Daily NCSC-FI news followup 2021-05-07

Connected Places: new NCSC security principles for ‘Smart Cities’

www.ncsc.gov.uk/blog-post/connected-places-new-ncsc-security-principles-for-smart-cities NCSC Technical Director warns that ‘Connected Places’ will likely be a target for malicious actors. It wasn't a teenager accidentally taking control of nuclear command and control, or a magic box that can decrypt anything stolen and used by shady Bond villains intent on taking over the world. It was an attack against a city's centralised traffic management system in the 1969 film ‘The Italian Job’. As part of an elaborate heist, a dodgy computer professor (played by Benny Hill) switches magnetic storage tapes for the Turin traffic control to create a gridlock. Chaos ensues, they blow the bloody doors off, and the thieves escape with the gold.

Google Docs used for Office 365 credential phishing

www.kaspersky.com/blog/office-365-phishing-via-gdocs/39828/ Since the onset of the COVID-19 pandemic, many companies have moved much of their workflows online and learned to use new collaboration tools. In particular, Microsoft's Office 365 suite has seen a lot more use and, to no one's surprise, phishing now increasingly targets those user accounts. Scammers have been resorting to all sorts of tricks to get business users to enter their passwords on a website made to look like Microsoft's sign-in page. Here is another phishing scheme that makes use of Google services.

Popular routers found vulnerable to hacker attacks

www.welivesecurity.com/2021/05/07/popular-routers-vulnerable-hacker-attacks/ Millions of Brits use Wi-Fi routers that contain various security flaws and may put them at risk of cyberattacks, an investigation by British consumer watchdog Which? has found. Together with Red Maple Technologies, Which? looked at 13 commonly used older router models offered by various British internet service providers (ISPs) and found that over half of them didn't meet the security standards of today. The main issues affecting routers supplied by ISPs such as Virgin, EE, Sky, TalkTalk, and Vodafone were weak default passwords, local network vulnerabilities, and the lack of firmware updates to patch security loopholes.

Joint advisory: Further TTPs associated with SVR cyber actors

www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors The NCSC, CISA, FBI and NSA publish advice on detection and mitigation of SVR activity following the attribution of the SolarWinds compromise. The NCSC, alongside the US Department for Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), FBI and the National Security Agency (NSA), has today published a report to provide further details of Tactics, Techniques and Procedures (TTPs) associated with SVR cyber actors. SVR cyber actors are known and tracked in open source as APT29, Cozy Bear, and The Dukes. Also:

www.bleepingcomputer.com/news/security/russian-state-hackers-switch-targets-after-us-joint-advisories/

www.zdnet.com/article/cybersecurity-warning-russian-hackers-are-targeting-these-vulnerabilities-so-patch-now/

Cuba Ransomware partners with Hancitor for spam-fueled attacks

www.bleepingcomputer.com/news/security/cuba-ransomware-partners-with-hancitor-for-spam-fueled-attacks/ The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks. The Hancitor (Chancitor) downloader has been in operation since 2016 when Zscaler saw it distributing the Vawtrak information-stealing Trojan. Since then, numerous campaigns have been seen over the years where Hancitor installs password-stealers, such as Pony, Ficker, and more recently, Cobalt Strike.

New Stealthy Rootkit Infiltrated Networks of High-Profile Organizations

thehackernews.com/2021/05/new-stealthy-rootkit-infiltrated.html An unknown threat actor with the capabilities to evolve and tailor its toolset to target environments infiltrated high-profile organizations in Asia and Africa with an evasive Windows rootkit since at least 2018. Called ‘Moriya,’ the malware is a “passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them,” said Kaspersky researchers Mark Lechtik and Giampaolo Dedola in a Thursday deep-dive.

Exposed Azure Storage Containers

isc.sans.edu/forums/diary/Exposed+Azure+Storage+Containers/27396/ A couple months ago, we already covered the topic of exposed Azure Blob Storage in two separate ISC diaries, “Exposed Blob Storage in Azure” and “Preventing Exposed Blob Storage in Azure”. The information therein is still relevant and valid, so if you are using Azure Storage, and haven’t read these two diaries yet, please do.

Cisco publishes solutions to SD-WAN and HyperFlex software security vulnerabilities

www.zdnet.com/article/cisco-publishes-solutions-to-sd-wan-and-hyperflex-software-security-vulnerabilities/ Cisco released software updates this week addressing multiple vulnerabilities the company says “could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.”

Bulletproof hosting admins plead guilty to running cybercrime safe haven

www.bleepingcomputer.com/news/security/bulletproof-hosting-admins-plead-guilty-to-running-cybercrime-safe-haven/ Four individuals from Eastern Europe face 20 years in prison for Racketeer Influenced Corrupt Organization (RICO) charges after pleading guilty to running a bulletproof hosting service as a safe haven for cybercrime operations targeting US entities. The bulletproof hosting service was founded by Russian citizens Aleksandr Grichishkin and Andrei Skvortsov, who hired Lithuanian Aleksandr Skorodumov and Estonian Pavel Stassi as the organization’s system admin and administrator, respectively.

Crooked OP scam text message has changed: this is how the bank attack works

www.is.fi/digitoday/tietoturva/art-2000007963272.html Finns are once again being sent scam text messages in OP's name. The latest text message contains a link that leads to a page phishing for bank credentials. The text of the message reads: "As a precaution, your card has been blocked. Verify your identity to reactivate the card." The text is followed by an address leading to the scam page. Apart from the address, the scam is identical to the one seen at the start of the week. The web page behind the link closely resembles OP's own pages.

Did you also get a notice from Microsoft? Your email has not been frozen, but your data is at risk

www.iltalehti.fi/tietoturva/a/af5b0b7a-db54-4208-b3e2-a12d580aeb2b Many different scam messages are circulating in Microsoft's name. Among the latest cases is a scam message claiming that the service agreement for Microsoft email has been updated. The recipient is told that they must verify their account or their email will be frozen. The scam message contains a link through which the recipient is lured to a phishing site.

Goodbye data breaches: three 2FA apps put to the test

www.tivi.fi/uutiset/hyvasti-tietomurrot-testissa-kolme-2fa-sovellusta/8ad6267f-575d-4d32-8852-b3271b0168e7 Two-factor authentication is an easy way to improve the security of user accounts. It reduces the likelihood of a breach to extremely small. Problems with passwords are nothing new. They are stolen constantly, either from service providers' databases or from users' computers with malware. That is why an account should not be left behind a password alone, especially when the most popular passwords still include password, 12345 and qwerty. Once a username and password have leaked, an intruder can gain access to all the information and material held in the service. At worst, purchases can even be made with the credit cards stored in those services.

Google will make you use two-step verification to login

www.theregister.com/2021/05/07/google_password_purge/ Google has marked World Password Day by declaring “passwords are the single biggest threat to your online security,” and announcing plans to automatically add multi-step authentication to its users’ accounts. A mere eight years after Intel began promoting World Password Day as a way to raise awareness about the importance of strong passwords, Google is ready to wipe them from memory.

New Techniques Emerge for Abusing Windows Services to Gain System Control

www.darkreading.com/threat-intelligence/new-techniques-emerge-for-abusing-windows-services-to-gain-system-control/d/d-id/1340948 Several new techniques have become available recently that give attackers a way to abuse legitimate Windows services and relatively easily escalate low-level privileges on a system to gain full control of it. The newer exploits take advantage of the same or similar Windows services capabilities that attackers have abused previously and work on even some of the more recent versions of the operating system, warns Antonio Cocomazzi, system engineer at SentinelOne. Cocomazzi described some of the techniques in a briefing at the Black Hat Asia 2021 virtual conference this week.

Foxit Reader bug lets attackers run malicious code via PDFs

www.bleepingcomputer.com/news/security/foxit-reader-bug-lets-attackers-run-malicious-code-via-pdfs/ Foxit Software, the company behind the highly popular Foxit Reader, has published security updates to fix a high severity remote code execution (RCE) vulnerability affecting the PDF reader. This security flaw could allow attackers to run malicious code on users’ Windows computers and, potentially, take over control. Foxit claims to have more than 650 million users from 200 countries, with its software currently being used by over 100,000 customers.

Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?

blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/ Truesec has documented how Russian ransomware gangs profit from being left alone by Russian law enforcement, but connections seem to go even deeper. In October 2020, the Russian-based threat actor known as Evil Corp conducted a ransomware attack against a major corporation. The attack vector to gain initial access was a drive-by compromise: a legitimate website was compromised and visitors to the website were prompted to download a fake Chrome update; a ZIP file, containing a JavaScript file.
