Weekly Threat Report 22nd January 2021
www.ncsc.gov.uk/report/weekly-threat-report-22nd-january-2021 The NCSC’s weekly threat report is drawn from recent open source reporting.
A look at the NIS 2.0 Recitals
Cyber Criminals Leave Stolen Phishing Credentials in Plain Sight
blog.checkpoint.com/2021/01/21/cyber-criminals-leave-stolen-phishing-credentials-in-plain-sight/ Check Point Research recently joined forces with Otorio to take a deep dive into a large-scale phishing campaign that targeted thousands of global organizations, revealing the campaign’s overall infection chain, its infrastructure and how the emails were distributed.
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
DDoS-Guard To Forfeit Internet Space Occupied by Parler
krebsonsecurity.com/2021/01/ddos-guard-to-forfeit-internet-space-occupied-by-parler/ Parler, the beleaguered social network advertised as a “free speech” alternative to Facebook and Twitter, has had a tough month. Apple and Google removed the Parler app from their stores, and Amazon blocked the platform from using its hosting services. Parler has since found a home in DDoS-Guard, a Russian digital infrastructure company. But now it appears DDoS-Guard is about to be relieved of more than two-thirds of the Internet address space the company leases to clients, including the Internet addresses currently occupied by Parler.
Technical report: Responsible use of the Border Gateway Protocol (BGP) for ISP interworking
www.ncsc.gov.uk/report/responsible-use-of-bgp-for-isp-interworking Technical report on best practice use of this fundamental data routing protocol.
Can you help improve the Cyber Security Toolkit for Boards?
www.ncsc.gov.uk/blog-post/help-improve-the-board-toolkit Your chance to be part of the research that will shape the next iteration of the NCSC’s Board Toolkit.
SQL Server Malware Tied to Iranian Software Firm, Researchers Allege
threatpost.com/sql-server-malware-tied-to-iranian-software-firm-researchers-allege/163230/ Researchers have traced the origins of a campaign infecting SQL servers to mine cryptocurrency back to an Iranian software firm.
Breach Data Shows Attackers Switched Gears in 2020
www.darkreading.com/attacks-breaches/breach-data-shows-attackers-switched-gears-in-2020/d/d-id/1339949 Attackers focused more on ransomware, while the consolidation of data into large databases led to fewer reported breaches but more records leaked.
It’s 2021 and you can hijack a Cisco SD-WAN deployment with malicious IP traffic and a buffer overflow. Patch now
New SAP Exploit Published Online: How to Stay Secure?
onapsis.com/blog/new-sap-exploit-published-online-how-stay-secure The Onapsis Research Labs has identified a functional exploit affecting SAP which was published on GitHub, making it publicly available for malicious purposes. This is a fully functional exploit that abuses the CVE-2020-6207 vulnerability, a missing authentication check in EEM Manager, a component of SAP Solution Manager (SolMan). A successful attack exploiting this vulnerability would put an organization’s mission-critical SAP applications, business processes and data at risk, impacting cybersecurity and regulatory compliance.
Threat Actors Can Exploit Windows RDP Servers to Amplify DDoS Attacks
threatpost.com/threat-actors-can-exploit-windows-rdp-servers-to-amplify-ddos-attacks/163248/ Netscout researchers identify more than 14,000 existing servers that can be abused by the ‘general attack population’ to flood organizations’ networks with traffic.
MyFreeCams site hacked to steal info of 2 million paying users
www.bleepingcomputer.com/news/security/myfreecams-site-hacked-to-steal-info-of-2-million-paying-users/ A hacker is selling a database with login details for two million high-paying users of the MyFreeCams adult video streaming and chat service.
Drupal releases fix for critical vulnerability with known exploits
www.bleepingcomputer.com/news/security/drupal-releases-fix-for-critical-vulnerability-with-known-exploits/ Drupal has released a security update to address a critical vulnerability in a third-party library with documented or deployed exploits available in the wild.
Necro is going to version 3 and using PyInstaller and DGA
blog.netlab.360.com/necro/ Necro is a classic botnet family written in Python that was first discovered in 2015. Initially it targeted Windows systems and was often tagged by security vendors as Python.IRCBot; the author himself calls it N3Cr0m0rPh (Necromorph).
New information: Vastaamo patients’ data may have been left unprotected online for years; security expert: “Mindless”
yle.fi/uutiset/3-11750220 Vastaamo founder Ville Tapio shifts responsibility for the data breach onto his former subordinates.
After big hack of U.S. government, Biden enlists ‘world class’ cybersecurity team
www.reuters.com/article/us-usa-biden-cyber-idUSKBN29R18I President Joe Biden is hiring a group of national security veterans with deep cyber expertise, drawing praise from former defense officials and investigators as the U.S. government works to recover from one of the biggest hacks of its agencies attributed to Russian spies.
MITRE ATT&CK: The Magic of Segmentation
blogs.cisco.com/security/mitre-attck-the-magic-of-segmentation In cybersecurity, nation states, cyber criminals, hacktivists, and rogue employees are the usual suspects. They fit nicely into categories like external attackers or insider threats.
Microsoft Edge goes homomorphic: Nobody will see your credentials… but you’ll need to sign in to use it
www.theregister.com/2021/01/22/edge_password_monitor/ Has your password been pwned? MS browser will tell you
CSC also trains for the worst
www.csc.fi/fi/-/csc-harjoittelee-my%C3%B6s-pahan-varalle CSC has taken part in TIETO20, the national joint exercise of companies and authorities preparing for large-scale cyber disruptions.
Bugs Allowed Hackers to Hijack Kindle Accounts With Malicious Ebooks
US administration adds “subliminal” ad to White House website
nakedsecurity.sophos.com/2021/01/22/us-administration-adds-subliminal-ad-to-white-house-website/ Hidden messages, features or jokes in apps and websites are commonly known in hacker jargon as easter eggs, because they’re supposed to be found and enjoyed, but they’re not supposed to be immediately obvious.
Watchdog Warns Adtech That It’s Set For More Scrutiny
www.forbes.com/sites/emmawoollacott/2021/01/22/watchdog-warns-adtech-that-its-set-for-more-scrutiny/ex The UK’s data watchdog is resuming its investigation over the use of real-time bidding (RTB) in the adtech industry – but observers fear it won’t take meaningful action any time soon.
Hackers publish thousands of files after government agency refuses to pay ransom
www.zdnet.com/article/hackers-publish-thousands-of-files-after-government-agency-refuses-to-pay-ransom/ Ransomware gang publishes stolen data after Scottish Environment Protection Agency (SEPA) refuses to pay ransom – as agency confirms operations remain disrupted.
New website launched to document vulnerabilities in malware strains
www.zdnet.com/article/new-website-launched-to-document-vulnerabilities-in-malware-strains/ Launched by security researcher John Page, the new MalVuln website lists bugs in malware code.
Cisco warns on critical security vulnerabilities in SD-WAN software, so update now
SEC calls out dubious cryptocurrency traders, miners soliciting customers worldwide
www.zdnet.com/article/sec-calls-out-dubious-cryptocurrency-exchanges-miners-soliciting-customers-worldwide/ The companies mentioned are considered “misleading” or impersonators of genuine businesses.
QNAP warns users to secure NAS devices against Dovecat malware
www.bleepingcomputer.com/news/security/qnap-warns-users-to-secure-nas-devices-against-dovecat-malware/ QNAP urges customers to secure their network-attached storage (NAS) devices against an ongoing malware campaign that infects and exploits them to mine bitcoin without their knowledge.
Belgian Hospital Reroutes Critical Patients after Cyberattack
hotforsecurity.bitdefender.com/blog/belgian-hospital-reroutes-critical-patients-after-cyberattack-25165.html On Sunday evening, the CHwapi hospital in Belgium suffered a cyberattack that prompted the facility to redirect emergency patients to other hospitals and delay surgical procedures. As reported by local media group L’Avenir, 80 of the hospital center’s 300 servers were affected by the attack, forcing staff and nurses to abandon digital entries and turn to pen and paper for patient assessments. Patient data was not compromised, according to CHwapi.