Daily NCSC-FI news followup 2021-08-13

Microsoft Exchange servers are getting hacked via ProxyShell exploits

www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/ Threat actors are actively exploiting Microsoft Exchange servers using the ProxyShell vulnerability to install backdoors for later access. ProxyShell is the name of an attack that uses three chained Microsoft Exchange vulnerabilities to perform unauthenticated, remote code execution.

Vice Society Leverages PrintNightmare In Ransomware Attacks

blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows’ print spooler service to spread laterally across a victim’s network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society.

Attackers use Morse code, other encryption methods in evasive phishing campaign

www.microsoft.com/security/blog/2021/08/12/attackers-use-morse-code-other-encryption-methods-in-evasive-phishing-campaign/ Cybercriminals attempt to change tactics as fast as security and protection technologies do. During our year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign, attackers changed obfuscation and encryption mechanisms every 37 days on average, demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running.

Classified info leaked during cyber attack against Foreign Ministry

m.delfi.lt/en/article.php?id=87937063 There are certain signs that classified information leaked during a cyber attack against the Foreign Ministry, Lithuanian President Gitanas Nauseda says. “An investigation is ongoing, with no doubt, we will assess the damage done during this cyber attack. But there are certain signs showing that certain information leaked. And that information is deemed classified,” the president said in an interview with the delfi.lt news website. In his words, the leaked information “might cause serious damage, first of all, for allies”. “But that’s potential damage I still cannot publicly disclose,” the president said.

Philips study finds hospitals struggling to manage thousands of IoT devices

www.zdnet.com/article/philips-study-finds-hospitals-struggling-to-manage-thousands-of-devices/ Working with cybersecurity company CyberMDX, researchers with Philips surveyed 130 IT healthcare decision-makers to figure out how they were managing the thousands of medical devices that populate most hospitals today.

SynAck ransomware gang releases decryption keys for old victims

therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/ The El_Cometa ransomware gang, formerly known as SynAck, has released today master decryption keys for the victims they infected between July 2017 and early 2021.

Hackers tried to exploit two zero-days in Trend Micro’s Apex One EDR platform

therecord.media/hackers-tried-to-exploit-two-zero-days-in-trend-micros-apex-one-edr-platform/ Cyber-security firm Trend Micro said hackers tried to exploit two zero-day vulnerabilities in its Apex One EDR platform in an attempt to go after its customers in attacks that took place earlier this year. While details about the attacks are currently being kept under wraps, patches for both issues were made available at the end of July.

Example of Danabot distributed through malspam

isc.sans.edu/forums/diary/Example+of+Danabot+distributed+through+malspam/27744/ Danabot is an information stealer known for targeting banking data on infected Windows hosts. According to Proofpoint, Danabot version 4 started appearing in the wild in October 2020. We recently discovered a Danabot sample during an infection kicked off by an email attachment sent on Thursday 2021-08-12. Today’s diary reviews this Danabot infection.

United Nations calls for moratorium on sale of surveillance tech like NSO Group’s Pegasus

www.theregister.com/2021/08/13/un_wants_surveillance_tech_sales_moratorium/ The United Nations has called for a moratorium on the sale of “life threatening” surveillance technology and singled out the NSO Group and Israel for criticism. Which sounds lovely but is likely impractical. While several efforts are underway to define norms governing acceptable use of information technology in cross-border and in-country conflicts, few are binding, some major governments have not signed up, and any government can in any case use plausibly detached crime gangs to do its work for it. Throw in the fact that several nations are increasingly letting it be known their military and electronic warfare agencies have offensive capabilities and will not be afraid to use them when it is felt to be justified, and it is clear the UN’s call may make life more difficult still for NSO Group but has little chance of stamping out the use of surveillance tech whenever a government wants to use it.

Huawei stole our tech and created a ‘backdoor’ to spy on Pakistan, claims IT biz

www.theregister.com/2021/08/13/huawei_accused_of_trade_secret/ A California-based IT consultancy has sued Huawei and its subsidiary in Pakistan alleging the Chinese telecom firm stole its trade secrets and failed to honor a contract to develop technology for Pakistani authorities.

Prejudices about cryptocurrencies

www.tivi.fi/uutiset/tv/b814a9bf-4e3e-494c-8ac3-06cfe09d5e0d Finns are said to adopt new technical things quickly, but with cryptocurrencies the situation is the opposite. According to a recent European Central Bank study, only two percent of Finns held assets in cryptocurrencies, while the euro-area average is 3.6 percent. Germany and Cyprus lead with a share of seven percent. The reluctant attitude of Finns is reflected in news coverage, which often treats crypto in a negative tone as criminals’ money and a tool for speculation. Bitcoin’s wasteful electricity consumption has made it an environmental villain that well-known domestic investors do not want to touch.

What if bitcoin collapses completely?

www.tivi.fi/uutiset/tv/bad3a6a1-b2c8-4b70-9bbe-699d03f8a40b The number of cryptocurrencies keeps growing and more and more investors are following their movements.

Massive New AdLoad Campaign Goes Entirely Undetected By Apple’s XProtect

labs.sentinelone.com/massive-new-adload-campaign-goes-entirely-undetected-by-apples-xprotect/ In this post, we detail one of several new AdLoad campaigns we are currently tracking that remain undetected by Apple’s macOS malware scanner. We describe the infection pattern and indicators of compromise for the first time and hope this information will help others to detect and remove this threat.

What Is Zero Trust and Why Does It Matter?

www.trendmicro.com/en_us/ciso/21/h/what-is-zero-trust-and-why-does-it-matter.html As the remote workforce expanded, so did the attack surface for cybercriminals, forcing security teams to pivot their strategy to effectively protect company resources. During this time of change, the hype around Zero Trust increased, but with several different interpretations of what it was and how it helps. Eric Skinner from Trend Micro gets real about the true intent of Zero Trust and how you can use it to better protect your organization.

WordPress Sites Abused in Aggah Spear-Phishing Campaign

threatpost.com/aggah-wordpress-spearphishing/168657/ The Pakistan-linked threat group’s campaign uses compromised WordPress sites to deliver the Warzone RAT to manufacturing companies in Taiwan and South Korea.

Firewalls and middleboxes can be weaponized for gigantic DDoS attacks

therecord.media/firewalls-and-middleboxes-can-be-weaponized-for-gigantic-ddos-attacks/ In an award-winning paper today, academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks against any target on the internet. Research paper “Weaponizing Middleboxes for TCP Reflected Amplification”:

www.usenix.org/system/files/sec21fall-bock.pdf

Windows 365 exposes Microsoft Azure credentials in plain-text

www.bleepingcomputer.com/news/microsoft/windows-365-exposes-microsoft-azure-credentials-in-plain-text/ A security researcher has figured out a way to dump a user’s unencrypted plaintext Microsoft Azure credentials from Microsoft’s new Windows 365 Cloud PC service using Mimikatz.

New Anti Anti-Money Laundering Services for Crooks

krebsonsecurity.com/2021/08/new-anti-anti-money-laundering-services-for-crooks/ A new dark web service is marketing to cybercriminals who are curious to see how their various cryptocurrency holdings and transactions may be linked to known criminal activity. Dubbed “Antinalysis,” the service purports to offer a glimpse into how one’s payment activity might be flagged by law enforcement agencies and private companies that try to link suspicious cryptocurrency transactions to real people.
