Daily NCSC-FI news followup 2020-09-02

Finnish company finds a serious security hole in the WordPress publishing platform

yle.fi/uutiset/3-11524279 The Finnish company Seravo has found a significant security vulnerability in the WordPress publishing platform. The vulnerability affects more than 700,000 sites worldwide. An update that patches the vulnerability has already been released, and Seravo urges all users of the platform to install it immediately.

Afraid of Koronavilkku? In the spring, professional hacker Benjamin Särkkä said he would not install the coronavirus app – 5 reasons why he has now changed his mind

yle.fi/uutiset/3-11523504 “Many flashlight apps require more permissions than Koronavilkku,” says a security expert.

Police warn of scam attempts – do not give out bank credentials or personal data over the phone or by email

www.poliisi.fi/tietoa_poliisista/tiedotteet/1/1/poliisi_varoittaa_huijausyrityksista_-_ala_anna_pankkitunnus-_tai_henkilotietoja_puhelimessa_tai_sahkopostissa_93057 During this week, the Southeastern Finland police have received three criminal reports from the South Karelia region in which a caller posing as a police officer asked for banking details over the phone. The calls came from an unknown number and the caller spoke Finnish. The police want to remind the public that anyone who has been scammed should contact both their own bank branch and the police as quickly as possible. Acting fast makes it possible to stop the money from being transferred to the criminal's account.

After FBI tip, Facebook says it uncovered Russian meddling

edition.cnn.com/2020/09/01/tech/russian-troll-group-facebook-campaign/ The disrupted operation used fake personas including realistic-looking computer-generated photos of people, a network of Facebook accounts and pages that had only a small amount of engagement and influence at the time it was taken down, and a website that was set up to look and operate like a left-wing news outlet.

Companies continue to expose unsafe network services to the internet

www.helpnetsecurity.com/2020/09/02/companies-continue-to-expose-unsafe-network-services-to-the-internet/ 33% of companies within the digital supply chain expose common network services such as data storage, remote access and network administration to the internet, according to RiskRecon. In addition, organizations that expose unsafe services to the internet also exhibit more critical security findings. The research is based on an assessment of millions of internet-facing systems across approximately 40,000 commercial and public institutions. The data was analyzed in two strategic ways: the direct proportion of internet-facing hosts running unsafe services, and the percentage of companies that expose unsafe services somewhere across their infrastructure.

Machine learning from idea to reality: a PowerShell case study

blog.fox-it.com/2020/09/02/machine-learning-from-idea-to-reality-a-powershell-case-study/ This blog provides a look behind the scenes at the RIFT Data Science team and describes the process of moving from the need for, or an idea for, research towards models that can be used in practice. More specifically, it shows how known and unknown PowerShell threats can be detected using Windows event log event 4104 (script block logging). In this case study it is shown how research into detecting offensive (with the term ‘offensive’ used in the context of ‘offensive security’) and obfuscated PowerShell scripts led to models that can be used in a real-time environment.

Operation PowerFall: CVE-2020-0986 and variants

securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/ In August 2020, we published a blog post about Operation PowerFall. This targeted attack consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege exploit targeting the latest builds of Windows 10. While we already described the exploit for Internet Explorer in the original blog post, we also promised to share more details about the elevation of privilege exploit in a follow-up post. Let’s take a look at vulnerability CVE-2020-0986, how it was exploited by attackers, how it was fixed and what additional mitigations were implemented to complicate exploitation of many other similar vulnerabilities.

Chinese APT Debuts Sepulcher Malware in Spear-Phishing Attacks

threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/ A Chinese APT has been sending organizations spear-phishing emails that distribute a never-before-seen intelligence-collecting RAT dubbed Sepulcher. Researchers discovered the new malware being distributed over the past six months through two separate campaigns. The first, in March, targeted European diplomatic and legislative bodies, non-profit policy research organizations and global organizations dealing with economic affairs. The second, in July, targeted Tibetan dissidents. They tied the campaigns to APT group TA413, which researchers say has been associated with Chinese state interests and is known for targeting the Tibetan community.

WellMess malware: analysis of its Command and Control (C2) server

www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html The NCSC has publicly attributed WellMess to the threat actor we track as Blue Kitsune (a.k.a. APT29). Although we cannot definitively tie the WellMess malware to a particular threat actor based on current information, the WellMess backdoor does share some design similarities with a previous Blue Kitsune tool called Seaduke.


www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4 This blog entry announces the release of an exhaustive analysis of ComRAT v4.

KryptoCibule: The multitasking multicurrency cryptostealer

www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/ ESET researchers have uncovered a hitherto undocumented malware family that we named KryptoCibule. This malware is a triple threat in regard to cryptocurrencies. It uses the victim’s resources to mine coins, tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its communication infrastructure.

Cloud firewall management API SNAFU put 500k SonicWall customers at risk

www.pentestpartners.com/security-blog/cloud-firewall-management-api-snafu-put-500k-sonicwall-customers-at-risk/ I found a security issue so serious that we then spent £££ on our own SonicWall products in order to independently validate the issue, to be certain it wasn’t just our client that was affected. What I discovered was a trivial method to compromise every single cloud managed device attached to mysonicwall.com, affecting around 1.9 million user groups across hundreds of thousands of organisations. At least 10 million individual devices were affected. Disclosure was initially very positive, then went rapidly downhill as SonicWall procrastinated with a fix and refused to take down the vulnerable functionality in the meantime, knowingly leaving their customers exposed for a full 17 days.

AlphaBay Market: Dark Web Moderator Receives 11 Years Imprisonment

darkweblink.com/alphabay-moderator-sentenced/ An AlphaBay moderator who was responsible for moderating content on the now-defunct darknet market AlphaBay has been sentenced to imprisonment until 2031. According to the statement released by the Department of Justice (DOJ) on 1 September 2020, the AlphaBay moderator Bryan Connor Herrell (26 years of age) was sentenced to 11 years (132 months) in prison for conspiracy to engage in a racketeer influenced corrupt organization, on account of the role he played as an AlphaBay moderator. AlphaBay was one of the largest darknet marketplaces, selling credit card data, guns and other illicit items in exchange for cryptocurrency.

Inter: The Magecart Skimming Tool Now on More than 1,500 Sites

www.riskiq.com/blog/external-threat-management/inter-skimmer/ Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes. However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of today’s most common and widely used digital skimming solutions globally. It has been involved in some of the most high-profile Magecart attacks to date, most notably Group 7’s breach of the NutriBullet website. RiskIQ has identified more than 1,500 sites compromised by the Inter skimmer, but the data theft tool is still misunderstood by those tasked with defending their organization against it. To demystify Inter, RiskIQ tapped its body of research into Magecart and its dozens of groups, open-source intelligence (OSINT), and its global internet telemetry.

Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws

threatpost.com/magento-sites-vulnerable-to-rce-stemming-from-magmi-plugin-flaws/158864/ Researchers have disclosed two flaws that could enable remote code execution attacks on the Magento Mass Import (Magmi) plugin, an open source database client that imports data into Magento.

Using assert() to Execute Malware in PHP 7 Environments

blog.sucuri.net/2020/09/using-assert-to-execute-malware-php-7.html During a recent investigation, our team stumbled across some malicious code which is used to inject a .user.ini file into a PHP 7 environment and add zend.assertions = 1. Once this injection is accomplished, bad actors can leverage PHP’s assert() function to execute any malicious code they like.
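A defender-side check for the pattern Sucuri describes: a scanner that walks a PHP web root, flags .user.ini or php.ini files that switch assertions on, and flags PHP sources that call assert() with a non-literal argument. This is an added example, not Sucuri's code; file names and sample content are constructed.

```python
"""Scan a PHP web root for the .user.ini / assert() abuse pattern.
Added example (not Sucuri's code); sample files and paths are constructed."""
import re
from pathlib import Path

# INI directives that enable assert() evaluation in PHP 7. The post describes an injected
# .user.ini setting zend.assertions = 1; assert.active is the companion switch.
INI_DIRECTIVE_RE = re.compile(
    r"^\s*(zend\.assertions|assert\.active)\s*=\s*([^\s;]+)", re.I | re.M)
# assert() whose argument is anything but a bare boolean/numeric literal is a code
# evaluation sink once assertions are on (string arguments are evaluated in PHP 7).
PHP_ASSERT_RE = re.compile(r"\bassert\s*\((?!\s*(?:true\b|false\b|\d))", re.I)


def scan_ini(text: str) -> list[str]:
    """Return directives in an INI text that switch assertions on ('1', 'on', 'true')."""
    hits = []
    for name, value in INI_DIRECTIVE_RE.findall(text):
        if value.strip("\"'").lower() in ("1", "on", "true"):
            hits.append(f"{name.lower()}={value}")
    return hits


def scan_php_source(text: str) -> bool:
    """True if the PHP source calls assert() with a non-literal argument."""
    return PHP_ASSERT_RE.search(text) is not None


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a web root and map each suspicious file (relative path) to its findings."""
    findings: dict[str, list[str]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        if path.name in (".user.ini", "php.ini"):
            hits = scan_ini(text)
        elif path.suffix.lower() in (".php", ".phtml", ".inc"):
            hits = ["assert() with non-literal argument"] if scan_php_source(text) else []
        else:
            continue
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # constructed sample web root
        (Path(root) / ".user.ini").write_text("zend.assertions = 1\n")
        (Path(root) / "index.php").write_text("<?php assert($_REQUEST['c']); ?>")
        print(scan_tree(root))
```

A clean production configuration sets zend.assertions = -1 and keeps assert() out of request-handling code entirely, so any hit from this scanner deserves a look at who wrote the file and when.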

Android security: Six more apps containing Joker malware removed from the Google Play Store

www.zdnet.com/article/android-security-six-more-apps-containing-joker-malware-removed-from-the-google-play-store/ Cybersecurity researchers have unmasked six applications on the Google Play store with a combined total of over 200,000 downloads in yet another example of the highly persistent malware that has been plaguing Android users for the past three years. Joker malware pretends to be a legitimate app in the Play Store but after installation conducts billing fraud by either sending SMS messages to a premium rate number or using the victim’s account to repeatedly make purchases using WAP billing, which also lines the pockets of Joker’s operators.

Announcing new reward amounts for abuse risk researchers

security.googleblog.com/2020/09/announcing-new-reward-amounts-for-abuse.html Thanks to your work, we have identified more than 750 previously unknown product abuse risks, preventing abuse in Google products and protecting our users. Collaboration to address abuse is important, and we are committed to supporting research on this growing challenge. To take it one step further, and as of today, we are announcing increased reward amounts for reports focusing on potential attacks in the product abuse space.

Gartner expects more CEOs to be personally liable for cyber-physical security incidents

www.zdnet.com/article/gartner-expects-more-ceos-to-be-personally-liable-for-cyber-physical-security-incidents/ The liability for failing to protect systems from cyber incidents will fall directly onto many CEOs by 2024, Gartner is predicting. “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” research vice president at Gartner Katell Thielemann said.
