Daily NCSC-FI news followup 2020-12-20

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ In many of their actions, the attackers took steps to maintain a low profile. For example, the inserted malicious code is lightweight and only has the task of running a malware-added method in a parallel thread such that the DLL’s normal operations are not altered or interrupted. In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor

CISA Updates Alert and Releases Supplemental Guidance on Emergency Directive for SolarWinds Orion Compromise

us-cert.cisa.gov/ncas/current-activity/2020/12/19/cisa-updates-alert-and-releases-supplemental-guidance-emergency This update states that CISA has evidence of, and is currently investigating, initial access vectors in addition to those attributed to the SolarWinds Orion supply chain compromise.

Windows Hello is now being used by 84% of Windows 10 users

www.bleepingcomputer.com/news/microsoft/windows-hello-is-now-being-used-by-84-percent-of-windows-10-users/ Windows Hello, which is an all-in-one biometric authentication process integrated into Windows 10, is slowly growing in popularity, according to a new report from Microsoft. According to a new report from Microsoft, the number of consumers using Windows Hello to sign in to Windows 10 instead of a password grew to 84.7 percent from 69.4 percent in 2019.

Passwords begone: GitHub will ban them next year for authenticating Git operations

www.theregister.com/2020/12/17/github_bans_passwords/ Microsoft’s GitHub plans to stop accepting account passwords as a way to authenticate Git operations, starting August 13, 2021, following a test period without passwords two-weeks earlier.

Gitpaste-12 worm botnet returns with 30+ vulnerability exploits

www.bleepingcomputer.com/news/security/gitpaste-12-worm-botnet-returns-with-30-plus-vulnerability-exploits/ Recently discovered Gitpaste-12 worm that spreads via GitHub and also hosts malicious payload on Pastebin, has returned with even more exploits. Expanding on its predecessor, this new version of Gitpaste-12 comes equipped with over 30 vulnerability exploits, concerning Linux systems, IoT devices, and open-source components.

Ransomware’s Next Nasty Surprise: Pay Up Or We’ll Brick Your PC’s UEFI Firmware

www.forbes.com/sites/johndunn/2020/12/18/ransomwares-next-nasty-surprise-pay-up-or-well-brick-your-pcs-uefi-firmware/ After researching the discovery with research partner Eclypsium, the companies recently published an analysis of what they nicknamed TrickBoot which suggests the answer might be connected to a new and imminent type of ransomware attack.

Ransomware and Cyber-Extortion Payments Double in 2020

www.infosecurity-magazine.com/news/ransomware-extortion-payments/ The total cost of ransom payments doubled year-on-year during the first six months of 2020. Businesses have to consider the financial impact of a ransomware attack beyond the ransom payment; business interruption, loss of income and now breach damages such as compromised data. The best outcome for businesses is to have a backup and subscribe to a cyber insurance policy that covers recovery expenses and brings expertise in negotiating a ransom payment if at all needed.

You might be interested in …

Daily NCSC-FI news followup 2020-04-17

China-linked Electric Panda hackers seek U.S. targets, intel agency warns www.politico.com/news/2020/04/16/china-electric-panda-hackers-seek-us-targets-191220 Nearly 40 U.S. contracting facilities with access to classified information have been targeted by a hacking group with suspected ties to the Chinese government since Feb. 1, according to a bulletin disseminated to contractors by the Defense Counterintelligence and Security Agency on Wednesday. Hacking […]

Read More

Daily NCSC-FI news followup 2020-09-25

Microsoft boots apps out of Azure used by China-sponsored hackers arstechnica.com/information-technology/2020/09/microsoft-boots-apps-used-by-china-sponsored-hackers-out-of-azure/ Active Directory apps used for command-and-control infrastructure are no more. Report: www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ Feds Hit with Successful Cyberattack, Data Stolen threatpost.com/feds-cyberattack-data-stolen/159541/ The attack featured a unique, multistage malware and a likely PulseSecure VPN exploit. FinSpy Spyware for Mac and Linux OS Targets Egyptian Organisations thehackernews.com/2020/09/finspy-malware-macos-linux.html […]

Read More

Daily NCSC-FI news followup 2020-09-18

RampantKitten: An Iranian Surveillance Operation unraveled blog.checkpoint.com/2020/09/18/rampantkitten-an-iranian-surveillance-operation-unraveled/ Check Point Research has unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years. While some individual sightings of this attack were previously reported by other researchers and journalists, our investigation allowed us to connect the several different campaigns and […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.