Daily NCSC-FI news followup 2021-03-18

Press release 18 March 2021: Timanttiteko award 2020 goes to the National Cyber Security Centre

www.erillisverkot.fi/timanttiteko-palkinto-2020/ The Security Committee has awarded the 2020 Timanttiteko award to the National Cyber Security Centre (Kyberturvallisuuskeskus) for its exemplary advancement of the objectives of the Security Strategy for Society. The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom is the national information security authority and plays a significant role in the digital society. In a rapidly changing world, maintaining and developing information security, detecting and investigating security breaches, training organisations and assessing information systems are essential.

The Finnish Security Intelligence Service (Supo) identified the cyber espionage operation against Parliament as APT31

supo.fi/-/suojelupoliisi-tunnisti-eduskuntaan-kohdistuneen-kybervakoiluoperaation-apt31-ksi The Finnish Security Intelligence Service has identified the cyber espionage operation that targeted Parliament in 2020, in which an attempt was made to break into Parliament's information systems. Parliament strengthened its information security after receiving guidance from Supo. In addition to warning Parliament's IT administration, Supo passed information on the matter to the other competent authority, the National Cyber Security Centre, so that it could enhance its own detection. also:

poliisi.fi/-/eduskunnan-tietojarjestelmiin-kohdistuneen-tietomurron-tutkinnassa-selvitetaan-yhteytta-apt31-toimijaan. also: yle.fi/uutiset/3-11843261. also:


Online banking credentials are being phished in Aktia's name

www.aktia.fi/fi/uutisarkisto/uutinen/2021/03/18/aktian-nimiss%C3%A4-kalastellaan-verkkopankkitunnuksia Scam emails and messages are being sent in Aktia's name with the aim of phishing customers' online banking credentials. Never log in to online banking via a link received e.g. by email; always go through the bank's own website or type the address yourself into the browser's address bar. The bank never asks for online banking credentials by email or text message. If you suspect you have been targeted by phishing, contact Aktia customer service immediately on 010 247 010. Aktia takes its customers' information security and the security of its services extremely seriously. Read more about information security

FBI Releases the Internet Crime Complaint Center 2020 Internet Crime Report, Including COVID-19 Scam Statistics

www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics The FBI’s Internet Crime Complaint Center has released its annual report. The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime, an increase of more than 300,000 complaints from 2019, and reported losses exceeding $4.2 billion. Internet Crime Report 2020 (PDF):

www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf. also: 64 times worse than ransomware? FBI statistics underline the horrific cost of business email compromise –

www.tripwire.com/state-of-security/featured/fbi-statistics-underline-orrific-cost-of-business-email-compromise/. also: More than $4 billion in cybercrime losses reported to FBI in 2020 – www.cyberscoop.com/fbi-ic3-cybercrime-4-billion-fraud/

Breaking bad: desperate job seekers turn to the Darknet and hacking forums for opportunities

blog.checkpoint.com/2021/03/18/breaking-bad-desperate-job-seekers-turn-to-the-darknet-and-hacking-forums-for-opportunities/ Check Point Research noticed a growing trend that began towards the end of 2020 and continues to develop in 2021: people are turning to the Darknet and various hacking forums to offer their services and availability for any kind of work, including less than legitimate roles.

‘I scrounged through the trash heaps, now I’m a millionaire’: An interview with REvil’s Unknown

therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/ One group that has gained prominence for its audacious and lucrative tactics is REvil, also known as Sodinokibi. The group runs a ransomware-as-a-service operation, in which developers sell malware to affiliates who use it to lock up an organization’s data and devices. According to an REvil representative that uses the alias “Unknown,” the group has big plans for 2021. Unknown talked to Recorded Future expert threat intelligence analyst Dmitry Smilyanets recently about using ransomware as a weapon, staying out of politics, experimenting with new tactics, and much more. As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.

The Ransomware Threat: Bigger, Greedier, Attacking the Most Vulnerable

blog.paloaltonetworks.com/2021/03/ransomware-threat/ Today, we released the 2021 Unit 42 Ransomware Threat Report. Using data from Unit 42, as well as from our Crypsis incident response team, the report details a disturbing new watershed: Cyber extortion has reached crisis levels as cybercriminal enterprises have flourished, obtaining capabilities that rival those of nation-states.

SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests

www.zdnet.com/article/solarwinds-linked-hacking-group-silverfish-abuses-enterprise-victims-in-sandbox-malware-tests/ On Thursday, Swiss cybersecurity firm Prodaft said that SilverFish (.PDF), an “extremely skilled” threat group, has been responsible for intrusions at over 4,720 private and government organizations including “Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers.” Report (PDF):


~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet

arstechnica.com/gadgets/2021/03/mainstream-ddosers-are-abusing-d-tls-servers-to-up-the-potency-of-attacks/ DDoS-for-hire services adopt a new technique that amplifies attacks 37-fold. DDoS mitigation provider Netscout said on Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is Datagram Transport Layer Security, or D/TLS, which (as its name suggests) is essentially Transport Layer Security for UDP datagrams. The biggest D/TLS-based attacks Netscout has observed delivered about 45Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207Gbps.

Alert (AA21-077A) – Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool

us-cert.cisa.gov/ncas/alerts/aa21-077a This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts: AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations; AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments.

What exactly should we be logging?

www.ncsc.gov.uk/blog-post/what-exactly-should-we-be-logging A structured look at what data to collect for security purposes and when to collect it.

The most common on premises vulnerabilities & misconfigurations

s3cur3th1ssh1t.github.io/The-most-common-on-premise-vulnerabilities-and-misconfigurations/ In this blog post I’m going to cover the, in my opinion, most common findings in a Windows Active Directory environment, which can be found and abused for Privilege Escalation and Lateral Movement in such a project. It’s about on-premises vulnerabilities and misconfigurations in an internal company environment, as well as mitigations.

Infrastructure the Good, the Bad and the Ugly

www.lightbluetouchpaper.org/2021/03/18/infrastructure-the-good-the-bad-and-the-ugly/ Infrastructure: the Good, the Bad and the Ugly analyses the security economics of platforms and services. The existence of platforms such as the Internet and cloud services enabled startups like YouTube and Instagram to soar to huge valuations almost overnight, with only a handful of staff. But criminals also build infrastructure, from botnets through malware-as-a-service. There’s also dual-use infrastructure, from Tor to bitcoins, with entangled legitimate and criminal applications. So crime can scale too.

Cybersecurity in Railways Conference: Key Takeaways

www.enisa.europa.eu/news/enisa-news/cybersecurity-in-railways-conference-key-takeaways The ENISA-ERA Conference: “Cybersecurity in Railways” presented the latest cybersecurity developments and highlighted the main challenges in the field.

New macOS malware XcodeSpy Targets Xcode Developers with EggShell Backdoor

labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/ We recently became aware of a trojanized Xcode project in the wild targeting iOS developers thanks to a tip from an anonymous researcher. The malicious project is a doctored version of a legitimate, open-source project available on GitHub.

Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware

www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers Cybereason detected a new campaign targeting US taxpayers with documents that purport to contain tax-related content, ultimately delivering NetWire and Remcos – two powerful and popular RATs (remote access trojans) which can allow attackers to take control of the victims’ machines and steal sensitive information.

Now You See It, Now You Don’t: CopperStealer Performs Widespread Theft

www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft On Jan 29th, 2021, a Twitter user, “TheAnalyst”, shared a sample which caught our attention after being notified it triggered an Emerging Threats Network Intrusion Detection System (NIDS) rule. A quick triage of the sample found overlap with malware tracked internally as CopperStealer. This external interest caused Proofpoint researchers to investigate further, eventually leading to coordinated disruptive actions by Facebook, Cloudflare, and other service providers.

Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux


Google Cloud: Here are the six ‘best’ vulnerabilities security researchers found last year

www.zdnet.com/article/google-cloud-here-are-the-six-best-vulnerabilities-security-researchers-found-last-year/ Google has paid a researcher a total of $164,674 for this one bug report concerning a Google Cloud Platform tool.

Google Reveals What Personal Data Chrome and Its Apps Collect On You

thehackernews.com/2021/03/google-to-reveals-what-personal-data.html Privacy-focused search engine DuckDuckGo called out rival Google for “spying” on users after the search giant updated its flagship app to spell out the exact kinds of information it collects for personalization and marketing purposes. “After months of stalling, Google finally revealed how much personal data they collect in Chrome and the Google app. No wonder they wanted to hide it, ” the company said in a tweet. “Spying on users has nothing to do with building a great web browser or search engine.”

Flaws in Two Popular WordPress Plugins Affect Over 7 Million Websites

thehackernews.com/2021/03/flaws-in-two-popular-wordpress-plugins.html Researchers have disclosed vulnerabilities in multiple WordPress plugins that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios. The flaws were uncovered in Elementor, a website builder plugin used on more than seven million sites, and WP Super Cache, a tool used to serve cached pages of a WordPress site.

Critical RCE Flaw Reported in MyBB Forum Software: Patch Your Sites

thehackernews.com/2021/03/critical-rce-flaw-reported-in-mybb.html A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an update (version 1.8.26) on March 10 addressing the issues.

A server failure can take the customer by surprise: “a persistent misconception about backups lives on”

www.tivi.fi/uutiset/tv/7d2e1c4d-54c9-4a2d-8b47-40a01e339f55 Among small and medium-sized enterprises there is a persistent misconception that backups are included in a hosting service by default. It pays to read the contract terms carefully. [FOR SUBSCRIBERS]
