Daily NCSC-FI news followup 2021-03-03

HAFNIUM targeting Exchange Servers with 0-day exploits

www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.. Also

us-cert.cisa.gov/ncas/alerts/aa21-062a. Also


Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ Following the discovery of CVE-2021-26855, Volexity continued to monitor the threat actor and work with additional impacted organizations. During the course of multiple incident response efforts, Volexity identified that the attacker had managed to chain the SSRF vulnerability with another that allows remote code execution (RCE) on the targeted Exchange servers. In all cases of RCE, Volexity has . observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT), and move laterally to other systems and environments.. Also https://twitter.com/ESETresearch/status/1366862948057178115

Qualys hit with ransomware: Customer invoices leaked on extortionists’ Tor blog

www.theregister.com/2021/03/03/qualys_ransomware_clop_gang/ Infosec outfit Qualys, its cloud-based vuln detection tech, and its SSL server test webpage, have seemingly fallen victim to a ransomware attack.

Fbot is now riding the traffic and transportation smart devices

blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/ On February 20, 2021, the 360Netlab Threat Detection System captured attackers were using a remote command execution vulnerability (CVE-2020-9020)[3][4] in the Vantage Velocity product from Iteris to spread Fbot botnet samples.

It’s not easy being green: EV HTTPS cert seller Sectigo questions Chrome’s logic in burying EV HTTPS cert info

www.theregister.com/2021/03/03/sectigo_google_certificates/ Google all but hid these extra details in a Chrome update a couple of years ago, arguing that netizens couldn’t care less if a site is protected by an EV or a vanilla HTTPS cert it won’t stop them putting in their credit card number or password. Others in the industry have questioned the usefulness of EV certs.

Not all cybercriminals are sophisticated

www.welivesecurity.com/2021/03/03/not-all-cybercriminals-are-sophisticated/ Some perpetrators of online crime and fraud dont use advanced methods to profit at the expense of unsuspecting victims and to avoid getting caught. … But surely no one would send a stolen laptop to the High-Tech Crime Unit at a police station?! Sophisticated? I thought this required more digging.

Rookie coding mistake prior to Gab hack came from sites CTO

arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/ Besides questions about secure coding and license compliance, the Gab git commits also appear to show company developers struggling to fix their vulnerable code. The image below shows someone using the username developer trying unsuccessfully to fully fix the code containing the SQL injection vulnerability.

Qakbot infection with Cobalt Strike

isc.sans.edu/diary/rss/27158 On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity. I’ve seen Cobalt Strike from Qakbot infections before.

Eugene Kaspersky says cyber-crooks coined it during COVID and will take a break to spend their loot

www.theregister.com/2021/03/03/eugene_kaspersky_post_covid_security_predictions/ Kaspersky Lab CEO Eugene Kaspersky has suggested that the end of the COVID-19 pandemic will bring a slowdown in cyber-crime.. Speaking yesterday at the Kaspersky-sponsored Asia Pacific Online Policy Forum, the CEO said: “If the pandemic goes away, criminals will go away and on vacation. He added that one reason for the slowdown would be taking time to spend all the money they stole during the pandemic, and that a return to robbery-as-usual can be expected a few months later.. [A] counter-argument asserted that as workers return to offices, risky behaviour like falling for phishing emails will follow. He described cyber-criminals as opportunists who will take advantage of changes in group behavior and called for a renewed emphasis on security training and education.. At the onset of the forum, Kaspersky said COVID-19 has seen new entrants to the online crime industry.. More junior criminals are joining cyberspace, said Kaspersky …


www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf Mandiant did not identify any additional vulnerabilities that were exploited by the attackers. Mandiant also validated the efficacy of the patches Accellion released to address the Exploited Vulnerabilities, which Accellion made available to FTA customers soon after each Exploit was identified


www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-007.pdf Since mid-September 2020, the ANSSI (French National Cyber Security Agency) has observed a vast campaign of attacks using the Egregor ransomware. At least 69 organisations, including some French companies, are believed to have been targeted. As ransomware, Egregor poses a significant threat since the activity of victim organisations is deeply affected. Bitcoin ransom demands can be in excess of . $4,000,000.

www.techjuice.pk/indian-hackers-could-be-infecting-pakistani-users-with-malware-through-fake-apps-warns-nitb/ The National Information Technology Board (NITB) has warned Pakistani users of an Indian malware, Hackshaw, through a tweet. According to the NITB, fake versions of popular apps such as Signal, Babble, TeleChatty & Filos could be tainted with Indian-based malware Hawkshaw and used to carry out phishing attacks.

The Ursnif banking Trojan has hit over 100 Italian banks

blog.avast.com/ursnif-victim-data On analyzing the information, our researchers found information that could be used to help protect past and current victims of Ursnif. Specifically we found usernames, passwords, credit card, banking and payment information that appears to have been stolen from Ursnif victims by the malware operators. We saw evidence of over 100 Italian banks targeted in the information we obtained. We also saw . over 1,700 stolen credentials for a single payment processor.

Oxfam Australia data incident: update

media.oxfam.org.au/2021/03/oxfam-australia-data-incident-update-2/ Following an independent IT forensic investigation, Oxfam Australia announced today that it has found that supporters information on one of its databases was unlawfully accessed by an external party on 20 January 2021.. Given the nature of the information accessed, there may be risks relating to scam communications via unsolicited emails, phone calls or text messages.

IRS Phishing Email Up and Coming Phishing Campaign Is Taxing to Users

cofense.com/blog/up-and-coming-phishing-taxing With U.S. tax season upon us, its time to remind our users to watch for emails hitting their inboxes related to tax documents. Threat actors are tuned to the seasonal theme to lure users. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that steals Microsoft credentials by acting as a file share from the U.S. Internal Revenue Service.

Fast Flux 101: How Cybercriminals Improve the Resilience of Their Infrastructure to Evade Detection and Law Enforcement Takedowns

unit42.paloaltonetworks.com/fast-flux-101/ In this blog, we provide a fictional scenario of a cat-and-mouse game between cybercriminals and law enforcement. We illustrate how cybercriminals use single fast flux networks and more advanced techniques such as double flux (when the domain name resolution becomes part of the fast flux network) and Domain Generation Algorithms (DGAs) to hamper domain blocklisting and takedown efforts.

Why Cloud Security Risks Have Shifted to Identities and Entitlements

www.darkreading.com/cloud/why-cloud-security-risks-have-shifted-to-identities-and-entitlements/a/d-id/1340194 Gartner predicts that by 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020. There are several factors driving these cloud security deficiencies.. Traditional cloud security tools such as CASB, CSPM, and CWPP weren’t designed to provide these capabilities or address what Gartner calls Cloud Infrastructure Entitlement Management (CIEM) and Forrester dubs Cloud Infrastructure Governance (CIG). What’s needed are cloud-native capabilities to enforce the concept of least privilege.

You might be interested in …

Daily NCSC-FI news followup 2019-12-16

Inside Evil Corp, a $100M Cybercrime Menace krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/ The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself Evil Corp and stole roughly $100 million from businesses and consumers. As […]

Read More

Daily NCSC-FI news followup 2019-12-20

267 miljoonan Facebook-käyttäjän tiedot päätyivät nettiin – älä silti hätäile www.is.fi/digitoday/tietoturva/art-2000006350462.html Vuoto ei kuitenkaan ole hälyttävin mahdollinen, vaikka koskeekin suurta määrää käyttäjiä. Tietueessa ei esimerkiksi ole salasanoja tai maksukortin tietoja. Lisäksi tiedot ovat enimmäkseen amerikkalaisilta käyttäjiltä.. Src: www.comparitech.com/blog/information-security/267-million-phone-numbers-exposed-online/ Supo: 5g-verkkotoimijat arvioitava ja poliittinen keskustelu käytävä www.is.fi/digitoday/tietoturva/art-2000006348909.html Cisco ASA DoS Bug Attacked in Wild blogs.cisco.com/security/talos/cisco-asa-dos-bug-attacked-in-wild Cisco […]

Read More

Daily NCSC-FI news followup 2021-03-09

Dangerous Malware Dropper Found in 9 Utility Apps on Googles Play Store blog.checkpoint.com/2021/03/09/dangerous-malware-dropper-found-in-9-utility-apps-on-googles-play-store/ Check Point Research (CPR) recently discovered a new dropper spreading via the Google Play store. The dropper, dubbed Clast82, has the ability to avoid detection by Google Play Protect, complete the evaluation period successfully, and change the payload dropped from a non-malicious […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.