Daily NCSC-FI news followup 2021-02-02

Highly convincing scam sites are circulating: do not go to your online bank via a Google search

www.finanssiala.fi/uutismajakka/Sivut/Liikkeella-uskottavia-huijaussivuja-ala-mene-verkkopankkiin-Google-haun-kautta.aspx Scammers are currently going after online banks very actively using the familiar email links. In addition, banks have detected a new scam campaign in which criminals have, one way or another, managed to slip their scam sites into Google's search results. Banks advise that, at least for the time being, you should not reach your online bank by searching for the bank's name on Google, but by typing the address into the browser's address bar. also:

yle.fi/uutiset/3-11768716

Authorities are having Vastaamo data removed from the web, but it cannot be gotten rid of: "That is probably how it will go"

www.is.fi/digitoday/tietoturva/art-2000007776531.html Vastaamo's customer register ended up online last week and has since appeared on several file-sharing servers on the internet. Download links have been shared in Tor network discussions, among other places, and possibly also via instant messengers. According to Ville Kontinen, information security specialist at the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom, "several, but not dozens" of takedown requests have been made for the files. In practice it is almost impossible to keep track of how many people have downloaded the file.

Lahti man made his mark on the Tor network: rose to the top of Finland's drug trade in six months and earned a million

www.tivi.fi/uutiset/tv/0af19922-3a80-4a54-bb87-0a786a4aa85c The National Bureau of Investigation (Krp) uncovered large-scale and continuous distribution of narcotics by a 24-year-old man from Lahti. The case shows that criminals are not as safe on the Tor network as they imagine. At the proposal of the National Police Board, Parliament has recently granted the police additional funding for monitoring the dark web and building situational awareness. The additional resources will be assigned to the National Bureau of Investigation's internet intelligence unit.

Speaker Vehviläinen: Because of the cyber attack, MPs will receive information security training; threats against MPs are also being investigated

yle.fi/uutiset/3-11767479 Parliament was targeted by a cyber attack shortly before Christmas. The National Bureau of Investigation is investigating the attack as an aggravated computer break-in and espionage. "We cannot downplay this attack, which has been directed against our democracy. MPs will be given information security training by the National Cyber Security Centre," Vehviläinen says.

Kobalos: A complex Linux threat to high performance computing infrastructure

www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ ESET researchers have analyzed malware that has been targeting high performance computing (HPC) clusters, among other high-profile targets. We reverse engineered this small, yet complex, malware that is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows. PDF report:

www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf

Cloudy With A Chance Of Persistent Email Access

www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/ How an Advanced Threat Group Leveraged Microsoft Azure to Gain Persistent Access to Emails. In this post, we’re going to enumerate (1) the attack chain wherein the threat group gains long-term access to all users’ mailboxes within an O365 tenant and (2) the evidence sources that track such activity.

Agent Tesla amps up information stealing attacks

news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/ Recent updates to this common RAT add new communications methods and subvert the operating system’s own defenses. In this report, we will delve into the two currently active versions, which we’ve identified as Agent Tesla version 2 and version 3. The differences between the two demonstrate how the RAT has evolved, employing multiple types of defense evasion and obfuscation to avoid detection, including options to install and use the Tor anonymizing network client, and the Telegram messaging API, for command and control (C2) communications. The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing more C2 options to their attacker customers.

Interview With a Russian Cybercriminal

www.darkreading.com/endpoint/interview-with-a-russian-cybercriminal/d/d-id/1340029 To better understand the attacker’s perspective, Cisco Talos researchers interviewed a LockBit ransomware operator. Their interaction, as with many in the security world, began on Twitter. This operator, who would not share his name but is referred to as “Aleks,” tagged a member of the Talos team in a tweet promoting his compromise of a Latin American financial institution. also:

blog.talosintelligence.com/2021/02/interview-with-lockbit-ransomware.html. PDF:

talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf

Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks

www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-exploits-to-encrypt-virtual-hard-disks/ Two VMWare ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, reported as abused in the wild. System administrators at companies that rely on VMWare ESXi to manage the storage space used by their virtual machines are advised to either apply the necessary ESXi patches or disable SLP support to prevent attacks if the protocol isn’t needed.

Ransomware gangs now have industrial targets in their sights. That raises the stakes for everyone

www.zdnet.com/article/ransomware-gangs-now-have-industrial-targets-in-their-sights-that-raises-the-stakes-for-everyone/ Manufacturers and infrastructure can make a tempting target for ransomware attacks because the organisations in these sectors need to be in operation around the clock, whether that’s running a factory production line or operating a utilities plant. If they can’t provide these services, there can be wide-ranging impacts further down the supply chain. “Industrial organisations will feel more pressure to pay the ransom as periods of inoperability have significant impacts to their customers. This may result in a perception that organizations in this area are more likely to pay a ransom demand compared to organizations in other sectors,” says Jamie Hart, cyber-threat intelligence analyst at Digital Shadows. also:

www.digitalshadows.com/blog-and-research/ransomware-analyzing-the-data-from-2020/

Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands

www.coveware.com/blog/ransomware-marketplace-report-q4-2020 The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q4 of 2020. Ransomware groups continue to leverage data exfiltration as a tactic. However, the trust that stolen data will be deleted is eroding; defaults are becoming more frequent when exfiltrated data is made public despite the victim paying. In Q4, email phishing overtook RDP compromises as the dominant attack vector. This is the first quarter since Coveware has been tracking data that RDP compromise has not been the primary attack vector. Precursor malware, like Trickbot / Emotet, favor widespread phishing campaigns as their primary delivery mechanism.

New Threat: Matryosh Botnet Is Spreading

blog.netlab.360.com/matryosh-botnet-is-spreading-en/ On January 25, 2021, the 360 netlab BotMon system labeled a suspicious ELF file as Mirai, but the network traffic did not match Mirai’s characteristics. This anomaly caught our attention, and after analysis we determined that it was a new botnet that reuses the Mirai framework, propagates through the ADB interface, and targets Android-like devices with the main purpose of DDoS attacks. It redesigns the encryption algorithm and obtains the Tor C2 and the Tor proxies from remote hosts via DNS TXT records.

What tracking an attacker email infrastructure tells us about persistent cybercriminal operations

www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/ – From March to December 2020, we tracked segments of a dynamically generated email infrastructure that attackers used to send more than a million emails per month, distributing at least seven distinct malware families in dozens of campaigns using a variety of phishing lures and tactics. By tracing these campaigns, we uncovered a sprawling infrastructure that is robust enough to seem legitimate to many mail providers, while flexible enough to allow the dynamic generation of new domain names and remain evasive.

ValidCC, a Major Payment Card Bazaar and Looter of E-Commerce Sites, Shuttered

krebsonsecurity.com/2021/02/validcc-a-major-payment-card-bazaar-and-looter-of-e-commerce-sites-shuttered/ ValidCC, a dark web bazaar run by a cybercrime group that for more than six years hacked online merchants and sold stolen payment card data, abruptly closed up shop last week. The proprietors of the popular store said their servers were seized as part of a coordinated law enforcement operation designed to disconnect and confiscate its infrastructure.

Coming soon to ACD users…the ‘MyNCSC’ platform

www.ncsc.gov.uk/blog-post/myncsc-coming-soon MyNCSC brings together a range of NCSC cyber security services within a single, accessible platform.

New Example of XSL Script Processing aka “Mitre T1220”

isc.sans.edu/forums/diary/New+Example+of+XSL+Script+Processing+aka+Mitre+T1220/27056/

Credit card skimmer piggybacks on Magento 1 hacking spree

blog.malwarebytes.com/cybercrime/2021/02/credit-card-skimmer-piggybacks-on-magento-1-hacking-spree/ Back in the fall of 2020 threat actors started to massively exploit a vulnerability in the no-longer maintained Magento 1 software branch. As a result, thousands of e-commerce shops were compromised and many of them injected with credit card skimming code. In the incident we describe in this post, the threat actors also took into account that an e-commerce site may get cleaned up from a Magento 1 hack. When that happens, an alternate version of their skimmer injects its own fields that mimic a legitimate payments platform.
