Daily NCSC-FI news followup 2021-05-19

Email attachment believed to have opened door to cyber-attack on Waikato hospitals

www.stuff.co.nz/national/125175283/email-attachment-believed-to-have-opened-door-to-cyberattack-on-waikato-hospitals This crashed phone lines and computers on Tuesday morning, blocking all information technology (IT) services except email in Waikato, Thames, Tokoroa, Te Kiti and Taumarunui hospitals.

Evil Logitech – erm I ment USB cable

luemmelsec.github.io/Building-An-Evil-USB-Cable/ I already heared about something like this in the past, which reminded me of the expensive O.MG cable from HAK5 or the USB Ninja.. But If you like to tinker a little bit and are on a budget, you can pretty much get the same results for like 30 bucks.

Mercedes Benz MBUX security research report

keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf This report showed how we performed our security research on MercedesBenzs newest infotainment system, MBUX. . we demonstrated what the attacked could do […] for two attack scenarios, the removed head units and the real-world vehicles [… to …] send arbitrary CAN messages on T-Box and how to bypass the code signing mechanism to flash a custom SH2A MCU firmware

Recycle Your Phone, Sure, But Maybe Not Your Number

krebsonsecurity.com/2021/05/recycle-your-phone-sure-but-maybe-not-your-number/ Researchers in the computer science department at Princeton University say they sampled 259 phone numbers at two major wireless carriers, and found 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked.. Paper at


Royal Mail phish deploys evasion tricks to avoid analysis

blog.malwarebytes.com/scams/2021/05/royal-mail-phish-deploys-evasion-tricks-to-avoid-analysis/ The below code tests for WebGL renders which it may associate with (for example) VirtualBox or RDP (Remote Desktop Protocol). It also wants to know if site visitors have a display or not. Remember, not having a screen is a possible sign of automated research tools in virtual machines. This is a tactic pulled right out of malware analysis evasion land.

Six Ransomware Gangs Claim 290+ New Victims in 2021, Potentially Reaping $45M for the Hackers

s3.ca-central-1.amazonaws.com/esentire-dot-com-assets/assets/resourcefiles/esentire_threat-report_Six-Ransomware-Gangs-Claim-290-New-Victims.pdf In order to get a better handle on the true scope of ransomware, eSentires security research team, the Threat Response Unit (TRU) decided to focus on the current activity of four of the top ransomware gangs and two emerging ransomware groups.. (Ryuk/Conti, Sodin/REvil, CLOP, DoppelPaymer, DarkSide and Avaddon)

That Salesforce outage: Global DNS downfall started by one engineer trying a quick fix

www.theregister.com/2021/05/19/salesforce_root_cause/ To recap, on May 11 around 2100 UTC, a configuration change was applied to Salesforce’s Domain Name System (DNS) servers that resulted in folks unable to access the software-as-a-service titan’s products. For about five hours, clients could not log in, and things got so bad that even the status page was unavailable.. Root cause analysis at

help.salesforce.com/articleView?id=000358392&type=1&mode=1 . “The configuration change was applied on Domain Name System (DNS) servers, and the change subsequently exposed a design issue in the shutdown process that resulted in a failed restart of DNS services across multiple Salesforce data centers, thus causing any applications or services that rely on DNS to become unavailable.”

Microsoft is finally retiring Internet Explorer in 2022

www.theverge.com/2021/5/19/22443997/microsoft-internet-explorer-end-of-support-date We are announcing that the future of Internet Explorer on Windows 10 is in Microsoft Edge, says Sean Lyndersay, a Microsoft Edge program manager. The Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022, for certain versions of Windows 10.

US introduces bills to secure critical infrastructure from cyber attacks

www.bleepingcomputer.com/news/security/us-introduces-bills-to-secure-critical-infrastructure-from-cyber-attacks/ “Other measures passed in todays markup include bills to help State and Local governments protect their networks, provide critical infrastructure owners and operators with mitigation strategies against critical vulnerabilities, and establish a national cyber exercise program to promote more regular testing of preparedness and resilience to cyber attacks against critical infrastructure,” the . Committee said in a press release.

The Active Adversary Playbook 2021

news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/ The median time that attackers were able to remain in the target network before detection dwell time was 11 days. The longest intruder dwell time observed by rapid responders was 439 days (more than 15 months.). The release of ransomware is often the point at which an attack becomes visible to the IT security team. It is therefore not surprising that 81% of the incidents Sophos responded to involved ransomware. Ransomware attacks tend to have shorter dwell time than stealth attacks, because they are all about destruction.. RDP played a part in 90% of attacks. However, the way in which attackers used RDP is worth noting. In incidents that involved RDP, it was used for external access only in just 4% of cases.

Nyt kaikki neuvot ovat yhdessä paikassa tietomurron uhri, suuntaa tänne

www.is.fi/digitoday/tietoturva/art-2000007986451.html Digi- ja väestötietovirasto on julkaissut Suomi.fi-verkkopalveluun tieto- ja asiointikokonaisuuden, joka kertoo, kuinka toimia, jos epäilee henkilötietojensa joutuneen vääriin käsiin.. Sivusto:


Miscreants started scanning for Exchange Hafnium vulns five minutes after Microsoft told world about zero-days

www.theregister.com/2021/05/19/hafnium_scans_5_mins_post_disclosure/ Although research director Rob Rachwald did not elaborate when The Register asked for more detail on its findings, a released report reckoned “scans began within 15 minutes after Common Vulnerabilities and Exposures (CVE) announcements were released between January and March.”

The Microsoft Authenticator extension in the Chrome store wasn’t actually made by Microsoft. Oops, Google

www.theregister.com/2021/05/19/chrome_extension_microsoft_authenticator_fake/ The trustworthiness of Google’s Chrome Store was again called into question after an extension billing itself as Microsoft Authenticator was published by the software souk without the simplest of checks.

GitLab tries to address crypto-mining abuse by requiring card details for free stuff

www.theregister.com/2021/05/19/gitlab_crypto/ In a bid to tackle cryptocurrency miners slurping free pipeline minutes, GitLab will expect users to provide a valid credit or debit card number to use shared runners on its platform.

How Attackers Weigh the Pros and Cons of BEC Techniques

www.darkreading.com/threat-intelligence/how-attackers-weigh-the-pros-and-cons-of-bec-techniques/d/d-id/1341060 Another upcoming tactic involves the aging report, or a financial report that lists outstanding payments due for a vendor or supplier. It contains data on payments overdue, points of contact for each customer, and other information. Some BEC attackers now request an aging report instead of a wire transfer because they can use it to send convincing payment requests.

MountLocker ransomware uses Windows API to worm through networks

www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-windows-api-to-worm-through-networks/ “Many corporate environments rely on complex active directory forests and computer within then. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan,” Kremez told BleepingComputer in a conversation about the malware.

Chrome now automatically fixes breached passwords on Android

www.bleepingcomputer.com/news/security/chrome-now-automatically-fixes-breached-passwords-on-android/ Now, whenever checking for stolen passwords on supported sites and apps, Google Assistant will display a “Change password” button that will instruct Chrome to navigate to the website and go through the entire password change process on its own.

Report highlights top 10 threat detections seen across Microsoft Azure AD and Office 365

www.zdnet.com/article/report-highlights-top-10-threat-detections-seen-across-microsoft-azure-ad-and-office-365/ The list in the “2021 Q2 Spotlight Report: Top 10 Threat Detections for Microsoft Azure AD and Office 365” is topped by O365 risky exchange operations, Azure AD suspicious operations and O365 suspicious download activity. . Report at


When Intrusions Dont Align: A New Water Watering Hole and Oldsmar

www.dragos.com/blog/industry-news/a-new-water-watering-hole/ During our investigation into the infamous water poisoning attempt against the citizens of Oldsmar, Florida Dragos discovered a Florida water utility contractor hosting malicious code on their website (i.e., a watering hole). This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the . poisoning event.. Using telemetry from Team Cymru Pure Signal Recon, Dragos determined that a user on a computer system on a network belonging to the City of Oldsmar, Florida browsed the compromised site at exactly 14:49 Coordinated Universal Time (UTC), or 9:49 am in the morning on 05 February 2021. This is the same network where an unknown actor reportedly compromised a water treatment control plant computer on

The Unified Kill Chain

www.unifiedkillchain.com/assets/The-Unified-Kill-Chain.pdf Research shows that the traditional Cyber Kill Chain® (CKC), as presented by researchers of Lockheed Martin, is perimeter- and malware-focused. As such, the traditional model fails to cover other attack vectors and attacks that occur behind the organizational perimeter. The Unified Kill Chain offers significant improvements over these scope limitations of the CKC and the time-agnostic nature of . Research shows that the traditional Cyber Kill Chain® (CKC), as presented by researchers of Lockheed Martin, is perimeter- and malware-focused. As such, the traditional model fails to cover other attack vectors and attacks that occur behind the organizational perimeter. The Unified Kill Chain offers significant improvements over these scope limitations of the CKC and the time-agnostic nature of

Phishing for Finance

www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-phishing-for-finance-report-2021.pdf In 2020, there were 193 billion credential stuffing attacks globally, with 3.4 billion of them in the financial services space, representing a 45% growth over 2019.. The number of web attacks targeting the financial services industry grew by 62%.. Targeting organizations that do leverage 2FA and MFA isnt worth the energy or effort for most low-level, opportunistic attackers.

Record-breaking DDoS activity surged into the first quarter of 2021.

www.netscout.com/blog/asert/beat-goes According to research from NETSCOUTs ATLAS Security Engineering & Response Team (ASERT), threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same time in 2020.

Japan to restrict private sector use of foreign equipment and tech: Report

www.zdnet.com/article/japan-to-restrict-private-sector-use-of-foreign-equipment-and-tech-report/ The Japanese government will reportedly introduce new regulations across 44 sectors to bolster national cyber defence, partly in response to the Colonial Pipeline hack that occurred last week.. Three years ago, Japanese government agencies agreed to stop procuring equipment that could pose national security risks, such as those from Huawei and ZTE. With the latest mandate, the Japanese government now wants to extend that level of stringency to the private sector.

Cryptocurrency buzz drives record investment scam losses

www.ftc.gov/news-events/blogs/data-spotlight/2021/05/cryptocurrency-buzz-drives-record-investment-scam-losses Investing in cryptocurrency means taking on risks, but getting scammed shouldnt be one of them. Reports to the FTCs Consumer Sentinel1 suggest scammers are cashing in on the buzz around cryptocurrency and luring people into bogus investment opportunities in record numbers. Since October 2020, reports have skyrocketed, with nearly 7,000 people reporting losses of more than $80 million on these . scams. Their reported median loss? $1,900. Compared to the same period a year earlier, thats about twelve times the number of reports and nearly 1,000% more in reported losses.

Fools Gold: Questionable Vaccines, Bogus Results, and Forged Cards

www.mcafee.com/blogs/other-blogs/mcafee-labs/fools-gold-questionable-vaccines-bogus-results-and-forged-cards/ In addition to selling COVID-19 vaccines, vaccination cards, and fake test results, cybercriminals can also benefit by reselling the names, dates of birth, home addresses, contact details, and other personally indefinable information of their customers.

CIS Controls Version 8

www.cisecurity.org/controls/v8/ CIS Controls v8 has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics prompted the update and supports an enterprise’s security as they move to both fully cloud and hybrid environments.

Colonial Pipeline says ransomware recovery efforts caused network outage for shippers

www.cyberscoop.com/colonial-pipeline-hack-recovery-disruption/ Our internal server that runs our nomination system experienced intermittent disruptions this morning due to some of the hardening efforts that are ongoing and part of our restoration process, Colonial Pipeline said in a statement. These issues were not related to the ransomware or any type of reinfection.

Israel bombed two Hamas cyber targets

therecord.media/israel-bombed-two-hamas-cyber-targets/ According to the official Israel Air Force Twitter account, the first strike hit a cyber-equipment storage site in the northern Gaza Strip belonging to Hamas military intelligence that was apparently being used as an impromptu data center.

therecord.media/solarwinds-ceo-apologizes-for-blaming-an-intern-says-attack-may-have-started-in-january-2019/ On the topic of the breach itself, [CEO] Ramakrishna also gave additional details about the timeline of the attack. The group behind the compromise, which the U.S. government has attributed to Russias foreign intelligence service, may have been in our environment as early as jan 2019 doing very early recon activities, Ramakrishna said. The company has said that it believed hackers . initially accessed SolarWinds systems as early as September 2019.

You might be interested in …

Daily NCSC-FI news followup 2021-10-21

Cybercrime gang sets up fake company to hire security experts to aid in ransomware attacks therecord.media/cybercrime-gang-sets-up-fake-company-to-hire-security-experts-to-aid-in-ransomware-attacks/ A cybercrime group known as FIN7 has created a fake security firm earlier this year, used it to hire security researchers, and then trick them into participating in ransomware attacks. Named Bastion Secure, the company claims to provide penetration […]

Read More

Daily NCSC-FI news followup 2021-08-31

Attracting flies with Honey(gain): Adversarial abuse of proxyware blog.talosintelligence.com/2021/08/proxyware-abuse.html With internet-sharing applications, or “proxyware,” users download software that allows them to share a percentage of their bandwidth with other internet users for a fee, with the companies that created this software acting as a go-between. As proxyware has grown in popularity, attackers have taken notice […]

Read More

Daily NCSC-FI news followup 2021-03-01

T-Mobile discloses data breach after SIM swapping attacks www.bleepingcomputer.com/news/security/t-mobile-discloses-data-breach-after-sim-swapping-attacks/ The attackers used an internal T-Mobile application to target up to 400 customers in SIM swap attack attempts, BleepingComputer has learned. The information accessed by the hackers might have included customers’ full names, addresses, email addresses, account numbers, social security numbers (SSNs), account personal identification numbers […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.