Daily NCSC-FI news followup 2021-07-14

Web shells: How can we get rid of them and why law enforcement is not really the answer

www.gdatasoftware.com/blog/webshells Microsoft recorded a total of 144,000 web shell attacks between August 2020 and January 2021. Web shells are very light programmes (scripts) that hackers install to either attack affected websites or web-facing services or prepare a future attack. A web shell allows hackers to execute standard commands on web servers that have been compromised. Web shells use code such as PHP, JSP or ASP for this purpose. When the web shells are successfully installed, the hackers are able to execute the same commands as the administrators of the website can. They can also execute commands that steal data, install malicious code and provide system information that allows hackers to penetrate deeper into networks.
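A web shell is, at its core, a script that reads attacker input from the HTTP request and hands it to a function that runs commands or evaluates code, which is exactly the shape a defender can hunt for in a web root. The scanner below is an added example for this digest, not code from the G DATA article; the scoring weights, the function and input-source lists and the sample file contents are all constructed here to illustrate the idea, and the heuristics are deliberately simple (a real deployment would pair them with file-integrity baselines and web server logs).

```python
"""Heuristic web shell scanner run over constructed sample files.

Added example for this digest, not code from the G DATA article. It looks for
the shape the article describes: a short PHP/JSP/ASP script that takes
attacker input from the HTTP request and hands it to a function that runs
commands or evaluates code. Sample file contents below are constructed.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

# Functions that run OS commands or evaluate code, keyed by normalised extension.
EXEC_FUNCS = {
    ".php": r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\(",
    ".jsp": r"Runtime\.getRuntime\(\)\.exec|new\s+ProcessBuilder|ScriptEngine|defineClass",
    ".asp": r"\b(?:eval|execute|executeglobal)\s*\(|CreateObject\s*\(\s*[\"']WScript\.Shell",
    ".aspx": r"\b(?:Process\.Start|Assembly\.Load)\s*\(",
}
# Where attacker-controlled input enters the script.
INPUT_SOURCES = {
    ".php": r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|php://input|getallheaders\s*\(",
    ".jsp": r"\brequest\.get(?:Parameter|Header|InputStream)\s*\(",
    ".asp": r"\bRequest(?:\.(?:Form|QueryString|Cookies))?\s*\(",
    ".aspx": r"\bRequest(?:\.(?:Form|QueryString|Headers))?\s*\[",
}
# PHP "variable function" called directly with request data, e.g. $f($_GET["c"]),
# which hides the sink name from a plain function-name search.
DYNAMIC_CALL = r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
# Encoding/compression helpers that commonly wrap a hidden payload.
OBFUSCATION = r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(|\\x[0-9a-fA-F]{2}|\bchr\s*\(\s*\d+\s*\)"
ALIASES = {".phtml": ".php", ".php5": ".php", ".php7": ".php", ".jspx": ".jsp", ".asa": ".asp", ".ashx": ".aspx"}
THRESHOLD = 3  # minimum score to report a file (constructed weighting)

def scan_source(path: str, text: str) -> Optional[Finding]:
    """Score one file; return a Finding if it looks like a web shell, else None."""
    ext = os.path.splitext(path)[1].lower()
    ext = ALIASES.get(ext, ext)
    if ext not in EXEC_FUNCS:
        return None
    f = Finding(path)
    exec_hit = bool(re.search(EXEC_FUNCS[ext], text, re.IGNORECASE))
    if exec_hit:
        f.score += 2
        f.reasons.append("command/code execution call")
    elif ext == ".php" and re.search(DYNAMIC_CALL, text):
        exec_hit = True
        f.score += 2
        f.reasons.append("variable function called with request data")
    input_hit = bool(re.search(INPUT_SOURCES[ext], text, re.IGNORECASE))
    if input_hit:
        f.score += 1
        f.reasons.append("reads request input")
    if exec_hit and input_hit:
        f.score += 2
        f.reasons.append("request input and execution sink in the same file")
    if re.search(OBFUSCATION, text, re.IGNORECASE):
        f.score += 1
        f.reasons.append("encoded/compressed payload helper")
    if exec_hit and len(text) < 256:
        f.score += 1
        f.reasons.append("tiny script whose main job is executing input")
    return f if f.score >= THRESHOLD else None

def scan_all(files: Dict[str, str]) -> Dict[str, Finding]:
    """Scan a mapping of path -> source text (e.g. read from a web root)."""
    results = {}
    for path, text in files.items():
        finding = scan_source(path, text)
        if finding:
            results[path] = finding
    return results

# Constructed samples: two benign files and three web-shell-style scripts.
SAMPLE_FILES = {
    "public/index.php": "<?php echo 'Hello'; include 'lib/render.php'; ?>",
    "public/uploads/photo.php": "<?php @eval($_POST['cmd']); ?>",
    "var/cache/x.php": '<?php $f = base64_decode("c3lzdGVt"); $f($_GET["c"]); ?>',
    "WEB-INF/jsp/cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "WEB-INF/jsp/hello.jsp": '<p>Hi <%= request.getParameter("name") %></p>',
}

if __name__ == "__main__":
    for path, finding in scan_all(SAMPLE_FILES).items():
        print(f"{finding.score:2d}  {path}: {'; '.join(finding.reasons)}")
```

The point of the dynamic-call rule is that a search for `system(` alone misses `$f($_GET["c"])` where `$f` was assembled from a base64 string; looking for request data flowing into any call, plus the presence of a decoder, catches that variant. The benign `hello.jsp` reads request input but never executes it, so it stays below the threshold.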

Home delivery scams get smarter: don't get caught out

nakedsecurity.sophos.com/2021/07/14/home-delivery-scams-get-smarter-dont-get-caught-out/ We've written several times before about home delivery scams, where cybercriminals take advantage of our ever-increasing (and, in coronavirus times, often unavoidable) use of online ordering combined with to-the-doorstep delivery. Over the past year or so, we've noticed what we must grudgingly admit is a gradual improvement in believability on the part of the scammers, with the criminals apparently improving their visual material, their spelling, their grammar and what you might call the general tenor of their fake websites.

Arrests of members of Tetrade seed groups Grandoreiro and Melcoz

securelist.com/arrests-of-members-of-tetrade-seed-groups-grandoreiro-and-melcoz/103366/ Spain's Ministry of the Interior has announced the arrest of 16 individuals connected to the Grandoreiro and Melcoz (also known as Mekotio) cybercrime groups. Both are originally from Brazil and form part of the Tetrade umbrella, operating for a few years now in Latin America and Western Europe. Grandoreiro is a banking Trojan malware family that initially started its operations in Brazil. Similarly to two other malware families, Melcoz and Javali, Grandoreiro first expanded operations to other Latin American countries and then to Western Europe.

Managed service providers (MSPs) play a critical role in the IT ecosystem. By outsourcing many of their day-to-day IT requirements to these companies, smaller organizations in particular can save costs, improve service levels and focus more resources on growing the business

www.welivesecurity.com/2021/07/13/msp-kaseya-incident-third-party-cyber-risk/ In theory, they can also reduce security risk by handing over to a more capable and well-resourced provider. However, as the ransomware campaign impacting Kaseya customers has illustrated, MSPs can also be a source of cyber risk.

Chinese hackers use new SolarWinds zero-day in targeted attacks

www.bleepingcomputer.com/news/microsoft/chinese-hackers-use-new-solarwinds-zero-day-in-targeted-attacks/ China-based hackers known to target US defense and software companies are now targeting organizations using a vulnerability in the SolarWinds Serv-U FTP server. Today, SolarWinds released a security update for a zero-day vulnerability in Serv-U FTP servers that allows remote code execution when SSH is enabled. According to SolarWinds, this vulnerability was disclosed by Microsoft, who saw a threat actor actively exploiting it to execute commands on vulnerable customers' devices. Tonight, Microsoft revealed that the attacks are attributed with high confidence to a China-based threat group tracked as 'DEV-0322'. Report:

www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ Also:

thehackernews.com/2021/07/chinese-hackers-exploit-latest.html

therecord.media/microsoft-links-serv-u-zero-day-attacks-to-chinese-hacking-group/

www.darkreading.com/attacks-breaches/targeted-attack-activity-heightens-need-for-orgs-to-patch-new-solarwinds-flaw/d/d-id/1341530

Chinese government lays out new vulnerability disclosure rules

therecord.media/chinese-government-lays-out-new-vulnerability-disclosure-rules/ The Chinese government has published new regulation on Tuesday laying out stricter rules for vulnerability disclosure procedures inside the country's borders. The new rules include controversial articles, such as ones introducing restrictions to prevent security researchers from disclosing bug details before a vendor had a reasonable chance to release fixes and the mandatory disclosure of bug details to state authorities within two days of a bug report. Also:

www.scmp.com/tech/policy/article/3141098/beijing-pushes-chinese-firms-report-cybersecurity-vulnerabilities-early

CISA Insights: Guidance for MSPs and Small- and Mid-sized Businesses

us-cert.cisa.gov/ncas/current-activity/2021/07/14/cisa-insights-guidance-msps-and-small-and-mid-sized-businesses CISA has released CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses, which provides mitigation and hardening guidance to help these organizations strengthen their defenses against cyberattacks. Many small- and mid-sized businesses use MSPs to manage IT systems, store data, or support sensitive processes, making MSPs valuable targets for malicious cyber actors. Compromises of MSPs, such as with the recent Kaseya ransomware attack, can have globally cascading effects and introduce significant risk to MSP customers.

16 Cybercriminals Behind Mekotio and Grandoreiro Banking Trojan Arrested in Spain

thehackernews.com/2021/07/16-cybercriminals-behind-mekotio-and.html Spanish law enforcement agencies on Wednesday arrested 16 individuals belonging to a criminal network in connection with operating two banking trojans as part of a social engineering campaign targeting financial institutions in Europe. The arrests were made in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los Barros (Badajoz), and Aranda de Duero (Burgos) following a year-long investigation, the Civil Guard said in a statement. Also:

therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/

How We Protect Users From 0-Day Attacks

blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/ Zero-day vulnerabilities are unknown software flaws. Until they're identified and fixed, they can be exploited by attackers. Threat Analysis Group (TAG) actively works to detect hacking attempts and influence operations to protect users from digital attacks; this includes hunting for these types of vulnerabilities because they can be particularly dangerous when exploited and have a high rate of success. In this blog, we're sharing details about four in-the-wild 0-day campaigns targeting four separate vulnerabilities we've discovered so far this year.

SonicWall warns of ‘critical’ ransomware risk to EOL SMA 100 VPN appliances

www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-ransomware-risk-to-eol-sma-100-vpn-appliances/ SonicWall has issued an "urgent security notice" warning customers of ransomware attacks targeting unpatched end-of-life (EoL) Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products. Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials. Also:

therecord.media/sonicwall-warns-of-imminent-ransomware-campaign-targeting-its-eol-equipment/

www.zdnet.com/article/sonicwall-releases-urgent-notice-about-imminent-ransomware-targeting-firmware/

LuminousMoth APT: Sweeping attacks for the chosen few

securelist.com/apt-luminousmoth/103332/ APT actors are known for the frequently targeted nature of their attacks. Typically, they will handpick a set of targets that in turn are handled with almost surgical precision, with infection vectors, malicious implants and payloads being tailored to the victims' identities or environment. It's not often we observe a large-scale attack conducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying operation at risk of being compromised by security products or researchers.

One way to fail at malspam – give recipients the wrong password for an encrypted attachment

isc.sans.edu/forums/diary/One+way+to+fail+at+malspam+give+recipients+the+wrong+password+for+an+encrypted+attachment/27634/ It is not unusual for malspam authors to encrypt the malicious files that they attach to messages they send out. Whether they encrypt the malicious file itself (as in the case of a password-protected Office document) or embed it in an encrypted archive, encryption can sometimes help attackers to get their creations past e-mail security scans. In such cases, the one thing they have to make sure of is of course that they send the right password to the user along with the encrypted file.

Updated Joker Malware Floods into Android Apps

threatpost.com/updated-joker-malware-android-apps/167776/ The Joker mobile trojan is back on Google Play, with an uptick in malicious Android applications that hide the billing-fraud malware, researchers said. It's also using new approaches to skirt past Google's app-vetting process. Joker has been around since 2017, disguising itself within common, legitimate apps like camera apps, games, messengers, photo editors, translators and wallpapers. Once installed, Joker apps silently simulate clicks and intercept SMS messages to subscribe victims to unwanted, paid premium services controlled by the attackers.

Cybersecurity organizations announce new first responder credentialing program

www.zdnet.com/article/cybersecurity-organizations-announce-new-first-responder-credentialing-program/ Cybersecurity companies and organizations are banding together to create a cybersecurity first responder credentialing program designed to support both large and small organizations dealing with cyber incidents. The ISA Global Cybersecurity Alliance is working with CISA on the effort alongside the Incident Command System for Industrial Control Systems (ICS4ICS) and more than 50 other cybersecurity companies, universities and corporations. The groups will be incorporating FEMA’s Incident Command System framework for response structure, roles, and interoperability, according to a statement from ISA.

These reasons make Finland an attractive target for corporate spies: "information security expertise is limited"

www.tivi.fi/uutiset/tv/2e808f5d-e7eb-4387-843d-e2e07abbbd8b Corporate espionage is a threat that Finnish companies have slowly begun to wake up to in recent years. According to experts, Finland is a favourable target for thieves seeking companies' intellectual capital. In the Helsinki Region Chamber of Commerce's Yritysvakoilu 2021 (Corporate Espionage 2021) survey, one in four respondents had worked at a company suspected of having been the target of corporate espionage. Of the perpetrators who were exposed, two thirds were foreign and one third domestic actors. In more than half of the cases, no report of any kind was made to the authorities. Just over a fifth of the cases in the survey led to damages exceeding one million euros for the company.

BazarBackdoor sneaks in through nested RAR and ZIP archives

www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/ Security researchers caught a new phishing campaign that tried to deliver the BazarBackdoor malware by using the multi-compression technique and masking it as an image file. The multi-compression or nested archive method is not new but gained in popularity recently as it can trick email security gateways into mislabeling malicious attachments as clean. It consists of placing an archive within another. Researchers at Cofense say that this method can bypass some secure email gateways (SEGs), which can have a limit to how deep they check a compressed file.
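The weakness the Cofense researchers describe is a depth budget: a gateway that opens one or two archive layers and then gives up will classify the outer attachment by what it could see, not by what it could not. The example below is added for this digest and is not code from the Cofense or BleepingComputer report. It builds nested ZIP samples in memory (Python's standard library cannot write RAR, so every layer here is ZIP; the sample payload is a constructed stand-in with only an "MZ" header), identifies each member by magic bytes rather than by file name, and distinguishes "nothing bad found" from "ran out of budget before finishing", which is the distinction a gateway with a fixed depth limit loses.

```python
"""Nested-archive inspection with an explicit depth budget.

Added example for this digest, not code from the Cofense/BleepingComputer
report. It builds ZIP-in-ZIP samples in memory (the standard library cannot
write RAR, so every layer here is ZIP), identifies members by magic bytes
rather than file name, and shows how a scanner that stops after one layer
never sees the executable named like a photo.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (decompression-bomb guard)
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

@dataclass
class Entry:
    path: str        # member path through the archive layers, joined with "/"
    depth: int       # 1 = member of the outer archive, 2 = member of an inner archive, ...
    kind: str        # type from magic bytes: zip, rar, pe, jpeg, png, other, oversize
    truncated: bool  # True when the depth budget prevented opening this archive

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring whatever the name claims."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:4] == b"Rar!":
        return "rar"
    if data[:2] == b"MZ":
        return "pe"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "other"

def walk(data: bytes, max_depth: int, depth: int = 0, prefix: str = "") -> List[Entry]:
    """Recursively list members; archives at depth >= max_depth are recorded but not opened."""
    if depth >= max_depth:
        return [Entry(prefix or "<root>", depth, "zip", True)]
    entries: List[Entry] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                entries.append(Entry(path, depth + 1, "oversize", False))
                continue
            content = z.read(info)
            kind = sniff(content)
            if kind == "zip" and depth + 1 < max_depth:
                entries.extend(walk(content, max_depth, depth + 1, path))
            else:
                # A nested archive we are not allowed to open is kept, flagged as truncated.
                entries.append(Entry(path, depth + 1, kind, kind == "zip"))
    return entries

def verdict(entries: List[Entry]) -> Tuple[str, str]:
    """'block' on executable content or an archive named like an image; 'unknown' if anything was left unopened."""
    for e in entries:
        if e.kind == "pe":
            return "block", f"executable content at {e.path}"
        if e.path.lower().endswith(IMAGE_EXTS) and e.kind in ("zip", "rar"):
            return "block", f"archive disguised as an image at {e.path}"
    if any(e.truncated or e.kind == "oversize" for e in entries):
        return "unknown", "depth or size budget exhausted before all members were inspected"
    return "allow", "all members inspected, nothing executable"

def build_zip(members: Dict[str, bytes]) -> bytes:
    """Create an in-memory ZIP from name -> content (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed stand-in for a Windows executable: only the "MZ" header matters to sniff().
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
# Three layers deep, innermost member named like a photo (constructed sample).
SAMPLE_NESTED = build_zip({"scan.zip": build_zip({"photos.zip": build_zip({"IMG_2021.jpg": FAKE_PE})})})
# Two layers deep, with the inner archive itself named like a photo (constructed sample).
SAMPLE_DISGUISED = build_zip({"scan.zip": build_zip({"holiday.jpg": build_zip({"setup.exe": FAKE_PE})})})

if __name__ == "__main__":
    for label, sample in (("nested", SAMPLE_NESTED), ("disguised", SAMPLE_DISGUISED)):
        for budget in (1, 3):
            entries = walk(sample, max_depth=budget)
            print(label, "depth budget", budget, "->", verdict(entries))
            for e in entries:
                print("   ", e)
```

With a budget of one layer the nested sample yields a single unopened `scan.zip` and the honest answer is "unknown", not "clean"; with three layers the MZ bytes under `IMG_2021.jpg` surface and the verdict is "block". The disguised sample is caught even under a tight budget, because the name/magic mismatch on `holiday.jpg` is visible without opening it. Treating "unknown" as safe is the mislabeling the article describes.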
