Daily NCSC-FI news followup 2021-05-07

Connected Places: new NCSC security principles for ‘Smart Cities’

www.ncsc.gov.uk/blog-post/connected-places-new-ncsc-security-principles-for-smart-cities NCSC Technical Director warns that ‘Connected Places’ will likely be a target for malicious actors. It wasn't a teenager accidentally taking control of nuclear command and control, or a magic box that can decrypt anything stolen and used by shady Bond villains intent on taking over the world. It was an attack against a city's centralised traffic management system in the 1969 film ‘The Italian Job’. As part of an elaborate heist, a dodgy computer professor (played by Benny Hill) switches magnetic storage tapes for the Turin traffic control to create a gridlock. Chaos ensues, they blow the bloody doors off, and the thieves escape with the gold.

Google Docs used for Office 365 credential phishing

www.kaspersky.com/blog/office-365-phishing-via-gdocs/39828/ Since the onset of the COVID-19 pandemic, many companies have moved much of their workflows online and learned to use new collaboration tools. In particular, Microsoft's Office 365 suite has seen a lot more use and, to no one's surprise, phishing now increasingly targets those user accounts. Scammers have been resorting to all sorts of tricks to get business users to enter their passwords on a website made to look like Microsoft's sign-in page. Here is another phishing scheme that makes use of Google services.

Popular routers found vulnerable to hacker attacks

www.welivesecurity.com/2021/05/07/popular-routers-vulnerable-hacker-attacks/ Millions of Brits use Wi-Fi routers that contain various security flaws and may put them at risk of cyberattacks, an investigation by British consumer watchdog Which? has found. Together with Red Maple Technologies, Which? looked at 13 commonly used older router models offered by various British internet service providers (ISPs) and found that over half of them didn't meet the security standards of today. The main issues affecting routers supplied by ISPs such as Virgin, EE, Sky, TalkTalk, and Vodafone were weak default passwords, local network vulnerabilities, and the lack of firmware updates to patch security loopholes.

Joint advisory: Further TTPs associated with SVR cyber actors

www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors The NCSC, CISA, FBI and NSA publish advice on detection and mitigation of SVR activity following the attribution of the SolarWinds compromise. The NCSC, alongside the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), FBI and the National Security Agency (NSA), has today published a report to provide further details of Tactics, Techniques and Procedures (TTPs) associated with SVR cyber actors. SVR cyber actors are known and tracked in open source as APT29, Cozy Bear, and The Dukes. Also:

www.bleepingcomputer.com/news/security/russian-state-hackers-switch-targets-after-us-joint-advisories/

www.zdnet.com/article/cybersecurity-warning-russian-hackers-are-targeting-these-vulnerabilities-so-patch-now/

Cuba Ransomware partners with Hancitor for spam-fueled attacks

www.bleepingcomputer.com/news/security/cuba-ransomware-partners-with-hancitor-for-spam-fueled-attacks/ The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks. The Hancitor (Chancitor) downloader has been in operation since 2016 when Zscaler saw it distributing the Vawtrak information-stealing Trojan. Since then, numerous campaigns have been seen over the years where Hancitor installs password-stealers, such as Pony, Ficker, and more recently, Cobalt Strike.

New Stealthy Rootkit Infiltrated Networks of High-Profile Organizations

thehackernews.com/2021/05/new-stealthy-rootkit-infiltrated.html An unknown threat actor with the capabilities to evolve and tailor its toolset to target environments infiltrated high-profile organizations in Asia and Africa with an evasive Windows rootkit since at least 2018. Called ‘Moriya,’ the malware is a “passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them,” said Kaspersky researchers Mark Lechtik and Giampaolo Dedola in a Thursday deep-dive.

Exposed Azure Storage Containers

isc.sans.edu/forums/diary/Exposed+Azure+Storage+Containers/27396/ A couple months ago, we already covered the topic of exposed Azure Blob Storage in two separate ISC diaries, “Exposed Blob Storage in Azure” and “Preventing Exposed Blob Storage in Azure”. The information therein is still relevant and valid, so if you are using Azure Storage, and haven’t read these two diaries yet, please do.

Cisco publishes solutions to SD-WAN and HyperFlex software security vulnerabilities

www.zdnet.com/article/cisco-publishes-solutions-to-sd-wan-and-hyperflex-software-security-vulnerabilities/ Cisco released software updates this week addressing multiple vulnerabilities the company says “could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.”

Bulletproof hosting admins plead guilty to running cybercrime safe haven

www.bleepingcomputer.com/news/security/bulletproof-hosting-admins-plead-guilty-to-running-cybercrime-safe-haven/ Four individuals from Eastern Europe face 20 years in prison for Racketeer Influenced Corrupt Organization (RICO) charges after pleading guilty to running a bulletproof hosting service as a safe haven for cybercrime operations targeting US entities. The bulletproof hosting service was founded by Russian citizens Aleksandr Grichishkin and Andrei Skvortsov, who hired Lithuanian Aleksandr Skorodumov and Estonian Pavel Stassi as the organization’s system admin and administrator, respectively.

The sneaky OP scam text message has changed: this is how the bank attack works

www.is.fi/digitoday/tietoturva/art-2000007963272.html Finns are once again being sent scam text messages in the name of OP. The latest text message contains a link that leads to a page phishing for online banking credentials. The text of the message reads: "As a precaution, your card has been blocked. Verify your identity to reactivate the card." The text is followed by an address leading to the scam page. Apart from the address, the scam is identical to the one seen earlier this week. The web page behind the link closely resembles OP's own pages.

Did you also get a notification from Microsoft? Your email has not been frozen, but your data is at risk

www.iltalehti.fi/tietoturva/a/af5b0b7a-db54-4208-b3e2-a12d580aeb2b Many different scam messages are circulating in Microsoft's name. Among the latest is a scam message claiming that the service agreement for the Microsoft email account has been updated. The recipient is told that they must verify their account, or their email will be frozen. The scam message contains a link through which the recipient is lured to a phishing site.

Goodbye data breaches: three 2FA apps put to the test

www.tivi.fi/uutiset/hyvasti-tietomurrot-testissa-kolme-2fa-sovellusta/8ad6267f-575d-4d32-8852-b3271b0168e7 Two-factor authentication is an easy way to improve the security of user accounts. It reduces the likelihood of an account compromise to a very small level. The problems with passwords are nothing new. They are stolen constantly, either from service providers' databases or from users' machines with malware. That is why a user account should not be protected by a password alone, especially as the most popular passwords still include password, 12345 and qwerty. Once a username and password have leaked, an intruder can gain access to all the information and material stored in the service. At worst, they can even make purchases, for example with credit cards saved in the service.

Google will make you use two-step verification to login

www.theregister.com/2021/05/07/google_password_purge/ Google has marked World Password Day by declaring “passwords are the single biggest threat to your online security,” and announcing plans to automatically add multi-step authentication to its users’ accounts. A mere eight years after Intel began promoting World Password Day as a way to raise awareness about the importance of strong passwords, Google is ready to wipe them from memory.

New Techniques Emerge for Abusing Windows Services to Gain System Control

www.darkreading.com/threat-intelligence/new-techniques-emerge-for-abusing-windows-services-to-gain-system-control/d/d-id/1340948 Several new techniques have become available recently that give attackers a way to abuse legitimate Windows services and relatively easily escalate low-level privileges on a system to gain full control of it. The newer exploits take advantage of the same or similar Windows services capabilities that attackers have abused previously and work on even some of the more recent versions of the operating system, warns Antonio Cocomazzi, system engineer at SentinelOne. Cocomazzi described some of the techniques in a briefing at the Black Hat Asia 2021 virtual conference this week.

Foxit Reader bug lets attackers run malicious code via PDFs

www.bleepingcomputer.com/news/security/foxit-reader-bug-lets-attackers-run-malicious-code-via-pdfs/ Foxit Software, the company behind the highly popular Foxit Reader, has published security updates to fix a high severity remote code execution (RCE) vulnerability affecting the PDF reader. This security flaw could allow attackers to run malicious code on users’ Windows computers and, potentially, take over control. Foxit claims to have more than 650 million users from 200 countries, with its software currently being used by over 100,000 customers.

Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?

blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/ Truesec has documented how Russian ransomware gangs profit from being left alone by Russian law enforcement, but connections seem to go even deeper. In October 2020, the Russian-based threat actor known as Evil Corp conducted a ransomware attack against a major corporation. The attack vector to gain initial access was a drive-by compromise: a legitimate website was compromised and visitors to the website were prompted to download a fake Chrome update; a ZIP file, containing a JavaScript file.
