Daily NCSC-FI news followup 2021-07-13

June 2021's Most Wanted Malware: Trickbot Remains on Top

blog.checkpoint.com/2021/07/13/june-2021s-most-wanted-malware-trickbot-remains-on-top/ Our latest Global Threat Index for June 2021 has revealed that Trickbot is still the most prevalent malware, having first taken the top spot in May. Trickbot is a botnet and banking trojan that can steal financial details, account credentials and personally identifiable information, as well as spread within a network and drop ransomware. Last month CPR reported that the average weekly number of ransomware attacks increased 93% over the past 12 months, and also warned that ransomware attacks often don't start with ransomware.

DLL Side-Loading Technique Used in the Recent Kaseya Ransomware Attack

www.fortinet.com/blog/threat-research/dll-side-loading-technique-used-in-recent-kaseya-ransomware-attack In this article we examine the ransomware used in the recent Kaseya attack. We will see what happens when a machine is infected by this ransomware by looking at some of the visible Indicators of Compromise, such as the modified wallpaper, several -readme.txt files in different folders, and files renamed with a new extension. We will also discuss in more detail how DLL side-loading was implemented, along with other malware tricks that the ransomware used.

How Zoom moved toward end-to-end encryption

www.kaspersky.com/blog/rsa2021-zoom-end-to-end-encryption/40562/ Zoom's presentation at RSA Conference 2021 focused on end-to-end encryption in Zoom Cloud Meetings. The company explained why its developers are focusing on the issue, how they plan to make calls more secure, and what other new security-related features users can expect. The pandemic forced many of us to switch to long-term remote work and to communicate with colleagues and loved ones through teleconferencing software. Zoom's high popularity aroused the interest of security experts and cybercriminals alike, whereupon many quickly learned that not all was well with the platform's security.

British spy chief declares ransomware biggest online threat

www.pandasecurity.com/en/mediacenter/security/ransomware-biggest-threat/ The digital world is full of risks and pitfalls, but one is more dangerous than the others. According to Lindy Cameron, chief executive of the UK's National Cyber Security Centre, computerised extortion is the one to watch out for. Cameron's job is to protect the UK from cyberthreats, including major attacks by hostile foreign governments. During a recent speech, however, she said that ransomware presents the most immediate threat and the greatest disruptive potential.

CISA orders federal agencies to patch Windows PrintNightmare bug

www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-patch-windows-printnightmare-bug/ A new emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) orders federal agencies to mitigate the actively exploited PrintNightmare vulnerability in the Windows Print Spooler service on their networks. CISA issued Emergency Directive 21-04 after Microsoft released out-of-band security updates on July 6 to address the flaw, which affects all supported Windows versions. The vulnerability (tracked as CVE-2021-34527) enables attackers to take over affected servers via remote code execution (RCE) with SYSTEM privileges.

Trickbot Malware Returns with a new VNC Module to Spy on its Victims

thehackernews.com/2021/07/trickbot-malware-returns-with-new-vnc.html Cybersecurity researchers have opened the lid on the continued resurgence of the insidious Trickbot malware, making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter efforts from law enforcement. The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between [command-and-control] servers and victims making attacks difficult to spot.

Inglis sworn in as first national cyber czar

therecord.media/inglis-sworn-in-as-first-national-cyber-czar/ Chris Inglis was sworn into office on Monday as the country's first ever National Cyber Director, according to a White House spokesperson. Inglis, a former NSA deputy director, was unanimously confirmed by the Senate last month. He will advise President Joe Biden on digital issues, as well as play a key role in coordinating the federal government's response to hacks and other digital threats. The creation of the new White House office was a major policy recommendation of the Cyberspace Solarium Commission, which Inglis served on, and was enshrined into law in last year's defense policy bill out of a bipartisan desire to see cybersecurity issues elevated within the executive branch and to have someone with the authority to coordinate the government's various digital missions.

Microsoft July 2021 Patch Tuesday

isc.sans.edu/forums/diary/Microsoft+July+2021+Patch+Tuesday/27628/ This month we got patches for 117 vulnerabilities. Of these, 13 are critical, 6 were previously disclosed and 4 are being exploited according to Microsoft. The known PrintNightmare vulnerability (CVE-2021-34527) is one of the 4 exploited. Microsoft released an out-of-band emergency security fix for it (KB5004945) on July 6, but it is worth stressing the importance of applying this update. Remember also to confirm that the Point and Print policy values (NoWarningNoElevationOnInstall and UpdatePromptSettings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint) are set to 0 or not defined; a value of 1 leaves the host exploitable even with the update installed. Please refer to the security advisory and to a diary from Johannes detailing the vulnerability. The other 3 exploited vulnerabilities comprise two elevation-of-privilege bugs affecting the Windows Kernel (CVE-2021-31979 and CVE-2021-33771) and a remote code execution (RCE) bug affecting the Windows Scripting Engine. Also:
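The CISA directive item and this diary both come down to the same per-host checks for PrintNightmare: the out-of-band update is installed, the Point and Print policy values are not undermining it, and the Print Spooler is stopped and disabled where it is not needed (domain controllers in particular). The following PowerShell script is an added example, not code from the ISC diary, Microsoft or CISA. It assumes it is run from an elevated prompt on the host being checked and that KB5004945 is the out-of-band update for that host's build; other builds received different KB numbers, and a later cumulative update supersedes it, in which case Get-HotFix may no longer list it and the KB ID should be passed in.

```powershell
# Added example, not code from the ISC diary, Microsoft or CISA.
# Checks one Windows host for the PrintNightmare (CVE-2021-34527) mitigations:
# the July 6 out-of-band update, the Point and Print policy values, and the
# Print Spooler state. Run from an elevated PowerShell prompt.
# Assumption: KB5004945 is the out-of-band update for this host's build; other
# builds received different KB numbers, and a later cumulative update
# supersedes it, in which case Get-HotFix may not list it any more.

function Test-PrintNightmareMitigation {
    [CmdletBinding()]
    param([string]$HotFixId = 'KB5004945')

    # 1. Is the out-of-band fix (by KB ID) installed?
    $fixPresent = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                         Where-Object { $_.HotFixID -eq $HotFixId })

    # 2. Point and Print hardening. Both values must be 0 or absent; a value of 1
    #    in NoWarningNoElevationOnInstall leaves the host exploitable even when
    #    the update is installed.
    $ppPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $ppState = @{}
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $item  = Get-ItemProperty -Path $ppPath -Name $name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.$name } else { $null }
        $ppState[$name] = ($null -eq $value) -or ($value -eq 0)
    }

    # 3. Spooler state. On domain controllers (Win32_ComputerSystem.DomainRole
    #    4 = backup DC, 5 = primary DC) the guidance is to stop and disable the
    #    service outright, since a DC has no business sharing printers.
    $spooler     = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $isDC        = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $spoolerSafe = (-not $spooler) -or
                   ($spooler.Status -ne 'Running' -and $spooler.StartType -eq 'Disabled')

    $ppSafe = ($ppState.Values -notcontains $false)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsDomainController   = $isDC
        HotFixInstalled      = $fixPresent
        PointAndPrintSafe    = $ppSafe
        SpoolerStoppedAndOff = $spoolerSafe
        # A DC with the spooler running fails regardless of the update.
        Mitigated            = $fixPresent -and $ppSafe -and ((-not $isDC) -or $spoolerSafe)
    }
}

Test-PrintNightmareMitigation | Format-List
```

The function returns an object rather than printing, so it can be run through Invoke-Command against a list of hosts and the Mitigated column filtered for the ones still needing work. Treat HotFixInstalled = False with caution on fully patched hosts: pass the KB ID of the latest cumulative update for the build instead of relying on the July 6 out-of-band number.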

Operation SpoofedScholars: A Conversation with TA453

www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453 Masquerading as UK scholars with the University of London's School of Oriental and African Studies (SOAS), the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT which we assess with high confidence supports Islamic Revolutionary Guard Corps (IRGC) intelligence collection efforts, established backstopping for its credential phishing infrastructure by compromising a legitimate site of a highly regarded academic institution to deliver personalized credential harvesting pages disguised as registration links.

BIOPASS RAT Uses Live Streaming to Steal Victims' Data

threatpost.com/biopass-rat-live-streaming/167695/ Online gambling companies in China are being targeted by a new remote access trojan (RAT) which, in addition to its predictable features like file assessment and exfiltration, takes the novel approach of using live streaming to spy on the screens of its victims. What makes BIOPASS RAT particularly interesting is that it can sniff its victims' screens by abusing the framework of Open Broadcaster Software (OBS) Studio, a popular live streaming and video recording app, to establish a live stream to a cloud service via the real-time messaging protocol (RTMP).

REvil websites down after governments pressured to take action following Kaseya attack

www.zdnet.com/article/revil-websites-down-after-governments-pressured-to-take-action-following-kaseya-attack/ Security researchers are reporting that all of the dark web sites for the prolific ransomware group REvil, including the payment site, the group's public site, the 'helpdesk' chat and their negotiation portal, are offline. It is still unclear what caused the outages, but dozens of theories were floated online. On Friday, US President Joe Biden made news when he said he had spoken directly to Russian President Vladimir Putin following REvil's massive ransomware attack on Kaseya that affected almost 1,500 organizations. Also:

A scam urging recipients to open a voicemail message is spreading on phones; it comes from ordinary Finnish numbers and in clear Finnish

yle.fi/uutiset/3-12018913 The scam text message urges its recipient to listen to a voicemail message. According to the National Cyber Security Centre (Kyberturvallisuuskeskus), it is a continuation of the early-summer scam campaign, the so-called FluBot phenomenon. The link in the text message must not be opened. The program that installs from the link in the scam message also makes it possible to send scam messages through the infected phone. "And that is exactly what makes this scam campaign effective," says Matias Mesiä, information security specialist at the National Cyber Security Centre. Also:

KRP warns of a scam: an official-looking message is a trap

www.is.fi/digitoday/art-2000008122901.html Finns are now receiving scam messages in the name of the international criminal police organisation Interpol, reports the Finnish National Bureau of Investigation (KRP). The scammer approaches, in Interpol's name, a person who has already once fallen victim to fraud and offers them the chance to recover the money lost in that scam. The messages have arrived by email. KRP reminds on Twitter that Interpol never contacts private individuals directly, nor asks for their bank account details.

Goods can be ordered in someone else's name through the payment company Klarna; an MOT test shows how badly the Swedish company's security leaks

yle.fi/uutiset/3-12014974 The system of Klarna, one of the largest payment service providers in the Nordic countries, has a serious security problem that allows the company's customers' accounts to be used for fraud, identity theft and harassment. The problem has been known for several years. Because of the weak security, Klarna's service has also been used repeatedly to commit crimes. "It looks pretty bad. Data protection is such a critical matter that it should not be possible to order goods in someone else's name. Although the company has some kind of monitoring, it clearly leaks," says IT expert and non-fiction author Petteri Järvinen.

Kaseya Ransomware Attack: Guidance and Resources

us-cert.cisa.gov/ncas/current-activity/2021/07/13/kaseya-ransomware-attack-guidance-and-resources CISA has created a webpage to provide information and guidance for the recent ransomware attack against Kaseya customers that include managed service providers (MSPs) and customers of those MSPs.

Microsoft fixes Windows Hello authentication bypass vulnerability

www.bleepingcomputer.com/news/security/microsoft-fixes-windows-hello-authentication-bypass-vulnerability/ Microsoft has addressed a security feature bypass vulnerability in the Windows Hello biometrics-based authentication technology that lets threat actors spoof a target's identity and trick the face recognition mechanism into giving them access to the system. According to Microsoft, the share of Windows 10 customers using Windows Hello to sign in to their devices instead of a password grew from 69.4% to 84.7% during 2019.

New CISA Director Confirmed, White House Gains Cyber-Director

threatpost.com/cisa-director-confirmed-white-house-cyber-director/167710/ The U.S. has made a key move to shore up its cybersecurity strategy with the confirmation of Jen Easterly as director of the Cybersecurity and Infrastructure Security Agency (CISA) on Monday. Easterly, a former official at the National Security Agency from 2011 to 2013 and two-time Bronze Star recipient, fills the position left empty by Chris Krebs, who was fired from the post under then-President Trump in 2020. Easterly comes to the role fresh from the private sector: she was most recently responsible for Morgan Stanley's resilience strategy. Before that, she worked to set up U.S. Cyber Command.

Modipwn: code execution vulnerability discovered in Schneider Electric Modicon PLCs

www.zdnet.com/article/modipwn-critical-vulnerability-discovered-in-schneider-electric-modicon-plcs/ A vulnerability discovered in Schneider Electric (SE) Modicon programmable logic controllers (PLCs) allows full takeover of the industrial devices. Discovered by Armis researchers, the vulnerability can be used to bypass existing security mechanisms in the PLCs to hijack the devices and potentially impact wider industrial setups. The authentication bypass vulnerability, dubbed Modipwn, has been assigned CVE-2021-22779. Also:

Can Government Effectively Help Businesses Fight Cybercrime?

beta.darkreading.com/attacks-breaches/can-government-effectively-help-businesses-fight-cybercrime- When Team Cymru's James Shank worked with the Ransomware Task Force to come up with the worst-case scenarios for a ransomware attack, the group focused heavily on impacts: how could attackers endanger people or cause significant damage to infrastructure? However, the group also focused on vectors, including an exploitation chain that amplifies attacks by compromising the software supply chain, infecting managed service providers and propagating too quickly for defenders to react. In short, the scenarios the group came up with looked very similar to the attack against managed service providers using a vulnerability in Kaseya Virtual System Administrator (VSA) servers that happened on July 2.

How to Avoid Being Impacted by a Managed Service Provider (MSP) Breach

www.crowdstrike.com/blog/how-to-avoid-being-a-victim-of-a-msp-breach/ Managed service providers (MSPs) provide extremely important and valuable services by assisting organizations with information technology related tasks such as provisioning software or Active Directory accounts. Yet despite all of the benefits an MSP can provide, there's also an inherent risk: if an MSP is breached, its customers may be too. This scenario played out on the world stage on July 2 with the REvil ransomware attack that targeted Kaseya, a key software provider to MSPs, and as a result the MSPs themselves (fewer than 60 Kaseya customers) and just under 1,500 downstream companies, according to Kaseya's public statement at noon on July 6.

DNS Provider Hit With Outrageous Blocking Order Is Your Provider Next?

www.eff.org/deeplinks/2021/07/dns-provider-hit-outrageous-blocking-order-your-provider-next The seemingly endless battle against copyright infringement has caused plenty of collateral damage. But now that damage is reaching new levels, as copyright holders target providers of basic internet services. For example, Sony Music has persuaded a German court to order a Swiss domain name service (DNS) provider, Quad9, to block a site that simply indexes other sites suspected of copyright infringement. Quad9 has no special relationship with any of the alleged infringers. It simply resolves domain names, conveying the public information of which web addresses direct to which server on the public internet, like many other service providers.
