Daily NCSC-FI news followup 2020-09-24

#InstaHack: how researchers were able to take over the Instagram App using a malicious image

blog.checkpoint.com/2020/09/24/instahack-how-researchers-were-able-to-take-over-the-instagram-app-using-a-malicious-image/ Instagram is one of the most popular social media platforms globally, with over 100+ million photos uploaded every day, and nearly 1 billion monthly active users. Individuals and companies share photos and messages about their lives and products to their followers globally. So imagine what could happen if a hacker was able to completely take over Instagram accounts, and access all the messages and photos in those accounts, post new photos or delete or manipulate existing photos. What could that do to a persons or companys reputation?

Govt. Services Firm Tyler Technologies Hit in Apparent Ransomware Attack

krebsonsecurity.com/2020/09/govt-services-firm-tyler-technologies-hit-in-apparent-ransomware-attack/ Tyler Technologies, a Texas-based company that bills itself as the largest provider of software and technology services to the United States public sector, is battling a network intrusion that has disrupted its operations. The company declined to discuss the exact cause of the disruption, but their response so far is straight out of the playbook for responding to ransomware incidents.

Sandbox in security: what is it, and how it relates to malware

blog.malwarebytes.com/awareness/2020/09/sandbox-in-security/ To better understand modern malware detection methods, its a good idea to look at sandboxes. In cybersecurity, the use of sandboxes has gained a lot of traction over the last decade or so. With the plethora of new malware coming our way every day, security researchers needed something to test new programs without investing too much of their precious time. Sandboxes provide ideal, secluded environments to screen certain malware types without giving that malware a chance to spread. Based on the observed behavior, the samples can then be classified as harmless, malicious, or needs a closer look.

Threat landscape for industrial automation systems. H1 2020 highlights

securelist.com/threat-landscape-for-industrial-automation-systems-h1-2020-highlights/98427/ Beginning in H2 2019 we have observed a tendency for decreases in the percentages of attacked computers, both in the ICS and in the corporate and personal environments. In H1 2020 the percentage of ICS computers on which malicious objects were blocked has decreased by 6.6 percentage points to 32.6%. The number was highest in Algeria (58.1%), and lowest in Switzerland (12.7%). Despite the overall tendency for the percentages of attacked computers to decrease, we did see the number grow in the Oil & Gas sector by 1.6 p.p. to 37.8% and by 1.9 p.p. to 39.9 % for computers used in building automation systems. These numbers are higher than the percentages around the world overall.

Fuzzing Image Parsing in Windows, Part One: Color Profiles

www.fireeye.com/blog/threat-research/2020/09/fuzzing-image-parsing-in-windows-color-profiles.html Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers. In this multi-part blog series, I am reviewing Windows OS built-in image parsers and related file formats: specifically looking at creating a harness, hunting for corpus and fuzzing to find vulnerabilities. In part one of this series I am looking at color profilesnot an image format itself, but something which is regularly embedded within images.

Analysis Report (AR20-268A) – Federal Agency Compromised by Malicious Cyber Actor

us-cert.cisa.gov/ncas/analysis-reports/ar20-268a The Cybersecurity and Infrastructure Security Agency (CISA) responded to a recent threat actors cyberattack on a federal agencys enterprise network. By leveraging compromised credentials, the cyber threat actor implanted sophisticated malwareincluding multi-stage malware that evaded the affected agencys anti-malware protectionand gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agencys firewall.

Party in Ibiza with PowerShell

isc.sans.edu/forums/diary/Party+in+Ibiza+with+PowerShell/26594/ Today, I would like to talk about PowerShell ISE or “Integration Scripting Environment”[1]. This tool is installed by default on all Windows computers (besides the classic PowerShell interpreter). From a malware analysis point of view, ISE offers a key feature: an interactive debugger!

Micropatch for Zerologon, the “perfect” Windows vulnerability (CVE-2020-1472)

blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html The Zerologon vulnerability allows an attacker with network access to a Windows Domain Controller to quickly and reliably take complete control of the Windows domain. As such, it is a perfect vulnerability for any attacker and a nightmare for defenders. It was discovered by Tom Tervoort, a security researcher at Secura and privately reported to Microsoft, which issued a patch for supported Windows versions as part of August 2020 updates and assigned it CVE-2020-1472.. The micropatch we wrote is logically identical to Microsoft’s fix. We injected it in function NetrServerAuthenticate3 in roughly the same place where Microsoft added the call to NlIsChallengeCredentialPairVulnerable, but since the latter doesn’t exist in old versions of netlogon.dll, we had to implement its logic in our patch.

Alien Android Banking Trojan Sidesteps 2FA

threatpost.com/alien-android-2fa/159517/ A newly uncovered banking trojan called Alien is invading Android devices worldwide, using an advanced ability to bypass two-factor authentication (2FA) security measures to steal victim credentials. Once it has infected a device, the RAT aims to steal passwords from at least 226 mobile applications including banking apps like Bank of America Mobile Banking and Capital One Mobile, as well as a slew of collaboration and social apps like Snapchat, Telegram and Microsoft Outlook.. Also:

www.zdnet.com/article/new-alien-malware-can-steal-passwords-from-226-android-apps/

Microsoft, Italy, and the Netherlands warn of increased Emotet activity

www.zdnet.com/article/microsoft-italy-and-the-netherlands-warn-of-increased-emotet-activity/ Two weeks after cyber-security agencies from France, Japan, and New Zealand published warnings about an uptick in Emotet activity, new alerts have been published this past week by agencies in Italy and the Netherlands, but also by Microsoft. These new warnings come as Emotet activity has continued to increase, dwarfing any other malware operation active today. “It has been very heavy for [Emotet] spam lately,” Joseph Roosen, a member of Cryptolaemus, a group of security researchers who track Emotet malware campaigns, told ZDNet during an interview today.

Erittäin kriittinen Windows-haava uhkaa nyt varoittaa Kyberturvallisuuskeskus: paikkaa heti

www.tivi.fi/uutiset/tv/aeb68634-2592-4790-9d16-7e187b5718ce Kirjoitimme aiemmin tällä viikolla Zerologon-hyökkäyksistä Windowsin turva-aukkoon. Haavoittuvuuden löytäneen turvallisuusyhtiön Securan mukaan sen hyödyntäminen vie “käytännössä noin kolme sekuntia” eikä vaadi hyökkääjältä lainkaan kirjautumista. yberturvallisuuskeskus kertoo nyt, että haavoittuvuuden hyödyntämiseen on julkaistu hyökkäystyökaluja. Haavoittuvuudelle julkaistiin korjaus Microsoftin elokuun päivityksissä, ja Kyberturvallisuuskeskus suosittelee välitöntä päivitysten asentamista. Lisäksi:

www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kriittisen-zerologon-haavoittuvuuden-aktiivinen-hyvaksikaytto-alkanut

One of this years most severe Windows bugs is now under active exploit

arstechnica.com/information-technology/2020/09/one-of-this-years-most-severe-windows-bugs-is-now-under-active-exploit/ One of the highest-impact Windows vulnerabilities patched this year is now under active exploitation by malicious hackers, Microsoft warned overnight, in a development that puts increasing pressure on laggards to update now. CVE-2020-1472, as the vulnerability is tracked, allows hackers to instantly take control of the Active Directory, a Windows server resource that acts as an all-powerful gatekeeper for all machines connected to a network. Also:

krebsonsecurity.com/2020/09/microsoft-attackers-exploiting-zerologon-windows-flaw/.

www.zdnet.com/article/microsoft-says-it-detected-active-attacks-leveraging-zerologon-vulnerability/.

www.bleepingcomputer.com/news/microsoft/microsoft-hackers-using-zerologon-exploits-in-attacks-patch-now/

ZeroLogon(CVE-2020-1472) – Attacking & Defending

blog.zsec.uk/zerologon-attacking-defending/ A handy walkthrough of CVE-2020-1472 from both a red and blue team perspective, how to detect, patch and hack ZeroLogon. You’re reading this already thinking, not another zerologon post, oh great… Stay tuned it’s a bit more than the normal posts, looking at it from the build break defend fix mentality. I’ve added a quick skip ToC if you want to skip to specific areas that interest you, or otherwise buckle up folks, it’s going to be a long ride!

Phishing attacks are targeting your social network accounts

www.bleepingcomputer.com/news/security/phishing-attacks-are-targeting-your-social-network-accounts/ Scammers are targeting your social network accounts with phishing emails that pretend to be copyright violations or promises of a shiny ‘blue checkmark’ next to your name. With social networks such as Twitter, Facebook, Instagram, and TikTok becoming a significant component in people’s lives, attackers target them for malicious purposes. These stolen accounts are then used for disinformation campaigns, cryptocurrency scams like the recent Twitter hacks, or sold on underground markets. Due to this, social accounts should be treated as a valuable commodity and protected as such.

New Snort, ClamAV coverage strikes back against Cobalt Strike

blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html Cisco Talos is releasing a new research paper called The Art and Science of Detecting Cobalt Strike.. We recently released a more granular set of updated SNORT and ClamAV detection signatures to detect attempted obfuscation and exfiltration of data via Cobalt Strike, a common toolkit often used by adversaries. Cobalt Strike is a paid software platform for adversary simulations and red team operations. It is used by professional security penetration testers and malicious actors to gain access and control infected hosts on a victim network. Cobalt Strike has been utilized in APT campaigns and most recently observed in the IndigoDrop campaign and in numerous ransomware attacks.

Wondering how to tell the world you’ve been hacked? Here’s a handy guide from infosec academics

www.theregister.com/2020/09/24/how_to_admit_youve_been_hacked/ Infosec boffins at the University of Kent have developed a “comprehensive playbook” for companies who, having suffered a computer security breach, want to know how to shrug off the public consequences and pretend everything’s fine. In a new paper titled “A framework for effective corporate communication after cyber security incidents,” Kent’s Dr Jason Nurse, along with Richard Knight of the University of Warwick, devised a framework for companies figuring out how to publicly respond to data security breaches and similar incidents where servers are hacked and customer records end up in the hands of criminals.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.