Daily NCSC-FI news followup 2021-06-15

Ransomware attacks continue to Surge, hitting a 93% increase year over year

blog.checkpoint.com/2021/06/14/ransomware-attacks-continue-to-surge-hitting-a-93-increase-year-over-year/ The number of organizations impacted by ransomware has risen to 1210 in June 2021. Check Point Research sees a 41% increase in attacks since the beginning of 2021 and a 93% increase year over year. Latin America and Europe saw the largest increase in ransomware attacks since the beginning of 2021, marking a 62% and a 59% increase, respectively.

How Does One Get Hired by a Top Cybercrime Gang?

krebsonsecurity.com/2021/06/how-does-one-get-hired-by-a-top-cybercrime-gang/ The U.S. Department of Justice (DOJ) last week announced the arrest of a 55-year-old Latvian woman who's alleged to have worked as a programmer for Trickbot, a malware-as-a-service platform responsible for infecting millions of computers and seeding many of those systems with ransomware. Just how did a self-employed web site designer and mother of two come to work for one of the world's most rapacious cybercriminal groups and then leave such an obvious trail of clues indicating her involvement with the gang?

Patch now! Apple fixes in-the-wild iPhone vulnerabilities

blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/patch-now-apple-fixes-in-the-wild-iphone-vulnerabilities/ Apple has fixed two vulnerabilities in Safari's WebKit component, announcing it is aware of a report that they may have been actively exploited. Both vulnerabilities could be abused by maliciously crafted web content that could lead to arbitrary code execution: in other words, the bugs let rogue websites do things on your phone without your permission. Letting users of its products know that vulnerabilities are being actively exploited is a new approach for Apple. It has always been reluctant to provide much context in its security bulletins and only recently started adding information about whether vulnerabilities are being used in the wild. Also:

Risk-Based Vulnerability Intelligence Does What CVSS Can't

www.recordedfuture.com/risk-based-vulnerability-cvss-doesnt/ Digital transformation initiatives have become a common way for organizations to not only increase business agility, but also to adapt quickly to market changes, environmental forces, and business priorities. Responses to COVID-19, for example, have massively accelerated the adoption of digital technologies by several years. This shift toward digital transformation only increases the attack surface and the number of vulnerabilities your organization is exposed to, which threat actors are quick to exploit. There's no disputing that unpatched vulnerabilities make systems easy prey.

Andariel evolves to target South Korea with ransomware

securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to the Lazarus group. After a deep analysis, we came to a more precise conclusion: the Andariel group was behind these attacks. Andariel was designated by the Korean Financial Security Institute as a sub-group of Lazarus.

Vishing: What is it and how do I avoid getting scammed?

www.welivesecurity.com/2021/06/14/vishing-what-is-it-how-avoid-getting-scammed/ We've all heard of phishing, the tried-and-tested email scam that spoofs authoritative sources to trick recipients into handing over sensitive information or downloading malware. Well, vishing is its voice call equivalent. It's a con trick with many variants that can impact individuals and organizations alike with potentially devastating consequences. Together phishing, smishing, pharming and vishing cost more than 241,000 victims over $54 million in 2020. And that's just the cases that were reported to the FBI, as many cases of fraud go unreported.

Paradise Ransomware source code released on a hacking forum

www.bleepingcomputer.com/news/security/paradise-ransomware-source-code-released-on-a-hacking-forum/ The complete source code for the Paradise Ransomware has been released on a hacking forum allowing any would-be cyber criminal to develop their own customized ransomware operation. Released on the hacking forum XSS, the link to the source code is only accessible to active users on the site who have previously replied to or reacted to other posts on the site.

Experts Shed Light On Distinctive Tactics Used by Hades Ransomware

thehackernews.com/2021/06/experts-shed-light-on-distinctive.html Cybersecurity researchers on Tuesday disclosed “distinctive” tactics, techniques, and procedures (TTPs) adopted by operators of Hades ransomware that set it apart from the rest of the pack, attributing it to a financially motivated threat group called GOLD WINTER. “In many ways, the GOLD WINTER threat group is a typical post-intrusion ransomware threat group that pursues high-value targets to maximize how much money it can extort from its victims,” researchers from SecureWorks Counter Threat Unit (CTU) said in an analysis shared with The Hacker News. “However, GOLD WINTER’s operations have quirks that distinguish it from other groups.”

Multi Perimeter Device Exploit Mirai Version Hunting For Sonicwall, DLink, Cisco and more

isc.sans.edu/forums/diary/Multi+Perimeter+Device+Exploit+Mirai+Version+Hunting+For+Sonicwall+DLink+Cisco+and+more/27528/ Vulnerable perimeter devices remain a popular target, and we do see consistent exploit attempts against them. This weekend, Guy wrote about some scans for Fortinet vulnerabilities, and Xavier notes that Crowdstrike observed attacks against EoL Sonicwalls. Starting earlier this month, we did also observe a consistent trickle of requests looking for a relatively recent Sonicwall vulnerability.

Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs

medium.com/tenable-techblog/stealing-tokens-emails-files-and-more-in-microsoft-teams-through-malicious-tabs-a7e5ff07b138 I recently came across an interesting bug in the Microsoft Power Apps service which, despite its simplicity, can be leveraged by an attacker to gain persistent read/write access to a victim user's email, Teams chats, OneDrive, SharePoint and a variety of other services by way of a malicious Microsoft Teams tab and Power Automate flows. The bug has since been fixed by Microsoft, but in this blog we're going to see how it could have been exploited.

Utilities Concerningly at Risk from Active Exploits

threatpost.com/utilities-risk-active-exploits/166908/ The amount of time that utility networks spend exposed to a known application exploit has spiked over the past two months, something analysts called out as a concerning datapoint and an important reminder that ransomware isn't the only threat utility networks need to secure against. A new report from WhiteHat Security measured the amount of time a sector remained vulnerable to a known application exploit out in the wild, a metric they call an industry's window of exposure (WoE). They found the WoE for the utility sector climbed from 55 percent two months ago to 67 percent last month.

Critical remote code execution flaw in thousands of VMWare vCenter servers remains unpatched

www.zdnet.com/article/critical-remote-code-execution-flaw-in-thousands-of-vmware-vcenter-servers-remains-unpatched/ Researchers have warned that thousands of internet-facing VMWare vCenter servers still harbor critical vulnerabilities weeks after patches were released. The vulnerabilities impact VMWare vCenter Server, a centralized management utility. VMWare issued patches for two critical bugs, CVE-2021-21985 and CVE-2021-21986, on May 25. The first security flaw, CVE-2021-21985, impacts VMware vCenter Server and VMware Cloud Foundation and has been issued a CVSS score of 9.8. This bug was found in a vSAN plugin, enabled by default in the application, that allows attackers to achieve remote code execution (RCE) if they have access to port 443.

Nokia Deepfield global analysis shows most DDoS attacks originate from fewer than 50 hosting companies

www.nokia.com/about-us/news/releases/2021/06/14/nokia-deepfield-global-analysis-shows-most-ddos-attacks-originate-from-fewer-than-50-hosting-companies/ Nokia Deepfield today announced the results of its global DDoS traffic analysis, which examined service provider network traffic encompassing thousands of routers on the internet between January 2020 and May 2021. Among the findings, which were presented by Dr. Craig Labovitz, Nokia Deepfield CTO, at NANOG82: a more than 100% increase in daily DDoS peak traffic in this time period; and a newly identified DDoS threat potential of over 10 Tbps (four to five times higher than the largest current attacks reported), due to the rapidly growing number of open and insecure internet services and IoT devices.

Russia and China received a warning from NATO: cyberattacks are comparable to armed attacks

www.tivi.fi/uutiset/tv/26aa1f45-6717-4fdd-8c42-8c8612904db4 NATO has adopted a policy under which significant malicious cyber activities can, in certain cases, henceforth be equated with an armed attack. A more precise definition was not made public. The policy was set at the NATO summit in Brussels on Monday.

VPN Attacks Surged in First Quarter

www.darkreading.com/attacks-breaches/vpn-attacks-surged-in-first-quarter/d/d-id/1341300 But the volume of malware, botnet, and other exploit activity declined because of the Emotet botnet takedown. Attacks against virtual private network (VPN) products from Fortinet and Pulse Secure surged dramatically in the first quarter of 2021 as threat actors tried to take advantage of previously disclosed vulnerabilities that organizations had not patched. Log data collected by Nuspire from thousands of devices at customer locations show attacks against Fortinet's SSL-VPN increased 1,916% from the beginning of the quarter as threat actors tried to exploit a path traversal vulnerability in the technology (CVE-2018-13379) that could allow unauthenticated attackers to download files.
