Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-12

Annatko selaimen tallentaa salasanasi? Haittaohjelman uusi versio voi varastaa ne salaa

www.is.fi/digitoday/tietoturva/art-2000006598720.html Salasanoja vohkiva Agent Tesla muuttui entistäkin pahemmaksi uhkaksi. Samalla se osoittaa, miten kätevyys voi kostautua salasanojen säilytyksessä.. Selain kysyy verkkopalveluun kirjautuessa, tallennetaanko salasana jatkoa varten. Kovin usein tulee painettua kyllä, jotta seuraavalla kerralla olisi helpompi päästä sisään. Tämä kuitenkin synnyttää rikollisille houkuttelevan varannon kirjautumistietoja, joita Agent Tesla -haittaohjelman uusi versio jahtaa.. Jo vuosien ajan tunnettu Agent Tesla on kaupallisesti saatavilla oleva haittaohjelma tietojen varastamiseksi niin yrityksiltä kuin yksityishenkilöiltäkin. Se on varsin suosittu tapa murtautua yritysten sähköposteihin ja sitä kautta päästä vakoilemaan uhrien tietokoneita.. Bleeping Computer uutisoi tietoturvayhtiö SentinelOnen havainnoista, joiden mukaan uusi Agent Tesla iskee lukuisiin eri verkkoselaimiin niihin tallennettujen kirjautumistietojen varastamiseksi. Lisäksi kohteena on myös vpn-, ftp- ja sähköpostiohjelmia.. Lue myös:

labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/ ja threatpost.com/agent-tesla-spyware-tricks-arsenal/158284/

Microsoft Patch Tuesday, August 2020 Edition

krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/ Microsoft today released updates to plug at least 120 security holes in its Windows operating systems and supported software, including two newly discovered vulnerabilities that are actively being exploited. Yes, good people of the Windows world, its time once again to backup and patch up!

Critical Flaws Affect Citrix Endpoint Management (XenMobile Servers)

thehackernews.com/2020/08/citrix-endpoint-management.html Citrix today released patches for multiple new security vulnerabilities affecting its Citrix Endpoint Management (CEM), also known as XenMobile, a product made for enterprises to help companies manage and secure their employees’ mobile devices remotely.. Citrix Endpoint Management offers businesses mobile device management (MDM) and mobile application management (MAM) capabilities. It allows companies to control which apps their employees can install while ensuring updates and security settings are applied to keep business information protected.. Read also:

www.theregister.com/2020/08/12/citrix_endpoint_management_critical_bug/. As well as:

media.cert.europa.eu/static/SecurityAdvisories/2020/CERT-EU-SA2020-040.pdf. And:

www.kyberturvallisuuskeskus.fi/fi/kriittinen-haavoittuvuus-citrix-endpoint-managementin-paikallisissa-asennuksissa

The skinny on the Instacart breach

blog.malwarebytes.com/hacking-2/2020/08/all-about-t-instacart-breach/ Instacart, one of the top three brands in the grocery and pick-up services in the world, was recently believed to be hacked, after more than 270,000 accounts of its clients were seen being peddled in the Dark Web. It was reported that these accounts contained information, such as names, addresses, credit card data, and transaction history.. Days after the report, however, Instacart denied that a security breach happened. Our teams have been working around the clock to quickly determine the validity of reports related to site security and so far our investigation had shown that the Instacart platform was not compromised or breached, the company wrote in a Medium post.

We spent way too long on this Microsoft, Intel, Adobe, SAP, Red Hat Patch Tuesday article. Just click on it, pretend to read it, apply updates

www.theregister.com/2020/08/11/patch_tuesday_august/ Patch Tuesday Patch Tuesday used to be Microsoft’s day to release patches. Now Adobe, Intel, and SAP are routinely joining the fun with special guest star Red Hat this month.

If you haven’t yet patched this critical hole in SAP NetWeaver Application Server, today is not your day

www.theregister.com/2020/08/12/sap_netweaver_abap_bug/ We hope you’ve patched CVE-2020-6262, aka note 2835979, that affects SAP NetWeaver Application Server ABAP, because the folks who found and reported the vulnerability are going public with the details.. SEC Consult will today, we’re told, reveal the nitty-gritty of the flaw on its website, giving miscreants the info they need to exploit any vulnerable systems they can find. The infosec biz’s Alexander Meier and Fabian Hag found the security hole and reported it to SAP in April. It was patched in May.

Twitter working to fix issue with 2FA feature

www.welivesecurity.com/2020/08/11/twitter-working-fix-issue-2fa-feature/ An apparent glitch is preventing a number of users from signing into their accounts. A number of Twitter users from around the globe report experiencing problems when attempting to log into their accounts. The microblogging site is investigating what seems to be a glitch in its verification systems that is affecting some people who utilize text messages or automated phone calls as an added means of authentication.

Operation PowerFall: Two zero-day vulnerabilities

www.kaspersky.com/blog/cve-2020-1380-vulnerability/36698/ The exploits for these vulnerabilities operated in tandem. First, the victim was slipped a malicious script that a hole in Internet Explorer 11 allowed to run; and then a flaw in the system service further escalated the malicious processs privileges.. As a result, the attackers were able to take control of the system. Their goal was to compromise the computers of several employees and penetrate the organizations internal network.. Our experts have dubbed this malicious campaign Operation PowerFall. At present, researchers have found no inarguable link between this campaign and known actors. However, judging by the similarity of the exploits, they havent ruled out involvement by DarkHotel.. Microsoft released a patch for CVE-2020-0986 (in the Windows kernel) on June 9, 2020. The second vulnerability, CVE-2020-1380, was patched on August 11. If you update your operating systems regularly, they should already be protected against Operation PowerFalltype attacks.

Norway : Financial Sector Assessment Program-Technical Note-Cybersecurity Risk Supervision and Oversight

www.imf.org/en/Publications/CR/Issues/2020/08/07/Norway-Financial-Sector-Assessment-Program-Technical-Note-Cybersecurity-Risk-Supervision-and-49673 The Norwegian financial system has a long history of incorporating new technology.. Norway is at the forefront of digitization and has tight interdependencies within its financial system, making it particularly vulnerable to evolving cyber threats. Norway is increasingly a cashless society, with surveys and data collection suggesting that only 10 percent of point-of-sale and person-to-person transactions in 2019 were made using cash.. 1 – Most payments made in Norway are digital (e.g., 475 card transactions per capita per annum). 2 – and there is an increase in new market entrants providing a broad range of services. Thus, good cybersecurity is a prerequisite for financial stability in Norway.. Read also:

www.imf.org/~/media/Files/Publications/CR/2020/English/1NOREA2020004.ashx

Euroclear aikoo selvittää oikeudessa, saako osakkeenomistajien tietoja jakaa puhelimitse

www.hs.fi/talous/art-2000006598733.html Osakeyhtiön tai osuuskunnan osakasluettelon tietojen luovuttaminen puhelinpalvelun kautta on lainvastaista, toteaa apulais­tietosuoja­valtuutettu kesällä antamassaan päätöksessä.. Euroclear eli entinen Suomen Arvopaperikeskus on tarjonnut jo parin vuoden ajan puhelinpalvelua, jonka kautta se on luovuttanut osakasluettelosta saatuja henkilötietoja. Osakasluettelot ovat julkisia ja tavallisesti niiden tietoja on voinut tarkastella Euroclearin toimipisteessä.. Puhelinpalvelun lisäksi Euroclear on luovuttanut osakasluetteloiden tietoja suora­markkinointiin. Valtuutetun mukaan Euroclear on toiminut vastoin rekisterinpitäjän velvollisuuksiaan antaessaan tietoja mainostajille.. Euroclear on saanut valtuutetulta huomautuksen tietosuoja-asetuksen rikkomisesta. Valtuutettu on myös määrännyt yrityksen muuttamaan toimintaansa lailliseksi ja vastaamaan rekisterinpitäjän velvollisuuksia.. Päätös ei ole lainvoimainen ja siitä voi valittaa hallinto-oikeuteen. Euroclear myös aikoo tehdä valituksen.

HAAVOITTUVUUS 27/2020 – Kriittinen haavoittuvuus vBulletin:ssa

www.kyberturvallisuuskeskus.fi/fi/kriittinen-haavoittuvuus-vbulletinssa vBulletin:sta on löytynyt nollapäivähaavoittuvuus, joka ohittaa aiemmin julkaistun korjauksen Remote Code Execution -haavoittuvuuteen (CVE-2019-16759). Haavoittuvuuden löytäjä on julkaissut sen hyödyntämiseen esimerkkikoodin (PoC) ja aktiivisia hyväksikäyttötapauksia on jo havaittu, joten päivittämistä suositellaan välittömästi.

The Secret SIMs Used By Criminals to Spoof Any Number

www.vice.com/amp/en_us/article/n7w9pw/russian-sims-encrypted This SIM card, the caller said, allowed him to spoof any phone number he wanted. Want to look like you’re calling from a bank in order to scam a target? Easy. Want to change it to a random series of digits so that the recipient’s phone won’t record your real number? That just takes a few seconds to set up, according to tutorials of how to use the cards available online.. To test the process of obtaining such a SIM, Motherboard purchased a so-called white SIM, known for not having any branding or labelling, through a source close to the criminal world. After sending the supplier around $100 in Bitcoin, a package arrived the next day.. Essentially, entering this tells a user’s phone that they want to connect to a particular phone network, one that it may not ordinarily recognize.. Karsten Nohl, a security researcher from SRLabs focused on telecommunications security, told Motherboard in an email that operators of the SIM cards likely run their own Mobile Virtual Network Operator (MVNO), which is essentially a telecom company piggy backing off of the infrastructure of a more established network. . Many MVNOs exist, including Google’s Fi, which runs on top of T-Mobile’s infrastructure.. In order to obtain SIMs and data to sell, smaller companies can go to different carriers around the world and buy the data in bulk, according to a source who currently works in the secure communications industry.

SP 800-207 – Zero Trust Architecture

csrc.nist.gov/publications/detail/sp/800-207/final Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. . A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).. Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. . Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary.. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.. Read also:

nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

NHS hit with wave of scam emails at height of COVID-19 pandemic

www.zdnet.com/article/nhs-staff-hit-with-over-40000-scam-emails-at-height-of-covid-19-pandemic/ NHS Digital said its cybersecurity teams were working hard to keep patient data secure as attackers continued to target under-pressure services.

16-30 June 2020 Cyber Attacks Timeline

www.hackmageddon.com/2020/08/12/16-30-june-2020-cyber-attacks-timeline/ This number confirms a decreasing trend, likely due to the diminishing impact of the COVID-19-themed attacks.. Unfortunately the same cannot be said for ransomware: new samples emerge on a regular basis and the list of high-profile victims continues to grow. It looks like double extortion attacks are paying off, and even in this timeline, nearly one event out of four is related to a ransomware attack. . Netwalker, Sodinokibi, Maze, and newcomers such as WastedLocker are a constant presence throughout the timeline.. In terms of cyber crime, other interesting events of this timeline include the discovery of a new Android spyware downloaded 32 million times, and three massive DDoS attacks against AWS, an undisclosed European bank, and an undisclosed ISP.

Call Me Maybe: Ea­ves­drop­ping En­cryp­ted LTE Calls With Re­VoL­TE

revolte-attack.net/ Voice over LTE (VoLTE) is a packet-based telephony service seamlessly integrated into the Long Term Evolution (LTE) standard. By now all major telecommunication operators use VoLTE. To secure the phone calls, VoLTE encrypts the voice data between the phone and the network with a stream cipher. . The stream cipher shall generate a unique keystream for each call to prevent the problem of keystream reuse.. We introduce ReVoLTE, an attack that exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call. This enables an adversary to eavesdrop on VoLTE phone calls. ReVoLTE makes use of a predictable keystream reuse, which was discovered by Raza & Lu.. Eventually, the keystream reuse allows an adversary to decrypt a recorded call with minimal resources.. Read also:

revolte-attack.net/media/revolte_camera_ready.pdf. As well as:

www.zdnet.com/article/re-vol-te-attack-can-decrypt-4g-lte-calls-to-eavesdrop-on-conversations/

Cybersecurity: These two basic flaws make it easy for hackers to break into you systems

www.zdnet.com/article/cybersecurity-these-two-basic-flaws-make-it-easy-for-hackers-to-break-into-you-systems/ One of the most common security issues is weak passwords, allowing hackers to gain access to accounts by using brute force attacks. Cracking the password of one account shouldn’t be enough to gain full access to an internal network, but in many cases, it just takes this and the ability to exploit known vulnerabilities to gain further access to systems.. In addition to weak passwords, over two thirds of organisations are using vulnerable versions of software which hasn’t received the required security updates, leaving it open to being exploited.

Irony, thy name is SANS: 28k records nicked from infosec training org after staffer’s email account phished

www.theregister.com/2020/08/12/sans_institute_data_breach/ Names, email addresses, phone numbers, job titles, company names, country of residence etc. pinched. Read also:

www.sans.org/dataincident2020

Exclusive: August Smart Lock Flaw Opens Your Wi-Fi Network to Hackers

uk.pcmag.com/encryption/128120/exclusive-august-smart-lock-flaw-opens-your-wi-fi-network-to-hackers Implementing this hack would take a lot of patience. The hacker would have to find a spot close enough to listen in on the Wi-Fi network, perhaps a parked car. The attack that forces the doorbell offline takes time. And the device doesnt reconnect until its owner notices that it’s offline and initiates the exchange.. Read also:

www.bitdefender.com/files/News/CaseStudies/study/363/Bitdefender-PR-Whitepaper-AugustConnect-creat4699-en-EN-GenericUse.pdf

Kr00k, KRACK, and the Seams in Wi-Fi, IoT Encryption

www.darkreading.com/iot/kr00k-krack-and-the-seams-in-wi-fi-iot-encryption/d/d-id/1338633 Earlier this year, two ESET researchers disclosed a flaw in processor chips powering over 1 billion Wi-Fi and Internet of Things (IoT) devices that would make it easy for attackers to snoop on encrypted traffic.. Last week at Black Hat, the researchers explained that the attack surface area for these kinds of flaws is broader than they initially thought and that the weakness is present in a several other popular chipsets that could put even more IoT and Wi-Fi devices at risk.. Dubbed “Kr00k” by researchers Robert Lipovsky and Stefan Svorencik, the flaw in question occurs in how Wi-Fi chips handle the four-way handshake process that occurs between a device and an access point to facilitate WPA2 encryption. . When devices associate and disassociate with a network, the handshake process governs authentication and how cryptographic keys are exchanged as connection is both established and broken between device and access point.. Kr00k is a flaw in how the chips handle the process of WLAN session disassociation, in which they overwrite the encryption keys with all zeros in the expectation that no further data will be transmitted after disassociation. The expectation is when the device reassociates with a new session, a new encryption key will be negotiated and encryption will remain seamless.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.