
Daily NCSC-FI news followup 2020-08-26

Reverse Engineering and observing an IoT botnet

www.gdatasoftware.com/blog/2020/08/36243-reverse-engineering-and-observing-an-iot-botnet IoT devices are everywhere around us, and some of them are not up to date with today's security standards. A single light bulb exposed to the internet can offer an attacker a variety of possibilities to attack companies or households. The possibilities are endless. If we think about a router, or follow the example with the light bulb, such a hijacked device can be used for various malicious activities: for example, building a botnet and monetizing it by offering DDoS as a service, or using the IoT device as a gateway into a corporate network. There have also been cases where ransomware was used on IoT devices.

43 COVID-19 Cybersecurity Statistics

www.pandasecurity.com/mediacenter/news/covid-cybersecurity-statistics/ In January 2020, the Coronavirus outbreak started to garner international headlines. On March 11, 2020, the World Health Organization declared COVID-19 a worldwide pandemic. That week, life around the world changed. Bustling streets became empty, hospital beds overflowed, and businesses were faced with the impossible decision of whether or not to close their doors, in some cases, for good.

Transparent Tribe: Evolution analysis, part 2

securelist.com/transparent-tribe-part-2/98233/ Transparent Tribe, also known as PROJECTM or MYTHIC LEOPARD, is a highly prolific group whose activities can be traced as far back as 2013. In the last four years, this APT group has never taken time off. They continue to hit their targets, which typically are Indian military and government personnel. This is the second of two articles written to share the results of our recent investigations into Transparent Tribe. In the previous article, we described the various Crimson RAT components and provided an overview of impacted users.

Emulation of Malicious Shellcode With Speakeasy

www.fireeye.com/blog/threat-research/2020/08/emulation-of-malicious-shellcode-with-speakeasy.html In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are not malware analysts to acquire triage reports in an automated way, as well as enabling reverse engineers to write custom plugins to triage difficult malware families. Originally created to emulate Windows kernel mode malware, Speakeasy now also supports user mode samples. The project's main goal is high-resolution emulation of the Windows operating system for dynamic malware analysis on the x86 and amd64 platforms.

Confessions of an ID Theft Kingpin, Part I

krebsonsecurity.com/2020/08/confessions-of-an-id-theft-kingpin-part-i/ At the height of his cybercriminal career, the hacker known as Hieupc was earning $125,000 a month running a bustling identity theft service that siphoned consumer dossiers from some of the world's top data brokers. That is, until his greed and ambition played straight into an elaborate snare set by the U.S. Secret Service. Now, after more than seven years in prison, Hieupc is back in his home country and hoping to convince other would-be cybercrooks to use their computer skills for good.

FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks

us-cert.cisa.gov/ncas/alerts/aa20-239a North Korea's intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet access. To differentiate its methods from other North Korean malicious cyber activity, the U.S. Government refers to this team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima, and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts.

us-cert.cisa.gov/ncas/current-activity/2020/08/26/north-korean-malicious-cyber-activity-fastcash

APT Hackers Exploit Autodesk 3ds Max Software for Industrial Espionage

thehackernews.com/2020/08/autodesk-malware-attack.html It's one thing for APT groups to conduct cyber espionage to meet their own financial objectives. But it's an entirely different matter when they are used as "hackers for hire" by competing private companies to make away with confidential information. Bitdefender's Cyber Threat Intelligence Lab discovered yet another instance of an espionage attack targeting an unnamed international architectural and video production company that had all the hallmarks of a carefully orchestrated campaign. Also:

threatpost.com/hackers-exploit-autodesk-flaw-in-recent-cyberespionage-attack/158669/

www.zdnet.com/article/mercenary-hacker-group-targets-companies-with-3ds-max-malware/

www.bleepingcomputer.com/news/security/hackers-for-hire-attack-architecture-firm-via-3ds-max-exploit/

www.theregister.com/2020/08/26/autodesk_3ds_max_plugin_malware_attack/

Malicious Excel Sheet with a NULL VT Score

isc.sans.edu/forums/diary/Malicious+Excel+Sheet+with+a+NULL+VT+Score/26506/ Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that has a very nice score of 0/57 on VT. Yes, according to all AVs the file is safe. Really? If it matched one of my hunting rules, there is for sure something suspicious inside. Let's have a look at it.

Four More Bugs Patched in Microsoft's Azure Sphere IoT Platform

threatpost.com/four-more-bugs-patched-in-microsofts-azure-sphere-iot-platform/158643/ Researchers have unearthed more vulnerabilities in Microsoft's IoT security solution. Details tied to a pair of remote code execution bugs in Microsoft's IoT security platform, Azure Sphere, were released Monday. Also made public were specifics associated with two additional privilege escalation flaws impacting the same cloud security platform. Public disclosure of all four bugs piggybacks on six vulnerabilities found in July that also impact Microsoft's Azure Sphere. Cybersecurity researchers at Cisco Talos found each of the bugs and released the technical details of the vulnerabilities only after Microsoft issued patches.

FBI informant provides a glimpse into the inner workings of tech support scams

www.zdnet.com/article/fbi-informant-provides-a-glimpse-into-the-inner-workings-of-tech-support-scams/ US authorities have charged three suspects involved in a large-scale tech support scam operation after FBI agents arrested one of their co-conspirators and turned him into an informant. Evidence provided by the informant along with court documents filed in the case provide an in-depth glimpse at the techniques and inner workings of a modern-day tech support scam, from its earliest stages to the methods crooks use to launder funds obtained from defrauded victims.

Perpetrator still a matter of guesswork: a severe denial-of-service attack brought down a distant stock exchange, share trading halted

www.tivi.fi/uutiset/tv/de6acbb4-07df-4fb9-9434-03765cdaa607 New Zealand's stock exchange has not collapsed, but trading has been halted repeatedly because of denial-of-service attacks. Share trading in New Zealand has ground to a screeching halt several times this week. The local exchange (NZX) has been the target of denial-of-service attacks for a couple of days already. Because of the problems, trading in securities has had to be suspended repeatedly. Also:

www.bleepingcomputer.com/news/security/new-zealand-stock-exchange-halted-trading-after-ddos-attacks/

Russian Arrested After Offering $1 Million to U.S. Company Employee for Planting Malware

thehackernews.com/2020/08/russian-extortion-malware.html Hackers always find a way in, even if there's no software vulnerability to exploit. The FBI has arrested a Russian national who recently traveled to the United States and offered a $1 million bribe to an employee of a targeted company for his help in manually installing malware on the company's computer network. Also:

www.zdnet.com/article/russian-arrested-for-trying-to-recruit-an-insider-and-hack-a-nevada-company/

www.bleepingcomputer.com/news/security/fbi-foiled-a-russians-plan-to-ransom-a-nevada-company/

Code-execution bug in Pulse Secure VPN threatens patch laggards everywhere

arstechnica.com/information-technology/2020/08/code-execution-bug-in-pulse-secure-vpn-threatens-patch-laggards-everywhere/ If you haven't updated Pulse Secure VPN, now would be an excellent time to do so. Organizations that have yet to install the latest version of the Pulse Secure VPN have a good reason to stop dithering: a code-execution vulnerability that allows attackers to take control of networks that use the product. Tracked as CVE-2020-8218, the vulnerability requires an attacker to have administrative rights on the machine running the VPN. Researchers from GoSecure, the firm that discovered the flaw, found an easy way to clear that hurdle: trick an administrator into clicking on a malicious link embedded in an email or other type of message.

SunCrypt Ransomware sheds light on the Maze ransomware cartel

www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/ A ransomware named SunCrypt has joined the 'Maze cartel,' and with their membership we get insight into how these groups are working together. In June, we broke the story that the Maze threat actors had created a cartel of ransomware operations to share information and techniques to help each other extort their victims. When it first started, this cartel included Maze and LockBit, but it soon expanded to include Ragnar Locker. When Maze first formed this group, they refused to answer our questions on how members of their cartel benefited, and whether there was a monetary benefit to Maze.

A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts

www.zdnet.com/article/a-quarter-of-the-alexa-top-10k-websites-are-using-browser-fingerprinting-scripts/ Academics also discover many new previously unreported JavaScript APIs that are currently being used to fingerprint users. A browser fingerprinting script is a piece of JavaScript code that runs inside a web page and works by testing for the presence of certain browser features. Today, browser fingerprinting is commonly used by online advertisers as a next-gen user tracking mechanism. Advertisers run different types of fingerprinting operations, create one or more “fingerprints” for each user, and then use them to track the user as he/she accesses other sites on the internet.

Phishing Attack Used Box to Land in Victim Inboxes

www.darkreading.com/attacks-breaches/phishing-attack-used-box-to-land-in-victim-inboxes/d/d-id/1338754 A phishing attack targeting government and security organizations used a legitimate Box page with Microsoft 365 branding to trick victims. A newly discovered credential phishing campaign used a legitimate Box webpage and exploited widespread trust in Microsoft 365 to capture victims’ credentials in a convoluted attack chain. The team at Armorblox discovered this threat back in June and say it affected city officials, as well as government and cybersecurity organizations. Attackers chose to host the phishing site on a legitimate Box page, which security experts say helped the emails land in victims’ inboxes.

Cisco Patches High-Severity Bugs Impacting Switches, Fibre Storage

threatpost.com/cisco-high-severity-bugs-impact-switches-fibre-storage/158691/ Cisco Systems disclosed eight high-severity bugs impacting a range of its networking gear, including its switches and fiber storage solutions. Cisco's NX-OS was hardest hit, with six security alerts tied to the network operating system that underpins the networking giant's Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches. Patches are available for all vulnerabilities, according to a Cisco Security Advisory posted on Wednesday. In addition to the eight patched high-severity bugs, Cisco also fixed a flaw (CVE-2020-3504) listed as medium severity that impacts the Cisco Unified Computing System management software.

Emotet Update increases Downloads

www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/ The Hornetsecurity Security Lab observed a 1000 % increase in downloads of the Emotet loader. The increase in Emotet loader downloads correlates with Emotet's packer change, which causes the Emotet loader to be detected less by AV software. Our gathered data suggests that the increase in Emotet loader downloads stems from the loader being detected less, and thus the Emotet loader download URLs also being blocked less by security mechanisms. Our data, however, also suggests that AV vendors are already closing the detection gap, so detection of the Emotet loader should increase again and the number of downloads decrease again.

RATs and Spam: The Node.JS QRAT

www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/ The Qua or Quaverse Remote Access Trojan (QRAT) is a Java-based RAT that can be used to gain complete control over a system. Introduced in 2015, QRAT was marketed as an undetectable Java RAT and is offered under the software-as-a-service model. Just after its original debut, we blogged about QRATs being spammed. As shown in Figure 1, the functionality of the spammed QRATs can be extended through the

Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites

www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/ More and more ransomware gangs are now operating sites where they leak sensitive data from victims who refuse to pay the ransom demand. It has become a mainstream tactic for big ransomware groups to create so-called "leak sites" where they upload and leak sensitive documents from companies that refuse to pay the ransomware decryption fee. These "leak sites" are part of a new trend forming on the cybercriminal underground, where ransomware groups are adopting a tactic called "double extortion."
