Daily NCSC-FI news followup 2020-12-17

Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations – Alert (AA20-352A)

us-cert.cisa.gov/ncas/alerts/aa20-352a The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations. Note: CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available.

I Was the Homeland Security Adviser to Trump. We’re Being Hacked

www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html The magnitude of this national security breach is hard to overstate.

SolarWinds’ shares drop 22 per cent. But what’s this? $286m in stock sales just before hack announced?

www.theregister.com/2020/12/16/solarwinds_stock_sale/ News of the role SolarWinds’ hijacked Orion software played in the hacking spree emerged at the weekend, and on Monday the developer’s share price plummeted more than 20 per cent. It is currently down 22 per cent. However, around a week before, Silver Lake sold $158m of SolarWinds’ shares and Thoma Bravo sold $128m, according to the Washington Post.

Pay2Kitten Fox Kitten 2

www.clearskysec.com/pay2kitten/ During the past four months a wave of cyber-attacks has been targeting Israeli companies. The attacks are conducted by different means and target a range of sectors. We estimate with medium to high confidence that Pay2Key is a new operation conducted by Fox Kitten, an Iranian APT group that began a new wave of attacks in November-December 2020 that involved dozens of Israeli companies. Full report [PDF]:


Illegal snooping on coronavirus vaccines finally woke us up to the harsh reality: a new “cyber shield” as protection?

www.tivi.fi/uutiset/tv/0a47ea0d-5f0f-40aa-aeda-875aeac7b01a The European Union intends to update its cybersecurity regulation. “The age of innocence is over. We know that we are the target [of attacks]. We must modernise, strengthen and adapt,” European Commission Vice-President Margaritis Chinas told the media.

Exclusive-Suspected Chinese hackers stole camera footage from African Union – memo

www.reuters.com/article/us-ethiopia-african-union-cyber-exclusiv-idUSKBN28Q1DB As diplomats gathered at the African Union’s headquarters earlier this year to prepare for its annual leaders’ summit, employees of the international organization made a disturbing discovery. Someone was stealing footage from their own security cameras. The security breach was carried out by a Chinese hacking group nicknamed “Bronze President,” according to a five-page internal memo reviewed by Reuters.

Israeli spy firm suspected of accessing global telecoms via Channel Islands

www.theguardian.com/world/2020/dec/16/israeli-spy-firm-suspected-accessing-global-telecoms-channel-islands The Israeli private intelligence company Rayzone Group appears to have had access to the global telecommunications network via a mobile operator in the Channel Islands in the first half of 2018, potentially enabling its clients at that time to track the locations of mobile phones across the world.

FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay

www.zdnet.com/article/fbi-says-doppelpaymer-ransomware-gang-is-harassing-victims-who-refuse-to-pay/ FBI says ransomware group has been calling victims, threatening to send individuals to their homes if they don’t pay the ransom.

Ransomware masquerades as mobile version of Cyberpunk 2077

www.bleepingcomputer.com/news/security/ransomware-masquerades-as-mobile-version-of-cyberpunk-2077/ A threat actor is distributing fake Windows and Android installers for the Cyberpunk 2077 game that install ransomware calling itself CoderWare.

Third Party Browser Extensions for Instagram, Facebook, Vimeo and Others Infected with Malware

press.avast.com/third-party-browser-extensions-from-instagram-facebook-vimeo-and-others-infected-with-malware Around 3 million people are affected worldwide; Avast threat intelligence experts recommend disabling or uninstalling the extensions for now.

WordPress plugin with 5 million installs has a critical vulnerability

www.bleepingcomputer.com/news/security/wordpress-plugin-with-5-million-installs-has-a-critical-vulnerability/ The team behind a popular WordPress plugin has disclosed a critical file upload vulnerability and issued a patch. The vulnerable plugin, Contact Form 7, has over 5 million active installs, making this urgent upgrade a necessity for WordPress site owners.

Hackers are Bypassing Transport Layers and Depositing Spam via IMAP

www.vadesecure.com/en/blog/hackers-are-bypassing-transport-layers-and-depositing-spam-via-imap/ Vade Secure has detected a wave of spam emails that are being deposited directly into mailboxes without passing through transport layers. The wave, which included 300,000 spam messages sent to a single customer in one day, has been detected in France, Italy, Denmark, and the US. Email Appender allows a cybercriminal to validate compromised account credentials, configure a proxy to avoid IP detection, draft a malicious email, and deposit the spam into compromised users’ accounts.

Talos tools of the trade

blog.talosintelligence.com/2020/12/talos-tools-of-trade.html If you’re looking for something to keep you busy while we’re all stuck inside during the holidays, Cisco Talos has a few tools you can play with in the coming days and weeks. We recently updated GhIDA to work with the latest version of IDA, and we are releasing new features for the award-winning Dynamic Data Resolver (DDR).

Maximizing Your Defense with Windows DNS Logging

www.domaintools.com/resources/blog/maximizing-your-defense-with-windows-dns-logging The aim of this post is to introduce you to log collection on the Microsoft Windows platform. We will start with an illustration of a Windows source-only log deployment, followed by a selection of chosen fields from log samples and a brief description of these sources. The last part covers audit logging, as it plays an important role in ensuring infrastructure defense.

Supplier assurance: having confidence in your suppliers

www.ncsc.gov.uk/blog-post/supplier-assurance-having-confidence-in-your-suppliers This blog post outlines some of the thinking which has gone into our Supplier Assurance Questions, a set of basic cyber security questions which will help you to understand how much confidence you can have in the security of your suppliers. also:


Cybersecurity in the Maritime Sector: ENISA Releases New Guidelines for Navigating Cyber Risk

www.enisa.europa.eu/news/enisa-news/cybersecurity-in-the-maritime-sector-enisa-releases-new-guidelines-for-navigating-cyber-risk The European Union Agency for Cybersecurity provides port operators with a set of good practices to help them identify and evaluate cyber risks, and effectively identify suitable security measures.
