Daily NCSC-FI news followup 2021-04-28

If your phone shows a notification like this, do not under any circumstances answer yes

www.is.fi/digitoday/tietoturva/art-2000007945801.html Malware pushed onto Android phones from web pages is a common nuisance. Learn to recognise the situations in which someone is trying to sneak third-party apps onto your phone.

Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware

thehackernews.com/2021/04/cybercriminals-widely-abusing-excel-40.html Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research. The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.

Security firm Kaspersky believes it found new CIA malware

therecord.media/security-firm-kaspersky-believes-it-found-new-cia-malware/ Cybersecurity firm Kaspersky said today it discovered new malware that appears to have been developed by the US Central Intelligence Agency. Kaspersky said it discovered the malware in “a collection of malware samples” that its analysts and other security firms received in February 2019.

RotaJakiro: A long live secret backdoor with 0 VT detection

blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ On March 25, 2021, 360 NETLAB’s BotMon system flagged a suspicious ELF file (MD5=64f6cfe44ba08b0babdd3904233c4857) with 0 VT detection. The sample communicates with 4 domains on TCP 443 (HTTPS), but the traffic is not TLS/SSL. A close look at the sample revealed it to be a backdoor targeting Linux X64 systems, from a family that has been around for at least 3 years.

Two million database servers are currently exposed across cloud providers

therecord.media/two-million-database-servers-are-currently-exposed-across-cloud-providers/ Last month, Censys, a security firm specializing in internet-wide census-like scans, took a closer look at the services left exposed on the infrastructure of cloud providers, seeking to discover the most likely sources of misconfiguration for companies running cloud-based systems. According to its report, published this week, Censys said it found more than 1.93 million databases on cloud servers that were exposed online without a firewall or other security protections. The security firm also scanned whether cloud service providers were exposing ports typically used by remote management software, such as SSH, RDP, VNC, SMB, Telnet, Team Viewer, and PC Anywhere. The most notable discovery was that more than 1.93 million servers were exposing RDP login screens online.

F5 BIG-IP Found Vulnerable to Kerberos KDC Spoofing Vulnerability

thehackernews.com/2021/04/f5-big-ip-found-vulnerable-to-kerberos.html Cybersecurity researchers on Wednesday disclosed a new bypass vulnerability in the Kerberos Key Distribution Center (KDC) security feature impacting F5 Big-IP application delivery services.

Deep Analysis: FormBook New Variant Delivered in Phishing Campaign Part III

www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-in-phishing-campaign-part-iii In this final part, I explain what tasks are performed once FormBook has injected malicious code into a Windows process (like ipconfig.exe), and the processes of various targets. I explain how inline hooks are set in the target processes from which FormBook steals its victim’s sensitive information. I will also demonstrate how that stolen data is sent to the C2 server. Finally, I provide the control commands that are used in this variant of FormBook.

F-Secure R&D discovers exploitable vulnerability in Apple’s macOS Gatekeeper

blog.f-secure.com/vulnerability-macos-gatekeeper/ F-Secure R&D has discovered a vulnerability in macOS Gatekeeper that an attacker can exploit to infect unsuspecting users with malware. F-Secure has seen no evidence of this vulnerability being exploited in attacks, nor is it aware of any reports from third parties. However, there are other vulnerabilities addressed by the updates, so it’s important for users to patch as soon as possible.

Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity

www.fireeye.com/blog/threat-research/2021/04/espionage-group-unc1151-likely-conducts-ghostwriter-influence-activity.html A new report by our Information Operations analysis, Cyber Espionage analysis, and Mandiant Research teams provides an update on Ghostwriter, highlighting two significant developments. PDF:


Cyberspies target military organizations with new Nebulae backdoor

www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/ A Chinese-speaking threat actor has deployed a new backdoor in multiple cyber-espionage operations spanning roughly two years and targeting military organizations from Southeast Asia.

Meet critical infrastructure security compliance requirements with Microsoft 365

www.microsoft.com/security/blog/2021/04/27/meet-critical-infrastructure-security-compliance-requirements-with-microsoft-365/ IT environments, with their large attack surface, can be the entryway to attack critical infrastructure even where those IT systems are not critical infrastructure themselves. Security and compliance failures may include life safety, environmental, or national security consequences, a different risk management challenge from other enterprise IT systems.

Ransomware gang targets Microsoft SharePoint servers

therecord.media/ransomware-gang-targets-microsoft-sharepoint-servers/ Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs.

Cybercrime is (still) (often) boring

www.lightbluetouchpaper.org/2021/04/28/cybercrime-is-still-often-boring/ Depictions of cybercrime often revolve around the figure of the ‘lone hacker’, a skilled artisan who builds their own tools and has a deep mastery of technical systems. However, much of the work involved is now in fact more akin to a deviant customer service or maintenance job. This means that exit from cybercrime communities is less often via the justice system, and far more likely to be a simple case of burnout.

Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin

www.wired.com/story/bitcoin-fog-dark-web-cryptocurrency-arrest/ The alleged administrator of Bitcoin Fog kept the dark web service running for 10 years before the IRS caught up with him.

Do Cyberattacks Affect Stock Prices? It Depends on the Breach

beta.darkreading.com/threat-intelligence/do-cyberattacks-affect-stock-prices-it-depends-on-the-breach A security researcher explores how data breaches, ransomware attacks, and other types of cybercrime influence stock prices.

Was the email account of Merseyrail’s MD hacked to spread word of ransomware attack?

grahamcluley.com/merseyrail-ransomware/ The supposition is that the Office 365 email account of Merseyrail’s MD had been compromised by the hackers in an attempt to spread word of the security breach, and apply pressure on the organisation to pay up.

Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle

www.zdnet.com/article/microsoft-mulls-over-threat-data-code-sharing-scheme-following-exchange-server-debacle/ Microsoft is reportedly considering revisions to a threat and vulnerability sharing program suspected of being a key factor in widespread attacks against Exchange servers. According to six people close to the matter, as reported by Bloomberg, Microsoft is considering revisions to the program that could alter how and when information concerning vulnerabilities in the vendor’s products is shared. The publication says that Microsoft fears participants may have “tipped off” threat actors after critical Exchange Server vulnerabilities were shared with partners privately in February. At least two Chinese companies are involved in the probe.


blogs.akamai.com/2021/04/reflecting-on-the-cybersecurity-threat.html Reflecting on the cybersecurity threat landscape in 2020, we can’t overlook the massive changes that landed on us. Global security attacks increased at a significant pace between 2019 and 2020, and the COVID-19 pandemic only deepened these troubling conditions. As corporations tried to adapt to remote working practices and other environmental changes, cybercriminals ramped up their attacks.

Google Promised Its Contact Tracing App Was Completely Private, But It Wasn’t

themarkup.org/privacy/2021/04/27/google-promised-its-contact-tracing-app-was-completely-private-but-it-wasnt Researchers say hundreds of preinstalled apps can access a log found on Android devices where sensitive contact tracing information is stored.

Why Google Should Stop Logging Contact-Tracing Data

blog.appcensus.io/2021/04/27/why-google-should-stop-logging-contact-tracing-data/ Recently, we found that Google’s implementation of GAEN logs crucial pieces of information to the system log, which can be read by hundreds of third-party apps and used for the privacy attacks that we previously warned about.
