Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-25

DDoS Hide & Seek: On the Effectiveness of a Booter Services Takedown

labs.ripe.net/Members/daniel_kopp/ddos-hide-and-seek In this article, we investigated booter-based DDoS attacks in the wild and the impact of an FBI takedown targeting fifteen booter websites in December 2018. We investigated and compared attack properties of multiple booter services by launching DDoS attacks against our own infrastructure. To understand spatial and temporal trends of the DDoS traffic originating from booters, we scrutinised five months worth of inter-domain traffic.

Dos and Donts for Charting Your Security Intelligence Journey

www.recordedfuture.com/threat-intelligence-journey/ For many organizations, moving toward a comprehensive security intelligence philosophy begins with threat intelligence. Yet as were exploring throughout this series, threat intelligence is extremely versatile with myriad applications. This means your intelligence journey will also be unique, and should reflect your organizations specific needs and goals

Identifying People by Their Browsing Histories

www.schneier.com/blog/archives/2020/08/identifying_peo_9.html Interesting paper: “Replication: Why We Still Can’t Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories”

Teknisen tuen puhelinhuijareita liikkeellä

news.microsoft.com/fi-fi/2020/08/25/teknisen-tuen-puhelinhuijareita-liikkeella/ Teknisen tuen puhelinhuijaukset ovat tällä hetkellä yleisiä koko Suomessa. Rikolliset pyrkivät huijaamaan uhrin maksamaan tarpeettomia teknisiä tukipalveluja, joiden uskotellaan korjaavan laitteen, alustan tai ohjelmiston väitettyjä ongelmia. Tuoreeltaan Microsoftin nimissä tehdystä puhelinhuijauksesta on varoittanut muun muassa Helsingin poliisi.

Cyber attacks: Several Canadian government services disrupted

www.welivesecurity.com/2020/08/24/cyber-attacks-canada-revenue-agency-government/ Cybercriminals set their sights on the Canadian government at the beginning of August, when several government services were disabled following a series of cyberattacks. On August 15, the Treasury Board Secretariat announced that approximately 11,000 online government services accounts, originating from the Government of Canada Key service (GCKey) and Canada Revenue Agency (CRA) accounts, had been victims of hacking attempts.

Popular iOS SDK Caught Spying on Billions of Users and Committing Ad Fraud

thehackernews.com/2020/08/ios-sdk-ad-fraud.html A popular iOS software development kit (SDK) used by over 1,200 appswith a total of more than a billion mobile usersis said to contain malicious code with the goal of perpetrating mobile ad-click fraud and capturing sensitive information.

Keep An Eye on LOLBins

isc.sans.edu/forums/diary/Keep+An+Eye+on+LOLBins/26502/ Don’t misread, I won’t talk about “lolcats” today but “LOLBins” or “Living Off The Land Binaries”. All operating systems provide a rich toolbox to achieve multiple day-to-day tasks like maintenance of the certificates, installation of patches and applications, management of files, and many more. Those tools are installed by default and available to all users without specific access rights (most of the time). Also very important, they are signed by the operating system so they are usually considered safe by default.

Safari Bug Revealed After Apple Takes Nearly a Year to Patch

threatpost.com/safari-bug-revealed-after-apple-takes-nearly-a-year-to-patch/158612/ A security researcher disclosed details of an Apple Safari web browser security hole that could leak files with other browsers and applications and open the door to exploitation by attackers. The disclosure came only after Apple said it would delay patching the vulnerability for nearly a year. For context, researcher rated the bug as not very serious.. Blog post:

blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html

Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites

www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/ More and more ransomware gangs are now operating sites where they leak sensitive data from victims who refuse to pay the ransom demand. It has now become a mainstream tactic for big ransomware groups to create so-called “leak sites” where they upload and leak sensitive documents from companies who refuse to pay the ransomware decryption fee.. Also:

www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/

Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome WebGL could lead to code execution

blog.talosintelligence.com/2020/08/vuln-spotlight-chrome-use-free-aug-2020.html The Google Chrome web browser contains a use-after-free vulnerability in its WebGL component that could allow a user to execute arbitrary code in the context of the browser process. This vulnerability specifically exists in ANGLE, a compatibility layer between OpenGL and Direct3D that Chrome uses on Windows systems. An adversary could manipulate the memory layout of the browser in a way that they could gain control of the use-after-free exploit, which could ultimately lead to arbitrary code execution. Also:

threatpost.com/google-fixes-high-severity-chrome-browser-code-execution-bug/158600/.

www.bleepingcomputer.com/news/security/google-chrome-85-fixes-webgl-code-execution-vulnerability/

Threat Intelligence Report: Lazarus Group Campaign Targeting the Cryptocurrency Vertical

labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical In 2019, F-Secure uncovered technical details on Lazarus Groups modus operandi during an investigation of an attack on an organisation in the cryptocurrency vertical. Consistent with public reporting on the groups activities, the main objective of the attack was financial gain. F-Secure assess the attack on the target to be advanced in nature and was able to link this activity with a global phishing campaign running since at least January 2018. The attack was linked to this wider set of activity through several common indicators found in samples from the investigation, open source repositories, and proprietary intelligence sources.. Also:

www.theregister.com/2020/08/25/lazarus_group_north_korea_linkedin_lure/.

www.bleepingcomputer.com/news/security/lazarus-hackers-target-cryptocurrency-orgs-with-fake-job-offers/.

threatpost.com/lazarus-group-targets-cryptocurrency-firms-via-linkedin-messages/158614/.

www.zdnet.com/article/lazarus-group-strikes-cryptocurrency-firm-through-linkedin-job-adverts/

Office 365 now opens attachments in a sandbox to prevent infections

www.bleepingcomputer.com/news/security/office-365-now-opens-attachments-in-a-sandbox-to-prevent-infections/ Microsoft today announced the launch of Application Guard for Office in public preview to protect enterprise users from threats using malicious attachments as an attack vector. Application Guard for Office (also known as Microsoft Defender Application Guard for Office) is designed to help prevent block files downloaded from untrusted sources from gaining access trusted resources by opening them within an isolated sandbox.

Browser-based cryptojacking sees sudden spike in activity in Q2 2020

www.zdnet.com/article/browser-based-cryptojacking-sees-sudden-spike-in-activity-in-q2-2020/ Browser-based cryptocurrency mining, also known as cryptojacking, made a surprising comeback earlier this year, in the month of June. In its Threat Landscape Trends report for Q2 2020, US cyber-security vendor Symantec said cryptojacking saw a 163% increase in detections, compared to the previous quarters. The spike in activity is extremely uncharacteristic for this particular threat, considered by all security experts to be long dead.

Impersonating users of ‘protest’ app Bridgefy was as simple as sniffing Bluetooth handshakes for identifiers

www.theregister.com/2020/08/25/bridgefy_royal_holloway_security_analysis/ University of London researchers poked around in ‘secure’ messaging platform, but didn’t like what they found. An instant messaging app whose creators promoted it as secure and end-to-end encrypted was in fact no such thing, according to researchers at Royal Holloway. The University of London college found, according to a paper it published yesterday, that the app “permits its users to be tracked, offers no authenticity, no effective confidentiality protections and lacks resilience against adversarially crafted messages”.

MITRE Releases ‘Shield’ Active Defense Framework

www.darkreading.com/attacks-breaches/mitre-releases-shield-active-defense-framework-/d/d-id/1338741 Free knowledge base offers techniques and tactics for engaging with and better defending against network intruders. MITRE Corp. has released a new guide cataloging measures that organizations can take to actively engage with and counter intruders on their networks. Like MITRE’s widely used ATT&CK framework, which offers a comprehensive listing of attacker behavior, the federally funded organization’s new Shield is a publicly availably knowledge base, this time of tactics and techniques for proactive defense.

DarkSide Ransomware hits North American real estate developer

www.bleepingcomputer.com/news/security/darkside-ransomware-hits-north-american-real-estate-developer/ North American land developer and home builder Brookfield Residential is one of the first victims of the new DarkSide Ransomware. Brookfield Residential is a U.S. and Canada planned community and single-family home builder with $5.7 billion in assets. Brookfield Residential is owned by Brookfield Asset Management, a Canadian asset management company with over $500 billion in assets under their control. The similar names have led to some confusion as to which entity was attacked by the DarkSide ransomware.

Google Search Fails Again: Recent Black Hat SEO Attacks Lead To Malware And Porn

www.forbes.com/sites/davidbalaban/2020/08/25/google-search-fails-again-recent-black-hat-seo-attacks-lead-to-malware-and-porn/ There is no such thing as a flawless electronic system. Computers are hackable, and networks are susceptible to remote compromise. The same goes for search providers. Development slip-ups and security loopholes can undermine the integrity and defenses of these services. All it takes is a competent adversary with enough time and resources at their disposal. Even Google that leverages state-of-the-art technologies to thwart adverse manipulation cannot stop all black hat SEO stratagems in their tracks. To hoodwink the tech giants sophisticated algorithms and poison search results with dodgy content, though, malicious actors must think outside the box.

Dragos Teams with Industry Veterans to Establish New Industrial Reference Architecture

www.dragos.com/blog/industry-news/dragos-announces-converged-industrial-edge-architecture/ Amid the Digital Transformation era for electric utilities, oil & gas, and other industrial-type organizations, there is often a struggle to converge information technology (IT) and operational technology (OT) environments without disrupting safety, reliability, security, and performance of mission-critical protection and control applications. The Department of Energy (DOE) awarded a project to help address this situation. Its goal is to develop a software architecture that manages the trust, data, and resource allocations safely and securely between software applications from multiple suppliers that all operate on the same software-defined network (SDN) infrastructure.

A Tale of Escaping a Hardened Docker container

www.redtimmy.com/docker/a-tale-of-escaping-a-hardened-docker-container/ Legend has it that before his death, Harry Houdini once said: if it is truly possible for someone to return from the afterlife, I will. Despite of the fact he was a great illusionist and escape artist, it seems this last proof has revealed to be very hard, even for him. Much simpler trying to escape out of a container. Of course a docker container… our topic for today.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.