Daily NCSC-FI news followup 2021-06-29

Russian hackers had months-long access to Denmark’s central bank

www.bleepingcomputer.com/news/security/russian-hackers-had-months-long-access-to-denmarks-central-bank/ Russian state hackers compromised Denmark’s central bank (Danmarks Nationalbank) and planted malware that gave them access to the network for more than half a year without being detected.

The “WayBack” Campaign: a Large Scale Operation Hiding in Plain Sight

yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/ Yoroi Malware ZLAB reports extensively on a large-scale operation by an actor that has been active since 2019 and targets Italian and European organizations.

REvil ransomware’s new Linux encryptor targets ESXi virtual machines

www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/ The REvil ransomware operation is now using a Linux encryptor that targets and encrypts VMware ESXi virtual machines.

Tesorion announces a free decryptor for Lorenz ransomware

www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/ A report from security researchers at Tesorion gives some insight into the encryption used by the Lorenz ransomware. A decryptor is available for download from nomoreransom.org.

700 million LinkedIn records for sale on hacker forum

www.privacysharks.com/exclusive-700-million-linkedin-records-for-sale-on-hacker-forum-june-22nd-2021/ After 500 million LinkedIn users were affected by data scraping in April, it happened again. The information includes full names, gender, email addresses, phone numbers, and industry information.

NCSC UK – Device Security Guidance for public sector and large organisations

www.ncsc.gov.uk/blog-post/securing-your-devices-future The National Cyber Security Centre UK has published "Device Security Guidance" for organisations on how to choose, configure and use devices securely.

An unpatched security vulnerability affecting Google’s Compute Engine platform could be abused by an attacker to take over virtual machines over the network

thehackernews.com/2021/06/unpatched-virtual-machine-takeover-bug.html PoC available: github.com/irsl/gcp-dhcp-takeover-code-exec

Microsoft’s Halo game development servers breached by a security researcher

www.bleepingcomputer.com/news/security/microsofts-halo-dev-site-breached-using-dependency-hijacking/ Microsoft already had trouble with npm dependency confusion earlier this year; this time another researcher found that the problem still exists because some of its packages declare dependencies whose names are not published on the public npmjs registry, so anyone who publishes a package under such a name can get it installed in Microsoft's build.
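As an added example (not code from the page, from Microsoft, or from the researcher who found the Halo issue), the Node.js script below audits a project's package.json against its .npmrc for exactly the condition described above: dependencies that npm would resolve from the public registry even though nobody has published them there. The package.json, .npmrc and the set of names taken to exist on npmjs are constructed for the example; in a real check the isPublic callback would query the registry for each name.

```javascript
// Dependency-confusion exposure check for an npm project (Node.js, no network).
// Added example for this digest; not code from the page, from Microsoft, or from
// the researcher's write-up. The package.json, .npmrc and "known public names"
// below are constructed for the example.

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Constructed package.json: one public dep, one scoped dep bound to a private
// registry, one unscoped internal helper, one scoped dep whose scope is unmapped.
const PACKAGE_JSON = JSON.stringify({
  name: 'build-tools-example',
  dependencies: {
    'lodash': '^4.17.21',
    '@contoso/telemetry': '1.2.0',
    'contoso-build-helper': '2.0.1',
    '@widgets/ui-kit': '0.3.0',
  },
  devDependencies: { 'eslint': '^7.0.0' },
});

// Constructed .npmrc: only the @contoso scope is pinned to a private registry.
const NPMRC = [
  'registry=https://registry.npmjs.org/',
  '@contoso:registry=https://npm.contoso.internal/',
  '//npm.contoso.internal/:_authToken=${NPM_TOKEN}',
].join('\n');

// Stand-in for a live "does this name exist on npmjs.com?" lookup.
const PUBLIC_NAMES = new Set(['lodash', 'eslint']);

// Parse .npmrc into { defaultRegistry, scopes: Map<scope, registryUrl> }.
function parseNpmrc(text) {
  const scopes = new Map();
  let defaultRegistry = PUBLIC_REGISTRY;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const scoped = line.match(/^(@[^:/]+):registry=(.+)$/);
    if (scoped) { scopes.set(scoped[1], scoped[2].trim()); continue; }
    const def = line.match(/^registry=(.+)$/);
    if (def) defaultRegistry = def[1].trim();
  }
  return { defaultRegistry, scopes };
}

// Classify every declared dependency by where npm would resolve it from:
//   ok            - scope bound to a private registry, or a name that is public on purpose
//   hijackable    - unscoped name nobody has published on the public registry; an
//                   attacker can claim it and npm will install whatever they publish
//   unmappedScope - scoped name whose scope is not bound to a private registry, so it
//                   resolves from the public registry where the scope may be claimable
function auditDependencies(packageJsonText, npmrcText, isPublic) {
  const pkg = JSON.parse(packageJsonText);
  const { defaultRegistry, scopes } = parseNpmrc(npmrcText);
  const result = { ok: [], hijackable: [], unmappedScope: [] };
  // Assumption: the default registry is the public one. Behind a private proxy the
  // proxy's own upstream rules decide, and this offline check cannot see them.
  if (defaultRegistry !== PUBLIC_REGISTRY) {
    result.note = `default registry is ${defaultRegistry}; proxy rules not checked`;
  }
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (name.startsWith('@')) {
      const scope = name.split('/')[0];
      const reg = scopes.get(scope);
      if (reg && reg !== PUBLIC_REGISTRY) result.ok.push(name);
      else if (isPublic(name)) result.ok.push(name);
      else result.unmappedScope.push(name);
    } else if (isPublic(name)) {
      result.ok.push(name);
    } else {
      result.hijackable.push(name);
    }
  }
  return result;
}

const report = auditDependencies(PACKAGE_JSON, NPMRC, (n) => PUBLIC_NAMES.has(n));
console.log(JSON.stringify(report, null, 2));
```

The fix the check points at is the usual one: put every internal package under a scope and bind that scope to the private registry in .npmrc, so an unclaimed public name can never shadow it. An unscoped internal name cannot be protected this way at all, which is why contoso-build-helper is reported as hijackable rather than merely misconfigured.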

Remote code execution vulnerability in Microsoft Intune management extension

www.nixu.com/blog/remote-code-execution-vulnerability-microsoft-intune-managed-windows-devices Aapo Oksman, a Senior Security Specialist at Nixu Corporation, found a critical bug in the Microsoft Intune Management Extension (IME) that allows a remote attacker in a privileged network position to execute arbitrary code with SYSTEM privileges on Intune-enrolled Windows devices running IME.
