Daily NCSC-FI news followup 2021-02-23

Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion

www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell. Also:

www.zdnet.com/article/fireeye-links-0-day-attacks-on-fta-servers-extortion-campaign-to-fin11-group. Also:

thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html

Information about ransomware attack in Norway

www.tietoevry.com/en/newsroom/all-news-and-releases/other-news/2021/02/information-about-ransomware-attack-in-norway/ On Monday, 22 February 2021, TietoEVRY experienced technical challenges in several services that we deliver to 25 customers within retail, manufacturing and service-related industries. Investigations showed that the incident was caused by a ransomware attack, and hence we consider it a serious criminal act. Also:

www.bleepingcomputer.com/news/security/finnish-it-giant-tietoevry-discloses-ransomware-attack/. Also:

www.tivi.fi/uutiset/tv/14c047ae-8727-4770-9b7e-9d48976dca0f

The bitcoin blockchain is helping keep a botnet from being taken down

arstechnica.com/information-technology/2021/02/crooks-use-the-bitcoin-blockchain-to-protect-their-botnets-from-takedown/ Wallet transactions camouflage the IP address of the botnet’s control server. When hackers corral infected computers into a botnet, they take special care to ensure they don’t lose control of the server that sends commands and updates to the compromised devices. The precautions are designed to thwart security defenders who routinely dismantle botnets by taking over the command-and-control server that administers them in a process known as sinkholing.

How Does Triton Attack Triconex Industrial Safety Systems?

blogs.cisco.com/security/how-does-triton-attack-triconex-industrial-safety-systems Triton is malware developed to affect industrial systems, particularly the Triconex safety system from Schneider. This system is deployed at over 15,000 sites across the world, but the malware allegedly only targeted a critical energy industrial site in the Middle East in 2017.

Ukraine: DDoS attacks on govt sites originated from Russia

www.bleepingcomputer.com/news/security/ukraine-ddos-attacks-on-govt-sites-originated-from-russia/ The National Security and Defense Council (NSDC) of Ukraine is accusing threat actors located on Russian networks of performing DDoS attacks on Ukrainian government websites since February 18th. The National Coordination Center for Cybersecurity (NCCC) at the NSDC states that these DDoS attacks have been massive and have targeted government websites in the defense and security sector.

Keybase secure messaging fixes photo-leaking bug: patch now!

nakedsecurity.sophos.com/2021/02/23/keybase-secure-messaging-fixes-photo-leaking-bug-patch-now/ Keybase, owned by online meeting and teleconferencing behemoth Zoom, is a secure messaging and file sharing service that describes itself as providing “end-to-end encryption for things that matter.”

Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs

thehackernews.com/2021/02/shadow-attacks-let-attackers-replace.html Researchers have demonstrated a novel class of attacks that could allow a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents.
