts numerous services, including Canon’s email, Microsoft Teams, USA website, and other internal applications. BleepingComputer has been tracking a suspicious outage on Canon’s image.canon cloud photo and video storage service, resulting in the loss of data for users of its free 10GB storage feature. The image.canon site suffered an outage on July 30th, 2020, and over six days the site showed status updates until it went back into service yesterday, August 4th. Also:


Threat Hunting Techniques: A Quick Guide

securityintelligence.com/posts/threat-hunting-guide/ Threat hunting is an essential part of security operations center services and should be incorporated at an early stage. Threat hunting is the art of finding the unknowns in the environment, going beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR) and others. There are multiple methods to perform hunting, and your team can select the one that fits best based on what you want to accomplish.

FBI issues warning over Windows 7 end-of-life

www.zdnet.com/article/fbi-issues-warning-over-windows-7-end-of-life/ The Federal Bureau of Investigation has sent a private industry notification (PIN) on Monday to partners in the US private sector about the dangers of continuing to use Windows 7 after the operating system reached its official end-of-life (EOL) earlier this year. “The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status,” the agency said.

Less Than Half of Security Pros Can Identify Their Organization’s Level of Risk

www.darkreading.com/risk/less-than-half-of-security-pros-can-identify-their-organizations-level-of-risk-/d/d-id/1338577 Just 51% work with the business side of the house on risk reduction objectives, new study shows. Security leaders still struggle to communicate their organization’s cyber risk to business executives and the board. New research by Forrester and Tenable found that just four out of 10 security leaders can answer with a high level of confidence the question: “How secure, or at risk, are we?”

Misconfigured servers contributed to more than 200 cloud breaches

www.scmagazine.com/home/security-news/cloud-misconfigurations-contributed-to-more-than-200-breaches/ Misconfigured storage services in 93 percent of cloud deployments have contributed to more than 200 breaches over the past two years, exposing more than 30 billion records, according to a report from Accurics, which predicted that cloud breaches are likely to increase in both velocity and scale. The researchers found that 91 percent of the cloud deployments analyzed had at least one major exposure that left a security group wide open, while in 50 percent, unprotected credentials were stored in container configuration files, which is significant because 84 percent of organizations use containers.

Twitter for Android vulnerability gave access to direct messages

www.bleepingcomputer.com/news/security/twitter-for-android-vulnerability-gave-access-to-direct-messages/ Twitter today announced that it fixed a security vulnerability in the Twitter for Android app that could have allowed attackers to gain access to users’ private Twitter data, including direct messages. “We recently discovered and fixed a vulnerability in Twitter for Android related to an underlying Android OS security issue affecting OS versions 8 and 9,” Twitter explained. Also:


The Official Facebook Chat Plugin Created Vector for Social Engineering Attacks

www.wordfence.com/blog/2020/08/the-official-facebook-chat-plugin-created-vector-for-social-engineering-attacks/ On June 26, 2020, our Threat Intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites. We initially reached out to Facebook on June 26, 2020 and included the full disclosure details at the time of reaching out. They initially responded on June 30, 2020, and after much back and forth, Facebook released a patch on July 28, 2020.
