Daily NCSC-FI news followup 2020-11-25

Laser-Based Hacking from Afar Goes Beyond Amazon Alexa

threatpost.com/light-based-attacks-digital-home/161583/ They broadened their research to show how light can be used to manipulate a wider range of digital assistantsincluding Amazon Echo 3 but also sensing systems found in medical devices, autonomous vehicles, industrial systems and even space systems.

Live Patching Windows API Calls Using PowerShell

isc.sans.edu/diary/rss/26826 It’s amazing how attackers can be imaginative when it comes to protecting themselves and preventing security controls to do their job. Here is an example of a malicious PowerShell script that patches live a DLL function to change the way it works (read: “to make it NOT work”). This is not a new technique but it has been a while that I did not find it so, it deserves a quick review.

India blocks another 43 Chinese mobile apps, including AliExpress and TaoBao Live

www.zdnet.com/article/india-blocks-another-43-chinese-mobile-apps-including-aliexpress-and-taobao-live/ The Indian government has banned another 43 Chinese mobile apps on the grounds of national security, according to a government mandate released on Tuesday.. Among the apps banned on Tuesday were AliExpress and TaoBao Live.

Alert: Multiple actors are attempting to exploit MobileIron vulnerability CVE 2020-15505

www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability The NCSC strongly advises that organisations refer to the MobileIron guidance referenced in this alert and ensure the necessary updates are installed in affected versions. Organisations should also keep informed of any future updates to the guidance from MobileIron.

Encrypted DNS in Knot Resolver: DoT and DoH

en.blog.nic.cz/2020/11/25/encrypted-dns-in-knot-resolver-dot-and-doh/ In this post, we describe the differences between the two widespread protocols for DNS encryption: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). We compare the technical aspects of those protocols as well as their implications on user privacy. We also introduce Knot Resolvers new built-in DoH support and explain some of our design decisions behind DoH.

www.theregister.com/2020/11/25/sopra_steria_ransomware_damage_50m_euros/ In a statement issued this afternoon, [French IT oursourcing conpany] Sopra Steria said: “The remediation and differing levels of unavailability of the various systems since 21 October is expected to have a gross negative impact on the operating margin of between 40m and 50m.”. Ominously, it added: “The Group’s insurance coverage for cyber risks totals 30m.”

AWS admits to ‘severely impaired’ services in US-EAST-1, can’t even post updates to Service Health Dashboard

www.theregister.com/2020/11/25/aws_down/ At fault is the Kinesis Data Streams API in that, er, minor part of the AWS empire. The failure is also impacting a number of other services including CloudWatch, DynamoDB, Lambda and Managed Blockchain among others.. “This issue,” admitted the AWS team, “has also affected our ability to post updates to the Service Health Dashboard.”

Three arrested as INTERPOL, Group-IB and the Nigeria Police Force disrupt prolific cybercrime group

www.interpol.int/News-and-Events/News/2020/Three-arrested-as-INTERPOL-Group-IB-and-the-Nigeria-Police-Force-disrupt-prolific-cybercrime-group Three suspects have been arrested in Lagos following a joint INTERPOL, Group-IB and Nigeria Police Force cybercrime investigation. The Nigerian nationals are believed to be members of a wider organized crime group responsible for distributing malware, carrying out phishing campaigns and extensive Business Email Compromise scams.. The suspects are alleged to have developed phishing links, domains, and mass mailing campaigns in which they impersonated representatives of organizations. They then used these campaigns to disseminate 26 malware programmes, spyware and remote access tools, including AgentTesla, Loki, Azorult, Spartan and the nanocore and Remcos Remote Access Trojans. . According to Group-IB, the prolific gang is believed to have compromised government and private sector companies in more than 150 countries since 2017.

Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity

www.domaintools.com/resources/blog/current-events-to-widespread-campaigns-pivoting-from-samples-to-identify Tracking themes related to geopolitical events can be quite fruitful for discovering active campaigns likely related to state-sponsored interests. In the above example, searching for items related to the Armenia-Azerbaijan conflict in the Caucasus in late 2020 yielded a malicious document. Further analysis of this document and related infrastructure then led to the discovery of additional items . which outlined an entire campaign stretching back to 2019.. While the victims of this campaign appear geographically limited, largely focusing on Ukraine and Azerbaijan, the lessons drawn from the analysis of both the malicious documents and related network infrastructure can be used to further defense against similar types of attacks.

ZTEs Designation as Security Threat Affirmed by U.S. FCC

www.bloomberg.com/news/articles/2020-11-24/zte-corp-s-designation-as-security-threat-affirmed-by-u-s-fcc The U.S. Federal Communications Commission affirmed its decision to designate ZTE Corp. as a national security threat over concerns telecommunications gear made by the Chinese company could be used for spying.

Amazon partners with the US government to stop the sale of counterfeit goods

www.theverge.com/2020/11/24/21690164/amazon-counterfeit-goods-ipr-center-dhl-customs-border-protection-operation-fulfilled-action [from the press release] The IPR Center plays a critical role in securing the global supply-chain to protect the health and safety of the American public, said IPR Center Director Steve Francis. However, our efforts are increased with partners like Amazon to identify, interdict, and investigate individuals, companies, and criminal organizations engaging in the illegal importation of . counterfeit products. This joint operation is our latest public-private initiative bringing us one step closer to border security.

Allvarliga brister i Skolplattformen i Stockholm

www.datainspektionen.se/nyheter/allvarliga-brister-i-skolplattformen-i-stockholm/ Datainspektionen har granskat Skolplattformen, det it-system som används för bland annat elevadministration av skolor i Stockholm stad. Granskningen visar på brister i säkerheten som är så allvarliga att myndigheten utfärdar en administrativ sanktionsavgift på fyra miljoner kronor mot utbildningsnämnden i Stockholm stad.

Hacker leaks the user data of event management app Peatix

www.zdnet.com/article/hacker-leaks-the-user-data-of-event-management-app-peatix/ Most of the leaked user data belonged to persons with Asian names, which is consistent with the evolution of the Peatix startup, which first launched in Japan in 2011 and later expanded to Singapore in 2013, before opening to the US and other parts of the world.

TikTok fixes bugs allowing account takeover with one click

www.bleepingcomputer.com/news/security/tiktok-fixes-bugs-allowing-account-takeover-with-one-click/ TikTok has addressed two vulnerabilities that could have allowed attackers to take over accounts with a single click when chained together for users who signed-up via third-party apps.. Taskiran reported the account takeover attack chain to TikTok on August 26, 2020, with the company resolving the issues and awarding the bug hunter with a $3,860 bounty on September 18.

DDoS Extortionists Behaviors

www.senki.org/operators-security-toolkit/ddos-extortionist-behaviors/ There will always be a human and motivation behind every DDoS Attack. The security industry has a huge problem in combatting DDoS Attacks. People geek out on the details of the attack, the packet types, the sources, the protocols, the target, the impact, and the size of the attack. It is the equivalent of a Police Chief giving a process conference on a bank robbery and talking about the color of . the gun, the size of the gun, how many guns were used, the type of bullets in the gun with no description of the bank robbers.

TrickBot is Dead. Long Live TrickBot!

labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/ In terms of communication between victims and C&Cs, TrickBot update responses seem to have been digitally signed using bcrypt, potentially in an effort to impede future takedowns. This particular improvement ensures that each new update for TrickBot is legitimate. This particular behavior was observed for the 2000016 version, but not for the 100003 version.. The C&C servers for the 100003 version seem to involve only the use of Mikrotik routers

Cyber-attacks Reported on Three US Healthcare Providers

www.infosecurity-magazine.com/news/cyberattacks-on-three-us/ Warnings went out to patients of Advanced Urgent Care of the Florida Keys on November 6 regarding a ransomware attack that took place on March 1, 2020. . In Katonah, New York, a September 1 ransomware attack on Four Winds Hospital locked staff out of computer systems for a fortnight.. Unusually, a ransom was demanded of Galstan & Ward Family and Cosmetic Dentistry in Suwanee, Georgia, over the phone by a caller who said that the practice’s server had been infected with a computer virus.

Windows RpcEptMapper Service Insecure Registry Permissions EoP

itm4n.github.io/windows-registry-rpceptmapper-eop/ If you follow me on Twitter, you probably know that I developed my own Windows privilege escalation enumeration script – PrivescCheck – which is a sort of updated and extended version of the famous PowerUp. If you have ever run this script on Windows 7 or Windows Server 2008 R2, you probably noticed a weird recurring result and perhaps thought that it was a false positive just as I did.. Anyway, the only thing you should know is that this script actually did spot a Windows 0-day privilege escalation vulnerability. Here is the story behind this finding. News coverage e.g.

www.zdnet.com/article/security-researcher-accidentally-discloses-windows-7-and-windows-server-2008-zero-day/

You might be interested in …

Daily NCSC-FI news followup 2020-10-15

Introducing a new phishing technique for compromising Office 365 accounts o365blog.com/post/phishing/ Multiple members of QQAAZZ, a multinational cybercriminal group, were charged today in the US, Portugal, Spain, and the UK for providing money-laundering services to several high-profile malware operations including Dridex, Trickbot, and GozNym. www.bleepingcomputer.com/news/security/qqaazz-group-charged-for-laundering-money-stolen-by-malware-gangs/ U.S. Bookstore giant Barnes & Noble has disclosed that they […]

Read More

Daily NCSC-FI news followup 2020-10-30

Attacks exploiting Netlogon vulnerability (CVE-2020-1472) msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/ Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to […]

Read More

Daily NCSC-FI news followup 2020-08-25

DDoS Hide & Seek: On the Effectiveness of a Booter Services Takedown labs.ripe.net/Members/daniel_kopp/ddos-hide-and-seek In this article, we investigated booter-based DDoS attacks in the wild and the impact of an FBI takedown targeting fifteen booter websites in December 2018. We investigated and compared attack properties of multiple booter services by launching DDoS attacks against our own […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.