Daily NCSC-FI news followup 2021-03-06

China's RedEcho accused of targeting India's power grids

blog.malwarebytes.com/vital-infrastructure/2021/03/chinas-redecho-accused-of-targeting-indias-power-grids/ RedEcho, an advanced persistent threat (APT) group from China, has attempted to infiltrate the systems behind India's power grids, according to a threat analysis report from Recorded Future [PDF]. It appears that what triggered this attempt to gain a foothold in India's critical power generation and transmission infrastructure was a tense standoff at Pangong Tso lake in May 2020. However, the report by Recorded Future, a cybersecurity company specializing in threat intelligence, claims that RedEcho was on the prowl well before this time.

Ransomware gang plans to call victim’s business partners about attacks

www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-call-victims-business-partners-about-attacks/ The REvil ransomware operation announced this week that they are using DDoS attacks and voice calls to journalists and victim’s business partners to generate ransom payments. The REvil ransomware operation, also known as Sodinokibi, is a ransomware-as-a-service (RaaS) where the ransomware operators develop the malware and payment site, and affiliates (adverts) compromise corporate networks to deploy the ransomware.

Countering Cyber Proliferation: Zeroing in on Access-as-a-Service (PDF)

www.atlanticcouncil.org/wp-content/uploads/2021/03/Offensive-Cyber-Capabilities-Proliferation-Report.pdf ENFER (a cryptonym) is a contractor operating in the Russian marketplace which allegedly takes part in offensive operations under the direct instruction of the Russian Federal Security Service (FSB).

Microsoft IOC Detection Tool for Exchange Server Vulnerabilities

us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. CISA is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised. For additional information on the script, see Microsoft's blog post "HAFNIUM targeting Exchange Servers with 0-day exploits".

Spotting the Red Team on VirusTotal!

isc.sans.edu/forums/diary/Spotting+the+Red+Team+on+VirusTotal/27174/ Many security researchers like to use the VirusTotal platform. The provided services are amazing: you can immediately get a clear overview of how dangerous a file is, but… VirusTotal remains a cloud service. That means that once you have uploaded a file to scan it, you have to consider it "lost" and available to a lot of (good or bad) people! In the SANS FOR610 training ("Reverse Engineering Malware"), we insist on the fact that you should avoid uploading a file to VT!

Check to see if you're vulnerable to Microsoft Exchange Server zero-days using this tool

www.zdnet.com/article/check-to-see-if-youre-vulnerable-to-microsoft-exchange-server-zero-days-using-this-tool/ Microsoft's Exchange Server team has released a script for IT admins to check whether systems are vulnerable to the recently disclosed zero-day bugs. As noted in an alert published by the US Cybersecurity and Infrastructure Security Agency (CISA) on Saturday, Microsoft's team has published a script on GitHub that can check the security status of Exchange servers.

A new type of supply-chain attack with serious consequences is flourishing

arstechnica.com/gadgets/2021/03/more-top-tier-companies-targeted-by-new-type-of-potentially-serious-attack/ A new type of supply chain attack unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks. The latest attack against Microsoft was also carried out as a proof-of-concept by a researcher. Attacks targeting Amazon, Slack, Lyft, and Zillow, by contrast, were malicious, but it's not clear whether they succeeded in executing the malware inside those networks.
