Daily NCSC-FI news followup 2021-01-08

Sealed U.S. Court Records Exposed in SolarWinds Breach

krebsonsecurity.com/2021/01/sealed-u-s-court-records-exposed-in-solarwinds-breach/ The ongoing breach affecting thousands of organizations that relied on backdoored products by network software firm SolarWinds may have jeopardized the privacy of countless sealed court documents on file with the U.S. federal court system, according to a memo released Wednesday by the Administrative Office (AO) of the U.S. Courts. The judicial branch agency said it will be deploying more stringent controls for receiving and storing sensitive documents filed with the federal courts, following a discovery that its own systems were compromised as part of the SolarWinds supply chain attack.. Also:

www.theregister.com/2021/01/08/solarwinds_court_docs/

Why Red Team Testing Rules the Cloud

securityintelligence.com/posts/red-teaming-cybersecurity-rules-the-cloud/ Red team testing is a key way to help prevent data breaches today. Most cyber defense focuses on spotting openings and fixing general risks in your environment. Red teaming not only reduces risks, but also prevents possible breaches. Methods, such as threat modeling, static analysis and dynamic testing, reduce the attack surface but do not eliminate risk. With red teaming, your team encounters real-life attacks in a safe scenario, making them more prepared for the threats to come.

Ryuk ransomware Bitcoin wallets point to $150 million operation

www.bleepingcomputer.com/news/security/ryuk-ransomware-bitcoin-wallets-point-to-150-million-operation/ Security researchers following the money circuit from Ryuk ransomware victims into the threat actor’s pockets estimate that the criminal organization made at least $150 million. They found that Ryuk operators primarily use two legitimate cryptocurrency exchanges to cash out the Bitcoin from paying victims as fiat money.. Also:

threatpost.com/ryuk-150m-ransom-payments/162905/.

www.zdnet.com/article/ryuk-gang-estimated-to-have-made-more-than-150-million-from-ransomware-attacks/

CISA Releases New Alert on Post-Compromise Threat Activity in Microsoft Cloud Environments and Tools to Help Detect This Activity

us-cert.cisa.gov/ncas/current-activity/2021/01/08/cisa-releases-new-alert-post-compromise-threat-activity-microsoft CISA has evidence of post-compromise advanced persistent threat (APT) activity in the cloud environment. Specifically, CISA has seen an APT actor using compromised applications in a victims Microsoft 365 (M365)/Azure environment and using additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. In response, CISA has released AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments to describe this malicious APT activity and offer guidance on three open-source tools.

us-cert.cisa.gov/ncas/alerts/aa21-008a

New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys

thehackernews.com/2021/01/new-attack-could-let-hackers-clone-your.html Hardware security keyssuch as those from Google and Yubicoare considered the most secure means to protect accounts from phishing and takeover attacks. But a new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it. The vulnerability (tracked as CVE-2021-3011) allows the bad actor to extract the encryption key or the ECDSA private key linked to a victim’s account from a FIDO Universal 2nd Factor (U2F) device like Google Titan Key or YubiKey, thus completely undermining the 2FA protections. Researchers writeup:

ninjalab.io/a-side-journey-to-titan/. Also:

www.zdnet.com/article/new-side-channel-attack-can-recover-encryption-keys-from-google-titan-security-keys/.

www.zdnet.com/article/new-side-channel-attack-can-recover-encryption-keys-from-google-titan-security-keys/.

arstechnica.com/information-technology/2021/01/hackers-can-clone-google-titan-2fa-keys-using-a-side-channel-in-nxp-chips/

Dassault Falcon Jet reports data breach after ransomware attack

www.bleepingcomputer.com/news/security/dassault-falcon-jet-reports-data-breach-after-ransomware-attack/ Dassault Falcon Jet has disclosed a data breach that may have led to the exposure of personal information belonging to current and former employees, as well as their spouses and dependents. Dassault Falcon Jet is the US subsidiary of French aerospace company Dassault Aviation which designs and builds military aircraft, business jets, and space systems.

ENISA and eu-LISA Cooperation for a More Digitally Resilient Europe

www.enisa.europa.eu/news/enisa-news/enisa-and-eu-lisa-2013-cooperation-for-a-more-digitally-resilient-europe ENISA and eu-LISA sign Cooperation Plan to share knowledge, information and expertise. Within the priorities of the Portuguese Presidency of the Council of the European Union and the current Recovery Plan for Europe put forward by the European Commission, the words digital and resilience are prominent and at times used together. When combined they bring to mind IT-related challenges that need to be addressed to ensure a stronger and safer Europe for its citizens.

FBI Warns of Egregor Attacks on Businesses Worldwide

threatpost.com/fbi-egregor-attacks-businesses-worldwide/162885/ The agency said the malware has already compromised more than 150 organizations and provided insight into its ransomware-as-a-service behavior. The FBI has alerted companies in the private sector to a spate of attacks using the Egregor ransomware. The malware currently is raging a warpath across businesses worldwide and has already compromised more than 150 organizations. The agency issued an advisory that also shed new light and identifies the innerworkings of the prolific malware, which has already been seen wreaking indiscriminate havoc against various types of organizations..

assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf

December 2020s Most Wanted Malware: Emotet Returns as Top Malware Threat

blog.checkpoint.com/2021/01/07/december-2020s-most-wanted-malware-emotet-returns-as-top-malware-threat/ Our latest Global Threat Index for December 2020 has revealed that the Emotet trojan has returned to first place in the top malware list, impacting 7% of organizations globally, following a spam campaign which targeted over 100,000 users per day during the holiday season. In September and October 2020, Emotet was consistently at the top of the Global Threat Index, and was linked to a wave of ransomware attacks. But in November it was much less prevalent, dropping to 5th place in the Index. It has now been updated with new malicious payloads and improved detection evasion capabilities.

Malicious Shell Script Steals AWS, Docker Credentials

www.trendmicro.com/en_us/research/21/a/malicious-shell-script-steals-aws-docker-credentials.html We recently spotted new attacks where, again, threat actors used shell scripts to perform their malicious activities. Based on previous attacks, these malicious scripts were typically used to deploy cryptocurrency miners. But recent cases involving these fresh samples highlighted how the scripts are developed, as they now serve other purposes besides being downloaders for cryptominers. Based on its Command and Control URLs, some strings, crypto keys, and the language used on the samples, we deduced that this latest attack came from the TeamTNT arsenal.

SolarWinds hires Chris Krebs and Alex Stamos as part of security review

www.zdnet.com/article/solarwinds-hires-chris-krebs-and-alex-stamos-as-part-of-security-review/ The software company targeted by Russian hackers as part of one of the most wide-ranging cyber espionage in recent years has the hired former US government cybersecurity chief Chris Krebs to help recover and learn lessons from the incident. Hackers breached the network of SolarWinds before planting Sunburst malware into its Orion software update packages. As a result of this supply chain attack, hackers had access to the networks of around 18,000 SolarWinds customers around the world, including the US government. Also:

threatpost.com/solarwinds-chris-krebs-alex-stamos-hack/162889/

Nissan NA source code leaked due to default admin:admin credentials

www.bleepingcomputer.com/news/security/nissan-na-source-code-leaked-due-to-default-admin-admin-credentials/ Multiple code repositories from Nissan North America became public this week after the company left an exposed Git server protected with default access credentials. The entire collection is around 20 gigabytes large and contains source code for mobile apps and various tools used by Nissan internally for diagnostics, client acquisition, market research, or NissanConnect services. It is unclear if Nissan learned about the leak by itself or received a tip, but the company took down the insecure server on Tuesday before media outlets started publishing news of the incident.

Adversary Infrastructure Report 2020: A Defenders View

www.recordedfuture.com/2020-adversary-infrastructure-report/ Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware frameworks, and open-source remote access trojans. The effort has been ongoing since 2017, when Insikt Group created methodologies to identify the deployments of open-source remote access trojans (RATs). Recorded Future collected over 10,000 unique command and control servers during 2020, across more than 80 families.

FireEye’s Mandia: ‘Severity-Zero Alert’ Led to Discovery of SolarWinds Attack

www.darkreading.com/threat-intelligence/fireeyes-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack/d/d-id/1339851 FireEye CEO Kevin Mandia today shared some insight on the cyberattack on the security firm that was the first clue to a massive and wide-ranging attack campaign against several major US government and commercial networks. In a panel today hosted by the Aspen Institute, Mandia described how his company first recognized the serious attack it had suffered, describing how a newly registered phone using a FireEye user account was the first indication of malicious activity.

You might be interested in …

Daily NCSC-FI news followup 2020-11-18

Hackers are actively probing millions of WordPress sites www.bleepingcomputer.com/news/security/hackers-are-actively-probing-millions-of-wordpress-sites/ Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150, 000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers. Hacking group exploits ZeroLogon in automotive, industrial attack wave www.zdnet.com/article/cicada-hacking-group-exploits-zerologon-launches-new-backdoor-in-automotive-industry-attack-wave/ The active cyberattack is thought […]

Read More

Daily NCSC-FI news followup 2020-09-27

Google removes 17 Android apps doing WAP billing fraud from the Play Store www.zdnet.com/article/google-removes-17-android-apps-doing-wap-billing-fraud-from-the-play-store/ The 17 apps were infected with the Joker (Bread) malware, which Google described in January 2020 as one of the most persistent threats it dealt with since 2017. iOS 14: The Surprising Security Risk Of Sharing Your New iPhone Home Screen […]

Read More

Daily NCSC-FI news followup 2019-06-19

Apu: Kyberhyökkäys tietoverkkoihin voisi pimentää Suomen oletko varautunut? www.apu.fi/artikkelit/kyberhyokkays-tietoverkkoihin-voisi-pimentaa-suomen Kiinan tiedustelupalvelu värvää vakoilijoita LinkedInissä myös suomalaisia ulkopolitiikan asiantuntijoita lähestytty yle.fi/uutiset/3-10838995 Raportin on laatinut Ulkopoliittisen instituutin ohjelmajohtaja Mika Aaltola. Quick Detect: Exim “Return of the Wizard” Attack isc.sans.edu/forums/diary/Quick+Detect+Exim+Return+of+the+Wizard+Attack/25052/ =Thanks to our reader Alex for sharing some of his mail logs with the latest attempts to exploit […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.