Daily NCSC-FI news followup 2020-10-28

Vastaamo extortionist stayed hidden even though the ransom deadline expired; the threat now is identity theft of the victims

yle.fi/uutiset/3-11618253 The extortionist reportedly did not publish new personal data or patient records on Tuesday, as had been threatened.

Vastaamo extortion victims' data is now being spread in a new way. Experts: think carefully about what you post on social media

www.is.fi/digitoday/art-2000006702529.html "It is known that idiots on the dark web have already spread the patient records of police officers, members of parliament and other public figures," says F-Secure's chief information security officer Erka Koivunen.

Did you pay the ransom to the Vastaamo extortionist? Mikko Hyppönen: This is how you can help catch him

www.is.fi/digitoday/tietoturva/art-2000006702689.html Mikko Hyppönen appeals to the victims who paid the ransom in the Vastaamo attack and asks them to get in touch. also:

Marin hopes that victims of the Vastaamo data breach could change their personal identity code quickly; the government discussed the breach in its evening session

yle.fi/uutiset/3-11617366 Prime Minister Sanna Marin (SDP) commented after the evening session that it is the government's responsibility to map out broadly the points in legislation that might need to be changed so that data breaches can be prevented. On a fast timetable, the aim is to examine whether current legislation offers the victims of the Vastaamo breach the means to change their personal identity code, or whether legislative changes are needed for that. Marin has asked the Ministry of Transport and Communications to lead the work aimed at improving cybersecurity and data protection. According to Marin, it should also be considered whether a single ministry should be clearly responsible for cybersecurity, data protection and digital affairs.

Hacking company CEO Mårten Mickos demands harsh fines for companies that neglect their information security; he believes the Vastaamo case will be solved

www.kauppalehti.fi/uutiset/hakkeriyrityksen-johtaja-marten-mickos-vaatii-ankaria-sakkoja-tietoturvansa-laiminlyoville-yrityksille-vastaamon-tapauksen-han-uskoo-selviavan/72a050dd-8d7d-4987-9759-374… Mårten Mickos, CEO of HackerOne, a company focused on finding security holes in businesses' systems, and a startup investor, says that the value and significance of digital data is not understood in Finland. For that reason legislation is too lax, and this may lead to new data breaches. "People should realize that cyber threats are as dangerous as chemical, health and military threats. The impact and destruction can be of the same magnitude," he says.

Staggering numbers: up to a million scam calls are made to Finland every month, "apparently many people fall for them"

www.mtvuutiset.fi/artikkeli/hurjia-lukuja-suomeen-soitetaan-joka-kuukausi-jopa-miljoona-huijaussoittoa-ilmeisen-moni-ihminen-niihin-lankeaa/7966792 According to Kimmo Rousku, leading senior specialist at the Digital and Population Data Services Agency, up to a million scam calls are made to Finland every month.

Scammers are spoofing bank phone numbers to rob victims

blog.malwarebytes.com/social-engineering/2020/10/scammers-are-spoofing-bank-phone-numbers-to-rob-victims/ It can be a very convincing trick: "You can check the number in your display online, sir. You'll see I'm really calling from your bank." That is, of course, if you are unaware that phone numbers can be spoofed.

Would you recognize an email scam? This is also how employees are trained about cyber threats in Finland

www.tivi.fi/uutiset/tv/13ed9315-acce-4b79-ad20-2f78ad3fcdef The Finnish Tax Administration's director of development and IT recommends scenario-based exercises to all organizations. The Tax Administration also uses gamification in its staff security training and looks for vulnerabilities with the help of hackers.

Six ways to reduce the risk from human-operated ransomware attacks

pwc.blogs.com/cyber_security_updates/2020/10/six-ways-to-reduce-the-risk-from-human-operated-ransomware-attacks.html Based on our understanding of the TTPs used by these attackers, and our experience preventing, detecting and responding to attacks, we have published a new whitepaper called Responding to the growing threat of human-operated ransomware attacks. In this article we have summarised the six areas we recommend CISOs and security professionals focus on for security improvement. You can download the full whitepaper for pragmatic, actionable recommendations on how to reduce the risk from these attacks. PDF:

Keeping ransomware cash away from your business

blog.malwarebytes.com/cybercrime/2020/10/keeping-ransomware-cash-away-from-your-business/ A ransomware gang has made headlines for donating a big chunk of stolen funds to two charities. Two separate donations given to Children International and The Water Project rang tills to the tune of $10,000 each. Their reason was that they're targeting "only large profitable corporations, we think it's fair that some of the money they've paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone's life." This has raised several questions outside the usual "Is it morally right to pay a ransom" debate. It's a whole new world of "Is it morally acceptable for ransomware authors to donate ill-gotten gains to charities, Robin Hood style?"

How does an illicit cybercrime market evolve: A longitudinal study

www.lightbluetouchpaper.org/2020/10/28/how-does-an-illicit-cybercrime-market-evolve-a-longitudinal-study/ Online underground marketplaces are an essential part of the cybercrime economy. They often act as a cash-out market, enabling the trade in illicit goods and services between pseudonymous members. To understand their characteristics, previous research mostly uses vendor ratings, public feedback, sometimes private messages, friend status, and post content. However, most research lacks comprehensive (and important) data about transactions made by the forum members.

TrickBot Linux Variants Active in the Wild Despite Recent Takedown

thehackernews.com/2020/10/trickbot-linux-variants-active-in-wild.html Efforts to disrupt TrickBot may have shut down most of its critical infrastructure, but the operators behind the notorious malware aren’t sitting idle. According to new findings shared by cybersecurity firm Netscout, TrickBot’s authors have moved portions of their code to Linux in an attempt to widen the scope of victims that could be targeted. also: www.netscout.com/blog/asert/dropping-anchor

Turla uses HyperStack, Carbon, and Kazuar to compromise government entity

www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity Accenture Cyber Threat Intelligence researchers identified a Turla compromise of a European government organization. During this compromise Turla utilized a combination of remote procedure call (RPC)-based backdoors, such as HyperStack and remote administration trojans (RATs), such as Kazuar and Carbon, which ACTI researchers analyzed between June and October 2020. The RATs transmit the command execution results and exfiltrate data from the victim’s network while the RPC-based backdoors use the RPC protocol to perform lateral movement and issue and receive commands on other machines in the local network. These tools often include several layers of obfuscation and defense evasion techniques.

Cyberattacks target international conference attendees

blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/ Today, we're sharing that we have detected and worked to stop a series of cyberattacks from the threat actor Phosphorus masquerading as conference organizers to target more than 100 high-profile individuals. Phosphorus, an Iranian actor, has used this scheme to target potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia. The Munich Security Conference is the most important gathering on the topic of security for heads of state and other world leaders, and it has been held annually for nearly 60 years. Likewise, T20 is a highly visible event that shapes policy ideas for the G20 nations and informs their critical discussions.

DDoS attacks in Q3 2020

securelist.com/ddos-attacks-in-q3-2020/99171/ If Q2 2020 surprised us with an unusually high number of DDoS attacks for this period, the Q3 figures point to a normalization. Judging by the number of unique targets, in comparison with last quarter, cybercriminals were more attracted by European, and less by the Asian countries, such as Japan and South Korea, although interest in China is still high and continues to grow in terms both of unique targets and of attacks. Growth was observed in the number of short and ultra-short attacks, as well as multi-day ones. The sharp contrast between the highest and lowest number of attacks per day is curious. Taken together, these indicators mark Q3 2020 out as somewhat contradictory from a DDoS viewpoint.

SMBGhost – the critical vulnerability many seem to have forgotten to patch

isc.sans.edu/forums/diary/SMBGhost+the+critical+vulnerability+many+seem+to+have+forgotten+to+patch/26732/ You probably remember that back in March, Microsoft released a patch for a vulnerability in SMBv3 dubbed SMBGhost (CVE-2020-0796); at the time it received as much media attention as was reasonable for a critical (CVSS 10.0) vulnerability in Windows that might lead to remote code execution. I'm unsure what method Shodan uses to determine whether a certain machine is vulnerable to SMBGhost, but if its detection mechanism is accurate, it would appear that there are still over 103,000 affected machines accessible from the internet. This would mean that a vulnerable machine hides behind approximately 8% of all IPs that have port 445 open.

QNAP warns of new QTS bugs that allow takeover of devices

www.bleepingcomputer.com/news/security/qnap-warns-of-new-qts-bugs-that-allow-take-over-of-devices/ QNAP today announced two vulnerabilities affecting QTS, the operating system powering its network-attached storage devices, that could allow running arbitrary commands. The bugs are remotely exploitable and have been reported in versions of the software released before September 8, 2020.

Fake COVID-19 survey hides ransomware in Canadian university attack

blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/ On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey. However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

Trump’s official campaign website vandalized by hackers who ‘had enough of the President’s fake news’

www.theregister.com/2020/10/28/trump_website_hacked/ Well, that narrows down the list of suspects to just a few billion people

WannaCry: How the Widespread Ransomware Changed Cybersecurity

securityintelligence.com/articles/wannacry-worm-ransomware-changed-cybersecurity/ If I had polled cybersecurity experts on their way to work on May 12, 2017, most of them would have said they knew a major cybersecurity event loomed. Yet on that day, as they traveled by car, train or ferry to their respective offices that spring morning, no one expected that they were walking into the perfect storm in the form of WannaCry ransomware, the most damaging cyberattack to date.

Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine

www.fireeye.com/blog/threat-research/2020/10/threatpursuit-vm-threat-intelligence-and-hunting-virtual-machine.html ThreatPursuit Virtual Machine (VM) is a fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly.

Threat Hunting as an Official Cybersecurity Discipline

www.secureworks.com/blog/threat-hunting-as-an-official-cybersecurity-discipline Now that threat hunting is recognized as an official discipline by NIST, Secureworks explains what that means for companies that want to implement threat hunting, supplement their own programs, or partner with others.
