Daily NCSC-FI news followup 2020-12-10

Ransomware forces hosting provider Netgain to take down data centers

www.bleepingcomputer.com/news/security/ransomware-forces-hosting-provider-netgain-to-take-down-data-centers/ Netgain offers hosting and cloud IT solutions, including managed IT services and desktop-as-a-service environments, to companies in the healthcare and accounting industry. According to [a customer], thousands of Netgain servers were affected by the ransomware attack, and Netgain is working around the clock trying to get their servers back online. Unfortunately, there is still no ETA for when these servers will come back online.

SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks

www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html While tracking the activities of the SideWinder group, which has become infamous for targeting the South Asia region and its surrounding countries, we identified a server used to deliver a malicious LNK file and host multiple credential phishing pages. We learned that these pages were copied from their victims' webmail login pages and subsequently modified for phishing. We believe further activities are propagated via spear-phishing attacks.

Attack Activities by Quasar Family

blogs.jpcert.or.jp/en/2020/12/quasar-family.html Quasar [1] is an open source RAT (Remote Administration Tool) with a variety of functions. It is easy to use and is therefore exploited by several APT actors. JPCERT/CC has confirmed that a group called APT10 used this tool in some targeted attacks against Japanese organisations. As Quasar's source code is publicly available, there are many variants of this RAT seen in the wild (referred to as the Quasar Family hereafter). Some of them have been used in attacks against Japanese organisations, and they are seen as a threat just as Quasar itself is.

APT Group Targeting Governmental Agencies in East Asia

decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ This summer, Avast discovered a new APT campaign targeting government agencies and a National Data Center of Mongolia. We consider with moderate confidence, based on our research, that the Chinese-speaking APT group LuckyMouse is behind the attack.

Report: Massive Instagram Click Farm Uncovered

www.vpnmentor.com/blog/report-instagram-scam/ […] we believe that the people (or person) behind this click farm instead created a highly automated process for managing 10,000s of proxy Instagram profiles based in countries worldwide, without needing much individual human input.

Ransomware attacks target backup systems, compromising the company insurance policy

www.scmagazine.com/home/security-news/ransomware/ransomware-attacks-target-backup-systems-compromising-the-company-insurance-policy/ The attackers, as he discovered, had deleted their clients' backup images and activated ransomware in servers, playing a very thorough long game. "In at least one case, malicious software had been sitting out there for six months and they put a key logger in place," he said. "They targeted arrays first and then went in and attacked."

Microsoft O365 Fails to Block Spoofed Emails Sent from Microsoft.com

ironscales.com/blog/Microsoft-O365-Fails-to-Block-Spoofed-Emails/ The 200 million Microsoft Office 365 (O365) users worldwide are now being targeted by a new global spear-phishing attack spoofing Microsoft.com. Two weeks ago, IRONSCALES researchers first identified what we can now confirm to be a well-coordinated email spoofing campaign targeting O365 users, particularly within the financial services, healthcare, insurance, manufacturing, utilities, and telecom industries, among others. Our research found that Microsoft servers are not currently enforcing the DMARC protocol, meaning these exact-domain spoofing messages are not being rejected by gateway controls such as Office 365 EOP and ATP. This is especially perplexing when considering that Microsoft frequently ranks as a top 5 most spoofed brand year after year.
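The item above turns on what "enforcing DMARC" means at a receiving gateway: for an exact-domain spoof, SPF may well pass for the attacker's own envelope domain, but it is not aligned with the From header domain, so the published policy (p=reject) should be applied. The following Python is an added example, not code from IRONSCALES or Microsoft, that performs the RFC 7489 alignment and policy selection a gateway must do. The DMARC record and the message data are constructed (they are not microsoft.com's real DNS data), and the organizational-domain helper is a deliberate simplification (last two labels) in place of a Public Suffix List lookup.

```python
"""Evaluate the DMARC disposition of a message from its SPF/DKIM results.

Added example, not from the IRONSCALES post. Records and messages are
constructed; org_domain() is a last-two-labels simplification, not the PSL.
"""
from dataclasses import dataclass


@dataclass
class AuthResults:
    header_from: str   # domain of the RFC5322.From header (what the user sees)
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the verified DKIM signature ("" if none)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs, applying RFC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels, not the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def dmarc_disposition(record: str, r: AuthResults, org_fallback: bool = False) -> str:
    """Return 'pass', or the policy ('none'/'quarantine'/'reject') the receiver
    should apply. org_fallback=True means the record was found at the
    organizational domain because the From domain had none, so sp= applies."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.header_from, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    if org_fallback and "sp" in tags:
        return tags["sp"]
    return tags["p"]


# Constructed record and messages (not microsoft.com's real DNS data).
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s"

# Exact-domain spoof: the attacker's own envelope domain passes SPF, but the
# From header says microsoft.com, so nothing is aligned.
SPOOFED = AuthResults("microsoft.com", "pass", "attacker.example", "none", "")
# Legitimate mail: SPF and DKIM both pass for the exact From domain.
LEGIT = AuthResults("microsoft.com", "pass", "microsoft.com", "pass", "microsoft.com")

if __name__ == "__main__":
    print("spoofed :", dmarc_disposition(DMARC_RECORD, SPOOFED))   # reject
    print("legit   :", dmarc_disposition(DMARC_RECORD, LEGIT))     # pass
```

The point the article makes is the last step: a gateway that computes "reject" for the spoofed message and still delivers it is not enforcing the sender's policy. The pct= tag (sampling) is intentionally left to the caller here, and a production implementation would use the Public Suffix List for the organizational domain.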

Trump Signs IoT Security Bill into Law

www.darkreading.com/endpoint/trump-signs-iot-security-bill-into-law/d/d-id/1339636 The new law, the Internet of Things Cybersecurity Improvement Act of 2020, requires the creation of security standards and guidelines for IoT devices used in and purchased by the federal government, and encompasses issues such as secure development, identity management, patching processes, and configuration management. It also calls for guidelines for reporting and handling security vulnerabilities in IoT devices in government networks, as well as in those of federal contractors that provide IT systems that include IoT devices.

Combating the virtual and physical threats banks face

www.helpnetsecurity.com/2020/12/08/physical-threats-banks-face/ The banking sector has perhaps the most to gain from full red teaming exercises. These should be no-holds-barred events that allow the red team operatives to simulate all possible scenarios, including advanced social engineering and the infiltration of branches and attacks on infrastructure such as ATMs, alongside purely digital attacks.

Digging Deeper on Vulnerability Management: Why Do Some Industries Fare Better Than Others?

www.kennasecurity.com/blog/vulnerability-management-industry-comparison/ Each of these industries has different challenges and operates in different IT contexts. It's not surprising, then, that we see that par is different for each vertical. For those responsible for vulnerability management in their organizations, what counts as an average or really good job depends. One thing that doesn't change across verticals is remediation capacity. The typical organization can only close one out of every ten vulnerabilities on their systems. Just around 5 percent of vulnerabilities end up being exploited. The challenge is knowing which ones.

Attackers Know Microsoft 365 Better Than You Do

www.darkreading.com/cloud/attackers-know-microsoft-365-better-than-you-do/a/d-id/1339404 In 2019, 85% of all incident response investigations conducted by the Kudelski Security Incident Response team started with a compromised Office 365 account. While reviewing the results of those investigations, one thing quickly became apparent: Attackers know the productivity suite better than most IT administrators and defenders.

Gift Card Scams Explode in Upcoming Holiday Shopping Season

bolster.ai/blog/gift-card-scams-explode-in-upcoming-holiday-shopping-season/ Gift cards are one of the most popular gifting options for the holidays, especially as e-gift cards are now available from most major retailers including Amazon, Target and Best Buy. Research firm Technavio forecasts a 13% compound annual growth rate for gift cards, driven by, among other things, the growth of e-commerce, which has exploded during the pandemic. Cyber criminals have taken notice and are launching specific online campaigns targeting gift cards.

Persistent parasite in EOL Magento 2 stores wakes at Black Friday

sansec.io/research/magento-2-persistent-parasite Over the last months, hackers have quietly added a subtle security flaw to over 50 large online stores, only to exploit them right before Black Friday, Sansec research shows. The flaw's presence would ensure future access for the attackers, even if their primary operation was blown. Sansec has been tracking this developing campaign since April this year, and found numerous stealthy tactics to dodge detection.

New cyberattack can trick scientists into making toxins or viruses — Ben-Gurion University researchers

www.eurekalert.org/pub_releases/2020-11/aabu-ncc112820.php According to a new paper just published in Nature Biotechnology, it is currently believed that a criminal needs to have physical contact with a dangerous substance to produce and deliver it. However, malware could easily replace a short sub-string of the DNA on a bioengineer’s computer so that they unintentionally create a toxin producing sequence.

Mexican authorities struggle to keep up as cartels embrace crypto

i-aml.com/news/mexican-authorities-struggle-to-keep-up-as-cartels-embrace-crypto/ Rolando Rosas, the head of the Mexican attorney general's office's Cyber Investigations Unit, told Reuters law enforcement lacks the resources needed to tackle cryptocurrency-fueled money laundering. He said the unit has 120 staff, about a quarter of what is required, and it struggled to keep up with the 1,033 Bitcoin threshold alerts that were triggered on registered trading platforms this year.

South Korea kills ActiveX-based government digital certificate service

South Korea on Thursday shuttered a government-run digital certificate service that required the use of Microsoft's ancient ActiveX technology. South Korea knew it had an ActiveX problem way back in 2015, because even then the need to use ActiveX to do business on local websites irked outsiders.

More than 20,000 arrests in year-long global crackdown on phone and Internet scams

www.interpol.int/News-and-Events/News/2020/More-than-20-000-arrests-in-year-long-global-crackdown-on-phone-and-Internet-scams A three-month enforcement phase (1 September to 30 November 2019) saw 35 countries participate in a coordinated crackdown on organized crime groups engaged in various types of telecommunications and social engineering scams. Other types of fraud exposed in the operation include business e-mail compromise, romance scams and smishing, where standard messaging service (SMS) messages are sent to coerce a victim into divulging personal information that can subsequently be used fraudulently. The results underscored the transnational nature of many telephone and online scams, where perpetrators often operate from a different country or even continent than their victims.

Adobe to block Flash content from running on January 12, 2021

www.zdnet.com/article/adobe-to-block-flash-content-from-running-on-january-12-2021/ “In the latest Flash Player update released yesterday, we updated our uninstall prompt language and functionality to encourage people to uninstall Flash Player before the end of life and to help make users aware that beginning January 12, 2021, Adobe will block Flash content from running,” an Adobe spokesperson told ZDNet.

CentOS Is Dead, Long Live CentOS

hackaday.com/2020/12/09/centos-is-dead-long-live-centos/ On Tuesday, December 8th, Red Hat and CentOS announced the end of CentOS 8. To be specific, CentOS 8 will reach end of life at the end of 2021, 8 years ahead of schedule. In the comments on the CentOS announcement, Gregory Kurtzer asked for users and developers interested in a reboot to check in on one of his Slack channels. Within 8 hours, over 250 of us showed up, wanting to make a CentOS replacement happen. I've talked directly with Gregory, and can confirm that a new community rebuild of RHEL is happening under the name Rocky Linux, in honor of another CentOS co-founder who has passed away. The plan is to support a direct transition path from CentOS to Rocky Linux.

MoleRats APT Returns with Espionage Play Using Facebook, Dropbox

threatpost.com/molerats-apt-espionage-facebook-dropbox/162162/ The MoleRats advanced persistent threat (APT) has developed two new backdoors, both of which allow the attackers to execute arbitrary code and exfiltrate sensitive data, researchers said. They were discovered as part of a recent campaign that uses Dropbox, Facebook, Google Docs and Simplenote for command-and-control (C2) communications.

Spotify resets passwords after a security bug exposed users private account information

techcrunch.com/2020/12/10/spotify-resets-user-passwords-after-a-bug-exposed-private-account-information/ Spotify said it has reset an undisclosed number of user passwords after blaming a software vulnerability in its systems for exposing private account information to its business partners.

PLEASE_READ_ME Ransomware Attacks 85K MySQL Servers

threatpost.com/please_read_me-ransomware-mysql-servers/162136/ Researchers are warning of an active ransomware campaign that's targeting MySQL database servers. The ransomware, called PLEASE_READ_ME, has thus far breached at least 85,000 servers worldwide and has posted at least 250,000 stolen databases on a website for sale.

Romania to host the EU’s new cybersecurity research hub

www.zdnet.com/article/romania-to-host-the-eus-new-cybersecurity-research-hub/ Named the European Cybersecurity Industrial, Technology and Research Competence Centre, or the ECCC, the new hub is set to start operating next year.

CVE-2020-17049: Kerberos Bronze Bit Attack Practical Exploitation

blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/ This post reviews how the Kerberos Bronze Bit vulnerability (CVE-2020-17049) can be exploited in practice. I strongly suggest first reading the Bronze Bit Attack in Theory post to understand why and how this attack works. Theory:


Qakbot Upgrades To Stealthier Persistence Method

www.binarydefense.com/qakbot-upgrades-to-stealthier-persistence-method/ […] a more stealthy and interesting persistence mechanism that listens for System Shutdown messages, along with PowerBroadcast Suspend/Resume messages. If it detects a shutdown or a system suspend (sleep), as demonstrated in Figure 3.1, Qakbot will install itself to the Run key just before the computer goes to sleep or shuts down, so that Qakbot will be executed when the system wakes up or restarts, but waiting so close to system shutdown that security products don't have a chance to detect and report on the new Run key. If it detects a Resume message (which is sent when sleep is ended), it deletes the Run key in an effort to evade detection by defenders.
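The trick above defeats a detector that only looks at Run-key writes in isolation, but it leaves a timing signature that endpoint telemetry can correlate: a Run value written seconds before a shutdown or sleep, and removed seconds after a resume. The following Python is an added example of that correlation, not code from the Binary Defense post. Its input is a constructed, simplified rendering of Sysmon registry events (ID 13 value set, ID 12 object create/delete) and System-log power events (User32 1074 shutdown initiated, Kernel-Power 42 entering sleep, Kernel-Power 107 resumed from sleep); the field names, the SID and the sample paths are assumptions for the example, not Qakbot indicators.

```python
"""Flag Run-key persistence timed around shutdown/sleep and resume.

Added example, not from the Binary Defense post. The event dicts are a
constructed simplification of Sysmon (ID 12/13) and System-log power events.
"""
from datetime import datetime, timedelta

RUN_KEY_MARKER = "\\currentversion\\run\\"
OFFLINE_EVENTS = {1074, 42}    # User32 shutdown/restart, Kernel-Power entering sleep
RESUME_EVENTS = {107}          # Kernel-Power resumed from sleep


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect_sleep_aware_persistence(events: list, window: timedelta = timedelta(seconds=60)) -> list:
    """Return (rule, image, target) tuples for Run-key values that were set
    within `window` before a shutdown/sleep, or deleted within `window` after
    a resume. A value set long before any power event (ordinary installer
    behaviour) is not flagged."""
    events = sorted(events, key=_ts)
    offline = [_ts(e) for e in events if e["source"] == "System" and e["id"] in OFFLINE_EVENTS]
    resumes = [_ts(e) for e in events if e["source"] == "System" and e["id"] in RESUME_EVENTS]
    findings = []
    for e in events:
        if e["source"] != "Sysmon" or RUN_KEY_MARKER not in e.get("target", "").lower():
            continue
        t = _ts(e)
        if e["id"] == 13 and any(t <= o <= t + window for o in offline):
            findings.append(("run_key_set_before_shutdown", e["image"], e["target"]))
        elif e["id"] == 12 and e.get("type") == "DeleteValue" and any(r <= t <= r + window for r in resumes):
            findings.append(("run_key_deleted_after_resume", e["image"], e["target"]))
    return findings


# Constructed sample stream (SID, paths and value names are made up).
RUN = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_EVENTS = [
    # Benign: an installer adds its own Run value hours before any power event.
    {"ts": "2020-12-09T10:00:00", "source": "Sysmon", "id": 13, "type": "SetValue",
     "image": "C:\\Program Files\\Vendor\\setup.exe", "target": RUN + "VendorUpdater"},
    # Suspicious: value written 15 s before the machine goes to sleep ...
    {"ts": "2020-12-09T17:59:40", "source": "Sysmon", "id": 13, "type": "SetValue",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\Xyzzy\\xyzzy.exe", "target": RUN + "xyzzy"},
    {"ts": "2020-12-09T17:59:55", "source": "System", "id": 42, "image": "", "target": ""},
    # ... and deleted 7 s after it wakes up.
    {"ts": "2020-12-10T08:12:03", "source": "System", "id": 107, "image": "", "target": ""},
    {"ts": "2020-12-10T08:12:10", "source": "Sysmon", "id": 12, "type": "DeleteValue",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\Xyzzy\\xyzzy.exe", "target": RUN + "xyzzy"},
]

if __name__ == "__main__":
    for rule, image, target in detect_sleep_aware_persistence(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {target}")
```

Two caveats for anyone turning this into a real rule: Sysmon only records Run-key activity if its configuration includes those keys, and the shutdown branch only works if the registry event is shipped before the host actually goes down, so the agent's queue has to be flushed on shutdown. The deletion-after-resume branch has no such constraint and is the cheaper of the two to deploy.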

Hundreds of thousands of Russian Covid patients named online ‘by mistake’

www.bbc.com/news/technology-55252652 The Russian government has confirmed spreadsheets containing private details of Covid-19 patients from Moscow have been published online. An official has said an internal inquiry found a mistake had been made, rather than hackers being to blame.

Millions Of Payment Terminals Are Vulnerable To Credit Card Theft Hacks

www.forbes.com/sites/thomasbrewster/2020/12/10/millions-of-payment-terminals-are-vulnerable-to-credit-card-theft-hacks/ The weaknesses lay in devices made by Verifone and Ingenico. The first issue was that they used default passwords that let anyone with physical access through to a service menu. These menus contained functions that could be abused to write malware onto the terminals. The malware could then hoover up credit card numbers once the device was in use again. Though the terminals did encrypt credit card data, they did so on the same internal system already controlled by the malware, rendering it useless. An attacker would have all the information they required to clone cards and start stealing people's money. The obvious barrier to a successful attack is in being able to get access to a terminal for long enough to download the malware. Yunosov, from the Cyber R&D Lab, said it would take between five and ten minutes to connect to the devices via USB and install the malicious card sniffer. One of the vulnerabilities could also have been exploited over the internal network, so if a hacker found a way onto a shop's IT systems they would have a way to install malware on the terminals to start pilfering credit card information.

njRAT Spreading Through Active Pastebin Command and Control Tunnel

unit42.paloaltonetworks.com/njrat-pastebin-command-and-control/ In observations collected since October 2020, Unit 42 researchers have found that malware authors have been leveraging njRAT (also known as Bladabindi), a Remote Access Trojan, to download and deliver second-stage payloads from Pastebin, a popular website that is well-known to be used to store data anonymously.

Tech industry concerns put aside as Critical Infrastructure Bill enters Parliament

www.zdnet.com/article/tech-industry-concerns-put-aside-as-critical-infrastructure-bill-enters-parliament/ The Bill introduces a positive security obligation for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements to the Australian Signals Directorate (ASD); enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.


Pwnie Awards 2020 winners include Zerologon, CurveBall, Checkm8, BraveStarr attacks



Microsoft exposes Adrozek, malware that hijacks Chrome, Edge, and Firefox

www.zdnet.com/article/microsoft-exposes-adrozek-malware-that-hijacks-chrome-edge-and-firefox/ Microsoft has raised the alarm today about a new malware strain that infects users’ devices and then proceeds to modify browsers and their settings in order to inject ads into search results pages.

Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data

us-cert.cisa.gov/ncas/alerts/aa20-345a The FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year.

Dark Caracal: You Missed a Spot

www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot Security researchers at EFF have tracked APTs (Advanced Persistent Threats) targeting civil society for many years now. And while in many cases the "advanced" appellation is debatable, "persistent" is not. Since 2015, EFF has tracked the cyber-mercenaries known as Dark Caracal, a threat actor who has carried out digital surveillance campaigns on behalf of government interests in Kazakhstan and Lebanon.

A Gafgyt variant that exploits Pulse Secure CVE-2020-8218

prod-blog.avira.com/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218 However, recently Avira's IoT labs have seen a surge in IoT malware binaries. These malware binaries contain multiple exploit footprints, and they include CVE-2020-8218 (Pulse Secure).

PGMiner: New Cryptocurrency Mining Botnet Delivered via PostgreSQL

unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ Recently, Unit 42 researchers uncovered a novel Linux-based cryptocurrency mining botnet that exploits a disputed PostgreSQL remote code execution (RCE) vulnerability to compromise database servers for cryptojacking. We named the cryptocurrency mining botnet PGMiner after its delivery channel and mining behavior. At its core, PGMiner attempts to connect to the mining pool for Monero mining. Because the mining pool is not active anymore, we could not recover information about the actual profit of this malware family.

Teen who shook the Internet in 2016 pleads guilty to DDoS attacks

www.bleepingcomputer.com/news/security/teen-who-shook-the-internet-in-2016-pleads-guilty-to-ddos-attacks/ "According to court documents, on Oct. 21, 2016, the individual and others used the botnet they created to launch several DDoS attacks in an effort to take the Sony PlayStation Network's gaming platform offline for a sustained period," the DoJ press release said. The identity of the defendant was withheld because they were a juvenile at the time the offense was committed. The individual's sentencing was scheduled for January 7, 2021.


The Hidden Costs of Cybercrime

www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf We estimated the monetary loss from cybercrime at approximately $945 billion. Added to this was global spending on cybersecurity, which was expected to exceed $145 billion in 2020. Today, this is a $1 trillion drag on the global economy.

FCC gets tough on China amid security concerns

www.cnet.com/news/fcc-gets-tough-on-china-amid-security-concerns/ The US Federal Communications Commission on Thursday ordered broadband and wireless companies in the states to remove all equipment from Chinese manufacturers, such as Huawei and ZTE, that could pose national security risks. It also affirmed the agency’s designation of Huawei as a national security threat. And the agency began a process to revoke China Telecom’s authorization to operate in the US.
