Daily NCSC-FI news followup 2021-01-22

Weekly Threat Report 22nd January 2021

www.ncsc.gov.uk/report/weekly-threat-report-22nd-january-2021 The NCSC’s weekly threat report is drawn from recent open source reporting.

A look at the NIS 2.0 Recitals


Cyber Criminals Leave Stolen Phishing Credentials in Plain Sight

blog.checkpoint.com/2021/01/21/cyber-criminals-leave-stolen-phishing-credentials-in-plain-sight/ Check Point Research recently joined forces with Otorio to analyze and take a deep dive into a large scale phishing campaign that targeted thousands of global organizations, revealing the campaign’s overall infection chain, infrastructure and how the emails were distributed.

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop


DDoS-Guard To Forfeit Internet Space Occupied by Parler

krebsonsecurity.com/2021/01/ddos-guard-to-forfeit-internet-space-occupied-by-parler/ Parler, the beleaguered social network advertised as a “free speech” alternative to Facebook and Twitter, has had a tough month. Apple and Google removed the Parler app from their stores, and Amazon blocked the platform from using its hosting services. Parler has since found a home in DDoS-Guard, a Russian digital infrastructure company. But now it appears DDoS-Guard is about to be relieved of more than two-thirds of the Internet address space the company leases to clients including the Internet addresses currently occupied by Parler.

Technical report: Responsible use of the Border Gateway Protocol (BGP) for ISP interworking

www.ncsc.gov.uk/report/responsible-use-of-bgp-for-isp-interworking Technical report on best practice use of this fundamental data routing protocol.

Can you help improve the Cyber Security Toolkit for Boards?

www.ncsc.gov.uk/blog-post/help-improve-the-board-toolkit Your chance to be part of the research that will shape the next iteration of the NCSC’s Board Toolkit.

SQL Server Malware Tied to Iranian Software Firm, Researchers Allege

threatpost.com/sql-server-malware-tied-to-iranian-software-firm-researchers-allege/163230/ Researchers have traced the origins of a campaign infecting SQL servers to mine cryptocurrency back to an Iranian software firm.

Breach Data Shows Attackers Switched Gears in 2020

www.darkreading.com/attacks-breaches/breach-data-shows-attackers-switched-gears-in-2020/d/d-id/1339949 Attackers focused more on ransomware, while the consolidation of data into large databases led to fewer reported breaches but more records leaked.

It’s 2021 and you can hijack a Cisco SD-WAN deployment with malicious IP traffic and a buffer overflow. Patch now


New SAP Exploit Published Online: How to Stay Secure?

onapsis.com/blog/new-sap-exploit-published-online-how-stay-secure The Onapsis Research Labs has identified a functional exploit affecting SAP which was published on GitHub, making it publicly available for malicious purposes. This is a fully-functional exploit that abuses the CVE-2020-6207 vulnerability, a missing authentication check in EEM Manager, a component of SAP Solution Manager (SolMan). A successful attack exploiting this vulnerability would put an organization’s mission-critical SAP applications, business processes and data at risk, impacting cybersecurity and regulatory compliance.

Threat Actors Can Exploit Windows RDP Servers to Amplify DDoS Attacks

threatpost.com/threat-actors-can-exploit-windows-rdp-servers-to-amplify-ddos-attacks/163248/ Netscout researchers identify more than 14,000 existing servers that can be abused by the ‘general attack population’ to flood organizations’ networks with traffic.


MyFreeCams site hacked to steal info of 2 million paying users

www.bleepingcomputer.com/news/security/myfreecams-site-hacked-to-steal-info-of-2-million-paying-users/ A hacker is selling a database with login details for two million high-paying users of the MyFreeCams adult video streaming and chat service.

Drupal releases fix for critical vulnerability with known exploits

www.bleepingcomputer.com/news/security/drupal-releases-fix-for-critical-vulnerability-with-known-exploits/ Drupal has released a security update to address a critical vulnerability in a third-party library with documented or deployed exploits available in the wild.

Necro is going to version 3 and using PyInstaller and DGA

blog.netlab.360.com/necro/ Necro is a classic botnet family written in Python that was first discovered in 2015. Initially it targeted Windows systems and was often tagged by security vendors as Python.IRCBot; the author himself called it N3Cr0m0rPh (Necromorph).

New information: Vastaamo patients’ data may have been left unprotected online for years, security expert: “Brainless”

yle.fi/uutiset/3-11750220 Vastaamo’s founder Ville Tapio shifts responsibility for the data breach onto his former subordinates.

After big hack of U.S. government, Biden enlists ‘world class’ cybersecurity team

www.reuters.com/article/us-usa-biden-cyber-idUSKBN29R18I President Joe Biden is hiring a group of national security veterans with deep cyber expertise, drawing praise from former defense officials and investigators as the U.S. government works to recover from one of the biggest hacks of its agencies, attributed to Russian spies.


MITRE ATT&CK: The Magic of Segmentation

blogs.cisco.com/security/mitre-attck-the-magic-of-segmentation In cybersecurity, nation states, cyber criminals, hacktivists, and rogue employees are the usual suspects. They fit nicely into categories like external attackers or insider threats.

Microsoft Edge goes homomorphic: Nobody will see your credentials… but you’ll need to sign in to use it

www.theregister.com/2021/01/22/edge_password_monitor/ Has your password been pwned? MS browser will tell you

CSC also rehearses for the worst

www.csc.fi/fi/-/csc-harjoittelee-my%C3%B6s-pahan-varalle CSC has taken part in the national TIETO20 joint exercise for companies and authorities, which prepares for large-scale cyber disruptions.


Bugs Allowed Hackers to Hijack Kindle Accounts With Malicious Ebooks


US administration adds “subliminal” ad to White House website

nakedsecurity.sophos.com/2021/01/22/us-administration-adds-subliminal-ad-to-white-house-website/ Hidden messages, features or jokes in apps and websites are commonly known in hacker jargon as easter eggs, because they’re supposed to be found and enjoyed, but they’re not supposed to be immediately obvious.

Watchdog Warns Adtech That It’s Set For More Scrutiny

www.forbes.com/sites/emmawoollacott/2021/01/22/watchdog-warns-adtech-that-its-set-for-more-scrutiny/ex The UK’s data watchdog is resuming its investigation over the use of real-time bidding (RTB) in the adtech industry – but observers fear it won’t take meaningful action any time soon.

Hackers publish thousands of files after government agency refuses to pay ransom

www.zdnet.com/article/hackers-publish-thousands-of-files-after-government-agency-refuses-to-pay-ransom/ Ransomware gang publishes stolen data after Scottish Environment Protection Agency (SEPA) refuses to pay ransom – as agency confirms operations remain disrupted.

New website launched to document vulnerabilities in malware strains

www.zdnet.com/article/new-website-launched-to-document-vulnerabilities-in-malware-strains/ Launched by security researcher John Page, the new MalVuln website lists bugs in malware code.

Cisco warns on critical security vulnerabilities in SD-WAN software, so update now


SEC calls out dubious cryptocurrency traders, miners soliciting customers worldwide

www.zdnet.com/article/sec-calls-out-dubious-cryptocurrency-exchanges-miners-soliciting-customers-worldwide/ The companies mentioned are considered “misleading” or impersonators of genuine businesses.


QNAP warns users to secure NAS devices against Dovecat malware

www.bleepingcomputer.com/news/security/qnap-warns-users-to-secure-nas-devices-against-dovecat-malware/ QNAP urges customers to secure their network-attached storage (NAS) devices against an ongoing malware campaign that infects and exploits them to mine bitcoin without their knowledge.


Belgian Hospital Reroutes Critical Patients after Cyberattack

hotforsecurity.bitdefender.com/blog/belgian-hospital-reroutes-critical-patients-after-cyberattack-25165.html On Sunday evening, the CHwapi hospital in Belgium suffered a cyberattack that prompted the facility to redirect emergency patients to other hospitals and delay surgical procedures. As reported by local media group L’Avenir, 80 of the hospital center’s 300 servers were affected by the attack, forcing staff and nurses to abandon digital entries and turn to pen and paper for patient assessments. Patient data was not compromised, according to CHwapi.
