EU investigates possibility of misuse in the interface used by coronavirus apps – Koronavilkku still safe to use
thl.fi/fi/-/eu-selvittaa-vaarinkayton-mahdollisuutta-koronasovellusten-kayttamassa-rajapinnassa-koronavilkun-kaytto-edelleen-turvallista- The EU is investigating a possible security hole in coronavirus apps on Android phones that use an interface made by Google and Google Play services. So far there is no indication that the interface has been used for improper purposes. The Koronavilkku app in use in Finland also uses this interface. “Koronavilkku can still be used safely. We have not become aware of any misuse related to it or to the coronavirus apps in use in other countries. The EU is investigating the possible security hole in cooperation with Google,” says Aleksi Yrttiaho, Director of Information Management at THL.
macOS Gatekeeper Bypass (2021 Edition)
cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508 This post will briefly discuss how a bug that I uncovered in macOS Catalina 10.15 (specifically tested on 10.15.7) and in macOS Big Sur before Big Sur 11.3 allows an attacker to very easily craft a macOS payload that is not checked by Gatekeeper. This payload can be used in phishing, and all the victim has to do is double-click to open the .dmg and double-click the fake app inside of the .dmg; no pop-ups or warnings from macOS are generated.
Authority issues warning: Message arriving on phones in DHL's name spreads malware
www.is.fi/digitoday/tietoturva/art-2000007943835.html The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom warns of text messages sent in the name of the transport company DHL whose ultimate purpose is to install malware on Android phones.
Abusing Replication: Stealing AD FS Secrets Over the Network
www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives. In this blog post we will show how a threat actor, with the right privilege, can extract the encrypted Token Signing Certificate from anywhere on the internal network. Once extracted, a threat actor can easily decrypt it and begin accessing cloud services.
Anatomy of Cobalt Strike’s DLL Stager
blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/ NVISO recently monitored a targeted campaign against one of its customers in the financial sector. The attempt was spotted at its earliest stage following an employee’s report concerning a suspicious email. While no harm was done, we commonly identify any related indicators to ensure additional monitoring of the actor. This blog post will cover the payload’s anatomy, design choices and highlight ways to reduce both log footprint and time-to-shellcode.
What is C2? Command and Control Infrastructure Explained
www.varonis.com/blog/what-is-c2/ A successful cyberattack is about more than just getting your foot into the door of an unsuspecting organization. To be of any real benefit, the attacker needs to maintain persistence within the target environment, communicate with infected or compromised devices inside the network, and potentially exfiltrate sensitive data. The key to accomplishing all these tasks is a robust Command and Control Infrastructure, or “C2”. What is C2? In this post, we’ll answer that question and look at how adversaries use these covert communication channels to carry out highly sophisticated attacks. We’ll also look at how to spot and defend against C2-based attacks.
FBI shares 4 million email addresses used by Emotet with Have I Been Pwned
www.bleepingcomputer.com/news/security/fbi-shares-4-million-email-addresses-used-by-emotet-with-have-i-been-pwned/ Apart from computer systems, Emotet also compromised a large number of email addresses and used them for its operations. The FBI now wants to give the owners of these email addresses a quick way to check if they’ve been affected by Emotet. For this purpose, the agency and the Dutch National High Tech Crime Unit (NHTCU) shared 4,324,770 email addresses that had been stolen by Emotet with the Have I Been Pwned (HIBP) data breach notification service.
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q1 of 2021. Data exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast majority of ransomware attacks now include the theft of corporate data. Q1 saw a reversal of average and median ransom amounts. The averages in Q1 were pulled up by a raft of data exfiltration attacks by one specific threat actor group that opportunistically leveraged a unique vulnerability.
Ransomware gang threatens to expose police informants if ransom is not paid
therecord.media/ransomware-gang-threatens-to-expose-police-informants-if-ransom-is-not-paid/ A ransomware gang is threatening to leak sensitive police files that may expose police investigations and informants unless the Metropolitan Police Department of the District of Columbia agrees to pay a ransom demand. “We are aware of unauthorized access on our server,” Sean Hickman, a public spokesperson for DC Police, told The Record in an email today after screenshots of the department’s internal files and servers were published on the website of the Babuk Locker ransomware gang.
The State of Ransomware 2021
news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/ The State of Ransomware 2021 report provides fresh new insights into the frequency and impact of ransomware.
Types of Cybercrime
www.pandasecurity.com/en/mediacenter/panda-security/types-of-cybercrime/ Cybercrime is defined as a crime where a computer is the object of the crime or is used as a tool to commit an offense. A cybercriminal may use a device to access a user’s personal information, confidential business information, or government information, or to disable a device. It is also a cybercrime to sell or elicit the above information online. Cybercrimes are at an all-time high, costing companies and individuals billions of dollars annually. What’s even more frightening is that this figure only represents the last 5 years, with no end in sight.
Reliability of police mobile phone evidence questioned after hack
theferret.scot/reliability-of-police-mobile-phone-evidence-questioned-after-hack/ The reliability of information gleaned from thousands of mobile phones analysed by Police Scotland could be called into question after analysis software it uses was apparently hacked.
APT trends report Q1 2021
securelist.com/apt-trends-report-q1-2021/101967/ For four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of. This is our latest installment, focusing on activities that we observed during Q1 2021.
Microsoft Teams worldwide outage impacts user logins, chats
www.bleepingcomputer.com/news/microsoft/microsoft-teams-worldwide-outage-impacts-user-logins-chats/ The outage impacted customers between 9:58 AM UTC and 12:05 PM UTC. According to Microsoft, it was caused by a recent configuration change that “resulted in specific feature settings to include an incorrect value, resulting in impact to the service.”
What would the bad guy do? A popular agile practice can be used for security
www.tivi.fi/uutiset/tv/276fe4bb-b9d0-4c2e-af9f-97c1ef78ca7a [FOR SUBSCRIBERS]. User stories from agile development can also be used in other ways than the traditional one.
Hackathon returned to the office: through a coronavirus test to dig for security holes
www.tivi.fi/uutiset/hackathon-palasi-konttorille-koronatestin-kautta-kaivamaan-turva-aukkoja/8244e24c-371e-4399-8067-e4db21a5459d [FOR SUBSCRIBERS]. A skilled hacker can find a way into a company's systems through security devices. Participants in LähiTapiola's hackathon were required to have a negative coronavirus test result and to isolate themselves beforehand.
Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol
labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop/ Every Windows system is vulnerable to a particular NTLM relay attack that could allow attackers to escalate privileges from User to Domain Admin. The current status of this vulnerability is “won’t fix”. Enterprise security teams are encouraged to follow the recommendations and mitigations given below.
Initial analysis of PasswordState supply chain attack backdoor code
lordx64.medium.com/initial-analysis-of-passwordstate-supply-chain-attack-backdoor-code-aaff1df389e4 UPDATE 24 April 2021: The second stage payload was shared with me by Peter Kruse (@PeterKruse) thanks to him. Please find the second stage payload analysis at the end of this document.
Supply Chain Attacks via GitHub.com Releases
wwws.nightwatchcybersecurity.com/2021/04/25/supply-chain-attacks-via-github-com-releases/ Release functionality on GitHub.com allows modification of assets within a release by any project collaborator. This can occur after the release is published, and without notification or audit logging accessible in the UI to either the project owners or the public. However, some audit information may be available via the GitHub APIs. An attacker can compromise a collaborator’s account and use it to modify releases without the knowledge of project owners or the public, thus resulting in supply chain attacks against the users of the project. As a mitigation measure, project owners using GitHub.com are encouraged to use other methods for securing releases such as digitally signing releases with PGP. Users are encouraged to check digital signatures and use the GitHub.com release APIs to extract and verify release assets data.