Daily NCSC-FI news followup 2020-11-21

Leaky Buddies: Cross-Component Covert Channels on Integrated CPU-GPU Systems

arxiv.org/pdf/2011.09642.pdf Integrated GPUs share some resources with the CPU and as a result, there is a potential for microarchitectural attacks from the GPU to the CPU or vice versa. We believe this type of attack, crossing the component boundary (GPU to CPU or vice versa), is novel, introducing unique challenges, but also providing the attacker with new capabilities that must be considered when we design defenses against microarchitectural attacks in these environments.

Botnets have been silently mass-scanning the internet for unsecured ENV files

www.zdnet.com/article/botnets-have-been-silently-mass-scanning-the-internet-for-unsecured-env-files/ Threat actors are looking for API tokens, passwords, and database logins usually stored in ENV files.
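The scanning described above leaves a recognisable trace in ordinary web-server logs. As an added example (not code from the ZDNet article), the following Python parses combined-format access log lines, counts requests for dotenv-style paths per client and reports which clients look like env-file scanners, and whether any probe was actually served with a 2xx. The log lines are constructed for the example, and the set of probed path variants is an assumption about what such scanners request.

```python
"""Spot mass scanning for exposed .env files in web-server access logs.

Added example, not from the ZDNet article. Parses Apache/nginx combined-format
access log lines, counts requests for dotenv-style paths per client IP and
returns the clients that look like scanners. The log lines below are
constructed; the probed path pattern is an assumption about scanner behaviour.
"""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths that betray an env-file hunt: /.env, /api/.env, /.env.bak, ... (assumption).
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$', re.IGNORECASE)

# Constructed sample: two scanners (one of them got a 200), one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2020:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.24.0"
203.0.113.5 - - [20/Nov/2020:10:01:02 +0000] "GET /api/.env HTTP/1.1" 404 196 "-" "python-requests/2.24.0"
203.0.113.5 - - [20/Nov/2020:10:01:03 +0000] "GET /.env.bak HTTP/1.1" 404 196 "-" "python-requests/2.24.0"
198.51.100.7 - - [20/Nov/2020:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Nov/2020:10:02:11 +0000] "GET /static/app.js HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Nov/2020:10:03:00 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
192.0.2.44 - - [20/Nov/2020:10:03:01 +0000] "GET /laravel/.env HTTP/1.1" 404 196 "-" "Go-http-client/1.1"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_env_scanners(log_text, min_hits=2):
    """Return {ip: {"hits": n, "served": k, "paths": [...]}} for clients that requested
    env-style paths at least min_hits times. "served" counts 2xx responses: those are
    the requests where a real secrets file may actually have been handed out."""
    hits = Counter()
    served = Counter()
    paths = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not ENV_PATH_RE.search(rec["path"].split("?", 1)[0]):
            continue
        ip = rec["ip"]
        hits[ip] += 1
        paths[ip].append(rec["path"])
        if rec["status"].startswith("2"):
            served[ip] += 1
    return {
        ip: {"hits": n, "served": served[ip], "paths": paths[ip]}
        for ip, n in hits.items() if n >= min_hits
    }

if __name__ == "__main__":
    for ip, info in find_env_scanners(SAMPLE_LOG).items():
        flag = "LEAK? " if info["served"] else ""
        print(f"{flag}{ip}: {info['hits']} env probes, {info['served']} served: {info['paths']}")
```

A client whose probes were answered with 2xx is the one to investigate first: that is a sign the file was reachable, and any credentials in it should be treated as compromised. The durable fix is to keep .env files out of the web root and have the web server refuse to serve dotfiles at all, so the scanner only ever sees 403/404.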

Abusive add-ons aren't just a Chrome and Firefox problem. Now it's Edge's turn

arstechnica.com/gadgets/2020/11/fraudulent-add-ons-infiltrate-the-official-microsoft-edge-store/ Over the past several days, people in website forums have complained of their Google searches being redirected to oksearch[.]com when they use Edge. Often, the searches use cdn77[.]org for connectivity. After discovering the redirections weren't an isolated incident, participants in this Reddit discussion winnowed the list of suspects down to five. All of them are knockoffs of legitimate add-ons. That means that while the extensions bear the names of legitimate developers, they are, in fact, imposters with no relation.

Hundreds of Facebook moderators complain: AI content moderation isn’t working and we’re paying for it

www.theregister.com/2020/11/21/hundreds_of_facebook_moderators_complained/ In an open letter to the social media giant, over 200 content moderators said that the company's technology was futile. "It is important to explain that the reason you have chosen to risk our lives is that this year Facebook tried using AI to moderate content and failed," it said.

Mount Locker ransomware now targets your TurboTax tax returns

www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/ The Mount Locker ransomware operation is gearing up for the tax season by specifically targeting TurboTax returns for encryption. Stolen data and the encrypted files are then used in a double-extortion scheme where victims are warned that their stolen files will be published on a data leak site if a ransom is not paid. When encrypting a computer, Mount Locker only encrypts files that have certain file extensions. With the latest version, the ransomware developers are now targeting the .tax, .tax2009, .tax2013, and .tax2014 file extensions associated with the TurboTax tax preparation software.

Raytheon Employee Jailed for Exporting Missile Data to China

www.infosecurity-magazine.com/news/wei-sun-jailed-for-exporting/ Chinese national Wei Sun was employed in Tucson, Arizona, as an electrical engineer with Raytheon Missiles and Defense for 10 years. In February 2020, the 49-year-old pled guilty to violating the Arms Export Control Act (AECA) by taking a company-issued laptop containing sensitive information to China during a vacation.

Exploiting dynamic rendering engines to take control of web apps

r2c.dev/blog/2020/exploiting-dynamic-rendering-engines-to-take-control-of-web-apps/ If a web page is generated dynamically on the client but needs to be properly indexed by search engines, a common approach is to catch a request from the crawler or bot, render it server-side, and output the pretty HTML with all the content. It's easy to take advantage of a dynamic rendering app when it is publicly available because it allows you to interact with the app directly and send arbitrary requests, including to local endpoints. There are some restrictions for accessing local infrastructure, but depending on the version of the dynamic rendering app, they can be bypassed.
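The weakness is that the renderer fetches whatever URL it is handed, with a headless browser sitting inside the network. As an added example (not code from the r2c post or from any rendering product), here is the "render anything" decision next to a hardened version that only renders the site's own hostnames over http(s), refuses IP literals, embedded credentials and other schemes, and only does so for crawler-looking requests. The allowed hostnames and crawler markers are assumptions for the example.

```python
"""Guarding a dynamic-rendering endpoint against SSRF.

Added example, not code from the r2c post or any rendering product. A dynamic
renderer takes a URL from the crawler's request and fetches it server-side.
The insecure version renders whatever it is handed; the hardened version only
renders URLs for the site's own hostnames. ALLOWED_HOSTS and CRAWLER_MARKERS
are assumptions for the example.
"""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Assumption: the hostnames this site legitimately serves.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
# Assumption: user-agent fragments of crawlers that get the pre-rendered variant.
CRAWLER_MARKERS = ("googlebot", "bingbot", "duckduckbot")

def render_target_insecure(url):
    """'Before' version: any URL is passed straight to the headless browser."""
    return url

def is_crawler(user_agent):
    return any(m in (user_agent or "").lower() for m in CRAWLER_MARKERS)

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def render_target(url, user_agent):
    """Return the URL the renderer may fetch, or None if the request must be refused.

    Refuses: non-crawlers, schemes other than http(s) (file://, gopher://, chrome://),
    embedded credentials, IP literals (169.254.169.254, 127.0.0.1, [::1]) and any host
    outside ALLOWED_HOSTS. The check is against the parsed hostname, so tricks such
    as 'example.com@127.0.0.1' fall out of urlsplit() as credentials, not as the host.
    """
    if not is_crawler(user_agent):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = (parts.hostname or "").lower()
    if not host or _is_ip_literal(host) or host not in ALLOWED_HOSTS:
        return None
    # Normalise: drop the fragment and any explicit port so the renderer always
    # fetches the site on its standard port; keep path and query.
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))

if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1)"
    for u in ("http://www.example.com/page?x=1#frag", "http://169.254.169.254/latest/meta-data/",
              "http://example.com@127.0.0.1/", "file:///etc/passwd", "http://localhost:8080/admin"):
        print(u, "->", render_target(u, ua))
```

The user-agent check is not authentication: anyone can claim to be Googlebot, which is exactly why the post can talk to a public renderer directly. The host allowlist is the control that matters, and it only covers the URL as written; because the allowed hostnames are resolved later by the browser, the renderer should additionally run with egress restricted to the site itself so that a rebinding or a stale DNS answer cannot turn it into an internal proxy.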

Consul by HashiCorp: from Infoleak to RCE

lab.wallarm.com/consul-by-hashicorp-from-infoleak-to-rce/ An attacker can use public access to the system to obtain information about the infrastructure and its configuration. How to protect yourself: set the EnableLocalScriptChecks and EnableRemoteScriptChecks options to false. … Make sure Consul is on the local network and isn't exposed.
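The two settings named above are the agent's internal names for the documented options enable_local_script_checks and enable_script_checks. As an added example (not code from HashiCorp or Wallarm), the following Python audits a Consul agent configuration in its JSON form for the combination that turns an information leak into command execution: script checks enabled, the HTTP API bound to every interface, and ACLs absent or defaulting to allow. Both configurations in the block are constructed for the example; the key names are the documented Consul agent options.

```python
"""Audit a Consul agent configuration for the exposures the Wallarm post warns about.

Added example, not code from HashiCorp or Wallarm. Loads an agent config in
Consul's JSON format and reports: script checks enabled (enable_script_checks and
enable_local_script_checks, the agent's EnableRemoteScriptChecks and
EnableLocalScriptChecks), the HTTP API bound to all interfaces, and ACLs missing
or defaulting to allow. The two configs are constructed for the example.
"""
import json

# Constructed: an agent that hands out both its catalog and a shell.
WEAK_CONFIG = json.dumps({
    "datacenter": "dc1",
    "client_addr": "0.0.0.0",
    "enable_script_checks": True,
})

# Constructed: the same agent with the post's recommendations applied.
HARDENED_CONFIG = json.dumps({
    "datacenter": "dc1",
    "client_addr": "127.0.0.1",
    "enable_script_checks": False,
    "enable_local_script_checks": False,
    "acl": {"enabled": True, "default_policy": "deny"},
})

def audit_consul_config(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = json.loads(config_text)
    findings = []
    # Listener: 0.0.0.0 makes the HTTP API reachable by anyone who can route to the
    # host. Consul's default is the loopback address.
    client_addr = cfg.get("client_addr", "127.0.0.1")
    if client_addr.strip() in ("0.0.0.0", "::", "[::]"):
        findings.append("client_addr binds the HTTP API to all interfaces")
    # enable_script_checks=true also permits checks registered over the HTTP API,
    # i.e. remote command execution for anyone who can reach the agent.
    if cfg.get("enable_script_checks", False):
        findings.append("enable_script_checks=true: script checks may be registered via the HTTP API (RCE)")
    elif cfg.get("enable_local_script_checks", False):
        findings.append("enable_local_script_checks=true: script checks allowed from local config files")
    # Without ACLs (or with default allow) the catalog, KV store and agent endpoints
    # answer unauthenticated requests: the infoleak half of the chain.
    acl = cfg.get("acl", {})
    if not acl.get("enabled", False):
        findings.append("ACLs disabled: unauthenticated catalog/KV/agent access (infoleak)")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("acl.default_policy is not deny")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_consul_config(text) or ["ok"])
```

Run it against the JSON files in the agent's -config-dir; HCL configs need converting first. The audit is a local check only, and it complements rather than replaces the post's first point: an agent that is not reachable from the internet cannot be enumerated in the first place.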

Purgalicious VBA: Macro Obfuscation With VBA Purging

www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-obfuscation-with-vba-purging.html Malicious Office documents remain a favorite technique for every type of threat actor, from red teamers to FIN groups to APTs. In this blog post, we will discuss "VBA Purging", a technique we have increasingly observed in the wild and that was first publicly documented by Didier Stevens in February 2020. We will explain how VBA purging works with Microsoft Office documents in Compound File Binary Format (CFBF), share some detection and hunting opportunities, and introduce a new tool created by Mandiant's Red Team: OfficePurge. [VBA purging] removes strings usually found in PerformanceCache that many AV engines and YARA rules depend on for detection. Once removed, attackers are able to use more standard methodologies and execute suspicious functions (i.e. CreateObject) without being detected.
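What purging actually removes is the compiled half of each module stream: the stream is laid out as PerformanceCache followed by the compressed source, with the dir stream's MODULEOFFSET marking where the source begins, and a purged module has no cache and an offset of 0. As an added example (not OfficePurge or Didier Stevens' tooling), the Python below implements the MS-OVBA decompression that recovers the source, a literal-only encoder used only to build sample module streams, a purge check based on the offset and signature byte, and a demonstration that a plain string planted in the cache disappears from the raw stream while the source stays fully recoverable. The CFBF and dir-stream parsing that would feed real module streams in is left out; the sample source and the cache bytes are constructed, and real p-code does not look like the stand-in used here.

```python
"""Detect VBA-purged modules and recover their source (added example).

Not FireEye's OfficePurge or Didier Stevens' tooling. A module stream in the VBA
storage is [PerformanceCache][CompressedSourceCode]; the dir stream's MODULEOFFSET
says where the compressed source starts. Purging drops the PerformanceCache
(compiled p-code) and sets MODULEOFFSET to 0, so the stream opens with the MS-OVBA
container signature 0x01. CFBF/dir parsing is omitted; the sample source and the
cache bytes are constructed (real p-code looks different).
"""
import struct

def decompress(container):
    """Decode an MS-OVBA CompressedContainer (literal and copy tokens)."""
    if not container or container[0] != 0x01:
        raise ValueError("not a compressed container: signature byte must be 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        hdr = struct.unpack_from("<H", container, pos)[0]
        size = (hdr & 0x0FFF) + 3           # CompressedChunkSize incl. 2-byte header
        if (hdr >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        compressed = (hdr >> 15) & 1
        end = min(len(container), pos + size)
        chunk_start = len(out)
        pos += 2
        if not compressed:                   # raw chunk: 4096 bytes stored verbatim
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:   # literal token: one plain byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # Copy token: the offset/length split widens as the chunk fills up.
                bit_count = max((len(out) - chunk_start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                src = len(out) - ((token >> (16 - bit_count)) + 1)
                for i in range(length):      # byte-wise: source may overlap output
                    out.append(out[src + i])
    return bytes(out)

def compress_literal(data):
    """Encode with literal tokens only (no LZ77 matching): valid, just not compact.
    Single chunk only; one flag byte per 8 literals caps the input at 3640 bytes."""
    if len(data) > 3640:
        raise ValueError("single-chunk literal encoder: input too large")
    body = bytearray()
    for i in range(0, len(data), 8):
        body.append(0x00)                    # flag byte: next 8 tokens are literals
        body += data[i:i + 8]
    if not body:
        return b"\x01"
    hdr = (len(body) + 2 - 3) | 0x3000 | 0x8000
    return b"\x01" + struct.pack("<H", hdr) + bytes(body)

# Constructed sample module source.
SOURCE = (b"Sub AutoOpen()\r\n"
          b'    Set s = CreateObject("WScript.Shell")\r\n'
          b"End Sub\r\n")

def build_module_stream(source, performance_cache=b""):
    """Return (stream, module_offset) as the dir stream's MODULEOFFSET would describe it."""
    return performance_cache + compress_literal(source), len(performance_cache)

def is_purged(stream, module_offset):
    """Purged module: no p-code, so MODULEOFFSET is 0 and byte 0 is the container signature."""
    return module_offset == 0 and len(stream) > 0 and stream[0] == 0x01

def extract_source(stream, module_offset):
    return decompress(stream[module_offset:])

if __name__ == "__main__":
    # Constructed stand-in for a PerformanceCache that carries plain strings.
    cache = b"\x00\x01PCODE\x00CreateObject\x00WScript.Shell\x00"
    normal, off = build_module_stream(SOURCE, cache)
    purged, off0 = build_module_stream(SOURCE)
    for name, stream, o in (("normal", normal, off), ("purged", purged, off0)):
        print(name, "purged:", is_purged(stream, o),
              "| 'CreateObject' in raw stream:", b"CreateObject" in stream,
              "| source recovered:", extract_source(stream, o) == SOURCE)
```

Two things worth noticing in the output: the purged stream no longer contains "CreateObject" as a contiguous string even though the source does, because a compressed chunk inserts a flag byte after every eight tokens and so never carries more than eight plain bytes in a row, and a rule that matches on the raw stream therefore needs to decompress first. A module offset of 0 on a document that has clearly been saved by Office is the hunting signal the post describes; olevba and oledump report that offset for each module.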

Facing a cyber threat can be practised by simulation: exercises drill the right response patterns into muscle memory

www.kauppalehti.fi/uutiset/kybervaaran-kohtaamista-voi-harjoitella-simulaatiolla-harjoitusten-avulla-oikeat-toimintamallit-menevat-selkaytimeen/0ca46a3f-b23c-41f0-a192-69ade175ae19 Exercise participants have had no difficulty immersing themselves in the scenarios; both the company's own staff and its partners have taken action without delay. The simulations have clarified responsibilities, decision-making chains and roles. Fingrid's internal exercises rotate who is responsible, because, just as in real life, the key person in charge may be away from work when an incident occurs. Participants typically include management, technical experts and communications representatives.

ImageMagick – Shell injection via PDF password

insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html ImageMagick is an awesome tool to convert files. It supports some really weird old file types (often via external programs) and is trying to be as user friendly as possible, maybe a little too much

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

krebsonsecurity.com/2020/11/godaddy-employees-used-in-attacks-on-multiple-cryptocurrency-services/ Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world's largest domain name registrar, KrebsOnSecurity has learned.
