Daily NCSC-FI news followup 2020-11-30

German users targeted with Gootkit banker or REvil ransomware

blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/ On November 23, we received an alert from a partner about a resurgence of Gootkit infections in Germany. Gootkit is a very capable banking Trojan that has been around since 2014 and possesses a number of functionalities such as keystroke or video recording designed to steal financially-related information. In this latest campaign, threat actors are relying on compromised websites to socially engineer users by using a decoy forum template instructing them to download a malicious file. While analyzing the complex malware loader we made a surprising discovery. Victims receive Gootkit itself or, in some cases, the REvil (Sodinokibi) ransomware.

Credit card skimmer fills fake PayPal forms with stolen order info

www.bleepingcomputer.com/news/security/credit-card-skimmer-fills-fake-paypal-forms-with-stolen-order-info/ A newly discovered credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores. Payment card skimmers are JavaScript-based scripts that cybercrime gangs known as Magecart groups inject within the checkout pages of e-commerce sites after hacking them as part of web skimming (also known as e-skimming) attacks.. The attackers’ end goal is to harvest the payment and personal information submitted by the hacked stores’ customers and to send it to remote servers under their control.

Single Sign-On Security: Security Analysis of real-life OpenID Connect Implementations

web-in-security.blogspot.com/2020/11/single-sign-on-security-security.html This post outlines the lessons learned during the research on the security of real-life OpenID Connect implementations that were roughly performed between April and October 2020. We presume basic knowledge of OpenID Connect 1.0 and OAuth 2.0 for this post. First, we describe the attacker models that will be applied in this post. Afterward, we outline a high-level overview of the selection criteria for real-life OpenID Connect implementations. Furthermore, we describe patterns that were regularly observed during the analysis of real-life OpenID Connect Service Provider and Identity Provider implementations

DNS data mining case study – skidmap

blog.netlab.360.com/security-with-dns-data_en/ As the foundation and core protocol of the Internet, the DNS protocol carries data that, to a certain extent, reflects a good deal of the user behaviors, thus security analysis of DNS data can cover a decent amount of the malicious activities. In the early days, typical scenarios for early security practices using DNS data include DGA and fastflux. Although the specific methods for detecting these two types of malicious behavior vary, the core of the detection is still based on pure DNS data.

Chaos Engineering: Building the Next Generation of Cyber Ranges

securityintelligence.com/posts/chaos-engineering-building-next-generation-cyber-ranges/ In one of our past posts on the same subject, we discussed how to apply chaos engineering principles to cyber war-games and team simulation exercises in broad brush strokes. In short, chaos engineering is the discipline of working and experimenting with new features and changes on a system thats already in live production. The purpose is, among others, to test the systems ability to implement changes and remain resilient.

Shadows From the Past Threaten Italian Enterprises

yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ The modern cyber threat landscape hides nasty surprises for companies, especially for the most structured and complex companies. Many times, threat actors develop very dangerous and effective techniques using tools and technologies in a smart, unattended way. This is the case of a particular cyber criminal group operating cyber intrusion against one of the most targeted and cyber-mature industry sectors: the Banking sector.

MacOS Users Targeted By OceanLotus Backdoor

threatpost.com/macos-users-targeted-oceanlotus-backdoor/161655/ A macOS backdoor variant has been uncovered that relies of multi-stage payloads and various updated anti-detection techniques. Researchers linked it to the OceanLotus advanced persistent threat (APT) group. The Vietnam-backed OceanLotus (also known as APT 32) has been around since at least 2013, and previously launched targeted attacks against media, research and construction companies. Researchers said that in this case the attackers behind the malware variant appear to be hitting users from Vietnam, because the name of the lure document from the campaign is in Vietnamese.. Also:


Four years after the Dyn DDoS attack, critical DNS dependencies have only gone up

www.zdnet.com/article/four-years-after-the-dyn-ddos-attack-critical-dns-dependencies-have-only-gone-up/ In 2016, Dyn, a provider of managed DNS servers, was the victim of a massive DDoS attack that crippled the company’s operations and took down domain-name-resolving operations for more than 175,000 websites. While some sites managed to stay up by activating a redundancy and switching DNS resolving to secondary servers, many websites were not prepared and remained down for almost a day as Dyn dealt with the attack.. Four years later, a team of academics from Carnegie Mellon University have conducted a large-scale study of the top 100,000 websites on the internet to see how website operators reacted to this attack and how many are still operating with one single DNS provider and no other backup.. Academic paper:


Whac-A-Mole: Six Years of DNS Spoofing

arxiv.org/abs/2011.12978 DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already . DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins. In this paper, we describe methods to identify DNS spoofing, infer the mechanism being used, and identify organizations that spoof from historical data.. Our methods detect overt spoofing and some covertly-delayed answers, although a very diligent adversarial spoofer can hide. We use these methods to study more than six years of data about root DNS servers from thousands of vantage points.

You might be interested in …

Daily NCSC-FI news followup 2020-04-22

Google Sees State-Sponsored Hackers Ramping Up Coronavirus Attacks www.wired.com/story/google-state-sponsored-hackers-coronavirus-phishing-malware/ More than 12 government-backed groups are using the pandemic as cover for digital reconnaissance and espionage, according to a new report. Report: blog.google/technology/safety-security/threat-analysis-group/findings-covid-19-and-online-security-threats/ Chinese Agents Helped Spread Messages That Sowed Virus Panic in U.S., Officials Say www.nytimes.com/2020/04/22/us/politics/coronavirus-china-disinformation.html American officials were alarmed by fake text messages and […]

Read More

Daily NCSC-FI news followup 2020-12-31

Adobe Flash Player is officially dead tomorrow www.bleepingcomputer.com/news/security/adobe-flash-player-is-officially-dead-tomorrow/ Flash Player will reach its end of life (EOL) on January 1, 2021, after always being a security risk to those who have used it over the years. Lisäksi www.bleepingcomputer.com/news/software/adobe-now-shows-alerts-in-windows-10-to-uninstall-flash-player/ What’s Next for Ransomware in 2021? threatpost.com/ransomware-getting-ahead-inevitable-attack/162655/ Ransomware response demands a whole-of-business plan before the next attack, […]

Read More

Daily NCSC-FI news followup 2019-11-19

Why Were the Russians So Set Against This Hacker Being Extradited? krebsonsecurity.com/2019/11/why-were-the-russians-so-set-against-this-hacker-being-extradited/ The Russian government has for the past four years been fighting to keep 29-year-old alleged cybercriminal Alexei Burkov from being extradited by Israel to the United States.. When Israeli authorities turned down requests to send him back to Russia supposedly to face separate […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.