Daily NCSC-FI news followup 2021-08-31

Attracting flies with Honey(gain): Adversarial abuse of proxyware

blog.talosintelligence.com/2021/08/proxyware-abuse.html With internet-sharing applications, or “proxyware,” users download software that allows them to share a percentage of their bandwidth with other internet users for a fee, with the companies that created this software acting as a go-between. As proxyware has grown in popularity, attackers have taken notice and are now attempting to exploit this interest to monetize their malware campaigns. Malware is currently leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems.

Skimming the CREAM recursive withdrawals loot $13M in cryptocash

nakedsecurity.sophos.com/2021/08/31/skimming-the-cream-recursive-withdrawals-loot-13m-in-cryptocash/ You must have had that happy feeling (happiest of all when it's still a day or two to payday and you know that your balance is paper-thin) when you're withdrawing money from a cash machine and, even though you're still nervously watching the ATM screen telling you that your request is being processed, you hear the motors in the cash dispensing machinery start to spin up. That means, even before any banknotes get counted out or the display tells you the final verdict, that [a] you've got enough funds, [b] the transaction has been approved, [c] the machine is working properly, and [d] you're about to get the money.

H1 2021: Malware and Vulnerability Trends Report

www.recordedfuture.com/malware-vulnerability-trends-report/ This report examines trends in malware use, distribution, and development, and high-risk vulnerabilities disclosed by major hardware and software vendors between January 1 and June 30, 2021. Data was assembled from the Recorded Future® Platform, open-source intelligence (OSINT), and public reporting on NVD data. This report will assist threat hunters and security operations center (SOC) teams in strengthening their security posture by prioritizing hunting techniques and detection methods based on this research and data along with vulnerability teams looking for ways to prioritize patching and identify trends in vulnerability targeting.

Cyberattacks Use Office 365 to Target Supply Chain

securityintelligence.com/articles/cyberattacks-office-365-supply-chain/ Malicious actors have a history of trying to compromise users' Office 365 accounts. By doing so, they can tunnel into a network and use their access to steal sensitive information. But they need not stop there. They can also single out other entities with which the target does business for supply chain cyberattacks. In the summer of 2019, phishers used fake alerts to trick admins into thinking that their Office 365 licenses had expired. Those messages instructed the admins to click on a link so that they could sign into the Office 365 Admin Center and review the payment details. Instead, that sign-in page stole their account credentials.

Financial Institutions in the Sight of New JsOutProx Attack Waves

yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/ When threat actors evolve, their tools do so too. Observing the evolution of the threats we track during our cyber defense operations is part of what we do to secure our customers. Back in 2019, Yoroi's Malware ZLAB unit discovered a completely new malware implant named JsOutProx (TH-264), a complex JavaScript-based RAT used to attack financial institutions in the APAC area.

Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs

www.bleepingcomputer.com/news/security/cybercriminal-sells-tool-to-hide-malware-in-amd-nvidia-gpus/ Cybercriminals are making strides towards attacks with malware that can execute code from the graphics processing unit (GPU) of a compromised system. While the method is not new and demo code has been published before, projects so far came from the academic world or were incomplete and unrefined. Earlier this month, the proof-of-concept (PoC) was sold on a hacker forum, potentially marking cybercriminals' transition to a new sophistication level for their attacks.

FBI-CISA Advisory on Ransomware Awareness for Holidays and Weekends

us-cert.cisa.gov/ncas/current-activity/2021/08/31/fbi-cisa-advisory-ransomware-awareness-holidays-and-weekends Today, the Federal Bureau of Investigation (FBI) and CISA released a Joint Cybersecurity Advisory (CSA) to urge organizations to ensure they protect themselves against ransomware attacks during holidays and weekends, when offices are normally closed. Although FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday, malicious cyber actors have launched serious ransomware attacks during other holidays and weekends in 2021. Alert (AA21-243A):

us-cert.cisa.gov/ncas/alerts/aa21-243a

Attackers Can Remotely Disable Fortress Wi-Fi Home Security Alarms

thehackernews.com/2021/08/attackers-can-remotely-disable-fortress.html New vulnerabilities have been discovered in Fortress S03 Wi-Fi Home Security System that could be potentially abused by a malicious party to gain unauthorized access with an aim to alter system behavior, including disarming the devices without the victim’s knowledge. The two unpatched issues, tracked under the identifiers CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), were discovered and reported by cybersecurity firm Rapid7 in May 2021 with a 60-day deadline to fix the weaknesses.

BrakTooth: Impacts, Implications and Next Steps

isc.sans.edu/forums/diary/BrakTooth+Impacts+Implications+and+Next+Steps/27802/ In a previous diary entry, I had written about the increasing trend of Bluetooth vulnerabilities being reported in recent years. Today, the Automated Systems SEcuriTy (ASSET) Research Group from the Singapore University of Technology and Design (SUTD) revealed the BrakTooth family of vulnerabilities in commercial Bluetooth (BT) Classic stacks for various System-on-Chips (SoC). In this diary, I will be giving a brief background on BrakTooth, highlight affected products and also discuss next steps affected users/vendors could consider.

Top 3 API Vulnerabilities: Why Apps are Pwned by Cyberattackers

threatpost.com/top-3-api-vulnerabilities-cyberattackers/169048/ Application programming interfaces (APIs) have become the glue that holds today's apps together. There's an API to turn on the kitchen lights while still in bed. There's an API to change the song playing on your house speakers. Whether the app is on your mobile device, entertainment system or garage door, APIs are what developers use to make applications function. There are three major vulnerability types that cyberattackers target in order to own apps. But first, some background on what makes APIs such a security concern.

Ransomware attacks on US schools and colleges cost $6.62bn in 2020

www.comparitech.com/blog/information-security/school-ransomware-attacks/ In 2020, 77 individual ransomware attacks affected over 1,740 schools and colleges, potentially impacting 1.36 million students. We estimate that these attacks cost education institutions $6.62 billion in downtime alone. Most schools will have also faced astronomical recovery costs as they tried to restore computers, recover data, and shore up their systems to prevent future attacks. Over the last few years, ransomware attacks have become an increasing concern for schools and colleges worldwide.

Initial Access Broker use, stolen account sales spike in cloud service cyberattacks

www.zdnet.com/article/initial-access-broker-use-stolen-account-sales-spike-in-cloud-service-cyberattacks/ There is rising demand for the services of Initial Access Brokers (IABs) and access credentials in cloud-based cyberattacks. On Tuesday, Lacework published its 2021 Cloud Threat Report vol. 2, outlining how today's cybercriminals are attempting to cut out some of the legwork involved in campaigns against cloud service providers. Over this year, the cloud security firm's team has observed a number of trends of note in the cloud space, including increased demand for IABs.

Here are the most common problems in public-sector IT systems

www.tivi.fi/uutiset/tv/a0b4bc97-9049-4c99-aadd-df99d12ec721 The results of a survey carried out by the Digital and Population Data Services Agency (DVV) show that public administration organisations have systematically developed their information security, data protection and preparedness for disruptions over the past two years. Although digital security has improved, new threats have also emerged. According to DVV's press release, the positive development has been driven by requirements introduced by legislation, but also by rapid changes in the operating environment, such as the shift to remote work caused by the coronavirus pandemic and the growth of cybercrime and cyber espionage. DVV surveyed administrative digital security with a questionnaire in spring 2021. The largest respondent groups were central government, municipalities and joint municipal authorities, higher education institutions, and publicly owned social and health care operators.

US officials, experts fear China ransacked Exchange servers for data to train AI systems

www.theregister.com/2021/08/31/in_brief_security/ The massive attack on Microsoft Exchange servers in March may have been China harvesting information to train AI systems, according to US government officials and computer-security experts who talked to NPR. The plundering of these Exchange systems was attributed to Chinese government cyber-spies known as Hafnium; Beijing denied any involvement. It’s said the crew exploited four zero-days in Redmond’s mail software in a chain to hijack the servers and siphon off data. And what started small turned into what Chang Kawaguchi, CISO for Microsoft 365, told NPR this month was the fastest scale-up of a cyber-attack he’d ever seen.

Cybercriminals now strike even small Finnish companies, which used to be left alone

www.tivi.fi/uutiset/tv/5b2cc6d6-0f04-45b0-841c-242a4b4fc3e1 "We have recently seen targeted attacks against, for example, Finnish industrial companies and small companies. These attacks may be pure mischief, but the motives can also have a political or economic background," says Toni Vartiainen, head of service business at Telia Cygate, in a press release. According to Vartiainen, Finnish companies are not sufficiently prepared for the new information security environment. In particular, the move to a remote work model has caused problems for information security.

Fortress Home Security Open to Remote Disarmament

threatpost.com/fortress-home-security-remote-disarmament/169069/ A pair of vulnerabilities in the Fortress S03 WiFi Home Security System could allow cyberattackers to remotely disarm the system, leaving homes open to unlawful entry. The Fortress platform is a consumer-grade home security system that allows users to mix and match various sensors, IP cameras and accessories, connecting them via Wi-Fi to create a personalized security system. RF fobs are used for system control, arming and disarming monitors on doors, windows and motion detectors.

The SEC Exposed Cybersecurity's Fatal Flaw: Executive Resistance To Bad News

www.forbes.com/sites/noahbarsky/2021/08/31/the-sec-exposed-cybersecuritys-fatal-flaw—executive-resistance-to-bad-news/ As companies chase emerging cybersecurity threats, regulators are increasingly scrutinizing breach disclosure speed, accuracy and informativeness. For instance, the SEC recently cited real estate title insurance company First American Financial for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed over 800 million images of highly sensitive customer data. Without admitting guilt, First American Financial settled the case and agreed to a $487,616 fine.

WooCommerce Pricing Plugin Allows Malicious Code-Injection

threatpost.com/woocommerce-plugin-malicious/169063/ A pair of security vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin from Envato could allow unauthenticated attackers to inject malicious code into websites running unpatched versions. This can result in a variety of attacks, including website redirections to phishing pages, insertion of malicious scripts on product pages and more. The plugin, which has 19,700+ sales on Envato Market, offers a variety of pricing and promotion tools for online retailers, including special offers, bulk pricing, tiered pricing, bundle pricing, deals of the day, flash sales, wholesale pricing, member pricing, individual pricing, loyalty programs, behavioral pricing, location-based pricing and so on.

Authority issues new guidance on the use of cookies, intended as a recommendation-type document

www.tivi.fi/uutiset/tv/257a12d0-e6f1-45e8-8ed6-02a726639afa The Finnish Transport and Communications Agency Traficom has prepared guidance intended for service providers and end users, in cooperation with the Office of the Data Protection Ombudsman. To gather further input, it requested public comments on the draft guidance over the summer. The guidance was originally due to be completed during the summer, but it is not quite finished yet. The original deadline for comments was 9 August. Some operators requested additional time to submit their statements because of summer holidays.
