Daily NCSC-FI news followup 2020-08-24

Bring Your Own Device – the new normal

www.ncsc.gov.uk/blog-post/bring-your-own-device-the-new-normal Bring Your Own Device (BYOD) may not be a new topic but it has renewed significance in light of the wholesale changes to working practices instigated by the COVID-19 pandemic. In response to the pandemic, some organisations have already adapted for the future, by taking the decision to allow their staff to work from home “forever”, if they wish to. Whilst this may be an extreme example, home working will continue to increase, and BYOD is a typical organisational answer to this. Repeatedly the NCSC is asked to provide our view on this.

Five Reasons Voters and Election Officials Should Be Worried About Ransomware

therecord.media/five-reasons-voters-and-election-officials-should-be-worried-about-ransomware/ In the run-up to the U.S. presidential election, federal officials have raised concerns about how a well-timed ransomware attack could disrupt voting or lock up electoral databases. Allan Liska, a ransomware specialist at Recorded Future who has been analyzing election security threats in recent months, said his research has left him feeling bleak.

Lifting the veil on DeathStalker, a mercenary triumvirate

securelist.com/deathstalker-mercenary-triumvirate/98177/ State-sponsored threat actors and sophisticated attacks are often in the spotlight. Indeed, their innovative techniques, advanced malware platforms and 0-day exploit chains capture our collective imagination. Yet these groups still aren't likely to be a part of the risk model at most companies, nor should they be. Businesses today are faced with an array of much more immediate threats, from ransomware and customer information leaks, to competitors engaging in unethical business practices. In this blog post, we'll be focusing on DeathStalker: a unique threat group that appears to target law firms and companies in the financial sector.

Tracking A Malware Campaign Through VT

isc.sans.edu/forums/diary/Tracking+A+Malware+Campaign+Through+VT/26498/ During the weekend, I found several samples from the same VBA macro. The only difference between all the samples was the URL to fetch a malicious PE file. I have a specific YARA rule to search for embedded PowerShell strings and my rule fired several times with the same pattern and similar size.

JAMK placed well in an international critical infrastructure security competition

www.epressi.com/tiedotteet/koulutus/jamk-menestyi-kansainvalisessa-kriittisen-infrastruktuurin-tietoturvakilpailussa.html JYVSECTEC, JAMK's cyber security research, development and training centre, placed third in the international Critical Infrastructure Security Showdown 2020 Online security competition. 17 teams from around the world took part in the competition, which was organised for the fourth time.

Iran-Linked Newbie Hackers Spread Dharma Ransomware Via RDP Ports

threatpost.com/iran-linked-newbie-hackers-spread-dharma-ransomware-via-rdp-ports/158580/ A group of script kiddies tied to Iran are targeting companies worldwide with internet-facing Remote Desktop Protocol (RDP) ports and weak credentials in order to infect them with Dharma ransomware. The Dharma malware (also known as Crysis) has been distributed as a ransomware-as-a-service (RaaS) model since at least 2016. While the ransomware was previously used by advanced persistent threat (APT) actors, its source code surfaced in March 2020, making it available to a wider breadth of attackers. Also:



Top exploits used by ransomware gangs are VPN bugs, but RDP still reigns supreme

www.zdnet.com/article/top-exploits-used-by-ransomware-gangs-are-vpn-bugs-but-rdp-still-reigns-supreme/ While some ransomware groups have heavily targeted Citrix and Pulse Secure VPNs to breach corporate networks in H1 2020, most ransomware attacks take place because of compromised RDP endpoints. Ransomware attacks targeting the enterprise sector have been at an all-time high in the first half of 2020. While ransomware groups each operate based on their own skillset, most of the ransomware incidents in H1 2020 can be attributed to a handful of intrusion vectors that gangs appear to have prioritized this year.
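Both the Threatpost and ZDNet items above come down to the same intrusion vector: an internet-facing RDP service and a password that survives guessing. The following is an added example, not code from either article, of the check a defender would run over Windows Security log exports: it counts failed RDP logons (Event ID 4625, LogonType 10) per source address in a sliding window and flags a later successful logon (4624) from a source that already crossed the threshold. The events are constructed for the example, the field names are a simplified flattening of the Security log, and the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Windows Security log values relevant to RDP: 4625 = failed logon, 4624 = successful
# logon, LogonType 10 = RemoteInteractive (RDP). Other logon types are ignored here.
FAILED_LOGON, SUCCESS_LOGON, LOGON_TYPE_RDP = 4625, 4624, 10

# Constructed sample events (not a captured log): one guessing burst from 203.0.113.9 that
# ends in a successful "administrator" logon, one ordinary typo from an internal user, and
# one network (type 3) failure that the RDP rule must not count.
SAMPLE_EVENTS = [
    {"time": "2020-08-24T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.9"},
    {"time": "2020-08-24T02:00:03", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.9"},
    {"time": "2020-08-24T02:00:04", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.9"},
    {"time": "2020-08-24T02:00:06", "event_id": 4625, "logon_type": 10, "user": "scanner", "src_ip": "203.0.113.9"},
    {"time": "2020-08-24T02:00:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.9"},
    {"time": "2020-08-24T02:01:30", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.9"},
    {"time": "2020-08-24T08:15:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.23"},
    {"time": "2020-08-24T08:15:20", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.23"},
    {"time": "2020-08-24T09:00:00", "event_id": 4625, "logon_type": 3, "user": "svc", "src_ip": "198.51.100.4"},
]


def detect_rdp_bruteforce(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Sliding-window count of failed RDP logons per source IP.

    A source that reaches `threshold` failures inside `window` is reported once as
    rdp_bruteforce; any later successful RDP logon from that source is reported as
    rdp_bruteforce_success, the signal that a weak credential was found.
    """
    alerts: List[Dict] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["logon_type"] != LOGON_TYPE_RDP:
            continue
        ts = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        if e["event_id"] == FAILED_LOGON:
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"alert": "rdp_bruteforce", "src_ip": ip, "failures": len(q), "at": e["time"]})
        elif e["event_id"] == SUCCESS_LOGON and ip in flagged:
            alerts.append({"alert": "rdp_bruteforce_success", "src_ip": ip, "user": e["user"], "at": e["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields one rdp_bruteforce alert for 203.0.113.9 after its fifth failure and one rdp_bruteforce_success when "administrator" then logs in from the same address; the internal user's single typo and the type-3 failure produce nothing. The success-after-burst alert is the one worth paging on, since by then the attacker is already on the host.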

A wave of Office break-ins in Finland: this is how the attack happens

www.is.fi/digitoday/tietoturva/art-2000006611837.html Office 365 attacks, which have plagued Finnish organisations for years, are on the rise, according to the National Cyber Security Centre, which operates under Traficom. The Office 365 user accounts of several Finnish organisations have been broken into. New breaches are being reported daily, the centre says in its release. Also:


When will a quantum computer be able to break today's encryption?

www.tivi.fi/uutiset/milloin-kvanttitietokone-pystyy-murtamaan-nykysalaukset/9cca64ef-f419-4a18-8590-82480a165a66 Future quantum computers will revolutionise high-performance computing, but at the same time they will break the internet's most important encryption methods. Finland is also preparing for the threat. Quantum technology promises enormous computing capacity for weather forecasting, genetic research and other tasks that require high-performance computing. At the same time, quantum technology also raises fears. A general-purpose quantum computer could break the most important encryption methods used on the internet in an instant. That is why Finland too is now preparing for the threat posed by quantum computers.

Dark web market Empire down for days from DDoS attack

www.bleepingcomputer.com/news/cryptocurrency/dark-web-market-empire-down-for-days-from-ddos-attack/ The popular dark web site Empire Market has been down for at least 48 hours, with some users suspecting an exit scam and others blaming a prolonged distributed denial-of-service (DDoS) attack. Over the weekend, multiple reports emerged on Twitter and Reddit from users complaining about not being able to load the Empire Market website. Empire Market features numerous illicit goods including illegal drugs, chemicals, counterfeit items, jewelry, and credit card numbers while offering payment methods including Bitcoin (BTC), Litecoin (LTC), and Monero (XMR).

APIs Are the Next Frontier in Cybercrime

threatpost.com/apis-next-frontier-cybercrime/158536/ API usage has exploded, and cybercriminals are increasingly taking advantage of API security flaws to commit fraud and steal data. APIs make everything a bit easier, from data sharing to system connectivity to delivery of critical features and functionality, but they also make it much easier for the bad actors (and the bad bots they deploy) to carry out attacks.

Canadian shipping company Canpar gets an unwanted delivery ransomware

www.theregister.com/2020/08/24/in_brief_security/ In brief It has not been a good week for major Canadian shipping company Canpar Express. The Canuck parcel-mover's website fell offline for days as it tackled a ransomware outbreak on its internal systems. We are also told by readers who reside in America's Hat that deliveries have been negatively affected: things like package tracking and scheduling pickups are not possible right now, for instance.

Chromium DNS hijacking detection accused of being around half of all root queries

www.zdnet.com/article/chromium-dns-hijacking-detection-accused-of-being-around-half-of-all-root-queries/ In an effort to detect whether a network will hijack DNS queries, Google's Chrome browser and its Chromium-based brethren randomly conjure up three domain names of between 7 and 15 characters to test, and if two of those domains resolve to the same IP, the browser concludes that the network is capturing and redirecting requests for nonexistent domains. This test is run on startup, and whenever a device's IP or DNS settings change.
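The heuristic described in the ZDNet item, written out as an added example that is not Chromium's own code: generate three single-label random names of 7 to 15 lowercase letters, resolve them, and declare NXDOMAIN hijacking if two of them come back with the same address. Real resolution is replaced by a constructed resolver so the example runs offline; the name "intranet" in the table and the addresses used are made up for the example.

```python
import random
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IP string, or None when the answer is NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def random_probe_names(count: int = 3, seed: Optional[int] = None) -> List[str]:
    """Generate single-label random hostnames of 7-15 lowercase letters, as the article
    describes Chromium doing. They carry no DNS suffix, so on an honest network every one
    of them is an NXDOMAIN that is ultimately answered from the root zone."""
    rng = random.Random(seed)
    names = []
    for _ in range(count):
        length = rng.randint(7, 15)
        names.append("".join(rng.choice(string.ascii_lowercase) for _ in range(length)))
    return names


def nxdomain_hijack_detected(resolve: Resolver, names: List[str]) -> bool:
    """Chromium's rule: if two or more of the random names resolve to the same IP,
    the network is rewriting NXDOMAIN answers (typically to a search or ad page).
    A single name resolving is not enough; the coincidence of two is the signal."""
    hits: Dict[str, int] = {}
    for name in names:
        ip = resolve(name)
        if ip is None:
            continue
        hits[ip] = hits.get(ip, 0) + 1
        if hits[ip] >= 2:
            return True
    return False


def constructed_resolver(table: Dict[str, str], wildcard_ip: Optional[str] = None) -> Resolver:
    """Constructed stand-in for a real resolver (no network access). Names in `table`
    answer from it; anything else gets `wildcard_ip` when the simulated network rewrites
    NXDOMAIN, and None (a genuine NXDOMAIN) otherwise."""
    def resolve(name: str) -> Optional[str]:
        return table.get(name, wildcard_ip)
    return resolve


if __name__ == "__main__":
    probes = random_probe_names(seed=2020)
    honest = constructed_resolver({"intranet": "10.0.0.5"})
    hijacking = constructed_resolver({"intranet": "10.0.0.5"}, wildcard_ip="198.51.100.7")
    print("probes:", probes)
    print("honest network:", nxdomain_hijack_detected(honest, probes))        # False
    print("hijacking network:", nxdomain_hijack_detected(hijacking, probes))  # True
```

The cost the article is about follows directly from the first function: every Chromium start and every network change sends three never-before-seen single-label names through the resolver chain, and because no one owns them they end as NXDOMAIN queries at the root servers. An operator of an internal resolver will see them as bursts of random seven-to-fifteen-letter names and should not mistake them for DGA traffic.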

Large Ad Network Collects Private Activity Data, Reroutes Clicks

www.darkreading.com/mobile/large-ad-network-collects-private-activity-data-reroutes-clicks/d/d-id/1338733 A Chinese mobile advertising firm has modified code in the software development kit included in more than 1,200 apps, maliciously collecting user activity and performing ad fraud, says Snyk, a software security firm. More than 1,200 applications exceeding 300 million collective monthly downloads have incorporated a software development kit (SDK) from Chinese advertising service Mintegral that has malicious code to spy on user activity and steal potential revenue from competitors, software security firm Snyk stated in an analysis published on Aug. 24.

Hunting for Risky Rules in Office 365

blog.rothe.uk/risky-rules-in-office365/ When an attacker compromises an Office 365 mailbox, one of the most common activities that we see is new inbox rules being created, so finding these rules is a good way to identify compromised accounts and mailboxes. One obvious way to achieve this is to feed Office 365 audit logs into a SIEM or use MCAS. However, there are a couple of disadvantages to relying solely on this approach. Firstly, it will only detect new compromises, so if a rule already exists when the logging is enabled then it won't be detected. Secondly, MCAS requires a more expensive license than a lot of customers currently have assigned, which makes it a less attractive approach for smaller companies that might also not have a SIEM.
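The blog's point is that an audit-log feed only catches rules created after logging starts, so existing rules have to be enumerated and scored. The following is an added example, not the blog author's code, of the scoring half: it takes inbox rules already exported from the tenant (the field names are those Get-InboxRule exposes, and the recipient lists are assumed to have been normalised to plain SMTP addresses) and flags the patterns that recur in compromised mailboxes: forwarding or redirecting to an external address, deleting mail, moving it into folders that users never open, and filtering on words such as "password" or "invoice". The tenant domain, folder list, keyword list and sample rules are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed tenant domains (assumption for this example); anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Folders that attackers favour for parking mail they have already acted on.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

# Words in a rule condition that usually mean it exists to suppress alerts or fraud traffic.
SUSPICIOUS_WORDS = {"password", "invoice", "payment", "wire", "hacked",
                    "phish", "suspicious", "security"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: List[str]


def _first_external(addresses: Iterable[str]) -> Optional[str]:
    """Return the first SMTP address whose domain is not one of ours, or None."""
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain not in INTERNAL_DOMAINS:
            return addr
    return None


def assess_rule(rule: Dict) -> List[str]:
    """Return the reasons one inbox rule looks risky; an empty list means nothing suspicious."""
    reasons: List[str] = []
    for action in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = _first_external(rule.get(action) or [])
        if ext:
            reasons.append(f"{action} external recipient {ext}")
    if rule.get("DeleteMessage"):
        reasons.append("DeleteMessage")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder {rule['MoveToFolder']!r}")
    words = {w.lower() for w in (rule.get("SubjectContainsWords") or [])
             + (rule.get("BodyContainsWords") or [])}
    hits = sorted(words & SUSPICIOUS_WORDS)
    if hits:
        reasons.append("filters on " + ", ".join(hits))
    return reasons


def hunt_risky_rules(rules: Iterable[Dict]) -> List[Finding]:
    """Score every exported rule, enabled or not: a disabled attacker rule is still evidence."""
    return [Finding(r["MailboxOwnerId"], r["Name"], assess_rule(r))
            for r in rules if assess_rule(r)]


# Constructed sample export (not real tenant data) in Get-InboxRule field names.
# Rule names of "." and ".." are the kind of minimal names attacker tooling tends to leave.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.com", "Name": "Newsletters", "Enabled": True,
     "From": ["news@vendor.example"], "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "bob@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["bob.backup@mail.example.net"]},
    {"MailboxOwnerId": "carol@example.com", "Name": "..", "Enabled": True,
     "SubjectContainsWords": ["password", "hacked", "invoice"],
     "MarkAsRead": True, "MoveToFolder": "RSS Subscriptions"},
    {"MailboxOwnerId": "dave@example.com", "Name": "Cleanup", "Enabled": False,
     "BodyContainsWords": ["wire"], "DeleteMessage": True},
]


if __name__ == "__main__":
    for finding in hunt_risky_rules(SAMPLE_RULES):
        print(finding.mailbox, repr(finding.rule), "->", "; ".join(finding.reasons))
```

Alice's newsletter rule passes; Bob's, Carol's and Dave's are reported with the specific reasons, which is what an analyst needs to triage a tenant-wide export quickly. Because the scoring runs over whatever is exported, it finds rules that predate audit logging, which is exactly the gap the blog describes in the SIEM-only approach.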
