Daily NCSC-FI news followup 2021-01-11

Sunburst backdoor code overlaps with Kazuar

securelist.com/sunburst-backdoor-kazuar/99981/ On December 13, 2020, FireEye published a blog post detailing a supply chain attack leveraging Orion IT, an infrastructure monitoring and management platform by SolarWinds. In parallel, Volexity published an article with their analysis of related attacks, attributed to an actor named Dark Halo. FireEye did not link this activity to any known actor; instead, they gave it an unknown, temporary moniker UNC2452.

Russian Hacker Gets 12-Years Prison for Massive JP Morgan Chase Hack

thehackernews.com/2021/01/russian-hacker-gets-12-years-prison-for.html A U.S. court on Thursday sentenced a 37-year-old Russian to 12 years in prison for perpetrating an international hacking campaign that resulted in the heist of a trove of personal information from several financial institutions, brokerage firms, financial news publishers, and other American companies. Andrei Tyurin was charged with computer intrusion, wire fraud, bank fraud, and illegal online gambling offenses, and for his role in one of the largest thefts of U.S. customer data from a single financial institution in history, which involved the personal information of more than 80 million J.P. Morgan Chase customers.

FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts

labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/ macOS.OSAMiner is a cryptominer campaign that has resisted full researcher analysis for at least five years due to its use of multiple run-only AppleScripts. macOS.OSAMiner has evolved to use a complex architecture, embedding one run-only AppleScript within another and retrieving further stages embedded in the source code of public-facing web pages. Combining a public AppleScript disassembler repo with our own AEVT decompiler tool allowed us to statically reverse run-only AppleScripts for the first time and reveal previously unknown details about the campaign and the malwares architecture.

DarkSide ransomware decryptor recovers victims’ files for free

www.bleepingcomputer.com/news/security/darkside-ransomware-decryptor-recovers-victims-files-for-free/ Romanian cybersecurity firm Bitdefender has released a free decryptor for the DarkSide ransomware to allow victims to recover their files without paying a ransom. DarkSide is a human-operated ransomware that has already earned millions in payouts since it started targeting enterprises in August 2020. The operation has seen a spike in activity between October and December 2020 when the amount of DarkSide sample submissions on the ID-Ransomware platform more than quadrupled.

Decrypting TLS Streams With Wireshark: Part 3

blog.didierstevens.com/2021/01/11/decrypting-tls-streams-with-wireshark-part-3/ Say that you have to share a decrypted TLS stream, like the stream we decrypted in part 1. You did a forensic investigation, and you need to included the decrypted TLS stream in your findings. Or you are troubleshooting an issue, and need need to share the decrypted TLS stream with a vendor.. Im sure you dont want to share the web servers private key with a vendor (remember, in part 1, we used a web servers private key to decrypt a TLS stream, while in part 2 we used a clients SSLKEYLOGFILE).

Ransomware Gangs Scavenge for Sensitive Data by Targeting Top Executives

www.tripwire.com/state-of-security/featured/ransomware-gangs-scavenge-sensitive-data-targeting-executives/ In their attempt to extort as much money as quickly as possible out of companies, ransomware gangs know some effective techniques to get the full attention of a firms management team. And one of them is to specifically target the sensitive information stored on the computers used by a companys top executives, in the hope of finding valuable data that can best pressure bosses into approving the payment of a sizeable ransom.

Cybersecurity for Healthcare: Addressing Medical Image Privacy

securityintelligence.com/articles/cybersecurity-for-healthcare-problems-and-solutions/ Medical imaging devices have greatly improved patient care and become a critical part of modern medical treatment. But, these devices werent always connected in ways they are today. Todays tools are digital, networked with other devices and can be reached through a computer workstation. As such, more cyber threats can pose harm. So how can equipment makers and users build better cybersecurity for healthcare into imaging equipment?

December 2020 Cyber Attacks Statistics

www.hackmageddon.com/2021/01/11/december-2020-cyber-attacks-statistics/ And finally the last blog for the 2020 monthly statistics series is here! For sure you know that the statistics are derived from the corresponding timelines (part I and part II) and maybe you also know that in the next few days I will publish the aggregated data for 2020. Definitely a year to forget from many points of views (but I have the feeling that it will be remembered for a very long time

Using the NVD Database and API to Keep Up with Vulnerabilities and Patches – Tool Drop: CVEScan (Part 3 of 3)

isc.sans.edu/forums/diary/Using+the+NVD+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Tool+Drop+CVEScan+Part+3+of+3/26974/ Now with a firm approach to or putting an inventory and using the NVD API in part 1 and part 2, for any client I typically create 4 inventories.

New version of Sysinternals released, Process Hollowing detection added in Sysmon, new registry access detection added to Procmon

docs.microsoft.com/en-us/sysinternals/ This update to Sysmon adds a process image tampering event that reports when the mapped image of a process doesnt match the on-disk image file, or the image file is locked for exclusive access. These indicators are triggered by process hollowing and process herpaderping. This release also includes several bug fixes, including fixes for minor memory leaks. This update to Process Monitor adds monitoring for RegSaveKey, RegLoadKey and RegRestoreKey APIs, as well as fixes a bug in the details output for some types of directory queries.

Capitol attack’s cybersecurity fallout: Stolen laptops, lost data and possible espionage

www.zdnet.com/article/capitol-attacks-cybersecurity-fallout-stolen-laptops-lost-data-and-possible-espionage/ When hostile actors penetrated the Capitol Building on January 6, they gained access to individual chambers and offices and remained at large within the Capitol complex for well over two hours. We have reports that items were stolen. One report comes from acting US Attorney for DC, Michael Sherwin, who stated “items, electronic items were stolen from senators’ offices, documents and … we have to identify what was done to mitigate that.” My local Senator, Jeff Merkley (D-Ore.), reported that at least one laptop had been stolen.

Tietomurtoihin liittyvät kiristykset ovat lisääntyneet pienistäkin kyber­hyökkäyksistä toivotaan ilmoituksia

www.is.fi/digitoday/tietoturva/art-2000007733085.html Kyberhyökkäysten määrä on tehtyjen ilmoitusten perusteella nousussa, kerrotaan Liikenne- ja viestintäviraston kyberturvallisuuskeskuksesta. Esimerkiksi pelkästään tietomurtoja ilmoitettiin keskukselle viime vuonna noin 800, kun toissa vuonna määrä oli vielä noin 500. Osin taustalla voi olla se, että media on uutisoinut paljon aiheesta, minkä ansioista hyökkäyksistä ilmoitetaan aiempaa enemmän. Kyberturvallisuuskeskuksen eri lähteistä saamista tiedoista voidaan silti päätellä, että itse hyökkäysten määräkin on ainakin lievästi kasvussa.

Haittaohjelmat vaanivat myös kryptovaluuttasovelluksissa

www.kauppalehti.fi/uutiset/haittaohjelmat-vaanivat-myos-kryptovaluuttasovelluksissa/666c460c-2730-4a6f-b695-ba4bd8444a3c Sovelluksia on mainostettu turvallisina kryptovaluuttafoorumeilla sekä Twitterissä, vaikka todellisuudessa ne on suunniteltu varastamaan käyttäjien tietoja sekä kryptovaluuttalompakon avaimia. Tietoturvayhtiö Intezer Labs on löytänyt haittaohjelmia kryptovaluuttasovelluksista, uutisoi Decrypt. ElectroRAT-haittaohjelman uhriksi on Intezer Labsin mukaan viimeisen vuoden aikana joutunut ainakin 6500 käyttäjää.

Husin tietoturva sai pyyhkeitä sairaanhoitopiiri sanoo petranneensa tarkastuksen jälkeen

www.tivi.fi/uutiset/tv/07d476ab-ae6f-4d6a-ac45-bbf01c330b32 Helsingin ja Uudenmaan sairaanhoitopiirin tietoturvasta löytyi useita kehittämiskohteita keväällä 2020 teetetyssä selvityksessä. Husin tietohallinto kertoo Tiville tarkastusraportin suositusten johtaneen jo useisiin parannuksiin. Deloitten tekemä selvitys koski Husin tietohallinnon johtamis- ja ohjausjärjestelmää, joten mukana tarkastelussa oli myös esimerkiksi hankintojen tekeminen, muutoshallinta ja tietosuoja. Eniten suosituksia kehityskohteista löytyi tietoturvan puolelta.

Networking giant Ubiquiti alerts customers of potential data breach

www.bleepingcomputer.com/news/security/networking-giant-ubiquiti-alerts-customers-of-potential-data-breach/ Networking device maker Ubiquiti has announced a security incident that may have exposed its customers’ data. Ubiquiti is a very popular networking device manufacturer best known for its Unifi line of wired and wireless network products and a cloud management platform.. Today, Ubiquiti began emailing customers to change their passwords after an attacker hacked their systems hosted at a third-party cloud provider.

Eilakaislan hyökkäys saatu hallintaan tietovuotoa ei tietenkään voi sulkea pois

www.tivi.fi/uutiset/tv/692d4e0f-5215-447a-8a4f-67833f0e0be9 Henkilöstöpalveluyhtiö Eilakaislan perjantaina tapahtunut kyberhyökkäys on saatu hallintaan. Asiasta Tiville kertoo yhtiön toimitusjohtaja Erika Ehrnrooth. Hänen mukaansa palvelimet ja ohjelmat ovat jälleen käytössä normaaliin tapaan. Yhtiön tietoon ei ole tullut, että työnhakijoiden ja -tekijöiden henkilötietoja tai asiakasyritysten laskutustietoja olisi joutunut vääriin käsiin. Väärinkäytön uhka on silti olemassa. Myös:



Parler Is Gone, But Hackers Say They Downloaded Everything First

www.vice.com/en/article/jgqbex/parler-is-gone-but-hackers-say-they-downloaded-everything-first Right-wing social network Parler was taken offline in the early hours of Monday morning, but not before a hacker found a way to download all data posted by users including messages, images, videos, and users location data shared during last weeks attack on the Capitol. The data taken from Parler is still being processed, but Trump supporters are already voicing their concerns about what the data dump could expose about them and their activity in Washington, D.C. last week.

You might be interested in …

Daily NCSC-FI news followup 2020-03-28

Two zero days are Targeting DrayTek Broadband CPE Devices blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/ rom December 4, 2019, 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities of DrayTek[1] Vigor enterprise routers and switch devices to conduct a series of attacks, including eavesdropping on devices network traffic, running SSH services on high ports, creating […]

Read More

Daily NCSC-FI news followup 2021-07-05

REvil ransomware asks $70 million to decrypt all Kaseya attack victims www.bleepingcomputer.com/news/security/revil-ransomware-asks-70-million-to-decrypt-all-kaseya-attack-victims/ REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files. Lisäksi: nakedsecurity.sophos.com/2021/07/05/kaseya-ransomware-attackers-say-pay-70-million-and-well-set-everyone-free/. Lisäksi: thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html. Lisäksi: therecord.media/revil-gang-asks-70-million-to-decrypt-systems-locked-in-kaseya-attack/ ISA, FBI […]

Read More

Daily NCSC-FI news followup 2020-08-05

Defending the Oil and Gas Industry Against Cyber Threats securityintelligence.com/posts/oil-gas-security/ The oil and gas industry is one of the most powerful financial sectors in the world, critical to global and national economies. Therefore, this industry is a valuable target for adversaries seeking to exploit Industrial Control Systems (ICS) vulnerabilities. As the recent increase in attacks […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.