
Daily NCSC-FI news followup 2020-09-01

Large-scale cyber attack carried out against the Norwegian parliament

yle.fi/uutiset/3-11522222 The email accounts of some members of parliament and employees of the Storting have been broken into. "We take the matter very seriously and are analysing the situation to get a picture of the incident and the extent of the damage," says Marianne Andreassen, head of the Storting's administration. also:

www.stortinget.no/no/Hva-skjer-pa-Stortinget/Nyhetsarkiv/Pressemeldingsarkiv/2019-2020/it-angrep-mot-stortinget/. also:

www.zdnet.com/article/norwegian-parliament-discloses-cyber-attack-on-internal-email-system/

Cisco says it will issue patch ‘as soon as possible’ for bugs hackers are trying to exploit

www.cyberscoop.com/cisco-ios-xr-vulnerabilities-patch/ It’s unclear who is attempting to exploit the vulnerability. With the advisory out, cybersecurity incident responders will be watching for any additional hacking. Justin Elze, a principal security consultant at security company TrustedSec, pointed out that in order for the vulnerability to be exploited, a protocol known as IGMP needs to be enabled. That protocol is less common in enterprise networks and tends to be used by cable TV networks to do video streaming, he said.

Iranian hackers are selling access to compromised companies on an underground forum

www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum/ The Iranian hacker group that has been attacking corporate VPNs for months is now trying to monetize some of the hacked systems by selling access to some networks to other hackers. CrowdStrike believes the group is merely trying to diversify its revenue stream and monetize networks that have no intelligence value for Iranian intelligence services. also:

www.crowdstrike.com/blog/who-is-pioneer-kitten/

The Life Cycle of a Compromised (Cloud) Server

blog.trendmicro.com/the-lifecycle-of-a-compromised-cloud-server/ Trend Micro Research has developed a go-to resource for all things related to cybercriminal underground hosting and infrastructure. Today we released the second in this three-part series of reports which detail the what, how, and why of cybercriminal hosting (see the first part here). As part of this report, we dive into the common life cycle of a compromised server from initial compromise to the different stages of monetization preferred by criminals. It’s also important to note that regardless of whether a company’s server is on-premise or cloud-based, criminals don’t care what kind of server they compromise. To a criminal, any server that is exposed or vulnerable is fair game.

Quarterly Report: Incident Response trends in Summer 2020

blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html For the fifth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. Infections involved a wide variety of malware families including Ryuk, Maze, LockBit, and Netwalker, among others. In a continuation of trends observed in last quarter’s report, these ransomware attacks have relied much less on commodity trojans such as Emotet and Trickbot. Interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans. We continued to see ransomware actors engage in data exfiltration and even observed the new cartel formed by Maze and other ransomware operations in action.

Technical Approaches to Uncovering and Remediating Malicious Activity

us-cert.cisa.gov/ncas/alerts/aa20-245a This joint advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. It highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.

Exposed Windows Domain Controllers Used in CLDAP DDoS Attacks

isc.sans.edu/forums/diary/Exposed+Windows+Domain+Controllers+Used+in+CLDAP+DDoS+Attacks/26526/ LDAP, like many UDP-based protocols, has the ability to send responses that are larger than the request. With UDP not requiring any handshake before data is sent, these protocols make ideal amplifiers for reflective distributed denial of service attacks. Most commonly, these attacks abuse DNS, and we have talked about this in the past. But LDAP is another protocol that is often abused. Some of our honeypots have been seeing a small number of the reflected packets from these attacks. In investigating them, we noticed that many of them appear to come from exposed Windows domain controllers. Windows domain controllers do use LDAP for Active Directory and support connectionless LDAP (CLDAP) out of the box. CLDAP is part of the issue here as it supports UDP. So what should you do? I do not know of a good reason to allow clear text LDAP (port 389, not LDAP over TLS) across your perimeter. Close that port!
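As an added illustration (not part of the ISC diary), a small Python check that scans flow records for domain controllers answering UDP/389 to external sources with an amplified reply, which is exactly the reflector behaviour described above; the internal address range, the flow tuple format and the sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the organisation's own address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow records, not real telemetry:
# (src_ip, dst_ip, proto, dst_port, request_bytes, response_bytes)
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.0.2.5", "udp", 389, 52, 3000),  # external (spoofed) source -> DC
    ("203.0.113.10", "192.0.2.5", "udp", 389, 52, 3000),
    ("198.51.100.7", "192.0.2.5", "udp", 389, 52, 2900),
    ("192.0.2.20", "192.0.2.5", "tcp", 389, 400, 1200),   # internal LDAP over TCP: ignored
    ("192.0.2.21", "192.0.2.5", "udp", 389, 60, 80),      # internal CLDAP ping: ignored
    ("203.0.113.99", "192.0.2.6", "udp", 389, 52, 0),     # filtered DC, no reply: ignored
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_cldap_reflectors(flows, min_ratio=10.0):
    """Return {dc_ip: {"external_sources": n, "max_amplification": ratio}} for hosts
    that answered UDP/389 queries from outside the perimeter with an amplified reply."""
    stats = defaultdict(lambda: {"external_sources": set(), "max_amplification": 0.0})
    for src, dst, proto, dport, req_bytes, resp_bytes in flows:
        if proto != "udp" or dport != 389 or is_internal(src):
            continue  # only CLDAP answered across the perimeter matters here
        if req_bytes == 0 or resp_bytes == 0:
            continue  # no reply means nothing was reflected
        ratio = resp_bytes / req_bytes
        if ratio < min_ratio:
            continue
        entry = stats[dst]
        entry["external_sources"].add(src)
        entry["max_amplification"] = max(entry["max_amplification"], ratio)
    return {
        dc: {"external_sources": len(e["external_sources"]),
             "max_amplification": round(e["max_amplification"], 1)}
        for dc, e in stats.items()
    }


if __name__ == "__main__":
    for dc, info in find_cldap_reflectors(SAMPLE_FLOWS).items():
        print(f"{dc}: {info['external_sources']} external source(s), up to "
              f"{info['max_amplification']}x amplification; block UDP/389 at the perimeter")
```

Any host the check reports is answering clear-text CLDAP to the internet and should have UDP/389 filtered at the perimeter, as the diary recommends.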

Phishing gangs mounting high-ticket BEC attacks, average loss now $80,000

www.helpnetsecurity.com/2020/09/01/high-ticket-bec-attacks/ Companies are losing money to criminals who are launching Business Email Compromise (BEC) attacks as a more remunerative line of business than retail-accounts phishing, APWG reveals. Abuse of web security infrastructure reached a grim new plateau in Q2 2020, as well, with PhishLabs reporting that nearly 78 percent of all phishing websites employ SSL/TLS certificates as part of the deceptive schemes they use to lure in users and gain their confidence.

UK man arrives to face charges in US after alleged $2 million email scam

www.cyberscoop.com/uk-nigeria-man-extradited-money-laundering-busniess-email-compromise/ A man charged as part of a business email compromise money laundering scheme that allegedly defrauded victims out of $2 million over the course of at least six years is set to face a judge in U.S. court in the Southern District of New York. The man, Habeeb Audu, who is a dual citizen of Nigeria and the U.K., was extradited from London last week for his alleged involvement in multiple money laundering and fraud scams, some of which leveraged information stolen during previous business email compromises, according to the U.S. Department of Justice.

Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers

unit42.paloaltonetworks.com/cybersquatting/ Cybercriminals take advantage of the essential role that domain names play on the internet by registering names that appear related to existing domains or brands, with the intent of profiting from user mistakes. This is known as cybersquatting.

Apple's strict screening failed: the "first" malware got onto Macs

www.tivi.fi/uutiset/tv/a8251213-cffa-4736-85f9-e554ea628d1a Apple accidentally approved into its App Store a piece of malware disguised as an Adobe Flash Player update, TechCrunch reports. The malware was thus able to do its damage on Mac computers.

Gozi: The Malware with a Thousand Faces

research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/ Most of the time, the relationship between cybercrime campaigns and malware strains is simple. Some malware strains, like the gone-but-not-forgotten GandCrab, are intimately tied to a single actor, who is using the malware directly or distributing it via an affiliate program. Other strains, like the open-source Quasar RAT, are “public domain” malware; they’ve remained the same for so long and been used as a Lego piece so repeatedly that it’d be a fundamental error to try and attribute them to an actor, a campaign, a victim or a time-frame. Some strains of malware fall into a gray area. There is no single actor in control of the malicious codebase or the binaries, but there is no universal proliferation of the malware as a standard tool, either. In this article we’ll make sense out of one of the worst offenders in the category of divergent evolution malware: Gozi.

New web skimmer steals credit card data, sends to crooks via Telegram

blog.malwarebytes.com/web-threats/2020/09/web-skimmer-steals-credit-card-data-via-telegram/ Attackers have used Telegram to exfiltrate data before, for example via traditional Trojan horses, such as the Masad stealer. However, security researcher @AffableKraut shared the first publicly documented instance of a credit card skimmer used in Telegram in a Twitter thread. For threat actors, this data exfiltration mechanism is efficient and doesn’t require them to keep up infrastructure that could be taken down or blocked by defenders. They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets.

DLL Fixer leads to Cyrat Ransomware

www.gdatasoftware.com/blog/cyrat-ransomware A new ransomware uses an unusual symmetric encryption method named “Fernet”. It is Python based and appends .CYRAT to encrypted files. As is often the case with brand new malware discoveries, this sample is buggy and not yet ready to infect any system because it crashes in its current state. However, the threat actor’s reply shows they are active and might have already published versions that work. It’s usually just a matter of time until those flaws are fixed. The problematic choice of the Fernet encryption method may take its toll on systems while they try to encrypt gigabyte-sized files in RAM all at once. Some parts of the code show an intention of also infecting Darwin and Linux systems, which may be added later on. Unfortunately, there is currently no known way to decrypt files without the key.

Facebook and Google drop plans for underwater cable to Hong Kong after security warnings

www.zdnet.com/article/facebook-and-google-drop-plans-for-underwater-cable-to-hong-kong-after-security-warnings/ The Pacific Light Cable Network (PLCN), an ambitious underwater data cable project partly owned by Facebook and Google, won’t be connecting Los Angeles to Hong Kong after all. The FCC warned that linking Los Angeles to Hong Kong could harm national security.

Is Your Boardroom The Weakest Cybersecurity Link?

www.forbes.com/sites/bobzukis/2020/09/01/is-your-boardroom-the-weakest-cybersecurity-link/ From phishing to ransomware, one of the primary challenges with effective cybersecurity risk management is related to the weakest link theory. The essence of this theory is the phrase “a chain is no stronger than its weakest link.” This idiom reflects the fact that effective cybersecurity risk management is a complex system of related and inter-dependent parts. If one component fails, it can jeopardize the entire system. For many companies, their weakest cybersecurity link is at the top, in their boardroom.
