Daily NCSC-FI news followup 2021-09-14

Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed

www.zdnet.com/article/microsoft-september-2021-patch-tuesday-remote-code-execution-flaws-in-mshtml-open-management-fixed/ This month’s round of security fixes tackles critical software issues including a zero-day flaw known to be exploited in the wild. Microsoft has released over 60 security fixes and updates resolving issues including a remote code execution (RCE) flaw in MSHTML and other critical bugs. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, landed on September 14. Products impacted by September’s security update include Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software. More information:

www.bleepingcomputer.com/news/microsoft/microsoft-september-2021-patch-tuesday-fixes-2-zero-days-60-flaws/

New Zloader attacks disable Windows Defender to evade detection

www.bleepingcomputer.com/news/security/new-zloader-attacks-disable-windows-defender-to-evade-detection/ An ongoing Zloader campaign uses a new infection chain to disable Microsoft Defender Antivirus (formerly Windows Defender) on victims’ computers to evade detection. According to Microsoft’s stats, Microsoft Defender Antivirus is the anti-malware solution pre-installed on more than 1 billion systems running Windows 10. The attackers have also changed the malware delivery vector from spam or phishing emails to TeamViewer Google ads published through Google Adwords, redirecting the targets to fake download sites. From there, they are tricked into downloading signed and malicious MSI installers designed to install Zloader malware payloads on their computers.

How to Detect Cobalt Strike: An Inside Look at the Popular Commercial Post-Exploitation Tool

www.recordedfuture.com/detect-cobalt-strike-inside-look/ Throughout history there are many examples of inventions created with good intentions (and maybe still used for the right purposes) but which, in the wrong hands, are used for something more malicious than their original intent. The commercially available adversary emulation software called Cobalt Strike is a perfect example. It was created in 2012 with the intention of aiding pentesters and red teams. Its purpose was to help these teams become more advanced in their work to conduct intrusions where they were allowed to carry out an authorized cyber attack on their company or in a consultative role. It quickly gained popularity in the community because of its full suite of functionality, from payloads and exploitation to command & control. This allowed (and still allows) red teams to conduct an incredibly advanced and wide-ranging attack scenario that wasn’t possible, or as easy, prior to Cobalt Strike. To take a deeper look at the features and the various ways that detecting Cobalt Strike is possible even with the embedded advanced evasion features, the Recorded Future Insikt Group purchased Cobalt Strike and tried to detect it themselves. They found that using full-spectrum detection techniques, there are actually multiple ways and times to detect Cobalt Strike.

Scammers sent text messages about an incoming parcel: managed to defraud people of 375,000 euros in less than a year

yle.fi/uutiset/3-12098399 According to the police, the suspects prepared the crimes carefully, and the modus operandi was exceptionally systematic and complex. There are more than 40 suspects in the case as a whole. Helsinki police have completed the pre-trial investigation of six separate fraud rings, the police announce. In these cases, the banking and personal data of hundreds of private individuals were hijacked, and loans were applied for in their names from finance companies. The suspects obtained the victims’ online banking credentials through scam messages sent, for example, in the name of Posti. One wave of fraud already proceeded to prosecutorial consideration this winter. In addition, three further cases connected to the same complex are still under investigation. Police press release:

poliisi.fi/-/poliisi-tutkii-viime-vuonna-tapahtunutta-mittavaa-petosaaltojen-kokonaisuutta

Romance, BEC Scams Land Soldier in Jail for 46 Months

threatpost.com/romance-bec-scams-soldier-jail/169434/ A former Army reservist was just sentenced to 46 months in prison and ordered to pay nearly $2 million in penalties and restitution, after pleading guilty to scamming dozens of people online, including the elderly and a veteran’s organization for Marines. Joseph Iorhemba Asan Jr., along with his accused co-conspirator and fellow Army Reservist Charles Infeanyi Ogozy, used two primary tactics to steal money from unsuspecting victims, according to the U.S. Attorney’s Office in the Southern District of New York. “Among the many victims of the internet scams facilitated by Joseph Asan Jr. were elderly women and men who were callously fooled into believing they were engaging online with potential romantic interests,” Manhattan U.S. Attorney Audrey Strauss said. “This former serviceman and his co-defendant even laundered money stolen from a U.S. Marine Corps veteran’s organization in one of the conspiracy’s email-spoofing schemes. Asan’s crimes have indeed led to his own reversal of his fortune, as this former defender of this country now becomes a federal prisoner.”

Apple releases emergency update: Patch, but don’t panic

blog.malwarebytes.com/privacy-2/2021/09/apple-releases-emergency-update-patch-but-dont-panic/ Spyware developed by the company NSO Group is back in the news today after Apple released an emergency fix for iPhones, iPads, Macs, and Apple Watches. The update fixes a vulnerability silently exploited by software called Pegasus, which is often used in high-level surveillance campaigns by governments.

Warning: Update Chrome Now As Hackers Attack Two Major Vulnerabilities In Google Browser

www.forbes.com/sites/thomasbrewster/2021/09/14/google-chrome-update-now-to-stop-browser-hacks/ Google has revealed that two weaknesses in Chrome are under active attack, and users have been urged to update their browser to avoid becoming a victim. They were reported to Google via an anonymous party and were given a severity rating of “high.” Little more information was provided on where or how the vulnerabilities (known as zero-days, as developers have “zero days” to fix the flaw before it’s been abused by malicious hackers) have been exploited. The updated version will roll out for Windows, Mac and Linux users “over the coming days/weeks,” Google said in a blog post. When Forbes updated on Tuesday morning on an Apple Mac, it was to the latest, most secure version, 93.0.4577.82. Users can check what version they’re running by clicking the “About Google Chrome” button in the help section of the browser. Monday was a big day for significant security updates. Google also revealed nine other vulnerabilities rated “high” severity that were patched in the latest Chrome release. Two of those were deemed serious enough to warrant a $7,500 payout to the security researchers who found them.

HP patches severe OMEN driver privilege escalation vulnerability

www.zdnet.com/article/hp-patches-omen-driver-privilege-escalation-vulnerability/ A high-impact vulnerability in OMEN Command Center driver software has been patched by HP. On Tuesday, researchers from SentinelLabs published a technical deep-dive on the bug, tracked as CVE-2021-3437 and issued with a CVSS score of 7.8. SentinelLabs says the high-severity flaw impacts “millions of devices worldwide,” including a wide variety of OMEN gaming laptops and desktops, as well as HP Pavilion and HP ENVY models.

OWASP Top 10 ranking has a new leader after ten years

therecord.media/owasp-top-10-ranking-has-a-new-leader-after-ten-years/ The OWASP Top 10, a list of the most dangerous web vulnerabilities, has been updated after four years, and, after more than a decade, there is a new vulnerability at the top of the ranking. New Top 3: Broken Access Control, Cryptographic Failures, Injection.

iPhone and iPad devices are under threat: do this right away to keep your data safe

www.is.fi/digitoday/art-2000008263336.html Apple has released a patch for two critical security holes. The vulnerabilities sound very mundane: opening PDF attachments and visiting certain websites. Watch the video to see how to update your iPhone and secure your data. The same instructions also apply to the iPad. Updates are not available for older iPhone and iPad models.

Apple September 2021 Event

www.apple.com/newsroom/ Apple unveils iPhone 13 Pro, iPhone 13 Pro Max, iPhone 13, iPhone 13 mini, iPad mini, and Apple Watch Series 7.

More ProxyShell? Web Shells Lead to ZeroLogon and Application Impersonation Attacks

www.fortinet.com/blog/threat-research/more-proxyshell-web-shells-lead-to-zerologon-and-application-impersonation-attacks FortiGuard Labs recently discovered an unidentified threat actor leveraging ProxyShell exploits using techniques that have yet to be reported. Multiple instances of FortiEDR had detected malicious DLLs in memory, and we uncovered these new techniques while consulting with one of the organizations that had been compromised by ProxyShell. Through active threat hunting, we were then able to determine that other organizations had also been compromised. The DLLs, which were previously unknown based on their SHA256 file hashes, were used to perform active reconnaissance, obtain hashed passwords via Zerologon, and perform pass-the-hash authentication to establish persistence via Exchange Application Impersonation. This blog intends to provide an analysis of these DLLs. We documented the malicious activity associated with them by recreating the incidents in a lab environment. The goal is to help the public and future customers determine if they have related activity in their environment and take appropriate action.
