Daily NCSC-FI news followup 2021-03-19

Identifying suspicious credential usage

www.ncsc.gov.uk/blog-post/identifying-suspicious-credential-usage How NCSC guidance can help organisations detect and protect themselves from credential abuse.

Weekly Threat Report 19th March 2021

www.ncsc.gov.uk/report/weekly-threat-report-19th-march-2021 The NCSC’s weekly threat report is drawn from recent open source reporting.

“Expert” hackers used 11 0-days to infect Windows, iOS, and Android users

arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/ A team of advanced hackers exploited no fewer than 11 zero-day vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said. Also:


New macOS malware XcodeSpy Targets Xcode Developers with EggShell Backdoor

labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/ Threat actors are abusing the Run Script feature in Apple’s Xcode IDE to infect unsuspecting Apple Developers via shared Xcode Projects. XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism. The backdoor has functionality for recording the victim’s microphone, camera and keyboard, as well as the ability to upload and download files. The XcodeSpy infection vector could be used by other threat actors, and all Apple Developers using Xcode are advised to exercise caution when adopting shared Xcode projects.

Trust your surveillance? Why hacked cameras are very bad

www.welivesecurity.com/2021/03/19/trust-your-surveillance-why-hacked-cameras-are-very-bad/ When a breach captures a part of us that is unchangeable, does it mean that we have allowed technology to pry too deeply into our lives?

FBI: Cybercrime losses topped US$4.2 billion in 2020

www.welivesecurity.com/2021/03/18/fbi-cybercrime-losses-topped-us42billion-2020/ The Bureau received over 28,000 reports of COVID-19-themed scams last year

Facebook outage affecting WhatsApp, Messenger and Instagram

www.bleepingcomputer.com/news/technology/facebook-outage-affecting-whatsapp-messenger-and-instagram/ When attempting to access Facebook services, users worldwide have stated that the application will display a continuous “Connecting” message. In BleepingComputer tests here in the USA and India, we confirmed the outage and are unable to connect to the messaging platforms.

Critical F5 BIG-IP vulnerability now targeted in ongoing attacks

www.bleepingcomputer.com/news/security/critical-f5-big-ip-vulnerability-now-targeted-in-ongoing-attacks/ On Thursday, cybersecurity firm NCC Group said that it detected successful in-the-wild exploitation of a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices.

REvil ransomware says they hit Acer, Acer reports “abnormal situations”

www.bleepingcomputer.com/news/security/revil-ransomware-says-they-hit-acer-acer-reports-abnormal-situations/ The REvil ransomware operation claims to have stolen unencrypted data after hacking electronics and computer giant Acer.

FBI warns of BEC attacks increasingly targeting US govt orgs

www.bleepingcomputer.com/news/security/fbi-warns-of-bec-attacks-increasingly-targeting-us-govt-orgs/ The Federal Bureau of Investigation (FBI) is warning US private sector companies about an increase in business email compromise (BEC) attacks targeting state, local, tribal, and territorial (SLTT) government entities.

Russian pleads guilty to Tesla hacking and extortion attempt

www.bleepingcomputer.com/news/security/russian-pleads-guilty-to-tesla-hacking-and-extortion-attempt/ Russian national Egor Igorevich Kriuchkov has pleaded guilty to recruiting a Tesla employee to plant malware designed to steal data within the network of Tesla’s Nevada Gigafactory.

Mysterious bug is deleting Microsoft Teams, SharePoint files

www.bleepingcomputer.com/news/microsoft/mysterious-bug-is-deleting-microsoft-teams-sharepoint-files/ Microsoft SharePoint and Microsoft Teams users report files are missing or moved to the Recycle Bin after the recent Azure Active Directory outage this week.

CISA releases new SolarWinds malicious activity detection tool

www.bleepingcomputer.com/news/security/cisa-releases-new-solarwinds-malicious-activity-detection-tool/ The Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to detect post-compromise malicious activity associated with the SolarWinds hackers in on-premises enterprise environments. CISA Hunt and Incident Response Program (CHIRP), the new forensics collection tool, is a Python-based tool that helps detect SolarWinds malicious activity IOCs on Windows operating systems. Also:

www.zdnet.com/article/burnt-by-solarwinds-attack-us-releases-tool-for-post-compromise-detection/. Also:


Statement on Microsoft Exchange vulnerabilities

www.enisa.europa.eu/news/enisa-news/statement-on-microsoft-exchange-vulnerabilities The EU Agency for Cybersecurity (ENISA) has provided a statement with an assessment and advice on Microsoft Exchange vulnerabilities.

Microsoft Defender Antivirus now automatically mitigates Exchange Server vulnerabilities

www.zdnet.com/article/microsoft-defender-antivirus-now-patches-exchange-server-vulnerabilities/ Mitigation fixes will be applied automatically in a renewed effort by Microsoft to contain security incidents caused by the bugs.

Bitcoin extortion messages continue

poliisi.fi/-/bitcoin-kiristysviestit-jatkuvat The Häme Police Department has again become aware of dozens of extortion messages sent to private individuals, demanding that the recipient pay 1,450 euros' worth of Bitcoin to the extortionist's wallet or else sensitive information about them will be spread. Also:


Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military

www.vice.com/en/article/k7adn9/car-location-data-telematics-us-military-ulysses-group 15 billion car locations. Nearly any country on Earth. The Ulysses Group is pitching a powerful surveillance technology to the U.S. government.

Microsoft Releases Exchange On-premises Mitigation Tool

us-cert.cisa.gov/ncas/current-activity/2021/03/16/microsoft-releases-exchange-premises-mitigation-tool Microsoft has released the Exchange On-premises Mitigation Tool (EOMT.ps1) that can automate portions of both the detection and patching process. Microsoft stated the following along with the release: “[the tool is intended] to help customers who do not have dedicated security or IT teams to apply these security updates.”

Threats against Sweden are growing and current countermeasures are not enough, assesses the Swedish Security Service Säpo

yle.fi/uutiset/3-11844771 Threats to Sweden from abroad and from violent extremist movements continue to grow, the security service Säpo assesses.

Norway's parliament hit by a cyberattack for the second time in about six months

yle.fi/uutiset/3-11831255 The cyberattack on the Storting exploited Microsoft Exchange vulnerabilities, NRK reports.

Safeguarding critical infrastructure

medium.com/e-tech/protecting-the-healthcare-sector-from-cyber-attacks-7b1851538e27 A UN report highlights the vulnerability of the healthcare sector and suggests a cybersecurity code of conduct for nation states

FBI warns of escalating Pysa ransomware attacks on education orgs

www.bleepingcomputer.com/news/security/fbi-warns-of-escalating-pysa-ransomware-attacks-on-education-orgs/ The CP-000142-MW flash alert issued by the FBI today was coordinated with DHS-CISA and it provides indicators of compromise to help guard against the malicious actions of this ransomware gang. Also:


Highlights from the 2021 Unit 42 Ransomware Threat Report

unit42.paloaltonetworks.com/ransomware-threat-report-highlights/ Ransomware is one of the top threats in cybersecurity and a focus area for Palo Alto Networks. The global threat intelligence team (Unit 42) and incident response team (The Crypsis Group) have partnered to create the 2021 Unit 42 Ransomware Threat Report to provide the latest insights on the top ransomware variants, ransomware payment trends and security best practices so we can understand and manage the threat.

Polish State Websites Hacked and Used to Spread False Info

www.securityweek.com/polish-state-websites-hacked-and-used-spread-false-info Two Polish government websites were hacked Wednesday and used briefly to spread false information about a non-existent radioactive threat, in what a Polish government official said had the hallmarks of a Russian cyberattack.

China-Linked Cyber-Espionage Group Mustang Panda is Targeting Telecommunications

cybersguards.com/china-linked-cyber-espionage-group-mustang-panda-is-targeting-telecommunications/ According to McAfee security researchers, the China-linked cyber-espionage organisation Mustang Panda is targeting telecommunications companies in Asia, Europe, and the United States for espionage purposes. Also:

www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf. Also:


Beware Android trojan posing as Clubhouse app

www.welivesecurity.com/2021/03/18/beware-android-trojan-posing-clubhouse-app/ The malware can grab login credentials for more than 450 apps and bypass SMS-based two-factor authentication

NIS2 Proposal: First feedback on the normative text

cert.at/en/blog/2021/3/nis2-proposal-first-feedback-on-the-normative-text Feedback on the normative text of the NIS2 proposal.
