Daily NCSC-FI news followup 2020-08-14

NSA and FBI Cybersecurity Advisory – Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware

media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as “root”; and port forwarding of network traffic to other hosts on the network.

Australian government wants power to run cyber-response for businesses under attack

www.theregister.com/2020/08/14/australian_critical_infrastructure_defence_plan/ Ponders giving ’em immunity too for countermeasures up to hacking back. Australia’s government has proposed giving itself the power to take over private enterprises’ response to cyber-attacks on critical infrastructure.

CactusPete APT group’s updated Bisonal backdoor

securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/ CactusPete (also known as Karma Panda or Tonto Team) is an APT group that has been publicly known since at least 2013. Some of the group’s activities have been previously described in public by multiple sources. We have been investigating and privately reporting on this group’s activity for years as well. Historically, their activity has been focused on military, diplomatic and infrastructure targets in Asia and Eastern Europe. This is also true of the group’s latest activities. A new CactusPete campaign, spotted at the end of February 2020 by Kaspersky, shows that the group’s favored types of target remain the same. The victims of the new variant of the Bisonal backdoor, according to our telemetry, were from the financial and military sectors in Eastern Europe. Our research started from only one sample, but by using the Kaspersky Threat Attribution Engine (KTAE) we found 300+ almost identical samples. All of them appeared between March 2019 and April 2020. This underlines the speed of CactusPete’s development: more than 20 samples per month. The target location forced the group to use a hardcoded Cyrillic codepage during string manipulation. This matters, for example, for the remote shell functionality, where the Cyrillic output of executed commands has to be handled correctly. Once the malware starts, it tries to reach a hardcoded C2. The communication takes place over an unmodified HTTP-based protocol; the request and response bodies are RC4-encrypted, and the encryption key is also hardcoded into the sample. As the result of the RC4 encryption may contain binary data, the malware additionally encodes it in Base64 to match the HTTP specification.
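The C2 encoding described above (RC4 under a key hardcoded in the sample, then Base64 so the body stays printable, with remote-shell output handled in a Cyrillic codepage) as an added example. This is not code from Kaspersky's write-up or from the malware; the key, the C2 host and path, the cp1251 choice of codepage and the captured shell output are all constructed placeholders, and the same functions serve to decode a captured body once the key has been pulled from a sample.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed placeholder; a real sample carries its own hardcoded key.
SAMPLE_KEY = b"example-hardcoded-key"
# The text only says "a hardcoded Cyrillic codepage"; cp1251 (Windows Cyrillic)
# is an assumption made for this example.
CYRILLIC_CODEPAGE = "cp1251"


def encode_body(key: bytes, plaintext: bytes) -> bytes:
    """Implant side: RC4-encrypt, then Base64 so the HTTP body is plain ASCII."""
    return base64.b64encode(rc4(key, plaintext))


def decode_body(key: bytes, body: bytes) -> bytes:
    """Analyst side: undo Base64, then RC4 with the key recovered from the sample."""
    return rc4(key, base64.b64decode(body))


def build_request(key: bytes, host: str, path: str, plaintext: bytes) -> bytes:
    """Ordinary HTTP POST carrying the encoded body; nothing in the transport is custom."""
    body = encode_body(key, plaintext)
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return headers.encode("ascii") + body


def decode_shell_output(key: bytes, body: bytes, codepage: str = CYRILLIC_CODEPAGE) -> str:
    """Recover remote-shell output. The implant captured it in the Cyrillic codepage,
    so decoding the bytes as UTF-8 would mangle any non-ASCII command output."""
    return decode_body(key, body).decode(codepage)


if __name__ == "__main__":
    # Constructed sample of what a Russian-locale 'dir' might print on the victim.
    captured = "Каталог: C:\\Users\\user\r\n".encode(CYRILLIC_CODEPAGE)
    request = build_request(SAMPLE_KEY, "c2.example.invalid", "/index.php", captured)
    print(request.decode("ascii"))
    body = request.split(b"\r\n\r\n", 1)[1]
    print(decode_shell_output(SAMPLE_KEY, body))
```

For traffic analysis the useful direction is `decode_body`: pull the key from the sample, strip the HTTP headers from a captured POST or its response, and decode; if the output is a command result, decode it with the sample's codepage rather than UTF-8.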

IoT Security: 7 Essential Must-Knows

blog.paloaltonetworks.com/2020/08/iot-security-7-essential-must-knows/ Today’s enterprises are moving at great speed towards transformation, and the definition of their network is constantly changing with hybrid clouds, IoT devices, and now home offices. With an expanding network edge comes increased cyber risk, inseparably linking businesses to frequent, severe and sophisticated cyberattacks.

Tor and anonymous browsing – just how safe is it?

nakedsecurity.sophos.com/2020/08/13/tor-and-anonymous-browsing-just-how-safe-is-it/ Loosely speaking, that strapline implies that if you visit a website using Tor, typically in the hope of remaining anonymous and keeping away from unwanted surveillance, censorship or even just plain old web tracking for marketing purposes, then one in four of those visits (perhaps more!) will be subject to the purposeful scrutiny of cybercriminals.

NHS Test and Trace app security redux

www.ncsc.gov.uk/blog-post/nhs-test-and-trace-app-security-redux NCSC Technical Director Dr Ian Levy and the NHS Test and Trace App acting CISO Stuart H explain how security and privacy have been approached in the new version of the app.

US demand raises concern – justified by the fight against the coronavirus

www.tivi.fi/uutiset/tv/0c589aa6-82d6-48c5-bd03-d3640338f858 The United States hopes to gain access to people’s location data, anonymous sources reveal.

Phishing Emails Used to Deploy KONNI Malware

us-cert.cisa.gov/ncas/alerts/aa20-227a The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with malicious Visual Basic for Applications (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

Mac malware spreads through Xcode projects, abuses WebKit, Data Vault vulnerabilities

www.zdnet.com/article/mac-malware-spreads-through-xcode-projects-abuses-previously-unknown-vulnerabilities/ Xcode projects are being exploited to spread a form of Mac malware specializing in the compromise of Safari and other browsers.

Mekotio: These aren’t the security updates you’re looking for

www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/ Another in our occasional series demystifying Latin American banking trojans

300,000 links taken down in crackdown on investment scams with bogus celebrity endorsements

www.zdnet.com/article/300000-links-taken-down-in-crackdown-on-investment-scams-with-bogus-celebrity-endorsements/ NCSC issues a warning about criminals stealing money from people with the promise of get-rich-quick schemes backed by phoney celebrity testimonials, which cost victims hundreds of millions a year.

Microsoft Defender casts a jaundiced eye over Citrix, slams services in quarantine on suspicion of being malware

www.theregister.com/2020/08/14/microsoft_defender_citrix/ You say broker, I say trojan, let’s call the whole thing off

Critical Flaws in WordPress Quiz Plugin Allow Site Takeover

threatpost.com/critical-flaws-wordpress-quiz-plugin-site-takeover/158379/ The recently patched flaws could be abused by unauthenticated, remote attackers to take over vulnerable websites.

Instagram Retained Deleted User Data Despite GDPR Rules

threatpost.com/instagram-retained-deleted-user-data-despite-gdpr-rules/158366/ The photo-sharing app retained people’s photos and private direct messages on its servers even after users removed them.

Chrome extensions that lie about their permissions

blog.malwarebytes.com/puppum/2020/08/chrome-extensions-that-lie-about-their-permissions/ Recently, we came across a family of search hijackers that are deceptive about the permissions they are going to use in their install prompt.

Google resumes its attack on the URL bar, hides full addresses on Chrome 86

www.androidpolice.com/2020/08/13/google-resumes-its-senseless-attack-on-the-url-bar-hides-full-addresses-on-chrome-canary/ Google has tried on and off for years to hide full URLs in Chrome’s address bar, because apparently long web addresses are scary and evil. Despite the public backlash that came after every previous attempt, Google is pressing on with new plans to hide all parts of web addresses except the domain name in Chrome 86, this time, admittedly, accompanied by a hover animation.

How Your Unemployment Checks Are At Risk From Russian Cyber Thieves

www.forbes.com/sites/zakdoffman/2020/08/14/trump-employment-benefit-check-fraud-russian-hacker-cyber-criminal/ American unemployment checks have become the latest target for cyber thieves who have lurched from one scam to another as the world battles the coronavirus pandemic.

A simple telephony honeypot received 1.5 million robocalls across 11 months

www.zdnet.com/article/a-simple-telephony-honeypot-received-1-5-million-robocalls-across-11-months/ Researchers say that most campaigns take place in short-burst storms and that answering a robocall doesn’t mean you’ll be targeted more often in the future.

Alexa vulnerability is a reminder to delete your voice history

www.cnet.com/news/alexa-vulnerability-is-a-reminder-to-delete-your-voice-history/ The one-click hack could’ve let an attacker view all the conversations you’ve had with Amazon’s voice assistant.
