Daily NCSC-FI news followup 2021-05-10

DDoS attacks in Q1 2021

securelist.com/ddos-attacks-in-q1-2021/102166/ Q1 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware, which attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. Botnet operators use infected devices to carry out DDoS attacks or mine cryptocurrency. Another active bot focused on Android devices with the ADB (Android Debug Bridge) debug interface. The botnet was dubbed Matryosh (from the Russian word matryoshka nesting doll) due to the multi-step process for obtaining the C&C address.

US and Australia warn of escalating Avaddon ransomware attacks

www.bleepingcomputer.com/news/security/us-and-australia-warn-of-escalating-avaddon-ransomware-attacks/ The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide. The FBI said in a TLP:GREEN flash alert last week that Avaddon ransomware affiliates are trying to breach the networks of manufacturing, healthcare, and other private sector organizations around the world.

Over 25% Of Tor Exit Relays Spied On Users’ Dark Web Activities

thehackernews.com/2021/05/over-25-of-tor-exit-relays-are-spying.html An unknown threat actor managed to control more than 27% of the entire Tor network exit capacity in early February 2021, a new study on the dark web infrastructure revealed. “The entity attacking Tor users is actively exploiting tor users since over a year and expanded the scale of their attacks to a new record level,” an independent security researcher who goes by the name nusenu said in a write-up published on Sunday. “The average exit fraction this entity controlled was above 14% throughout the past 12 months.”

Capture-The-Flag Competitions: all you ever wanted to know!

www.enisa.europa.eu/news/enisa-news/capture-the-flag-competitions-all-you-ever-wanted-to-know The European Union Agency for Cybersecurity releases a report addressing the contemporary use of Capture-The-Flag (CTF) competitions around the world. It explores how these competitions work and provides a high-level analysis of the dataset of the most recent major public events. Based on the results of the findings, the report suggests recommendations for consideration in the design phase of these types of competitions.

DarkSide ransomware will now vet targets after pipeline cyberattack

www.bleepingcomputer.com/news/security/darkside-ransomware-will-now-vet-targets-after-pipeline-cyberattack/ The DarkSide ransomware gang posted a new “press release” today stating that they are apolitical and will vet all targets before they are attacked. Last week, the ransomware gang encrypted the network of Colonial Pipeline, the largest fuel pipeline in the United States. Due to the attack, Colonial shut down its network and the fuel pipeline while recovering from the cyberattack.

Pipeline cyberattack comes after years of government warnings

therecord.media/pipeline-cyberattack-comes-after-years-of-government-warnings/ Government authorities and watchdogs have warned for years that U.S. pipelines are vulnerable to cyberattacks that could potentially disrupt operations, and an attack against a major U.S. gasoline and jet fuel pipeline on Friday threatens to show how bad these incidents can be. Colonial Pipeline Company said yesterday that it had shut down 5,500 miles of pipeline supplying the East Coast with fuel in an effort to contain a breach of its computer networks. Earlier in the day the company said network issues were causing disruptions in its pipeline system, which were later blamed on ransomware.

City of Tulsa Struck by Ransomware Attack

hotforsecurity.bitdefender.com/blog/city-of-tulsa-struck-by-ransomware-attack-25798.html Tulsa, Oklahoma, is reportedly the latest in a long line of American cities to have fallen victim to a ransomware attack. The attack, which occurred on Friday evening, caused the city's IT security teams to shut down many of Tulsa's internal systems over the weekend out of an abundance of caution while they worked around the clock in an attempt to restore operations from backups.

Correctly Validating IP Addresses: Why encoding matters for input validation

isc.sans.edu/forums/diary/Correctly+Validating+IP+Addresses+Why+encoding+matters+for+input+validation/27404/ Recently, a number of libraries suffered from a very similar security flaw: IP addresses expressed in octal were not correctly interpreted. The result was that an attacker was able to bypass input validation rules that restricted IP addresses to specific subnets. All of these vulnerabilities were caused by a similar problem: these libraries attempted to parse IP addresses as a string. Later, standards-based “socket” libraries were used to establish the actual connection. The socket libraries have their own “inet_aton” function to convert an IP address string to an unsigned 32-bit integer, and that function treats a component with a leading zero as octal (and also accepts hex and shorthand forms), so the address the validator checked and the address the socket library actually connects to can differ.
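The mismatch the diary describes, as an added example that is not part of the ISC diary or of any of the affected libraries: a naive string-based check that "blocks 127.0.0.0/8", a pure-Python model of the number parsing that BSD/glibc inet_aton() performs (a re-implementation written for this example so it runs the same everywhere, not the C library itself), and a hardened validator that accepts only the canonical dotted-quad encoding and returns the exact string that should then be handed to the socket layer. The sample address strings and the 127.0.0.0/8 blocklist are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from the ISC diary): strings a
# validator might receive, some of them alternative encodings of 127.0.0.1.
SAMPLES = ["10.0.0.1", "127.0.0.1", "0177.0.0.1", "0x7f.1", "127.1", "2130706433"]


def lenient_inet_aton(text: str) -> int:
    """Pure-Python model of BSD/glibc inet_aton() number parsing (an added
    re-implementation so the example is deterministic; not the C library).
    One to four dot-separated parts; each part may be decimal, octal
    (leading 0) or hex (0x); the last part fills whatever bytes remain.
    Returns the address as a 32-bit host-order integer."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad part count: {text!r}")
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part[2:], 16))
        elif len(part) > 1 and part[0] == "0":
            # A leading zero means octal, so "08" or "09" is an error, not 8 or 9.
            if not re.fullmatch(r"0[0-7]+", part):
                raise ValueError(f"bad octal part: {part!r}")
            values.append(int(part, 8))
        elif re.fullmatch(r"[0-9]+", part):
            values.append(int(part, 10))
        else:
            raise ValueError(f"bad part: {part!r}")
    *leading, last = values
    if any(v > 0xFF for v in leading):
        raise ValueError(f"part out of range: {text!r}")
    tail_bytes = 4 - len(leading)
    if last >= 1 << (8 * tail_bytes):
        raise ValueError(f"last part out of range: {text!r}")
    result = 0
    for v in leading:
        result = (result << 8) | v
    return (result << (8 * tail_bytes)) | last


def naive_is_allowed(text: str) -> bool:
    """The 'before' picture: a string check that appears to block 127.0.0.0/8
    and then hands the unchanged string to the socket library. int("0177")
    is 177, so "0177.0.0.1" passes, but inet_aton reads 0177 as octal 127
    and the connection goes to loopback."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    try:
        octets = [int(p) for p in parts]
    except ValueError:
        return False
    if any(not 0 <= o <= 255 for o in octets):
        return False
    return octets[0] != 127


# Canonical dotted quad only: four decimal parts, no leading zeros, no hex.
CANONICAL_IPV4 = re.compile(
    r"(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
)
BLOCKED_NETS = [ipaddress.ip_network("127.0.0.0/8")]  # illustrative blocklist


def strict_target(text: str):
    """The hardened version: accept only the canonical encoding, decide on the
    parsed address rather than on the string, and return the canonical
    string that must be the one passed to the socket library. None = rejected."""
    if not CANONICAL_IPV4.fullmatch(text):
        return None
    addr = ipaddress.IPv4Address(text)
    if any(addr in net for net in BLOCKED_NETS):
        return None
    # In canonical form the validator and the socket library agree on the address.
    assert lenient_inet_aton(text) == int(addr)
    return str(addr)


def compare(samples=SAMPLES):
    """Per sample: (input, naive verdict, address inet_aton would connect to,
    strict verdict). Shows which encodings slip past the string-based check."""
    rows = []
    for s in samples:
        try:
            actual = str(ipaddress.IPv4Address(lenient_inet_aton(s)))
        except ValueError:
            actual = "rejected by inet_aton"
        rows.append((s, naive_is_allowed(s), actual, strict_target(s)))
    return rows


if __name__ == "__main__":
    for row in compare():
        print("{:<12} naive={!s:<5} inet_aton->{:<22} strict={}".format(*row))
```

Running the file prints one line per sample; the "0177.0.0.1" row is the bypass: the naive check allows it, inet_aton resolves it to 127.0.0.1, and the strict validator rejects it. The design point is the last line of strict_target: whatever representation was validated is the representation that gets connected to, so there is no second parser for an attacker to disagree with.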

This security project has taken down 1.5 million scam, phishing and malware URLs in just one year

www.zdnet.com/article/this-security-project-has-taken-down-1-5-million-scam-phishing-and-malware-urls-in-just-a-year/ Active Cyber Defence takes action against scammers attempting to take advantage of Covid-19 pandemic – and did so with some help from the general public. More websites hosting phishing domains and other online scams have been taken down during the last year than during the previous three years combined. The UK’s National Cyber Security Centre’s (NCSC) fourth annual Active Cyber Defence report details how it helped remove many more scams from the internet: in total, more than 1.4 million URLs responsible for 700,000 online scams have been removed by the NCSC’s takedown service during the last 12 months.

A wave of attacks hit school IT services; Wilma gets stronger protections

www.tivi.fi/uutiset/koulujen-it-palveluihin-iski-hyokkaysaalto-wilmalle-jareammat-suojaukset/9f24e4c3-d865-49b1-9715-534bc9a2ce01 In April, denial-of-service attacks against schools' remote-access services increased and became more sophisticated in method. An exceptionally large number of denial-of-service attacks were carried out against education-sector online services in April. The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom confirms to Tivi that half of the reports received in April concerned various education-sector services. Matias Mesiä, an information security specialist at the National Cyber Security Centre, says that a handful of reports concerning remote-teaching platforms came in during April.

Thousands of Tor exit nodes attacked cryptocurrency users over the past year

therecord.media/thousands-of-tor-exit-nodes-attacked-cryptocurrency-users-over-the-past-year/ For more than 16 months, a threat actor has been seen adding malicious servers to the Tor network in order to intercept traffic and perform SSL stripping attacks on users accessing cryptocurrency-related sites. The attacks, which began in January 2020, consisted of adding servers to the Tor network and marking them as exit relays, which are the servers through which traffic leaves the Tor network to re-enter the public internet after being anonymized.

US declares emergency after ransomware shuts oil pipeline that pumps 100 million gallons a day

www.theregister.com/2021/05/10/colonial_pipeline_ransomware/ Oil transport by road allowed after Colonial Pipeline goes down; operator says recovery is under way but offers no recovery date. One of the USA's largest oil pipelines has been shut by ransomware, leading the nation's Federal Motor Carrier Safety Administration to issue a regional emergency declaration permitting the transport of fuel by road. Colonial Pipeline says it carries 100 million gallons a day of refined fuels between Houston, Texas, and New York Harbor, or 45 percent of all fuel needed on the USA's East Coast. The pipeline carries fuel for cars and trucks, jet fuel, and heating oil. Also Yle: Cyberattack on a fuel distribution network in the United States will likely raise petrol prices; the FBI named DarkSide as the attacker. Here is what is known about the attack so far. yle.fi/uutiset/3-11923478

Threat Explainer: Supply Chain Attacks

blogs.cisco.com/security/threat-explainer-supply-chain-attacks Let's say that you're confident in your security posture. You have endpoint protection in place, firewalls defending the perimeter, and phishing filters on incoming email. You've leveraged tools to check for anomalies in your network traffic, rolled out an SSO solution, and implemented processes to securely connect to the network remotely. These defenses make it harder for bad actors to compromise your organization. A strong security posture is more likely to push bad actors to move on to other, less secure targets.

4 Beckoning Cyber-Threat Challenges

www.forbes.com/sites/chuckbrooks/2021/05/09/4-beckoning-cyber-threat-challenges/ My most recent FORBES article focused on 3 big trends impacting the cybersecurity ecosystem. They included the expanding cyber-attack surface, the use of ransomware as a cyber weapon of choice by hackers, and the growing ICS, OT/IT cyber-threat convergence. All the elements of that article apply to this analysis of the myriad cyber-threat trends and challenges we are currently facing or will soon face. The following observations on 4 beckoning cyber-threat challenges are another affirmation that mitigating cyber-threats is a societal imperative and cybersecurity has become indispensable to securing our digital future.

Scammers steal Instagram accounts and offer trusting followers free Bitcoins; social media scams became more common during the pandemic

yle.fi/uutiset/3-11908853 Lately a lot of Bitcoin scams have been circulating on social media, promising users free money. Bitcoins that end up in a scammer's pocket cannot be recovered. Non-existent coronavirus vaccines and medicines against infection are also being peddled on social media. Once again an English-language message peppered with emojis landed in my Instagram direct messages; freely translated into Finnish, it reads as follows. I did not reply, because the message smells like a scam. More and more Finns have encountered scam messages on social media during the pandemic. Online crime in general has clearly increased. Both F-Secure's information security director Mikko Hyppönen and Matti Näsi, university lecturer in criminology at the University of Helsinki, report the growth.
