Dangerous Malware Dropper Found in 9 Utility Apps on Google's Play Store
blog.checkpoint.com/2021/03/09/dangerous-malware-dropper-found-in-9-utility-apps-on-googles-play-store/ Check Point Research (CPR) recently discovered a new dropper spreading via the Google Play store. The dropper, dubbed Clast82, has the ability to avoid detection by Google Play Protect, complete the evaluation period successfully, and change the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT. The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial applications.
Fortinet Addresses Latest Microsoft Exchange Server Exploits
www.fortinet.com/blog/threat-research/fortinet-addresses-latest-microsoft-exchange-server-exploits As many as 30,000 businesses and government agencies across the US have been targeted by an aggressive hacking campaign that exploits vulnerabilities in versions of Microsoft Exchange Server, with some experts claiming that hundreds of thousands of Exchange Servers have been exploited worldwide. Microsoft is attributing these exploits to a cyber espionage organization known as HAFNIUM, operating out of mainland China. Microsoft Exchange Server is used by millions of organizations for email and calendar, as well as a collaboration solution.
Serious Security: Webshells explained in the aftermath of HAFNIUM attacks
nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-explained-in-the-aftermath-of-hafnium-attacks/ The cybersecurity meganews of the week, of course, is anything to do with HAFNIUM. (To be clear, we're going to write it as Hafnium from now on, as Microsoft does in its top-level incident disclosure document, so that it doesn't look as though we're shouting all the time.) Strictly speaking, Hafnium is the name that Microsoft uses to denote a specific gang of cybercriminals, allegedly operating out of China via cloud services in the US.
Threat Alert: z0Miner Is Spreading quickly by Exploiting ElasticSearch and Jenkins Vulnerabilities
blog.netlab.360.com/threat-alert-z0miner-is-spreading-quickly-by-exploiting-elasticsearch-and-jenkins-vulnerabilities/ In recent months, with the huge rise of Bitcoin and Monero, various mining botnets have kicked into high gear, and our BotMon system detects dozens of mining botnet attacks pretty much every day. Most of them are old families, some of which have just changed their wallets or propagation methods, and z0Miner is one of them. z0Miner is a malicious mining family that became active last year and has been publicly analyzed by the Tencent Security Team. z0Miner was initially active when it exploited the WebLogic unauthorized remote command execution vulnerability for propagation.
Remediating Microsoft Exchange Vulnerabilities
us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities On March 2, 2021, Microsoft released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server products. On March 3, after CISA and partners observed active exploitation of vulnerabilities, CISA issued Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities and Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.
SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group
www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group In late 2020, Secureworks® Counter Threat Unit (CTU) researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. Additional analysis revealed similarities to intrusion activity identified on the same network earlier in 2020, suggesting the two intrusions are linked. CTU researchers attribute the intrusions to the SPIRAL threat group. Characteristics of the activity suggest the group is based in China.
Microsoft shares detection, mitigation advice for Azure LoLBins
www.bleepingcomputer.com/news/security/microsoft-shares-detection-mitigation-advice-for-azure-lolbins/ Azure LoLBins can be used by attackers to bypass network defenses, deploy cryptominers, elevate privileges, and disable real-time protection on a targeted device. On Windows systems, LoLBins (short for living-off-the-land binaries) are Microsoft-signed executables (downloaded or pre-installed) that threat actors can abuse to evade detection while performing various malicious tasks such as downloading, installing, or executing malicious code.
Apple Plugs Severe WebKit Remote Code-Execution Hole
threatpost.com/apple-webkit-remote-code-execution/164595/ Apple is rolling out fixes for a high-severity vulnerability in its WebKit browser engine that, if exploited, could allow remote attackers to completely compromise affected systems. The mobile giant released security updates on Monday for the flaw, for its Safari browser, as well as devices running macOS, watchOS and iOS.
Clast82: A new Dropper on Google Play Dropping the AlienBot Banker and MRAT
research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/ Check Point Research (CPR) recently discovered a new Dropper spreading via the official Google Play store, which downloads and installs the AlienBot Banker and MRAT. This Dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT.
Chinese spies struck Finland: one common factor in the series of data breaches
www.is.fi/digitoday/tietoturva/art-2000007849827.html The consequences in Finland of the global attack on Microsoft Exchange email servers are gradually becoming clear. The National Cyber Security Centre, which operates under the Finnish Transport and Communications Agency Traficom, issued a rare red alert about the attack. In its alert, the centre stressed very bluntly that if an organisation has used or is using an Exchange server, the default assumption should be that a breach has very likely occurred.
Microsoft releases ProxyLogon updates for unsupported Exchange Servers
www.bleepingcomputer.com/news/security/microsoft-releases-proxylogon-updates-for-unsupported-exchange-servers/ Microsoft has released security updates for Microsoft Exchange servers running unsupported Cumulative Update versions vulnerable to ProxyLogon attacks. These additional security updates are meant to be installed only on machines running Exchange Server versions not supported by the original March 2021 security patches released a week ago, and only if the admin can't find an update path to a supported version.
Teenagers are being courted to become white-hat hackers: campaign launched
www.tivi.fi/uutiset/tv/35f162e5-b47e-41da-90e5-331a72d767e5 In the Generation Z Hack challenge that has just started, young people are encouraged to join a white-hat challenge campaign in which they can develop their hacking skills in a safe environment. The challenge is aimed at hackers aged 13 to 18. However, registration does not use strong authentication, so in principle anyone who wants to can take part. Older participants, though, should not get their hopes up about receiving rewards.
European Banking Authority restores email service in wake of Microsoft Exchange hack
www.theregister.com/2021/03/09/eba_exchange_breach/ The European Banking Authority (EBA) has confirmed it is another victim on the list of organisations affected by vulnerabilities in Microsoft Exchange. The EBA hurriedly pulled its email servers offline over the weekend as it realised that it was among the ranks of those hit by flaws in Microsoft Exchange being targeted by miscreants. While worries about personal data held in emails were a factor in the move, by Monday the authority was feeling confident that the data leaks stopped with its email servers and that no additional information extraction had occurred.
Microsoft Exchange Server Attack Escalation Prompts Patching Panic
www.darkreading.com/attacks-breaches/microsoft-exchange-server-attack-escalation-prompts-patching-panic/d/d-id/1340349 US government officials weigh in on the attacks and malicious activity, which researchers believe may be the work of multiple groups. The critical Exchange Server vulnerabilities patched last week by Microsoft are being weaponized in widespread attacks against organizations worldwide. Attacks have escalated over the past two weeks, prompting responses from the US government and the security community.
Data breach of the Päijät-Häme Rescue Department's email server: Microsoft Exchange vulnerability behind the breach
yle.fi/uutiset/3-11827592 The email server of the Päijät-Häme Rescue Department has been breached. The breach is currently being investigated and has been reported to the National Cyber Security Centre. It is not yet certain when the breach took place. The rescue department's IT unit received notice of the breach yesterday morning and shut down the email server immediately. It is not yet clear whether the breach gave access to the rescue department's internal network, or whether any usernames or passwords have ended up in the wrong hands.
Critical updates dominate March, 2021 Patch Tuesday releases
news.sophos.com/en-us/2021/03/09/critical-updates-dominate-march-2021-patch-tuesday-releases/ After several months of monthly updates that fixed fewer-than-average bugs in Windows and other Microsoft products, the March edition of Patch Tuesday once again delivers a raft of urgently needed fixes affecting both enterprise services and software common to most Windows desktop installations. Microsoft also published a series of fixes ahead of the normal release schedule to address critical vulnerabilities that have been actively exploited against Exchange, the mail server software widely used by large organizations and hosted both in cloud services and in on-premises installations.