Daily NCSC-FI news followup 2021-02-03

Aiming for more cooperation in cybersecurity

www.maaseuduntulevaisuus.fi/mielipiteet/artikkeli-1.1306798 Erillisverkot CEO Timo Lehtimäki wrote in Maaseudun Tulevaisuus about cooperation between authorities and tightening it in the field of cybersecurity (MT 29 Jan). The piece could not have been more timely or more on target. As a consequence of the ruthless Vastaamo data breach, the state of information security and data protection in society's critical sectors was examined under an urgent mandate led by the Ministry of Transport and Communications. The working group submitted its report, Improving information security and data protection in society's critical sectors, on 31 Jan. The working group proposes numerous improvements to the current situation. They focus particularly on improving cooperation between authorities and filling resource gaps in various sectors. In addition, the working group calls for more precise and stricter information security legislation than at present.

Sweden wants to dispel the smokescreen used by pirates: Telia threatened with fines of millions unless it complies

www.tivi.fi/uutiset/tv/c9555f64-0e35-470b-8935-300713eac402 Computer Sweden reports that on 1 April 2020 new rules concerning network address translation, i.e. NAT technology, came into force in Sweden. The new Swedish rules oblige operators to store more information about users than just the IP address. In other words, Sweden does not want pirates to hide behind the easy anonymity that a NAT network provides. Telia has so far not complied with these orders, so the Swedish Post and Telecom Authority PST is threatening the operator with a fine of SEK 10 million, i.e. EUR 990,000, unless it falls into line by 1 April.

Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency sources

www.reuters.com/article/us-cyber-solarwinds-china/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUSKBN2A22K8 Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the matter told Reuters, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency. While the alleged Russian hackers penetrated deep into SolarWinds network and hid a “back door” in Orion software updates which were then sent to customers, the suspected Chinese group exploited a separate bug in Orion’s code to help spread across networks they had already compromised, the sources said. SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but that it had “not found anything conclusive” to show who was responsible. also:


Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities

www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/ In this blog, I will be discussing three new security issues that I recently found in several SolarWinds products. All three are severe bugs with the most critical one allowing remote code execution with high privileges. To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any “in the wild” attacks. However, given the criticality of these issues, we recommend that affected users patch as soon as possible. We have purposely left out specific Proof of Concept (PoC) code in this post in order to give SolarWinds users a longer margin to patch but we will post an update to this blog that includes the PoC code on Feb. 9.

Rubbish software security patches responsible for a quarter of zero-days last year

www.theregister.com/2021/02/03/enigma_patch_zero/ To limit the impact of zero-day vulnerabilities, Google security researcher Maddie Stone would like those developing software fixes to stop delivering shoddy patches. Zero-day flaws are a problem because they may be exploited for long periods of time before they’re detected and dealt with. There were 24 of them in 2020, four more than in 2019, Stone said. “Looking at them all together as a group, the number that stuck out the most to me was that six out of the 24 zero-days exploited in 2020 are variants of previously disclosed vulnerabilities,” she said. “On top of that, three out of the 24 vulnerabilities were incompletely patched, meaning that with just a few tweaks, you could have an exploit that still works even after the patch was applied.”

Top 10 most exploited vulnerabilities from 2020

www.helpnetsecurity.com/2021/02/03/2020-top-exploited-vulnerabilities/ Vulnerability intelligence-as-a-service outfit vFeed has compiled a list of the top 10 most exploited vulnerabilities from 2020, and among them are SMBGhost, Zerologon, and SIGRed. The company compiled the top 10 most exploited vulnerabilities from 2020 list based on how many proof-of-concept exploits are out there (per vulnerability), how easily the vulnerability can be exploited, how many malware-based campaigns are using it, and so on.

Cisco fixes critical code execution bugs in SMB VPN routers

www.bleepingcomputer.com/news/security/cisco-fixes-critical-code-execution-bugs-in-smb-vpn-routers/ Cisco has addressed multiple pre-auth remote code execution (RCE) vulnerabilities affecting several small business VPN routers and allowing attackers to execute arbitrary code as root on successfully exploited devices. Luckily, even if you cannot immediately patch vulnerable routers, the Cisco Product Security Incident Response Team (PSIRT) says that it isn’t “aware of any public announcements or malicious use of the vulnerabilities.”

Recent root-giving Sudo bug also impacts macOS

www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-macos/ A British security researcher has discovered today that a recent security flaw in the Sudo app also impacts the macOS operating system, and not just Linux and BSD, as initially believed.

Five Critical Android Bugs Patched, Part of Feb. Security Bulletin

threatpost.com/five-critical-bugs-patched-feb-security-bulletin/163623/ Google patched five critical bugs in its Android operating system as part of its February Security Bulletin. Two of the flaws were remote code execution vulnerabilities found within the Android media framework and system. Three additional critical Qualcomm bugs were reported by Google and patched by Qualcomm as part of a separate security bulletin disclosure. One of those flaws (CVE-2020-11163) has a Common Vulnerability Scoring System (CVSS) rating of 9.8 out of 10. The bug is tied to the wireless local area network (WLAN) chip used for Wi-Fi communications.

Hildegard: New TeamTNT Malware Targeting Kubernetes

unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ In January 2021, Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured kubelet that allowed anonymous access. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT. We refer to this new malware as Hildegard, the username of the tmate account that the malware used.

Backdoored Browser Extensions Hid Malicious Traffic in Analytics Requests

decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/ This blog post brings more technical details on CacheFlow: a threat that we first reported about in December 2020. We described a huge campaign composed of dozens of malicious Chrome and Edge browser extensions with more than three million installations in total. We alerted both Google and Microsoft about the presence of these malicious extensions on their respective extension stores and are happy to announce that both companies have since taken all of them down as of December 18, 2020.

Whitespace Steganography Conceals Web Shell in PHP Malware

blog.sucuri.net/2021/02/whitespace-steganography-conceals-web-shell-in-php-malware.html Last November, we wrote about how attackers are using JavaScript injections to load malicious code from legitimate CSS files. At first glance, these injections didn’t appear to contain anything except for some benign CSS rules. A more thorough analysis of the .CSS file revealed 56,964 seemingly empty lines containing combinations of invisible tab (0x09), space (0x20), and line feed (0x0A) characters, which were converted to a binary representation of characters and then to the text of executable JavaScript code. It didn’t take long before we found the same approach used in PHP malware. Here’s what our malware analyst Liam Smith discovered while recently working on a site containing multiple backdoors and webshells uploaded by hackers.
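A defender-side check for the whitespace technique described above, added here as an example and not code from the Sucuri post: it counts lines made only of tabs and spaces in a file and, when there are many of them, decodes them under an assumed mapping (tab = 1, space = 0, one 8-bit character per line) so an analyst can see what the "empty" lines hide. The exact bit mapping used by the real malware is not given on the page, so that mapping and the sample CSS are constructed for this demo.

```python
import re

# Matches a line that is non-empty but consists only of tabs and spaces.
WS_ONLY = re.compile(r"^[\t ]+$")

def encode_hidden(text):
    """Demo helper: hide `text` as whitespace-only lines (ASSUMED scheme:
    tab = bit 1, space = bit 0, one 8-bit character per line)."""
    return ["".join("\t" if b == "1" else " " for b in format(ord(c), "08b"))
            for c in text]

def find_whitespace_lines(content):
    """Return (line_number, line) for every whitespace-only line."""
    return [(n, line) for n, line in enumerate(content.split("\n"), 1)
            if WS_ONLY.match(line)]

def decode_whitespace_lines(ws_lines):
    """Decode whitespace-only lines under the assumed tab/space bit mapping.
    Lines that are not exactly 8 characters long are skipped."""
    out = []
    for _, line in ws_lines:
        bits = "".join("1" if ch == "\t" else "0" for ch in line)
        if len(bits) == 8:
            out.append(chr(int(bits, 2)))
    return "".join(out)

def assess(content, threshold=5):
    """Flag content whose whitespace-only line count reaches `threshold`
    (a real hit had 56,964 such lines) and attempt to decode it."""
    ws = find_whitespace_lines(content)
    suspicious = len(ws) >= threshold
    return {
        "whitespace_lines": len(ws),
        "suspicious": suspicious,
        "decoded": decode_whitespace_lines(ws) if suspicious else "",
    }

# Constructed sample: benign-looking CSS with a hidden string in its blank lines.
SAMPLE_CSS = ("body { margin: 0; }\n"
              + "\n".join(encode_hidden("hidden!"))
              + "\n.x { color: red; }\n")

# Constructed clean file: indented rules and genuinely empty lines only.
CLEAN_CSS = "body {\n    margin: 0;\n}\n\n.x {\n    color: red;\n}\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CSS))
    print(assess(CLEAN_CSS))
```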

‘Russia Is Ready’ to Disconnect from Global Internet, Medvedev Says

www.themoscowtimes.com/2021/02/01/russia-is-ready-to-disconnect-from-global-internet-medvedev-says-a72791 Russia is “legally and technologically” ready to disconnect from the global internet if needed, former President Dmitry Medvedev told Interfax Monday. While Medvedev said Russia is capable of isolating its internet from the global web, he stressed that he didn’t see any reason to do so, calling it a “double-edged weapon.” Medvedev’s statement comes on the heels of mass protests that swept more than 100 Russian cities over the past two weekends. The rallies were sparked by the detention of Kremlin critic Alexei Navalny and the release of his “Putin’s Palace” investigation, which drew over 100 million views on YouTube. Last week, Russia’s communications regulator said it would fine seven social media companies for not taking down videos promoting the protests.

Defending software build pipelines from malicious attack

www.ncsc.gov.uk/blog-post/defending-software-build-pipelines-from-malicious-attack Compromise of your software build pipeline can have wide-reaching impact; here’s how to tackle the problem.

Excel spreadsheets push SystemBC malware


CD Projekt warns against using Cyberpunk 2077 mods until a serious security flaw is fixed

www.pcgamer.com/cd-projekt-warns-against-using-cyberpunk-2077-mods-until-a-serious-security-flaw-is-fixed/ CD Projekt Red is warning Cyberpunk 2077 players to be cautious when using mods, as a recently discovered vulnerability in a DLL file could be used to execute code on PCs and PlayStation 4 consoles running the game.

8 Top Technical Resource Providers for ICS Security Professionals

www.tripwire.com/state-of-security/ics-security/7-top-technical-resource-providers-ics-security-professionals/ Attacks against industrial control systems (ICS) are on the rise. In its 2020 X-Force Threat Intelligence Report, for instance, IBM found that digital attacks targeting organizations’ ICS had increased by more than 2,000% between 2019 and 2018. Towards that end, here are eight providers that ICS professionals can use to train and continuously educate their teams to defend their organizations’ ICS.
