Daily NCSC-FI news followup 2021-01-26

Poliisi tutkii jälleen huijauksia Mieheltä vietiin lähes 300 000 euroa

poliisi.fi/-/poliisi-tutkii-jalleen-huijauksia-miehelta-vietiin-lahes-300-000-euroa Helsingin poliisi tutkii kahta erillistä tapausta, joissa uhreilta huijattiin puhelimitse ja sähköpostitse rahaa. Also:

www.is.fi/digitoday/art-2000007763427.html

CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit The Qualys Research Team has discovered a heap overflow vulnerability in sudo, a near-ubiquitous utility available on major Unix-like operating systems. Any unprivileged user can gain root privileges on a vulnerable host using a default sudo configuration by exploiting this vulnerability. Also:

www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt. Also: www.sudo.ws/alerts/unescape_overflow.html

NAT Slipstreaming v2.0: New Attack Variant Can Expose All Internal Network Devices to The Internet

www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/ The new variant attack could allow attackers to bypass NATs & Firewalls and reach any unmanaged device within the internal network from the Internet.

New campaign targeting security researchers

blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with. Also:

www.bleepingcomputer.com/news/security/north-korean-hackers-are-targeting-security-researchers-with-malware-0-days/. Also:

thehackernews.com/2021/01/n-korean-hackers-targeting-security.htmlh. Also:

www.zdnet.com/article/google-north-korean-hackers-have-targeted-security-researchers-via-social-media/. Also: www.theregister.com/2021/01/26/norks_hack_researchers/. Also:

arstechnica.com/information-technology/2021/01/north-korea-hackers-use-social-media-to-target-security-researchers/. Also:

www.tivi.fi/uutiset/tv/29d4036c-f9fa-4479-bbdd-fd1bc711ef2d

CLAROTY FINDS CRITICAL FLAWS IN OPC PROTOCOL IMPLEMENTATIONS

www.claroty.com/2021/01/25/blog-research-critical-flaws-in-opc-protocol/ Three vendors: Softing Industrial Automation GmbH, Kepware PTC, and Matrikon Honeywell have provided fixes for their respective products. Users of affected products are urged to determine whether they are vulnerable and update immediately to the latest versions. The Industrial Control System Cyber Emergency Response Team (ICS-CERT) has also published advisories, warning users of the affected products about the risks. Update and mitigation information is also available in the advisories. Also:

www.petermorin.com/new-significant-vulnerabilities-identified-in-the-opc-protocol/

Former LulzSec Hacker Releases VPN Zero-Day Used to Hack Hacking Team

www.vice.com/en/article/dy85nz/former-lulzsec-hacker-releases-vpn-zero-day-used-to-hack-hacking-team A security researcher has released an exploit for SonicWall VPNs that was originally found by Phineas Fisher in 2015. Also:

darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/. Also: www.cybersecurity-help.cz/blog/1892.html

Internet Protocol Next Header escape

medium.com/sensorfu/internet-protocol-next-header-escape-248ab1574e7c In IPv6 header it’s called “Next Header” and in IPv4 header it’s just “Protocol”. This eight bit value contains information about what kind of content we can expect after the IP header. Usual suspect being a value for all familiar TCP, UDP and ICMP. But there’s also other familiar protocols like GRE and L2TP, and parts of bigger systems like IPSec. This header field deserved a closer look since my business is to make sure networks don’t leak, and we design escape tests for that purpose. There are a total of 256 possibilities to try out and this is exactly what our new escape does.

Historic victory for privacy as dating app receives gigantic fine

www.forbrukerradet.no/news-in-english/historic-victory-for-privacy-as-dating-app-receives-gigantic-fine/ Today, the Norwegian Data Protection Authority issued an advance notification of a 100 million NOK ( 9 600000) fine to the dating app Grindr, as a result of a legal complaint filed by the Norwegian Consumer Council. Also:

www.nytimes.com/2021/01/25/business/grindr-gdpr-privacy-fine.html. Also:

www.tivi.fi/uutiset/tv/7dd991ab-4cd9-4c7e-904b-b45ce5b6829e

Follow the Money: Qualifying Opportunism Behind Cyberattacks During the COVID-19 Pandemic

www.recordedfuture.com/opportunism-behind-cyberattacks-during-pandemic/ The opportunism of threat actors is primarily created by the socioeconomic conditions of the pandemic and is visible in the evolution of the themes used to target victims over the course of the pandemic. Threat actors have targeted the healthcare and vaccine “ecosystems” with a variety of tactics aimed at financial exploitation, intelligence gathering, and destruction. China and Russia each conducted coordinated and aggressive disinformation campaigns targeting Western democracies such as the United States and United Kingdom. Manipulating global audiences towards favoring their own systems of governance is a long-term strategic objective of both China and Russia. However, despite similar aims, their influence operations tactics vary based on unique tool sets and resources. China and Russia each used information operations to target vaccine developers and the COVID economy in Western nations to gain business and economic advantage over competitors. Also:

go.recordedfuture.com/hubfs/reports/cta-2021-0122.pdf

Beware of this active UK NHS COVID-19 vaccination phishing attack

www.bleepingcomputer.com/news/security/beware-of-this-active-uk-nhs-covid-19-vaccination-phishing-attack/ The phishing email asks the recipient if they want to accept or decline the invitation to schedule their COVID-19 vaccination.

CYBER ATTACK AT PALFINGER GROUP

www.palfinger.ag/en/news/cyber-attack-at-palfinger-group_nag_832121 PALFINGER Group is currently the target of an ongoing global cyber attack. IT infrastructure is disrupted at the moment (including sending and receiving emails, ERP systems). A large proportion of the group’s worldwide locations are affected. It is not possible to estimate the precise extent and duration of the attack or its consequences at this time. Work is being carried out intensively on a solution. Also:

www.bleepingcomputer.com/news/security/leading-crane-maker-palfinger-hit-in-global-cyberattack/. Also:

www.govinfosecurity.com/cyber-incident-knocks-construction-firm-palfinger-offline-a-15849. Also:

www.itsecuritynews.info/crane-maker-palfinger-says-cyberattack-had-massive-impact-on-it-infrastructure/

The latest research to uncover further targets came from Erik Hjelmvik, founder of network security company Netresec. Hjelmvik created a decoder to determine which domains were targeted by the so-called Sunburst malware used by the hackers

www.forbes.com/sites/thomasbrewster/2021/01/25/solarwinds-hacks-virginia-regulator-and-5-billion-cybersecurity-firm-confirmed-as-targets/ His tool shows which domains were targeted by the second stage of the attacks, in which the attackers tried to use a backdoor that had been installed in phase one. He was able to find new targets by looking at encoded lists of domains that were being targeted by one of the hackers’ servers – avsvmcloud[.]com.

Tesla claims a software engineer stole critical automated software from its WARP Drive system

electrek.co/2021/01/23/tesla-claims-software-engineer-stolen-critical-automated-software-warp-drive-system/ Tesla is suing a recently hired software engineer who the company claims has stolen critical automated software from its WARP Drive ERP system.

Google fixes severe Golang Windows RCE vulnerability

www.bleepingcomputer.com/news/security/google-fixes-severe-golang-windows-rce-vulnerability/

Fake Office 365 Used for Phishing Attacks on C-Suite Targets

www.trendmicro.com/en_us/research/21/a/fake-office-365-used-for-phishing-attacks-on-c-suite-targets.html As of this writing, we found over 300 unique compromised URLs and 70 email addresses from eight compromised sites, including 40 legitimate emails of company CEOs, directors, owners, and founders, among other enterprise employee targets. We are now working with the respective authorities for further investigation. Also:

thehackernews.com/2021/01/targeted-phishing-attacks-target-high.html

Training Together to Fight Cybercrime: Improving Cooperation

www.enisa.europa.eu/news/enisa-news/training-together-to-fight-cybercrime-improving-cooperation The European Union Agency for Cybersecurity releases a new report and training material to support the cooperation among CSIRTs, Law Enforcement Agencies (LEAs) and their interaction with the judiciary.

Pan-Asian retail giant Dairy Farm suffers REvil ransomware attack

www.bleepingcomputer.com/news/security/pan-asian-retail-giant-dairy-farm-suffers-revil-ransomware-attack/ Massive pan-Asian retail chain operator Dairy Farm Group was attacked this month by the REvil ransomware operation. The attackers claim to have demanded a $30 million ransom.

Nefilim Ransomware Attack Uses “Ghost” Credentials

news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/ The company reached out to Rapid Response to get help with a Nefilim (also known as Nemty) ransomware attack in which more than 100 systems were impacted. Nefilim ransomware, like virtually all major ransomware, replaces the original files with encrypted versions, making recovery impossible without either the decryption key or a recent backup. Also:

www.zdnet.com/article/cybercriminals-use-deceased-staff-accounts-to-spread-nemty-ransomware/. Also: threatpost.com/nefilim-ransomware-ghost-account/163341/. Also:

nakedsecurity.sophos.com/2021/01/26/ghost-hack-criminals-use-deceased-employees-account-to-wreak-havoc/

ARM Exploitation Defeating NX By Invoking mprotect() Using ROP

medium.com/bugbountywriteup/arm-exploitation-defeating-nx-by-invoking-mprotect-using-rop-1450b6667c16 In this write-up, I will detail my walkthrough on exploiting a vulnerable HTTP web server with a non-executable stack using the return-to-libc attack.

CISA LAUNCHES CAMPAIGN TO REDUCE THE RISK OF RANSOMWARE

www.cisa.gov/news/2021/01/21/cisa-launches-campaign-reduce-risk-ransomware

TikTokin haavoittuvuus vaaransi käyttäjien yksityisiä tietoja Päivitä sovellus

www.epressi.com/tiedotteet/tietotekniikka/tiktokin-haavoittuvuus-vaaransi-kayttajien-yksityisia-tietoja-paivita-sovellus.html Check Point Research löysi nyt jo toisen kerran TikTokista tietoturva-aukkoja. Viimeksi se löysi tammikuussa 2020 TikTokista useita haavoittuvuuksia, jotka olisivat sallineet pääsyn käyttäjätileille. Tuolloin hyökkääjät olisivat voineet muokata käyttäjätilien sisältöä ja poimia niille tallennettuja luottamuksellisia, henkilökohtaisia tietoja.

RITICS: Securing cyber-physical systems

www.ncsc.gov.uk/blog-post/ritics-securing-cyber-physical-systems Discover the Research Institute in Trustworthy Inter-connected Cyber-physical Systems.

More trouble for WhatsApp: nasty new malware is spreading amongst chat app users

www.express.co.uk/life-style/science-technology/1388850/More-Trouble-For-WhatsApp-New-Malware-Spreading-Amongst-Chat-App-Users

Man arrested after ‘sophisticated cyber attack’ at Leicestershire school

www.leicestermercury.co.uk/news/local-news/man-arrested-after-sophisticated-cyber-4917361 The alleged hack affected home computers and laptops being used by students for remote learning, with reports of hard drives being completely wiped. It is not believed any personal data was taken.

Report: Data Breach Exposed 323K Records Including Sensitive Court Files

www.websiteplanet.com/blog/court-records-leak-report/ On September 26th, 2020 the WebsitePlanet research team in cooperation with Security Researcher Jeremiah Fowler discovered a non-password protected database that contained over 323, 277 court related records. Upon further investigation we noticed that the records were all related to Cook County, Illinois, the second most populous county in the United States after Los Angeles County.

You might be interested in …

Daily NCSC-FI news followup 2019-12-12

Hackers in Finland Test 5G Networks, Devices in Security Exercise www.wsj.com/articles/hackers-in-finland-test-5g-networks-devices-in-security-exercise-11576146601 We understand better how we need to change our approach from 4G to 5G, says government official. Read also: www.synopsys.com/blogs/software-security/5g-cyber-security-hackathon/, www.tivi.fi/uutiset/tv/32850776-f76d-4bdd-91af-445d5e3efefa and www.oulu.fi/yliopisto/uutiset/5ghack Microsoft details the most clever phishing techniques it saw in 2019 www.zdnet.com/article/microsoft-details-the-most-clever-phishing-techniques-it-saw-in-2019/ Earlier this month, Microsoft released a report on this […]

Read More

Daily NCSC-FI news followup 2020-11-11

Play Store identified as main distribution vector for most Android malware www.zdnet.com/article/play-store-identified-as-main-distribution-vector-for-most-android-malware The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study considered the largest one of its kind carried out to date. Lisäksi: arxiv.org/pdf/2010.10088.pdf Facebook link preview feature used as a […]

Read More

Daily NCSC-FI news followup 2021-02-25

Attackers scan for vulnerable VMware servers after PoC exploit release www.bleepingcomputer.com/news/security/attackers-scan-for-vulnerable-vmware-servers-after-poc-exploit-release/ After security researchers have developed and published proof-of-concept (PoC) exploit code targeting a critical vCenter remote code execution (RCE) vulnerability, attackers are now actively scanning for vulnerable Internet-exposed VMware servers. Lisäksi: www.zdnet.com/article/more-than-6700-vmware-servers-exposed-online-and-vulnerable-to-major-new-bug Health Website Leaks 8 Million COVID-19 Test Results threatpost.com/health-website-leaks-covid-19-test/164274/ A teenaged ethical […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.