Daily NCSC-FI news followup 2020-09-30

Android Spyware Variant Snoops on WhatsApp, Telegram Messages

threatpost.com/new-android-spyware-whatsapp-telegram/159694/ The Android malware comes from threat group APT-C-23, also known as Two-Tailed Scorpion and Desert Scorpion.

The Emerald Connection: EquationGroup collaboration with Stuxnet

fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/ This article is part of a continued ongoing effort in my research of the use of a series of libraries called Exploit Development Framework (EDF) created by EquationGroup for the development of their exploitation tools (exploits, implants, tools, and more). In my previous piece I wrote about my findings of the Fanny worm better known to EquationGroup developers and operators as: DEMENTIAWHEEL (DEWH).

Blackbaud: Ransomware gang had access to banking info and passwords

www.bleepingcomputer.com/news/security/blackbaud-ransomware-gang-had-access-to-banking-info-and-passwords/ Blackbaud, a leading cloud software provider, confirmed that the threat actors behind the May 2020 ransomware attack had access to unencrypted banking and login information, as well as social security numbers.

Swiss watchmaker Swatch shuts down IT systems to stop cyberattack

www.bleepingcomputer.com/news/security/swiss-watchmaker-swatch-shuts-down-it-systems-to-stop-cyberattack/ Swiss watchmaker Swatch Group shut down its IT systems over the weekend after identifying a cyberattack targeting its organization.

QNAP warns customers of recent wave of ransomware attacks

www.bleepingcomputer.com/news/security/qnap-warns-customers-of-recent-wave-of-ransomware-attacks/ QNAP has issued an advisory about a recent wave of ransomware attacks targeting its NAS storage devices and encrypting files. Last week, BleepingComputer broke the story of ransomware known as AgeLocker attacking publicly exposed QNAP NAS devices.

Linkury adware caught distributing full-blown malware

www.zdnet.com/article/linkury-adware-caught-distributing-full-blown-malware/#ftag=RSSbaffb68 Linkury (SafeFinder) installations linked to infections with the Socelars and Kpot infostealer trojans.

$15 million business email scam campaign in the US exposed

www.zdnet.com/article/15-million-business-email-scam-exposed-in-the-us/ The FBI is investigating the global campaign in which millions of dollars have been stolen from at least 150 victims.

This worm phishing campaign is a game-changer in password theft, account takeovers

www.zdnet.com/article/this-worm-phishing-campaign-is-a-game-changer-in-password-theft-account-takeovers/ The security incident highlights the need for multi-factor authentication in the enterprise. “The phishing emails were being sent as replies to genuine emails,” the researcher explained. “Emails exchanged between our people and our suppliers, our customers, and even internally between colleagues.” The technique, resulting in worm-like mass takeovers, left Hays “in awe” of the “phenomenal number of accounts [that] were compromised within a few hours.”

FYI: If you’re running HP Device Manager, anyone on your network can get admin on your server via backdoor

www.theregister.com/2020/09/30/hp_device_manager_backdoor_database_account/ Hidden database account discovered, patches finally available as well as mitigations

Over 247K Exchange servers unpatched for actively exploited flaw

www.bleepingcomputer.com/news/security/over-247k-exchange-servers-unpatched-for-actively-exploited-flaw/ More than 247,000 Microsoft Exchange servers are yet to be patched against the CVE-2020-0688 post-auth remote code execution (RCE) vulnerability impacting all Exchange Server versions under support. “There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise.”
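The second of those two efforts, checking for signs of compromise, is something a reader can start on with the IIS logs the Exchange server already writes. Public write-ups of CVE-2020-0688 exploitation describe the attacker sending a GET request to an /ecp/ page with __VIEWSTATE and __VIEWSTATEGENERATOR in the query string, which a normal ECP page load never does. The following script is an added example written for this digest (not code from BleepingComputer, Microsoft or any vendor): it parses W3C-format IIS logs using the #Fields header, flags GET requests to /ecp/ that carry __VIEWSTATE in the query string, and groups hits by client address. The log lines, hostnames, usernames and IP addresses are constructed for the example, and the ViewState blob is a placeholder, not a real payload.

```python
"""Scan IIS W3C logs from an Exchange server for the request shape used in
CVE-2020-0688 exploitation: a GET to an /ecp/ page carrying __VIEWSTATE in
the query string.  Legitimate ECP page loads send ViewState in a POST body,
so such GETs are a strong indicator worth correlating with other evidence.
The sample log below is constructed for this example; it is not real data."""
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample: two benign requests, then two exploitation-shaped requests
# from a different client IP using a scripting user agent.  The ViewState value
# is a placeholder, not a working gadget chain.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2020-09-30 08:01:10 10.0.0.5 GET /owa/ - 443 - 198.51.100.20 Mozilla/5.0 200 48
2020-09-30 08:02:31 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\jdoe 198.51.100.20 Mozilla/5.0 200 211
2020-09-30 08:05:44 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAPLACEHOLDER 443 CONTOSO\\jdoe 203.0.113.7 python-requests/2.24.0 500 153
2020-09-30 08:05:45 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAPLACEHOLDER 443 CONTOSO\\jdoe 203.0.113.7 python-requests/2.24.0 500 140
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header.
    IIS replaces spaces inside field values with '+', so splitting on a single
    space is safe.  Malformed lines are skipped rather than aborting the scan."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log entry encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def is_viewstate_in_query(entry):
    """True when the entry is a GET to /ecp/ with __VIEWSTATE in the query string."""
    if entry.get("cs-method", "").upper() != "GET":
        return False
    if not entry.get("cs-uri-stem", "").lower().startswith("/ecp/"):
        return False
    query = entry.get("cs-uri-query", "-")
    if query == "-":
        return False  # IIS writes '-' when there is no query string
    names = {name.lower() for name in parse_qs(query, keep_blank_values=True)}
    return "__viewstate" in names


def find_suspicious(text):
    """Return the matching entries, reduced to the fields useful for triage."""
    hits = []
    for entry in parse_w3c(text):
        if is_viewstate_in_query(entry):
            hits.append({
                "time": f'{entry.get("date", "")} {entry.get("time", "")}',
                "c-ip": entry.get("c-ip", "-"),
                "user": entry.get("cs-username", "-"),
                "agent": entry.get("cs(User-Agent)", "-"),
                "status": entry.get("sc-status", "-"),
                "stem": entry.get("cs-uri-stem", "-"),
            })
    return hits


def summarize_by_client(hits):
    """Group hits per source IP: request count, accounts used, status codes seen.
    A 500 on these requests is common after the payload has already run, so the
    status code corroborates but does not on its own prove success or failure."""
    summary = defaultdict(lambda: {"requests": 0, "users": set(), "statuses": set()})
    for hit in hits:
        bucket = summary[hit["c-ip"]]
        bucket["requests"] += 1
        bucket["users"].add(hit["user"])
        bucket["statuses"].add(hit["status"])
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize_by_client(find_suspicious(SAMPLE_LOG)).items():
        print(f"{ip}: {info['requests']} ECP GET(s) with __VIEWSTATE in query, "
              f"users={sorted(info['users'])}, statuses={sorted(info['statuses'])}")
```

Point the scanner at the logs under the Exchange server's inetpub logs directory for the Default Web Site (the ECP front end) and at the back-end site as well, since the request is logged on both. A hit tells you an authenticated account was used to send ViewState in a way no browser does; the account itself is a lead, because the flaw is post-authentication and the attacker already held its credentials. Correlate with Windows Application log entries from source MSExchange Control Panel that report a ViewStateException, and treat any child process spawned by w3wp.exe around those timestamps as the next thing to pull.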

GitHub rolls out new Code Scanning security feature to all users

www.zdnet.com/article/github-rolls-out-new-code-scanning-security-feature-to-all-users/ New Code Scanning feature will tell GitHub users when they’ve added known security flaws in their code

Hackers jailbreak Apple’s T2 security chip powered by bridgeOS

reportcybercrime.com/hackers-jailbreak-apples-t2-security-chip-powered-by-bridgeos/ The Apple T2 Security chip now has a jailbreak

Detecting Microsoft 365 and Azure Active Directory Backdoors

www.fireeye.com/blog/threat-research/2020/09/detecting-microsoft-365-azure-active-directory-backdoors.html Mandiant has seen an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of password spraying, password stuffing, or simple brute force attempts against M365 tenants. In almost all of these incidents, the user or account was not protected by multi-factor authentication (MFA).

Prepare your shocked faces: Crypto-coin exchange boss laundered millions of bucks for online auction crooks

www.theregister.com/2020/09/30/bitcoin_exchange_laundering/ A Bulgarian man has been convicted of laundering through his cryptocurrency exchange at least £4m ($5m) his fellow crooks had cheated out of hundreds of people online. Rossen Iossifov, 53, who ran the RG Coins exchange, was on Monday found guilty of conspiracy to commit racketeering, and conspiracy to commit money laundering, following a two-week trial.

CISA Releases Telework Essentials Toolkit

us-cert.cisa.gov/ncas/current-activity/2020/09/30/cisa-releases-telework-essentials-toolkit The Cybersecurity and Infrastructure Security Agency (CISA) has released the Telework Essentials Toolkit, a comprehensive resource of telework best practices. The Toolkit provides three personalized modules for executive leaders, IT professionals, and teleworkers. Each module outlines distinctive security considerations appropriate for their role.

CISA and MS-ISAC Release Ransomware Guide

us-cert.cisa.gov/ncas/current-activity/2020/09/30/cisa-and-ms-isac-release-ransomware-guide The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have released a joint Ransomware Guide that details practices that organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The in-depth guide provides actionable best practices for ransomware prevention as well as a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.
