Daily NCSC-FI news followup 2020-10-29

Why the extortion of Vastaamo matters far beyond Finland and how cyber pros are responding

www.cyberscoop.com/finland-vastaamo-hack-response/ Even for veterans of cybercriminal investigations, the recent extortion of a psychotherapy practice in Finland has been unusual and disturbing.

Cybersecurity professor demands a national investigation group to dig into the Vastaamo leak

www.tivi.fi/uutiset/tv/cd1d113a-f573-406a-9aa5-ad59bb17c117 The data breach at the psychotherapy centre and the widespread extortion of citizens constitute a national crisis, says Jarno Limnéll, professor of practice in cybersecurity. He demands an investigation group to examine this major accident of the digital age.

Security expert Sami Laiho's inbox is filling with worried messages: “Nurses log into systems on behalf of doctors”

yle.fi/uutiset/3-11617870 According to Valvira, security-related contacts have increased, especially from customers of private healthcare providers.

Hundreds of IT systems are monitored by one person: “they really should be inspected much more carefully”

www.tivi.fi/uutiset/tv/646439b0-e1cb-4fb7-b7a4-0d80c6cd3c17 The level of information security among healthcare operators, and its supervision, is a big problem in Finland. Antti Nuopponen, lead security consultant at the cybersecurity company Nixu, states that even the best-managed systems may have gaps in the security of patient data. According to Nuopponen, security may be in good shape in some companies, but there is no information about this because supervision is practically non-existent. “In practice, hundreds of systems are monitored by one person,” Nuopponen says of class B systems.

F-Secure's Hyppönen: At least 14 people have paid the Vastaamo extortionist the first ransom sum, “ransom_man” became active last night

yle.fi/uutiset/3-11620064 The extortionist had kept silent since Saturday evening, but according to Hyppönen, last night shortly before three o'clock the extortionist emptied the accounts into which victims had paid money. According to Hyppönen, the location of the bitcoins is currently known. The ideal situation would be that he converts the money into euros, dollars or roubles at some exchange, where we could, so to speak, catch in the real world where they are going. That has not happened yet, Hyppönen states.

The Vastaamo extortionist's money flows were hit, payments blocked: “We detect them with certain processes”

www.is.fi/digitoday/tietoturva/art-2000006704088.html The Bittiraha.fi service, named by the Vastaamo extortionist, has begun blocking money transfers to the extortionist.

The Ministry of Social Affairs and Health's voicemail was broken into with the password 1234

www.iltalehti.fi/kotimaa/a/5278f33a-39bb-4b0b-bb0d-0600d305ccb7 The IT entrepreneur who broke into the voicemail changed the ministry's greeting message and the password. IT entrepreneur Steve Peltonen, 25, got into the voicemail of the Ministry of Social Affairs and Health (STM) on Thursday in the early evening using the default password 1234. He says he could have listened to the 15 messages in the voicemail but did not do so. Instead, he changed the greeting message and stated the password in the new message. Then I started thinking that some outside party could hijack the system with the password and lock me out, he says. After that, Peltonen changed the greeting to a version that Iltalehti also heard at around six in the evening on Thursday.

Supo on national security: The far-right threat in Finland has grown, China and Russia spy most eagerly

yle.fi/uutiset/3-11617605 According to Supo's security review, the therapy centre Vastaamo was not attacked by a state actor. National Security Review 2020 (PDF):

supo.fi/documents/38197657/39761269/FI+Kansallisen+turvallisuuden+katsaus_2020.pdf

Ransomware Activity Targeting the Healthcare and Public Health Sector

us-cert.cisa.gov/ncas/alerts/aa20-302a

FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/ On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” Also:

www.wired.com/story/ransomware-hospitals-ryuk-trickbot/

Emotet campaign used parked domains to deliver malware payloads

www.bleepingcomputer.com/news/security/emotet-campaign-used-parked-domains-to-deliver-malware-payloads/ Researchers tracking malicious use of parked domains have spotted the Emotet botnet using such domains to deliver malware payloads as part of a large-scale phishing campaign. Of the 6 million domains detected as newly parked between March and September 2020 by Palo Alto Networks, roughly 1% started being used as part of malware or phishing campaigns. “Often, the parking services and the advertisement networks do not have the means or willingness to filter abusive advertisers (i.e. attackers),” Palo Alto Networks says. “Therefore, users are exposed to various threats, such as malware distribution, potentially unwanted program (PUP) distribution, and phishing scams.” Also: Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee –

unit42.paloaltonetworks.com/domain-parking/

Buer Loader “malware-as-a-service” joins Emotet for ransomware delivery

nakedsecurity.sophos.com/2020/10/29/buer-loader-malware-as-a-service-joins-emotet-for-ransomware-delivery/ One example of an up-and-coming malware delivery network is Buer Loader, profiled this week in a detailed report from SophosLabs. Briefly summarised, Buer is a way to create a self-managed zombie network of your own, for example to launch remote attacks with your latest ransomware which you could, of course, buy in from someone else in the cybercrime ecosystem. also: Hacks for sale: inside the Buer Loader malware-as-a-service –

news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/

DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread

blog.talosintelligence.com/2020/10/donot-firestarter.html The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. Even if the command and control (C2) is taken down, the DoNot team can still redirect the malware to another C2 using Google infrastructure. The approach in the final payload upload denotes a highly personalized targeting policy.

Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser

www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat. The malware families enabling these attacks previously reported by Mandiant to intelligence subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9.

Maze ransomware is shutting down its cybercrime operation

www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/ The Maze cybercrime gang is shutting down its operations after rising to become one of the most prominent players performing ransomware attacks. When BleepingComputer reached out to Maze to confirm whether they were shutting down, we were told, “You should wait for the press release.” BleepingComputer has learned that many Maze affiliates have switched over to a new ransomware operation called Egregor.

REvil ransomware gang claims over $100 million profit in a year

www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/ REvil ransomware developers say that they made more than $100 million in one year by extorting large businesses across the world from various sectors.

Georgia county voter information leaked by ransomware gang

www.bleepingcomputer.com/news/security/georgia-county-voter-information-leaked-by-ransomware-gang/ The DoppelPaymer ransomware gang has released unencrypted data stolen from Hall County, Georgia, during a cyberattack earlier this month.

Malware Analysis Report (AR20-303B) – MAR-10310246-1.v1 ZEBROCY Backdoor

us-cert.cisa.gov/ncas/analysis-reports/ar20-303b The malware variant, known as Zebrocy, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduced exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

Malware Analysis Report (AR20-303A) – MAR-10310246-2.v1 PowerShell Script: ComRAT

us-cert.cisa.gov/ncas/analysis-reports/ar20-303a The malware variant, known as ComRAT, has been used by Turla, a Russian-sponsored Advanced Persistent Threat (APT) actor. CISA, CNMF, and FBI are distributing this MAR to enable network defense and reduced exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

In a first, researchers extract secret key used to encrypt Intel CPU code

arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/ Hackers can now reverse-engineer updates or write their own custom firmware.

ESET Threat Report Q3 2020

www.welivesecurity.com/2020/10/28/eset-threat-report-q32020/ A view of the Q3 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts

German armed forces launch security vulnerability disclosure program

portswigger.net/daily-swig/german-armed-forces-launch-security-vulnerability-disclosure-program The German armed forces (Bundeswehr) have launched a responsible disclosure program for reporting security vulnerabilities.
