Daily NCSC-FI news followup 2021-09-16

APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus

us-cert.cisa.gov/ncas/alerts/aa21-259a The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. CVE-2021-40539, rated critical by the Common Vulnerability Scoring System (CVSS), is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution.

Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware

www.bitdefender.com/blog/labs/bitdefender-offers-free-universal-decryptor-for-revil-sodinokibi-ransomware/ Bitdefender announced the availability of a universal decryptor for REvil/Sodinokibi. Created in collaboration with a trusted law enforcement partner, this tool helps victims encrypted by REvil ransomware to restore their files and recover from attacks made before July 13, 2021.

Customer Care Giant TTEC Hit By Ransomware

krebsonsecurity.com/2021/09/customer-care-giant-ttec-hit-by-ransomware/ TTEC, a company used by some of the world’s largest brands to help manage customer support and sales online and over the phone, is dealing with disruptions from a network security incident resulting from a ransomware attack. TTEC’s own message to employees suggests the company’s network may have been hit by the ransomware group “Ragnar Locker”.

Ransomware scammers target artists with fake Krita revenue deals

blog.malwarebytes.com/cybercrime/2021/09/ransomware-scammers-target-artists-with-fake-krita-revenue-deals/ The Krita digital painting application is currently being targeted by ransomware authors. Ransomware scammers send out mails to artists. Those mails claim to be from the team behind the Krita tool, and contain links which redirect potential victims to the real domain. This is to make everything look above board and legitimate. Regardless of how the emails present themselves, there’s one common factor: they claim to link to a “mediabank” which contains icons, screenshots and previous video campaigns. The contents are “confidential”, which is a sneaky way to prevent potential victims telling anybody about it. Some folks have reported the contents of the zip as .scr files masquerading as images/videos.

Anonymous hacks and leaks data from domain registrar Epik

therecord.media/anonymous-hacks-and-leaks-data-from-domain-registrar-epik/ Hacktivist group Anonymous has successfully breached and leaked the database of Epik, a controversial web hosting provider and domain registrar that has given shelter to many right-wing websites over the past few years, such as Gab, Parler, and The Donald. The hack, which based on timestamps in the leaked data took place on February 28, was announced on Monday via a dedicated website and posts on internet forum 4chan.

Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects

thehackernews.com/2021/09/travis-ci-flaw-exposes-secrets-of.html Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks. The issue tracked as CVE-2021-41077 concerns unauthorized access and plunder of secret environment data associated with a public open-source project during the software build process. The problem is said to have lasted during an eight-day window between September 3 and September 10. Felix Lange of Ethereum has been credited with discovering the leakage on September 7, with the company’s Péter Szilágyi pointing out that “anyone could exfiltrate these and gain lateral movement into 1000s of organizations.”

Finns are sharing a devious scam on Facebook: the price of a slip-up is 67 per month

www.is.fi/digitoday/tietoturva/art-2000008267817.html A scam campaign is under way on Facebook that lures Finns into a subscription trap. Behind the scam is a fake Facebook page called Finnkino Suomi. The page is forged and uses the Finnkino brand. Both the advertisement and the scam message are written in good Finnish. The scam is exceptionally convincing throughout.

New Windows security updates break network printing

www.bleepingcomputer.com/news/security/new-windows-security-updates-break-network-printing/ Windows administrators report wide-scale network printing problems after installing this week’s September 2021 Patch Tuesday security updates. On Tuesday, Microsoft released sixty security updates and fixes for numerous bugs as part of their monthly Patch Tuesday updates, including a fix for the last remaining PrintNightmare vulnerability tracked as CVE-2021-36958. However, many Windows system administrators are now reporting that their computers can no longer print to network printers after installing the PrintNightmare fixes on their print servers.
