Daily NCSC-FI news followup 2021-06-16

Ukrainian Police Nab Six Tied to CLOP Ransomware

krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/ Authorities in Ukraine this week charged six people alleged to be part of the CLOP ransomware group, a cybercriminal gang said to have extorted more than half a billion dollars from victims. Some of CLOP's victims this year alone include Stanford University Medical School, the University of California, and the University of Maryland. According to a statement and videos released today, the Ukrainian Cyber Police charged six defendants with various computer crimes linked to the CLOP gang, and conducted 21 searches throughout the Kyiv region.
Introducing SLSA, an End-to-End Framework for Supply Chain Integrity

security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html Supply chain integrity attacks, unauthorized modifications to software packages, have been on the rise in the past two years, and are proving to be common and reliable attack vectors that affect all consumers of software. The software development and deployment supply chain is quite complicated, with numerous threats along the source, build and publish workflow. While point solutions do exist for some specific vulnerabilities, there is no comprehensive end-to-end framework that both defines how to mitigate threats across the software supply chain and provides reasonable security guarantees. Our proposed solution is Supply chain Levels for Software Artifacts (SLSA, pronounced "salsa"), an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain.

Ferocious Kitten: 6 years of covert surveillance in Iran

securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/ Ferocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who appear to be based in Iran. Although it has been active for a long time, the group has mostly operated under the radar and has not been covered by security researchers to the best of our knowledge. It is only recently that it drew attention when a lure document was uploaded to VirusTotal and went public thanks to researchers on Twitter. Since then, one of its implants has been analyzed by a Chinese threat intelligence firm.

Smoking Out a DARKSIDE Affiliate's Supply Chain Software Compromise

www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. As reported in the Mandiant post, “Shining a Light on DARKSIDE Ransomware Operations,” Mandiant Consulting has investigated intrusions involving several DARKSIDE affiliates. UNC2465 is one of those DARKSIDE affiliates that Mandiant believes has been active since at least March 2020.

US convicts Russian national behind Kelihos botnet crypting service

www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/ Russian national Oleg Koshkin was convicted on charges related to the operation of a malware crypter service used by the Kelihos botnet to obfuscate malware payloads and evade detection. Koshkin has been detained since he was arrested in California in September 2019, and he faces a maximum penalty of 15 years in prison after September 20, 2021, when his sentencing is due. Pavel Tsurkan, his co-defendant, was also indicted for conspiring to cause damage to protected computers, and for aiding and abetting Peter Levashov, the Kelihos botnet's main operator, in damaging protected computers.

The First Step: Initial Access Leads to Ransomware

www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware Ransomware attacks still use email — but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains. Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network. The result is a robust and lucrative criminal ecosystem in which different individuals and organizations increasingly specialize, to the tune of greater profits for all, except, of course, the victims.

New IoT Security Risk: ThroughTek P2P Supply Chain Vulnerability

www.nozominetworks.com/blog/new-iot-security-risk-throughtek-p2p-supply-chain-vulnerability/ Today we announced the discovery and responsible disclosure of a new security camera vulnerability, the latest in a series of Nozomi Networks research discoveries regarding IoT security. This particular vulnerability affects a software component from a company called ThroughTek. The component is part of the supply chain for many original equipment manufacturers (OEMs) of consumer-grade security cameras and IoT devices. ThroughTek states that its solution is used by several million connected devices.

NFT creators tricked into installing malware in highly targeted attack

therecord.media/nft-creators-tricked-into-installing-malware-in-highly-targeted-attack/ Multiple digital artists and creators of non-fungible tokens (NFT) were at the center of a highly targeted malware campaign last week during which a threat actor tried to swipe their hard-earned profits. The attacks, which began last week and continued through the weekend, were widely reported on Twitter after several victims caught on to the scheme or noticed the theft of cryptocurrency assets from their private wallets. According to public reports, the threat actor used multiple identities to approach Twitter users advertising themselves as NFT creators with business deals and trick them into downloading and running a malware-laced file.

Ransomware Poll: 80% of Victims Don't Pay Up

threatpost.com/ransomware-victims-dont-pay-up/166989/ Ransomware is on the rise, but what toll does it take on the real world? Threatpost set out to answer that question in an exclusive poll aimed at taking the pulse of organizations wrestling with attacks, including looking at the mitigations and defenses organizations have in place. When viewed against the backdrop of complementary reports from Cybereason and Group Salus, a clear picture emerges of how ransomware-related attitudes and security practices are evolving.

A New Program for Your Peloton Whether You Like It or Not

www.mcafee.com/blogs/other-blogs/mcafee-labs/a-new-program-for-your-peloton-whether-you-like-it-or-not/ The McAfee Advanced Threat Research team (ATR) is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. As security researchers, something that we always try to establish before looking at a target is what our scope should be. More specifically, we often assume well-vetted technologies like network stacks or the OS layers are sound and instead focus our attention on the application layers or software that is specific to a target. Whether that approach is comprehensive sometimes doesn't matter; and it's what we decided to do for this project as well, bypassing the Android OS itself and focusing on the Peloton code and implementations.

Finland turns to a popular security site to detect government password leaks

www.tivi.fi/uutiset/tv/c4cedd04-d109-47c0-9748-5e27432fcbff The National Cyber Security Centre (Kyberturvallisuuskeskus) has started using the Have I Been Pwned API, which can be used to check for leaked user credentials. Troy Hunt, creator of the popular Have I Been Pwned (HIBP) site, welcomes the Finnish National Cyber Security Centre in his blog. The National Cyber Security Centre has been given access to the HIBP API, which can be used to check whether credentials of government employees have leaked to outsiders. According to Hunt, Finland is the fifth Northern European country and the 21st governmental actor overall to adopt the API. Many more will be announced shortly, according to Hunt.

Ryuk ransomware recovery cost us $8.1m and counting, says Baltimore school authority

www.theregister.com/2021/06/16/baltimore_ryuk_ransomware_dollars_8_1m_recovery_cost/ An organisation whose network was infected by Ryuk ransomware has spent $8.1m over seven months recovering from it, and that's still not the end of it, according to US news reports. The sum, spent by Baltimore County Public Schools, will doubtless raise some eyebrows, and the public breakdown of the costs will be eye-opening for the infosec industry and potential corporate ransomware victims alike.
