Daily NCSC-FI news followup 2021-06-17

Black Kingdom ransomware

securelist.com/black-kingdom-ransomware/102873/ Black Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065). The complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key.. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already provided a script to recover encrypted files in case they were encrypted with the embedded key.

OSINT 101: What is open source intelligence and how is it used?

www.welivesecurity.com/2021/06/16/osint-101-what-is-open-source-intelligence-how-is-it-used/ The cybersecurity industry often gets obsessed with technology: the latest exploits, hacking tools and threat hunting software. In reality, a lot comes down to people. Its people who develop malware, people that hit the red button to launch attacks and, on the other side, people who are tasked with defending against them. To this end, OSINT, or open source intelligence, is an important but often overlooked human element of cybersecurity.. The bottom line is that whatever you can find out online about your organization, so can the bad actors. That thought alone should drive ongoing OSINT efforts to mitigate cyber-risk.

NSA Releases Guidance on Securing Unified Communications and Voice and Video over IP Systems

www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2661746/nsa-releases-guidance-on-securing-unified-communications-and-voice-and-video-ov/ NSA released a Cybersecurity Technical Report today that provides best practices and mitigations for securing Unified Communications (UC) and Voice and Video over IP (VVoIP) call-processing systems. The comprehensive report, Deploying Secure Unified Communications/Voice and Video over IP Systems, also describes potential risks to UC/VVoIP systems that arent properly secured. To complement the larger report, NSA published an abridged Cybersecurity Information Sheet to capture key takeways and introduce the steps organizations should take when securing their UC/VVoIP systems.

Criminals are mailing altered Ledger devices to steal cryptocurrency

www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-altered-ledger-devices-to-steal-cryptocurrency/ Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach that are used to steal cryptocurrency wallets. Ledger has been a popular target by scammers lately with rising cryptocurrency prices and the popularity of hardware wallets to secure cryptofunds. In a post on Reddit, a Ledger user shared a devious scam after receiving what looks like a Ledger Nano X device in the mail.

New TA402 Molerats Malware Targets Governments in the Middle East

www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east Proofpoint researchers identified a malware called LastConn distributed by TA402, a threat actor also known as Molerats. The malware targeted government institutions in the Middle East and global government organizations associated with geopolitics in the region. TA402 is a Middle Eastern advanced persistent threat (APT) group that often targets entities in Israel and Palestine, in addition to other regions in the Middle East. In campaigns identified throughout 2021, TA402 leveraged Middle Eastern geopolitical themes including ongoing conflict in the Gaza Strip.

What you need to know about Process Ghosting, a new executable image tampering attack

www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack Security teams defending Windows environments often rely on anti-malware products as a first line of defense against malicious executables. Microsoft provides security vendors with the ability to register callbacks that will be invoked upon the creation of processes on the system. Driver developers can call APIs such as PsSetCreateProcessNotifyRoutineEx to receive such events. Despite the name, PsSetCreateProcessNotifyRoutineEx callbacks are not actually invoked upon the creation of processes, but rather upon the creation of the first threads within those processes. This creates a gap between when a process is created and when security products are notified of its creation.

A New Spyware is Targeting Telegram and Psiphon VPN Users in Iran

thehackernews.com/2021/06/a-new-spyware-is-targeting-telegram-and.html Threat actors with suspected ties to Iran have been found to leverage instant messaging and VPN apps like Telegram and Psiphon to install a Windows remote access trojan (RAT) capable of stealing sensitive information from targets’ devices since at least 2015. Russian cybersecurity firm Kaspersky, which pieced together the activity, attributed the campaign to an advanced persistent threat (APT) group it tracks as Ferocious Kitten, a group that has singled out Persian-speaking individuals allegedly based in the country while successfully operating under the radar.

Network Forensics on Azure VMs (Part #1)

isc.sans.edu/forums/diary/Network+Forensics+on+Azure+VMs+Part+1/27536/ The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before (Forensicating Azure VMs) how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straight forward, but it also tips off an intruder that he has been found out. Sometimes, it makes sense to first watch for a while, and learn more, for example about compromised accounts, lateral movement, or other involved hosts.

Hiccup in Akamais DDoS Mitigation Service Triggers Massive String of Outages

threatpost.com/hiccup-akamais-ddos-outages/167004/ Major financial institutions, airlines and the Hong Kong stock exchange were knocked offline by a backfiring distributed denial-of-service (DDoS) mitigation service Thursday. The hour-long outage, which was triggered at approximately 1 a.m. EST Thursday, is tied to Akamai Technologys anti-DDoS Prolexic service. In a statement to Threatpost at 7:44 a.m. EST, Akamai confirm a segment of its Prolexic platform was impacted and is now back up and running. We are continuing to validate services. We will share more details of what transpired, but our first priority is ensuring all customer impact is mitigated, wrote Chris Nicholson, senior public relations manager, Akamai.. Myös: www.is.fi/digitoday/art-2000008063974.html

Attackers Take Advantage of New Google Docs Exploit

www.avanan.com/blog/attackers-take-advantage-of-new-google-doc-exploit Avanan analysts have recently discovered an exploit vector in Google Docs that attackers are using to deliver malicious phishing websites to victims

Audi, Volkswagen customer data being sold on a hacking forum

www.bleepingcomputer.com/news/security/audi-volkswagen-customer-data-being-sold-on-a-hacking-forum/ Audi and Volkswagen customer data is being sold on a hacking forum after allegedly being stolen from an exposed Azure BLOB container. Last week, the Volkswagen Group of America, Inc. (VWGoA) disclosed a data breach after a vendor left customer data unsecured on the Internet between August 2019 and May 2021. “The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number,” disclosed VWGoA in a data breach notification.

Polazert Trojan using poisoned Google Search results to spread

blog.malwarebytes.com/awareness/2021/06/polazert-trojan-using-poisoned-google-search-results-to-spread/ Trojan.Polazert aka SolarMarker has gone back and fine-tuned an old tactic known as SEO-poisoning to plant their Remote Access Trojan (RAT) on as many systems as possible. This RAT runs in memory and is used by attackers to install additional malware on affected systems. Trojan.Polazert is specifically designed to steal credentials from browsers and provide an attacker with a backdoor that allows them to further compromise infected systems. To achieve this, collected data is sent to a C&C server.

Travel and retail industries facing wave of credential stuffing attacks

www.zdnet.com/article/travel-and-retail-industries-facing-wave-of-credential-stuffing-attacks/ A new report from Auth0 has discovered that government institutions as well as travel and retail companies continue to face an inordinate amount of credential stuffing attacks. Auth0, which was recently acquired by Okta for $6.5 billion, released startling statistics of what they are seeing in their State of Secure Identity report. In the first three months of 2021, Auth0 found that credential stuffing accounted for 16.5% of attempted login traffic on its platform, with a peak of over 40% near the end of March.

Varo saastunutta linkkiä huijarit matkivat pankkia

www.iltalehti.fi/tietoturva/a/d426784f-c79d-40a1-969d-fb922195d564 Erilaisia huijausviestejä on ollut liikkeellä viime aikoina erittäin paljon. Rikolliset yrittävät kalastella suomalaisten tietoja, kuten pankkitunnuksia sekä levittää haittaohjelmaa, joka kaappaa tietoja käyttäjän puhelimesta. Nyt huijarit esittävät Aktian asiakaspalvelua. Iltalehden käsiinsä saamassa sähköpostiviestissä väitetään, että Aktia on lähettänyt vastaanottajalle luottamuksellisen allekirjoitetun asiakirjan. Viestissä annetaan kiireentuntu sillä, että viestin voi lukea vain kahden viikon ajan. Iltalehden saamien tietojen mukaan myös POP Pankin nimissä liikkuu samanlaisia viestejä.

Biden to Putin: Get your ransomware gangs under control and dont you dare cyber-attack our infrastructure

www.theregister.com/2021/06/17/biden_putin_summit_cybersecurity_discussion/ US President Joe Biden and his Russian Federation counterpart Vladimir Putin have traded barbs over cyber-attacks at a summit meeting staged yesterday in Switzerland. The readout of Bidens post-summit press conference states that what the two presidents spent a great deal of time on was cyber and cybersecurity.. – I talked about the proposition that certain critical infrastructure should be off limits to attack period by cyber or any other means.. Biden gave Putin a list of 16 specific entities defined as critical infrastructure under US policy, from the energy sector to our water systems.

Ransomware Operators’ Strategies Evolve as Attacks Rise

beta.darkreading.com/attacks-breaches/ransomware-operators-strategies-evolve-as-attacks-rise Corporate email inboxes remain a valuable target for many cybercriminals, but ransomware operators are finding new avenues into enterprise networks as defensive tools improve, new research shows. Ransomware attackers have begun to leverage criminal organizations, mostly banking Trojan distributors, for malware deployment. These so-called “access facilitators” distribute backdoors to victims using malicious links and attachments sent via email. Once they infiltrate a target, the attackers can sell their access to ransomware groups for a cut of the profit, Proofpoint reports.

You might be interested in …

Daily NCSC-FI news followup 2020-06-22

Google Analytics as a data exfiltration channel www.kaspersky.com/blog/web-skimming-with-ga/35986/ Web skimming, a fairly common method of getting cardholder data from visitors of online stores, is a time-honored cybercriminal practice. Recently, however, our experts discovered a rather dangerous innovation involving the use of Google Analytics to exfiltrate stolen data. Lets explore why this is dangerous and how […]

Read More

Daily NCSC-FI news followup 2020-01-05

Austria: Cyberangriff auf Außenministerium orf.at/stories/3149769/ Die IT-Systeme des Außenministeriums sind derzeit offenbar Ziel eines schwerwiegenden Cyberangriffs. Der Angriff lief auch am Sonntag weiter, so Außenamtssprecher Peter Guschelbauer. Vonseiten des Ministeriums vermutet man einen Angriff eines staatlichen Akteurs.. Also www.bbc.com/news/world-europe-50997773 US announces AI software export restrictions www.theverge.com/2020/1/5/21050508/us-export-ban-ai-software-china-geospatial-analysis The ban, which comes into force on Monday, is […]

Read More

Daily NCSC-FI news followup 2020-07-25

Will Garmin Pay $10m Ransom To End Two-Day Outage? www.forbes.com/sites/barrycollins/2020/07/25/will-garmin-pay-10m-ransom-to-end-two-day-outage/ Garmin is reportedly being asked to pay a $10 million ransom to free its systems from a cyberattack that has taken down many of its services for two days. Lisäksi yle.fi/uutiset/3-11465640 Hackers actively exploit high-severity networking vulnerabilities arstechnica.com/information-technology/2020/07/hackers-actively-exploit-high-severity-networking-vulnerabilities/ Hackers are actively exploiting two unrelated high-severity […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.