Daily NCSC-FI news followup 2021-07-09

Banking Trojans in a business wrapper

www.kaspersky.com/blog/icedid-qbot-banking-trojans-in-spam/40552/ Spammers are using malicious macros to distribute IcedID and Qbot banking malware in seemingly important documents. For employees facing hundreds of e-mails, the temptation to speed-read and download attachments on autopilot can be great. Cybercriminals, of course, take advantage, sending out seemingly important documents that might contain just about anything from phishing links to malware. Our experts recently discovered two very similar spam campaigns distributing the IcedID and Qbot banking Trojans.

Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability

msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/ On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations. Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.

Where do all those cybercrime payments go?

nakedsecurity.sophos.com/2021/07/09/where-do-all-those-cybercrime-payments-go/ Here on Naked Security, we've regularly asked the question, or at least implied it: Where do you think all those cybercrime payments go? When a ransomware victim hands over a largely anonymous, mostly untraceable quantity of Bitcoin, for example, to pay off a multi-million dollar blackmail demand in the hope of recovering their unusable files, what happens to that money?

Factsheet ISO: Changes to ISO 27002 Include Addition of Threat Intelligence

quointelligence.eu/2021/07/factsheet-iso-changes-to-iso-27002-include-addition-of-threat-intelligence/ The International Organization for Standardization (ISO) recently presented updates to the ISO 27002 standard, which consolidates chapters and controls, as well as adding several new controls. The update to the ISO framework also includes Threat Intelligence (TI), which further highlights the growing importance of TI in an organization's security management.

Don't Be Rude, Stay: Avoiding Fork&Run .NET Execution With InlineExecute-Assembly

securityintelligence.com/posts/net-execution-inlineexecute-assembly/ Some of you love it and some of you hate it, but at this point it should come as no surprise that .NET tradecraft is here to stay a little longer than anticipated. The .NET framework is an integral part of Microsoft's operating system with the most recent release of .NET being .NET core. Core is the cross-platform successor to the .NET Framework that brings .NET to Linux and macOS as well. This now makes .NET more popular than ever for post exploitation tradecraft among adversaries and red teams.

Ransomware: To pay or not to pay? Legal or illegal? These are the questions

www.welivesecurity.com/2021/07/08/ransomware-pay-not-pay-legal-illegal-these-are-questions/ The recent spate of ransomware payments cannot be the best use of cybersecurity budgets or shareholder capital, nor is it the best use of insurance industry funds. So, why are companies paying and what will it take for them to stop? In simple terms, it may just be, or at least initially seem, more cost effective to pay than not to pay. The current precedent to pay likely dates back to the ethically brave organizations who refused to pay. When WannaCryptor (a.k.a. WannaCry) inflicted its malicious payload on the world in 2017, the United Kingdom's National Health Service bore a significant hit on its infrastructure.

REvil victims are refusing to pay after flawed Kaseya ransomware attack

www.bleepingcomputer.com/news/security/revil-victims-are-refusing-to-pay-after-flawed-kaseya-ransomware-attack/ The REvil ransomware gang’s attack on MSPs and their customers last week outwardly should have been successful, yet changes in their typical tactics and procedures have led to few ransom payments. When ransomware gangs conduct an attack, they usually breach a network and take time stealing data and deleting backups before ultimately encrypting the victim’s devices. When a victim is shown proof of stolen data, backups are deleted, and their devices are encrypted, it creates a much stronger incentive for them to pay the ransom to restore their data and prevent the leak of data.

CISA Publishes Malware Analysis Report and Updates Alert on DarkSide Ransomware

us-cert.cisa.gov/ncas/current-activity/2021/07/07/cisa-publishes-malware-analysis-report-and-updates-alert-darkside CISA has published a new Malware Analysis Report (MAR) on DarkSide Ransomware and updated Alert AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, originally released May 11, 2021. This update adds indicators of compromise associated with a DarkSide ransomware variant that executes a dynamic-link library used to delete Volume Shadow copies available on the system.

Magecart Swiper Uses Unorthodox Concatenation

blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html MageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites with the goal of stealing credit card numbers and selling them on the black market. They remain an ever-growing threat to website owners. We've said many times on this blog that the attackers are constantly using new techniques to evade detection. In this post I will go over a case involving one such MageCart group.

Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files

thehackernews.com/2021/07/hackers-use-new-trick-to-disable-macro.html While it’s a norm for phishing campaigns that distribute weaponized Microsoft Office documents to prompt victims to enable macros in order to trigger the infection chain directly, new findings indicate attackers are using non-malicious documents to disable security warnings prior to executing macro code to infect victims’ computers. In yet another instance of malware authors continuing to evolve their techniques to evade detection, researchers from McAfee Labs stumbled upon a novel tactic that “downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro.”

Ransomwhere project wants to create a database of past ransomware payments

therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/ A new website launched this week wants to create a crowdfunded, free, and open database of past ransomware payments in the hopes of expanding visibility into the broader picture of the ransomware ecosystem. Named Ransomwhere, the new portal is the personal project of Jack Cable, a Stanford University student and a security researcher for the Krebs Stamos Group. The website allows victims of ransomware attacks or cybersecurity professionals to submit a copy of a ransom note, along with the size of the ransom demand and the Bitcoin address where victims made the payment, which would then be indexed in a public database.

Hancitor tries XLL as initial malware file

isc.sans.edu/forums/diary/Hancitor+tries+XLL+as+initial+malware+file/27618/ On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive an XLL file instead of a malicious Word doc. I tried one of the email links in my lab and received the malicious XLL file. After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead.

Seqrite uncovers second wave of Operation SideCopy targeting Indian critical infrastructure PSUs

www.seqrite.com/blog/seqrite-uncovers-second-wave-of-operation-sidecopy-targeting-indian-critical-infrastructure-psus/ The SideCopy APT Group has expanded its activity this year and now targets critical Indian sectors this time. Quick Heal Security Labs researchers have been tracking the notorious cyber-attack group Transparent Tribe since the first SideCopy campaign in September 2020, discovered by Quick Heal. The team has recently discovered an increase in SideCopy's activities targeting certain Government agencies in India. The group has added new malware tools to its arsenal.

Global Phishing Campaign Targets Energy Sector and its Suppliers

www.intezer.com/blog/research/global-phishing-campaign-targets-energy-sector-and-its-suppliers/ Our research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries. The attack also targets oil & gas suppliers, possibly indicating that this is only the first stage in a wider campaign. In the event of a successful breach, the attacker could use the compromised email account of the receipt to send spear phishing emails to companies that work with the supplier. Thus using the established reputation of the supplier to go after more targeted entities.

Lazarus Targets Job-Seeking Engineers with Malicious Documents

threatpost.com/lazarus-engineers-malicious-docs/167647/ The notorious Lazarus advanced persistent threat (APT) group has been identified as the cybergang behind a campaign spreading malicious documents to job-seeking engineers. The ploy involves impersonating defense contractors seeking job candidates. Researchers have been tracking Lazarus activity for months with engineering targets in the United States and Europe, according to a report published online by AT&T Alien Labs.

Microsoft’s PrintNightmare update is causing problems for some printers

www.zdnet.com/article/microsofts-printnightmare-patch-is-now-causing-problems-for-some-printers/ Microsoft’s emergency update which included a fix for the so-called PrintNightmare print spooler problem has the unexpected side-effect of causing a problem with some printers. The PrintNightmare flaw is a major security risk for enterprise, where print spoolers are used on Windows machines. Microsoft considered it serious enough to rush out a patch last week, before its usual Patch Tuesday update. The PrintNightmare bug is being tracked as CVE-2021-1675 and CVE-2021-34527. One of them is a remote code execution flaw and the other is a local privilege escalation flaw. An additional concern was that exploit code was in the public domain before Microsoft released a patch for it.

South Korea’s atomic energy think tank exposed to North Korean hacking: spy agency

www.koreatimes.co.kr/www/nation/2021/07/103_311822.html South Korea’s national think tank on nuclear power has been exposed to a hacking attack presumably launched by North Korea, but no major data was leaked, the state spy agency said Thursday. “An investigation is underway after receiving a damage report from the Atomic Energy Research Institute on June 1. … It was exposed (possibly) to North Korea for about 12 days,” Rep. Ha Tae-keung, a member of the parliamentary intelligence committee, told reporters, citing a briefing from the National Intelligence Service (NIS).

FBI warns cryptocurrency owners, exchanges of ongoing attacks

www.bleepingcomputer.com/news/security/fbi-warns-cryptocurrency-owners-exchanges-of-ongoing-attacks/ The Federal Bureau of Investigation (FBI) warns cryptocurrency owners, exchanges, and third-party payment platforms of threat actors actively targeting virtual assets in attacks that can lead to significant financial losses. The FBI issued the warning via a TLP:GREEN Private Industry Notification (PIN) designed to provide cybersecurity professionals with the information required to properly defend against these ongoing attacks.

Police warning: Victims of a cryptocurrency scam are being targeted by a new fraud

www.is.fi/digitoday/art-2000008114662.html The Eastern Finland Police Department warns of a follow-up scam linked to an earlier cryptocurrency scam, in which the scammers pose as an authority. They say they represent a European authority and claim they can help recover money the victim lost in earlier scams.

Traficom expands use of the Tietoturvamerkki (Cybersecurity Label): it is unlikely to be granted to phones

www.tivi.fi/uutiset/traficom-laajentaa-tietoturvamerkin-kayttoa-puhelimille-sita-tuskin-myonnetaan/103601a5-8ec3-49ff-b273-764a1c72bda8 According to a consumer survey commissioned this spring by the Finnish Transport and Communications Agency Traficom, nearly 80 percent of Finns were aware of the information security risks of smart devices. In 2019 the corresponding share was under 70 percent. According to the same survey, a label indicating a smart device's information security would influence the purchase decision of 45 percent of respondents. Traficom launched the Tietoturvamerkki (Cybersecurity Label) in 2019, with the aim of helping consumers make secure purchase decisions. The first devices received the label in 2020. Previously the Kyberturvallisuuskeskus (National Cyber Security Centre) itself was responsible for the security inspections the label requires, but now companies can also carry out inspections. The background is a desire to get more labelled devices into shops and to ease the product inspection process for companies.

Morgan Stanley announces breach of customer SSNs through Accellion FTA vulnerability

www.zdnet.com/article/morgan-stanley-announces-breach-of-customer-ssns-through-accellion-fta-vulnerability/ Morgan Stanley has notified New Hampshire Attorney General John Formella that one of its vendors was attacked through the Accellion FTA vulnerability and that some customer information — including Social Security numbers — was accessed. In a letter dated July 2, Morgan Stanley said that Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, informed them on May 20 that it had been hacked.

Mikko Hyppönen: Before long it will hit Finland too: this is how organized cybercrime churns out cyberattacks

www.tivi.fi/uutiset/tv/aacc69d6-a01c-4bde-97ab-24f5459595c5 Ransomware from the Russian REvil group closed 800 grocery stores of Sweden's Coop for a week. According to F-Secure's Mikko Hyppönen, something similar may be seen in Finland before long. "Just by looking at the probabilities, one can say that before long it will hit Finland too. We can mentally prepare for a case like this coming to Finland sooner or later. If it does not come this year, that would be surprising," Hyppönen commented to Tivi.
