Daily NCSC-FI news followup 2020-11-03

Winners of the Tietoturvan suunnannäyttäjä (Information Security Trailblazer) award do invaluable work for society's cyber security

www.epressi.com/tiedotteet/teknologia/tietoturvan-suunnannayttaja-tunnustuksen-voittajat-tekevat-korvaamatonta-tyota-yhteiskunnan-kyberturvallisuuden-hyvaksi.html The Tietoturvan suunnannäyttäjä award was presented on 3.11.2020 at the annual information security seminar of the Finnish Transport and Communications Agency Traficom's National Cyber Security Centre and the National Emergency Supply Agency. The award went to Jouko Katainen (Ilmarinen), Jussi Törhönen (Enfo), Tomi Vehkasalo (Aditro) and Jani Räty (Aditro) in recognition of their active cooperation with Traficom's National Cyber Security Centre. Read also:


The Vastaamo data breach set off an avalanche: over 10 000 register ban requests filed in a week, normally fewer than 300 in a whole year

yle.fi/uutiset/3-11628308 The data breach at the psychotherapy centre Vastaamo has prompted thousands of Finns to file a register ban request (rekisterikielto) with the Finnish Patent and Registration Office.

The NCSC Annual Review 2020

www.ncsc.gov.uk/news/annual-review-2020 Highlights from the last twelve months at the NCSC:

www.ncsc.gov.uk/files/Annual-Review-2020.pdf. Read also:

www.theregister.com/2020/11/03/ncsc_annual_report_nhs_ransomware/. As well as:

www.zdnet.com/article/cybersecurity-one-in-three-attacks-are-coronavirus-related/ and


Data of a million people leaked to IT giants: “This should not happen”

www.tivi.fi/uutiset/tv/9acacd54-c2a2-4340-919f-d016828140cf Sensitive data of people who used Folksam's online services has ended up with Facebook, Google, Microsoft, LinkedIn and Adobe, among others. The Swedish insurance company Folksam said on Tuesday that it had discovered that personal data of roughly one million of its customers, or of other people who visited its site, had leaked to its digital partners. Read also:

www.tivi.fi/uutiset/tv/499da4a9-ef10-4ae2-b8dc-0a92bce8b94d and

www.bleepingcomputer.com/news/security/folksam-data-breach-leaks-info-of-1m-swedes-to-google-facebook-more/. And:


Google patches a second serious security hole in Chrome within two weeks

www.tivi.fi/uutiset/tv/c61e5878-861e-4bf9-ab2b-717b5a2781db Google Chrome 86.0.4240.183 has been released for download. It includes 10 security fixes, one of which closes an actively exploited and previously unpatched hole, ZDNet reports. Read also:

www.zdnet.com/article/google-patches-second-chrome-zero-day-in-two-weeks/ and

www.bleepingcomputer.com/news/security/google-patches-one-more-actively-exploited-chrome-zero-day/. And:


Maze operators claim they are shutting down

www.scmagazine.com/home/security-news/ransomware/maze-operators-claim-they-are-shutting-down/ One of the most powerful ransomware cartels on the web claims they are shutting down operations. In a bizarre open letter posted to their public website and dated Nov. 1, representatives from the group claimed in broken English that their “project” is “officially closed,” and that the group never had any partners and doesn’t plan to bless any successor groups in the future. Read also:

www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/ and


Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945

www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html Through Mandiant investigation of intrusions between February 2018 and September 2020, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise telecommunications companies and operate against a tailored set of targets within the financial and professional consulting industries by leveraging access to third-party networks. UNC1945 targeted Oracle Solaris operating systems, utilized several tools and utilities against Windows and Linux operating systems, loaded and operated custom virtual machines, and employed techniques to evade detection. UNC1945 demonstrated access to exploits, tools and malware for multiple operating systems, a disciplined interest in covering or manipulating their activity, and displayed advanced technical abilities during interactive operations. Mandiant discovered and reported to Oracle CVE-2020-14871, which was addressed in Oracle’s October 2020 Critical Patch Update. Mandiant recommends staying current on all patch updates to ensure a high security posture. We will discuss this vulnerability in greater detail in a follow-up blog post. Read also:


FireEye releases ThreatPursuit, a Windows VM for threat intel analysts

www.zdnet.com/article/fireeye-releases-threatpursuit-a-windows-vm-for-threat-intel-analysts/ Check also: github.com/fireeye/ThreatPursuit-VM

Google to GitHub: Time’s up, this unfixed ‘high-severity’ security bug affects developers

www.zdnet.com/article/google-to-github-times-up-this-unfixed-high-severity-security-bug-affects-developers/ No, GitHub, we can’t give you an extra two days for a flaw that we’ve already given you 104 days to fix, says Google. Read also:

bugs.chromium.org/p/project-zero/issues/detail?id=2070 and

github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/. As well as:


Hospitals take action to avoid ransomware attacks, including pre-emptive email shut down

www.beckershospitalreview.com/cybersecurity/hospitals-take-action-to-avoid-ransomware-attacks-including-pre-emptive-email-shut-down.html Hospitals and health systems across the U.S. are on heightened alert and some are taking new action. Ogdensburg, N.Y.-based Claxton-Hepburn Medical Center shut down its email to prevent cyberattacks, according to a local 7 News report. The hospital remains operational and has not reduced patient services. Online patient portals and the hospital’s website are still operating, according to the report.

Roundup: COVID-19 pandemic delivers extraordinary array of cybersecurity challenges

www.zdnet.com/article/roundup-the-coronavirus-pandemic-delivers-an-array-of-cyber-security-challenges/ As the COVID-19 outbreak threatens to overload the healthcare system and the global economy, it’s also having a powerful impact on the security of businesses and individuals.

Hospital ransomware: Gangs are back to target healthcare

blog.malwarebytes.com/ransomware/2020/11/ransomware-gangs-target-hospitals/ In late September, a chain of hospitals under Universal Health Services (UHS), one of the largest healthcare providers in the United States, was hit with what appeared to be Ryuk ransomware. According to their official statement, they successfully provided patient care despite not being able to access their IT applications, largely because of back-up processes and offline documentation methods they already had in place. Thankfully, no patient and/or employee data were compromised during the attack.

Google Forms Used In Password-Stealing Spree: What You Need To Know

www.forbes.com/sites/daveywinder/2020/11/03/always-trust-google-here-are-256-password-stealing-reasons-you-shouldnt/ Seeing the google.com domain instills trust, which could lead to your password being compromised. Here’s what you need to know. Cybercriminals will use any, and every means possible to win your trust before going in for the kill. Security researchers at Zimperium have today revealed how that includes leveraging the trust that people have in the google.com domain. Here’s what they found and what you need to do to mitigate your risk of having your password and other credentials stolen.

Windows 10 bug: Certificates lost after feature upgrade? We’re working on fix, says Microsoft

www.zdnet.com/article/windows-10-bug-certificates-lost-after-feature-upgrade-were-working-on-fix-says-microsoft/ Microsoft confirms that upgrading to a newer version of Windows 10 sometimes results in lost certificates.

Malicious npm package opens backdoors on programmers’ computers

www.zdnet.com/article/malicious-npm-package-opens-backdoors-on-programmers-computers/ JavaScript library posing as a Twilio-related library opens backdoors to let attackers access infected workstations.

Q3 2020 Vulnerability Landscape

www.recordedfuture.com/q3-vulnerability-landscape/ This report examines high-risk vulnerabilities disclosed by major hardware and software vendors released from July 1 to September 30, 2020. Data was assembled from Recorded Future queries and public reporting on NVD data. This report does not attempt to summarize all vulnerabilities disclosed during this time period, but instead paints an overall picture of vulnerabilities disclosed in Q3 2020. Note that Recorded Future triggered risk rules are dynamic and apt to change after publication. Our client-only version of this report contains a full list of the vulnerabilities identified during the course of this research. Read also:


These software bugs are years old. But businesses still aren’t patching them

www.zdnet.com/article/these-software-bugs-are-years-old-but-businesses-still-arent-patching-them/ Almost two thirds of vulnerabilities on enterprise networks involve flaws that are over two years old and have not been patched, despite fixes being available. This lack of patching puts businesses at risk of attacks that could often be easily avoided if security updates were applied.

SaltStack reveals new critical vulnerabilities, patch now

www.bleepingcomputer.com/news/security/saltstack-reveals-new-critical-vulnerabilities-patch-now/ SaltStack, a VMware-owned company, has revealed critical vulnerabilities impacting Salt versions 3002 and prior, with patches available as of today. Read also:

www.saltstack.com/blog/active-saltstack-cve-announced-10-30-20/ and


Adobe Warns Windows, MacOS Users of Critical Acrobat and Reader Flaws

threatpost.com/adobe-windows-macos-critical-acrobat-reader-flaws/160903/ The critical-severity Adobe Acrobat and Reader vulnerabilities could enable arbitrary code execution and are part of a 14-CVE patch update. Read also:


Russian jailed for eight years in the US for writing code that sifted botnet logs for web banking creds for fraudsters

www.theregister.com/2020/11/02/botnet_brovko_jailed/ A Russian programmer has been sentenced to eight years behind bars in America for his part in a massive cybercriminal network that hacked into and drained victims’ bank accounts. Read also:

www.zdnet.com/article/russian-hacker-jailed-over-botnet-data-scraping-scheme-that-drained-victim-bank-accounts/. And:


Analysis by Bitdefender found that 64 percent of all reported unpatched vulnerabilities during the first half of 2020 involve known bugs dating from 2018 and previous years, which means organisations are at risk from flaws that somebody should have fixed a long time ago

www.zdnet.com/article/these-software-bugs-are-years-old-but-businesses-still-arent-patching-them/ “The vast majority of organizations still have unpatched vulnerabilities that were identified anywhere between 2002 and 2018,” the report said. Read also:


APT Groups Finding Success with Mix of Old and New Tools

threatpost.com/apt-groups-success-mix-tools/160927/ Advanced persistent threat (APT) groups continue to use the fog of intense geopolitics to supercharge their campaigns, but beyond these themes, actors are developing individual signature tactics for success. That’s according to Kaspersky’s most recent APT trends report for Q3 2020, which found that some groups are innovating and pushing technical boundaries, while others take a more low-tech approach, honing messaging around COVID, the elections and other headlines. Read also: securelist.com/apt-trends-report-q3-2020/99204/

Blackbaud sued in 23 class action lawsuits after ransomware attack

www.bleepingcomputer.com/news/security/blackbaud-sued-in-23-class-action-lawsuits-after-ransomware-attack/ Leading cloud software provider Blackbaud has been sued in 23 proposed consumer class action cases in the U.S. and Canada related to the ransomware attack that the company suffered in May 2020.

Look What Was Left On USB Drives Sold On eBay

www.forbes.com/sites/barrycollins/2020/11/03/passwords-bank-statements-and-cvs-left-on-usb-drives-sold-on-ebay/ Two thirds of USB drives bought off eBay contain some kind of retrievable personal data, according to a study conducted by British academics.

N-Day Vulnerabilities: How They Threaten Your ICS Systems’ Security

www.tripwire.com/state-of-security/featured/n-day-vulnerabilities-ics-systems-security/ In the last quarter of 2019, researchers at ClearSky uncovered an attack operation that they dubbed the “Fox Kitten Campaign.” Iranian actors used this offensive to gain persistent access into the networks of dozens of companies operating in Israel and around the world across the IT, telecommunication, oil and gas, aviation, government and security sectors. These individuals were successful in their efforts because they employed a variety of attack vectors. Overall, ClearSky found that their most effective attack vector was the exploitation of “1-day” vulnerabilities in unpatched VPN solutions for the purpose of infiltrating and compromising critical corporate information storages.

Oil rig worker is the trending occupation of online scammers: a person selling goods online is hooked, and then the milking of unusual payments begins

www.mtvuutiset.fi/artikkeli/oljynporaaja-on-nettihuijarien-trendiammatti-netissa-tavaroitaan-myyva-huijataan-koukkuun-ja-sitten-alkaa-erikoisten-maksujen-lypsaminen/7972720 A case was reported on Twitter yesterday in which a person selling furniture on Tori.fi became the target of a scam attempt. The police recognised the pattern as a familiar one, but it also contained details that had not previously come to the police's attention.
