Daily NCSC-FI news followup 2020-12-03

Widespread android applications still exposed to vulnerability on google play core library

blog.checkpoint.com/2020/12/03/widespread-android-applications-still-exposed-to-vulnerability-on-google-play-core-library/ A new vulnerability in the Google Play Core Library was published in late August and assigned CVE-2020-8913. It allows Local Code Execution (LCE) within the scope of any application that bundles the vulnerable version of the Google Play Core Library. Code execution is an attacker's ability to execute arbitrary commands or code. The Play Core Library is the app's runtime interface with the Google Play Store.

TrickBot’s new module aims to infect your UEFI firmware

www.bleepingcomputer.com/news/security/trickbots-new-module-aims-to-infect-your-uefi-firmware/ TrickBot malware developers have created a new module that probes for UEFI vulnerabilities, demonstrating the actors' effort to take attacks to a level that would give them ultimate control over infected machines. With access to UEFI firmware, a threat actor could establish persistence on the compromised machine that survives operating system reinstalls or replacement of storage drives. Malicious code planted in the firmware (a bootkit) is invisible to security solutions running on top of the operating system because it loads before everything else, in the initial stage of a computer's boot sequence. Also:

thehackernews.com/2020/12/trickbot-malware-gets-uefibios-bootkit.html

threatpost.com/trickbot-returns-bootkit-functions/161873/

www.zdnet.com/article/new-trickbot-version-can-tamper-with-uefibios-firmware/

Another LILIN DVR 0-day being used to spread Mirai

blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ In March, we reported that multiple botnets, including Chalubo, Fbot and Moobot, were using the same 0-day vulnerability to attack LILIN DVR devices; the vendor soon fixed the vulnerability. On August 26, 2020, our Anglerfish honeypot detected that another new LILIN DVR/NVR 0-day, paired with the system default credential operxxxx:xxxxx (masked for security reasons), was being used to spread Mirai samples. On September 21, 2020, we reported the finding to the Merit LILIN contact; the vendor fixed the vulnerability overnight and also provided us with firmware fix version 4.0.26.5618.

Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot

www.recordedfuture.com/egregor-ransomware-attacks/ Egregor ransomware is a complex piece of malware that appears to be associated with the operators of QakBot. The ransomware has been used against organizations across many industries since its debut in September 2020 and is likely to continue to present a threat to organizations in the future. Unlike most ransomware variants, Egregor's payload cannot be executed or fully decrypted without the correct cryptographic key being provided to the malware at runtime, which renders static or dynamic analysis impossible.

What did DeathStalker hide between two ferns?

securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/ DeathStalker is a threat actor that has been active since at least 2012; we exposed most of its past activities in a previous article, as well as during a GReAT Ideas conference in August 2020. The actor caught our attention in 2018 because of distinctive attack characteristics that did not fit the usual cybercrime or state-sponsored activities, leading us to believe that DeathStalker is a hack-for-hire company. DeathStalker has leveraged several malware strains and delivery chains over the years, from the Python- and VisualBasic-based Janicab to the PowerShell-based Powersing, by way of the JavaScript-based Evilnum.

IBM Uncovers Global Phishing Campaign Targeting the COVID-19 Vaccine Cold Chain

securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/ At the onset of the COVID-19 pandemic, IBM Security X-Force created a threat intelligence task force dedicated to tracking down COVID-19 cyber threats against organizations that are keeping the vaccine supply chain moving. As part of these efforts, our team recently uncovered a global phishing campaign targeting organizations associated with a COVID-19 cold chain. The cold chain is a component of the vaccine supply chain that ensures the safe preservation of vaccines in temperature-controlled environments during their storage and transportation.

The NCSC Annual Review 2020

www.ncsc.gov.uk/news/annual-review-2020 Since the National Cyber Security Centre (NCSC) was created in 2016 as part of the government's five-year National Cyber Security Strategy, it has worked to make the UK the safest place to live and work online. This Annual Review of its fourth year looks back at some of the key developments and highlights from the NCSC's work between 1st September 2019 and 31st August 2020.

Clop Gang Makes Off with 2M Credit Cards from E-Land

threatpost.com/clop-gang-2m-credit-cards-eland/161833/ The Clop ransomware group is at it again. On Thursday, the gang claimed that it stole 2 million credit cards from South Korean retailer E-Land over a one-year period, in a campaign that culminated in a ransomware attack on the company's headquarters in November. Operators of Clop ransomware reportedly said that they were responsible for the November attack that forced E-Land, a subsidiary of E-Land Global, to shut down 23 of its New Core and NC Department Store locations.

Kmart nationwide retailer suffers a ransomware attack

www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/ US department store Kmart has suffered a ransomware attack that impacts back-end services at the company, BleepingComputer has learned. Sears Holding Corp originally owned both Kmart and Sears, but after the company filed for bankruptcy in 2018, it was purchased by Transform Holdco LLC (Transformco) in 2019. While Kmart has been a household name in the USA, its store count has dwindled over the past two years to only 34 remaining locations.

Data of 243 million Brazilians exposed online via website source code

www.zdnet.com/article/data-of-243-million-brazilians-exposed-online-via-website-source-code/ The personal information of more than 243 million Brazilians, both living and deceased, has been exposed online after web developers left the password for a crucial government database inside the source code of an official Brazilian Ministry of Health website for at least six months. The security snafu was discovered by reporters from the Brazilian newspaper Estadao, the same newspaper that last week discovered that a Sao Paulo hospital had leaked personal and health information for more than 16 million Brazilian COVID-19 patients after an employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems to GitHub.

This is how the missed-call scam works: losses can run into hundreds of euros

www.is.fi/digitoday/tietoturva/art-2000007658755.html Finns are receiving at least two kinds of scam calls. Some are technical support scams, in which the recipient is tricked into letting the caller onto their computer via a remote connection. Others are wangiri, or missed-call, scams, which rely on the phone ringing only briefly in the hope that the person calls back, which turns out to be expensive. "Wangiri missed calls, i.e. callback scams, were a big problem in the spring; now we have gone several months with only isolated [daily] reports," says Ville Kontinen, information security specialist at Traficom's National Cyber Security Centre.

Researchers Bypass Next-Generation Endpoint Protection

www.darkreading.com/endpoint/researchers-bypass-next-generation-endpoint-protection/d/d-id/1339593 Just because your endpoint security product employs machine learning (ML) doesn't mean it can't be manipulated into missing malware, new research shows. A pair of researchers will demonstrate at Black Hat Europe next week how they were able to bypass ML-based, next-generation anti-malware products. Unlike previous research that reverse-engineered the next-generation endpoint tool (such as Skylight's bypass of Cylance's endpoint product in 2018), the researchers were instead able to fool the so-called static analysis malware classifiers used in some next-gen anti-malware products without reverse engineering them.

Heightened Awareness for Iranian Cyber Activity

us-cert.cisa.gov/ncas/current-activity/2020/12/03/heightened-awareness-iranian-cyber-activity Iranian cyber threat actors have been continuously improving their offensive cyber capabilities. They continue to engage in more conventional offensive cyber activities, ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), to more advanced activities, including social media-driven influence operations, destructive malware, and, potentially, cyber-enabled kinetic attacks.

Have you received a notification about a package you didn't know you had ordered? So have thousands of others, because it is now the season for SMS scams

yle.fi/uutiset/3-11679223 Traficom estimates that the contact details of the people targeted by the scam messages may have been obtained through old data breaches. Thousands of Finns have received scam text messages in recent days, estimates information security specialist Ville Kontinen of the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom. Since Tuesday, Traficom has received a good 40 reports of scam messages. "Because only a limited number of people report to us, a cautious estimate is that there are thousands of recipients in Finland," Kontinen sums up.
