Daily NCSC-FI news followup 2021-03-04

Selecting a Protective DNS Service

media.defense.gov/2021/Mar/03/2002593055/-1/-1/0/CSI_PROTECTIVE%20DNS_UOO117652-21.PDF Due to the centrality of DNS for cybersecurity, the Department of Defense (DoD) included DNS filtering as a requirement in its Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192).

Three Top Russian Cybercrime Forums Hacked

krebsonsecurity.com/2021/03/three-top-russian-cybercrime-forums-hacked/ Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums' user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums. On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web, apparently pilfered from Mazafaka (a.k.a. Maza, MFclub), an exclusive crime forum that has for more than a decade played host to some of the most experienced and infamous Russian cyberthieves. The compromise of Maza and Verified, and possibly a third major forum, has many community members concerned that their real-life identities could be exposed. Exploit, perhaps the next-largest and most popular Russian forum after Verified, also experienced an apparent compromise this week.

Unsecured Cloud Configurations Exposing Information in Thousands of Mobile Apps

blog.zimperium.com/unsecured-cloud-configurations-exposing-information-in-thousands-of-mobile-apps/ In our analysis, 14% of iOS and Android apps that use cloud storage had insecure configurations and were vulnerable to a number of significant issues that exposed PII, enabled fraud or exposed IP or internal systems. During our review, we encountered several apps relying on both Google and Amazon storage that was accessible without any security. In one example, the information we were able to obtain included profile pictures and other PII. Other apps leak information that enables fraud. In one example, an app shows images containing physical payment implements such as checks. Another category of apps exposes configuration information that could be used for further investigation or penetration. For example, one may think music apps don't have any important information to protect; however, we identified cases where entire server infrastructures, scripts, servers and much more were exposed publicly.

Windows DNS SIGRed bug gets first public RCE PoC exploit

www.bleepingcomputer.com/news/security/windows-dns-sigred-bug-gets-first-public-rce-poc-exploit/ “If exploited carefully, attackers can execute code remotely on the vulnerable system and gain Domain Admin rights, effectively compromising the entire corporate infrastructure,” Palmiotti explained. Details at


Cybercriminals Adapt to Bypass 3D Secure

geminiadvisory.io/cybercriminals-bypass-3ds/ While 3DS 2 is more difficult for cybercriminals to bypass, it is not impervious to well-honed social engineering skills. Gemini Advisory assesses with moderate confidence that cybercriminals will likely continue to rely on social engineering and phishing to bypass 3DS security measures.

Lazarus Group's MATA Framework Leveraged to Deploy TFlower Ransomware

www.sygnia.co/mata-framework Taken together, the Netlab and Kaspersky publications along with the recent Sygnia findings indicate a connection or collaboration between the Lazarus Group and TFlower. While the nature of this collaboration is not yet clear and needs to be further validated, it may reflect the continued effort by North Korea to scale its cyber extortion business as a major source of currency generation, including by collaborating with additional crime entities, creating such entities, outsourcing capabilities, or selling offensive tools to other groups.

SITA statement about security incident

www.sita.aero/pressroom/news-releases/sita-statement-about-security-incident/ SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (SITA PSS) operates passenger processing systems for airlines. Finnair is also among the victims.


GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence

www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ Microsoft Threat Intelligence Center (MSTIC) is naming the actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. Recent investigations have identified three new pieces of malware being used in late-stage activity by NOBELIUM. This blog provides detailed analysis of these malware strains to help defenders detect, protect, and respond to this threat. We continue to partner with FireEye to understand these threats and protect our mutual customers. FireEye's analysis of the malware used by NOBELIUM is here.

Researcher bitsquats Microsoft’s windows.com to steal traffic

www.bleepingcomputer.com/news/security/researcher-bitsquats-microsofts-windowscom-to-steal-traffic/ A researcher was able to “bitsquat” Microsoft’s windows.com domain by cybersquatting variations of windows.com. However, this technique differs from cases where typosquatting domains are used for phishing activities in that it requires no action on the victim’s part. … “Now let's say that the computer is running too hot, a solar flare is happening, or a cosmic ray (very real thing) flips a bit on the computer,” says [the researcher] Remy. In a 2011 Black Hat paper, titled “Bit-squatting: DNS Hijacking without Exploitation,” researcher Artem Dinaburg saw that when he had squatted 31 bitsquatted variations of eight legitimate domains of multiple organizations, on average 3,434 daily DNS requests came his way that should otherwise have gone to the DNS servers for the legitimate domains. Likewise, as soon as Remy squatted the aforementioned domains and set up sinkholes to record any traffic, the researcher noticed an uptick in legitimate traffic coming his way. Blog at
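The defensive counterpart of the research above is knowing which single-bit neighbours of your own domain exist, so they can be registered pre-emptively or watched for in DNS and proxy logs. The following is an added example written for this digest, not code from the article or from either researcher: it enumerates every hostname that differs from a given domain by exactly one flipped bit in one character (keeping only results that are still valid lowercase hostname labels, and leaving the TLD alone because a defender cannot register a flipped TLD), and it provides a check that tells whether an observed hostname is a one-bit neighbour of a canonical domain. The domain `windows.com` is used only because the article discusses it; the variant names it produces are computed, not taken from the article.

```python
# Added example, not from the article: enumerate and detect single-bit-flip
# ("bitsquat") neighbours of a domain from a defender's point of view.
import string

# Characters allowed in a hostname label once case is normalised.
VALID_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bitsquat_variants(domain):
    """Return the sorted list of hostnames that differ from `domain` by one
    flipped bit in exactly one character of a non-TLD label.

    Flips that produce a character outside [a-z0-9-], or a label that starts
    or ends with a hyphen, are discarded because no resolver would accept them.
    The TLD label is left untouched (a defender cannot register e.g. a
    flipped ".com")."""
    labels = domain.lower().split(".")
    variants = set()
    for li, label in enumerate(labels[:-1]):  # skip the TLD
        for ci, ch in enumerate(label):
            for bit in range(8):
                flipped = chr(ord(ch) ^ (1 << bit))
                if flipped not in VALID_LABEL_CHARS:
                    continue
                new_label = label[:ci] + flipped + label[ci + 1:]
                if new_label.startswith("-") or new_label.endswith("-"):
                    continue
                variants.add(".".join(labels[:li] + [new_label] + labels[li + 1:]))
    return sorted(variants)


def is_bitsquat(observed, canonical):
    """True if `observed` differs from `canonical` in exactly one character
    position and that character differs by exactly one bit.  Useful for
    flagging log entries that are one cosmic ray away from your domain."""
    observed, canonical = observed.lower(), canonical.lower()
    if len(observed) != len(canonical) or observed == canonical:
        return False
    diffs = [(a, b) for a, b in zip(observed, canonical) if a != b]
    if len(diffs) != 1:
        return False
    xor = ord(diffs[0][0]) ^ ord(diffs[0][1])
    return xor & (xor - 1) == 0  # exactly one bit set


def flag_bitsquats(hostnames, canonical):
    """Filter a list of observed hostnames (e.g. from DNS query logs) down to
    those that are single-bit neighbours of `canonical`."""
    return [h for h in hostnames if is_bitsquat(h, canonical)]


if __name__ == "__main__":
    for v in bitsquat_variants("windows.com"):
        print(v)
    # Constructed sample of hostnames as they might appear in a DNS log.
    sample = ["windows.com", "windnws.com", "wimdows.com", "7indows.com"]
    print(flag_bitsquats(sample, "windows.com"))
```

Because hostnames are case-insensitive, uppercase results of a flip (for example `w` to `W`) are dropped rather than counted as distinct squats; `wimdows.com` is a typo but not a bitsquat, since `n` and `m` differ in two bits, and the check rejects it accordingly.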


It only took four years and thousands of complaints but ICANN finally kills off rogue Indian domain registrar

www.theregister.com/2021/03/04/icann_domain_woes/ So when it comes to terminating a registrar under contract who breaks that contract for years, approving a registrar who fulfills all the necessary criteria, or allowing interested parties to question its decisions, ICANN has a simple approach: make the decision based on its own prejudices and then drag out telling those at the end of it for as long as humanly possible.

GAO report finds DOD’s weapons programs lack clear cybersecurity guidelines

www.zdnet.com/article/gao-report-finds-dods-weapons-programs-lack-clear-cybersecurity-guidelines/ In a new report released Thursday, the U.S. Government Accountability Office (GAO) said the Department of Defense fails to communicate clear cybersecurity guidelines to contractors tasked with building systems for its weapons programs.

Microsoft: We’re cracking down on Excel macro malware

www.zdnet.com/article/microsoft-were-cracking-down-on-malware-that-uses-excel-macros/ Now Microsoft is expanding the integration of its AMSI with Office 365 to include the scanning of Excel 4.0 XLM macros at runtime, bringing AMSI in line with VBA.

Intel 2020 Product Security Report

www.intel.com/content/dam/www/public/us/en/security-advisory/documents/intel-2020-product-security-report.pdf In 2020 we delivered mitigations for 231 product security issues. 109 (47%) were internally found by Intel employees through our efforts around offensive security research and another 105 (45%) were reported through Intel's Bug Bounty program. In total, 92% (214) of the issues addressed were the direct result of our ongoing investment. The remaining 17 issues were reported to Intel by partners or organizations who do not typically seek bounty payments.

Mitigate Microsoft Exchange Server Vulnerabilities

us-cert.cisa.gov/ncas/alerts/aa21-062a Note: This Alert was updated March 4, 2021 to provide further guidance. (Updated March 4, 2021): CISA recommends investigating for signs of a compromise from at least September 1, 2020 through present.

Security breach on customer service website

www.sarastia.fi/tietoturvaloukkaus-asiakaspalvelusivustolla/ Our customer service website (asiakaspalvelu.sarastia.fi) is temporarily out of service due to a suspected data breach. On Wednesday morning, 3 March 2021, a security breach was detected on the site; its cause and impact are being investigated. The site will remain closed for the duration of the investigation and will be reopened once it has been confirmed safe.
