Daily NCSC-FI news followup 2021-06-11

Educating the Educators: Protecting Student Data

securityintelligence.com/articles/educating-educators-protecting-student-data/ I found my 17-year-old son happily playing video games last year when he was supposed to be in virtual school. But after a few questions, I learned he wasn't skipping school. His class had been canceled after his teacher fell for a phishing attack, and their computer was infected with a virus. This isn't an isolated incident. Take a look at how schools can protect student data and other important information from today's digital attacks.

BackdoorDiplomacy: Upgrading from Quarian to Turian

www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017. For initial infection vectors, the group favors exploiting vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment. Once on a system, its operators make use of open-source tools for scanning the environment and lateral movement. Interactive access is achieved in two ways: (1) via a custom backdoor we are calling Turian that is derived from the Quarian backdoor; and (2) in fewer instances, when more direct and interactive access is required, certain open-source remote access tools are deployed.

Avaddon ransomware shuts down and releases decryption keys

www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/ The Avaddon ransomware gang has shut down operation and released the decryption keys for their victims to BleepingComputer.com. This morning, BleepingComputer received an anonymous tip pretending to be from the FBI that contained a password and a link to a password-protected ZIP file. This file claimed to be the “Decryption Keys Ransomware Avaddon,” and contained the three files shown below…. Also:

therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/

7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access

thehackernews.com/2021/06/7-year-old-polkit-flaw-lets.html A seven-year-old privilege escalation vulnerability discovered in the polkit system service could be exploited by a malicious unprivileged local attacker to bypass authorization and escalate permissions to the root user. Tracked as CVE-2021-3560 (CVSS score: 7.8), the flaw affects polkit versions between 0.113 and 0.118 and was discovered by GitHub security researcher Kevin Backhouse, who said the issue was introduced in a code commit made on Nov. 9, 2013.
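A quick way to triage hosts against the version range quoted above is to read the installed polkit version from `pkaction --version` (the CLI prints `pkaction version 0.118`) and compare it with the 0.113 to 0.118 range. The script below is an added example for this digest, not code from the article or from the polkit project; the range constants are taken from the text above, and the parsing handles both the older `0.NNN` numbering and the newer single-integer releases (e.g. `121`). Caveat: distributions backport both patches and the offending commit, so a version number alone is not conclusive; confirm against your distribution's advisory or package changelog before marking a host as clean or vulnerable.

```python
"""Triage helper: is the local polkit version inside the CVE-2021-3560 range?

Added example, not part of the original article. The inclusive range
0.113 .. 0.118 is the one quoted in the digest entry above; distro
backports can put hosts outside this range on either side of the truth,
so treat the result as a first filter, not a verdict.
"""
import re
import shutil
import subprocess

AFFECTED_MIN = (0, 113)  # first version carrying the Nov 2013 commit, per the article
AFFECTED_MAX = (0, 118)  # last upstream release before the fix, per the article


def parse_pkaction_version(text: str) -> tuple:
    """Return (major, minor) from `pkaction --version` output.

    Accepts both 'pkaction version 0.118' and the post-0.x numbering
    'pkaction version 121' (minor defaults to 0 in that case).
    """
    m = re.search(r"version\s+(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised pkaction output: {text!r}")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) is not None else 0
    return (major, minor)


def version_in_affected_range(version) -> bool:
    """Inclusive tuple comparison against the quoted range."""
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


def check_local_polkit():
    """Run pkaction on this host. Returns None when polkit is not installed."""
    exe = shutil.which("pkaction")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True,
                         text=True, check=True).stdout
    version = parse_pkaction_version(out)
    return {"version": version, "in_affected_range": version_in_affected_range(version)}


if __name__ == "__main__":
    result = check_local_polkit()
    if result is None:
        print("polkit (pkaction) not found on this host")
    else:
        major, minor = result["version"]
        flag = "IN quoted range - check distro advisory" if result["in_affected_range"] else "outside quoted range"
        print(f"polkit {major}.{minor}: {flag}")
```

Run it as root-less user on each Linux host; a result inside the range is a prompt to check the package changelog for the fix, not proof of exploitability.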

Phishing sites reached all-time high in January 2021

therecord.media/phishing-sites-reached-all-time-high-in-january-2021/ The number of active phishing sites hit a record number earlier this year in January, according to an industry report published this week by the Anti-Phishing Working Group (APWG). A total of 245,771 phishing sites were detected in January. The number represents the unique base URLs of phishing sites found and reported by APWG members.

Keeping an Eye on Dangerous Python Modules

isc.sans.edu/forums/diary/Keeping+an+Eye+on+Dangerous+Python+Modules/27514/ With Python getting more and more popular, especially on Microsoft Operating systems, it’s common to find malicious Python scripts today. I already covered some of them in previous diaries[1][2]. I like this language because it is very powerful. You can automate boring tasks in a few lines. It can be used for offensive as well as defensive purposes, and… it has a lot of 3rd party “modules” or libraries that extend its capabilities.
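One practical way to "keep an eye" on which modules a script pulls in is to walk its AST rather than grep the text, so that `import x`, `from x import y` and the dynamic forms `__import__("x")` / `importlib.import_module("x")` are all caught. The scanner below is an added example written for this digest; it is not the diary author's code, and the watchlist of modules and the sample script are constructed for illustration (the diary's own list is not reproduced on this page).

```python
"""Flag imports of watch-listed Python modules by walking the AST.

Added example, not from the SANS diary. WATCHLIST is an assumed,
illustrative set; extend it to taste. Catches static imports and the
two common dynamic-import spellings used to dodge simple grep rules.
"""
import ast

# Assumed watchlist for this example (module -> why it is interesting).
WATCHLIST = {
    "ctypes": "native code / process injection",
    "subprocess": "command execution",
    "socket": "raw network access",
    "base64": "payload encoding",
    "marshal": "code object (de)serialisation",
    "pickle": "arbitrary object deserialisation",
    "winreg": "Windows registry access",
}


def _flag(name, lineno, via, hits):
    """Record a hit if the top-level package of `name` is on the watchlist."""
    top = name.split(".")[0]
    if top in WATCHLIST:
        hits.append({"module": top, "line": lineno, "via": via, "why": WATCHLIST[top]})


def _dynamic_import_target(node: ast.Call):
    """Return the module string for __import__("x") / importlib.import_module("x"), else None."""
    func = node.func
    is_dunder = isinstance(func, ast.Name) and func.id == "__import__"
    is_importlib = (isinstance(func, ast.Attribute) and func.attr == "import_module"
                    and isinstance(func.value, ast.Name) and func.value.id == "importlib")
    if (is_dunder or is_importlib) and node.args:
        first = node.args[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            return first.value
    return None


def scan_source(source: str):
    """Return a list of hits, ordered by line number, for the given Python source."""
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                _flag(alias.name, node.lineno, "import", hits)
        elif isinstance(node, ast.ImportFrom) and node.module:  # module is None for "from . import x"
            _flag(node.module, node.lineno, "from-import", hits)
        elif isinstance(node, ast.Call):
            target = _dynamic_import_target(node)
            if target is not None:
                _flag(target, node.lineno, "dynamic", hits)
    hits.sort(key=lambda h: h["line"])
    return hits


def scan_file(path: str):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# Constructed sample script exercising all three import forms.
SAMPLE = """import os, sys
import ctypes
from subprocess import Popen
import importlib
s = importlib.import_module("socket")
m = __import__("base64")
"""

if __name__ == "__main__":
    for hit in scan_source(SAMPLE):
        print(f"line {hit['line']:>3}: {hit['module']:<11} via {hit['via']:<11} ({hit['why']})")
```

Scripts that obfuscate the module name (string concatenation, `exec` of decoded bytes) will not resolve to a constant and therefore slip past this; flagging `exec`/`eval` calls with non-constant arguments is the natural next rule.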

Foodservice supplier Edward Don hit by a ransomware attack

www.bleepingcomputer.com/news/security/foodservice-supplier-edward-don-hit-by-a-ransomware-attack/ Foodservice supplier Edward Don has suffered a ransomware attack that has caused the company to shut down portions of the network to prevent the attack’s spread. Edward Don and Company is one of the largest distributors of foodservice equipment and supplies, such as kitchen supplies, bar supplies, flatware, and dinnerware. Today, BleepingComputer has learned that Edward Don suffered a ransomware attack earlier this week that has disrupted their business operations, including their phone systems, network, and email.

Ransom DDoS Extortion Actor Fancy Lazarus Returns

www.proofpoint.com/us/blog/threat-insight/ransom-ddos-extortion-actor-fancy-lazarus-returns As of May 12, 2021, Proofpoint researchers are tracking renewed distributed denial of service (DDoS) extortion activity by the threat actor Fancy Lazarus targeting an increasing number of industries, including energy, financial, insurance, manufacturing, public utilities, and retail. Proofpoint researchers have observed the activity primarily at U.S. companies or those with a global footprint. The actor took a month-long break from April to May 2021 before returning with new campaigns that include some changes to the group's tactics, techniques, and procedures.

REvil Hits US Nuclear Weapons Contractor: Report

threatpost.com/revil-hits-us-nuclear-weapons-contractor-sol-oriens/166858/ Sol Oriens, a subcontractor for the U.S. Department of Energy (DOE) that works on nuclear weapons with the National Nuclear Security Administration (NNSA), was hit last month by a cyberattack that experts say came from the relentless REvil ransomware-as-a-service (RaaS) gang. The Albuquerque, N.M. company's website has been unreachable since at least June 3, but Sol Oriens officials confirmed to Fox News and to CNBC that the firm became aware of the breach sometime last month.

Google fixes actively exploited Chrome zeroday

www.welivesecurity.com/2021/06/10/google-fixes-actively-exploited-chrome-zero-day/ Google has rolled out an update for its Chrome web browser to fix a bunch of security flaws, including a zero-day vulnerability that is known to be actively exploited by threat actors. The bugs affect the Windows, macOS, and Linux versions of the browser. "Google is aware that an exploit for CVE-2021-30551 exists in the wild," reads Google's security update describing the newly disclosed zero-day vulnerability, which stems from a type confusion bug in the V8 JavaScript engine used in Chrome and other Chromium-based web browsers. Digitoday:

www.is.fi/digitoday/tietoturva/art-2000008047674.html

Network security firm COO charged with medical center cyberattack

www.bleepingcomputer.com/news/security/network-security-firm-coo-charged-with-medical-center-cyberattack/ The former chief operating officer of Securolytics, a network security company providing services for the health care industry, was charged with allegedly conducting a cyberattack on Georgia-based Gwinnett Medical Center (GMC). 45-year-old Vikas Singla supposedly disrupted the health provider’s Ascom phone service and network printer service and obtained information from a Hologic R2 Digitizer digitizing device in September 2018.

Bank accounts at risk: police warn of two scams, tell your loved ones about it

www.is.fi/digitoday/tietoturva/art-2000008046670.html A text-message-based scam campaign and phishing for online banking credentials are under way in Finland. Scam sites can even be reached through a search engine. The POLICE warn of two ongoing scam campaigns. The first is the Flubot malware campaign, which spreads to Android phones via text messages. A "track your shipment" style text message contains a web link, and the web page at the other end tries to plant malware on the phone.

poliisi.fi/-/poliisi-varoittaa-kahdesta-suomessa-aktiivisesta-huijauksesta

CD Projekt Red does an about-face, says ransomware crooks are leaking data

arstechnica.com/gadgets/2021/06/cd-projekt-red-says-its-data-is-likely-circulating-online-after-ransom-attack/ CD Projekt Red, the maker of The Witcher series, Cyberpunk 2077, and other popular games, said on Friday that proprietary data taken in a ransomware attack disclosed four months ago is likely circulating online. Today, we have learned new information regarding the breach and now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the Internet, company officials said in a statement.

UK tells UN that nation-states should retaliate against cyber badness with no warning

www.theregister.com/2021/06/11/uk_ungge_cyber_norms_submission/ Britain has told the UN that international cyber law should allow zero-notice digital punishment directed at countries that attack others’ infrastructure. A statement made by UK diplomats to the UN’s Group of Governmental Experts on Advancing Responsible State Behaviour in the Context of International Security (UN GGE) called for international law to permit retaliation for cyber attacks with no notice.

Big airline heist

blog.group-ib.com/colunmtk_apt41 APT41 likely behind massive supply chain attack. On March 4, 2021, SITA, an international provider of IT services for the air transport industry worldwide, said it had suffered a security incident. The announcement, however, was not getting the attention it deserved until Air India, one of SITA’s customers, reported a massive passenger data breach on May 21 caused by an earlier attack against SITA. Between March and May, various airline companies, including Singapore Airlines, Malaysia Airlines, and others, disclosed data breaches. All of those companies were SITA customers. After Air India revealed the details of its security breach, it became clear that the carriers were most likely dealing with one of the biggest supply chain attacks in the airline industry’s history.

Hackers Stole a Ton of EA Data, Including Valuable Source Code

www.wired.com/story/ea-hack-fifa-frostbite-source-code/ Today, Electronic Arts confirmed that hackers stole a massive amount of data from the video game publisher. A dark web forum poster claimed to have obtained 780 gigabytes of data in the attack, including the source code for FIFA 21 and EA's Frostbite game engine, used by FIFA, Madden, Battlefield, Star Wars: Squadrons and Anthem. "We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen," an EA representative said in a statement.

Authorities Seized The Largest Stolen Login Marketplace On The Dark Web

www.forbes.com/sites/leemathews/2021/06/11/authorities-seized-the-largest-stolen-login-marketplace-on-the-dark-web/ The Department of Justice announced this week that Slilpp, an infamous Dark Web marketplace where stolen credentials and identities are bought and sold, had been seized. In its press release, the DoJ revealed that Slilpp listings offered more than 80 million user credentials. That user data was harvested from around 1,400 service providers that had been victimized by hackers.

www.justice.gov/opa/pr/slilpp-marketplace-disrupted-international-cyber-operation
