Daily NCSC-FI news followup 2021-08-16

Indra – Hackers Behind Recent Attacks on Iran

research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/ These days, when we think of nation-state level damage, we immediately think of the nation-state level actor that must be responsible for it. While most attacks against a nation’s sensitive networks are indeed the work of other governments, the truth is that there is no magic shield that prevents a non-state-sponsored entity from creating the same kind of havoc and harming critical infrastructure in order to make a statement. In this piece, we present an analysis of a successful politically motivated attack on Iranian infrastructure that is suspected to have been carried out by a non-state-sponsored actor. This specific attack happened to be directed at Iran, but it could as easily have happened in New York or Berlin. We’ll look at some of the technical details and expose the actor behind the attack, thereby linking it to several other politically motivated attacks from earlier years.

Ransomware gangs are working with Russian intelligence services, report says

www.cbsnews.com/news/ransomware-gang-russia/ Russian intelligence services worked with prominent ransomware gangs to compromise U.S. government and government-affiliated organizations, according to new research from cybersecurity firm Analyst1. Two Russian intelligence bureaus – the Federal Security Service, or FSB, and the Foreign Intelligence Service, or SVR – collaborated with individuals in “multiple cybercriminal organizations,” security analysts with the firm say in the report. The research indicates these cybercriminals helped Russian intelligence develop and deploy custom malware targeting American companies that serve U.S. military clients. report:

Secret terrorist watchlist with 2 million records exposed online

www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/ A secret terrorist watchlist with 1.9 million records, including classified “no-fly” records was exposed on the internet. The list was left accessible on an Elasticsearch cluster that had no password on it.

The coronavirus increased service companies’ digital investments and added information security threats, new study reveals

www.epressi.com/tiedotteet/talous/korona-kasvatti-palveluyritysten-digi-investointeja-ja-lisasi-tietoturvauhkia-tuore-tutkimus-paljastaa.html Nearly two out of three service companies invested last year in at least one digital development area more than in the previous year, according to the new “Digitaloudesta kasvua” study by the service sector employers’ association Palta. The increased digitalisation and remote work brought on by the coronavirus have also introduced new information security threats. In total, a quarter of service companies have experienced scam attempts or an increase in other information security threats during the pandemic. According to respondents, scam messages and calls in particular have become more common than before. Nearly a third have invested in new information security solutions as remote work has become more widespread, and among large companies employing more than 250 people the share is as high as 80 percent.

A data breach can lead to your email account being hijacked; here is what to do if it happens

www.iltalehti.fi/tietoturva/a/c0d4e26c-de07-4c1a-bf87-9aadaa96c747 Data breaches also leak people’s user credentials into criminal hands, and criminals do not hesitate to misuse them. Fortunately, you can protect yourself against the damage. Here is how you can try to get your Gmail account back.

LockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK

www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html The ransomware group LockBit resurfaced in July with LockBit 2.0, with reports indicating an increased number of targeted companies and the incorporation of double extortion features. Our detections followed attack attempts in Chile, Italy, Taiwan, and the UK from July to August.

New AdLoad Variant Bypasses Apple’s Security Defenses to Target macOS Systems

thehackernews.com/2021/08/new-adload-variant-bypasses-apples.html A new wave of attacks involving a notorious macOS adware family has evolved to leverage around 150 unique samples in the wild in 2021 alone, some of which have slipped past Apple’s on-device malware scanner and have even been signed by its own notarization service, highlighting the malicious software’s ongoing attempts to adapt and evade detection.

New Trickbot attack sets up fake 1Password installer to extract data

www.hackread.com/trickbot-installs-fake-1password-manager-extract-data/ The fake 1Password installer is used to launch Cobalt Strike allowing attackers to collect information about multiple systems in the network.

Microsoft 365: This new one-click button lets businesses report scam emails

www.zdnet.com/article/microsoft-365-this-new-one-click-button-lets-businesses-report-scam-emails/ A new button and add-on for Microsoft 365/Office 365 accounts and Outlook allows employees to report scam emails directly to the UK’s National Cyber Security Centre (NCSC). The button is an upgrade to the NCSC’s existing Suspicious Email Reporting Service (SERS), which has received over 6.6 million reports since launching in April 2020. As of 30 June, the NCSC had removed over 50,500 scams and 97,500 URLs.

Advisory: Multiple Issues in Realtek SDK Affects Hundreds of Thousands of Devices Down the Supply Chain

www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/ At least 65 vendors are affected by severe vulnerabilities that enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. Affected devices implement wireless capabilities and cover a wide spectrum of use cases: from residential gateways, travel routers, Wi-Fi repeaters and IP cameras to smart lighting gateways or even connected toys.

Dozens of STARTTLS Related Flaws Found Affecting Popular Email Clients

thehackernews.com/2021/08/dozens-of-starttls-related-flaws-found.html Security researchers have disclosed as many as 40 different vulnerabilities associated with an opportunistic encryption mechanism in mail clients and servers that could open the door to targeted man-in-the-middle (MitM) attacks, permitting an intruder to forge mailbox content and steal credentials. The now-patched flaws, identified in various STARTTLS implementations, were detailed by a group of researchers, Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel, at the 30th USENIX Security Symposium. The attacks require that the malicious party can tamper with connections established between an email client and the email server of a provider and has login credentials for their own account on the same server. also:

XSS Bug in SEOPress WordPress Plugin Allows Site Takeover

threatpost.com/xss-bug-seopress-wordpress-plugin/168702/ A stored cross-site scripting (XSS) vulnerability in the SEOPress WordPress plugin could allow attackers to inject arbitrary web scripts into websites, researchers said. SEOPress is a search engine optimization (SEO) tool that lets site owners manage SEO metadata, social-media cards, Google Ad settings and more. It’s installed on more than 100,000 sites. To protect their websites, users should upgrade to version 5.0.4 of SEOPress.
