Daily NCSC-FI news followup 2021-07-29

APT trends report Q2 2021

securelist.com/apt-trends-report-q2-2021/103517/ We have reported several supply-chain attacks in recent months. While some were major and have attracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov.

Cyber-attack on Iranian railway was a wiper incident, not ransomware

therecord.media/cyber-attack-on-iranian-railway-was-a-wiper-incident-not-ransomware/ The cyber-attack that paralyzed Iran's national railway system at the start of the month was caused by a disk-wiping malware strain named Meteor and not by a ransomware attack, according to research published by security firms Amnpardaz and SentinelOne, which managed to obtain a copy of the malware. Also

labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/

Disentangling Disinformation: Not as Easy as it Looks

www.eff.org/deeplinks/2021/07/disentangling-disinformation-not-easy-it-looks But while disinformation superspreaders are easy to identify based on the sheer amount of information they disseminate, tackling disinformation at a systemic level is not an easy task, and some of the policy proposals we're seeing have us concerned. Here's why.

Google Play Protect fails Android security tests once more

www.bleepingcomputer.com/news/security/google-play-protect-fails-android-security-tests-once-more/ Google Play Protect, the Android built-in malware defense system, has failed the real-world tests of antivirus testing lab AV-TEST after detecting just over two-thirds of the more than 20,000 malicious apps it was pitted against.

New Android malware records smartphones via VNC to steal passwords

therecord.media/new-android-malware-records-smartphones-via-vnc-to-steal-passwords/ Security researchers have discovered a novel piece of Android malware that uses the VNC technology to record and broadcast a victim's smartphone activity, allowing threat actors to collect keyboard presses and app passwords. Also

www.cleafy.com/cleafy-labs/ubel-oscorp-evolution

thehackernews.com/2021/07/ubel-is-new-oscorp-android-credential.html

Malicious Content Delivered Through archive.org

isc.sans.edu/diary/rss/27688 That’s the wild Internet today: If you allow users to create an account and upload some data, chances are big that the feature will be (ab)used to host malicious content. Indeed, archive.org is a top domain and is usually not blocked or tagged as malicious.

‘Woefully insufficient’: Biden administration’s assessment of critical infrastructure infosec protection

www.theregister.com/2021/07/29/biden_memo_on_critical_infrastructure_control_systems_security/ The Memorandum was accompanied by transcripts of remarks made by a “Senior administration official” who said the edicts are needed because “We have a patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention.”

Israel begins investigation into NSO Group spyware abuse

www.technologyreview.com/2021/07/28/1030244/israel-investigation-nso-group-pegasus-spyware/ Israeli government officials visited the offices of the hacking company NSO Group on Wednesday to investigate allegations that the firm's spyware has been used to target activists, politicians, business executives, and journalists, the country's defense ministry said in a statement today. Also in NSO coverage

www.ft.com/content/24f22b28-56d1-4d66-8f76-c9020b1b5cb1 “How Israel used NSO spyware as diplomatic calling card”, and BSI guidance at

www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-234348-1032.pdf

Microsoft researcher found Apple 0-day in March, didn't report it

nakedsecurity.sophos.com/2021/07/29/microsoft-researcher-found-apple-0-day-in-march-didnt-report-it/ With this in mind, of course, you could argue that putting the bug on ice for an expected five months (March to August) created a realistic risk that someone else would find it in the meantime, and that the bug-hunter who rediscovered it might decide to use it as a zero-day, and not for the purposes of responsible research. (Indeed, that seems to be what happened.)

Understanding the increase in Supply Chain Security Attacks

www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks The European Union Agency for Cybersecurity mapping on emerging supply chain attacks finds 66% of attacks focus on the supplier's code. Report at

www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks/at_download/fullReport

Mid-Year Attack Trends Report Reveals A 29% Increase In Cyberattacks Against Organizations Globally

research.checkpoint.com/2021/check-point-softwares-mid-year-attack-trends-report-reveals-a-29-increase-in-cyberattacks-against-organizations-globally/ Cyber Attack Trends: 2021 Mid-Year Report uncovers how cybercriminals have continued to exploit the Covid-19 pandemic and highlights a dramatic global 93% increase in the number of ransomware attacks.

IBM cost of data breach report

www.ibm.com/downloads/cas/OJDVQGRY The average total cost of a data breach increased by nearly 10% year over year, the largest single-year cost increase in the last seven years. Remote working and digital transformation due to the COVID-19 pandemic increased the average total cost of a data breach. Healthcare organizations experienced the highest average cost of a data breach, for the eleventh year in a row.

From stolen laptop to inside the company network

dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network To recap, we took a locked down FDE laptop, sniffed the BitLocker decryption key coming out of the TPM, backdoored a virtualized image, and used its VPN auto-connect feature to attack the internal corporate network. That is one way to go from stolen laptop to internal compromise.

PDF as a Weapon of Choice on the Cybersecurity Battlefield

www.deepinstinct.com/2021/07/28/pdf-as-a-weapon-of-choice-on-the-cybersecurity-battlefield/ In this blog we'll look more closely at the PDF and a variety of ways cybercriminals are using it to fool detection and infiltrate networks. We'll also show how Deep Instinct detects compromised PDFs, immediately disabling them from being opened.

Microsoft provides more mitigation instructions for the PetitPotam attack

blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/ In a revision of KnowledgeBase article KB5005413, Microsoft has provided more elaborate mitigation instructions for the PetitPotam attacks that were disclosed a week ago. Advice at

support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

NSA Issues Guidance on Securing Wireless Devices in Public Settings

www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2711968/nsa-issues-guidance-on-securing-wireless-devices-in-public-settings/ NSA released the Cybersecurity Information Sheet, Securing Wireless Devices in Public Settings, today to help National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) teleworkers identify potential threats and minimize risks to their wireless devices and data. Guidance at

media.defense.gov/2021/Jul/29/2002815141/-1/-1/0/CSI_SECURING_WIRELESS_DEVICES_IN_PUBLIC.PDF

Hackers Exploit Microsoft Browser Bug to Deploy VBA Malware on Targeted PCs

thehackernews.com/2021/07/hackers-exploit-microsoft-browser-bug.html An unidentified threat actor has been exploiting a now-patched zero-day flaw in the Internet Explorer browser to deliver a fully-featured VBA-based remote access trojan (RAT) capable of accessing files stored in compromised Windows systems, and downloading and executing malicious payloads as part of an “unusual” campaign. Also

blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/

Estonia says a hacker downloaded 286,000 ID photos from government database

therecord.media/estonia-says-a-hacker-downloaded-286000-id-photos-from-government-database/ Estonian officials said they arrested last week a local suspect who used a vulnerability to gain access to a government database and download government ID photos for 286,438 Estonians… In a FAQ page published yesterday, RIA said its database usually checked with five different subsystems before returning a query to display a user's government ID photo. The suspect discovered a security vulnerability in one of RIA's applications that did not sufficiently check the validity of the query, RIA said yesterday… According to Oskar Gross, Head of the Cybercrime Bureau of the National Criminal Police, this information was discovered on the suspect's computer during a house search last week, along with the downloaded photos.

Meet Paragon: An American-Funded, Super-Secretive Israeli Surveillance Startup That Hacks WhatsApp And Signal

www.forbes.com/sites/thomasbrewster/2021/07/29/paragon-is-an-nso-competitor-and-an-american-funded-israeli-surveillance-startup-that-hacks-encrypted-apps-like-whatsapp-and-signal/ Paragon's product will also likely get spyware critics and surveillance experts alike rubbernecking: It claims to give police the power to remotely break into encrypted instant messaging communications, whether that's WhatsApp, Signal, Facebook Messenger or Gmail, the industry sources said. One other spyware industry executive said it also promises to get longer-lasting access to a device, even when it's rebooted.
