Daily NCSC-FI news followup 2021-08-18

A search engine that finds all the Vastaamo data has appeared on the dark web: “This is someone who wants to cause harm”

www.is.fi/digitoday/tietoturva/art-2000008200963.html A search engine has appeared on the dark web's Tor network that makes it possible to search the entire Vastaamo patient database. This means that people can be looked up in the database by name, town or postal code, for example. After a search, the engine shows the user the therapy records of the Vastaamo customer. According to F-Secure's research director Mikko Hyppönen, the search engine has been online for at least two months. Its author is not known, but F-Secure suspects that it is not the original extortionist. According to Detective Chief Inspector Marko Leponen, who leads the Vastaamo investigation, the publisher of the search engine may be guilty of dissemination of information violating personal privacy, or of the aggravated form of that offence. Also:

yle.fi/uutiset/3-12063432

T-Mobile: Breach Exposed SSN/DOB of 40M+ People

krebsonsecurity.com/2021/08/t-mobile-breach-exposed-ssn-dob-of-40m-people/ T-Mobile is warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. The acknowledgment came less than 48 hours after millions of the stolen T-Mobile customer records went up for sale in the cybercrime underground.

New Iranian Espionage Campaign By “Siamesekitten” Lyceum

www.clearskysec.com/siamesekitten/ This report summarizes our findings regarding the latest Siamesekitten attacks and reviews the attack patterns and malware used in this campaign. PDF:

www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf

North Korean APT InkySquid Infects Victims Using Browser Exploits

www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/ Volexity recently investigated a strategic web compromise (SWC) of the website of the Daily NK (www.dailynk[.]com), a South Korean online newspaper that focuses on issues relating to North Korea. This post provides details on the different exploits used in the SWC, as well as the payload used, which Volexity calls BLUELIGHT. Volexity attributes the activity described in this post to a threat actor Volexity refers to as InkySquid, which broadly corresponds to activity known publicly under the monikers ScarCruft and APT37.

China Propaganda Network Targets BBC Media, UK in Large-Scale Influence Campaign

www.recordedfuture.com/china-propaganda-targets-bbc-uk/ Recorded Future’s Insikt Group has discovered a large-scale, likely state-sponsored influence operation against the British Broadcasting Company (BBC) and the United Kingdom (UK). The campaign involves hundreds of websites and social media accounts and thousands of comments across state-affiliated news sources, fake news websites, and Chinese and Western social media platforms.

Detecting Embedded Content in OOXML Documents

www.fireeye.com/blog/threat-research/2021/08/detecting-embedded-content-in-ooxml-documents.html On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents, specifically those in the Office Open XML (OOXML) file format. Additionally, we’re releasing a tool so analysts and defenders can automatically generate YARA rules using this technique.

Hunting for Evidence of DLL Side-Loading With PowerShell and Sysmon

securityintelligence.com/posts/hunting-evidence-dll-side-loading-powershell-sysmon/ To provide a defensive counter-measure perspective for DLL side-loading, X-Force Incident Response has released SideLoaderHunter, which is a system profiling script and Sysmon configuration designed to identify evidence of side-loading on Windows systems. This post will talk about why IBM X-Force thinks the tool is needed, describe its functions and analyze some use cases.

This Russian Cyber Mogul Planned To Take His Company Public. Then America Accused It Of Hacking For Putin’s Spies

www.forbes.com/sites/thomasbrewster/2021/08/18/this-russian-cyber-mogul-planned-to-take-his-company-public-then-america-accused-it-of-hacking-for-putins-spies/ The tycoon whose Positive Technologies was recently hit with U.S. sanctions insists he just wants to help protect all companies from hackers. U.S. security officials don’t buy it.

Protecting Sensitive And Personal Information From Ransomware-caused Data Breach

www.cisa.gov/publication/protecting-sensitive-and-personal-information CISA has released this fact sheet to address the increase in malicious cyber actors using ransomware to exfiltrate data and then threatening to sell or leak the exfiltrated data if the victim does not pay the ransom. Fact Sheet (PDF):

www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf

Professor of Practice in security warns: “There is no such thing as innocent data”. Finland should answer these three questions

www.kauppalehti.fi/uutiset/turvallisuuden-tyoelamaprofessori-varoittaa-ei-ole-olemassa-viatonta-dataa-naihin-kolmeen-kysymykseen-suomen-tulisi-vastata/bb4b55e6-3d98-43b2-9242-081928c65953 Along with the rest of the world, Finland is being drawn into the whirl of ever more hectically changing technology, which is constantly reshaping the security environment. “Our preparedness for security threats is based on a slower world”, says Professor of Practice Valtteri Vuorisalo.

China orders annual security reviews for all critical information infrastructure operators

www.theregister.com/2021/08/18/china_critical_information_infrastructure_rules/ China’s government has introduced rules for protection of critical information infrastructure. An announcement by the Cyberspace Administration of China (CAC) said that cyber attacks are currently frequent in the Middle Kingdom, and the security challenges facing critical information infrastructure are severe. The announcement therefore defines infosec regulations and responsibilities.

Police warn: malware that steals online banking credentials is spreading by e-mail

www.iltalehti.fi/tietoturva/a/365c371d-03ff-4b68-993a-9d66e08dde3d The police are warning about scam messages in circulation. Criminals approach Finns with e-mail messages that try to get them to open an attachment or a link. “Opening the link or attachment installs malware on the device that can be used to take over the user's online banking credentials,” the police press release says.

FBI warns of credential stuffing attacks against grocery and food delivery services

therecord.media/fbi-warns-of-credential-stuffing-attacks-against-grocery-and-food-delivery-services/ The FBI says that hackers are using credential stuffing attacks to hijack online accounts at grocery stores, restaurants, and food delivery services in order to drain user funds through fraudulent orders and to steal personal or financial data.

Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan

thehackernews.com/2021/08/malicious-ads-target-cryptocurrency.html A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts.
