Daily NCSC-FI news followup 2021-09-01

Cryptophishing on the Luno exchange

www.kaspersky.com/blog/cryptophishing-in-luno/41538/ Since the advent of cryptocurrency, scammers of every stripe have sought to get rich from stealing virtual coins. With cybercriminals duping both buyers of mining equipment and cryptoinvestors, we spotlight a scam targeting users of the Luno cryptoexchange. The Luno cryptocurrency exchange has been in existence since 2013, and today it serves more than 5 million clients in 40 countries. Lunos primary focus is on emerging markets, allowing users from countries such as Singapore, Malaysia, Indonesia, South Africa, and Nigeria to purchase tokens with local currency.

Macs turn on apps signed by Symantec, treat them as malware

blog.malwarebytes.com/malwarebytes-news/2021/09/macs-turn-on-apps-signed-by-symantec-treat-them-as-malware/ On August 23, following an update to Apples XProtect systemone of the security features built into macOSsome Mac users began to see security alerts about some of their apps, claiming that they will damage your computer, and offering users the option to report malware to Apple.. This has led to much confusion online, and to an influx of requests in our support system asking about this malware. The most common so far has been from an app named ReceiverHelper.

What Has Changed Since the 2017 WannaCry Ransomware Attack?

securityintelligence.com/articles/what-has-changed-since-wannacry-ransomware-attack/ The cybersecurity world is still feeling the effects of the 2017 WannaCry ransomware attack today. While the majority of the damage occurred in the weeks after May 12, 2017, WannaCry ransomware attacks actually increased 53% from January 2021 to March 2021. While researching my in-depth article WannaCry: How the Widespread Ransomware Changed Cybersecurity, I learned that WannaCry attacks are still found today. Even so, I was surprised that it is still such an active issue. So, what has happened since then? What are these attackers doing today? How have organizations responded to these threats? And will an attack like this happen again?

Too Log; Didn’t Read Unknown Actor Using CLFS Log Files for Stealth

www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html The Mandiant Advanced Practices team recently discovered a new malware family we have named PRIVATELOG and its installer, STASHLOG. In this post, we will share a novel and especially interesting technique the samples use to hide data, along with detailed analysis of both files that was performed with the support of FLARE analysts. We will also share sample detection rules, and hunting . Mandiant has yet to observe PRIVATELOG or STASHLOG in any customer environments or to recover any second-stage payloads launched by PRIVATELOG. This may indicate malware that is still in development, the work of a researcher, or targeted activity.

Flaw in the Quebec vaccine passport: analysis

www.welivesecurity.com/2021/08/31/flaw-quebec-vaccine-passport-vaxicode-verif-analysis/ The launch of the mobile applications allowing the storage and verification of the vaccination passport by the Quebec government (VaxiCode and VaxiCode Verif) has caused a lot of ink to flow last week. It is with good reason; the VaxiCode Verif app will be used by all non-essential service merchants as of September 1, 2021. Like many other experts, I analyzed the contents of the QR code as soon as I received it during my first vaccination last May. Last week, I also analyzed the two applications established by the Quebec government and developed by Akinox.

Fired NY credit union employee nukes 21GB of data in revenge

www.bleepingcomputer.com/news/security/fired-ny-credit-union-employee-nukes-21gb-of-data-in-revenge/ Juliana Barile, the former employee of a New York credit union, pleaded guilty to accessing the financial institution’s computer systems without authorization and destroying over 21 gigabytes of data in revenge after being fired. “In an act of revenge for being terminated, Barile surreptitiously accessed the computer system of her former employer, a New York Credit Union, and deleted mortgage loan applications and other sensitive information maintained on its file server,” Acting U.S. Attorney Jacquelyn M. Kasulis said.

Linphone SIP Stack Bug Could Let Attackers Remotely Crash Client Devices

thehackernews.com/2021/09/linphone-sip-stack-bug-could-let.html Cybersecurity researchers on Tuesday disclosed details about a zero-click security vulnerability in Linphone Session Initiation Protocol (SIP) stack that could be remotely exploited without any action from a victim to crash the SIP client and cause a denial-of-service (DoS) condition. Tracked as CVE-2021-33056 (CVSS score: 7.5), the issue concerns a NULL pointer dereference vulnerability in the “belle-sip” component, a C-language library used to implement SIP transport, transaction, and dialog layers, with all versions prior to 4.5.20 affected by the flaw. The weakness was discovered and reported by industrial cybersecurity company Claroty.. Report:

www.claroty.com/2021/08/31/blog-research-crashing-sip-clients-with-a-single-slash/

Confluence enterprise servers targeted with recent vulnerability

therecord.media/confluence-enterprise-servers-targeted-with-recent-vulnerability/ A major vulnerability in Confluences team collaboration server software is currently on the cusp of widespread abuse after mass scanning and initial exploitation was spotted this week. Tracked as CVE-2021-26084, the vulnerability impacts Confluence Server and Confluence Data Center software thats usually installed on Confluence self-hosted project management, wiki, and team collaboration platforms. Under the hood, the vulnerability resides in OGNL (Object-Graph Navigation Language), a simple scripting language for interacting with Java code, the underlying technology in which most Confluence software has been written.

STRRAT: a Java-based RAT that doesn’t care if you have Java

isc.sans.edu/forums/diary/STRRAT+a+Javabased+RAT+that+doesnt+care+if+you+have+Java/27798/ STRRAT was discovered earlier this year as a Java-based Remote Access Tool (RAT) that does not require a preinstalled Java Runtime Environment (JRE). It has been distributed through malicious spam (malspam) during 2021. Today’s diary reviews an infection generated using an Excel spreadsheet discovered on Monday, 2021-08-30.. During this infection, STRRAT was installed with its own JRE environment. It was part of a zip archive that contained JRE version 8 update 261, a .jar file for STRRAT, and a command script to run STRRAT using JRE from the zip archive.

BEC Scammers Seek Native English Speakers on Underground

threatpost.com/bec-scammers-native-english-speakers/169092/ Looking for work? Speak fluent English? Capable of convincingly portraying a professional as in, somebody a highly ranked corporate leader would talk to?. If you lack scruples and disregard those pesky things called laws, it could be your lucky day: Cybercrooks are putting up help-wanted ads, looking for native English speakers to carry out the social-engineering elements of business email compromise (BEC) attacks. Its easy work, they promise: Theyll do the heavy lifting of getting unauthorized access to Microsoft Office 365 domains. All that their English-speaking conspirators need to do is sound convincing.

Half of businesses can’t spot these signs of insider cybersecurity threats

www.zdnet.com/article/half-of-businesses-cant-spot-these-signs-of-insider-cybersecurity-threats/ Most businesses are struggling to identify and detect early indicators that could suggest an insider is plotting to steal data or carry out other cyberattacks. Research by security think tank the Ponemon Institute and cybersecurity company DTEX Systems suggests that over half of companies find it impossible or very difficult to prevent insider attacks. These businesses are missing indicators that something might be wrong. Those include unusual amounts of files being opened, attempts to use USB devices, staff purposefully circumventing security controls, masking their online activities, or moving and saving files to unusual locations. All these and more might suggest that a user is planning malicious activity, including the theft of company data.

Etsintäkuulutettu ammattirikollinen murtautui F-Securen pääkonttoriin sisään pääsi häiritsevän helposti

www.tivi.fi/uutiset/tv/420aeddf-e34a-4c24-a0fe-7ad0866f5e0d Harvemmin ison yrityksen pääkonttorille onnistutaan murtautumaan, ja vielä harvemmin niin, ettei murtautuja vie mennessään yhtään mitään. Näin kuitenkin kävi Suomessa eräänä salaperäisenä yönä. Asialla oli tunnettu ammattirikollinen. Teknisen tietoturvakonsultoinnin johtaja Tomi Tuominen on kirjoittanut F-Securen sivuille lähes kaunokirjallisen blogitekstin tapauksesta. Se nousi tänä kesänä puheenaiheeksi it-alalla, koska konttorilla oli F-Securen mukaan siivouskomeroksi luultu, kansallisen infrastruktuurin kannalta kriittinen tietoliikennehuone. F-Securen teksti herätti keskustelua it-alalla erityisesti tietoliikennehuoneen takia. Kysyimme Liikenne- ja viestintäviraston Kyberturvallisuuskeskuksen asiantuntijalta Tapio Sokuralta, millaisia tavoitteita tietoliikennehuoneisiin tähtäävillä hyökkääjillä voi olla. Sokura kommentoi asiaa yleisellä tasolla.

Report: Indonesian Governments Covid-19 App Accidentally Exposes Over 1 Million People in Massive Data Leak

www.vpnmentor.com/blog/report-ehac-indonesia-leak/ Led by Noam Rotem and Ran Locar, vpnMentors research team discovered a data breach in the Indonesian governments eHAC program created to tackle the COVID-19 pandemic spread in the country. eHAC is a test and trace app for people entering Indonesia to ensure theyre not carrying the virus into the country. The app was established in 2021 by the Indonesian Ministry of Health. However, the app developers failed to implement adequate data privacy protocols and left the data of over 1 million people exposed on an open server.

Gutenberg Template Library & Redux Framework Bugs Plague WordPress Sites

threatpost.com/gutenberg-template-library-redux-bugs-wordpress/169111/ Two vulnerabilities have been found in the Gutenberg Template Library & Redux Framework plugin for WordPress, which is installed on more than 1 million websites. They could allow arbitrary plugin installation, post deletions and access to potentially sensitive information about a sites configuration, researchers said. The plugin, from developer Redux.io, offers various templates and building blocks for creating web pages within WordPress Gutenberg editor:

You might be interested in …

Daily NCSC-FI news followup 2020-05-14

Spam campaign: Netwire RAT via paste.ee and MS Excel to German users www.gdatasoftware.com/blog/netwire-rat-via-pasteee-and-ms-excel G DATA discovered an email spam campaign in Germany that delivers NetWire RAT via PowerShell in Excel documents. The emails mimick the German courier, parcel and express mail service DHL. Sodinokibi drops greatest hits collection, and crime is the secret ingredient blog.malwarebytes.com/cybercrime/2020/05/sodinokibi-drops-greatest-hits-collection-and-crime-is-the-secret-ingredient/ […]

Read More

Daily NCSC-FI news followup 2020-01-25

Kyberhäiriötilanteisiin kannattaa valmistautua jo etukäteen varautumista koskevat suositukset ja sääntely koottiin yhteen www.epressi.com/tiedotteet/tietoturva/kyberhairiotilanteisiin-kannattaa-valmistautua-jo-etukateen-varautumista-koskevat-suositukset-ja-saantely-koottiin-yhteen.html Huoltovarmuusorganisaation Digipooli ja Tietoliikenteen ja tietotekniikan keskusliitto FiCom ry ovat julkaisseet suositukset kyberturvallisuudestaan huolehtiville yrityksille sekä IT- ja tietoturvapalveluiden tarjoajille. Suosituksia tarjoillaan kolmeen vaiheeseen: ennen sopimista, palvelun ylläpidossa ja häiriötilanteissa huomioitaviin asioihin. Does Your Domain Have a Registry Lock? krebsonsecurity.com/2020/01/does-your-domain-have-a-registry-lock/ Hackers target […]

Read More

Daily NCSC-FI news followup 2020-08-02

Telstra DNS falls over after denial of service attack www.zdnet.com/article/telstra-dns-falls-over-after-denial-of-service-attack/ Customers with Telstra’s default DNS settings found themselves seemingly unable to access the internet on Sunday morning, as the telco was facing a denial of service attack. The attack kicked off some time before 10:30am on the Australian east coast. Some of our Domain Name […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.