Daily NCSC-FI news followup 2021-08-24

Bahraini activists targeted with new iOS zero-click exploit

therecord.media/bahraini-activists-targeted-with-new-ios-zero-click-exploit/ A new Citizen Lab investigation published today has revealed the existence of a new iOS zero-click exploit that has been abused since at least February this year to hack into the iPhones of several Bahraini activists and political dissidents. Citizen Lab, a political, human rights, and cybersecurity research center at the University of Toronto, said it linked the new iOS exploit to NSO Group, a well-known Israeli company specializing in the sale of offensive hacking and surveillance technologies. Named FORCEDENTRY, the exploit was one of many offensive tools that were used to infect the devices with Pegasus, a surveillance tool developed by NSO Group. Citizen Lab said FORCEDENTRY had been used in a broader hacking campaign that began in July 2021 and targeted the devices of at least nine Bahraini activists.

Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits

citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/ We [Citizen Lab] identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.

FBI sends its first-ever alert about a ransomware affiliate

therecord.media/fbi-sends-its-first-ever-alert-about-a-ransomware-affiliate/ The US Federal Bureau of Investigation has published today its first-ever public advisory detailing the modus operandi of a “ransomware affiliate.” A relatively new term, a ransomware affiliate refers to a person or group who rents access to Ransomware-as-a-Service (RaaS) platforms, orchestrates intrusions into corporate networks, encrypts files with the “rented ransomware,” and then earns a commission from successful extortions. Going by the name of OnePercent Group, the FBI said today this threat actor has been active since at least November 2020.

Modified Version of WhatsApp for Android Spotted Installing Triada Trojan

thehackernews.com/2021/08/modified-version-of-whatsapp-for.html A modified version of the WhatsApp messaging app for Android has been trojanized to serve malicious payloads, display full-screen ads, and sign up device owners for unwanted premium subscriptions without their knowledge. Modified versions of legitimate Android apps, aka modding, are designed to perform functions not originally conceived or intended by the app developers; FMWhatsApp allows users to customize the app with different themes, personalize icons, hide features like last seen, and even deactivate video calling. The tampered variant of the app detected by Kaspersky comes equipped with capabilities to gather unique device identifiers, which are sent to a remote server that responds with a link to a payload that is subsequently downloaded, decrypted, and launched by the Triada trojan.

CISA Releases Five Pulse Secure-Related MARs

us-cert.cisa.gov/ncas/current-activity/2021/08/24/cisa-releases-five-pulse-secure-related-mars As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed five malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following five malware analysis reports (MARs) for threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and review CISA’s Alert, Exploitation of Pulse Connect Secure Vulnerabilities, for more information.

38 million records exposed by misconfigured Microsoft Power Apps. Redmond’s advice? RTFM

www.theregister.com/2021/08/23/power_shell_records/ Forty-seven government entities and private companies, including Microsoft, exposed 38 million sensitive data records online by misconfiguring the Windows giant’s Power Apps, a low-code service that promises an easy way to build professional applications. Security biz UpGuard said that in May one of its analysts found that the OData API for a Power Apps portal offered anonymously accessible database records that included personal details. As Microsoft explains in its documentation, “To secure a list, you must configure Table Permissions for the table for which records are being displayed and also set the Enable Table Permissions Boolean value on the list record to true.”

“Fraud has been detected”: a stomach-turning scam attempt is spreading in the name of a Finnish bank

www.tivi.fi/uutiset/tv/e6677305-e2ac-4923-8a32-28ebeee94e44 Phishing messages are being circulated in the name of OP, with which scammers try to fish for the banking details of unsuspecting customers. Similar scam messages have also reached people close to Tivi’s editorial staff. “Fraud has been detected. Your account has been blocked for security reasons. Go to [convincing-looking address] to verify your identity and cancel the payment,” the message reads. At first glance the link in the message looks credible, but fortunately the spelling errors in the message draw attention, if one is alert enough.

Threat Modeling: The Key to Dealing With 5G Security Challenges

securityintelligence.com/articles/threat-modeling-5g-security-challenges/ With 5G reshaping the smartphone market, 5G security needs to keep up. Almost one in three smartphones sold in the first quarter of 2021 can connect to a 5G network. That’s just one year after the world’s first commercial 5G network emerged in South Korea. Such growth helped annual shipment numbers of 5G-enabled smartphones exceed 200 million units in just one year. Threat modeling is critical in the age of 5G because it’s essential in any telecommunications revolution. If 5G is going to catch on, security teams need to prevent malicious actors from misusing it. It also means that operators need to address the privacy concerns of 5G from the start. These efforts require a proactive approach that only threat modeling can provide.

Study: the pandemic lowered consumers’ threshold for sharing their data with companies

www.epressi.com/tiedotteet/teknologia/tutkimus-pandemia-laski-kuluttajien-kynnysta-jakaa-tietojaan-yritysten-kanssa.html A survey commissioned by SAS Institute, the world’s leading analytics company, shows that consumers in the EMEA region are increasingly willing to give their personal data to companies. About a third of customers said they are more likely to share personal data with companies now than before the pandemic. Consumers are increasingly ready to share their personal data with companies. A third of consumers (32%) are now more likely than before to make their own data available to organisations. Consumers’ awareness of fraud has increased significantly during the pandemic. 60% of all consumers say they are more cautious than before or have experienced a scam. 19% of respondents have noticed that the number of scam messages has increased.

ALTDOS hacking group wreaks havoc across Southeast Asia

therecord.media/altdos-hacking-group-wreaks-havoc-across-southeast-asia/ For the past eight months, a cybercrime group calling itself ALTDOS has been wreaking havoc across Southeast Asia, hacking companies left and right, in order to pilfer their data and ransom it back or sell it on underground forums. First spotted in December 2020, the group has been linked to intrusions at companies in Bangladesh, Singapore, and Thailand. Among the group’s targets are companies like OrangeTee, 3BB, Audio House, Vhive, CGSEC, and others. According to a series of government cybersecurity alerts and reporting done by DataBreaches.net, which has had extensive direct contact and conversations with the group, ALTDOS’ modus operandi can only be described as chaotic. In some past instances, the group has been seen deploying ransomware to encrypt a victim’s data, while in others, they only resorted to stealing sensitive information. Additionally, in some cases, the group engaged with victims and demanded ransom payments, while in others, the group did not bother and simply auctioned or released the victim’s data for free online.
