Daily NCSC-FI news followup 2021-03-27

Google’s top security teams unilaterally shut down a counterterrorism operation

www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/ Google’s Project Zero and Threat Analysis Group teams found the hacking group exploiting 11 zero-day vulnerabilities in just nine months, a high number of exploits over a short period. Software that was attacked included the Safari browser on iPhones but also many Google products, including the Chrome browser on Android phones and Windows computers. MIT Technology Review has learned that the hackers in question were actually Western government operatives actively conducting a counterterrorism operation. Google’s notes –

googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html

Exclusive: Software vendors would have to disclose breaches to U.S. government users under new order: draft

www.reuters.com/article/us-usa-biden-cyber-exclusive-idUSKBN2BH37I A National Security Council spokeswoman said no decision has been made on the final content of the executive order. The order could be released as early as next week.

FBI exposes weakness in Mamba ransomware, DiskCryptor

www.bleepingcomputer.com/news/security/fbi-exposes-weakness-in-mamba-ransomware-diskcryptor/ Mamba ransomware (a.k.a. HDDCryptor) relies on an open-source software solution named DiskCryptor to encrypt victim computers in the background with a key defined by the attacker. The agency further notes that the encryption key and the shutdown time variable are stored in DiskCryptor’s configuration, a plaintext file named myConf.txt. Because there is no protection around the encryption key, as it is saved in plaintext, the FBI says that this two-hour gap is an opportunity for organizations hit by Mamba ransomware to recover it.

Webshells Observed in Post-Compromised Exchange Servers

us-cert.cisa.gov/ncas/current-activity/2021/03/25/webshells-observed-post-compromised-exchange-servers CISA has added two new Malware Analysis Reports (MARs) identifying webshells observed in post-compromised Microsoft Exchange Servers.
