Daily NCSC-FI news followup 2021-08-17

BadAlloc Vulnerability Affecting BlackBerry QNX RTOS

us-cert.cisa.gov/ncas/alerts/aa21-229a On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerabilityCVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. myös: www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_24/2021

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices

www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency (“CISA”) that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices. At the time of writing this blog post, ThroughTek advertises having more than 83 million active devices and over 1.1 billion monthly connections on their platform.

Fortinet FortiWeb OS Command Injection

www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/ An OS command injection vulnerability in FortiWeb’s management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page. An attacker, who is first authenticated to the management interface of the FortiWeb device, can smuggle commands using backticks in the “Name” field of the SAML Server configuration page. In the absence of a patch, users are advised to disable the FortiWeb device’s management interface from untrusted networks, which would include the internet. Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway

T-Mobile Investigating Claims of Massive Data Breach

krebsonsecurity.com/2021/08/t-mobile-investigating-claims-of-massive-data-breach/ On Sunday, Vice.com broke the news that someone was selling data on 100 million people, and that the data came from T-Mobile. In a statement published on its website today, the company confirmed it had suffered an intrusion involving “some T-Mobile data, ” but said it was too soon in its investigation to know what was stolen and how many customers might be affected. also:

www.wired.com/story/t-mobile-hack-data-phishing/

Hospitals hamstrung by ransomware are turning away patients

arstechnica.com/gadgets/2021/08/hospitals-hamstrung-by-ransomware-are-turning-away-patients/ Dozens of hospitals and clinics in West Virginia and Ohio are canceling surgeries and diverting ambulances following a ransomware attack that has knocked out staff access to IT systems across virtually all of their operations.

Healthcare provider expected to lose $106.8 million following ransomware attack

therecord.media/healthcare-provider-expected-to-lose-106-8-million-following-ransomware-attack/ Scripps Health, a California-based nonprofit healthcare provider that runs five hospitals and 19 outpatient facilities, said it expects to lose an estimated $106.8 million following a ransomware attack that hit the organization in May 2021. “Operating revenues and operating expenses for the quarter ended June 30, 2021 were significantly impacted by lost revenues and incremental expense incurred during the cyber security incident that occurred in May 2021, ” the company said in its quarterly financial and operating filings last week.

Japan’s Tokio Marine is the latest insurer to be victimized by ransomware

www.cyberscoop.com/tokio-marine-ryan-specialty-group-ransomware-cyber-insurance/ Ransomware struck Japan’s largest property and casualty insurer, Tokio Marine Holdings, at its Singapore branch, the company disclosed on Monday.

Brazilian National Treasury hit with ransomware attack

www.zdnet.com/article/brazilian-national-treasury-hit-with-ransomware-attack/ The Brazilian government has released a note stating the National Treasury has been hit with a ransomware attack on Friday (13).

Colonial Pipeline sends breach letters to more than 5, 000 after ransomware group accessed SSNs, more

www.zdnet.com/article/colonial-pipeline-sends-breach-letters-to-more-than-5000-after-ransomware-group-accessed-ssns-more/ Colonial Pipeline said the leaks involved the personal information of current and former employees.

New HolesWarm botnet targets Windows and Linux servers

therecord.media/new-holeswarm-botnet-targets-windows-and-linux-servers/ A new botnet named HolesWarm has been slowly growing in the shadows since June this year, exploiting more than 20 known vulnerabilities to break into Windows and Linux servers and then deploy cryptocurrency-mining malware.

How to Defend vs Go365 – The Microsoft 365 Password Spraying Tool

www.msspalert.com/cybersecurity-breaches-and-attacks/how-to-defend-vs-go365-the-microsoft-365-password-spraying-tool/ Go365 is a password-guessing cyberattack tool used to target Microsoft 365 customers. Optiv Security recommends these Office 365 security steps.

How to Reduce Exchange Server Downtime in Case of a Disaster?

threatpost.com/how-to-reduce-exchange-server-downtime/168344/ Exchange downtime can have serious implications on businesses. Thus, it’s important to maintain backups and implement best practices for Exchange servers that can help restore the Exchange server when a disaster strikes with minimal impact and downtime.

Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military

www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html While investigating the Confucius threat actor, we found a recent spear phishing campaign that utilizes Pegasus spyware-related lures to entice victims into opening a malicious document downloading a file stealer.

Access Brokers: Just 10 Vendors List 46% of All Offers

www.databreachtoday.com/blogs/access-brokers-just-10-vendors-list-46-all-offers-p-3083 For a price – $5, 400 is the average, while the median is $1, 000, according to Israeli threat intelligence firm Kela – criminals can choose from a menu of victims, buy system access and then monetize their purchase by deploying ransomware or pursuing other types of attacks

Chinese espionage tool exploits vulnerabilities is 58 widely used websites

therecord.media/chinese-espionage-tool-exploits-vulnerabilities-is-58-widely-used-websites/ A security researcher has discovered a web attack framework developed by a suspected Chinese government hacking group and used to exploit vulnerabilities in 58 popular websites to collect data on possible Chinese dissidents. Named Tetris, the tool was found secretly uploaded on two websites with a Chinese readership. “The sites both appear to be independent newsblogs, ” said a security researcher going online under the pseudonym of Imp0rtp3, who analyzed the Tetris attack framework for the first time in a blog post earlier this month. also:

imp0rtp3.wordpress.com/2021/08/12/tetris/

Analysis of Diavol Ransomware Reveals Possible Link to TrickBot Gang

securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/ IBM X-Force Threat Intelligence recently located and analyzed a ransomware strain that appeared to be a work in progress. Upon publication of a recent report, it became clear that what IBM had found was in fact an early development version of the Diavol ransomware. Additionally, the ransomware code is configured in such a way that suggests a possible link to the infamous TrickBot group, tracked by X-Force as ITG23.

Operation Secondary Infektion Continues Targeting Democratic Institutions and Regional Geopolitics

www.recordedfuture.com/secondary-infektion-targeting-democratic-institutions/ The following report is an update to Insikt Group’s April 2020 publication “Intent to Infekt: Operation Pinball’ Tactics Reminiscent of Operation Secondary Infektion”, which investigates a long-running, Russian-linked information operation coined by the broader research community as “Operation Secondary Infektion”. This report examines new findings, recent case studies, and analysis into the Tactics, Techniques, and Procedures (TTPs) as well as motivations of those responsible for this information operation against international audiences.

You might be interested in …

Daily NCSC-FI news followup 2021-02-04

Cybersecurity firm Stormshield hacked. Data (including source code) stolen grahamcluley.com/cybersecurity-firm-stormshield-hacked-data-including-source-code-stolen/ French cybersecurity firm Stormshield has revealed that it has suffered a security breach, and hackers have accessed sensitive information. The company, which is a major provider to the French government, says that a hacker managed to steal data after gaining access to a portal used […]

Read More

Daily NCSC-FI news followup 2021-03-24

Rauli Paananen: Tehdään kyberturvallisuudesta kansalaistaito ja vientituote www.erillisverkot.fi/rauli-paananen-tehdaan-kyberturvallisuudesta-kansalaistaito-ja-vientituote/ Asia on yhteinen: kansallinen kyberturvallisuus rakentuu viranomaisten, elinkeinoelämän, järjestöjen ja kansalaisten yhteistyönä. Tarvitsemme lisää suomalaista osaamista ja alan yritystoimintaa näille on kysyntää maailmallakin, kirjoittaa blogivieraamme valtion kyberturvallisuusjohtaja Rauli Paananen liikenne- ja viestintäministeriöstä. Microsoftin Exchange-palvelimen haavoittuvuudesta johtuvasta henkilötietojen tietoturvaloukkauksesta tulee ilmoittaa rekisteröidyille ja tietosuojavaltuutetun toimistolle tietosuoja.fi/-/microsoftin-exchange-palvelimen-haavoittuvuudesta-johtuvasta-henkilotietojen-tietoturvaloukkauksesta-tulee-ilmoittaa-rekisteroidyille-ja-tietosuojavaltuutetun-toimistolle Tietosuojavaltuutetun toimisto […]

Read More

Daily NCSC-FI news followup 2021-06-30

Public Windows PrintNightmare 0-day exploit allows domain takeover www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/ Another vulnerability, CVE-2021-1675 also regarding Print Spooler, was fixed in the Microsoft June update. Researchers from Chinese security company Sangfor, decided to release their writeup and demo exploit called PrintNightmareand believed to release information about the same issue. As it turns out PrintNightmare is not the […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.