Daily NCSC-FI news followup 2020-11-21

Leaky Buddies: Cross-Component Covert Channels on Integrated CPU-GPU Systems

arxiv.org/pdf/2011.09642.pdf Integrated GPUs share some resources with the CPU and as a result, there is a potential for microarchitectural attacks from the GPU to the CPU or vice versa. We believe this type of attack, crossing the component boundary (GPU to CPU or vice versa), is novel, introducing unique challenges, but also providing the attacker with new capabilities that must be considered when we design defenses against microarchitectural attacks in these environments.

Botnets have been silently mass-scanning the internet for unsecured ENV files

www.zdnet.com/article/botnets-have-been-silently-mass-scanning-the-internet-for-unsecured-env-files/ Threat actors are looking for API tokens, passwords, and database logins usually stored in ENV files.

Abusive add-ons aren't just a Chrome and Firefox problem. Now it's Edge's turn

arstechnica.com/gadgets/2020/11/fraudulent-add-ons-infiltrate-the-official-microsoft-edge-store/ Over the past several days, people in website forums have complained of their Google searches being redirected to oksearch[.]com when they use Edge. Often, the searches use cdn77[.]org for connectivity. After discovering the redirections weren't an isolated incident, participants in this Reddit discussion winnowed the list of suspects down to five. All of them are knockoffs of legitimate add-ons. That means that while the extensions bear the names of legitimate developers, they are, in fact, imposters with no relation.

Hundreds of Facebook moderators complain: AI content moderation isn’t working and we’re paying for it

www.theregister.com/2020/11/21/hundreds_of_facebook_moderators_complained/ In an open letter to the social media giant, over 200 content moderators said that the company's technology was futile. "It is important to explain that the reason you have chosen to risk our lives is that this year Facebook tried using AI to moderate content and failed," it said.

Mount Locker ransomware now targets your TurboTax tax returns

www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/ The Mount Locker ransomware operation is gearing up for the tax season by specifically targeting TurboTax returns for encryption. Stolen data and the encrypted files are then used in a double-extortion scheme where victims are warned that their stolen files will be published on a data leak site if a ransom is not paid. When encrypting a computer, Mount Locker only encrypts files that have certain file extensions. With the latest version, the ransomware developers are now targeting the .tax, .tax2009, .tax2013, and .tax2014 file extensions associated with the TurboTax tax preparation software.

Raytheon Employee Jailed for Exporting Missile Data to China

www.infosecurity-magazine.com/news/wei-sun-jailed-for-exporting/ Chinese national Wei Sun was employed in Tucson, Arizona, as an electrical engineer with Raytheon Missiles and Defense for 10 years. In February 2020, the 49-year-old pled guilty to violating the Arms Export Control Act (AECA) by taking a company-issued laptop containing sensitive information to China during a vacation.

Exploiting dynamic rendering engines to take control of web apps

r2c.dev/blog/2020/exploiting-dynamic-rendering-engines-to-take-control-of-web-apps/ If a web page is generated dynamically on the client but needs to be properly indexed by search engines, a common approach is to catch a request from the crawler or bot, render it server-side, and output the pretty HTML with all the content. It's easy to take advantage of a dynamic rendering app when it is publicly available because it allows you to interact with the app directly and send arbitrary requests, including to local endpoints. There are some restrictions for accessing local infrastructure, but depending on the version of the dynamic rendering app, they can be bypassed.

Consul by HashiCorp: from Infoleak to RCE

lab.wallarm.com/consul-by-hashicorp-from-infoleak-to-rce/ An attacker can use public access to the system to obtain information about the infrastructure and its configuration. How to protect yourself: set the EnableLocalScriptChecks and EnableRemoteScriptChecks options to false. … Make sure Consul is on the local network and isn't exposed.

Purgalicious VBA: Macro Obfuscation With VBA Purging

www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-obfuscation-with-vba-purging.html Malicious Office documents remain a favorite technique for every type of threat actor, from red teamers to FIN groups to APTs. In this blog post, we will discuss "VBA Purging", a technique we have increasingly observed in the wild and that was first publicly documented by Didier Stevens in February 2020. We will explain how VBA purging works with Microsoft Office documents in Compound File Binary Format (CFBF), share some detection and hunting opportunities, and introduce a new tool created by Mandiant's Red Team: OfficePurge. [VBA purging] removes strings usually found in PerformanceCache that many AV engines and YARA rules depend on for detection. Once removed, attackers are able to use more standard methodologies and execute suspicious functions (i.e. CreateObject) without being detected.

Facing a cyber threat can be practised with a simulation: exercises make the right procedures second nature

www.kauppalehti.fi/uutiset/kybervaaran-kohtaamista-voi-harjoitella-simulaatiolla-harjoitusten-avulla-oikeat-toimintamallit-menevat-selkaytimeen/0ca46a3f-b23c-41f0-a192-69ade175ae19 Exercise participants have had no difficulty immersing themselves in the scenarios; both the organisation's own staff and its partners have taken action without delay. In the simulations, responsibilities, decision-making chains and roles have become clearer. Fingrid's internal exercises rotate the allocation of responsibility because, just as in real life, the key person in charge may be away from work when an incident occurs. Participants typically include management, technical experts and communications representatives.

ImageMagick – Shell injection via PDF password

insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html ImageMagick is an awesome tool to convert files. It supports some really weird old file types (often via external programs) and is trying to be as user friendly as possible, maybe a little too much.

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

krebsonsecurity.com/2020/11/godaddy-employees-used-in-attacks-on-multiple-cryptocurrency-services/ Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world's largest domain name registrar, KrebsOnSecurity has learned.
