Daily NCSC-FI news followup 2021-03-09

Dangerous Malware Dropper Found in 9 Utility Apps on Google's Play Store

blog.checkpoint.com/2021/03/09/dangerous-malware-dropper-found-in-9-utility-apps-on-googles-play-store/ Check Point Research (CPR) recently discovered a new dropper spreading via the Google Play store. The dropper, dubbed Clast82, has the ability to avoid detection by Google Play Protect, complete the evaluation period successfully, and change the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT. The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial applications.

Fortinet Addresses Latest Microsoft Exchange Server Exploits

www.fortinet.com/blog/threat-research/fortinet-addresses-latest-microsoft-exchange-server-exploits As many as 30,000 businesses and government agencies across the US have been targeted by an aggressive hacking campaign that exploits vulnerabilities in versions of Microsoft Exchange Server, with some experts claiming that hundreds of thousands of Exchange Servers have been exploited worldwide. Microsoft is attributing these exploits to a cyber espionage organization known as HAFNIUM, operating out of mainland China. Microsoft Exchange Server is used by millions of organizations for email and calendar, as well as a collaboration solution.

Serious Security: Webshells explained in the aftermath of HAFNIUM attacks

nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-explained-in-the-aftermath-of-hafnium-attacks/ The cybersecurity meganews of the week, of course, is anything to do with HAFNIUM. (To be clear, we're going to write it as Hafnium from now on, as Microsoft does in its top-level incident disclosure document, so that it doesn't look as though we're shouting all the time.) Strictly speaking, Hafnium is the name that Microsoft uses to denote a specific gang of cybercriminals, allegedly operating out of China via cloud services in the US.

Threat Alert: z0Miner Is Spreading quickly by Exploiting ElasticSearch and Jenkins Vulnerabilities

blog.netlab.360.com/threat-alert-z0miner-is-spreading-quickly-by-exploiting-elasticsearch-and-jenkins-vulnerabilities/ In recent months, with the huge rise of Bitcoin and Monero, various mining botnets have kicked into high gear, and our BotMon system detects dozens of mining botnet attacks pretty much every day. Most of them are old families, some of which have just changed their wallets or propagation methods, and z0Miner is one of them. z0Miner is a malicious mining family that became active last year and has been publicly analyzed by the Tencent Security Team. z0Miner was initially active when it exploited the Weblogic unauthorized remote command execution vulnerability for propagation.

Remediating Microsoft Exchange Vulnerabilities

us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities On March 2, 2021, Microsoft released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server products. On March 3, after CISA and partners observed active exploitation of vulnerabilities, CISA issued Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities and Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.

SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group

www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group In late 2020, Secureworks® Counter Threat Unit (CTU) researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. Additional analysis revealed similarities to intrusion activity identified on the same network earlier in 2020, suggesting the two intrusions are linked. CTU researchers attribute the intrusions to the SPIRAL threat group. Characteristics of the activity suggest the group is based in China.

Microsoft shares detection, mitigation advice for Azure LoLBins

www.bleepingcomputer.com/news/security/microsoft-shares-detection-mitigation-advice-for-azure-lolbins/ Azure LoLBins can be used by attackers to bypass network defenses, deploy cryptominers, elevate privileges, and disable real-time protection on a targeted device. On Windows systems, LoLBins (short for living-off-the-land binaries) are Microsoft-signed executables (downloaded or pre-installed) that threat actors can abuse to evade detection while performing various malicious tasks such as downloading, installing, or executing malicious code.

Apple Plugs Severe WebKit Remote Code-Execution Hole

threatpost.com/apple-webkit-remote-code-execution/164595/ Apple is rolling out fixes for a high-severity vulnerability in its WebKit browser engine that, if exploited, could allow remote attackers to completely compromise affected systems. The mobile giant released security updates on Monday for the flaw, for its Safari browser, as well as devices running macOS, watchOS and iOS.

Clast82: A New Dropper on Google Play Dropping the AlienBot Banker and MRAT

research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/ Check Point Research (CPR) recently discovered a new Dropper spreading via the official Google Play store, which downloads and installs the AlienBot Banker and MRAT. This Dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT.

Chinese spies struck Finland: one connecting factor in the series of data breaches

www.is.fi/digitoday/tietoturva/art-2000007849827.html The consequences in Finland of the worldwide attack on Microsoft Exchange email servers are gradually taking shape. The National Cyber Security Centre, which operates under the Finnish Transport and Communications Agency Traficom, issued a rare red alert about the attack. In its alert the Centre stressed very bluntly that if an organisation has used or is using an Exchange server, the default assumption must be that a breach has very likely taken place.

Microsoft releases ProxyLogon updates for unsupported Exchange Servers

www.bleepingcomputer.com/news/security/microsoft-releases-proxylogon-updates-for-unsupported-exchange-servers/ Microsoft has released security updates for Microsoft Exchange servers running unsupported Cumulative Update versions vulnerable to ProxyLogon attacks. These additional security updates are meant to be installed only on machines running Exchange Server versions not supported by the original March 2021 security patches released a week ago, and only if the admin can't find an update path to a supported version.

Teenagers are being courted to become white-hat hackers: campaign begins

www.tivi.fi/uutiset/tv/35f162e5-b47e-41da-90e5-331a72d767e5 In the Generation Z Hack challenge that has just started, young people are encouraged to join a white-hat challenge campaign in which they get to develop their hacking skills in a safe environment. The challenge is aimed at hackers aged 13 to 18. Registration does not use strong authentication, however, so in principle anyone who wants to can take part. Older participants, though, should not hold out hope of receiving rewards.

European Banking Authority restores email service in wake of Microsoft Exchange hack

www.theregister.com/2021/03/09/eba_exchange_breach/ The European Banking Authority (EBA) has confirmed it is another victim on the list of organisations affected by vulnerabilities in Microsoft Exchange. The EBA hurriedly pulled its email servers offline over the weekend as it realised that it was among the ranks of those hit by flaws in Microsoft Exchange being targeted by miscreants. While worries about personal data held in emails were a factor in the move, by Monday the authority was feeling confident that the data leaks stopped with its email servers and that no additional information extraction had occurred.

Microsoft Exchange Server Attack Escalation Prompts Patching Panic

www.darkreading.com/attacks-breaches/microsoft-exchange-server-attack-escalation-prompts-patching-panic/d/d-id/1340349 US government officials weigh in on the attacks and malicious activity, which researchers believe may be the work of multiple groups. The critical Exchange Server vulnerabilities patched last week by Microsoft are being weaponized in widespread attacks against organizations worldwide. Attacks have escalated over the past two weeks, prompting responses from the US government and the security community.

Data breach on the Päijät-Häme rescue department's email server: a Microsoft Exchange vulnerability behind the breach

yle.fi/uutiset/3-11827592 The email server of the Päijät-Häme rescue department has suffered a data breach. The breach is currently being investigated and has been reported to the National Cyber Security Centre. It is not yet certain when the breach took place. The rescue department's IT unit received notice of the breach yesterday morning and shut down the email server immediately. It is not yet clear whether the intruders gained access to the rescue department's internal network, or whether any usernames or passwords ended up in the wrong hands.

Critical updates dominate March, 2021 Patch Tuesday releases

news.sophos.com/en-us/2021/03/09/critical-updates-dominate-march-2021-patch-tuesday-releases/ After several months of monthly updates that fix fewer-than-average bugs in Windows and other Microsoft products, the March edition of Patch Tuesday once again delivers a raft of urgently needed fixes affecting both enterprise services and software common to most Windows desktop installations. Microsoft also published a series of fixes ahead of the normal release schedule to address critical vulnerabilities that have been actively exploited against Exchange, the mail server software widely used by large organizations and hosted both in cloud services and in on-premises installations. Also:
