Daily NCSC-FI news followup 2021-04-27

EU investigates the possibility of misuse in the interface used by coronavirus apps; Koronavilkku remains safe to use

thl.fi/fi/-/eu-selvittaa-vaarinkayton-mahdollisuutta-koronasovellusten-kayttamassa-rajapinnassa-koronavilkun-kaytto-edelleen-turvallista- The EU is investigating a possible security hole in coronavirus apps on Android phones that use an interface made by Google and Google Play services. So far there is no indication that the interface has been used for improper purposes. The Koronavilkku app in use in Finland also uses the interface in question. “Koronavilkku can still be used safely. We have not become aware of any misuse related to it or to the coronavirus apps in use in other countries. The EU is investigating the possible security hole in cooperation with Google,” says THL's Director of Information Management Aleksi Yrttiaho.

macOS Gatekeeper Bypass (2021 Edition)

cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508 This post will briefly discuss how a bug that I uncovered in macOS Catalina 10.15 (specifically tested on 10.15.7) and in macOS Big Sur before Big Sur 11.3 allows an attacker to very easily craft a macOS payload that is not checked by Gatekeeper. This payload can be used in phishing, and all the victim has to do is double-click to open the .dmg and double-click the fake app inside of the .dmg; no pop-ups or warnings from macOS are generated. also:

objective-see.com/blog/blog_0x64.html

Authority issues warning: Text message arriving on phones in DHL's name spreads malware

www.is.fi/digitoday/tietoturva/art-2000007943835.html The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom warns of text messages sent in the name of the transport company DHL whose ultimate purpose is to install malware on Android phones.

Abusing Replication: Stealing AD FS Secrets Over the Network

www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives. In this blog post we will show how a threat actor, with the right privilege, can extract the encrypted Token Signing Certificate from anywhere on the internal network. Once extracted, a threat actor can easily decrypt it and begin accessing cloud services.

Anatomy of Cobalt Strike’s DLL Stager

blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/ NVISO recently monitored a targeted campaign against one of its customers in the financial sector. The attempt was spotted at its earliest stage following an employee’s report concerning a suspicious email. While no harm was done, we commonly identify any related indicators to ensure additional monitoring of the actor. This blog post will cover the payload’s anatomy, design choices and highlight ways to reduce both log footprint and time-to-shellcode.

What is C2? Command and Control Infrastructure Explained

www.varonis.com/blog/what-is-c2/ A successful cyberattack is about more than just getting your foot into the door of an unsuspecting organization. To be of any real benefit, the attacker needs to maintain persistence within the target environment, communicate with infected or compromised devices inside the network, and potentially exfiltrate sensitive data. The key to accomplishing all these tasks is a robust Command and Control Infrastructure or “C2”. What is C2? In this post, we’ll answer that question and look at how adversaries use these covert communication channels to carry out highly sophisticated attacks. We’ll also look at how to spot and defend against C2-based attacks.

FBI shares 4 million email addresses used by Emotet with Have I Been Pwned

www.bleepingcomputer.com/news/security/fbi-shares-4-million-email-addresses-used-by-emotet-with-have-i-been-pwned/ Apart from computer systems, Emotet also compromised a large number of email addresses and used them for its operations. The FBI now wants to give the owners of these email addresses a quick way to check if they’ve been affected by Emotet. For this purpose, the agency and the Dutch National High Technical Crimes Unit (NHTCU) shared 4,324,770 email addresses that had been stolen by Emotet with the Have I Been Pwned (HIBP) data breach notification service.

Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound

www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q1 of 2021. Data exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast majority of ransomware attacks now include the theft of corporate data. Q1 saw a reversal of average and median ransom amounts. The averages in Q1 were pulled up by a raft of data exfiltration attacks by one specific threat actor group that opportunistically leveraged a unique vulnerability.

Ransomware gang threatens to expose police informants if ransom is not paid

therecord.media/ransomware-gang-threatens-to-expose-police-informants-if-ransom-is-not-paid/ A ransomware gang is threatening to leak sensitive police files that may expose police investigations and informants unless the Metropolitan Police Department of the District of Columbia agrees to pay a ransom demand. “We are aware of unauthorized access on our server,” Sean Hickman, a public spokesperson for DC Police, told The Record in an email today after screenshots of the department’s internal files and servers were published on the website of the Babuk Locker ransomware gang.

The State of Ransomware 2021

news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/ The State of Ransomware 2021 report provides fresh new insights into the frequency and impact of ransomware.

Types of Cybercrime

www.pandasecurity.com/en/mediacenter/panda-security/types-of-cybercrime/ Cybercrime is defined as a crime where a computer is the object of the crime or is used as a tool to commit an offense. A cybercriminal may use a device to access a user’s personal information, confidential business information or government information, or to disable a device. It is also a cybercrime to sell or elicit the above information online. Cybercrimes are at an all-time high, costing companies and individuals billions of dollars annually. What’s even more frightening is that this figure only represents the last 5 years, with no end in sight.

Reliability of police mobile phone evidence questioned after hack

theferret.scot/reliability-of-police-mobile-phone-evidence-questioned-after-hack/ The reliability of information gleaned from thousands of mobile phones analysed by Police Scotland could be called into question after analysis software it uses was apparently hacked.

APT trends report Q1 2021

securelist.com/apt-trends-report-q1-2021/101967/ For four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of. This is our latest installment, focusing on activities that we observed during Q1 2021.

Microsoft Teams worldwide outage impacts user logins, chats

www.bleepingcomputer.com/news/microsoft/microsoft-teams-worldwide-outage-impacts-user-logins-chats/ The outage impacted customers between 9:58 AM UTC and 12:05 PM UTC. According to Microsoft, it was caused by a recent configuration change that “resulted in specific feature settings to include an incorrect value, resulting in impact to the service.”

What would the bad guy do? A popular agile practice can be used for security

www.tivi.fi/uutiset/tv/276fe4bb-b9d0-4c2e-af9f-97c1ef78ca7a [FOR SUBSCRIBERS]. Agile development user stories can also be used in ways other than the traditional one.

Hackathon returned to the office: via a coronavirus test to dig for security holes

www.tivi.fi/uutiset/hackathon-palasi-konttorille-koronatestin-kautta-kaivamaan-turva-aukkoja/8244e24c-371e-4399-8067-e4db21a5459d [FOR SUBSCRIBERS]. A skilled hacker can find a way into a company's systems through its security devices. Participants in LähiTapiola's hackathon were required to present a negative coronavirus test result and to self-isolate beforehand.

Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol

labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop/ Every Windows system is vulnerable to a particular NTLM relay attack that could allow attackers to escalate privileges from User to Domain Admin. The current status of this vulnerability is “won’t fix”. Enterprise security teams are encouraged to follow the recommendations and mitigations given below.

Initial analysis of PasswordState supply chain attack backdoor code

lordx64.medium.com/initial-analysis-of-passwordstate-supply-chain-attack-backdoor-code-aaff1df389e4 UPDATE 24 April 2021: The second stage payload was shared with me by Peter Kruse (@PeterKruse), thanks to him. Please find the second stage payload analysis at the end of this document.

Supply Chain Attacks via GitHub.com Releases

wwws.nightwatchcybersecurity.com/2021/04/25/supply-chain-attacks-via-github-com-releases/ Release functionality on GitHub.com allows modification of assets within a release by any project collaborator. This can occur after the release is published, and without notification or audit logging accessible in the UI to either the project owners or the public. However, some audit information may be available via the GitHub APIs. An attacker can compromise a collaborator’s account and use it to modify releases without the knowledge of project owners or the public, thus resulting in supply chain attacks against the users of the project. As a mitigation measure, project owners using GitHub.com are encouraged to use other methods for securing releases such as digitally signing releases with PGP. Users are encouraged to check digital signatures and use the GitHub.com release APIs to extract and verify release assets data.
