Daily NCSC-FI news followup 2021-05-13

April 2021's Most Wanted Malware: Dridex Remains in Top Position Amidst Global Surge in Ransomware Attacks

blog.checkpoint.com/2021/05/13/april-2021s-most-wanted-malware-dridex-remains-in-top-position-amidst-global-surge-in-ransomware-attacks/ Our latest Global Threat Index for April 2021 has revealed that, for the first time, AgentTesla has ranked second in the Index, while the established Dridex trojan is still the most prevalent malware, having risen to the top spot in March after being seventh in February. This month, Dridex, a Trojan that targets the Windows platform, spread via a QuickBooks malspam campaign. The phishing emails used QuickBooks' branding and tried to lure the user with fake payment notifications and invoices. The email asked the recipient to download a malicious Microsoft Excel attachment that could infect the system with Dridex.

Using iPhones and AirTags to sneak data out of air-gapped networks

blog.malwarebytes.com/reports/2021/05/using-iphones-and-airtags-to-sneak-data-out-of-air-gapped-networks/ Someone has found an extraordinary way to exfiltrate data by piggybacking data on the backs of unsuspecting iPhones. A researcher has found out that it is possible to upload arbitrary data from non-internet-connected devices by sending Bluetooth Low Energy (BLE) broadcasts to nearby Apple devices that will happily upload the data for you. To demonstrate their point, they released an ESP32 firmware that turns the micro-controller into an (upload only) modem. They also created a macOS application to retrieve, decode and display the uploaded data.

Colonial Pipeline restores operations, $5 million ransom demanded

www.bleepingcomputer.com/news/security/colonial-pipeline-restores-operations-5-million-ransom-demanded/ Colonial Pipeline has recovered quickly from the ransomware attack suffered less than a week ago and expects all its infrastructure to be fully operational today. The company has already brought much of the pipeline system online and is currently delivering refined petroleum products to most of the markets it services. Multiple media publications on Wednesday, citing people familiar with the matter, reported that the company had no plan to pay the ransom, although Colonial Pipeline did not communicate its official position on this. Also: www.theregister.com/2021/05/13/colonial_pipeline_ransom/. YLE:


How Biden's new executive order plans to prevent another SolarWinds attack

therecord.media/how-bidens-new-executive-order-plans-to-prevent-another-solarwinds-attack/ President Biden signed a sweeping executive order on Wednesday aimed at protecting federal networks, as the East Coast continues to deal with the fallout from a ransomware attack that shut down one of the nation's largest fuel pipelines for several days. The Biden administration has been drafting the order over the last few months, and it is designed less to address an incident like the one experienced by Colonial Pipeline, a privately-owned critical infrastructure operator that is believed to have been hit by a criminal gang, than to prevent a future SolarWinds-like incident.

www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/. Also:



Phishing, ransomware, web app attacks dominate data breaches in 2021, says Verizon Business DBIR

www.zdnet.com/article/phishing-ransomware-web-app-attacks-dominate-data-breaches-in-2021-says-verizon-business-dbir/ Web applications represented 39% of all data breaches in the last year, with phishing attacks jumping 11% and ransomware up 6% from a year ago, according to the Verizon Business Data Breach Investigations Report. The report, based on 5,358 breaches from 83 contributors around the world, highlights how the COVID-19 pandemic's move to the cloud and remote work opened up new avenues for cybercrime. Verizon Business found that 61% of all breaches involved credential data. Consistent with previous years, human negligence was the biggest threat to security.

Threat Actors Use MSBuild to Deliver RATs Filelessly

www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly Anomali Threat Research discovered a campaign in which threat actors used MSBuild – a tool used for building apps that gives users an XML schema controlling how the build platform processes and builds software – to filelessly deliver Remcos RAT and RedLine Stealer using callbacks. The malicious MSBuild files we observed in this campaign contained encoded executables and shellcode, with some hosted on the Russian image-hosting site joxi[.]net. While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer. The majority of the samples we analyzed deliver Remcos as the final payload.

Meet Lorenz: A new ransomware gang targeting the enterprise

www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/ A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms. The Lorenz ransomware gang began operating last month and has since amassed a growing list of victims whose stolen data has been published on a ransomware data leak site. Michael Gillespie of ID Ransomware has told BleepingComputer that the Lorenz ransomware encryptor is the same as a previous operation known as ThunderCrypt.

Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity

blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/ Web skimming continues to be a real and impactful threat to online merchants and shoppers. The threat actors in this space range greatly in sophistication, from amateurs all the way to nation-state groups like Lazarus. In terms of security, many e-commerce shops remain vulnerable because they have not upgraded their content management software (CMS) in years. The campaign we are looking at today concerns a number of Magento 1 websites that have been compromised by a very active skimmer group.

DNA survey: These are the three biggest online fears of Finns

www.is.fi/digitoday/tietoturva/art-2000007973955.html In telecom operator DNA's "Digitaaliset elämäntavat" (Digital Lifestyles) survey, respondents were asked, among other things, about various topics related to digital security. According to DNA's press release, three things in particular stood out in the survey as threats Finns perceived online. Losing personal data in a data breach worried 37 percent of respondents. Second and third in the survey were concerns related to identity theft: investigating and remedying the resulting harm worried 36 percent of respondents, and 34 percent of respondents regarded financial harm as a threat.

Cisco fixes 6-month-old AnyConnect VPN zero-day with exploit code

www.bleepingcomputer.com/news/security/cisco-fixes-6-month-old-anyconnect-vpn-zero-day-with-exploit-code/ Cisco has fixed a six-month-old zero-day vulnerability found in the Cisco AnyConnect Secure Mobility Client VPN software, with publicly available proof-of-concept exploit code. The company’s AnyConnect Secure Mobility Client allows working on corporate devices connected to a secure Virtual Private Network (VPN) through Secure Sockets Layer (SSL) and IPsec IKEv2 using VPN clients available for all major desktop and mobile platforms.

Ransomware: How the NHS learned the lessons of WannaCry to protect hospitals from attack

www.zdnet.com/article/ransomware-how-the-nhs-learned-the-lessons-of-wannacry-to-protect-hospitals-from-attack/ Four years ago, the UK's National Health Service suddenly found itself one of the most high-profile victims of a global cyber attack. On 12 May 2017, WannaCry ransomware hit organisations around the world, but hospitals and GP surgeries throughout England and Scotland were particularly badly affected. A significant number of services were disrupted as the malware encrypted computers used by NHS trusts, forcing thousands of appointments to be cancelled and ambulances to be rerouted.

Despite Heightened Breach Fears, Incident Response Capabilities Lag

www.darkreading.com/attacks-breaches/despite-heightened-breach-fears-incident-response-capabilities-lag/d/d-id/1341000 Heightened data breach concerns, especially since the global COVID-19 outbreak early last year, don't appear to have prompted significantly improved incident response (IR) plans or capabilities at many organizations. A new survey of 500 security and risk leaders conducted by Wakefield Research on behalf of Red Canary, Kroll, and VMware shows that more than one-third (36%) of organizations still don't have a structured IR process in place. Report:

