Daily NCSC-FI news followup 2021-09-13

Beware of Office files: even a preview can be dangerous

www.is.fi/digitoday/tietoturva/art-2000008260361.html Microsoft Office documents, that is, files created with Word, Excel and PowerPoint, carry a greater danger than previously thought, report Traficom's Kyberturvallisuuskeskus (the Finnish National Cyber Security Centre) and Kaspersky Lab, among others. It was previously reported that a vulnerability in a Windows software component called MSHTML allows malware to be smuggled onto a computer along with an Office document. At the time it was believed that activating the malware required opening the document and clicking through the security warning. It has now emerged that the vulnerability, known as CVE-2021-40444, is worse than assumed. For an attack to succeed, it is enough that the recipient previews the infected document. The end result is that the attacker gets to run their own programs on the victim's computer. The vulnerability is already being exploited in attacks.

APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs

www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html In 2019, we wrote a blog entry about a threat actor, likely based in Colombia, targeting entities in Colombia and other South American countries with spam emails. This threat actor is sometimes referred to as APT-C-36 or Blind Eagle. Since then, we have continued tracking this threat actor. In this blog entry, we share our new findings about APT-C-36’s ongoing spam campaign during that monitoring phase. APT-C-36 has been known to send phishing emails to various entities in South America using publicly available remote access tools (RATs). Over time, the threat actor switches from one RAT to another.

BlackMatter ransomware hits medical technology giant Olympus

www.bleepingcomputer.com/news/security/blackmatter-ransomware-hits-medical-technology-giant-olympus/ Olympus, a leading medical technology company, is investigating a “potential cybersecurity incident” that impacted some of its EMEA (Europe, Middle East, Africa) IT systems last week. Olympus has more than 31,000 employees worldwide and over 100 years of history developing for the medical, life sciences, and industrial equipment industries. The company’s camera, audio recorder, and binocular divisions have been transferred to OM Digital Solutions, which has been selling and distributing these products since January 2021.

Threat actor ports Cobalt Strike beacon to Linux, uses it in attacks

therecord.media/threat-actor-ports-cobalt-strike-beacon-to-linux-uses-it-in-attacks/ A newly discovered hacking group has used a customized and enhanced version of a popular security tool to orchestrate attacks against a wide range of targets across the world over the month of August 2021. The attacks targeted telecom companies, government agencies, IT companies, financial institutions, and advisory companies. Codenamed Vermilion, the threat actor modified a version of Cobalt Strike, a penetration testing toolkit developed by security software firm HelpSystems. While the tool was developed to help security firms emulate techniques used by threat actors as part of penetration tests, the tool’s advanced features have also made it a favorite among cybercrime groups.

Hackers stole Puma source code, no customer data, company says

therecord.media/hackers-stole-puma-source-code-no-customer-data-company-says/ Hackers have stolen information from sportswear maker Puma and are currently trying to extort the German company into paying a ransom demand, threatening to release the stolen files on a dark web portal specialized in the leaking and selling of stolen information. The entry advertising the Puma data was added to the site more than two weeks ago, at the end of August, The Record has learned. “It was a PUMA source code for an internal application, which was leaked,” Robert-Jan Bartunek, head of Puma’s corporate communications, told The Record last week. “No consumer or employee data was affected,” Bartunek added.

Open redirect on UK council website was being used for Royal Mail-themed parcel payments scam

www.theregister.com/2021/09/13/open_redirect_council_property_website_spam/ An open redirect on a UK council-backed property website allowed low-level miscreants to evade filters. The website, operated by tech services biz Civica, had an open redirect that was being actively abused by spammers, who piggybacked on the website’s domain authority so their messages weren’t flagged by scanning tools. Fortuitously, one of the spam emails that bounced through the Homes4Wiltshire website ended up in the mailbox of ethical hacker Scott Helme, who was intrigued enough to track down how it had got through his defences. The message itself was a Royal Mail-themed spam campaign urging Helme to pay for a delivery, a very familiar scam from the past couple of years. On clicking the “proceed now” button in the email, he saw it linked to Homes4Wiltshire’s website and traced the full chain of hops back to a domain called package-royamail[.]co[.]uk. (Did you spot the missing L? Plenty wouldn’t have.) Helme blogged about his detective work tracking down the root cause of the redirect, which he attributed to a configuration problem in a web app deployed by Civica to its customers’ websites. Some brief Google-enabled sleuthing helped him find other domains using the same unique ViewSwitcherSwitchView?mobile=True&returnUrl= string.
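The root cause described above is a view-switch endpoint that forwards users to whatever its returnUrl parameter contains. The fix on the server side is to treat that parameter as untrusted and only redirect to destinations the site itself owns. The following is an added example written for this digest, not code from Civica, Homes4Wiltshire or Scott Helme's write-up; the host names, the allowed-host list and the query strings are constructed for the demo.

```python
"""Added example (not from the article): validating a returnUrl-style
parameter so a view-switch endpoint cannot be used as an open redirect.
All host names and query strings below are constructed for the demo."""
from urllib.parse import parse_qs, urlsplit

# Hosts this application may send users to (constructed placeholder).
ALLOWED_HOSTS = {"homes.example.gov.uk"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` is a same-site relative path or an
    absolute http(s) URL whose host is on the allow-list."""
    if not target:
        return False
    # Some browsers treat "\" as "/", and CR/LF enable header injection;
    # none of these belong in a legitimate return URL.
    if any(ch in target for ch in ("\\", "\r", "\n")):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Plain relative path such as "/account/home". A scheme-relative
        # "//evil.example" already parsed into netloc, so it never gets here.
        return target.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, mailto: and friends
    # `hostname` strips userinfo and port, so "https://good@evil.example"
    # resolves to evil.example and is rejected.
    host = parts.hostname or ""
    return host.lower() in allowed_hosts


def resolve_redirect(query_string, fallback="/"):
    """Choose the destination for a mobile/desktop view-switch request.
    Untrusted returnUrl values are replaced by the site root instead of
    being followed, which is the behaviour the abused endpoint lacked."""
    params = parse_qs(query_string, keep_blank_values=True)
    candidate = params.get("returnUrl", [""])[0]
    return candidate if is_safe_redirect(candidate) else fallback


if __name__ == "__main__":
    # Constructed request mimicking the abused pattern; the attacker host
    # is a placeholder, not the domain named in the article.
    for qs in ("mobile=True&returnUrl=https://attacker.example/pay",
               "mobile=True&returnUrl=//attacker.example/pay",
               "mobile=True&returnUrl=/properties/search"):
        print(f"{qs!r:60} -> {resolve_redirect(qs)}")
```

Logging rejected candidates (rather than silently falling back) is also worth doing: a burst of rejected external returnUrl values is exactly the signal that someone is probing the endpoint for use in a mail campaign like the one described.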

How To Minimize Cybersecurity Risks on Business Travels

quointelligence.eu/2021/09/travel-risk-security-for-business-travels/ Business travelers face a unique risk of being targeted by cybercriminals. Not only do they carry multiple devices (business phone, private phone, laptop, tablet); they also find themselves in unfamiliar places, away from the security of their company’s infrastructure and information technology, and potentially exposed to security threats. This article collects our most valuable tips for your organization’s travel security model. We summarize how to keep yourself and your devices secure.

Incident response analyst report 2020

securelist.com/incident-response-analyst-report-2020/104080/ The Incident response analyst report provides insights into incident investigation services conducted by Kaspersky in 2020. We deliver a range of services to help organizations when they are in need: incident response, digital forensics and malware analysis. Data in the report comes from our daily practices with organizations seeking assistance with full-blown incident response or complementary expert activities for their internal incident response teams. In 2020, the pandemic forced companies to restructure their information security practices, accommodating a work-from-home (WFH) approach. Although key trends in terms of threats have stayed the same, our service delivery moved almost entirely to remote: 97% of all cases were handled remotely.

This is how a cybersecurity researcher accidentally broke Apple Shortcuts

www.zdnet.com/article/this-is-how-a-cybersecurity-researcher-accidentally-broke-apple-shortcuts/#ftag=RSSbaffb68 A Detectify researcher has explained how an investigation into Apple CloudKit led to the accidental downtime of Shortcuts functionality for users. In March, Apple users began to report error messages when they attempted to open shared shortcuts. As noted by 9to5Mac, this bizarre issue was of particular concern to content creators who shared shortcuts with their followers via iCloud, who suddenly found their links were broken. Reports began to surface on March 24, and a day later, the iPad and iPhone maker told MacStories editor-in-chief Federico Viticci that the company was “working to restore previously shared shortcuts as quickly as possible.” According to Detectify Knowledge Advisor and bug bounty hunter Frans Rosén, the root cause of the issue was a misconfiguration flaw he accidentally stumbled upon — and triggered — in Apple CloudKit.

WhatsApp’s End-to-End Encryption Isn’t Actually Broken

threatpost.com/whatsapp-end-encryption-broken/169399/ WhatsApp’s moderators received messages that their intended recipients had flagged. Researchers say this isn’t concerning yet. New revelations about WhatsApp’s moderator access to messages last week might seem like they run counter to the company’s privacy-forward brand, but a closer look shows the messaging service’s privacy protections remain in place and are operating as intended. Taylor Gulley of nVisium told Threatpost that he agrees WhatsApp isn’t violating user privacy with its reporting feature.

Apple releases patches for NSO Group’s ForcedEntry zero-day

support.apple.com/en-us/HT212807 Apple has released security updates today to patch ForcedEntry, a professional exploit developed by Israeli spyware maker NSO Group, which has been abused to hack into the phones of multiple activists since February this year. Patches are available today for macOS, iOS, iPadOS, and watchOS. Tracked as CVE-2021-30860, the ForcedEntry zero-day exploits a bug in CoreGraphics, an Apple component for drawing 2D graphics. In addition, Apple’s security updates today also include a patch for a second zero-day, tracked as CVE-2021-30858. These two zero-days represent the 14th and 15th zero-days Apple has patched this year. More information:

therecord.media/apple-releases-patches-for-nso-groups-forcedentry-zero-day/

www.bleepingcomputer.com/news/apple/apple-fixes-ios-zero-day-used-to-deploy-nso-iphone-spyware/
