Cloud Threat Hunting: Attack & Investigation Series- Lateral Movement Under the Radar
blog.checkpoint.com/2021/01/13/cloud-threat-hunting-attack-investigation-series-lateral-movement-under-the-radar/ A sign of a truly sophisticated attack in the cloud is the ability to move laterally undetected. Doing so successfully requires knowledge of many techniques. In this latest installment of the Cloud Threat Hunting: Attack and Investigation Series, we present the most involved attack flow yet. We will break down all of the steps a threat actor took to successfully exfiltrate data out of an AWS account. This attack began with a compromised pair of AWS access keys. The first thing the threat actor does is obtain temporary credentials using the get-session-token command.
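Temporary credentials minted this way show up in CloudTrail under an ASIA-prefixed access key ID, so the attacker's later activity no longer carries the leaked AKIA key; the only link back to the long-term key is the GetSessionToken record itself. The following added example (not the Check Point post's own code) walks a constructed CloudTrail log, ties each temporary key to the long-term key and source IP that minted it, and flags use of that session from a different IP. Field names follow the CloudTrail record format (eventName, userIdentity.accessKeyId, sourceIPAddress, responseElements.credentials.accessKeyId); the events, key IDs, user names and IP addresses are constructed for the example.

```python
"""Trace temporary STS credentials back to the long-term key that minted them.

Added example, not code from the Check Point post. The records below are
constructed CloudTrail-style events; the key IDs, user names and IP addresses
are made up, and field names follow the CloudTrail record format.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample log: the leaked long-term key (AKIA...) calls
# GetSessionToken from one IP; the temporary key it returns (ASIA...) is then
# used from a different IP. A same-IP call and an unrelated key are included
# so the detector can be seen leaving them alone.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-01-12T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE0000000001"},
     "responseElements": {"credentials": {
         "accessKeyId": "ASIAEXAMPLE0000000001",
         "expiration": "Jan 12, 2021 9:00:00 PM"}}},
    {"eventTime": "2021-01-12T09:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "ASIAEXAMPLE0000000001"}},
    {"eventTime": "2021-01-12T09:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "ASIAEXAMPLE0000000001"}},
    {"eventTime": "2021-01-12T09:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                      "accessKeyId": "AKIAEXAMPLE0000000002"}},
]})


def load_records(log_text: str) -> List[dict]:
    """Parse a CloudTrail log file: a JSON object with a "Records" list."""
    return json.loads(log_text)["Records"]


def session_origins(records: List[dict]) -> Dict[str, Tuple[str, str, str]]:
    """Map each temporary key ID minted by GetSessionToken to
    (user name, long-term key ID, source IP of the minting call).

    The long-term key is in userIdentity.accessKeyId of the GetSessionToken
    record; the temporary key is in responseElements.credentials.accessKeyId.
    """
    origins: Dict[str, Tuple[str, str, str]] = {}
    for rec in records:
        if rec.get("eventName") != "GetSessionToken":
            continue
        ident = rec.get("userIdentity", {})
        creds = rec.get("responseElements", {}).get("credentials", {})
        temp_key = creds.get("accessKeyId")
        if temp_key:
            origins[temp_key] = (ident.get("userName"), ident.get("accessKeyId"),
                                 rec.get("sourceIPAddress"))
    return origins


def flag_moved_sessions(records: List[dict]) -> List[dict]:
    """Flag calls made with a GetSessionToken-derived key from an IP other
    than the one that requested the session. Later records never mention the
    AKIA key, so a search for the leaked key alone would miss this activity."""
    origins = session_origins(records)
    findings = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in origins or rec.get("eventName") == "GetSessionToken":
            continue
        user, long_key, origin_ip = origins[key]
        if rec.get("sourceIPAddress") != origin_ip:
            findings.append({"eventTime": rec["eventTime"], "eventName": rec["eventName"],
                             "userName": user, "tempKey": key, "longTermKey": long_key,
                             "originIP": origin_ip, "usedFromIP": rec["sourceIPAddress"]})
    return findings


if __name__ == "__main__":
    for f in flag_moved_sessions(load_records(SAMPLE_LOG)):
        print(f"{f['eventTime']} {f['eventName']} by {f['userName']}: temp key "
              f"{f['tempKey']} (from {f['longTermKey']}) minted at {f['originIP']}, "
              f"used from {f['usedFromIP']}")
```

Run against a real trail, point load_records at the gzipped log objects CloudTrail writes to S3 (decompress first); the IP comparison is the simplest possible pivot, and a production rule would also look at ASN, user agent and whether the minting call carried MFA.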
SolarWinds: What Hit Us Could Hit Others
krebsonsecurity.com/2021/01/solarwinds-what-hit-us-could-hit-others/ New research into the malware that set the stage for the megabreach at IT vendor SolarWinds shows the perpetrators spent months inside the company's software development labs honing their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers. More worrisome, the research suggests the insidious methods used by the intruders to subvert the company's software development pipeline could be repurposed against many other major software providers.
Ubiquiti breach, and other IoT security problems
blog.malwarebytes.com/iot/2021/01/ubiquiti-breach-and-other-iot-security-problems/ Networking equipment manufacturer Ubiquiti sent out an email to warn users about a possible data breach. The email stated there had been unauthorized access to its IT systems that are hosted with a third-party cloud provider. Ubiquiti Networks sells networking devices and IoT devices. It did not specify which products were affected but pointed at UI.com, which is its customer web portal. The servers in this domain store user profile information for account.ui.com, the web portal that Ubiquiti makes available to customers who bought one of its products. From there, users can manage devices from a remote location and access a help and support portal.
Authorities Take Down World’s Largest Illegal Dark Web Marketplace
thehackernews.com/2021/01/authorities-take-down-worlds-largest.html Europol on Tuesday said it shut down DarkMarket, the world's largest online marketplace for illicit goods, as part of an international operation involving Germany, Australia, Denmark, Moldova, Ukraine, the U.K.'s National Crime Agency (NCA), and the U.S. Federal Bureau of Investigation (FBI). At the time of closure, DarkMarket is believed to have had 500,000 users and more than 2,400 vendors, with over 320,000 transactions resulting in the transfer of more than 4,650 bitcoin and 12,800 monero, a total of more than €140 million ($170 million).
2020 Cyber Attacks Statistics
www.hackmageddon.com/2021/01/13/2020-cyber-attacks-statistics/ As promised, I have pulled together some statistics from the data collected in 2020. The master table is available at the end of the post after the charts. As always, be aware that the sample refers exclusively to the attacks included in my timelines, available from public sources such as blogs and news sites. Obviously the sample cannot be complete, but only aims to provide a high-level overview of the threat landscape.
SolarLeaks site claims to sell data stolen in SolarWinds attacks
www.bleepingcomputer.com/news/security/solarleaks-site-claims-to-sell-data-stolen-in-solarwinds-attacks/ A website named 'SolarLeaks' is selling data they claim was stolen from companies confirmed to have been breached in the SolarWinds attack. Last month, it was disclosed that network management company SolarWinds suffered a sophisticated cyberattack that led to a supply chain attack affecting 18,000 customers. According to a joint statement issued by the FBI, CISA, and the NSA, this attack was "likely" conducted by a Russian state-sponsored hacking group who wanted to steal cloud data such as email and files from its victims.
Hancitor activity resumes after a holiday break
isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/ Campaigns spreading Hancitor malware were active from October through December 2020, but Hancitor went quiet after 2020-12-17. On Tuesday 2021-01-12, criminals started sending malicious spam (malspam) pushing Hancitor again. Some people have already tweeted about this year’s first wave of Hancitor.
Sophisticated Hacks Against Android, Windows Reveal Zero-Day Trove
threatpost.com/hacks-android-windows-zero-day/163007/ Google researchers have detailed a major hacking campaign that was detected in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against Windows and Android platforms. The team spent months analyzing the attacks, including examining what happened post-exploitation on Android devices. In that case, additional payloads were delivered that collected device fingerprinting information, location data, a list of running processes and a list of installed applications for the phone.
Iranian cyberspies behind major Christmas SMS spear-phishing campaign
www.zdnet.com/article/iranian-cyberspies-behind-major-christmas-sms-spear-phishing-campaign/ An Iranian cyber-espionage group known as Charming Kitten (APT35 or Phosphorus) has used the recent winter holiday break to attack targets from all over the world using a very sophisticated spear-phishing campaign that involved not only email attacks but also SMS messages. “Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect,” said CERTFA, a cybersecurity organization specialized in tracking Iranian operations.
A hole where there should not be one: serious vulnerability in Microsoft's security software, update immediately
www.tivi.fi/uutiset/tv/70970e6c-e143-494d-953b-9e960c5f0181 Microsoft released updates for its software on Tuesday. The Finnish National Cyber Security Centre (Kyberturvallisuuskeskus) draws particular attention to a vulnerability in Microsoft Defender (CVE-2021-1647), which allows an attacker to remotely execute commands on a machine they have gained access to.
Microsoft fixes Secure Boot bug allowing Windows rootkit installation
www.bleepingcomputer.com/news/security/microsoft-fixes-secure-boot-bug-allowing-windows-rootkit-installation/ Microsoft has fixed a security feature bypass vulnerability in Secure Boot that allows attackers to compromise the operating system's boot process even when Secure Boot is enabled. Secure Boot is a feature of Unified Extensible Firmware Interface (UEFI) firmware that blocks untrusted operating system bootloaders, to help prevent rootkits from loading during the OS startup process.
Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments
us-cert.cisa.gov/ncas/current-activity/2021/01/13/attackers-exploit-poor-cyber-hygiene-compromise-cloud-security CISA is aware of several recent successful cyberattacks against various organizations' cloud services. Threat actors used a variety of tactics and techniques, including phishing and brute-force logins, to attempt to exploit weaknesses in cloud security practices. In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, which provides technical details and indicators of compromise to help detect and respond to potential attacks.
Critical WordPress-Plugin Bug Found in Orbit Fox Allows Site Takeover
threatpost.com/orbit-fox-wordpress-plugin-bugs/163020/ Two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website. Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder and Gutenberg site-building utilities. It allows site administrators to add features such as registration forms and widgets. The plugin, from a developer called ThemeIsle, has been installed by 400,000+ sites.
New Variant of Ursnif Continuously Targeting Italy
www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy Ursnif (also known as Gozi) is classified as a banking Trojan, but its variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors. The Ursnif Trojan has been observed targeting Italy over the past year. A few days ago, FortiGuard Labs detected a phishing campaign in the wild spreading a fresh variant of the Ursnif Trojan via an attached MS Word document, again aimed at Italy. Although Ursnif is classified as a banking Trojan, its C2 servers have been shut down, so this latest variant has been unable to download the malicious banking module it needs to steal banking information from the victim, and the second stage of its attack fails to start.