Daily NCSC-FI news followup 2021-08-21

Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities

us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021, which remediates all three ProxyShell vulnerabilities, to protect against these attacks.

Almost 2,000 Exchange servers hacked using ProxyShell exploit

therecord.media/almost-2000-exchange-servers-hacked-using-proxyshell-exploit/ Almost 2,000 Microsoft Exchange email servers have been hacked over the past two days and infected with backdoors after their owners did not install patches for the collection of vulnerabilities known as ProxyShell. The attacks, detected by security firm Huntress Labs, come after proof-of-concept exploit code was published online earlier this month and scans for vulnerable systems began last week.
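The two ProxyShell items above tell defenders to find exposed servers and patch them, but a practitioner will also want to know whether the scans and exploitation attempts mentioned have already reached their Exchange servers. The following is an added example, not code from CISA, Huntress Labs or The Record: it scans IIS W3C log lines for the request shape used by the CVE-2021-34473 path-confusion step (an `@` immediately after `/autodiscover/autodiscover.json?`, an `Email=autodiscover/autodiscover.json` parameter, and a back-end path such as `/mapi/nspi/` or `/powershell` smuggled behind the `@`). The regular expressions, the inventory of back-end paths and the sample log lines are this example's own assumptions; the sample lines are constructed, with documentation addresses.

```python
"""Flag ProxyShell-style requests in IIS W3C logs (added example, constructed data)."""
import re
from urllib.parse import unquote

# Indicators assumed by this example: the CVE-2021-34473 request reaches the
# Autodiscover front end with "@host" after the endpoint and asks it to proxy
# a back-end path, while Email=autodiscover/autodiscover.json loops the
# request back through Autodiscover so the back end sees it as privileged.
AUTODISCOVER_AT = re.compile(r"/autodiscover/autodiscover\.json\?@", re.I)
EMAIL_LOOPBACK = re.compile(r"(?:^|[?&])email=autodiscover/autodiscover\.json", re.I)
BACKEND_PATH = re.compile(r"@[^/]+/(mapi/nspi|powershell|ews|ecp)", re.I)


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align the columns
        yield dict(zip(fields, values))


def proxyshell_indicators(stem, query):
    """Return the indicator names matched by one request (empty list when clean)."""
    url = unquote(stem if query == "-" else f"{stem}?{query}")
    hits = []
    if AUTODISCOVER_AT.search(url):
        hits.append("autodiscover-path-confusion")
    if EMAIL_LOOPBACK.search(url):
        hits.append("email-parameter-loopback")
    backend = BACKEND_PATH.search(url)
    if backend:
        hits.append("backend:" + backend.group(1).lower())
    return hits


def find_proxyshell_hits(log_text):
    """Return [(client_ip, method, indicators)] for every suspicious request."""
    findings = []
    for rec in parse_w3c(log_text):
        hits = proxyshell_indicators(rec["cs-uri-stem"], rec.get("cs-uri-query", "-"))
        if hits:
            findings.append((rec["c-ip"], rec["cs-method"], hits))
    return findings


# Constructed sample log: two exploit-shaped requests from 203.0.113.7 and two
# benign requests (an OWA logon and an authenticated Outlook Autodiscover call).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2021-08-20 07:12:01 10.0.0.5 GET /autodiscover/autodiscover.json "
    "@evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.example "
    "443 - 203.0.113.7 python-requests/2.26 - 200 0 0 31",
    "2021-08-20 07:12:03 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@evil.example/powershell/?X-Rps-CAT=REDACTED&Email=autodiscover/autodiscover.json%3f@evil.example "
    "443 - 203.0.113.7 python-requests/2.26 - 200 0 0 120",
    "2021-08-20 07:13:10 10.0.0.5 GET /owa/auth/logon.aspx "
    "url=https%3a%2f%2fmail.example%2fowa 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 15",
    r"2021-08-20 07:14:22 10.0.0.5 POST /autodiscover/autodiscover.json - "
    r"443 CONTOSO\alice 198.51.100.9 Outlook/16.0 - 200 0 0 40",
])

if __name__ == "__main__":
    for client_ip, method, hits in find_proxyshell_hits(SAMPLE_LOG):
        print(f"{client_ip} {method} {', '.join(hits)}")
```

The check is deliberately run on the URL-decoded request, because the `%3f` in the `Email=` parameter is part of the documented request shape and a literal-string match on the raw log line would miss it. A hit here is evidence of an attempt, not of success: confirm against the `sc-status` column and the Exchange build level before treating a server as compromised.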

LockFile ransomware uses PetitPotam attack to hijack Windows domains

www.bleepingcomputer.com/news/security/lockfile-ransomware-uses-petitpotam-attack-to-hijack-windows-domains/ At least one ransomware threat actor has started to leverage the recently discovered PetitPotam NTLM relay attack method to take over Windows domains on networks worldwide. Behind the attacks appears to be a new ransomware gang called LockFile, first seen in July, which shows some resemblance and references to other groups in the business. Security researchers at Symantec, a division of Broadcom, said that the actor gains initial access to the network through Microsoft Exchange servers, but the exact method remains unknown at the moment. Next, the attacker takes over the organization’s domain controller by leveraging the new PetitPotam method, which forces the domain controller to authenticate to a remote NTLM relay under LockFile’s control. The LockFile threat actor seems to rely on publicly available code to exploit the original PetitPotam variant (tracked as CVE-2021-36942).
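The coerced authentication described above leaves a characteristic trace on whatever host the relay is aimed at: a domain controller's machine account (`DC01$`) completes an NTLM network logon (Security event 4624, logon type 3) from an address that is not the domain controller's own. The following is an added example, not code from Symantec, BleepingComputer or the LockFile reporting, that applies that heuristic to a batch of 4624 events. The events are constructed dictionaries with the standard 4624 field names, the asset inventory mapping machine accounts to their expected source addresses is an assumption of the example, and an unknown machine account authenticating over NTLM is treated as suspect as well.

```python
"""Heuristic for relayed machine-account NTLM logons (added example, constructed data)."""

# Assumed inventory: machine account -> addresses it legitimately authenticates from.
# In practice this comes from DNS/DHCP or the CMDB, not a hard-coded table.
ASSET_IPS = {
    "DC01$": {"10.0.0.10"},
    "DC02$": {"10.0.0.11"},
    "WS42$": {"10.0.5.42"},
}

LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}  # local logons carry no usable source


def is_suspect_relay(event, asset_ips=ASSET_IPS):
    """True for a 4624 network logon of a machine account over NTLM from an
    address the account is not expected to use (or an account not in inventory)."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return False
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    account = event.get("TargetUserName", "")
    if not account.endswith("$"):  # only machine accounts are of interest here
        return False
    source = event.get("IpAddress", "-")
    if source in LOCAL_SOURCES:
        return False
    return source not in asset_ips.get(account, set())


def find_relay_candidates(events, asset_ips=ASSET_IPS):
    """Return [(account, source_ip, target_host)] for every suspect event."""
    return [
        (e["TargetUserName"], e["IpAddress"], e.get("Computer", "?"))
        for e in events
        if is_suspect_relay(e, asset_ips)
    ]


# Constructed sample: one relayed DC01$ logon from 10.0.0.99 among benign events.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "CA01", "TargetUserName": "DC01$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "DC01$", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.10"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "WS42$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.42"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.42"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "DC01$", "LogonType": 5,
     "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
]

if __name__ == "__main__":
    for account, source, host in find_relay_candidates(SAMPLE_EVENTS):
        print(f"{account} authenticated over NTLM to {host} from {source}")
```

The heuristic only fires once the relay succeeds somewhere; pairing it with the coercion side (an anonymous or low-privileged client reaching the EFSRPC endpoint on the domain controller) catches the attempt earlier, and disabling NTLM where it is not needed removes the relay target altogether.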

Ransomware hits Lojas Renner, Brazil’s largest clothing store chain

therecord.media/ransomware-hits-lojas-renner-brazils-largest-clothing-store-chain/ Lojas Renner, Brazil’s largest clothing department store chain, said it suffered a ransomware attack that impacted its IT infrastructure and resulted in the unavailability of some of its systems, including its official web store. Several Brazilian bloggers and news outlets blew the incident out of proportion by claiming that the attack had forced the company to shut down all its physical stores across the country. Details about the ransomware incident remain to be confirmed, but one Brazilian blog claimed that the attack on Renner’s infrastructure was carried out by the RansomExx gang, which gained access to Renner servers via Tivit, a major Brazilian IT and digital services provider.

Hackers swipe almost $100 million from major cryptocurrency exchange

www.welivesecurity.com/2021/08/20/hackers-swipe-100million-cryptocurrency-exchange/ Japanese cryptocurrency exchange platform Liquid has fallen victim to enterprising hackers who compromised its warm wallets and made off with more than US$97 million in various cryptocurrency assets. “At roughly 7:50 AM SGT on August 19th, Liquid’s Operations and Technology teams detected unauthorized access of some of the crypto wallets managed at Liquid,” reads the company’s incident report. The culprit or culprits behind the attack haven’t been identified yet; however, according to Liquid’s blog (in Japanese), the attack vector could be traced back to a compromised wallet used by its Singaporean subsidiary QUOINE.

China pushes through data protection law that applies cross-border

www.zdnet.com/article/china-pushes-through-data-protection-law-that-applies-cross-border/ China has pushed through a new personal data protection law that details regulations around collection, use, and storage. It covers data processing by companies based outside of China and requires organisations operating in China, including multinational corporations, to appoint someone responsible for their compliance. If a business refuses to correct a violation, it can be fined up to 1 million yuan ($150,000). Employees directly responsible for and overseeing the data violation may also be fined 10,000 yuan ($1,500) to 100,000 yuan ($15,000). For more serious violations, financial penalties can go up to 50 million yuan ($7.5 million) or 5% of the company’s annual revenue in its previous fiscal year.
