Daily NCSC-FI news followup 2021-02-23

Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion

www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell. See also:

www.zdnet.com/article/fireeye-links-0-day-attacks-on-fta-servers-extortion-campaign-to-fin11-group


Information about ransomware attack in Norway

www.tietoevry.com/en/newsroom/all-news-and-releases/other-news/2021/02/information-about-ransomware-attack-in-norway/ On Monday, 22 February 2021, TietoEVRY experienced technical challenges in several services that we deliver to 25 customers within the retail, manufacturing and service-related industries. Investigations showed that the incident was caused by a ransomware attack, and hence we consider it a serious criminal act. See also:

www.bleepingcomputer.com/news/security/finnish-it-giant-tietoevry-discloses-ransomware-attack/


The bitcoin blockchain is helping keep a botnet from being taken down

arstechnica.com/information-technology/2021/02/crooks-use-the-bitcoin-blockchain-to-protect-their-botnets-from-takedown/ Wallet transactions camouflage the IP address of the botnet’s control server. When hackers corral infected computers into a botnet, they take special care to ensure they don’t lose control of the server that sends commands and updates to the compromised devices. The precautions are designed to thwart security defenders who routinely dismantle botnets by taking over the command-and-control server that administers them in a process known as sinkholing.
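The resolution step the article describes, as an added example that is not from the article or from the research it summarizes: a constructed, hypothetical encoding in which two inbound payments to an attacker-controlled wallet carry the four octets of the C2 IPv4 address in their satoshi amounts. The wallet history, the record layout and the field names (`block_height`, `value_sat`) are constructed for this example and are not real chain data, and the function names are the example's own. The bot-side resolver reads the newest two payments; the defender-side functions show what a sinkhole operator gets from the same public ledger: every address the wallet has ever pointed to, and the fact that, under this scheme, anyone who can pay into the wallet can repoint it.

```python
import ipaddress

def encode_ipv4_as_amounts(ip):
    """Hypothetical scheme: split an IPv4 address into two 16-bit satoshi amounts.
    Returns [hi, lo]; the operator pays lo first and hi second, so the newest
    payment on the wallet carries the high half."""
    packed = int(ipaddress.IPv4Address(ip))
    return [(packed >> 16) & 0xFFFF, packed & 0xFFFF]

def decode_amounts_to_ipv4(amounts):
    """Inverse of encode_ipv4_as_amounts. Rejects amounts that cannot be octet
    pairs, which is how an ordinary (larger) payment into the wallet is told apart."""
    hi, lo = amounts
    if not (0 <= hi <= 0xFFFF and 0 <= lo <= 0xFFFF):
        raise ValueError("amount does not fit in 16 bits: %r" % (amounts,))
    return str(ipaddress.IPv4Address((hi << 16) | lo))

def newest_first(wallet_txs):
    return sorted(wallet_txs, key=lambda t: t["block_height"], reverse=True)

def resolve_c2(wallet_txs):
    """Bot side: the two newest inbound payments name the current C2 address,
    or None when the wallet has no usable pair."""
    txs = newest_first(wallet_txs)[:2]
    if len(txs) < 2:
        return None
    try:
        return decode_amounts_to_ipv4([txs[0]["value_sat"], txs[1]["value_sat"]])
    except ValueError:
        return None

def historical_c2_candidates(wallet_txs):
    """Defender side: the ledger is public, so every adjacent pair of payments
    yields a candidate the bot may have used at some point. Pairs that straddle
    two updates produce spurious candidates; those are harmless on a blocklist."""
    txs = newest_first(wallet_txs)
    out = []
    for newer, older in zip(txs, txs[1:]):
        try:
            out.append(decode_amounts_to_ipv4([newer["value_sat"], older["value_sat"]]))
        except ValueError:
            continue  # an ordinary payment, not part of an address pair
    return out

def simulate_sinkhole_injection(wallet_txs, sinkhole_ip, height):
    """Defender side: because anyone can pay into a Bitcoin address, two payments
    whose amounts encode sinkhole_ip become the newest pair and win resolution
    under this scheme. Returns the address bots would resolve afterwards."""
    hi, lo = encode_ipv4_as_amounts(sinkhole_ip)
    injected = [
        {"txid": "defender-lo", "block_height": height,     "value_sat": lo},
        {"txid": "defender-hi", "block_height": height + 1, "value_sat": hi},
    ]
    return resolve_c2(list(wallet_txs) + injected)

# Constructed wallet history in block-explorer style; amounts chosen to encode the
# documentation addresses 203.0.113.10 and 198.51.100.7. Not real chain data.
SAMPLE_WALLET_HISTORY = [
    {"txid": "tx-z", "block_height": 670000, "value_sat": 100000},  # unrelated payment
    {"txid": "tx-a", "block_height": 670100, "value_sat": 28938},   # lo half of 203.0.113.10
    {"txid": "tx-b", "block_height": 670101, "value_sat": 51968},   # hi half of 203.0.113.10
    {"txid": "tx-c", "block_height": 670400, "value_sat": 25607},   # lo half of 198.51.100.7
    {"txid": "tx-d", "block_height": 670401, "value_sat": 50739},   # hi half of 198.51.100.7
]

if __name__ == "__main__":
    print("bot resolves:", resolve_c2(SAMPLE_WALLET_HISTORY))
    print("all candidates:", historical_c2_candidates(SAMPLE_WALLET_HISTORY))
    print("after injection:", simulate_sinkhole_injection(SAMPLE_WALLET_HISTORY, "192.0.2.1", 670500))
```

The point for a defender is the asymmetry the article describes: the wallet cannot be seized the way a domain or a hosting account can, but everything written to it is public, so the same history that lets bots find the server lets a sinkhole operator enumerate every past address and, in a scheme as simple as this constructed one, overwrite the pointer with two small payments. Whether a real botnet's encoding is this easy to repoint depends on details the article does not cover.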

How Does Triton Attack Triconex Industrial Safety Systems?

blogs.cisco.com/security/how-does-triton-attack-triconex-industrial-safety-systems Triton is malware developed to affect industrial systems, particularly the Triconex safety system from Schneider Electric. This is deployed at over 15,000 sites across the world, but the malware allegedly only targeted a critical energy industrial site in the Middle East in 2017.

Ukraine: DDoS attacks on govt sites originated from Russia

www.bleepingcomputer.com/news/security/ukraine-ddos-attacks-on-govt-sites-originated-from-russia/ The National Security and Defense Council (NSDC) of Ukraine is accusing threat actors located on Russian networks of performing DDoS attacks on Ukrainian government websites since February 18th. The National Coordination Center for Cybersecurity (NCCC) at the NSDC states that these DDoS attacks have been massive and have targeted government websites in the defense and security sector.

Keybase secure messaging fixes photo-leaking bug: patch now!

nakedsecurity.sophos.com/2021/02/23/keybase-secure-messaging-fixes-photo-leaking-bug-patch-now/ Keybase, owned by online meeting and teleconferencing behemoth Zoom, is a secure messaging and file sharing service that describes itself as providing “end-to-end encryption for things that matter.”

Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs

thehackernews.com/2021/02/shadow-attacks-let-attackers-replace.html Researchers have demonstrated a novel class of attacks that could allow a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents.
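A check a verifier would want after reading this, as an added example that is not from the article or from the researchers' work: the attacks append to a signed PDF through PDF incremental updates, which add bytes after the revision that the signature's /ByteRange covers. The code below builds a minimal, constructed PDF whose single signature dictionary covers the whole file (the signature value is a dummy placeholder, not a real CMS signature), appends a constructed incremental update in the place a shadow update would go, and reports whether any unsigned bytes follow the signed range. The function names and the object offsets in the sample are the example's own.

```python
import re

# /ByteRange [a b c d]: the signature hash covers bytes [a, a+b) and [c, c+d);
# the gap between them holds the /Contents hex string with the signature value.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signature_byte_ranges(pdf):
    """All /ByteRange arrays in the file, as (a, b, c, d) tuples."""
    return [tuple(int(x) for x in m.groups()) for m in BYTE_RANGE_RE.finditer(pdf)]

def unsigned_tail(pdf):
    """Number of bytes after the end of the last signed range, or None if the
    file carries no signature at all."""
    ranges = signature_byte_ranges(pdf)
    if not ranges:
        return None
    signed_end = max(c + d for (_a, _b, c, d) in ranges)
    return len(pdf) - signed_end

def has_post_signature_update(pdf):
    """True when bytes other than trailing end-of-line whitespace follow the
    signed range, i.e. an incremental update was appended after signing."""
    tail = unsigned_tail(pdf)
    if tail is None:
        return False
    return pdf[len(pdf) - tail:].strip(b"\r\n\t ") != b""

def build_signed_pdf():
    """Constructed minimal PDF with one signature dictionary whose /ByteRange
    covers everything except the placeholder /Contents. The signature value is
    a dummy (all zeros); offsets are computed so the array is self-consistent."""
    contents = b"<" + b"00" * 8 + b">"
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /Contents "
    tail = b" /ByteRange [{BR}] >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

    def render(byte_range):
        return head + contents + tail.replace(b"{BR}", byte_range)

    width = len(b"%010d %010d %010d %010d" % (0, 0, 0, 0))
    total = len(render(b" " * width))  # fixed-width numbers keep the length stable
    a, b = 0, len(head)                # signed: file header up to /Contents
    c = b + len(contents)              # signed: from after /Contents to %%EOF
    d = total - c
    return render(b"%010d %010d %010d %010d" % (a, b, c, d))

def append_shadow_update(pdf):
    """Constructed incremental update: a new revision that changes what is shown
    without touching any signed byte. The /Prev offset is illustrative only;
    real shadow updates are more elaborate than this."""
    update = (b"2 0 obj\n<< /Type /Annot /Subtype /FreeText /Contents (changed) >>\n"
              b"endobj\ntrailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n")
    return pdf + update

if __name__ == "__main__":
    signed = build_signed_pdf()
    print("clean file, unsigned tail bytes:", unsigned_tail(signed))
    print("clean file flagged:", has_post_signature_update(signed))
    print("after update flagged:", has_post_signature_update(append_shadow_update(signed)))
```

Flagging any data after the last signed range is the strict rule: it catches every post-signature update, including the kind this class of attack uses, but it also fires on legitimate workflows such as a second signer adding a signature, which is the tolerance a viewer has to decide whether to grant. A viewer that wants to accept such updates has to parse what the update changes and confirm that nothing visible differs, rather than accept an appended revision on the strength of the object types it contains.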
