Daily NCSC-FI news followup 2021-07-12

DNS-over-HTTPS takes another small step towards global domination

blog.malwarebytes.com/privacy-2/2021/07/dns-over-https-takes-another-small-step-towards-global-domination/ Firefox recently announced that it will be rolling out DNS-over-HTTPS (or DoH) soon to one percent of its Canadian users as part of its partnership with CIRA (the Canadian Internet Registration Authority), the Ontario-based organization responsible for managing the .ca top-level domain for Canada and a local DoH provider. The rollout will begin on 20 July until every Firefox Canada user is reached in late September 2021. This announcement came five months after Firefox rolled out DoH by default for its US-based users.

Diagnosing the Ransomware Deployment Protocol (RDP)

www.paloaltonetworks.com/blog/2021/07/diagnosing-the-ransomware-deployment-protocol/ Remote Desktop Protocol (RDP) is the most popular initial ransomware attack vector and has been for years. For the 2020 Unit 42 Incident Response and Data Breach Report, Unit 42 studied data from over 1,000 incidents and found in 50% of ransomware deployment cases, RDP was the initial attack vector. In the 2021 Cortex Xpanse Attack Surface Threat Report, Cortex Xpanse researchers found that RDP accounted for 30% of total exposures, which more than doubles the next most common exposure.

RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation

securityintelligence.com/posts/roboski-global-recovery-automation/ In a recent collaboration to investigate a rise in malware infections featuring a commercial remote access trojan (RAT), IBM Security X-Force and Cipher Tech Solutions (CT), a defense and intelligence security firm, investigated malicious activity that spiked in the first quarter of 2021. With over 1,300 malware samples collected, the teams analyzed the delivery of a new variant of the RoboSki packer, which is widely used to thwart detection and deliver commodity RATs to enterprise networks.

Kaseya patches VSA vulnerabilities used in REvil ransomware attack

www.bleepingcomputer.com/news/security/kaseya-patches-vsa-vulnerabilities-used-in-revil-ransomware-attack/ Kaseya has released a security update for the VSA zero-day vulnerabilities used by the REvil ransomware gang to attack MSPs and their customers. Kaseya VSA is a remote management and monitoring solution commonly used by managed service providers to support their customers. MSPs can deploy VSA on-premise using their servers or utilize Kaseya’s cloud-based SaaS solution.. Also:

thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html.

threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/.

www.zdnet.com/article/kaseya-issues-patch-for-on-premise-customers-saas-rollout-underway/

Hackers Spread BIOPASS Malware via Chinese Online Gambling Sites

thehackernews.com/2021/07/hackers-spread-biopass-malware-via.html Cybersecurity researchers are warning about a new malware that’s striking online gambling companies in China via a watering hole attack to deploy either Cobalt Strike beacons or a previously undocumented Python-based backdoor called BIOPASS RAT that takes advantage of Open Broadcaster Software (OBS) Studio’s live-streaming app to capture the screen of its victims to attackers. The attack involves deceiving gaming website visitors into downloading a malware loader camouflaged as a legitimate installer for popular-but-deprecated apps such as Adobe Flash Player or Microsoft Silverlight, only for the loader to act as a conduit for fetching next-stage payloads.

ACSC: Australian organizations compromised through ForgeRock vulnerability

therecord.media/acsc-australian-organizations-compromised-through-forgerock-zero-day/ Australias main cyber-security agency said on Friday that it identified a number of Australian organizations that have been compromised through the exploitation of a vulnerability in ForgeRock OpenAM, an open-source application used by large corporations as an identity access management solution across internal applications. The vulnerability, tracked as CVE-2021-35464, was discovered and disclosed on June 29, last month, by Michael Stepankin, a security researcher at PortSwigger.. Also:

threatpost.com/critical-vulnerability-rce-forgerock-openam/167679/

Fashion retailer Guess discloses data breach after ransomware attack

www.bleepingcomputer.com/news/security/fashion-retailer-guess-discloses-data-breach-after-ransomware-attack/ American fashion brand and retailer Guess is notifying affected customers of a data breach following a February ransomware attack that led to data theft. “A cybersecurity forensic firm was engaged to assist with the investigation and identified unauthorized access to Guess systems between February 2, 2021 and February 23, 2021,” the company said in breach notification letters mailed to impacted customers.

Aussies have lost over AU$7 million to remote access scams already this year

www.zdnet.com/article/aussies-have-lost-over-au7-million-to-remote-access-scams-already-this-year/ In the first six months of 2021, Australians lost over AU$7 million by letting scammers access their home computers — up 184% when compared to last year. The latest data from the ACCC’s Scamwatch reveals so far this year almost 6,500 Australians have reported phone calls from scammers trying to convince them to download software that gives access to home computers and their bank accounts.. “Remote access scams are one of the largest growing scam types in Australia. Scammers take advantage of the digital world and the fear of fraud and cybercrime to access people’s devices and steal their money,” ACCC deputy chair Delia Rickard said.

SolarWinds patches critical Serv-U vulnerability exploited in the wild

www.bleepingcomputer.com/news/security/solarwinds-patches-critical-serv-u-vulnerability-exploited-in-the-wild/ SolarWinds is urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild by “a single threat actor” in attacks targeting a limited number of customers. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” the company said in an advisory published on Friday. “To the best of our understanding, no other SolarWinds products have been affected by this vulnerability. [..] SolarWinds is unaware of the identity of the potentially affected customers.”. Also:

therecord.media/microsoft-discovers-a-solarwinds-zero-day-exploited-in-the-wild/.

arstechnica.com/gadgets/2021/07/microsoft-discovers-critical-solarwinds-zero-day-under-active-attack/

Suomalaisten puhelimia piinannut vitsaus yltyi uudestaan: Varo vastaaja­viestejä

www.is.fi/digitoday/tietoturva/art-2000008120427.html SUOMESSA viime aikoina aktiivisesti levitetty FluBot-haittaohjelma on taas ajankohtainen. Haittaohjelmaa on naamioitu muun muassa vastaajaviesteiksi. Niillä tarkoitetaan automaattisia tekstiviestejä, jotka voi asettaa lähtemään yhteyttä ottavalle käyttäjän ollessa tavoittamattomissa. KYBERTURVALLISUUSKESKUKSEN mukaan FluBotin levittäminen on jälleen yltynyt. Keskukselle on viikonlopun ja maanantain aikana tullut kymmenittäin ilmoituksia vastaajaviesteistä. Uusissa tekstiviesteissä on tyypillistä juuri niiden lyhyt väite yhden vastaajaviestin odottamisesta. Muilta osin kampanja toimii niin kuin ennenkin.

Kyberrikollista syytetään vuosia vanhoista teoista myi pörssivinkkejä salaisille agenteille

www.tivi.fi/uutiset/tv/dd1a05e0-89c9-46fd-aa37-4e71d544ffbd Lähes neljä vuotta AlphaBay-kauppapaikan sulkemisen jälkeen poliisit syyttävät vieläkin ihmisiä pimeän verkon markkinapaikkaan liittyvistä rikoksista. Perjantaina Yhdysvaltain arvopaperi- ja pörssikomissio ja oikeusministeriö ilmoittivat nostavansa syytteet kreikkalaista Apostolos Troviasta vastaan, joka on virastojen mukaan toiminut markkinapaikoilla nimimerkillä The Bull eli härkä. Toisin kuin aiemmin kohteena olleita huumekauppiaita viranomaiset syyttävät Troviasta foorumeiden käyttämisestä tietojen myymiseen. Troviaksen kohteena olivat sisäpiirikauppatietoja myyvät ja ostavat ihmiset.

2021 MITRE ATT&CK for ICS Evaluation Results Coming Soon

www.dragos.com/blog/industry-news/2021-mitre-attck-for-ics-evaluation-results-coming-soon/ Last January, MITRE released the ATT&CK for ICS framework which organizes and codifies the malicious threat behaviors affecting industrial control systems (ICS). The MITRE ATT&CK for ICS framework is a critical development in the defense of industrial environments which evolves cyber defensive from low-level tactics to detecting and defending against strategic behaviors of real-world threats. Dragos is proud to have played a role in its founding and continues as a key contributor to improving the ongoing work to better understand ICS-focused threats. Later this month, MITRE will publicly announce their ATT&CK for ICS evaluation results.

You might be interested in …

Daily NCSC-FI news followup 2021-01-04

Näin tietomurto näkyy Suomessa: “Suurehkoja organisaatioita sekä yksityiseltä että julkishallinnon puolelta” www.is.fi/digitoday/tietoturva/art-2000007719171.html Viranomaisella on tiedossa Suomessa noin kymmenen organisaatiota, joissa on käytetty haavoittuvaa SolarWindsin ohjelmistoversiota. SolarWinds Orion Platformia käytetään myös Suomessa. Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskuksen tietoturva-asiantuntija Helinä Turusen mukaan viranomaisilla on tiedossa “kymmenkunta organisaatiota”, joissa on käytetty haavoittuvaa ohjelmistoversiota. China’s APT hackers move to […]

Read More

Daily NCSC-FI news followup 2019-09-16

Undersøgelsesrapport: Statsstøttet hackergruppe forsøger at kompromittere netværksudstyr fe-ddis.dk/cfcs/nyheder/arkiv/2019/Pages/undersoegelsesrapport-hackergruppe-forsoeger-kompromittere-netvaerksudstyr.aspx En statsstøttet aktør har forsøgt at gennemføre flere angreb på udvalgte danske myndigheder med henblik på spionage. CFCS udsendte den 18. april 2018 et offentligt varsel i forbindelse med hændelserne, og CFCS arbejdede efterfølgende videre og håndterede sagerne i samarbejde med relevante myndigheder.. [PDF] fe-ddis.dk/cfcs/publikationer/Documents/Undersoegelsesrapport-kompromittering-netvaerksudstyr.pdf Exclusive: Russia […]

Read More

Daily NCSC-FI news followup 2021-09-07

Important clarifications regarding arrest of climate activist protonmail.com/blog/climate-activist-arrest/ We would like to provide important clarifications regarding the case of the climate activist who was recently arrested by French police on criminal charges. […] In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.