Daily NCSC-FI news followup 2021-05-17

Lukiolaiskolmikko huomasi tietoturva-aukon sähköisessä yo-kirjoitus­järjestelmässä: Oli iso yllätys, että saimme toimimaan näin ison hyökkäys­ketjun

www.hs.fi/kotimaa/art-2000007980520.html TÄMÄN kevään ylioppilaskirjoitusten aikana maaliskuun loppupuolella Ylioppilastutkintolautakunta (YTL) sai vinkin, että sen Abitti-järjestelmässä on erittäin vakava tietoturva-aukko. Abitti on nykyisin sähköisissä ylioppilaskirjoituksissa käytettävä järjestelmä.. Alkuperäinen blogikirjoitus

www.abitti.fi/blogi/2021/05/abitista-on-korjattu-kaksi-tietoturvahaavoittuvuutta/. Abitista on korjattu kaksi vakavaa tietoturva-aukkoa. Ensimmäinen, merkitykseltään vähäisempi haavoittuvuus koskee kokelaan tikkua. […] Huomattavasti vakavampi haavoittuvuus koskee palvelintikkua.. [Palvelintikun] tietoturvahavainto koskee kolmea haavoittuvuutta Abitti-järjestelmässä, joita ketjuttamalla […] saavutetaan root-tason oikeudet koetilan palvelimella.. Bugin löytäjien raportti


Ransomware Attack on [Irish] Health Sector – UPDATE 2021-05-16

www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf Recent news coverage on the situation includes


Bizarro banking Trojan expands its attacks to Europe

securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/ Bizarro is yet another banking Trojan family originating from Brazil that is now found in other regions of the world. We have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from customers of 70 banks from different European and South American countries. Following in the footsteps of Tetrade, Bizarro is using affiliates or recruiting . money mules to operationalize their attacks, cashing out or simply to helping with transfers. . Bizarro has x64 modules and is able to trick users into entering two-factor authentication codes in fake pop-ups. It may also use social engineering to convince victims to download a smartphone app. The group behind Bizzaro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry.


blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that started in February of this year. This campaign is unique in that it heavily uses the AutoHotKey scripting languagea fork of the AutoIt language that is frequently used for testing purposes.

Scammers Target Families Who Post Missing Persons on Social Media

www.ic3.gov/Media/Y2021/PSA210514 The FBI warns the public of scammers seeking to extort family members of missing persons. These actors identify missing persons through social media posts and gather information about the missing person and family to legitimize their ransom demands without ever having physical contact with the missing person.

Apple’s Find My Network Can be Abused to Exfiltrate Data From Nearby Devices

thehackernews.com/2021/05/apples-find-my-network-can-be-abused-to.html “In the world of high-security networks, where combining lasers and scanners seems to be a noteworthy technique to bridge the air gap, the visitor’s Apple devices might also become feasible intermediaries to exfiltrate data from certain air gapped systems or Faraday caged rooms,” Bräunlein said.. Original at


www.welivesecurity.com/2021/05/17/android-stalkerware-threatens-victims-further-exposes-snoopers-themselves/ Based on our telemetry, stalkerware apps have become more and more popular in the last couple of years. In 2019 we saw almost five times more Android stalkerware detections than in 2018, and in 2020 there were 48% more than in 2019. Stalkerware can track the GPS location of a victims device, conversations, images, browser history and more. It also stores and transmits all this data, which is why . we decided to forensically analyze how these apps handle the protection of the data.. Hence, we manually analyzed 86 stalkerware apps for the Android platform, provided by 86 different vendors.. Across 58 of these Android applications we discovered a total of 158 security and privacy issues that can have a serious impact on a victim; indeed, even the stalker or the apps vendor may be at some risk.

Try This One Weird Trick Russian Hackers Hate

krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/ In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed such as Russian or Ukrainian. . [Lance] James says he loves the idea of everyone adding a language from the CIS country list so much hes produced his own clickable two-line Windows batch script that adds a Russian language reference in the specific Windows registry keys that are checked by malware. The script effectively allows ones Windows PC to look like it has a Russian keyboard installed without actually downloading the . added script libraries from Microsoft.

Ransomware Defenses

isc.sans.edu/diary/rss/27420 – From what became known of recent successful attacks, it looks like lack of 2-factor authentication (2FA) is still the most prevalent root cause. If you still have any remote access or remote desktop connections that rely on userid/password only, switch them to 2FA now! And if you still have any webmail or the like without 2FA, make the change there as well.

iPhone calendar spam attacks on the rise

blog.malwarebytes.com/malwarebytes-news/2021/05/iphone-calendar-spam-attacks-on-the-rise/ Recently, we have seen an increasing number of reports from iPhone users about their calendars filling up with junk events. These events are most often either pornographic in nature, or claim that the device has been infected or hacked, and in all cases they contain malicious links. This phenomenon is known as calendar spam.. […] For this particular page, tapping the Im not a robot box (or, really, anywhere else on the page) results in a prompt attempting to trick the user into subscribing to a calendar.

A botched server upgrade exposed Eufy video camera feeds to random users

therecord.media/a-botched-server-upgrade-exposed-eufy-video-camera-feeds-to-random-users/ Chinese electronics company Anker has patched a bug today that mistakenly connected users of its Eufy security cameras with video streams of random accounts from across the world.

AI security risk assessment using Counterfit

www.microsoft.com/security/blog/2021/05/03/ai-security-risk-assessment-using-counterfit/ This tool was born out of our own need to assess Microsofts AI systems for vulnerabilities with the goal of proactively securing AI services, in accordance with Microsofts responsible AI principles and Responsible AI Strategy in Engineering (RAISE) initiative. Counterfit started as a corpus of attack scripts written specifically to target individual AI models, and then morphed into a generic . automation tool to attack multiple AI systems at scale.

Ransomwares Dangerous New Trick Is Double-Encrypting Your Data

www.wired.com/story/ransomware-double-encryption/ But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other.. Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A and then re-encrypt that data with ransomware B. The other path involves what Emsisoft calls a side-by-side encryption attack, in which attacks encrypt some of an organization’s systems with ransomware A and others with ransomware B. In that case, data is only encrypted once, but a victim would . need both decryption keys to unlock everything. The researchers also note that in this side-by-side scenario, attackers take steps to make the two distinct strains of ransomware look as similar as possible, so it’s more difficult for incident responders to sort out what’s going on.

Exploit released for wormable Windows HTTP vulnerability

www.bleepingcomputer.com/news/security/exploit-released-for-wormable-windows-http-vulnerability/ Proof-of-concept exploit code has been released over the weekend for a critical wormable vulnerability in the latest Windows 10 and Windows Server versions.. Microsoft has patched the vulnerability during this month’s Patch Tuesday, and it impacts ONLY Windows 10 versions 2004/20H2 and Windows Server versions 2004/20H2.

You might be interested in …

Daily NCSC-FI news followup 2020-08-11

Viittä nuorta miestä epäillään tietomurroista yritysten verkkopalveluihin poliisin mukaan yksittäisiä tietomurtoja paljastui useita miljoonia yle.fi/uutiset/3-11487798 Poliisin esitutkinta kesti lähes kolme vuotta. Tutkinnassa oli jopa 10 miljoonaa yksittäistä tekoa. Lue myös: www.poliisi.fi/tietoa_poliisista/tiedotteet/1/1/esitutkinta_tietomurtojen_tehtailusta_valmistui_epaillyt_nuoret_miehet_tekoaikaan_alaikaisia_92557. Sekä: www.is.fi/digitoday/tietoturva/art-2000006598167.html NCC Group admits its training data was leaked online after folders full of Crest pentest certification exam notes posted to Github www.theregister.com/2020/08/11/ncc_group_crest_cheat_sheets/ […]

Read More

Daily NCSC-FI news followup 2019-07-13

Brazil is at the forefront of a new type of router attack www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/ On these sites, malicious ads (malvertising) run special code inside users’ browsers to search and detect the IP address of a home router, the router’s model. When they detect the router’s IP and model, the malicious ads then use a list of […]

Read More

Daily NCSC-FI news followup 2021-05-28

APT29: Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ The campaign’s phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL file, and a legitimate lure referencing foreign threats to […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.