Daily NCSC-FI news followup 2021-09-10

Indonesian intelligence agency compromised in suspected Chinese hack

therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/ Chinese hackers have breached the internal networks of at least ten Indonesian government ministries and agencies, including computers from Indonesia’s primary intelligence service, the Badan Intelijen Negara (BIN). The intrusion, discovered by Insikt Group, the threat research division of Recorded Future, has been linked to Mustang Panda, a Chinese threat actor known for its cyber-espionage campaigns targeting the Southeast Asian region[1, 2]. Insikt researchers first discovered this campaign in April this year, when they detected PlugX malware command and control (C&C) servers, operated by the Mustang Panda group, communicating with hosts inside the networks of the Indonesian government. These communications were later traced back to at least March 2021. The intrusion point and delivery method of the malware are still unclear.

Healthcare orgs in California, Arizona send out breach letters for nearly 150,000 after SSNs accessed during ransomware attacks

www.zdnet.com/article/healthcare-orgs-in-california-arizona-send-out-breach-notice-letters-for-nearly-150000-after-ssns-accessed-during-ransomware-attacks/#ftag=RSSbaffb68 Two healthcare organizations have begun sending out breach notification letters to thousands of people in California and Arizona after both revealed that sensitive information — including social security numbers, treatment information and diagnosis data — was accessed during recent cyberattacks. LifeLong Medical Care, a California health center, is sending letters to about 115,000 people about a ransomware attack that took place on November 24, 2020. The letter does not say which ransomware group was involved, but it states that Netgain, a third-party vendor that provides services to LifeLong Medical Care, “discovered anomalous network activity” and only determined it was a ransomware attack by February 25, 2021.

Stolen Credentials Led to Data Theft at United Nations

threatpost.com/data-theft-united-nations/169357/ A threat actor used stolen credentials from a United Nations employee to breach parts of the UN’s network in April and steal critical data, a spokesman for the intergovernmental organization has confirmed. That data lifted from the network can be used to target agencies within the UN, which already has experienced and responded to “further attacks” linked to the breach, Stéphane Dujarric, spokesman for the UN Secretary-General, told Bloomberg, which broke the news in a report published Thursday. In another high-profile attack in January 2020, the operators behind the notorious Emotet malware took aim at the UN with a concerted phishing campaign, the intent of which was to steal credentials and deliver the TrickBot trojan. The attack ultimately was found to be the result of a Microsoft SharePoint flaw, allowing attackers to steal 400 GB of sensitive data.

Meet Mēris, the new 250,000-strong DDoS botnet terrorizing the internet

therecord.media/meet-meris-the-new-250000-strong-ddos-botnet-terrorizing-the-internet/ A new botnet consisting of an estimated 250,000 malware-infected devices has been behind some of the biggest DDoS attacks over the summer, breaking the record for the largest volumetric DDoS attack twice, once in June and again this month. Named Mēris, the Latvian word for “plague,” the botnet has been primarily used as part of a DDoS extortion campaign against internet service providers and financial entities across several countries, such as Russia, the UK, the US, and New Zealand. The group behind the botnet typically sends menacing emails to large companies asking for a ransom payment. The emails, which target companies with extensive online infrastructure and which can’t afford any downtime, contain threats to take down crucial servers if the group is not paid a certain amount of cryptocurrency by a deadline.

Facebook puts on Ray-Bans, struts into the privacy minefield of smart glasses

blog.malwarebytes.com/privacy-2/2021/09/facebook-puts-on-ray-bans-struts-into-the-privacy-minefield-of-smart-glasses/ Facebook, neck-deep in virtual / augmented reality with the Oculus headset, continues to move things up a gear. It has announced “Ray-Ban Stories”, smart glasses which take video and photos. The company may yet go one step further and incorporate these features into Augmented Reality (AR) specs, which a Facebook rep said were in development. Facebook’s decision to enter the smart glasses market is remarkable considering what has come before. About ten years ago, another tech giant with a similarly tarnished reputation for gathering personal data tried it with Google Glass. This was the first mainstream attempt to put glasses with cameras on our heads. It didn’t work. Famously. As you’ll see from the video in the BBC article linked at the beginning of this article, both the presenter and the Facebook rep dive into the privacy angle. “Can people film me without me knowing about it?” is absolutely a valid question.

Atlassian Confluence WebWork OGNL Injection

packetstormsecurity.com/files/164122/atlassian_confluence_webwork_ognl_injection.rb.txt This Metasploit module exploits an OGNL injection in Atlassian Confluence’s WebWork component to execute commands as the Tomcat user.
