Daily NCSC-FI news followup 2021-08-27

Big bad decryption bug in OpenSSL but no cause for alarm

nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/ The well-known and widely-used encryption library OpenSSL released a security patch earlier this week. OpenSSL, as its name suggests, is mainly used by network software that uses the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit. Although TLS has now replaced SSL, removing a huge number of cryptographic flaws along the way, many of the popular open source programming libraries that support it, such as OpenSSL, LibreSSL and BoringSSL, have kept old-school product names for the sake of familiarity.

Widespread credential phishing campaign abuses open redirector links

www.microsoft.com/security/blog/2021/08/26/widespread-credential-phishing-campaign-abuses-open-redirector-links/ Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections, including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems, before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.

Man impersonates Apple support, steals 620,000 photos from iCloud accounts

www.welivesecurity.com/2021/08/26/man-impersonates-apple-support-steals-620000-photos-icloud/ A California man has fessed up to breaking into the Apple iCloud accounts of hundreds of individuals and downloading more than 620,000 images and 9,000 videos while on the prowl for nude photos of young women. He would then share or trade these images online or keep them for his own collection. Hao Kuo Chi, a 40-year-old citizen of La Puente, Los Angeles County, pleaded guilty to four counts including committing computer fraud, according to a report by the Los Angeles Times. Going by the online handle icloudripper4you, he billed himself as being adept at infiltrating iCloud accounts and pilfering their content, an activity he referred to as ripping.

Fake DMCA complaints, DDoS threats lead to BazaLoader malware

www.bleepingcomputer.com/news/security/fake-dmca-complaints-ddos-threats-lead-to-bazaloader-malware/ Cybercriminals behind the BazaLoader malware came up with a new lure to trick website owners into opening malicious files: fake notifications about the site being engaged in distributed denial-of-service (DDoS) attacks. The messages contain a legal threat and a file stored in a Google Drive folder that allegedly provides evidence of the source of the attack. The DDoS theme is a variation of another lure, a Digital Millennium Copyright Act (DMCA) infringement complaint linking to a file that supposedly contains evidence about stealing images.

FBI Releases Indicators of Compromise Associated with Hive Ransomware

us-cert.cisa.gov/ncas/current-activity/2021/08/27/fbi-releases-indicators-compromise-associated-hive-ransomware The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware attacks by Hive, a likely Ransomware-as-a-Service organization consisting of a number of actors using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.

Microsoft warns thousands of customers about a database leak in the Azure cloud service

www.hs.fi/talous/art-2000008221497.html SOFTWARE COMPANY Microsoft warned thousands of its cloud service customers on Thursday about a leak of databases. The vulnerability is in the Cosmos DB database of Microsoft's Azure cloud service. The hole was found when the research team of security company Wiz noticed that it was able to use keys that control databases held by thousands of companies. According to Wiz's chief technology officer Ami Luttwak, this is the worst possible cloud service vulnerability. Also:

Kaseya Issues Patches for Two New 0-Day Flaws Affecting Unitrends Servers

thehackernews.com/2021/08/kaseya-issues-patches-for-two-new-0-day.html U.S. technology firm Kaseya has released security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution. The two weaknesses are part of a trio of vulnerabilities discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) on July 3, 2021.

Ragnarok ransomware operation shuts down and releases free decrypter

therecord.media/ragnarok-ransomware-operation-shuts-down-and-releases-free-decrypter/ The Ragnarok (or Asnarök) ransomware gang shut down their operation today and released a free decryption utility to help victims recover their files. The free decrypter, hardcoded with a master decryption key, was released today on the gang's dark web portal, where the group previously used to publish files from victims who refused to pay. The decrypter, which has been confirmed to work by multiple security researchers, is currently being analyzed before security firms will rewrite a clean and safe-to-use version that will be made publicly available through Europol's NoMoreRansom portal. Also:

FIN8 Targets US Bank With New Sardonic Backdoor

threatpost.com/fin8-bank-sardonic-backdoor/168982/ The financially motivated FIN8 cybergang used a brand-new backdoor dubbed Sardonic by the Bitdefender researchers who first spotted it in attempted (but unsuccessful) breaches of networks belonging to two unidentified U.S. financial organizations. It's a nimble newcomer, researchers wrote: "The Sardonic backdoor is extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components," according to Bitdefender's report.

T-Mobile CEO: Hacker brute-forced his way through our network

www.bleepingcomputer.com/news/security/t-mobile-ceo-hacker-brute-forced-his-way-through-our-network/ Today, T-Mobile’s CEO Mike Sievert said that the hacker behind the carrier’s latest massive data breach brute forced his way through T-Mobile’s network after gaining access to testing environments. The attacker could not exfiltrate customer financial information, credit card information, debit or other payment information during the incident. However, T-Mobile says that he stole records belonging to 54.6 million current, former, or prospective customers, containing Social Security numbers, phone numbers, names, addresses, dates of birth, T-Mobile prepaid PINs, and driver license/ID information.

Google: Here’s how our $10bn investment will boost US cybersecurity

www.zdnet.com/article/software-supply-chain-security-google-touts-its-10bn-investment-and-zero-trust-work/ Google has outlined its efforts to shape the US government’s zero-trust initiative, based on Biden’s May Executive Order on cybersecurity. Google’s $10 billion commitment to beefing up critical US infrastructure includes expanding zero-trust programs, helping to secure software supply chains, and enhancing open-source security. Its contributions will see the company leverage initiatives that have been underway at Google for many years, spanning open-source fuzzing tools to funding Linux kernel developers to work on security, and pushing for the use of memory-safe languages in Linux.

Companies pay ransoms to ransomware distributors: "It's a mature business, that whole thing"

www.kauppalehti.fi/uutiset/yritykset-maksavat-lunnaita-kiristysohjelmien-levittajille-se-on-kypsaa-liiketoimintaa-se-homma/40805c8c-168d-4813-9c19-3578e8da6494 When Colonial Pipeline, the largest pipeline system for refined oil products in the United States, fell victim to ransomware in May, the company decided to pay. The billing system was stuck, and it was not worth delivering gasoline for free from Texas to New York. So is it sometimes worth paying the extortionists? The question makes Benjamin Särkkä, the director responsible for cyber security at Viria Security, sigh.

Phorpiex botnet shuts down, source code goes up for sale

therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/ The operators of the Phorpiex malware have shut down their botnet and put its source code for sale on a dark web cybercrime forum, The Record has learned. The ad, posted earlier today by an individual previously linked to the botnet's operation, claims that none of the malware's two original authors are involved in running the botnet, hence the reason they decided to sell its source code. "As I no longer work and my friend has left the biz, Im here to offer Trik (name from coder) / Phorpiex (name fomr AV firms) source for sell [sic]," the individual said today in a forum post spotted by British security firm Cyjax.
