Daily NCSC-FI news followup 2021-05-14

[The Irish Health Service Executive] shuts down IT systems amid significant cyber attack

www.irishtimes.com/news/health/hse-shuts-down-it-systems-amid-significant-cyber-attack-1.4564957 There has been a significant ransomware attack on the Health Service Executive's (HSE) IT systems. The HSE said it has taken the precaution of shutting down all its IT systems in order to protect them from this attack and to allow us to fully assess the situation with our own security partners. Also

A City of Lappeenranta employee's email account was breached; the situation is currently being investigated

www.epressi.com/tiedotteet/kaupungit-ja-kunnat/lappeenrannan-kaupungin-tyontekijan-sahkopostiin-kohdistui-tietomurto-tilannetta-selvitetaan-parhaillaan.html One of the City of Lappeenranta's edu.lappeenranta.fi email accounts has been breached. The attacker had taken control of the email account, which was noticed in the city's internal security controls because of unusual message traffic on the account in question.

Toshiba unit hacked by DarkSide, conglomerate to undergo strategic review

www.reuters.com/business/autos-transportation/toshibas-european-business-hit-by-cyberattack-source-2021-05-14/ A Toshiba Corp (6502.T) unit said it was hacked by the DarkSide ransomware group, overshadowing an announcement of a strategic review for the Japanese conglomerate under pressure from activist shareholders to seek out suitors.


www.europol.europa.eu/newsroom/news/trading-scheme-resulting-in-%E2%82%AC30-million-in-losses-uncovered On 11 May 2021, a large criminal network involved in investment fraud and money laundering was dismantled as a result of a cross border operation supported by Europol and Eurojust. The investigation, led by Germany, involved law enforcement and judicial authorities from Bulgaria, Israel, Latvia, North-Macedonia, Poland, Spain and Sweden. . The criminal network created different trading online platforms advertising substantial profits from investments in high-risk options and cryptocurrencies. The criminal group ran at least four of such professionally looking trading platforms, luring victims through advertisements in social media and search engines.

DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized

krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/ Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account, reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

DarkSide ransomware servers reportedly seized, operation shuts down

www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-operation-shuts-down/ REvil's representative, UNKN, states that affiliates are now required first to gain permission to target an organization and that they can no longer target the following entities: 1. Work in the social sector (health care, educational institutions) is prohibited; 2. It is forbidden to work on the gov-sector (state) of any country;

Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims

www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims It has been reported within the past hours that DarkSide itself has ceased operations and has had its funds seized – and indeed their wallet was emptied of the $5 million in Bitcoin it contained on Thursday afternoon. But by tracing previous outflows from the wallet, we can gain insights into how DarkSide and its affiliates were laundering their previous proceeds. What we find is that 18% of the Bitcoin was sent to a small group of exchanges. An additional 4% has been sent to Hydra, the world's largest darknet marketplace, servicing customers in Russia and neighboring countries. … If you're a Russian cybercriminal and you want to cash out your crypto, then Hydra is an attractive option.

The vision: a responsible water supply

www.huoltovarmuuskeskus.fi/a/visiona-vastuullinen-vesihuolto In the water supply sector, high-quality and secure services are to be ensured and the sector reformed into a carbon-neutral pioneer of the circular economy by 2030. This is the policy set out in the new national water supply reform programme, which the National Emergency Supply Agency (HVK) also helped prepare. The programme:

julkaisut.valtioneuvosto.fi/bitstream/handle/10024/163046/MMM_2021_7.pdf?sequence=4&isAllowed=y "Safeguarding the uninterrupted operation of water supply services and managing risks better than at present, including cyber security, require changes in operations across the whole country."

Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise

us-cert.cisa.gov/ncas/analysis-reports/ar21-134a CISA has provided this guidance to federal agencies with networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity. Conducting each step in this guidance is necessary to fully evict the adversary […]. Failure to perform comprehensive and thorough remediation activity will expose enterprise networks and cloud environments to substantial risk for long-term undetected APT activity, and compromised organizations will risk further loss of sensitive data and erosion of public trust in their networks.

“Open” Access to Industrial Systems Interface is Also Far From Zero

isc.sans.edu/diary/rss/27418 I had a look at open ports 5900 & 5901 and captured 655K exposed VNC servers. … Based on the sample screenshots below, you realize that many organizations are at risk, and many bad stories like the US pipeline attack will continue to arise in the news…

Magecart Hackers Now Hide PHP-Based Backdoor in Website Favicons

thehackernews.com/2021/05/magecart-hackers-now-hide-php-based.html Operating with the primary intention of capturing and exfiltrating payment data, Magecart actors have embraced a wide range of attack vectors over the past several months to stay under the radar, avoid detection, and plunder data. From hiding card stealer code inside image metadata and carrying out IDN homograph attacks to plant web skimmers concealed within a website's favicon file, to using Google Analytics and Telegram as an exfiltration channel, the cybercrime syndicate has intensified its efforts to compromise online stores.

Rapid7 source code, alert data accessed in Codecov supply chain attack

www.zdnet.com/article/rapid7-source-code-alert-data-accessed-in-codecov-supply-chain-attack/ On April 15, 2021, Codecov, a provider of code coverage solutions, announced a supply chain incident in which a malicious party gained access to Codecov's Bash Uploader script and modified it, enabling the attacker to export data stored in environment variables on Codecov customers' continuous integration (CI) systems to an attacker-controlled server. A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7. These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers.

Conti Ransomware

thedfirreport.com/2021/05/12/conti-ransomware/ In April, we saw a threat actor go from an initial IcedID infection to deploying Conti ransomware domain-wide in two days and 11 hours. The threat actors stayed dormant for most of this time, before jumping into action on an early Saturday morning. The hands-on-keyboard activity lasted for two and a half hours. They utilized RDP, PsExec, and Cobalt Strike to move laterally within the environment before executing Conti in memory across all active systems.

QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day

www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/ "The eCh0raix ransomware has been reported to affect QNAP NAS devices," the company said. "Devices using weak passwords may be susceptible to attack." Today, although not making a direct connection with the eCh0raix attacks, QNAP also warned of an actively exploited zero-day vulnerability impacting Roon Labs' Roon Server 2021-02-01 and earlier versions. Advisory at

Researchers found three flaws in ACT e-voting system that could affect election outcomes

www.zdnet.com/article/researchers-find-three-flaws-in-act-e-voting-system-that-could-affect-election-outcomes/ Although the system flaws didn't change the outcome of the ACT's 2020 election, they could in the future, with four Australian security researchers asking for access to the technology to help prevent such a scenario. "Secretive, unverifiable systems like the ones used in the ACT 2020 election make it relatively easy to change the recorded list of votes cast, in a way that observers cannot notice," they said. "It also makes accidental errors more likely to remain undetected."
