Daily NCSC-FI news followup 2021-03-05


www.dubex.dk/aktuelt/nyheder/please-leave-an-exploit-after-the-beep In January 2021, Dubex investigated suspicious activity on a set of Exchange servers. Generic post-exploitation activity was seen, and many POST requests were sent to webshells hosted in the OWA directory. It was initially suspected that the servers might have been backdoored directly through OWA and that the webshells were being used for ease of access. As a result, Dubex started its incident response efforts and acquired system memory (RAM) and disk images to initiate a forensic investigation. This investigation revealed a zero-day exploit being used in the wild.

Ransomware, and then some

www.kaspersky.com/blog/rtm-quoter-campaign/38931/ Our experts have detected a new malicious campaign involving a fairly wide array of tools. The tools include a banking Trojan, ransomware called Quoter (which our systems had not previously encountered), and legitimate remote-access programs (LiteManager and RMS, possibly others). The cybercriminals are associated with the RTM group.

QNAP NAS users, make sure you check your system

blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ On March 2, 2021, the 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerabilities CVE-2020-2506 and CVE-2020-2507. Upon a successful attack, the attacker gains root privileges on the device and performs malicious mining activities. Due to the potentially large impact, we contacted and informed the vendor on March 3, and decided to share some information in this quick blog post.

Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities

www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\SYSTEM, a privileged local account on the Windows operating system.

Microsoft: Exchange updates can install without fixing vulnerabilities

www.bleepingcomputer.com/news/security/microsoft-exchange-updates-can-install-without-fixing-vulnerabilities/ Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control (UAC) is enabled. Microsoft has added these warnings to all Exchange security updates released throughout the last few years.

Mazafaka Elite Hacking and Cybercrime Forum Got Hacked!

thehackernews.com/2021/03/mazafaka-elite-hacking-and-cybercrime.html In what's a case of hackers getting hacked, a prominent underground online criminal forum by the name of Maza has been compromised by unknown attackers, making it the fourth forum to have been breached since the start of the year. The intrusion is said to have occurred on March 3, with information about the forum members, including usernames, email addresses, and hashed passwords, publicly disclosed on a breach notification page put up by the attackers, stating "Your data has been leaked" and "This forum has been hacked."


Gootloader Hackers Poison Websites Globally in Order to Infect Business Professionals with Ransomware, Intrusion Tools and Bank Trojans, Warns eSentire

www.esentire.com/security-advisories/gootloader-hackers-poison-websites-globally eSentire, a leading global provider of Managed Detection and Response (MDR) cybersecurity solutions, reported today that the hackers behind the malicious downloader Gootloader have poisoned websites across the globe to infect business professionals' IT systems with ransomware, intrusion tools and bank trojans. eSentire has been tracking the Gootloader campaign since December 2020 and has

D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant

threatpost.com/d-link-iot-tor-gafgyt-variant/164529/ A new variant of the Gafgyt botnet that's actively targeting vulnerable D-Link and Internet of Things devices is the first variant of the malware to rely on Tor communications, researchers say. Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15.

These two unusual versions of ransomware tell us a lot about how attacks are evolving

www.zdnet.com/article/these-two-unusual-versions-of-ransomware-tell-us-a-lot-about-how-attacks-are-evolving/ Two newly discovered forms of ransomware with very different traits show just how diverse the world of ransomware has become as more cyber criminals attempt to join in with cyber extortion. Both forms of ransomware emerged in February and have been detailed by cybersecurity researchers at Trend Micro: AlumniLocker and Humble, with the two versions attempting to extort a bitcoin ransom in different ways.

Beware of a message like this: malware may send thousands of messages at your expense and compromise your bank account

www.tivi.fi/uutiset/tv/e4a64a51-b6c1-4868-8ea2-e3f0964dbd54 Criminals are once again harassing Finns with scam messages sent in the name of Posti or PostNord. The police say in a press release that the scam message may arrive as a text message asking the recipient to install an application on the phone via a link in the message. If the recipient's mobile phone runs Android, tapping the link installs malware on the phone that sends hundreds or thousands of messages abroad from the device at the customer's expense. The malware is hard to notice until the device starts sending large numbers of messages on its own, the police say.

Microsoft Exchange Server Vulnerabilities Mitigations March 2021

msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/ Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs. These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft's Email Software

krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/ At least 30,000 organizations across the United States, including a significant number of small businesses, towns, cities and local governments, have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that's focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

Microsoft Adopted an ‘Aggressive’ Strategy for Sharing SolarWinds Attack Intel

www.darkreading.com/operations/microsoft-adopted-an-aggressive-strategy-for-sharing-solarwinds-attack-intel/d/d-id/1340327 Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company’s approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous attack. In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat. That role has evolved as attacks grow more complex – and it presents a tricky challenge when a provider must keep businesses informed of an attack that has infiltrated its own walls and affected tens of thousands of its customers, as Microsoft experienced during the recent SolarWinds incident.

Risky Business: Maturing OT Security With Executives

www.dragos.com/blog/industry-news/risky-business-maturing-ot-security-with-executives/ For many of us, the phrase invokes memories of continuous security assessments, meaningless heat maps, and constantly telling people "we're not IT, we don't do that". It's political battles between IT and OT, budget wars, and oversimplifying years of work into maybe two PowerPoint slides. There is a reason why, as practitioners, we're constantly in the cross hairs when it comes to cyber risk and cyber program management: compared to other operational areas, we are, without a doubt, the least mature in communicating and documenting risk. That's not a criticism, but an observation.

Should online voting be rushed because of the epidemic? Ballot secrecy and convenience sit on opposite sides of the scale, and you cannot have both, says a cybersecurity expert

yle.fi/uutiset/3-11809803 According to an expert specialising in cybersecurity, even the newest technology cannot remove the problems that threaten ballot secrecy. The upcoming municipal elections have raised a great deal of concern and discussion amid the worsening epidemic situation: How are citizens to be given health-safe access to the polling stations? How are the queues outside municipal halls to be kept down? And how is a person who has fallen ill with COVID-19 to be given the chance to exercise their right to vote?
