Daily NCSC-FI news followup 2020-12-01

Introducing the protocol design principles

www.ncsc.gov.uk/blog-post/introducing-the-protocol-design-principles Systems comprise many building blocks, and protocols describe how they interact. The word protocol comes from Greek: prtos first + kolla glue’, so you could say that protocols are the glue that holds the internet together. A number of observations motivated the production of the white paper. We observe that modern systems are highly complex and heterogeneous; components can be anything from battleships to toothbrushes, or even virtual devices in remote data centres. Some components will inevitably fail or be compromised.

Critical Oracle WebLogic flaw actively exploited by DarkIRC malware

www.bleepingcomputer.com/news/security/critical-oracle-weblogic-flaw-actively-exploited-by-darkirc-malware/ A botnet known as DarkIRC is actively targeting thousands of exposed Oracle WebLogic servers in attacks designed to exploit the CVE-2020-14882 remote code execution (RCE) vulnerability fixed by Oracle two months ago. While attackers are currently targeting potentially vulnerable WebLogic servers using at least five different payloads, the most interesting is the DarkIRC malware “currently being sold on hack forums for $75.”

Wheres the package Im expecting? Watch out for shipping and delivery-related phishing emails that try to track YOUR details

blog.checkpoint.com/2020/12/01/wheres-the-package-im-expecting-watch-out-for-shipping-and-delivery-related-phishing-emails-that-try-to-track-your-details/ The CDC (The Centers for Disease Control and Prevention) classified shopping at crowded stores just before, on or after Thanksgiving on its list of higher-risk activities to avoid, and in its guidance issued ahead of the holiday weekend, it also directly suggested that consumers do more of their shopping online. Not that much encouragement has been needed. During the first 10 days of November, the traditional holiday shopping season, U.S. consumers spent $21.7 billion online a 21% increase year-over-year. And the sales momentum is just getting bigger. According to DC360 shoppers will spend $38 billion online over 2020 Thanksgiving weekend thats over double 2019s spend over the same weekend.

Update Regarding CVE-2018-13379

www.fortinet.com/blog/business-and-technology/update-regarding-cve-2018-13379 The security of our customers is our first priority. As part of our standard PSIRT process, upon an indication of an alleged vulnerability shared through responsible disclosure, Fortinet works hard to remediate those potential vulnerabilities and then communicates mitigation guidance. And, as a PSIRT team and forward-looking security vendor, we are constantly seeking ways to engage, educate, and encourage our customers to institute mitigation best practices and to patch their systems. For example, in May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 strongly recommending an upgrade and have since also issued a Customer Support Bulletin (CSB-200716-1) to highlight the need to upgrade.

IceRat evades antivirus by running PHP on Java VM

www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp User McMcbrad of the Malwaretips.com forums discovered the first IceRat samples[5][7]. The malware caught his interest due to the low detection rates on VirusTotal for most related samples. At the time of discovery only 2 to 3 engines showed a detection despite the samples being a month old. tatic analysis reveals that most components of IceRat are written in JPHP. This is a PHP implementation that runs on the Java VM. This implementation uses .phb files instead of Java .class files — a file type that, as I suspect, is not commonly supported by antivirus products.

Dox, steal, reveal. Where does your personal data end up?

securelist.com/dox-steal-reveal/99577/ The technological shift that we have been experiencing for the last few decades is astounding, not least because of its social implications. Every year the online and offline spheres have become more and more connected and are now completely intertwined, leading to online actions having real consequences in the physical realm both good and bad.. One of the most affected areas in this regard is communication and sharing of information, especially personal. Posting something on the internet is not like speaking to a select club of like-minded tech enthusiasts anymore it is more akin to shouting on a crowded square.

Advanced Persistent Threat Actors Targeting U.S. Think Tanks

us-cert.cisa.gov/ncas/alerts/aa20-336a The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy. The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.

Microsoft Defender for Identity now detects Zerologon attacks

www.bleepingcomputer.com/news/security/microsoft-defender-for-identity-now-detects-zerologon-attacks/ Microsoft has added support for Zerologon exploitation detection to Microsoft Defender for Identity to allow Security Operations teams to detect on-premises attacks attempting to abuse this critical vulnerability. Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution designed to leverage on-premises Active Directory signals to detect and analyze compromised identities, advanced threats, and malicious insider activity targeting an enrolled organization.

Threat actor leverages coin miner techniques to stay under the radar heres how to spot them

www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/ Cryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation state actor activity. They are not the most sophisticated type of threats, which also means that they are not among the most critical security issues that defenders address with urgency. Recent campaigns from the nation-state actor BISMUTH take advantage of the low-priority alerts coin miners cause to try and fly under the radar and establish persistence.

FBI warns of BEC scammers using email auto-forwarding in attacks

www.bleepingcomputer.com/news/security/fbi-warns-of-bec-scammers-using-email-auto-forwarding-in-attacks/ The FBI is warning US companies about scammers actively abusing auto-forwarding rules on web-based email clients to increase the likelihood of successful Business Email Compromise (BEC) attacks. This warning was issued through a joint Private Industry Notification (PIN) sent on November 25 and coordinated with DHS-CISA. BEC scammers are known for using social engineering, phishing, or hacking to compromise business email account with the end goal of redirecting future or pending payments to bank accounts under their control.. Also:


Electronic Medical Records Cracked Open by OpenClinic Bugs

threatpost.com/electronic-medical-records-openclinic-bugs/161722/ Four vulnerabilities have been discovered in the OpenClinic application for sharing electronic medical records. The most concerning of them would allow a remote, unauthenticated attacker to read patients personal health information (PHI) from the application. OpenClinic is an open-source health records management software; its latest version is 0.8.2, released in 2016, so the flaws remain unpatched, researchers at Bishop Fox said. The project did not immediately return Threatposts request for comment.

Docker malware is now common, so devs need to take Docker security seriously

www.zdnet.com/article/docker-malware-is-now-common-so-devs-need-to-take-docker-security-seriously/ Towards the end of 2017, there was a major shift in the malware scene. As cloud-based technologies became more popular, cybercrime gangs also began targeting Docker and Kubernetes systems. Most of these attacks followed a very simple pattern where threat actors scanned for misconfigured systems that had admin interfaces exposed online in order to take over servers and deploy cryptocurrency-mining malware.. Over the past three years, these attacks have intensified, and new malware strains and threat actors targeting Docker (and Kubernetes) are now being discovered on a regular basis.

Malicious NPM packages used to install njRAT remote access trojan

www.bleepingcomputer.com/news/microsoft/malicious-npm-packages-used-to-install-njrat-remote-access-trojan/ New malicious NPM packages have been discovered that install the njRAT remote access trojan that allows hackers to gain control over a computer. NPM is a JavaScript package manager that allows developers and users to download packages and integrate them into their projects. As NPM is an open ecosystem, anyone can upload a new package without being reviewed or scanned for malware. While this environment has led to a repository of 1 million rich and diverse packages, it also makes it easy for threat actors to upload malicious packages.

Kiristysohjelmissa käynnissä kolmas vaihe Vastaamo-tapaus poiki silti yhden hyvän asian

www.is.fi/digitoday/tietoturva/art-2000007652557.html Psykoterapiakeskus Vastaamo todisti kivullisen kouriintuntuvasti, miten suomalainen organisaatio voi kärsiä kiristäjien käsissä. Varautuminen uusiin samanlaisiin hyökkäyksiin on kuitenkin nyt käynnissä lukuisissa suomalaisissa organisaatioissa, arvioi tietoturva-asiantuntija Niko Marjomaa. Marjomaan mukaan Vastaamon jälkeen suomalaisissa organisaatioissa keskustellaan suojautumisesta uudella vimmalla. Aletaan ymmärtää, että tietoturva ei ole vain yksi tietotekniikkaosaston alueista, vaan se koskettaa kaikkia rivityöntekijästä ylimpään johtoon ja määrittää koko organisaation tulevaisuutta.

Does Tor provide more benefit or harm? New paper says it depends

arstechnica.com/gadgets/2020/11/does-tor-provide-more-benefit-or-harm-new-paper-says-it-depends/ The Tor anonymity network has generated controversy almost constantly since its inception almost two decades ago. Supporters say its a vital service for protecting online privacy and circumventing censorship, particularly in countries with poor human rights records. Critics, meanwhile, argue that Tor shields criminals distributing child-abuse images, trafficking in illegal drugs, and engaging in other illicit activities.

Xanthe – Docker aware miner

blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered an interesting campaign affecting Linux systems employing a multi-modular botnet with several ways to spread and a payload focused on providing financial benefits for the attacker by mining Monero online currency. The actor employs various methods to spread across the network, like harvesting client-side certificates for spreading to known hosts using ssh, or spreading to systems with an incorrectly configured Docker API.

Cayman Islands Bank Records Exposed in Open Azure Blob

threatpost.com/cayman-islands-bank-records-exposed-azure-blob/161729/ A Cayman Island investment firm has removed years of backups, which up until recently were easily available online thanks to a misconfigured Microsoft Azure blob. The blobs single URL led to vast stores of files including personal banking information, passport data and even online banking PINs which in addition to a security problem, presents a potential public-relations nightmare for a firm in the business of discreet, anonymous offshore financial transactions.

Suomalaisten puhelimet pirisevät tiuhaan lyö luuri korvaan tällaiselle soittajalle heti

www.is.fi/digitoday/tietoturva/art-2000007654679.html Ulkomailta Suomeen soitetut huijauspuhelut Microsoftin teknisen tuen näyttävät saaneen uutta vauhtia. Ilta-Sanomien toimituksessa ainakin neljä henkilöä allekirjoittanut mukaan lukien on saanut tiistain aikana puheluita, jotka ovat olleet joko selviä huijauksia tai ainakin epäilyttäviä. isäksi tiedossa on useampia tapauksia, joissa henkilö on saanut useita huijaussoittoja muutaman viikon sisällä.

You might be interested in …

Daily NCSC-FI news followup 2019-10-10

Pair Locking your iPhone with Configurator 2 arkadiyt.com/2019/10/07/pair-locking-your-iphone-with-configurator-2/ “In response to the recent iphone bootrom bug (and also because I was already in the market for a new phone), I recently purchased a new iPhone XR. This gave me a chance to re-run the steps required to pair lock the device, a process which prevents […]

Read More

Daily NCSC-FI news followup 2020-11-01

Nyt tuli peli, jota puolustusministeriökin hehkuttaa: “Nyt saa pelata työajalla” www.is.fi/digitoday/tietoturva/art-2000006705549.html Digiturvallinen elämä -peli ei vie paljoa aikaa, mutta sen hyödyt voivat kantaa pitkälle. US Cyber Command exposes new Russian malware www.zdnet.com/article/us-cyber-command-exposes-new-russian-malware/#ftag=RSSbaffb68 Together with CISA and the FBI, US Cyber Command wish Russian state hackers a “Happy Halloween!”. Six of the eight samples are for […]

Read More

Daily NCSC-FI news followup 2020-09-13

BLINDSIDE – A Speculative Execution Attack www.vusec.net/projects/blindside/ BlindSide allows attackers to hack blind in the Spectre era. That is, given a simple buffer overflow in the kernel and no additional info leak vulnerability, BlindSide can mount BROP-style attacks in the speculative execution domain to repeatedly probe and derandomize the kernel address space, craft arbitrary memory […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.