Daily NCSC-FI news followup 2021-03-17

Supo researcher on A-studio: remote work has increased cyber espionage, "not all security solutions have been thought through completely"

yle.fi/uutiset/3-11840467 According to the Finnish Security and Intelligence Service (Supo), foreign intelligence services have increased online espionage during the pandemic. According to Supo senior researcher Veli-Pekka Kivimäki, the number of targets online has grown, partly as a result of remote work. – Not all security solutions have necessarily been thought through completely when operations were moved to remote work, Kivimäki said on Tuesday on A-studio.

Alert (AA21-076A) – TrickBot Malware

us-cert.cisa.gov/ncas/alerts/aa21-076a The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.

TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise

us-cert.cisa.gov/ncas/current-activity/2021/03/17/ttp-table-detecting-apt-activity-related-solarwinds-and-active CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity. also:

us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf

China-linked TA428 Continues to Target Russia and Mongolia IT Companies

www.recordedfuture.com/china-linked-ta428-threat-group/ Recorded Future’s Insikt Group recently identified renewed activity attributed to the suspected Chinese threat activity group TA428. The identified activity overlaps with a TA428 campaign previously reported by Proofpoint as “Operation LagTime IT”, which targeted Russian and East Asian government information technology agencies in 2019. Based on the infrastructure, tactics, and victim organization identified, we assess that TA428 likely continues to engage in intrusion activity targeting organizations in Russia and Mongolia.

This is how the NBI investigates the Vastaamo crimes with information requests: every answer brings them closer to the extortionist

www.is.fi/digitoday/tietoturva/art-2000007865666.html The same lines of investigation into the data breach itself and the extortion remain open as before, says Detective Chief Inspector Marko Leponen of the National Bureau of Investigation (KRP). They aim to establish the identity of the perpetrator of the data breaches and of the extortionist, and whether they are the same party. – We are now combing through the material with a fine-toothed comb, and that is slow. But it keeps leading us forward and tells us what we need to investigate next. Every finding takes us a step forward, and along this path we go to where we assume the suspect or suspects are. We are not searching the material at random, Leponen says.

Telia's business customers got their email back, one big question still open

www.is.fi/digitoday/tietoturva/art-2000007864736.html Telia Inmics-Nebula apologises for the inconvenience caused to customers but does not say directly whether its servers were successfully breached.

ZERO TRUST AS THE FOUNDATION OF A MODERN, SECURE ICT ENVIRONMENT

yrityksille.elisa.fi/ideat/zero-trust-nollaluottamus-turvaa-ict-ymparistosi/ Zero Trust, the "principle of no trust", was developed for designing modern, agile ICT environments. It helps build security in today's complex world, where different ICT systems integrate with one another. As the name says, the Zero Trust model is built on trust being zero at every moment in time: devices and users are identified in every situation, and the decision to grant access is based on a risk assessment. Use of strong authentication is one of the basics.
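To make the principle concrete, here is a minimal per-request policy decision point in the Zero Trust style the article describes: identity and device are checked on every request, and the outcome is driven by a risk score rather than by network location. This is an added illustration, not code from the Elisa article; the signals, weights, thresholds and the three-level sensitivity scale are assumptions chosen for the example, and the requests at the bottom are constructed.

```python
"""Risk-based access decision in the Zero Trust style (added example).

All signal names, weights and thresholds below are hypothetical assumptions;
a real deployment would take these from an identity provider and device
management system and tune them to its own risk appetite.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require strong authentication before access
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_mfa_verified: bool       # strong authentication completed in this session
    device_id: str
    device_managed: bool          # device is enrolled and can be identified
    device_compliant: bool        # e.g. disk encryption, patch level, EDR present
    resource_sensitivity: int     # assumed scale: 1 (low) .. 3 (high)
    new_location: bool            # sign-in from a location not seen for this user
    session_age_minutes: int


def risk_score(req: AccessRequest) -> int:
    """Additive risk score; the weights are assumptions for the example."""
    score = 0
    if not req.device_managed:
        score += 40               # unidentified device is never implicitly trusted
    elif not req.device_compliant:
        score += 25
    if req.new_location:
        score += 15
    if req.session_age_minutes > 480:
        score += 10               # stale session: re-verify instead of trusting history
    score += 10 * (req.resource_sensitivity - 1)
    return score


def decide(req: AccessRequest) -> Decision:
    """Evaluate one request. Nothing is inherited from earlier requests or
    from being 'inside' a network; every call re-checks user and device."""
    if not req.user or not req.device_id:
        return Decision.DENY      # no verified identity, no access
    # Unmanaged devices never reach anything above low-sensitivity data,
    # regardless of how the user authenticated.
    if not req.device_managed and req.resource_sensitivity >= 2:
        return Decision.DENY
    score = risk_score(req)
    if score >= 60:
        return Decision.DENY
    if score >= 20 and not req.user_mfa_verified:
        return Decision.STEP_UP
    if req.resource_sensitivity == 3 and not req.user_mfa_verified:
        return Decision.STEP_UP   # sensitive data always needs strong auth
    return Decision.ALLOW


# Constructed sample requests (not real data).
ROUTINE = AccessRequest("alice", True, "laptop-01", True, True, 1, False, 30)
SENSITIVE_NO_MFA = AccessRequest("alice", False, "laptop-01", True, True, 3, False, 30)
UNMANAGED_TO_INTERNAL = AccessRequest("bob", True, "byod-phone", False, False, 2, False, 5)
UNMANAGED_STALE_NEW_LOCATION = AccessRequest("bob", False, "byod-phone", False, False, 1, True, 600)

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE), ("sensitive_no_mfa", SENSITIVE_NO_MFA),
                      ("unmanaged_to_internal", UNMANAGED_TO_INTERNAL),
                      ("unmanaged_stale_new_location", UNMANAGED_STALE_NEW_LOCATION)]:
        print(f"{name:30s} score={risk_score(req):3d} -> {decide(req).value}")
```

The point of the example is the shape of the decision, not the numbers: the device check comes before the score, the score is computed from the request itself rather than from where it arrived, and a low-risk request by an authenticated user on a compliant device is the only path to a plain allow without strong authentication.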

Microsoft Exchange Server: These quarterly updates include fixes for security flaws

www.zdnet.com/article/microsoft-exchange-server-these-quarterly-updates-include-fixes-for-security-flaws/ Microsoft has released its March 2021 quarterly cumulative updates for Exchange Server 2016 and Exchange Server 2019, which include the security updates that address critical flaws currently under attack. also:

techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-quarterly-exchange-updates/ba-p/2205283

PYSA Ransomware Pillages Education Sector, Feds Warn

threatpost.com/pysa-ransomware-education-feds-warn/164832/ A major spike of attacks against higher ed, K-12 and seminaries in March has prompted the FBI to issue a special alert. In a “Flash” alert to the cybersecurity community issued on Tuesday, the Feds said that PYSA has been seen in attacks on schools in 12 U.S. states and in the United Kingdom in March alone.

Largest ransomware demand now stands at $30 million as crooks get bolder

www.zdnet.com/article/largest-ransomware-demand-now-stands-at-30-million-as-crooks-get-bolder/ Ransomware shows no sign of slowing down as the average ransom paid to cyber criminals by organisations which fall victim to these attacks has nearly tripled over the last year. also:

unit42.paloaltonetworks.com/ransomware-threat-assessments/

New global model needed to dismantle ransomware gangs, experts warn

www.cyberscoop.com/ransomware-attacks-global-hacks-diplomacy/ Ransomware gangs are making a killing: they are encrypting data at schools and hospitals around the world at an alarming rate, and by some counts they are raking in hundreds of millions of dollars doing it.

New ICS Threat Activity Group: VANADINITE

www.dragos.com/blog/industry-news/new-ics-threat-activity-group-vanadinite/ In this blog post, we will provide more information on one of the new groups: VANADINITE. The fundamental assessment of threats tracked by Dragos is that they are explicitly attempting to gain access to ICS networks and operations or are successful in achieving access, not simply trying to gain access to an industrial organization. The new VANADINITE activity group targets electric utilities, oil and gas, manufacturing, telecommunications, and transportation. VANADINITE targets a geographically broad region including North America, Europe, and with evidence of activity in Asia and Australia.

To Patch or Not to Patch in OT That Is the Real Challenge

www.tripwire.com/state-of-security/ics-security/to-patch-or-not-to-patch-in-ot-that-is-the-real-challenge/ What do you think of when your mind goes to an OT environment? Is it all about old legacy machines and some specialized devices such as Programmable Logic Controllers (PLC), servos, Variable Frequency Drives (VFD), RTUs and other remote I/O devices? If so, you are almost right. But also remember that there is a fair number of IT-like assets in that environment, too. As a result, patching in the OT environment is not altogether a wrong or far-fetched notion. It's just not a blanket one.

Defenders, Know Your Operating System Like Attackers Do!

isc.sans.edu/forums/diary/Defenders+Know+Your+Operating+System+Like+Attackers+Do/27212/ Not a technical diary today but more a reflection. When I'm teaching FOR610[1], I always remind students to "RTFM" or "Read the F Manual". I mean to not hesitate to have a look at the Microsoft documentation when they meet an API call for the first time or if they are not sure about the expected parameters. Many attackers have a very deep knowledge of how targeted operating systems behave and what controls are in place or which features could be (ab)used by malicious code.

Microsoft’s Azure SDK site tricked into listing fake package

www.bleepingcomputer.com/news/security/microsofts-azure-sdk-site-tricked-into-listing-fake-package/ A security researcher was able to add a counterfeit test package to the official list of Microsoft Azure SDK latest releases. The simple trick, if abused by an attacker, can give the impression that their malicious package is part of the Azure SDK suite.

Can We Stop Pretending SMS Is Secure Now?

krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/ SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of employees at mobile stores who can be tricked or bribed into swapping control over a mobile phone number to someone else. Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept text messages intended for other mobile users.

Mastermind of 2020’s top celebrity Twitter hack sentenced to 3 years

www.hackread.com/twitter-hack-mastermind-jailed-2020-celebrity-hack/ Graham Ivan Clark, the mastermind of the high-profile Twitter hack leading to the Bitcoin scam on July 15th, 2020, has been sentenced to 3 years in prison. Clark was arrested on July 31st, 2020 in Tampa, Florida, when he was 17, and charged with multiple counts of organized fraud, communications fraud, fraudulent use of personal information, and accessing a computer or electronic device without authority.

FINDING THE CRACKS IN THE WALL – HOW MODERN SCAMS BYPASS MFA

blogs.akamai.com/2021/03/finding-the-cracks-in-the-wall-how-modern-scams-bypass-mfa—blog2.html In this blog, I will cover the most prevalent techniques being used to bypass MFA factors, and I will explain how different MFA techniques present different risks for user credentials becoming compromised and, as a result, accounts being taken over.

Google runs 24/7, so why do Finnish online banks stutter?

www.tivi.fi/uutiset/google-toimii-24-7-miksi-suomalaiset-verkkopankit-takkuavat/f22bd9e2-7a72-4e81-8e67-019c60ebad89 The internet giants' services were built from scratch on modern technologies. Some of the banks' systems date back to the last millennium. [SUBSCRIBERS ONLY]
