Daily NCSC-FI news followup 2021-03-18

Press release 18 March 2021: Timanttiteko (Diamond Act) Award 2020 goes to the National Cyber Security Centre

www.erillisverkot.fi/timanttiteko-palkinto-2020/ The Security Committee has granted the 2020 Timanttiteko Award to the National Cyber Security Centre for its exemplary advancement of the objectives of the Security Strategy for Society. The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom is the national information security authority and plays a significant role in the digital society. In a rapidly changing world, maintaining and developing information security, detecting and investigating information security breaches, training organisations and assessing information systems are all essential.

Finnish Security and Intelligence Service (Supo) identifies the cyber-espionage operation against the Finnish Parliament as APT31

supo.fi/-/suojelupoliisi-tunnisti-eduskuntaan-kohdistuneen-kybervakoiluoperaation-apt31-ksi Supo has identified the cyber-espionage operation that targeted the Finnish Parliament in 2020, in which an attempt was made to break into Parliament's information systems. Parliament strengthened its information security after receiving guidance from Supo. In addition to warning Parliament's IT administration, Supo passed information about the matter to the other competent authority, the National Cyber Security Centre, so that it could enhance its own detection. Also:

poliisi.fi/-/eduskunnan-tietojarjestelmiin-kohdistuneen-tietomurron-tutkinnassa-selvitetaan-yhteytta-apt31-toimijaan. Also: yle.fi/uutiset/3-11843261. Also:

www.bleepingcomputer.com/news/security/chinese-nation-state-hackers-linked-to-finnish-parliament-hack/

Online banking credentials are being phished in Aktia's name

www.aktia.fi/fi/uutisarkisto/uutinen/2021/03/18/aktian-nimiss%C3%A4-kalastellaan-verkkopankkitunnuksia Scam e-mails and messages are being sent in Aktia's name with the aim of phishing customers' online banking credentials. Never log in to online banking through a link received by e-mail, for example; always go via the bank's own site or by typing the address into the browser's address bar yourself. The bank will never ask for online banking credentials by e-mail or text message. If you suspect you have been targeted by phishing, contact Aktia customer service immediately on 010 247 010. Aktia takes the information security of its customers and the safety of its services extremely seriously. Read more about information security.

FBI Releases the Internet Crime Complaint Center 2020 Internet Crime Report, Including COVID-19 Scam Statistics

www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics The FBI’s Internet Crime Complaint Center has released its annual report. The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime, an increase of more than 300,000 complaints from 2019, and reported losses exceeding $4.2 billion. Internet Crime Report 2020 (PDF):

www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf. also: 64 times worse than ransomware? FBI statistics underline the horrific cost of business email compromise –

www.tripwire.com/state-of-security/featured/fbi-statistics-underline-orrific-cost-of-business-email-compromise/. also: More than $4 billion in cybercrime losses reported to FBI in 2020 – www.cyberscoop.com/fbi-ic3-cybercrime-4-billion-fraud/

Breaking bad: desperate job seekers turn to the Darknet and hacking forums for opportunities

blog.checkpoint.com/2021/03/18/breaking-bad-desperate-job-seekers-turn-to-the-darknet-and-hacking-forums-for-opportunities/ Check Point Research noticed a growing trend that began towards the end of 2020 and continues to develop in 2021: people are turning to the Darknet and various hacking forums to offer their services and availability for any kind of work available, including less than legitimate roles.

‘I scrounged through the trash heaps, now I’m a millionaire’: An interview with REvil’s Unknown

therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/ One group that has gained prominence for its audacious and lucrative tactics is REvil, also known as Sodinokibi. The group runs a ransomware-as-a-service operation, in which developers sell malware to affiliates who use it to lock up an organization’s data and devices. According to an REvil representative who uses the alias “Unknown,” the group has big plans for 2021. Unknown talked to Recorded Future expert threat intelligence analyst Dmitry Smilyanets recently about using ransomware as a weapon, staying out of politics, experimenting with new tactics, and much more. “As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”

The Ransomware Threat: Bigger, Greedier, Attacking the Most Vulnerable

blog.paloaltonetworks.com/2021/03/ransomware-threat/ Today, we released the 2021 Unit 42 Ransomware Threat Report. Using data from Unit 42, as well as from our Crypsis incident response team, the report details a disturbing new watershed: Cyber extortion has reached crisis levels as cybercriminal enterprises have flourished, obtaining capabilities that rival those of nation-states.

SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests

www.zdnet.com/article/solarwinds-linked-hacking-group-silverfish-abuses-enterprise-victims-in-sandbox-malware-tests/ On Thursday, Swiss cybersecurity firm Prodaft said that SilverFish (.PDF), an “extremely skilled” threat group, has been responsible for intrusions at over 4,720 private and government organizations including “Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers.” Report (PDF):

www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf

~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet

arstechnica.com/gadgets/2021/03/mainstream-ddosers-are-abusing-d-tls-servers-to-up-the-potency-of-attacks/ DDoS-for-hire services adopt a new technique that amplifies attacks 37-fold. DDoS mitigation provider Netscout said on Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is Datagram Transport Layer Security, or D/TLS, which (as its name suggests) is essentially TLS for UDP datagrams. The biggest D/TLS-based attacks Netscout has observed delivered about 45 Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207 Gbps.

Alert (AA21-077A) – Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool

us-cert.cisa.gov/ncas/alerts/aa21-077a This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts: AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations; and AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments.

What exactly should we be logging?

www.ncsc.gov.uk/blog-post/what-exactly-should-we-be-logging A structured look at what data to collect for security purposes and when to collect it.

The most common on-premises vulnerabilities & misconfigurations

s3cur3th1ssh1t.github.io/The-most-common-on-premise-vulnerabilities-and-misconfigurations/ In this blog post I’m going to cover what are, in my opinion, the most common findings in a Windows Active Directory environment that can be found and abused for privilege escalation and lateral movement in such a project. It’s about on-premises vulnerabilities and misconfigurations in an internal company environment, as well as mitigations.

Infrastructure: the Good, the Bad and the Ugly

www.lightbluetouchpaper.org/2021/03/18/infrastructure-the-good-the-bad-and-the-ugly/ Infrastructure: the Good, the Bad and the Ugly analyses the security economics of platforms and services. The existence of platforms such as the Internet and cloud services enabled startups like YouTube and Instagram to soar to huge valuations almost overnight, with only a handful of staff. But criminals also build infrastructure, from botnets through malware-as-a-service. There’s also dual-use infrastructure, from Tor to bitcoins, with entangled legitimate and criminal applications. So crime can scale too.

Cybersecurity in Railways Conference: Key Takeaways

www.enisa.europa.eu/news/enisa-news/cybersecurity-in-railways-conference-key-takeaways The ENISA-ERA Conference: “Cybersecurity in Railways” presented the latest cybersecurity developments and highlighted the main challenges in the field.

New macOS malware XcodeSpy Targets Xcode Developers with EggShell Backdoor

labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/ We recently became aware of a trojanized Xcode project in the wild targeting iOS developers thanks to a tip from an anonymous researcher. The malicious project is a doctored version of a legitimate, open-source project available on GitHub.

Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware

www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers Cybereason detected a new campaign targeting US taxpayers with documents that purport to contain tax-related content, ultimately delivering NetWire and Remcos – two powerful and popular RATs (remote access trojans) which can allow attackers to take control of the victims’ machines and steal sensitive information.

Now You See It, Now You Don’t: CopperStealer Performs Widespread Theft

www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft On Jan 29th, 2021, a Twitter user, “TheAnalyst”, shared a sample which caught our attention after being notified it triggered an Emerging Threats Network Intrusion Detection System (NIDS) rule. A quick triage of the sample found overlap with malware tracked internally as CopperStealer. This external interest caused Proofpoint researchers to investigate further, eventually leading to coordinated disruptive actions by Facebook, Cloudflare, and other service providers.

Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux

blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/

Google Cloud: Here are the six ‘best’ vulnerabilities security researchers found last year

www.zdnet.com/article/google-cloud-here-are-the-six-best-vulnerabilities-security-researchers-found-last-year/ Google has paid a researcher a total of $164,674 for this one bug report concerning a Google Cloud Platform tool.

Google Reveals What Personal Data Chrome and Its Apps Collect On You

thehackernews.com/2021/03/google-to-reveals-what-personal-data.html Privacy-focused search engine DuckDuckGo called out rival Google for “spying” on users after the search giant updated its flagship app to spell out the exact kinds of information it collects for personalization and marketing purposes. “After months of stalling, Google finally revealed how much personal data they collect in Chrome and the Google app. No wonder they wanted to hide it,” the company said in a tweet. “Spying on users has nothing to do with building a great web browser or search engine.”

Flaws in Two Popular WordPress Plugins Affect Over 7 Million Websites

thehackernews.com/2021/03/flaws-in-two-popular-wordpress-plugins.html Researchers have disclosed vulnerabilities in multiple WordPress plugins that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios. The flaws were uncovered in Elementor, a website builder plugin used on more than seven million sites, and WP Super Cache, a tool used to serve cached pages of a WordPress site.

Critical RCE Flaw Reported in MyBB Forum Software: Patch Your Sites

thehackernews.com/2021/03/critical-rce-flaw-reported-in-mybb.html A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an update (version 1.8.26) on March 10 addressing the issues.

A server failure can take the customer by surprise: “a persistent misconception about backups lives on”

www.tivi.fi/uutiset/tv/7d2e1c4d-54c9-4a2d-8b47-40a01e339f55 Among small and medium-sized enterprises, a persistent misconception lives on that backups are included in a hosting service by default. It pays to read the contract terms carefully. [SUBSCRIBERS ONLY]
