Daily NCSC-FI news followup 2020-12-11

AIVD exposes espionage network in the Netherlands; two Russian intelligence officers forced to leave the country

english.aivd.nl/latest/news/2020/12/10/aivd-exposes-espionage-network-in-the-netherlands-two-russian-intelligence-officers-forced-to-leave-the-country Recently the General Intelligence and Security Service (“Algemene Inlichtingen- en Veiligheidsdienst”, AIVD) disrupted the covert activities of an intelligence officer of the Russian civil intelligence agency SVR. The intelligence officer – who worked at the Russian Embassy in The Hague with diplomatic accreditation – engaged in espionage activities in the field of science and technology. He built a substantial network of sources, all of whom work or used to work within the Dutch high-tech sector.

Curious hobbyists share information about Swedish military sites online, newspaper reports: maps and other public data help spies and criminals too

yle.fi/uutiset/3-11690386?origin=rss A growing problem recently has also been war hobbyists and military enthusiasts who have, for example, photographed and mapped secret sites. This information has been shared in various online hobbyist groups.

Credit card criminals struck the “Kauneimmat joululaulut” (Most Beautiful Christmas Carols) online event

yle.fi/uutiset/3-11692046?origin=rss – – Scammers posted links in the comments on the event page and on the parish’s Facebook page to external sites that demanded credit card details before the stream could start. At least a few people had ended up giving their credit card details. The person who reported the case was advised to file a police report and to cancel the card, says Sami Kallioinen, communications director of the Tampere parishes.

Operation StealthyTrident: corporate software under attack

www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ ESET researchers discovered that chat software called Able Desktop, part of a business management suite popular in Mongolia and used by 430 government agencies in Mongolia (according to Able), was used to deliver the HyperBro backdoor (commonly used by LuckyMouse), the Korplug RAT (also known as PlugX), and a RAT called Tmanger (which was first documented by NTT Security and was used during Operation Lagtime IT campaigns attributed to TA428 by Proofpoint). A connection with the ShadowPad backdoor, which is now used by at least five different threat actors, was also found.

‘Fingerprint-Jacking’ Attack Technique Manipulates Android UI

www.darkreading.com/threat-intelligence/fingerprint-jacking-attack-technique-manipulates-android-ui-/d/d-id/1339684 In his Black Hat Europe talk, Wang explained how he was hunting for bugs in a mobile wallet app when he found a tactic to enable “fingerprint-jacking,” which is a user interface-based attack that targets fingerprints in Android apps. The term stems from clickjacking, he said, as this type of attack conceals a malicious application interface beneath a fake covering.

Portable Data exFiltration: XSS for PDFs

portswigger.net/research/portable-data-exfiltration PDF documents and PDF generators are ubiquitous on the web, and so are injection vulnerabilities. Did you know that controlling a measly HTTP hyperlink can provide a foothold into the inner workings of a PDF? In this paper, you will learn how to use a single link to compromise the contents of a PDF and exfiltrate it to a remote server, just like a blind XSS attack. Think about PDF injection just like an XSS injection inside a JavaScript function call. In this case, you would need to ensure that your syntax was valid by closing the parentheses before your injection and repairing the parentheses after your injection. The same principle applies to PDF injection, except you are injecting inside a dictionary value, such as a text stream or annotation URI, rather than a function call.

Fake data breach alerts used to steal Ledger cryptocurrency wallets

www.bleepingcomputer.com/news/security/fake-data-breach-alerts-used-to-steal-ledger-cryptocurrency-wallets/ Starting in October 2020, Ledger users began receiving fake emails about a new data breach from Ledger. The email stated that the user was affected by the breach and that they should install the latest version of Ledger Live to secure their assets with a new pin.

Ransomware Threat To Critical Infrastructure Is A New Priority

www.forbes.com/sites/guidehouse/2020/12/11/ransomware-threat-to-critical-infrastructure-is-a-new-priority/ As the government works to combat overarching cybersecurity risks to critical infrastructure, the bottom line is that cybersecurity decisions are business decisions. Businesses cannot wait to invest until after a major incident. Implementing policy and regulation only goes so far, as cyber criminals and foreign adversaries continue to adapt their tactics to meet objectives. The onus is on managers of critical infrastructure to take cybersecurity seriously and to begin taking a holistic approach to securing critical systems and data.

A big, kind hacker: Tivi Influencer of the Year is Benjamin Särkkä

www.tivi.fi/uutiset/tv/3e1b058c-f139-4d86-8bf4-bd79edd96227 White-hat hacker Benjamin Särkkä is a big tattooed man who speaks in a gentle voice for a gentler world. He is the Tivi Influencer of the Year 2020. Benjamin Särkkä is one of the best-known white hats and has done persistent work for years on behalf of hacker culture to improve information security. He is also the founder of the hugely popular Disobey event. “Disobey has removed the mystique around hacking. It has become an important independent voice on information security matters.”

Authorities raided a Finnish-language drug marketplace on the Tor network, server and bitcoins seized

www.tivi.fi/uutiset/tv/8d1f8c85-578c-4e20-8913-190f82b89b8d Finnish Customs reports having seized the web server of the Sipulimarket marketplace, which operated on the Tor network, along with all of its contents. According to the authorities, large quantities of narcotics and other illegal goods have been sold through Sipulimarket. Customs press release:

www.epressi.com/tiedotteet/hallitus-ja-valtio/suomen-tulli-takavarikoi-sipulimarket-verkkopalvelimen-sisallon-onnistuminen-anonyymissa-tor-verkossa.html

Vastaamo’s ex-boss claims the breach was concealed from him, one big question remains open

www.is.fi/digitoday/tietoturva/art-2000007675634.html Vastaamo’s former CEO Ville Tapio, speaking to Wired magazine, says the breaches were probably noticed as early as spring 2019, but he was not told about it. “It should be fairly obvious that this is not the job of the CEO of a 300-person company,” Tapio tells Wired.

Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10

arstechnica.com/information-technology/2020/12/wormable-zero-click-vulnerability-in-cisco-jabber-gets-patched-a-second-time/ Cisco has patched its Jabber conferencing and messaging application against a critical vulnerability that made it possible for attackers to execute malicious code that would spread from computer to computer with no user interaction required. Again. also:

www.watchcom.no/nyheter/nyhetsarkiv/cisco-jabber-vulnerabilities-resurface/

Facebook links APT32, Vietnam’s primary hacking group, to local IT firm

www.zdnet.com/article/facebook-doxes-apt32-links-vietnams-primary-hacking-group-to-local-it-firm/ In a surprising and unexpected announcement on Thursday, the Facebook security team has revealed the real identity of APT32, one of today’s most active state-sponsored hacking groups, believed to be linked to the Vietnamese government. “Our investigation linked this activity to CyberOne Group [archived website, archived Facebook page], an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso),” said Nathaniel Gleicher, Head of Security Policy at Facebook, and Mike Dvilyanski, Cyber Threat Intelligence Manager. FB:

about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/

MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates

blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates Since mid-October 2020, the BlackBerry Incident Response Team have been actively tracking MountLocker affiliate campaigns as part of ongoing investigations. The affiliates are typically responsible for the initial compromise, distribution of MountLocker ransomware, and exfiltration of sensitive client data during a breach. In coordination with the BlackBerry Research and Intelligence Team, our researchers and investigators have produced the following wide-ranging report on MountLocker. It covers this threat’s operators, affiliates, ransomware, decryptor, and associated tactics, techniques, and procedures (TTPs).

Massive Subway UK phishing attack is pushing TrickBot malware

www.bleepingcomputer.com/news/security/massive-subway-uk-phishing-attack-is-pushing-trickbot-malware/ A massive phishing campaign pretending to be a Subway order confirmation is underway distributing the notorious TrickBot malware.

Ex-Cisco engineer who nuked 16k WebEx accounts sent to prison

www.bleepingcomputer.com/news/security/ex-cisco-engineer-who-nuked-16k-webex-accounts-sent-to-prison/ Sudhish Kasaba Ramesh, a former Cisco engineer, was sentenced on Wednesday to two years in prison and ordered to pay a $15,000 fine for shutting down more than 16,000 WebEx Teams accounts and over 450 virtual machines in 2018.

Update now: Researchers warn of security vulnerabilities in these widely used point-of-sale terminals

www.zdnet.com/article/update-now-researchers-warn-of-security-vulnerabilities-in-widely-used-point-of-sale-terminals/ Security researchers disclose vulnerabilities, including default passwords, in devices from two of the largest PoS manufacturers in the world. The vulnerabilities in Verifone and Ingenico products – which are used in millions of stores around the world – were detailed by independent researcher Aleksei Stennikov and Timur Yunusov, head of offensive security research at Cyber R&D Lab, during a presentation at Black Hat Europe 2020. One of the key vulnerabilities in both brands of device is the use of default passwords, which could provide attackers with access to a service menu and the ability to manipulate or change the code on the machines in order to run malicious commands. also:

www.cyberdlab.com/research-blog/posworld-vulnerabilities-within-ingenico-telium-2-and-verifone-vx-and-mx-series-point-of-sales-terminals

Exclusive: Israeli Surveillance Companies Are Siphoning Masses Of Location Data From Smartphone Apps

www.forbes.com/sites/thomasbrewster/2020/12/11/exclusive-israeli-surveillance-companies-are-siphoning-masses-of-location-data-from-smartphone-apps/ This year has seen a rush amongst government snoops for a new and sometimes contentious data set: location data grabbed by popular smartphone apps. Customs and Border, the FBI, the U.S. military and other federal agencies have been keen buyers, though it’s caused a furor amongst privacy and human rights watchdogs. The outcry this week led Apple and Google to kick apps containing location-grabbing code from Reston, Virginia-based provider X-Mode out of their respective app stores.

Cyberpunk 2020: The hacker’s Netrunner’s arsenal

www.kaspersky.com/blog/cyberpunk-2020-netrunner-arsenal/37988/ If we are to believe the science-fiction of the last century, the hackers of 2020 should have access to a rather curious toolkit.
