Daily NCSC-FI news followup 2021-03-05


www.dubex.dk/aktuelt/nyheder/please-leave-an-exploit-after-the-beep In January 2021, Dubex investigated suspicious activity on a set of Exchange servers. Generic post exploitation activity was seen, and many POST requests were sent to webshells hosted in the OWA directory. It was initially suspected the servers might be backdoored directly through the OWA and that webshells were being used for ease of access. As a result, Dubex started its incident response efforts . and acquired system memory (RAM) and disk images to initiate a forensics investigation. This investigation revealed a zero-day exploit being used in the wild.

Ransomware, and then some

www.kaspersky.com/blog/rtm-quoter-campaign/38931/ Our experts have detected a new malicious campaign involving a fairly wide array of tools. The tools include a banking Trojan, ransomware called Quoter (which our systems had not previously encountered), and legitimate remote-access programs (LiteManager and RMS, possibly others). The cybercriminals are associated with the RTM group.

QNAP NAS users, make sure you check your system

blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507), upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities.. Due to the possible big impact, we contacted and informed the vendor on March 3, and decided to share some information with this quick blog.

Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities

www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\SYSTEM, a privileged local account on the Windows operating system.

Microsoft: Exchange updates can install without fixing vulnerabilities

www.bleepingcomputer.com/news/security/microsoft-exchange-updates-can-install-without-fixing-vulnerabilities/ Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control (UAC) is enabled. Microsoft has added these warnings to all Exchange security updates released throughout the last few years.

Mazafaka Elite Hacking and Cybercrime Forum Got Hacked!

thehackernews.com/2021/03/mazafaka-elite-hacking-and-cybercrime.html In what’s a case of hackers getting hacked, a prominent underground online criminal forum by the name of Maza has been compromised by unknown attackers, making it the fourth forum to have been breached since the start of the year. The intrusion is said to have occurred on March 3, with information about the forum members including usernames, email addresses, and hashed passwords publicly disclosed on a breach notification page put up by the attackers, stating “Your data has been leaked” and “This forum has been hacked.”. Also:


Gootloader Hackers Poison Websites Globally in Order to Infect Business Professionals with Ransomware, Intrusion Tools and Bank Trojans, Warns eSentire

www.esentire.com/security-advisories/gootloader-hackers-poison-websites-globally eSentire, a leading global provider of Managed Detection and Response (MDR) cybersecurity solutions, reported today that the hackers behind the malicious downloader, Gootloader, have poisoned websites across the globe to infect business professionals IT systems with ransomware, intrusion tools and bank trojans. eSentire has been tracking the Gootloader campaign since December 2020 and has

D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant

threatpost.com/d-link-iot-tor-gafgyt-variant/164529/ A new variant of the Gafgyt botnet thats actively targeting vulnerable D-Link and Internet of Things devices is the first variant of the malware to rely on Tor communications, researchers say. Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15.

These two unusual versions of ransomware tell us a lot about how attacks are evolving

www.zdnet.com/article/these-two-unusual-versions-of-ransomware-tell-us-a-lot-about-how-attacks-are-evolving/ Two newly discovered forms of ransomware with very different traits show just how diverse the world of ransomware has become as more cyber criminals attempt to join in with cyber extortion. Both forms of ransomware emerged in February and have been detailed by cybersecurity researchers at Trend Micro AlumniLocker and Humble – with the two versions attempting to extort a bitcoin ransom in different ways.

Varo tällaista viestiä haittaohjelma saattaa lähettää laskuusi tuhansia viestejä sekä vaarantaa pankkitilisi

www.tivi.fi/uutiset/tv/e4a64a51-b6c1-4868-8ea2-e3f0964dbd54 Rikolliset kiusaavat suomalaisia jälleen huijausviesteillä, joita lähetetään Postin tai PostNordin nimissä. Poliisi kertoo tiedotteessaan, että huijausviesti voi tulla tekstiviestillä, jossa pyydetään asentamaan puhelimeen sovellus viestissä olevan linkin kautta. Jos vastaanottajan matkapuhelimessa on Android-käyttöjärjestelmä, asentuu käyttäjien puhelimiin linkistä painamalla haittaohjelma, joka lähettää laitteesta ulkomaille satoja tai tuhansia viestejä asiakkaan laskuun. Haittaohjelma on vaikea huomata, ennen kuin laite alkaa lähettämään runsaasti viestejä itsenäisesti, Poliisi kertoo.

Microsoft Exchange Server Vulnerabilities Mitigations March 2021

msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/ Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs. These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsofts Email Software

krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/ At least 30,000 organizations across the United States including a significant number of small businesses, towns, cities and local governments have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit thats focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity.. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

Microsoft Adopted an ‘Aggressive’ Strategy for Sharing SolarWinds Attack Intel

www.darkreading.com/operations/microsoft-adopted-an-aggressive-strategy-for-sharing-solarwinds-attack-intel/d/d-id/1340327 Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company’s approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous attack. In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat. That role has evolved as attacks grow more complex – and it presents a tricky challenge when a provider must keep businesses informed of an attack that has infiltrated its own walls and affected tens of thousands of its customers, as Microsoft experienced during the recent SolarWinds incident.

www.dragos.com/blog/industry-news/risky-business-maturing-ot-security-with-executives/ Risky Business: Maturing OT Security With Executives. For many of us, the phrase invokes memories of continuous security assessments, meaningless heat maps, and constantly telling people were not IT, we dont do that. Its political battles between IT and OT, budget wars, and oversimplifying years of work into maybe two PowerPoint slides. There is a reason why, as practitioners, were constantly in the cross hairs when it comes to cyber risk and cyber program managementbecause, compared to other operational areas, we are, without a doubt, the least mature in communicating and documenting risk. Thats not a criticism, but an observation.

Pitäisikö nettiäänestystä kiirehtiä epidemian vuoksi? Vaakakupissa painavat vaalisalaisuus ja helppous molempia ei saa, sanoo kyberturvallisuuden asiantuntija

yle.fi/uutiset/3-11809803 Uusinkaan teknologia ei kyberturvallisuuteen erikoistuneen asiantuntijan mukaan kykene poistamaan vaalisalaisuutta uhkaavia ongelmia. Edessä olevat kuntavaalit ovat herättäneet paljon huolta ja keskustelua pahenevan epidemiatilanteen keskellä: Miten kansalaisille tarjotaan terveysturvallinen pääsy vaaliuurnille? Miten hillitään jonot kunnantalojen edessä? Entä miten järjestetään koronaan sairastuneelle mahdollisuus käyttää äänioikeuttaan?

You might be interested in …

Daily NCSC-FI news followup 2021-05-24

Cyber Insurance Is Not a Substitute for Cybersecurity www.crowdstrike.com/blog/why-cyber-insurance-is-not-a-substitute-for-cybersecurity/ Attacks are increasing in frequency, ransom demands are rising and the cyber insurance industry has reached a crossroad where cyber insurance cannot be used by victims of a ransomware attack as a substitute for inadequate cybersecurity solutions and practices Subscription ransomware – Zeppelin ransomware comes back […]

Read More

Daily NCSC-FI news followup 2020-02-29

TRICKBOT DELIVERY METHOD GETS A NEW UPGRADE FOCUSING ON WINDOWS 10 blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows Over the past few weeks, Morphisec Labs researchers identified a couple dozen documents that execute the OSTAP javascript downloader.. This time we have identified the use of the latest version of the remote desktop activeX control class that was introduced for Windows 10. […]

Read More

Daily NCSC-FI news followup 2020-02-05

Malware infection attempts appear to be shrinking… possibly because miscreants are less spammy and more focused on specific targets www.theregister.co.uk/2020/02/04/sonicwall_threat_report/ Attempts to infect computers with ransomware and other malware over networks are decreasing, reckons infosec outfit Sonicwall. FBI Warns of DDoS Attack on State Voter Registration Site www.bleepingcomputer.com/news/security/fbi-warns-of-ddos-attack-on-state-voter-registration-site/ The US Federal Bureau of Investigation (FBI) […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.