Daily NCSC-FI news followup 2021-05-12

The New Ransomware Threat: Triple Extortion

blog.checkpoint.com/2021/05/12/the-new-ransomware-threat-triple-extortion/ The global surge in ransomware attacks has hit a 102% increase this year compared to the beginning of 2020, and shows no sign of slowing down. The number of organizations impacted by ransomware globally has more than doubled in the first half of 2021 compared with 2020. The healthcare and utilities sectors have been the most targeted sectors since the beginning of April 2021. Organizations in Asia Pacific are targeted more than any other region. Check Point Research (CPR) warns of a new ransomware threat: Triple Extortion.

FragAttack: New Wi-Fi vulnerabilities that affect basically everything

blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/fragattack-new-wi-fi-vulnerabilities-that-affect-basically-everything/ A new set of vulnerabilities with an aggressive name and their own website almost always bodes ill. The name FragAttack is a contraction of fragmentation and aggregation attacks, which immediately indicates the main area where the vulnerabilities were found. The vulnerabilities are mostly in how Wi-Fi and connected devices handle data packets, and more particularly in how they handle fragments and frames of data packets. As far as the researcher is aware, every Wi-Fi product is affected by at least one vulnerability. Also:

www.bleepingcomputer.com/news/security/all-wi-fi-devices-impacted-by-new-fragattacks-vulnerabilities/

thehackernews.com/2021/05/nearly-all-wifi-devices-are-vulnerable.html

therecord.media/wifi-devices-going-back-to-1997-vulnerable-to-new-frag-attacks/

threatpost.com/fragattacks-wifi-bugs-millions-devices/166080/

Ransomware world in 2021: who, how and why

securelist.com/ransomware-world-in-2021/102169/ As the world marks the second Anti-Ransomware Day, there's no way to deny it: ransomware has become the buzzword in the security community. And not without good reason. The threat may have been around a long time, but it's changed. Year after year, the attackers have grown bolder, methodologies have been refined and, of course, systems have been breached. Yet, much of the media attention ransomware gets is focused on chronicling which companies fall prey to it. In this report, we take a step back from the day-to-day ransomware news cycle and follow the ripples back into the heart of the ecosystem to understand how it is organized.

Shining a Light on DARKSIDE Ransomware Operations

www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. Like many of their peers, these actors conduct multifaceted extortion where data is both exfiltrated and encrypted in place, allowing them to demand payment for unlocking and the non-release of stolen data to exert more pressure on victims.

Microsoft: Threat actors target aviation orgs with new malware

www.bleepingcomputer.com/news/security/microsoft-threat-actors-target-aviation-orgs-with-new-malware/ Microsoft warns of an ongoing spear-phishing campaign targeting aerospace and travel organizations with multiple remote access trojans (RATs) deployed using a new and stealthy malware loader. “In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT,” Microsoft said.

DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks

us-cert.cisa.gov/ncas/alerts/aa21-131a The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity, a pipeline company, in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company's information technology (IT) network. At this time, there is no indication that the entity's operational technology (OT) networks have been directly affected by the ransomware.

Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations

thehackernews.com/2021/05/ransomware-gang-leaks-metropolitan.html The cybercrime syndicate behind Babuk ransomware has leaked more personal files belonging to the Metropolitan Police Department (MPD) after negotiations with the DC Police broke down, warning that they intend to publish all data if their ransom demands are not met. “The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. if during tomorrow they do not raise the price, we will release all the data,” the gang said in a statement on their data leak site.

Number of industrial control systems on the internet is lower than in 2020…but still far from zero

isc.sans.edu/forums/diary/Number+of+industrial+control+systems+on+the+internet+is+lower+then+in+2020but+still+far+from+zero/27412/ With the recent ransomware attack that impacted operation of one of the major US pipelines[1], I thought it might be a good time to revisit the old topic of internet-connected industrial systems. Since operational technologies are generally used to support/control processes that directly impact the physical world, the danger of successful attacks on them should be self-evident, as should the need to protect them.

threatpost.com/wormable-windows-bug-dos-rce/166057/ Microsoft's May Patch Tuesday release addressed a modest 55 cybersecurity vulnerabilities, including just four critical bugs. It's the smallest monthly update from the computing giant since 2020, but it does contain a patch for a concerning wormable vulnerability found in the Windows OS. The good news is that none of the vulnerabilities are being actively exploited in the wild, according to Microsoft, though three are listed as publicly known.

App Store stopped more than $1.5 billion in potentially fraudulent transactions in 2020

www.apple.com/newsroom/2021/05/app-store-stopped-over-1-5-billion-in-suspect-transactions-in-2020/ Apple helps keep the App Store a safe and trusted place for users to discover apps by detecting and taking action against fraudulent developers and users. Threats have been present since the first day the App Store launched on iPhone, and they've increased in both scale and sophistication in the years since. Apple has likewise scaled its efforts to meet those threats, taking relentless steps forward to combat these risks to users and developers alike.

Microsoft fixes WSUS bug blocking May Windows security updates

www.bleepingcomputer.com/news/microsoft/microsoft-fixes-wsus-bug-blocking-may-windows-security-updates/ Microsoft has resolved a known issue preventing managed devices from receiving the May 2021 Patch Tuesday Windows security updates. “When checking for updates within Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager and managed devices that connect to these servers,” this month’s security updates “might not be available or offered,” as Microsoft explained on the Windows Health Dashboard.

FBI warns of cybercriminals abusing search ads to promote phishing sites

therecord.media/fbi-warns-of-cybercriminals-abusing-search-ads-to-promote-phishing-sites/ The Federal Bureau of Investigation says that cybercrime gangs are using search results and search engine ads to lure victims to phishing sites impersonating financial institutions in order to collect their login credentials. The schemes resulted in illicit ACH transfers amounting to hundreds of thousands of dollars in financial losses, the FBI said in a private industry notification (PIN) sent to the US private sector on Tuesday.

Hackers blocked the reopening of schools; Russia is accused of sheltering criminals

www.tivi.fi/uutiset/tv/eecee20f-3e14-44af-adb0-ca65a1c4a9be The activity of Russian hackers has been the talk of the week after a denial-of-service attack disrupted fuel deliveries in the United States. The BBC writes that British Foreign Secretary Dominic Raab has nevertheless directed sharp words at Moscow. He spoke on the matter at the conference of the UK's cyber security centre (National Cyber Security Centre, NCSC). When criminals operate on the soil of states like Russia, the country has a duty to bring them to justice, not to protect them, Raab said. According to him, democratic and authoritarian states stand on opposite sides of the front line in this matter too.

Vulnerable Protocols Leave Firms Open to Further Compromises

www.darkreading.com/risk/vulnerable-protocols-leave-firms-open-to-further-compromises/d/d-id/1340993 Companies may no longer have Internet-facing file servers or weakly secured Web servers, but attackers that get by the perimeter have a wide-open landscape of vulnerability. Nearly nine out of every 10 companies have devices that use outdated protocols, such as Microsoft’s Server Message Block version 1 for sharing files, giving attackers that breach the network perimeter an easy avenue to extend a compromise, according to a new report by network security firm ExtraHop.

Russia denied being behind the cyberattack targeting an oil pipeline in the US

yle.fi/uutiset/3-11927157 According to US intelligence, the ransomware originated in Russia. Russia has denied that it is responsible for the cyberattack targeting the oil pipeline system in the United States. "We categorically reject all the fantasies put forward by journalists. We reiterate that Russia does not engage in 'malicious' activity in virtual spaces," the Russian Embassy in the United States said in a statement.
