Daily NCSC-FI news followup 2020-08-13

Alert (AA20-225A) – Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails

us-cert.cisa.gov/ncas/alerts/aa20-225a The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious redirects and credential stealing.

How to organize your security team: The evolution of cybersecurity roles and responsibilities

www.microsoft.com/security/blog/2020/08/06/organize-security-team-evolution-cybersecurity-roles-responsibilities/ Security functions represent the human portion of a cybersecurity system. They are the tasks and duties that members of your team perform to help secure the organization. Depending on your company size and culture, individuals may be responsible for a single function or multiple functions; in some cases, multiple people might be assigned to a single function as a team. A security operations center (SOC) detects, responds to, and remediates active attacks on enterprise assets. SOCs are currently undergoing significant change, including an elevation of the function to business risk management, changes in the types of metrics tracked, new technologies, and a greater emphasis on threat hunting.

‘Deepfakes’ ranked as most serious AI crime threat

www.ucl.ac.uk/news/2020/aug/deepfakes-ranked-most-serious-ai-crime-threat Fake audio or video content has been ranked by experts as the most worrying use of artificial intelligence in terms of its potential applications for crime or terrorism, according to a new UCL report. Read also: dx.doi.org/10.1186/s40163-020-00123-8

“Microsoft support” scam attempt ran badly aground: “I strung them along a bit, and I lost my temper”

www.is.fi/digitoday/tietoturva/art-2000006599788.html Aaro Huhtala, 61, who has also appeared in Salkkarit and worked in several advertisements, says he was targeted by a so-called helpdesk scam. In these, the scammer calls posing as a technical support representative and claims that the recipient has a problem with their computer. To solve it, the scammer would have to be given access to the computer. A new wave of scam calls may be under way. This is also evidenced by the fact that one vacationing IS Digitoday reporter received two Microsoft scam calls within an hour on Tuesday. In the replies to Huhtala’s post, many report having received similar scam calls. If you receive a scam call from someone posing as technical support, end the call. Bank details or other personal information must under no circumstances be given to someone claiming to be technical support. And under no circumstances should you install programs or accept a remote connection to your computer, detective inspector Jukkapekka Risu of the Helsinki Police Department advised at the time.

Penetration testing of corporate information systems – External pentests results, 2020

www.ptsecurity.com/upload/corporate/ww-en/analytics/external-pentests-2020-eng.pdf Even an unskilled hacker can penetrate the infrastructure of most tested companies, because many attack vectors involve exploitation of known security flaws. To secure the network perimeter, the first step is to follow basic information security rules. Recommendations for protecting against the most common penetration vectors are given in our research. Web applications are the most vulnerable component on the network perimeter. Perform security analysis regularly. White-box testing, which includes source code analysis, is the most effective method. Vulnerabilities allowing internal network penetration occur in both in-house apps and solutions by well-known vendors. Fixing them takes time, and meanwhile the application remains vulnerable. For proactive security, we recommend using a web application firewall to prevent exploitation of known vulnerabilities, even ones that have not been detected yet. Usually companies install a WAF only on certain sites. However, keep in mind that WAF solutions can be used to protect many remote access systems. For instance, a correctly installed WAF would stop attackers from exploiting vulnerability CVE-2019-19781 in Citrix Gateway, even before a patch is released and installed. Penetration testing, regularly performed, detects and closes new penetration vectors. It sheds light on how security at a particular company actually works in practice. And ultimately, from a business standpoint, penetration testing examines the plausibility of key business risks related to cyberattacks, providing the basis for an effective and evidence-driven security system.

F-Secure authorized to be a CVE Numbering Authority (CNA)

www.f-secure.com/en/press/p/f-secure-authorized-to-be-a-cve-numbering-authority–cna- CVE Program’s accreditation allows F-Secure to assign CVE identifiers in accordance with the cyber security industry’s best practices. Cyber security provider F-Secure is authorized by the CVE Program to assign Common Vulnerability and Exposures (CVE) identifiers as a CVE Numbering Authority (CNA). CNAs are organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope.

India to trial restoration of Internet access in Kashmir

www.theregister.com/2020/08/13/trial_internet_restoration_kashmir/ India has taken a small step towards restoring meaningful internet access to the disputed states of Jammu and Kashmir, by ordering a trial restoration of 4G services in select areas. The region is disputed by India, Pakistan and China, but was governed by India as a semi-autonomous region until 2019. However, in August of that year India revoked the section of its constitution that gave the region special status. A month later the region was cut off from the Internet, an act India justified as improving security by preventing misinformation reaching residents. That’s a reference to the fact that Kashmir and Jammu are the only regions India administers that have a majority Muslim population, and that locals have spent decades agitating for greater autonomy from Hindu-majority India. Protests have sometimes spilled into armed conflict, some of it between Indian and Pakistani regulars, some of it involving proxies who have conducted a lengthy insurgency and committed acts of terror. India alleges that Pakistan assists and promotes the insurgency.

RedCurl cybercrime group has hacked companies for three years

www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/ Security researchers have uncovered a new Russian-based hacking group that they claim has been focusing for the past three years on corporate espionage, targeting companies across the world to steal documents that contain commercial secrets and employee personal data. Group-IB has been tracking the group since the summer of 2019, when it was first called in to investigate a security breach at a company hacked by the group. Since then, Group-IB said it identified 26 other RedCurl attacks, carried out against 14 organizations, going as far back as 2018. Victims varied across countries and industry sectors, and included construction companies, retailers, travel agencies, insurance companies, banks, and law and consulting firms from countries like Russia, Ukraine, Canada, Germany, Norway, and the UK.

FireEye’s bug bounty program goes public

www.zdnet.com/article/fireeyes-bug-bounty-program-goes-public/ 42 vulnerabilities in FireEye domains have, so far, been resolved. On Wednesday, the cybersecurity firm said the scheme is now open to any researcher or bug bounty hunter willing to take a look at in-scope FireEye domains and services.

What is the cost of a data breach?

www.welivesecurity.com/2020/08/12/what-is-cost-data-breach/ The price tag is higher if the incident exposed customer data or if it was the result of a malicious attack, an annual IBM study finds. The average cost of a data breach has declined by 1.5% year-over-year, costing companies US$3.86 million per incident, according to IBM’s 2020 Cost of a Data Breach Report. The annual study analyzed data from 524 organizations that, while being based in 17 countries and regions and operating in 17 industries, have one thing in common: each of them has suffered a security breach over the past year. Read also:


Kybersää (Cyber Weather) – July 2020

www.kyberturvallisuuskeskus.fi/sites/default/files/media/file/Kybers%C3%A4%C3%A4%20hein%C3%A4kuu%202020.pdf #kybersää reports on the month’s significant information security incidents and phenomena. This product is primarily aimed at people responsible for information security. The reader gets a quick overall picture of what has happened in the cyber security field during the period.

Victims Of Cyberattacks Have Much To Teach Us About The Early Warning Signs Of Intruders

www.forbes.com/sites/adambradley1/2020/08/13/victims-of-cyberattacks-have-much-to-teach-us-about-the-early-warning-signs-of-intruders/ Our team found five indicators, in particular, that are each almost certainly a sign that attackers have been poking around to get an idea of what your network looks like, and to learn how they can get the accounts and access they need to launch a ransomware attack. First, a network scanner, particularly on a server, which none of your IT admin staff can account for. Second, any tools, including commercial, licensed ones, that can disable antivirus software: it may just be someone legitimately testing defences internally, but chances are it’s not. Third, the presence of open source tools that can extract usernames and passwords. Again, it could be that someone in the IT team is using this for a legitimate purpose, but you need to be sure, because attackers use them for the same purposes and they’re banking on you assuming it’s just a colleague doing stuff. Fourth, any unexpected patterns of behaviour, like a detection triggered at the same time every day, or the same pattern popping up at regular intervals. These are a pretty good sign that something’s up, even if you’ve already detected and removed malicious files and think everything’s clean. Lastly, any sign of a ‘test’ or very small-scale attack. Sometimes attackers try out these micro assaults to see if their tools work. If you spot this last sign, you may have very little time left before the main attack is launched, hours at most, so you need to move fast. Read also:


Why You Must Beware What You Ask Amazon Alexa

www.forbes.com/sites/zakdoffman/2020/08/13/amazon-alexa-cyber-attack-check-point-report-smart-speaker-warning/ Warnings about the dangers of smart speakers and their extended families of virtual assistants are not new. These are the same devices that caused such scandal last year, when it transpired that humans were listening to conversations to better train the AI. The issue here is different, much more akin to the broader problem of IoT security. Every different gadget you connect to the internet becomes a potential vulnerability. Check Point tells me the methods needed to crack Amazon’s devices were not particularly sophisticated. First things first: Amazon was obviously informed about the risks and quickly patched its software. A spokesperson for the company told me “the security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us. We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.” Read also:


Housing company installed electronic locks but botched the GDPR: this is what the Data Protection Ombudsman decided

www.tivi.fi/uutiset/tv/a7401466-c107-43f3-a3e9-86514efd28d4 According to the Deputy Data Protection Ombudsman, the electronic lock system installed by the housing company is unlawful, because the requirements of the GDPR are not being followed. The Deputy Data Protection Ombudsman’s decision is not yet legally final; it can be appealed to the Administrative Court. Read also:


Attribution: A Puzzle

blog.talosintelligence.com/2020/08/attribution-puzzle.html The attribution of cyber attacks is hard. It requires collecting diverse intelligence, analyzing it and deciding who is responsible. Rarely does the evidence available to researchers reach a level of proof that would be acceptable in a court of law. The WellMess malware is an excellent example of how examination of infrastructure and the techniques used in an attack can lead to different conclusions. The Japanese national CERT named this malware in their July 2018 report. Two years later, the malware was used in attacks targeting COVID-19 vaccine research. In some cases, false evidence is planted deliberately to confuse researchers. In acknowledging the existence of false flags, we must also admit it’s possible researchers have misattributed attacks after being fooled by the threat actor. One of the most egregious examples of false flags was that of Olympic Destroyer, the malware that disrupted the opening of the 2018 Winter Olympics. In this attack, the threat actor left clues in the malware that potentially implicated three different state-sponsored actors in carrying out the attack.

The Simulation of Scandal: Hack-and-Leak Operations, the Gulf States, and U.S. Politics

tnsr.org/2020/08/the-simulation-of-scandal-hack-and-leak-operations-the-gulf-states-and-u-s-politics/ Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates (UAE), Qatar, and Saudi Arabia, should be seen as the “simulation of scandal”: deliberate attempts to direct moral judgement against their target. Although “hacking” tools enable easy access to secret information, they are a double-edged sword, as their discovery means the scandal becomes about the hack itself, not about the hacked information. There are wider consequences for cyber competition in situations of constraint where both sides are strategic partners, as in the case of the United States and its allies in the Persian Gulf.

June 2020 Cyber Attacks Statistics

www.hackmageddon.com/2020/08/13/june-2020-cyber-attacks-statistics/ The Daily Trend chart shows a constant trend (with a clear drop during the weekends), while the peak on the 29th reflects the leak of a trove of 14 databases on the dark web. Cyber crime is always on top of the Motivations Behind Attacks chart with a percentage similar to May (85.6% vs 87%). Cyber Espionage is back to values similar to April and grows to 10.7% from 9.8%. Hacktivism accounts for 2.1% (in May it was 2.7%) and Cyber Warfare for 1.1% (it was 0.5% in May). Ransomware attacks push malware once again to the top of the Attack Techniques chart with 36.4% (it was 34.8% in May). Account hijackings are still at number two among the known attack techniques with 16% (in May it was 16.3%). Similarly to May, targeted attacks close the top trio of the known attack vectors with 9.1% (down from 10.9% in May). As always, bear in mind that the sample refers exclusively to the attacks included in my timelines, available from public sources such as blogs and news sites. Obviously the sample cannot be complete, but only aims to provide a high-level overview of the threat landscape.

7 Ways to Identify if Your Security Stack is Too Complex

www.secureworks.com/resources/wp-7-ways-to-identify-if-your-security-stack-is-too-complex Read also:


Insider Attacks: Protecting Your Business From Itself

www.secureworks.com/resources/wp-insider-attacks-protecting-your-business-from-itself Read also:

