Daily NCSC-FI news followup 2021-01-12

Going Rogue a Mastermind Behind Android Malware Returns with a New RAT

blog.checkpoint.com/2021/01/12/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/ Now more than ever, we rely on our smartphones to keep in touch with our work, our families and the world around us. There are over 3.5 billion smartphone users worldwide, and it is estimated that over 85% of those devices around 3 billion run the Android OS. So its no surprise that criminals and threat actors are actively targeting this vast user base for their own malicious purposes, from trying to steal users data and credentials, to planting money-making malware, spyware or ransomware, and more.

How to tell if a website is taking your (browser) fingerprints

www.kaspersky.com/blog/rc3-fpmon-browser-fingerprinting/38369/ Whether youre looking at the whorls and loops of a fingertip or analogously unique browser information, using a fingerprint is a highly accurate way to identify someone. Its a lot harder to get a persons fingerprint without their knowledge, but all kinds of services on the Internet ID users by their browser fingerprint and not always with your interests in mind.. A team at Bundeswehr University Munich has developed a browser extension that lets you track which websites collect your browser fingerprints and how they do it.

Bulletproof Hosting Services Essential for Criminal Underground Security and Anonymity

www.recordedfuture.com/bulletproof-hosting-services/ Bulletproof hosting services (BPHS) provide secure hosting for malicious content and activity and assure anonymity to threat actors. This typically consists of activities commonly disallowed by legitimate hosting providers such as the hosting of malware or other stolen materials. BPHS offerings have continued to flourish across open and closed sources, providing a variety of features to aspiring actors interested in hosting a variety of potential services away from the attention of law enforcement.

What is STRIDE and How Does It Anticipate Cyberattacks?

securityintelligence.com/articles/what-is-stride-threat-modeling-anticipate-cyberattacks/ STRIDE threat modeling is an important tool in a security experts arsenal. Threat modeling provides security teams with a practical framework for dealing with a threat. For example, the STRIDE model offers a proven methodology of next steps. It can suggest what defenses to include, the likely attackers profile, likely attack vectors and the assets attackers want most. It can help find threats, rank which are most serious, schedule fixes and develop plans to secure IT resources.

Opening STEELCORGI: A Sophisticated APT Swiss Army Knife

yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ 2020 was a really intense year in terms of APT activities, in fact it brought us new evidence of sophisticated campaigns targeting Enterprises organization across Europe and also Italy. In particular the threat group we track as TH-239, also mentioned as UNC1945 by FireEye security researchers, has been one of the sneakiest. We discussed some of the new techniques and modus operandi used by this actor in our previous post, revealing how it leverages modern post exploitation tools even in legacy environments such as old Linux-based machines: with the help of a portable virtual machine, TH-239 is able to move part of its arsenal directly into the victim’s internal network.

Microsoft January 2021 Patch Tuesday

isc.sans.edu/forums/diary/Microsoft+January+2021+Patch+Tuesday/26978/ This month we got patches for 83 vulnerabilities. Of these, 10 are critical, one was previously disclosed, and one is already being exploited according to Microsoft. Amongst critical vulnerability, lets start with the already being exploited CVE-2021-1647. It is related to a remote code execution (RCE) vulnerability affecting Microsoft Defender until version 1.1.17600. The CVSS for this vulnerability is 7.80. There is also a RCE on Windows RPC Runtime (CVE-2021-1658). According to the advisory, it requires no user interaction, low privileges, and low attack complexity. This vulnerability had the highest CVSS score for this month: 8.80. And finally, the previously disclosed one is a privilege escalation vulnerability affecting splwow64 (CVE-2021-1648). Also:

www.bleepingcomputer.com/news/microsoft/microsoft-january-2021-patch-tuesday-fixes-83-flaws-1-zero-day/

Microsoft patches Defender antivirus zero-day exploited in the wild

www.bleepingcomputer.com/news/security/microsoft-patches-defender-antivirus-zero-day-exploited-in-the-wild/ Microsoft has addressed a zero-day vulnerability in the Microsoft Defender antivirus, exploited in the wild by threat actors before the patch was released. Zero-days are vulnerabilities actively exploited in the wild before the vendor issues an official patch or bugs that have publicly available proof-of-concept exploits. The zero-day patched today by Microsoft is being tracked as CVE-2021-1647 and it is a remote code execution (RCE) found in the Malware Protection Engine component (mpengine.dll). Also:

www.zdnet.com/article/microsoft-fixes-defender-zero-day-in-january-2021-patch-tuesday/

Mimecast Certificate Hacked in Microsoft Email Supply-Chain Attack

threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/ A sophisticated threat actor has hijacked email security connections to spy on targets. A Mimecast-issued certificate used to authenticate some of the companys products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor, the company has announced. Mimecast provides email security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecasts servers. The certificate in question is used to verify and authenticate those connections made to Mimecasts Sync and Recover (backups for mailbox folder structure, calendar content and contacts from Exchange On-Premises or Microsoft 365 mailboxes). Update from Mimecast:

www.mimecast.com/blog/important-update-from-mimecast/. Also:

www.bleepingcomputer.com/news/security/mimecast-discloses-microsoft-365-ssl-certificate-compromise/.

www.zdnet.com/article/mimecast-says-hackers-abused-one-of-its-certificates-to-access-microsoft-accounts/

Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor

thehackernews.com/2021/01/unveiled-sunspot-malware-was-used-to.html As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company’s Orion network monitoring platform. Called “Sunspot,” the malignant tool adds to a growing list of previously disclosed malicious software such as Sunburst and Teardrop. “This highly sophisticated and novel code was designed to inject the Sunburst malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams,” SolarWinds’ new CEO Sudhakar Ramakrishna explained. Also:

www.bleepingcomputer.com/news/security/new-sunspot-malware-found-while-investigating-solarwinds-hack/.

www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/

Microsoft’s beefed-up take on Linux server security has hit general availability

www.theregister.com/2021/01/12/microsoft_linux_edr/ After a few months in preview, Microsoft has made Defender Endpoint Detection and Response (EDR) generally available for Linux servers. Microsoft has extended its Defender product over multiple platforms throughout the last year or so, having shaved the “Windows” prefix from the system. Android, macOS, and iOS have all joined the party and Microsoft Defender for Endpoint turned up for Linux around six months ago. The theory goes that administrators with a mixed network can onboard devices via the same portal and view alerts in what Microsoft describes as a “single pane of glass experience”. Also:

www.bleepingcomputer.com/news/security/microsoft-releases-linux-endpoint-detection-and-response-features/.

www.zdnet.com/article/microsoft-defender-for-linux-now-has-endpoint-detection-and-response-security/

Reserve Bank of New Zealand investigates illegal access of third-party system

www.zdnet.com/article/reserve-bank-of-new-zealand-investigates-illegal-access-of-third-party-system/ The Reserve Bank of New Zealand — Te Ptea Matua — on Monday said it was still responding “with urgency” to an illegal breach of one of its systems. The breach was of a third-party file sharing service provided by California-based Accellion. The bank uses its FTA file transfer product to share information with external stakeholders. Also:

www.bleepingcomputer.com/news/security/new-zealand-reserve-bank-breached-using-bug-patched-on-xmas-eve/

BumbleBee Opens Exchange Servers in xHunt Spy Campaign

threatpost.com/bumblebee-exchange-servers-xhunt-spy/162973/ The BumbleBee web shell allows APT attackers to upload and download files, and move laterally by running commands. A webshell called BumbleBee has taken flight in an ongoing xHunt espionage campaign that has targeted Microsoft Exchange servers at Kuwaiti organizations. According to researchers at Palo Alto Networks Unit 42, BumbleBee (so named because of its color scheme) was observed being used to upload and download files to and from a compromised Exchange server back in September. Report:

unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/

New Android spyware targets users in Pakistan

news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/ SophosLabs has discovered a small cluster of Trojanized versions of Android apps, mainly marketed to people who live in Pakistan. Someone has modified these otherwise legitimate apps (clean versions are available for download on the Google Play Store) to add malicious features that seem completely focused on covert surveillance and espionage

Operation Spalax: Targeted malware attacks in Colombia

www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/ In 2020 ESET saw several attacks targeting Colombian entities exclusively. These attacks are still ongoing at the time of writing and are focused on both government institutions and private companies. For the latter, the most targeted sectors are energy and metallurgical. The attackers rely on the use of remote access trojans, most likely to spy on their victims. They have a large network infrastructure for command and control: ESET observed at least 24 different IP addresses in use in the second half of 2020. These are probably compromised devices that act as proxies for their C&C servers.

Adobe Fixes 7 Critical Flaws, Blocks Flash Player Content

threatpost.com/adobe-critical-flaws-flash-player/162958/ Adobe Systems has patched seven critical vulnerabilities, which impact Windows, macOS and Linux users. The impact of the serious flaws range from arbitrary code execution to sensitive information disclosure. The software companys regularly scheduled Tuesday security updates impact a slew of its multimedia and creativity software products from Photoshop to Illustrator to Adobe Bridge.

Hackers leak stolen Pfizer COVID-19 vaccine data online

www.bleepingcomputer.com/news/security/hackers-leak-stolen-pfizer-covid-19-vaccine-data-online/ The European Medicines Agency (EMA) today revealed that some of the Pfizer/BioNTech COVID-19 vaccine data stolen from its servers in December was leaked online. EMA is a decentralized agency responsible for reviewing and approving COVID-19 vaccines, as well as for evaluating, monitoring, and supervising any new medicines introduced to the EU. “The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet,” EMA said today. “Necessary action is being taken by the law enforcement authorities.”

Säätääkö hakkeri pian pattereitasi? Suomalaiset verkot pursuilevat suojaamattomia automaatiolaitteita

www.tivi.fi/uutiset/tv/51301fa5-ffe2-4039-aa4a-4e4f1acbee35 Kyberturvallisuuskeskus on kartoittanut suomalaisten verkkojen turvallisuutta etsimällä verkosta suojaamattomia automaatiolaitteita. Automaatiolaitteita ovat esimerkiksi automaation hallintajärjestelmät, näyttöpaneelit, hissien sekä muiden laitteiden ohjaamiseen käytetyt järjestelmät ja kiinteistöjen hallintaan käytetyt järjestelmät. Laite tulkitaan suojaamattomaksi, mikäli siihen tai sen kirjautumissivulle on pääsy internetistä. Kyberturvallisuuskeskuksen suorittama kartoitus tehtiin vuoden 2020 toukokuussa. Kaikkiaan kyberturvallisuuskeskus havaitsi noin tuhat suojaamatonta järjestelmää. Määrä vastaa suurin piirtein vuoden 2019 vastaavaa tulosta.

Poliisi varoittaa pankkitietoja urkkivista Microsoft-huijareista: Sulje puhelu

www.is.fi/digitoday/tietoturva/art-2000007734612.html Kaakkois-Suomen poliisi varoittaa Microsoft-huijauksista. Näissä puheluissa soittaja on esittäytynyt Microsoftin teknisenä tukena ja tiedustellut pankki- ja henkilötietoja. Tiedotteen mukaan Kaakkois-Suomen poliisille on tehty vuoden alussa pari ilmoitusta tällaisista Microsoft-huijauksista. Poliisi muistuttaa, ettei pankkitunnustietoja tai henkilötietoja pidä koskaan luovuttaa, jos vastaanottajasta ei ole täyttä varmuutta. Viranomaiset, rahalaitokset tai muut asialliset tahot eivät näitä tietoja puhelimessa kysele.

Introducing the In-the-Wild Series

googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, head to the bottom of this post. At Project Zero we often refer to our goal simply as make 0-day hard. Members of the team approach this challenge mainly through the lens of offensive security research. And while we experiment a lot with new targets and methodologies in order to remain at the forefront of the field, it is important that the team doesnt stray too far from the current state of the art.

Intel’s New vPro Processors Aim to Help Defend Against Ransomware

www.darkreading.com/threat-intelligence/intels-new-vpro-processors-aim-to-help-defend-against-ransomware/d/d-id/1339873 ntel is bringing ransomware protection to its new 11th Gen Core vPro mobile processors with the goal of strengthening security and visibility at the hardware level without disrupting the user experience. The Intel vPro platform is an enterprise offering built to include new technologies that businesses and employees need, including security tools and higher performance. Its new vPro processors and platform updates aim to provide application, data, and lower-level security protections that sit below the operating system and defend against ransomware attacks plaguing organizations.

Cybersecurity teams are struggling with burnout, but the attacks keep coming

www.zdnet.com/article/cybersecurity-teams-are-struggling-with-burnout-but-the-attacks-keep-coming/ Cybersecurity teams are facing new challenges to how they work as the Covid-19 pandemic has forced many security operation centres (SOC) to work remotely while also having to deal with new threats all of which is leading to higher workloads and an increase in burnout for staff. Research by the Ponenon institute and Respond Software surveyed information security staff and found that the coronavirus pandemic is increasing hours and workloads of staff in a profession which often was already a high intensity environment for people to work in.

You might be interested in …

Daily NCSC-FI news followup 2020-04-18

German government loses tens of millions of euros in COVID-19 phishing attack www.zdnet.com/article/german-government-loses-tens-of-millions-of-euros-in-covid-19-phishing-attack/ The government of North Rhine-Westphalia, a province in western Germany, is believed to have lost tens of millions of euros after it failed to build a secure website for distributing coronavirus emergency aid funding. The funds were lost following a classic phishing […]

Read More

Daily NCSC-FI news followup 2020-05-01

Ransomware mentioned in 1,000+ SEC filings over the past year www.zdnet.com/article/ransomware-mentioned-in-1000-sec-filings-over-the-past-year/#ftag=RSSbaffb68 A growing number of public companies are now listing ransomware as a forward-looking risk factor in documents filed with the US Securities Exchange Commission. Listing ransomware as a risk factor in SEC filings shows that companies now understand the danger posed by a ransomware […]

Read More

Daily NCSC-FI news followup 2020-11-29

Hacker Lexicon: What Is the Signal Encryption Protocol? www.wired.com/story/signal-encryption-protocol-hacker-lexicon/ LAST WEEK, WITH little fanfare, Google announced a change that could soon make its 2 billion Android users worldwide far harder to surveil: The tech giant says it’s rolling out a beta version of its Android messaging app that will now use end-to-end encryption by default. […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.