Daily NCSC-FI news followup 2021-02-04

Cybersecurity firm Stormshield hacked. Data (including source code) stolen

grahamcluley.com/cybersecurity-firm-stormshield-hacked-data-including-source-code-stolen/ French cybersecurity firm Stormshield has revealed that it has suffered a security breach, and hackers have accessed sensitive information. The company, which is a major provider to the French government, says that a hacker managed to steal data after gaining access to a portal used by customers and partners, potentially accessing support tickets and communications with staff. While investigating the security breach, Stormshield also discovered that some of the source code for the Stormshield Network Security (SNS) firewall was also stolen. This raises the spectre of a malicious attacker either uncovering security holes in the firewall that might be exploited in later attacks, or the creation of malicious updates. also: www.stormshield.com/security-incident-stormshield/

Almost 7 million euros stolen through CEO fraud [For subscribers]

www.kauppalehti.fi/uutiset/toimitusjohtajapetoksilla-vietiin-lahes-7-miljoonaa-euroa/3293a940-864d-4ef1-9cd6-cb14adc339ca The criminal proceeds of so-called CEO fraud last year were at least 6.7 million euros. Police recorded a total of 414 criminal complaints about them. Police Inspector Tuomas Pöyhönen of the National Police Board proposes that information security should become one subject area, for example on entrepreneurship courses. "Too often the importance of information security is understood only after the damage has already happened," Pöyhönen says.

CVE-2021-20016: Zero-Day Vulnerability in SonicWall Secure Mobile Access (SMA) Exploited

www.tenable.com/blog/cve-2021-20016-zero-day-vulnerability-in-sonicwall-secure-mobile-access-sma-exploited SonicWall releases a patch after researchers confirm exploitation of a zero-day vulnerability in SonicWall Secure Mobile Access. Customers that deploy any of the affected SMA devices are strongly encouraged to upgrade as soon as possible. In addition to upgrading, SonicWall recommends customers reset passwords for those users who have logged into the device through the web interface as well as enabling multi-factor authentication as an additional safeguard. SonicWall notification: www.sonicwall.com/support/product-notification/urgent-patch-available-for-sma-100-series-10-x-firmware-zero-day-vulnerability-updated-feb-3-2-p-m-cst/210122173415410/

Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains

blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer As we’ve covered on our blog, there may be fewer cybercriminals responsible for ransomware attacks than one would initially think given the number of individual attacks, distinct strains, and amount stolen from victims. Cybersecurity researchers point out that many RaaS affiliates carrying out attacks switch between different strains, and many believe that seemingly distinct strains are actually controlled by the same people. Using blockchain analysis, we’ll investigate potential connections between four of 2020’s most prominent ransomware strains: Maze, Egregor, SunCrypt, and Doppelpaymer.

MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server

news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/ A real-world story from the Sophos Managed Threat Response team. Given the recent supply chain attack on SolarWinds, this attack is certainly of note. However, we could not identify concrete evidence that the two are connected. The C2s, web shell, and DLL used in this attack are not ones we have observed before, outside of this single incident, nor have we observed them used since.

Connecting the dots inside the Italian APT Landscape

yoroi.company/research/connecting-the-dots-inside-the-italian-apt-landscape/ The news of the hack of one of the major strategic Italian companies circulated in the first half of December 2020 and shocked a huge part of the national security community: Leonardo SpA (formerly Finmeccanica) runs critical services and projects directly related to the Italian defense industry and military corps. On 5 December 2020, the Italian police (CNAIPIC) published a press statement revealing that the Aerostructures and Aircraft division had been hacked for a long time. The malicious APT presence was dated back to 2015 and lasted for about two years inside the Leonardo division. We have been looking at this case since December 2020 and tracked this new actor as TH-261. But in the initial weeks of 2021 we noticed something unexpected: a set of similarities in recent ongoing attacks made us really suspicious about the nature and evolution of this threat.

Abusing Google Chrome extension syncing for data exfiltration and C&C

isc.sans.edu/forums/diary/Abusing+Google+Chrome+extension+syncing+for+data+exfiltration+and+CC/27066/ I had a pleasure (or not) of working on another incident where, among other things, attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. Some of the methods observed in analyzed code were pretty scary from a defender’s point of view, as you will see further below in this diary.

Information security 2021: 3 threats and 3 solutions for everyone

www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/tietoturva-2021-3-uhkaa-ja-3-ratkaisua-jokaiselle Ordinary internet users are threatened by scam traps that online criminals set in front of us daily. Not all the traps lie in the depths of the internet, since an online scammer can also pick up the phone. In organisations, threats come from shaky remote-work solutions, malware and phishing. Here is the TOP 3 of information security threats and solutions for everyday life and workplaces in 2021.

Criminals are phishing online banking credentials with the help of search results

www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/rikolliset-kalastelevat-verkkopankkitunnuksia-hakutulosten-avulla Criminals have phished Finns' online banking credentials and transferred large sums from victims' bank accounts. How is this possible when online banks use numerous security measures? In addition to the bank's own security measures, customers should continue to exercise caution when banking online.

Vulnerability Reward Program: 2020 Year in Review

security.googleblog.com/2021/02/vulnerability-reward-program-2020-year.html Despite the challenges of this unprecedented year, our vulnerability researchers have achieved more than ever before, partnering with our Vulnerability Reward Programs (VRPs) to protect Google’s users by discovering security and abuse bugs and reporting them to us for remediation. Their diligence helps us keep our users, and the internet at large, safe, and enables us to fix security issues before they can be exploited.

Major Vulnerabilities discovered and patched in Realtek RTL8195A Wi-Fi Module

www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ In a recent supply chain security assessment, Vdoo has analyzed multiple networking devices for security vulnerabilities and exposures. During the analysis we have discovered and responsibly disclosed six major vulnerabilities in Realtek’s RTL8195A Wi-Fi module that these devices were based on. An attacker that exploits the discovered vulnerabilities can gain remote root access to the Wi-Fi module, and from there very possibly hop to the application processor as well (as the attacker has complete control of the device’s wireless communications). The RTL8195 module is an extremely compact, low-power Wi-Fi module targeted at embedded devices. It has supported software from major vendors such as ARM, Samsung, Google, Amazon and more. For example, according to AWS it is used in a myriad of industries.

Facebook, Instagram, TikTok and Twitter Target Resellers of Hacked Accounts

krebsonsecurity.com/2021/02/facebook-instagram-tiktok-and-twitter-target-resellers-of-hacked-accounts/ Facebook, Instagram, TikTok, and Twitter this week all took steps to crack down on users involved in trafficking hijacked user accounts across their platforms. The coordinated action seized hundreds of accounts the companies say have played a major role in facilitating the trade and often lucrative resale of compromised, highly sought-after usernames.

Cryptoscam in Discord

www.kaspersky.com/blog/cryptoscam-in-discord/38661/ Scammers are luring Discord users to a fake cryptocurrency exchange with the promise of free Bitcoin or Ethereum.

Clearview Facial-Recognition Technology Ruled Illegal in Canada

threatpost.com/clearview-facial-recognition-canada/163650/ The company’s controversial practice of collecting and selling billions of faceprints was dealt a heavy blow by the Privacy Commissioner that could set a precedent in other legal challenges.

Plex Media servers actively abused to amplify DDoS attacks

www.bleepingcomputer.com/news/security/plex-media-servers-actively-abused-to-amplify-ddos-attacks/ Plex Media Server systems are actively being abused by DDoS-for-hire services as a UDP reflection/amplification vector in Distributed Denial of Service (DDoS) attacks.

Myanmar blocks Facebook as resistance grows to coup

apnews.com/article/aung-san-suu-kyi-social-media-myanmar-media-civil-disobedience-08ce7dd971655e839d6a81e7391d9e4f Myanmar’s new military government blocked access to Facebook as resistance to Monday’s coup surged amid calls for civil disobedience to protest the ousting of the elected government and its leader, Aung San Suu Kyi.

How to Audit Password Changes in Active Directory

thehackernews.com/2021/02/how-to-audit-password-changes-in-active.html Active Directory records any impactful changes across user accounts, including password changes and resets. The article assesses why and how administrators might leverage these core auditing features.
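As an added example (not code from the article), this is the check a Windows administrator would run to audit password changes and resets on a domain controller: enable the "User Account Management" audit subcategory, then pull Security-log events 4723 (an attempt was made to change an account's password) and 4724 (an attempt was made to reset an account's password). The event IDs and field names are Microsoft's documented ones; the 7-day window and the "resets only" filter at the end are assumptions for illustration.

```powershell
# Added example: audit password changes (4723) and resets (4724) in Active Directory.
# Run with administrative rights on a domain controller (or point -ComputerName at one).

# 1. Enable success and failure auditing for the "User Account Management" subcategory.
#    In a domain, set this through Group Policy (Advanced Audit Policy Configuration) so it
#    applies to every DC; auditpol is shown here for a single host.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# 2. Collect password change/reset events from the last 7 days (window is an assumption).
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = $since
}

# 3. Extract the fields that matter from each event's XML payload.
$report = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        EventId       = $e.Id
        Action        = if ($e.Id -eq 4723) { 'Change' } else { 'Reset' }
        Outcome       = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        TargetAccount = $data['TargetUserName']   # whose password was changed/reset
        TargetDomain  = $data['TargetDomainName']
        ChangedBy     = $data['SubjectUserName']  # who performed the action
        DC            = $e.MachineName
    }
}

# 4. Resets (4724) are done by someone other than the account owner, so they are the
#    first thing to review: resets of privileged accounts, or resets by accounts outside
#    the helpdesk, warrant follow-up.
$report | Where-Object { $_.Action -eq 'Reset' } |
    Sort-Object Time -Descending |
    Format-Table Time, Outcome, TargetAccount, ChangedBy, DC -AutoSize
```

Each domain controller logs only the changes it processed, so run this on every DC or forward the Security logs to a central collector before filtering. Failed 4723 events against one account from one source in quick succession are also worth alerting on, since they look like a password-guessing attempt with a known old password.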

Upcoming Security Updates for Adobe Acrobat and Reader (APSB21-09)

blogs.adobe.com/psirt/?p=1967
