Daily NCSC-FI news followup 2020-09-23

Phishers spoof reliable cybersecurity training company to garner clicks

blog.malwarebytes.com/scams/2020/09/phishers-spoof-reliable-cybersecurity-training-company-to-garner-clicks/ It happens to the best of us. And, indeed, no adage is better suited to a phishing campaign that recently made headlines. Fraudsters used the brand, KnowBe4a trusted cybersecurity company that offers security awareness training for organizationsto gain recipients trust, their Microsoft Outlook credentials, and other personally identifiable information (PII). This is according to findings from our friends at Cofense Intelligence, who did a comprehensive analysis of the campaign, and of course, KnowBe4, who first reported about it.

Looking for sophisticated malware in IoT devices

securelist.com/looking-for-sophisticated-malware-in-iot-devices/98530/ Smart watches, smart home devices and even smart cars as more and more connected devices join the IoT ecosystem, the importance of ensuring their security becomes patently obvious. Its widely known that the smart devices which are now inseparable parts of our lives are not very secure against cyberattacks. Malware targeting IoT devices has been around for more than a decade. Hydra, the first known router malware that operated automatically. appeared in 2008 in the form of an open-source tool. Hydra was an open-source prototype of router malware. Soon after Hydra, in-the-wild malware was also found targeting network devices. Since then, different botnet families have emerged and become widespread, including families such as Mirai, Hajime and Gafgyt.

A Recipe for Reducing Medical Device Internet of Things Risk

securityintelligence.com/posts/big-data-in-healthcare-reducing-risk-internet-of-medical-things/ You may recall this blog post from March 2020. It highlighted the importance of factoring in clinical, organizational, financial and regulatory impact when determining which medical Internet-of-Things (IoMT) security vulnerabilities should be fixed first. Consider this post a part two. Whereas the previous post focused on the fact that IoMT devices are here to stay and finding and prioritizing vulnerabilities based on impact cannot be overlooked, this post highlights an up and coming security challenge.

New tool helps companies assess why employees click on phishing emails

www.welivesecurity.com/2020/09/22/new-tool-helps-companies-assess-why-employees-click-phishing-emails/ Researchers at the US National Institute of Standards and Technology (NIST) have devised a new method that could be used to accurately assess why employees click on certain phishing emails. The tool, dubbed Phish Scale, uses real data to evaluate the complexity and quality of phishing attacks to help organizations comprehend where their (human) vulnerabilities lie. Heres a quick refresher: in its simplest form, phishing is an unsolicited email or any other form of electronic communication where cybercriminals impersonate a trusted organization and attempt to pilfer your data.

Zerologon Vulnerability: Analysis and Detection Tools

www.cynet.com/zerologon In September 2020 Secura published an article disclosing a vulnerability in Windows Server (all known versions) Netlogon Remote Protocol. This vulnerability is known as CVE-2020-1472 or more commonly, Zerologon.. Due to the magnitude and potential impact of this vulnerability, Cynet decided to release two detection mechanisms for the wide community that provide visibility for exploits for Zerologon vulnerability. First is a YARA rule which can be used to scan memory dumps of lsass.exe. The rule will alert upon detection of Mimikatz or other Zerologon exploits. Second is an executable file, Cynet.ZerologonDetector.exe which detects spikes in network traffic of lsass.exe from a given IP.

A New Hacking Group Hitting Russian Companies With Ransomware

thehackernews.com/2020/09/russian-ransomware-hack.html As ransomware attacks against critical infrastructure continue to spike in recent months, cybersecurity researchers have uncovered a new entrant that has been actively trying to conduct multistage attacks on large corporate networks of medical labs, banks, manufacturers, and software developers in Russia. The ransomware gang, codenamed “OldGremlin” and believed to be a Russian-speaking threat actor, has been linked to a series of campaigns at least since March, including a successful attack against a clinical diagnostics laboratory that occurred last month on August 11.. Also:

threatpost.com/oldgremlin-russian-ransomware/159479/.

www.zdnet.com/article/ransomware-gang-targets-russian-businesses-in-rare-coordinated-attacks/.

www.bleepingcomputer.com/news/security/new-ransomware-actor-oldgremlin-uses-custom-malware-to-hit-top-orgs/

Malicious Word Document with Dynamic Content

isc.sans.edu/forums/diary/Malicious+Word+Document+with+Dynamic+Content/26590/ Here is another malicious Word document that I spotted while hunting. “Another one?” may ask some of our readers. Indeed but malicious documents remain a very common infection vector and you learn a lot when you analyze them. I was recently asked to talk about Powershell (de)obfuscation techniques. When you’re dealing with an incident in a corporate environment, you don’t have time to investigate in deep. . The incident must be resolved as soon as possible because the business must go on and a classic sandbox analysis is performed to get the feedback: It’s malicious or not.

Shopify discloses security incident caused by two rogue employees

www.zdnet.com/article/shopify-discloses-security-incident-caused-by-two-rogue-employees/ Online e-commerce giant Shopify is working with the FBI and other law enforcement agencies to investigate a security breach caused by two rogue employees. The company said two members of its support team accessed and tried to obtain customer transaction details from Shopify shop owners (merchants). Shopify estimated the number of stores that might be affected by the employees’ actions at less than 200. The company boasted more than one million registered merchants in its latest quarterly filings.. Also:

www.bleepingcomputer.com/news/security/shopify-data-breach-illustrates-the-danger-of-insider-threats/

Miksi suomalaisia piinaavia Windows-huijaussoittoja ei voi vain estää? Asiantuntija vastaa

www.tivi.fi/uutiset/tv/f61c962f-6771-4e3f-903c-6b626bdee7ad Suomalaiset ovat saaneet tänä vuonna riesakseen ennen kokemattoman huijauspuhelujen aallon. Englantia puhuvat huijarit esiintyvät Microsoftin teknisen tuen edustajina. He ilmoittavat, että vastaajan Windows-tietokoneessa on ongelma ja tarjoavat apua. Todellisuudessa ongelmaa ei ole ja soittaja yrittää huijata puhelun vastaajan antamaan hänelle etäyhteyden koneelle tai maksamaan hänelle rahaa avusta.

AgeLocker ransomware targets QNAP NAS devices, steals data

www.bleepingcomputer.com/news/security/agelocker-ransomware-targets-qnap-nas-devices-steals-data/ QNAP NAS devices are being targeted in attacks by the AgeLocker ransomware, which encrypts the device’s data, and in some cases, steal files from the victim. AgeLocker is ransomware that utilizes an encryption algorithm called Age (Actually Good Encryption) designed to replace GPG for encrypting files, backups, and streams. In July 2020, we reported about a new ransomware called AgeLocker that was utilizing this algorithm to encrypt victims’ files.

As you’re scrambling to patch the scary ZeroLogon hole in Windows Server, don’t forget Samba it’s also affected

www.theregister.com/2020/09/22/samba_zerologon_patch/ Administrators running Samba as their domain controllers should update their installations as the open-source software suffers from the same ZeroLogon hole as Microsoft’s Windows Server. An alert from the project has confirmed that its code, in certain configurations, is also vulnerable to the CVE-2020-1472 bug, which can be exploited to gain domain-level administrator access.

2020: Q2 Threat Report

www.rapid7.com/research/report/2020Q2-threat-report/ When security teams, managers, and leaders have limited time and budget, prioritizing investments to achieve the greatest impact and reduction in risk becomes paramount. Threat reports, such as this one, help security and business professionals alike get a high-level view of the threats they face and how organizations are dealing with them. Our quarterly Threat Report is typically structured to look at threats from both a cause and effect perspective. The Focus on Telemetry section delivers analysis on the risk and prevalence of threats, while the Focus on Detections section delivers analysis on those affected and the impact of threats.

India’s Cybercrime and APT Operations on the Rise

www.darkreading.com/threat-intelligence/indias-cybercrime-and-apt-operations-on-the-rise/d/d-id/1338999 Growing geopolitical tensions with China in particular are fueling an increase in cyberattacks between the two nations, according to IntSights. A combination of economic, political, and social factors is driving an increase in cyber threat activity out of India. Much of the activity involves scams, online extortion schemes, hacktivist campaigns, and the sale of narcotics and other illicit goods online. But also operating out of the country is a handful of relatively sophisticated advanced persistent threat actors and hacker-for-hire groups that have targeted organizations in multiple countries in recent years, according to a new report from IntSights.

Hackers sell access to your network via remote management apps

www.bleepingcomputer.com/news/security/hackers-sell-access-to-your-network-via-remote-management-apps/ Remote monitoring and management (RMM) software is starting to get attention from hackers as these types of tools provide access to multiple machines across the network. At least one network access broker has been advertising access to networks of organizations in various regions of the world that use the ManageEngine Desktop Central from Zoho to manage their Windows, Linux, and Mac systems. Some of the breached companies are attractive targets for ransomware operators, who may already have jumped at the opportunity.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.