Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-28

Is China the World’s Greatest Cyber Power?

www.darkreading.com/threat-intelligence/is-china-the-worlds-greatest-cyber-power/d/d-id/1338778 The nation’s aggressive approach to using cyber operations to achieve political and national aims has set its cyber strategy apart from the more cautious and considered approaches of most other nations. Attackers linked to China have vacuumed up personally identifiable information on US and European citizens, stolen trade secrets and intellectual property, and exfiltrated classified information from government agencies, all without much political impact to the Chinese government. PDF:

wow.intsights.com/rs/071-ZWD-900/images/Dark%20Side%20of%20China.pdf

Russian tourist offered employee $1 million to cripple Tesla with malware

arstechnica.com/information-technology/2020/08/russian-tourist-offered-employee-1-million-to-cripple-tesla-with-malware/ Tesla’s Nevada Gigafactory was the target of a concerted plot to cripple the company’s network with malware, CEO Elon Musk confirmed on Thursday afternoon. The plan’s outline was divulged on Tuesday in a criminal complaint that accused a Russian man of offering $1 million to the employee of a Nevada company, identified only as “Company A, ” in exchange for the employee infecting the company’s network. The employee reported the offer to Tesla and later worked with the FBI in a sting that involved him covertly recording face-to-face meetings discussing the proposal.

The Kittens Are Back in Town 3

www.clearskysec.com/the-kittens-are-back-in-town-3/ During 2017-2019, Clearsky had published several reports about the Iranian APT group “Charming Kitten”. One of the group’s most common attack vectors is impersonating journalists, particularly those from the German “Deutsche Welle” broadcasting company and the “Jewish Journal” magazine. Starting July 2020, we have identified a new TTP of the group, impersonating “Deutsche Welle” and the “Jewish Journal” using emails alongside WhatsApp messages as their main platform to approach the target and convince them to open a malicious link. Full report (PDF):

www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf

Näin Koronavilkku toimii: Sovelluksen avulla on tarkoitus katkaista tartuntaketjut pian sen voi ladata puhelimeen

www.is.fi/digitoday/mobiili/art-2000006616452.html Suomen koronatartuntojen seurantaan tarkoitettu Koronavilkku-sovellus saavutti merkittävän virstanpylvään, THL:n webinaarissa kerrottiin perjantaina. Sovellus sai Traficomin alaiselta Kyberturvallisuuskeskukselta (KTK) vihreää valoa läpikotaisen syynin jälkeen. Tässä on tehty hyvää työtä, Kyberturvallisuuskeskuksen johtava asiantuntija Juhani Eronen kiteytti. Erosen mukaan KTK hakkeroi sovellusta, tutki lähdekoodia ja ihan vain käytti sovellusta. Pyrkimyksenä oli asettua mahdollisen rikollisen saappaisiin. Projekti oli erikoinen ja ainutlaatuinen monessakin suhteessa, Eronen viittaa julkishallinnon tavoitteeseen tuottaa tällainen sovellus näin nopealla aikataululla.

Virus pääsi leviämään Satasairaalan koneilla

yle.fi/uutiset/3-11515127 Satasairaalan tietokoneisiin on levinnyt haittaohjelma torstaina iltapäivällä. Haittaohjelman saastuttamia koneita on parikymmentä. Haitallisten viestien aihe näyttää todelliselta, aiemmin lähetetyltä viestiltä, mutta tarkemmin katsottaessa viestin lähettäjä on eri kuin alkuperäinen, Satakunnan sairaanhoitopiirin tietohallintojohtaja Leena Ollonqvist kertoo. Potilastyö ei ole ollut vaarassa, koska sähköpostissa ja potilastyössä käytetyt tietokannat eivät ole yhteydessä. Ollonqvistin mukaan liitetiedoston leviäminen on saatu estettyä iltapäivän aikana.

Espoon nimissä on levitetty haittaohjelmia

yle.fi/uutiset/3-11516177 Kaupungin tai sen työntekijöiden nimissä on levitetty haittaohjelmia sähköpostiviestien välityksellä. Tiedotteen mukaan Espoon tietojärjestelmiin ei ole murtauduttu, vaan viestit on lähetetty väärentämällä lähettäjänimi.

Example of Malicious DLL Injected in PowerShell

isc.sans.edu/forums/diary/Example+of+Malicious+DLL+Injected+in+PowerShell/26512/ For a while, PowerShell remains one of the favorite languages for attackers. Installed by default (and almost impossible to get rid of it), powerful, perfectly integrated with the core operating system. It’s very easy to develop specific PowerShell functions that will provide interesting features for an attacker but, if written in PowerShell, they could easily ring a bell for the defenders (example: by using many suspicious API calls). Another technique to expand the language with more functions is just to load a DLL! I found a sample that exfiltrates data from the victim’s computer.

350 million decrypted email addresses left exposed on an unsecured server

securityaffairs.co/wordpress/107604/data-breach/email-addresses-data-leak.html Experts found an unsecured data bucket containing seven gigabytes worth of unencrypted files that include 350, 000, 000 strings of unique email addresses. The timeline of uploads might indicate that these emails have been either stolen or acquired on the black market back in October 2018, and then gradually decrypted by the owner of the bucket. The unsecured bucket was located in the US and hosted on an Amazon S3 server that has been exposed for what seems to be at least an 18-month period.

DDoS extortion campaign targets financial firms, retailers

www.welivesecurity.com/2020/08/27/ddos-extortion-campaign-targets-financial-firms-retailers/ Over the last few weeks, a cybercrime group has been extorting various organizations all over the world by threatening to launch distributed denial-of-service (DDoS) attacks against them unless they pay thousands of dollars in Bitcoin. According to ZDNet, the group is also behind a string of attacks against MoneyGram, YesBank, Braintree, Venmo, and most recently also the New Zealand stock exchange, which has been forced to stop its trading for three days running.

Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning

www.microsoft.com/security/blog/2020/08/27/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning/ When attackers successfully breach a target network, their typical next step is to perform reconnaissance of the network, elevate their privileges, and move laterally to reach specific machines or spread as widely as possible. For these activities, attackers often probe the affected network’s Active Directory, which manages domain authentication and permissions for resources.

Deep Analysis of TeamTNT Techniques Using Container Images to Attack

blog.aquasec.com/container-security-tnt-container-attack Ever notice how news about hidden malware almost always focuses on remediation AFTER the fact? So did we. Even now, there’s yet another news story about a rash of attacks by a group called TeamTNT. They used a crypto-mining worm to steal AWS credentials from Docker Hub. Well, if hijacking cloud resources is so popular, it’s time to make finding threats BEFORE the attack just as fashionable. Our investigation determined that dynamic analysis could have saved some overworked security teams a lot of time and aggravation if these images were detected and removed from Docker Hub before being deployed in much the same way it helps security teams with their private registries.

We hacked 28, 000 unsecured printers to raise awareness of printer security issues

cybernews.com/security/we-hacked-28000-unsecured-printers-to-raise-awareness-of-printer-security-issues/ Cybersecurity experts at CyberNews hijacked close to 28, 000 unsecured printers worldwide and forced them to print out a guide on printer security

Fake Android notifications first Google, then Microsoft affected

nakedsecurity.sophos.com/2020/08/28/fake-android-notifications-first-google-then-microsoft-affected/ If you’re a Google Android user, you may have been pestered over the past week by popup notifications that you didn’t expect and certainly didn’t want. The first mainstream victim seems to have been Google’s own Hangouts app.

Sendgrid Under Siege from Hacked Accounts

krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/ Email service provider Sendgrid is grappling with an unusually large number of customer accounts whose passwords have been cracked, sold to spammers, and abused for sending phishing and email malware attacks. Sendgrid’s parent company Twilio says it is working on a plan to require multi-factor authentication for all of its customers, but that solution may not come fast enough for organizations having trouble dealing with the fallout in the meantime.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.