Daily NCSC-FI news followup 2020-12-15

More US government systems hacked: the Department of Homeland Security was the latest victim of the cyberattack

yle.fi/uutiset/3-11697114 The US Department of Homeland Security is responsible for protecting the country against both conventional and network attacks.

No One Knows How Deep Russia’s Hacking Rampage Goes

www.wired.com/story/russia-solarwinds-supply-chain-hack-commerce-treasury/

Dark Halo Leverages SolarWinds Compromise to Breach Organizations

www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity is releasing additional research and indicators associated with compromises impacting customers of the SolarWinds Orion software platform. Many of the technical details regarding the malware used are covered in the FireEye notification. However, in this blog, Volexity can share examples of command-line actions the attacker took after gaining access to the target network and provide insight into additional tools, infrastructure, and attacker objectives. also:

news.sophos.com/en-us/2020/12/14/solarwinds-playbook/ – Incident response playbook for responding to SolarWinds Orion compromise

SolarWinds Orion Platform Supply Chain Attack

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-solarwinds-supply-chain-attack While there are no vulnerabilities in Cisco products related to this issue, if a customer was using an affected version of SolarWinds Orion Platform and would like to investigate potential impact to Cisco devices, Cisco has published a number of documents that can help the investigation.

SolarWinds Hack Could Affect 18K Customers

krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/

SolarWinds exposed FTP credentials in Public Github Repo: US Government Breach

savebreach.com/solarwinds-credentials-exposure-led-to-us-government-fireye-breach/ Did poor security practices lead to the US government and FireEye breaches? SolarWinds exposed its FTP server credentials in a public GitHub repository in 2019.
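The item above turns on a credential that should never have reached a repository at all. The following is an added example (not SolarWinds' code, and not from the linked article) of the kind of check a pre-commit hook or CI job runs over file contents before they are pushed: it flags FTP/SFTP passwords embedded in URLs or in configuration assignments. The regular expressions and the `SampleRepoFile` contents are constructed for illustration; a production scanner carries many more rules. One caveat worth stating plainly: deleting a secret in a later commit does not remove it from history, so any credential found this way is treated as compromised and rotated.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one plaintext credential located in the scanned text.
type Finding struct {
	Line   int    // 1-based line number in the scanned text
	Kind   string // "url" for scheme://user:pass@host, "assignment" for key = value
	Secret string // the password itself; use Masked before logging it
}

var (
	// ftp://user:password@host or sftp://user:password@host (illustrative pattern)
	credURL = regexp.MustCompile(`(?i)\b(s?ftp)://([^:/\s@"']+):([^@/\s"']+)@([^/\s"']+)`)
	// ftp_password = "..."  /  FTP-PASS: ...  /  ftppasswd=...  (illustrative pattern)
	passAssign = regexp.MustCompile(`(?i)\bftp[_-]?pass(?:word|wd)?\b\s*[:=]\s*["']?([^"'\s]+)`)
)

// ScanForFTPCredentials returns every line of src that embeds an FTP or
// SFTP password, either inside a URL or as a configuration assignment.
func ScanForFTPCredentials(src string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		if m := credURL.FindStringSubmatch(line); m != nil {
			findings = append(findings, Finding{Line: i + 1, Kind: "url", Secret: m[3]})
			continue
		}
		if m := passAssign.FindStringSubmatch(line); m != nil {
			findings = append(findings, Finding{Line: i + 1, Kind: "assignment", Secret: m[1]})
		}
	}
	return findings
}

// Masked keeps the first two characters of a secret so a finding can be
// matched to the file without reproducing the credential in a log or ticket.
func Masked(secret string) string {
	if len(secret) <= 2 {
		return strings.Repeat("*", len(secret))
	}
	return secret[:2] + strings.Repeat("*", len(secret)-2)
}

// SampleRepoFile is constructed content standing in for a committed config
// file; it is not taken from any real repository.
const SampleRepoFile = `# deploy settings (constructed sample)
host = ftp.example.test
ftp_user = deploy
ftp_password = "Hunter2!"
backup_url = ftp://backup:S3cretPass@files.example.test/nightly
upload_url = sftp://keyonly@files.example.test/in
mirror = sftp://sync:pw123@mirror.example.test
`

func main() {
	findings := ScanForFTPCredentials(SampleRepoFile)
	for _, f := range findings {
		fmt.Printf("line %d: %s credential %s\n", f.Line, f.Kind, Masked(f.Secret))
	}
	if len(findings) > 0 {
		fmt.Println("refusing commit: plaintext credentials found")
	}
}
```

Run as-is it reports lines 4, 5 and 7 of the sample and leaves the key-only SFTP URL and the bare hostname alone; wired into a hook, a non-empty result is the signal to block the commit.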

Here are the 100 IT influencers

www.tivi.fi/uutiset/tv/63a4f0d1-0480-4ba1-9b33-a7e3bce5ff92 The year 2020 will go down in history not only for the coronavirus pandemic but also for its cybersecurity events. The pandemic sent people around the world into remote work. Phishing and ransomware increased further. At the end of the year came the Vastaamo data breach, which can be considered the most significant information security incident in Finland to date in terms of the scale of its impact. Nor will cyber threats decrease in the coming years. Almost one in five people on this year's list of 100 influencers works in cybersecurity or the related field of data protection. Besides Benjamin Särkkä, they include Juhani Eronen of the National Cyber Security Centre, Data Protection Ombudsman Anu Talus, Mårten Mickos of HackerOne, Anu Laitila of Nixu and the government's cybersecurity director Rauli Paananen.

Espionage brought lightning to November's cyber weather

www.kyberturvallisuuskeskus.fi/fi/kybersaa-marraskuu-2020 The espionage cases targeting the European Medicines Agency and the security company FireEye drew attention and brought lightning to November's cyber weather. There was a spell of fair weather too, as we removed the alert concerning the Emotet malware.

Google's stumble raises concern about the vulnerability of the whole internet

yle.fi/uutiset/3-11697064 “The one-hour outage showed how much we rely on the services of one particular large company,” says Matias Mesiä of the National Cyber Security Centre. also:

www.theguardian.com/technology/2020/dec/14/google-suffers-worldwide-outage-with-gmail-youtube-and-other-services-down

45 million medical scans from hospitals all over the world left exposed online for anyone to view; some servers were laced with malware

www.theregister.com/2020/12/15/dicom_45_million_medical_scans_unsecured/ Two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all.

Cruise line operator Hurtigruten crippled in ransomware attack

hotforsecurity.bitdefender.com/blog/cruise-line-operator-hurtigruten-crippled-in-ransomware-attack-24869.html Norwegian shipping and cruise line Hurtigruten has revealed it is the latest maritime firm to suffer at the hands of cybercriminals, following a crippling ransomware attack that it sustained on Monday leaving some of its systems down around the world.

Spotify Changes Passwords After Another Data Breach

threatpost.com/spotify-changes-passwords-data-breach/162256/ This is the third breach in the past few weeks for the world’s most popular streaming service.

Agent Tesla Keylogger Gets Data Theft and Targeting Update

threatpost.com/agent-tesla-targeting-data-tactics/162268/ The infamous keylogger has shifted its targeting tactics and now collects stored credentials for less-popular web browsers and email clients.

Threat profile: Egregor ransomware is making a name for itself

blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/ Egregor is a relatively new ransomware family (first spotted in September 2020) that seems intent on making its way to the top right now. As we’ve reported in the past, affiliates that were using Maze ransomware started moving over to Egregor even before the Maze gang officially announced they were calling it quits. Egregor has already targeted some well-known victims, including Barnes & Noble, Kmart and Ubisoft. The primary distribution method for Egregor is Cobalt Strike: targeted environments are initially compromised through various means (RDP probing, phishing), and once the Cobalt Strike beacon payload is established and persistent, it is used to deliver and launch the Egregor payloads.

Everything but the kitchen sink: more attacks from the Gitpaste-12 worm

blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm In November, Juniper Threat Labs documented a new wormable cryptomining campaign dubbed Gitpaste-12. The initial wave of Gitpaste-12 attacks was last seen on October 27, when the GitHub repository hosting the bulk of the worm’s payloads was removed. On November 10, we discovered a new round of attacks.

High-risk vulnerabilities discovery increased 65% in 2020

www.helpnetsecurity.com/2020/12/15/high-risk-vulnerabilities-discovery/ 2020 has been a record year for crowdsourced cybersecurity adoption, with enterprises across all industries implementing crowdsourced cybersecurity programs to keep up with the evolving threat landscape.

Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure

threatpost.com/unpatched-iot-ot-devices-threaten-critical-infrastructure/162275/ Industrial, factory and medical gear remain largely unpatched when it comes to the URGENT/11 and CDPwn groups of vulnerabilities. According to researchers at Armis, a whopping 97 percent of the OT devices impacted by URGENT/11 have not been patched, despite fixes being delivered in 2019. And, 80 percent of those devices affected by CDPwn remain unpatched.

Coordinated disclosure of XML round-trip vulnerabilities in Go’s standard library

mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ This blog post is a part of Mattermost’s public disclosure of three serious vulnerabilities in Go’s encoding/xml related to tokenization round-trips.
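A tokenization round trip, in the sense the disclosure above uses, is parsing an XML document into tokens and serializing those tokens back out; code that inspects a document and then re-emits it (signed-XML verification is the typical case) assumes the output still means what the input meant. The block below is an added example, not Mattermost's code and not a reproduction of the disclosed bugs: it performs exactly that round trip with Go's `encoding/xml` Decoder and Encoder and reports whether the result is byte-identical, which is the check a practitioner wants before trusting a re-serialized document. The sample inputs are constructed; the namespaced third sample is included for the reader to inspect, since namespace handling is where such round trips most often diverge, and the example makes no claim about its result.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// RoundTrip tokenizes input with encoding/xml's Decoder and re-emits every
// token through Encoder, returning the re-serialized document.
func RoundTrip(input string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(input))
	var out bytes.Buffer
	enc := xml.NewEncoder(&out)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", fmt.Errorf("decode: %w", err)
		}
		// Token() may reuse its internal buffer, so copy before re-encoding.
		if err := enc.EncodeToken(xml.CopyToken(tok)); err != nil {
			return "", fmt.Errorf("encode: %w", err)
		}
	}
	if err := enc.Flush(); err != nil {
		return "", err
	}
	return out.String(), nil
}

// RoundTripStable reports whether the round trip reproduces the input byte
// for byte and returns the re-emitted form so a mismatch can be inspected.
// A byte-identical result is the only outcome that needs no further thought;
// anything else means decoder and encoder disagree about the document, and
// the re-emitted form must not be assumed to carry the original meaning.
func RoundTripStable(input string) (bool, string, error) {
	out, err := RoundTrip(input)
	if err != nil {
		return false, "", err
	}
	return out == input, out, nil
}

func main() {
	// Constructed inputs. The first two are plain documents; the third uses a
	// default namespace, which is the area to inspect rather than assume.
	samples := []string{
		`<a><b>text</b></a>`,
		`<!-- note --><a attr="v">x &amp; y</a>`,
		`<a xmlns="http://example.org/ns"><b/></a>`,
	}
	for _, s := range samples {
		stable, out, err := RoundTripStable(s)
		if err != nil {
			fmt.Printf("error for %s: %v\n", s, err)
			continue
		}
		fmt.Printf("stable=%v\n  in:  %s\n  out: %s\n", stable, s, out)
	}
}
```

The design point is that a stability check compares bytes, not token streams: two token sequences can look equivalent to the encoder and still serialize to a document that a different parser reads differently, which is exactly the property such vulnerabilities exploit.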

cPanel and WHM Vulnerability Easy to Exploit With Dark Web Credentials

www.recordedfuture.com/cpanel-whm-vulnerability/ Sophisticated malware is no longer needed to gain access to these web hosting platforms. Instead, cybercriminals can exploit a recently disclosed two-factor authentication (2FA) vulnerability using valid credentials, which can easily be purchased from dark web markets. Recorded Future demonstrates the simple process that threat actors use and the importance of patching web hosting technology to protect organizations around the world from data theft.

42% of security leaders said the pandemic has changed their cybersecurity priorities

www.helpnetsecurity.com/2020/12/15/pandemic-cybersecurity-priorities/ Fudo Security published the results of its survey, enlisting the perspectives of a diverse, select group of CISOs, senior cybersecurity executives and industry decision-makers from around the globe, including the US, Europe, Asia and MENA. More than 42% said the pandemic has changed their cybersecurity priorities.

How Regulation Is Impacting 5G Security in Europe

blog.paloaltonetworks.com/2020/12/5g-security-in-europe/ Over the past few years, I have witnessed a growing focus in Europe on telecom and 5G security. Many service providers in the region are evolving cybersecurity practices and postures, both for existing 4G networks and also for planned 5G deployments, many of which are launching now. This increased focus is in reaction to the growing number of cyberthreats on mobile networks, as well as the realisation that security can be a service differentiator. It also comes in response to growing expectations by government policymakers.

Analyzing FireEye Maldocs

isc.sans.edu/forums/diary/Analyzing+FireEye+Maldocs/26882/

Removing Coordinated Inauthentic Behavior from France and Russia

about.fb.com/news/2020/12/removing-coordinated-inauthentic-behavior-france-russia/ Today we removed three separate networks for violating our policy against foreign or government interference, which is coordinated inauthentic behavior (CIB) on behalf of a foreign or government entity. These networks originated in France and Russia and targeted multiple countries in North Africa and the Middle East.

Academics turn RAM into Wi-Fi cards to steal data from air-gapped systems

www.zdnet.com/article/academics-turn-ram-into-wifi-cards-to-steal-data-from-air-gapped-systems/ AIR-FI technique can send stolen data at speeds of up to 100 b/s to Wi-Fi receivers at a distance of a few meters.

Serious warning from the police: a new kind of order fraudster is preying on machinery dealers: “With a little effort you can save tens of thousands of euros”

www.kauppalehti.fi/uutiset/poliisilta-vakava-varoitus-uudenlaiset-tilaushuijarit-vaanivat-konekauppiaita-pienella-vaivalla-voi-saastaa-kymmenia-tuhansia-euroja/6070d0a3-1ccf-4b77-961b-28cd6dba784f “An email address is set up that looks like an existing company's address but whose domain part belongs to a free email service. The signature is filled in with the details of the real company's CEO, the company's business ID and its postal address,” says Kortelainen. With that email the criminals approach, for example, a machinery rental company or dealer. “The machines are ordered or rented for delivery to the gate of some construction site. The machine that ends up in the wrong hands, say an excavator or an aerial work platform, is taken to Estonia to be sold,” Kortelainen says.

Police on the Hyrylä school threat: the suspect loaded a virus onto a pupil's computer during an online game, took the pupil's Wilma credentials and sent a bomb threat to the school

yle.fi/uutiset/3-11698045 Based on the police investigation, a person outside the school is suspected of having obtained one pupil's Wilma credentials in connection with an online game. The person is suspected of having sent a trojan-type virus to the pupil's computer. “Using the credentials, the person sent a bomb threat message to the school staff,” says the head of the investigation, Detective Chief Inspector Jere Pääkkönen of the Eastern Uusimaa Police Department, in a police press release.
