Daily NCSC-FI news followup 2021-08-21

Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities

us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021, which remediates all three ProxyShell vulnerabilities, to protect against these attacks.

Almost 2,000 Exchange servers hacked using ProxyShell exploit

therecord.media/almost-2000-exchange-servers-hacked-using-proxyshell-exploit/ Almost 2,000 Microsoft Exchange email servers have been hacked over the past two days and infected with backdoors after owners did not install patches for a collection of vulnerabilities known as ProxyShell. The attacks, detected by security firm Huntress Labs, come after proof-of-concept exploit code was published online earlier this month, and scans for vulnerable systems began last week.

LockFile ransomware uses PetitPotam attack to hijack Windows domains

www.bleepingcomputer.com/news/security/lockfile-ransomware-uses-petitpotam-attack-to-hijack-windows-domains/ At least one ransomware threat actor has started to leverage the recently discovered PetitPotam NTLM relay attack method to take over the Windows domain on various networks worldwide. Behind the attacks appears to be a new ransomware gang called LockFile that was first seen in July, which shows some resemblance and references to other groups in the business. Security researchers at Symantec, a division of Broadcom, said that the actor’s initial access on the network is through Microsoft Exchange servers, but the exact method remains unknown at the moment. Next, the attacker takes over the organization’s domain controller by leveraging the new PetitPotam method, which forces authentication to a remote NTLM relay under LockFile’s control. The LockFile threat actor seems to rely on publicly available code to exploit the original PetitPotam variant (tracked as CVE-2021-36942).

Ransomware hits Lojas Renner, Brazil’s largest clothing store chain

therecord.media/ransomware-hits-lojas-renner-brazils-largest-clothing-store-chain/ Lojas Renner, Brazil’s largest clothing department store chain, said it suffered a ransomware attack that impacted its IT infrastructure and resulted in the unavailability of some of its systems, including its official web store. Several Brazilian bloggers and news outlets blew the incident out of proportion by claiming that the attack had forced the company to shut down all its physical stores across the country. Details about the ransomware incident remain to be confirmed, but one Brazilian blog claimed that the attack on Renner’s infrastructure was carried out by the RansomExx gang, which gained access to Renner servers via Tivit, a major Brazilian IT and digital services provider.

Hackers swipe almost $100 million from major cryptocurrency exchange

www.welivesecurity.com/2021/08/20/hackers-swipe-100million-cryptocurrency-exchange/ Japanese cryptocurrency exchange platform Liquid has fallen victim to enterprising hackers who compromised its warm wallets and made off with more than US$97 million in various cryptocurrency assets. “At roughly 7:50 AM SGT on August 19th, Liquid’s Operations and Technology teams detected unauthorized access of some of the crypto wallets managed at Liquid,” reads the company’s incident report. The culprit or culprits behind the attack haven’t been identified yet; however, according to Liquid’s blog (in Japanese), the attack vector could be traced back to a compromised wallet used by its Singaporean subsidiary QUOINE.

China pushes through data protection law that applies cross-border

www.zdnet.com/article/china-pushes-through-data-protection-law-that-applies-cross-border/ China has pushed through a new personal data protection law that details regulations around collection, use, and storage. It includes data processing by companies based outside of China and encompasses requirements for organisations, including multinational corporations operating in China, to appoint someone responsible for its compliance. If a business refused to correct a violation, it could be fined up to 1 million yuan ($150,000). Employees directly responsible for and overseeing the data violation also might be slapped with a fine of 10,000 yuan ($1,500) to 100,000 yuan ($15,000). In more serious violations, financial penalties could go up to 50 million yuan ($7.5 million) or 5% of annual revenue in the company’s previous fiscal year.
