Daily NCSC-FI news followup 2021-02-23

Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion

www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html “”. Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the “CL0P^_- LEAKS”.onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell. Lisäksi:

www.zdnet.com/article/fireeye-links-0-day-attacks-on-fta-servers-extortion-campaign-to-fin11-group. Lisäksi:

thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html

Information about ransomware attack in Norway

www.tietoevry.com/en/newsroom/all-news-and-releases/other-news/2021/02/information-about-ransomware-attack-in-norway/ Monday 22nd of February 2021 TietoEVRY experienced technical challenges in several services that we deliver to 25 customers within retail, manufacturing and service-related industries. Investigations showed that the incident was caused by a ransomware attack, and hence we consider it as a serious criminal act. Lisäksi:

www.bleepingcomputer.com/news/security/finnish-it-giant-tietoevry-discloses-ransomware-attack/. Lisäksi:

www.tivi.fi/uutiset/tv/14c047ae-8727-4770-9b7e-9d48976dca0f

The bitcoin blockchain is helping keep a botnet from being taken down

arstechnica.com/information-technology/2021/02/crooks-use-the-bitcoin-blockchain-to-protect-their-botnets-from-takedown/ Wallet transactions camouflage the IP address of the botnet’s control server. When hackers corral infected computers into a botnet, they take special care to ensure they don’t lose control of the server that sends commands and updates to the compromised devices. The precautions are designed to thwart security defenders who routinely dismantle botnets by taking over the command-and-control server that administers them in a process known as sinkholing.

How Does Triton Attack Triconex Industrial Safety Systems?

blogs.cisco.com/security/how-does-triton-attack-triconex-industrial-safety-systems Triton is malware developed to affect industrial systems, particularly the Triconex safety system from Schneider. This is deployed at over 15, 000 sites across the world, but the malware allegedly only targeted a critical energy industrial site in the Middle East in 2017.

Ukraine: DDoS attacks on govt sites originated from Russia

www.bleepingcomputer.com/news/security/ukraine-ddos-attacks-on-govt-sites-originated-from-russia/ The National Security and Defense Council (NSDC) of Ukraine is accusing threat actors located on Russia networks of performing DDoS attacks on Ukrainian government websites since February 18th. The National Coordination Center for Cybersecurity (NCCC) at the NSDC state that these DDoS attacks have been massive and have targeted government websites in the defense and security sector.

Keybase secure messaging fixes photo-leaking bug patch now!

nakedsecurity.sophos.com/2021/02/23/keybase-secure-messaging-fixes-photo-leaking-bug-patch-now/ Keybase, owned by online meeting and teleconferencing behemoth Zoom, is a secure messaging and file sharing service that describes itself as providing “end-to-end encryption for things that matter.”

Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs

thehackernews.com/2021/02/shadow-attacks-let-attackers-replace.html Researchers have demonstrated a novel class of attacks that could allow a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents.

You might be interested in …

Daily NCSC-FI news followup 2020-05-01

Ransomware mentioned in 1,000+ SEC filings over the past year www.zdnet.com/article/ransomware-mentioned-in-1000-sec-filings-over-the-past-year/#ftag=RSSbaffb68 A growing number of public companies are now listing ransomware as a forward-looking risk factor in documents filed with the US Securities Exchange Commission. Listing ransomware as a risk factor in SEC filings shows that companies now understand the danger posed by a ransomware […]

Read More

Daily NCSC-FI news followup 2020-12-25

SUNBURST Additional Technical Details www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers familiarize themselves with our blog post about the SolarWinds supply chain compromise, which revealed a global intrusion campaign by a sophisticated […]

Read More

Daily NCSC-FI news followup 2020-07-10

Mitigating a 754 Million PPS DDoS Attack Automatically blog.cloudflare.com/mitigating-a-754-million-pps-ddos-attack-automatically/ On June 21, Cloudflare automatically mitigated a highly volumetric DDoS attack that peaked at 754 million packets per second. This DDoS campaign, the attack peaked at a mere 250 Gbps so it does not seem as the attacker intended to saturate our Internet links, perhaps because […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.