Daily NCSC-FI news followup 2021-09-09

GitHub finds 7 code execution vulnerabilities in ‘tar’ and npm CLI

www.bleepingcomputer.com/news/security/github-finds-7-code-execution-vulnerabilities-in-tar-and-npm-cli/ GitHub's security team has identified several high-severity vulnerabilities in the npm packages “tar” and “@npmcli/arborist,” which are used by the npm CLI.

Zoho patches actively exploited critical ADSelfService Plus bug

www.bleepingcomputer.com/news/security/zoho-patches-actively-exploited-critical-adselfservice-plus-bug/ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are exploiting a critical vulnerability in Zoho's ManageEngine ADSelfService Plus password management solution that allows them to take control of the system.

Coordinated disclosure of vulnerability in Azure Container Instances Service

msrc-blog.microsoft.com/2021/09/08/coordinated-disclosure-of-vulnerability-in-azure-container-instances-service/ Microsoft recently mitigated a vulnerability reported by a security researcher in Azure Container Instances (ACI) that could potentially allow a user to access other customers' information in the ACI service. Our investigation surfaced no unauthorized access to customer data. Out of an abundance of caution we notified customers with containers running on the same clusters as the researcher's via Service Health Notifications in the Azure Portal. If you did not receive a notification, no action is required with respect to this vulnerability.

Confluence vulnerability, a tale of catching active exploitation in the wild

sensorfleet.com/2021/09/07/confluence-vulnerability.html In this blog post I summarize how a simple test with a SensorFleet Sensor in partner infrastructure yielded the detection of exploitation of the Atlassian Confluence OGNL injection vulnerability (CVE-2021-26084).

Bounty.fi – From bounty hunters to bounty hunters!

bounty.fi/ This site contains links to materials that you can use to learn about bug bounties.

Dark web prices for stolen PayPal accounts up, credit cards down: report

www.comparitech.com/blog/vpn-privacy/dark-web-prices/ Comparitech researchers sifted through several illicit marketplaces on the dark web to find out how much our private information is worth. Where possible, we'll also examine how prices have changed over time.

Flowspec Bulletproof Services Enable Cybercrime Worldwide

www.riskiq.com/blog/external-threat-management/flowspec-bulletproof-hosting/ In our analysis of threat infrastructure spanning the global attack surface, we see bulletproof hosting providers continue to play an integral role in threat campaigns and provide essential services for cybercriminals. Flowspec, a bulletproof hosting provider that has been around since October 2018, is a one-stop shop for threat groups, facilitating phishing campaigns, malware delivery, Magecart skimmers, and large swaths of other malicious infrastructure.

2021 Threat Hunting Report

go.crowdstrike.com/rs/281-OBQ-266/images/Report2021ThreatHunting.pdf eCrime adversaries are moving with increasing speed in pursuit of their objectives. OverWatch observations show they are capable of moving laterally within a victim environment in an average of 1 hour and 32 minutes. OverWatch has tracked a 60% increase in interactive intrusion activity in the past year. The threat of hands-on intrusion activity remains very real: OverWatch has observed and disrupted intrusions spanning all industry verticals and geographic regions. eCrime continues to dominate the threat landscape, making up 75% of interactive intrusion activity. Targeted intrusion adversaries remain a prominent threat, particularly for the telecommunications industry.

Yandex is battling the largest DDoS in Russian Internet history

www.bleepingcomputer.com/news/security/yandex-is-battling-the-largest-ddos-in-russian-internet-history/ Russian internet giant Yandex has been targeted in a massive distributed denial-of-service (DDoS) attack that started last week and reportedly continues this week.

Threat landscape for industrial automation systems in H1 2021

securelist.com/threat-landscape-for-industrial-automation-systems-in-h1-2021/104017/ Full report at

Over 60,000 parked domains were vulnerable to AWS hijacking

www.bleepingcomputer.com/news/security/over-60-000-parked-domains-were-vulnerable-to-aws-hijacking/ Domain registrar MarkMonitor had left more than 60,000 parked domains vulnerable to domain hijacking. The parked domains were seen pointing to nonexistent Amazon S3 bucket addresses, hinting that a domain takeover weakness existed.

The Catalog of Carceral Surveillance: Prison Gaming and AR/VR Services

www.eff.org/deeplinks/2021/09/carceral-surveillance-catalog-prison-gaming-and-arvr-services No matter how many rights are taken away from people in prison, no matter how brutally they are treated by the prison industrial complex, there is one right so fundamental, so essential, that even controversial prison telecommunications company Securus can't bear to see it violated: the right to find new ways to extract money from prisoners and their families. In one of their newest patents, granted in February 2021, Securus describes their latest revolutionary technology: a tablet that would be issued to individual inmates to allow them to make video calls, access information about their case, and pay money for temporary access to video games. Global Tel-Link primarily intends for its prison VR system to be used as a replacement for prison visitation, so that inmates could interact with friends and family in a controlled and monitored virtual environment.

New maritime cyber security guidance for shipping companies and vessels

shipowners.fi/wp-content/uploads/2021/09/WWW_Parhaat_ka%CC%88yta%CC%88nno%CC%88t_aluksille_SU.pdf The Finnish Shipowners' Association (Suomen Varustamot ry) and the Water Transport Pool (Vesikuljetuspooli), which is part of the National Emergency Supply Organisation (Huoltovarmuusorganisaatio), have published cyber security best-practice guidance for shipping companies and vessels. The guidance is based on an extensive joint maritime cyber security study.

Fortinet warns customers after hackers leak passwords for 87,000 VPNs

therecord.media/fortinet-warns-customers-after-hackers-leak-passwords-for-87000-vpns/ Networking equipment vendor Fortinet has notified customers today that a cybercriminal gang has assembled a collection of access credentials for more than 87,000 FortiGate SSL-VPN devices. “This incident is related to an old vulnerability resolved in May 2019,” the company said in a blog post following an inquiry from The Record sent on Tuesday, when a small portion of this larger list was published on a private cybercrime forum hosted on the dark web, and later on the website of a ransomware gang known to have close affiliations with the same forum. The researchers, who publicly admit to being “gray hats” but still did not want their names included in this article for legal reasons, said that from a list of 502,677 credentials belonging to around 22,500 Fortinet VPNs, the vast majority (varying from 80% to 90%, depending on the scan) did not work anymore, or the login screen was protected by a two-factor authentication system.

Dark Covenant: Connections Between the Russian State and Criminal Actors

www.recordedfuture.com/russian-state-connections-criminal-actors/ The intersection of individuals in the Russian cybercriminal world and officials in the Russian government, typically from the domestic law enforcement or intelligence services, is well established yet highly diffuse. The relationships in this ecosystem are based on spoken and unspoken agreements and comprise fluid associations. Recorded Future identified 3 types of links between the Russian intelligence services and the Russian criminal underground based on historical activity and associations, as well as recent ransomware attacks: direct links, indirect affiliations, and tacit agreement. Even in cases with discernible, direct links between cybercriminal threat actors and the Russian state, indirect affiliations suggest collaboration, and a lack of meaningful punitive actions shows either a tolerance for, or tacit approval of, these efforts.
