Daily NCSC-FI news followup 2021-05-17

Three upper-secondary students found a security hole in the electronic matriculation-exam system: "It was a big surprise that we got such a large attack chain working"

www.hs.fi/kotimaa/art-2000007980520.html During this spring's matriculation examinations, in late March, the Matriculation Examination Board (YTL) received a tip that its Abitti system has an extremely serious security hole. Abitti is the system currently used in the electronic matriculation examinations. Original blog post:

www.abitti.fi/blogi/2021/05/abitista-on-korjattu-kaksi-tietoturvahaavoittuvuutta/ Two serious security holes have been fixed in Abitti. The first, less significant vulnerability concerns the candidate's USB stick. […] A considerably more serious vulnerability concerns the server stick. The [server stick] security finding concerns three vulnerabilities in the Abitti system which, when chained together […], yield root-level privileges on the exam-room server. Report by the finders of the bug:


Ransomware Attack on [Irish] Health Sector – UPDATE 2021-05-16

www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf Recent news coverage on the situation includes


Bizarro banking Trojan expands its attacks to Europe

securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/ Bizarro is yet another banking Trojan family originating from Brazil that is now found in other regions of the world. We have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from customers of 70 banks from different European and South American countries. Following in the footsteps of Tetrade, Bizarro is using affiliates or recruiting money mules to operationalize their attacks, cashing out or simply helping with transfers. Bizarro has x64 modules and is able to trick users into entering two-factor authentication codes in fake pop-ups. It may also use social engineering to convince victims to download a smartphone app. The group behind Bizarro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry.


blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that started in February of this year. This campaign is unique in that it heavily uses the AutoHotKey scripting language, a fork of the AutoIt language that is frequently used for testing purposes.

Scammers Target Families Who Post Missing Persons on Social Media

www.ic3.gov/Media/Y2021/PSA210514 The FBI warns the public of scammers seeking to extort family members of missing persons. These actors identify missing persons through social media posts and gather information about the missing person and family to legitimize their ransom demands without ever having physical contact with the missing person.

Apple’s Find My Network Can be Abused to Exfiltrate Data From Nearby Devices

thehackernews.com/2021/05/apples-find-my-network-can-be-abused-to.html “In the world of high-security networks, where combining lasers and scanners seems to be a noteworthy technique to bridge the air gap, the visitor’s Apple devices might also become feasible intermediaries to exfiltrate data from certain air gapped systems or Faraday caged rooms,” Bräunlein said. Original at


www.welivesecurity.com/2021/05/17/android-stalkerware-threatens-victims-further-exposes-snoopers-themselves/ Based on our telemetry, stalkerware apps have become more and more popular in the last couple of years. In 2019 we saw almost five times more Android stalkerware detections than in 2018, and in 2020 there were 48% more than in 2019. Stalkerware can track the GPS location of a victim's device, conversations, images, browser history and more. It also stores and transmits all this data, which is why we decided to forensically analyze how these apps handle the protection of the data. Hence, we manually analyzed 86 stalkerware apps for the Android platform, provided by 86 different vendors. Across 58 of these Android applications we discovered a total of 158 security and privacy issues that can have a serious impact on a victim; indeed, even the stalker or the app's vendor may be at some risk.

Try This One Weird Trick Russian Hackers Hate

krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/ In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed, such as Russian or Ukrainian. [Lance] James says he loves the idea of everyone adding a language from the CIS country list so much he's produced his own clickable two-line Windows batch script that adds a Russian language reference in the specific Windows registry keys that are checked by malware. The script effectively allows one's Windows PC to look like it has a Russian keyboard installed without actually downloading the added script libraries from Microsoft.

Ransomware Defenses

isc.sans.edu/diary/rss/27420 – From what became known of recent successful attacks, it looks like lack of 2-factor authentication (2FA) is still the most prevalent root cause. If you still have any remote access or remote desktop connections that rely on userid/password only, switch them to 2FA now! And if you still have any webmail or the like without 2FA, make the change there as well.

iPhone calendar spam attacks on the rise

blog.malwarebytes.com/malwarebytes-news/2021/05/iphone-calendar-spam-attacks-on-the-rise/ Recently, we have seen an increasing number of reports from iPhone users about their calendars filling up with junk events. These events are most often either pornographic in nature, or claim that the device has been infected or hacked, and in all cases they contain malicious links. This phenomenon is known as calendar spam. […] For this particular page, tapping the “I’m not a robot” box (or, really, anywhere else on the page) results in a prompt attempting to trick the user into subscribing to a calendar.

A botched server upgrade exposed Eufy video camera feeds to random users

therecord.media/a-botched-server-upgrade-exposed-eufy-video-camera-feeds-to-random-users/ Chinese electronics company Anker has patched a bug today that mistakenly connected users of its Eufy security cameras with video streams of random accounts from across the world.

AI security risk assessment using Counterfit

www.microsoft.com/security/blog/2021/05/03/ai-security-risk-assessment-using-counterfit/ This tool was born out of our own need to assess Microsoft's AI systems for vulnerabilities with the goal of proactively securing AI services, in accordance with Microsoft's responsible AI principles and Responsible AI Strategy in Engineering (RAISE) initiative. Counterfit started as a corpus of attack scripts written specifically to target individual AI models, and then morphed into a generic automation tool to attack multiple AI systems at scale.

Ransomware's Dangerous New Trick Is Double-Encrypting Your Data

www.wired.com/story/ransomware-double-encryption/ But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other. Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A and then re-encrypt that data with ransomware B. The other path involves what Emsisoft calls a side-by-side encryption attack, in which attackers encrypt some of an organization’s systems with ransomware A and others with ransomware B. In that case, data is only encrypted once, but a victim would need both decryption keys to unlock everything. The researchers also note that in this side-by-side scenario, attackers take steps to make the two distinct strains of ransomware look as similar as possible, so it’s more difficult for incident responders to sort out what’s going on.

Exploit released for wormable Windows HTTP vulnerability

www.bleepingcomputer.com/news/security/exploit-released-for-wormable-windows-http-vulnerability/ Proof-of-concept exploit code has been released over the weekend for a critical wormable vulnerability in the latest Windows 10 and Windows Server versions. Microsoft has patched the vulnerability during this month’s Patch Tuesday, and it impacts ONLY Windows 10 versions 2004/20H2 and Windows Server versions 2004/20H2.
