Daily NCSC-FI news followup 2020-11-24

TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader

www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader Following the Chinese National Day holiday in September, Proofpoint researchers observed a resumption of activity by the APT actor TA416. Historic campaigns by this actor have also been publicly attributed to Mustang Panda and RedDelta. This new activity appears to be a continuation of previously reported campaigns that have targeted entities associated with diplomatic relations between the Vatican and the Chinese Communist Party, as well as entities in Myanmar.

Smart doorbells delivering the security you expect?

www.which.co.uk/news/2020/11/the-smart-video-doorbells-letting-hackers-into-your-home/ We tested 11 different doorbells found on eBay and Amazon, many of which had scores of 5-star reviews, were recommended as Amazon's Choice, or were on the bestseller list. One was labelled as the number one bestseller in door viewers. We found vulnerabilities with every single one.

A security-labelled smart device keeps your data safe

impulssilvm.fi/2020/11/24/tietoturvamerkitty-alylaite-pitaa-tietosi-turvassa/ Few consumers, however, have any way to assess the information security of the products they are eyeing, for instance while watching for Black Friday deals. For a year now, the Tietoturvamerkki (Finnish cybersecurity label) has been offered as a way to ease this difficult consumer decision.

Imagine things are bad enough that you need a payday loan. Then imagine flaws in systems of loan lead generators leave your records in the open… for years

www.theregister.com/2020/11/24/payday_loan_lead_generators_fix/ US-based software engineer Kevin Traver contacted us after he found two large groups of short-term loan websites that were giving up sensitive personal information via separate vulnerabilities. “From there it would pre-render some information, including a form that asked you to enter the last four digits of your SSN [social security number] to continue,” Traver told us. “The SSN was rendered in a hidden input, so you could just inspect the website code and view it. On the next page you could review or update all information.”
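The flaw Traver describes, a "confirm the last four digits of your SSN" gate whose answer is pre-rendered into the page as a hidden input, is easy to reproduce and easy to avoid. The following is an added illustration, not code from The Register article or from the lead-generator sites it concerns; the lead record, field names, SSN and the attempt limit are constructed for the example. It shows the leaky form beside a hardened one, the view-source check an attacker would run, and a server-side verifier that compares in constant time and caps guesses per lead (a four-digit secret has only 10,000 values, so the server check alone is not enough).

```python
"""Added illustration of the hidden-input SSN leak quoted above.
Not code from the article or from the sites it describes; the record,
field names, SSN and MAX_ATTEMPTS below are constructed for the example."""
import hmac
import html
import re

# Constructed sample lead record (fictional data).
LEAD_RECORD = {"lead_id": "L-0001", "first_name": "Pat", "ssn": "123-45-6789"}

# Matches a hidden input named ssn_last4 within a single <input ...> tag.
HIDDEN_RE = re.compile(
    r'<input[^>]*type="hidden"[^>]*name="ssn_last4"[^>]*value="([^"]*)"'
)

MAX_ATTEMPTS = 5  # assumed budget: a 4-digit secret has only 10,000 values


def render_vulnerable(record):
    """The pattern Traver describes: the digits the visitor is asked to type
    are also pre-rendered into the form as a hidden field, so anyone who can
    load the page can read them with view-source."""
    last4 = record["ssn"][-4:]
    return (
        '<form method="post">'
        f'<input type="hidden" name="lead_id" value="{html.escape(record["lead_id"])}">'
        f'<input type="hidden" name="ssn_last4" value="{last4}">'
        '<input type="text" name="entered_last4" maxlength="4">'
        '<button>Continue</button></form>'
    )


def render_hardened(record):
    """Only a non-secret lookup key goes to the client; the digits stay on the server."""
    return (
        '<form method="post">'
        f'<input type="hidden" name="lead_id" value="{html.escape(record["lead_id"])}">'
        '<input type="text" name="entered_last4" maxlength="4">'
        '<button>Continue</button></form>'
    )


def leaked_last4(page_html):
    """What an attacker does: inspect the HTML. Returns the hidden value, or None."""
    m = HIDDEN_RE.search(page_html)
    return m.group(1) if m else None


def verify_last4(records, lead_id, entered, attempts):
    """Server-side check for the hardened form.

    records:  lead_id -> record, held on the server only
    attempts: lead_id -> failed-guess counter, persisted per lead (not per
              session) so clearing cookies does not reset it
    Returns True only for a correct guess within the attempt budget."""
    record = records.get(lead_id)
    if record is None:
        return False
    if attempts.get(lead_id, 0) >= MAX_ATTEMPTS:
        return False  # locked: too many wrong guesses for this lead
    expected = record["ssn"][-4:].encode()
    supplied = entered.strip().encode()
    # compare_digest returns False (no exception) on length mismatch
    if hmac.compare_digest(expected, supplied):
        attempts.pop(lead_id, None)
        return True
    attempts[lead_id] = attempts.get(lead_id, 0) + 1
    return False


if __name__ == "__main__":
    print("vulnerable page leaks:", leaked_last4(render_vulnerable(LEAD_RECORD)))
    print("hardened page leaks:", leaked_last4(render_hardened(LEAD_RECORD)))
    db = {LEAD_RECORD["lead_id"]: LEAD_RECORD}
    print("server verify 6789:", verify_last4(db, "L-0001", "6789", {}))
```

The check to run against any such flow is the one `leaked_last4` performs: load the page unauthenticated and search the source for the value you are about to be asked for. If it is there, the "verification" step is decorative.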

LightBot: TrickBot's new reconnaissance malware for high-value targets

www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/ Dubbed LightBot by Advanced Intel’s Vitali Kremez, this PowerShell script is a lightweight reconnaissance tool that gathers information about a victim’s network to determine if they are high-value and should be targeted in further attacks.

Verizon Cyber Espionage Report

enterprise.verizon.com/resources/reports/2020-2021-cyber-espionage-report.pdf This data-driven report draws from seven years of Data Breach Investigations Report (DBIR) content as well as more than 14 years of Verizon Threat Research Advisory Center (VTRAC) Cyber-Espionage data breach response expertise. The CER serves as a guide for cybersecurity professionals looking to bolster their organizations' cyberdefense posture and incident response (IR) capabilities against Cyber-Espionage attacks.

2021 Data risk report – financial services

info.varonis.com/hubfs/docs/research_reports/2021-Financial-Data-Risk-Report.pdf Key findings: every employee has access to nearly 11 million files; nearly two-thirds of companies have 1,000+ sensitive files open to every employee; about 60% of companies have 500+ passwords that never expire.

Censored Planet: An Internet-wide, Longitudinal Censorship Observatory

censoredplanet.org/censoredplanet This post highlights findings from our recent ACM CCS 2020 paper Censored Planet: An Internet-wide, Longitudinal Censorship Observatory, where we analyze 20 months' worth of remote censorship measurement data collected in 220 countries. Censored Planet finds evidence of increasing censorship in over 100 countries. Using time series analysis techniques, Censored Planet reports 15 key censorship events over 20 months, 10 of which were previously not reported, including in reportedly free countries. Alarmingly, in many of these events, news websites and social media domains are increasingly blocked. Paper at dl.acm.org/doi/pdf/10.1145/3372297.3417883

Election Cyber Threats in the Asia-Pacific Region

www.fireeye.com/blog/threat-research/2020/11/election-cyber-threats-in-the-asia-pacific-region.html Mandiant Threat Intelligence tracked numerous elections-related incidents in the Asia-Pacific region in recent years. During this time, the most prolific regional actor was China, which we observed in more than 20 elections-related campaigns most frequently affecting Hong Kong and Taiwan. We believe that China’s primary motives for elections targeting include monitoring political developments, internal stability, and supporting Belt and Road Initiative (BRI) investments.


blogs.akamai.com/sitr/2020/11/wordpress-malware-setting-up-seo-shops.html While recently looking over my honeypots, I discovered an infection where a malicious actor added a storefront on top of my existing WordPress installation. … My honeypot infection, as far as I could tell, was hosting more than 7,000 e-Commerce websites.

Beware of WAPDropper, the mobile malware that subscribes users to Premium Rate Services

blog.checkpoint.com/2020/11/24/beware-of-wapdropper-the-mobile-malware-that-subscribes-users-to-premium-rate-services/ WAPDropper consists of two different modules: the dropper module, which is responsible for downloading the 2nd stage malware, and a premium dialer module that subscribes victims to premium services offered by legitimate sources; in this case, telecommunications service providers in two Southeast Asian countries, Thailand and Malaysia.

Telcos face £100k-a-day fines unless they obey new UK.gov rules on how to deploy Huawei 5G gear in their networks

www.theregister.com/2020/11/24/telecommunications_security_bill/ A new law being laid in Parliament today will allow the government to write binding security rules that shut so-called “high risk” vendors’ equipment out of parts of networks and could even dictate how their existing equipment can be used within telcos’ networks.

Warning: Banned Baidu Apps Exposed Sensitive Data On Up To 1.4 Billion Android Phones

www.forbes.com/sites/thomasbrewster/2020/11/24/warning-banned-baidu-apps-exposed-sensitive-data-on-up-to-14-billion-android-phones/ The two apps – Baidu Maps and the Baidu App – were thrown out of the Google Play store late last month, as Google thanked researchers for disclosing privacy issues in the software. Baidu App is back online after being updated, whilst Baidu Maps remains offline. The [Unit42] researchers found that a Baidu software development kit (SDK) called Push in the apps was sending sensitive user data to a Chinese server. The information included phone model, IMSI number and MAC address.

www.wired.co.uk/article/ransomware-hospital-death-germany After a detailed investigation involving consultations with medical professionals, an autopsy, and a minute-by-minute breakdown of events, Hartmann believes that the severity of the victim's medical diagnosis at the time she was picked up was such that she would have died regardless of which hospital she had been admitted to. The delay was of no relevance to the final outcome, Hartmann [from the public prosecutor’s office] says. The medical condition was the sole cause of the death, and this is entirely independent from the cyberattack. He likens it to hitting a dead body while driving: while you might be breaking the speed limit, you're not responsible for the death. Local reports have suggested that this attack was misdirected, largely because the ransom note from the hackers on the hospital servers was directed to the affiliated Heinrich Heine University rather than the hospital. The hackers, perhaps in recognition of their mistake, even presented the encryption key to police when they were informed they'd hit the hospital, but this is possibly all part of an elaborate PR stunt, Hartmann warns.

Spoofed FBI Internet Domains Pose Cyber and Disinformation Risks

www.ic3.gov/Media/Y2020/PSA201123 The Federal Bureau of Investigation (FBI) is issuing this announcement to help the public recognize and avoid spoofed FBI-related Internet domains. The FBI observed unattributed cyber actors registering numerous domains spoofing legitimate FBI websites, indicating the potential for future operational activity. The FBI’s main official website is www.fbi.gov.

Australia's spy agencies caught collecting COVID-19 app data

techcrunch.com/2020/11/24/australia-spy-agencies-covid-19-app-data/ The report, published Monday by the Australian government's inspector general for the intelligence community, which oversees the government's spy and eavesdropping agencies, said the app data was scooped up in the course of the lawful collection of other data. But the watchdog said that there was no evidence that any agency decrypted, accessed or used any COVID app data.
