Daily NCSC-FI news followup 2021-01-06

FBI, CISA, NSA Officially Blame Russia for SolarWinds Cyber Attack

thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html The U.S. government on Tuesday formally pointed fingers at the Russian government for orchestrating the massive SolarWinds supply chain attack that came to light early last month. Also: This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.

www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure. Also:

www.bleepingcomputer.com/news/security/us-govt-says-russian-state-hackers-likely-behind-solarwinds-hack/. Also:

thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html. Also:

apnews.com/article/us-blames-russia-federal-hacking-3921096dfd9693a020420acc787132bd. Also:

threatpost.com/feds-russia-culprit-solarwinds/162785/. Also:

www.zdnet.com/article/us-government-formally-blames-russia-for-solarwinds-hack. Also:

arstechnica.com/tech-policy/2021/01/feds-say-that-russia-was-likely-behind-months-long-hack-of-us-agencies

SolarWinds hackers had access to over 3,000 US DOJ email accounts

www.bleepingcomputer.com/news/security/solarwinds-hackers-had-access-to-over-3-000-us-doj-email-accounts/ The US Department of Justice (DoJ) said that the attackers behind the SolarWinds supply chain attack have gained access to roughly 3% of the department’s Office 365 email inboxes. Also:

www.justice.gov/opa/pr/department-justice-statement-solarwinds-update. Also:

www.forbes.com/sites/thomasbrewster/2021/01/06/doj-admits-microsoft-email-accounts-were-hit-in-solarwinds-attacks/

WhatsApp updates its Terms and Privacy Policy to mandate data-sharing with Facebook

www.xda-developers.com/whatsapp-updates-terms-privacy-policy-mandate-data-sharing-facebook/ WhatsApp users are receiving an in-app notice today regarding the service’s new terms and privacy policy. Also:

www.bleepingcomputer.com/news/security/whatsapp-share-your-data-with-facebook-or-delete-your-account/. Also: www.whatsapp.com/legal/updates/key-updates

Google Warns of Critical Android Remote Code Execution Bug

threatpost.com/google-warns-of-critical-android-remote-code-execution-bug/162756/ Google has fixed two critical bugs affecting its Android handsets. The more serious flaw exists in the Android System component and allows remote attackers to execute arbitrary code.

Cybercriminals Ramp Up Exploits Against Serious Zyxel Flaw

threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/ More than 100,000 Zyxel networking products could be vulnerable to a hardcoded credential vulnerability (CVE-2020-29583) potentially allowing cybercriminal device takeover. Also:

www.bleepingcomputer.com/news/security/hackers-start-exploiting-the-new-backdoor-in-zyxel-devices/

Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat

blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/ On December 7 2020 we identified a malicious document uploaded to Virus Total which was purporting to be a meeting request likely used to target the government of South Korea.

SMS Phishing Is Getting Out Of Control

www.vice.com/en/article/m7appv/sms-phishing-is-getting-out-of-control Consumers and security companies report a concerning increase in scams via text message phishing, also known as smishing. Also:

www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/saitko-tekstiviestin-postin-nimissa-varothan-viesti-voi-olla-huijaus

Understanding And Exploiting Zerologon

packetstormsecurity.com/files/160823/Understanding_and_Exploiting_Zerologon.pdf Zerologon is a vulnerability in Microsoft’s Netlogon Remote Procedure Call (MS-NRPC) protocol. Specifically, this vulnerability occurs due to an incorrect implementation of the AES-128 Counter Feedback mode of operation. This vulnerability was given a CVSS score of 10 by Microsoft and can be carried out by anyone with a foothold in the network. This paper aims to explain the details and workings of the MS-NRPC protocol, its vulnerability, and finally cover how to exploit it, something which the original paper by Secura left out.

81,000 UK-owned .eu domains suspended as Brexit transition ends

www.zdnet.com/article/81000-uk-owned-eu-domains-suspended-as-brexit-transition-ends/ Tens of thousands of website owners who are based in the UK might have started the year with an unpleasant surprise: Eurid, the registry manager of .eu domain names, has suspended .eu domain names registered by UK citizens as a result of the regulatory changes caused by Brexit.

A Trump Sex Video? No, It’s a RAT!

www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/ While reviewing our spam traps, a particular campaign piqued our interest primarily because the attachment to the email does not coincide with the theme of the email body. When we investigated further, we discovered that its attachment is a variant of the QRAT downloader we blogged about last August. Also:

thehackernews.com/2021/01/hackers-using-fake-trumps-scandal-video.html. Also:

www.zdnet.com/article/this-new-phishing-attack-uses-an-odd-lure-to-deliver-windows-trojan-malware

Stolen employee credentials put leading gaming firms at risk

www.welivesecurity.com/2021/01/05/breached-employee-credentials-gaming-companies More than 500,000 login credentials linked to the employees of 25 leading game publishers have been found for sale on dark web bazaars, according to a report by threat intelligence company KELA. Threat actors have been increasingly targeting the gaming industry, including by harvesting and selling access credentials into the internal systems of top-tier game companies. Also:

www.zdnet.com/article/cyber-criminals-are-taking-aim-at-online-gaming-for-their-next-big-pay-day/
