Daily NCSC-FI news followup 2021-09-17

NSO Group iMessage Zero-Click Exploit Captured in the Wild

citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/ The Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as “processing a maliciously crafted PDF may lead to arbitrary code execution.” In this article, Citizen Lab analyses the exploit chain in detail.

Mitigating malware and ransomware attacks

www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks The guidance document helps private and public sector organisations deal with the effects of malware (which includes ransomware). It provides actions to help organisations prevent a malware infection, and also steps to take if you’re already infected.

Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang

threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/ Microsoft and RiskIQ researchers have identified several campaigns using the recently patched zero-day, reiterating a call for organizations to update affected systems. Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by Microsoft this week.

Malware samples found trying to hack Windows from its Linux subsystem

therecord.media/malware-samples-found-trying-to-hack-windows-from-its-linux-subsystem/ Security researchers at Lumen’s Black Lotus Labs have found a series of malware samples that were configured to infect the Windows Subsystem for Linux and then pivot to its native Windows environment. Researchers claim the samples are the first of their kind, although security experts have theorized as far back as 2017 that such attacks would be possible at some point.

OMIGOD: Microsoft Azure VMs exploited to drop Mirai, miners

www.bleepingcomputer.com/news/security/omigod-microsoft-azure-vms-exploited-to-drop-mirai-miners/ Threat actors started actively exploiting the critical Azure OMIGOD vulnerabilities two days after Microsoft disclosed them during this month’s Patch Tuesday. The four security flaws (allowing privilege escalation and remote code execution) were found in the Open Management Infrastructure (OMI) software agent silently installed by Microsoft on more than half of all Azure instances.

Microsoft asks Azure Linux admins to manually patch OMIGOD bugs

www.bleepingcomputer.com/news/microsoft/microsoft-asks-azure-linux-admins-to-manually-patch-omigod-bugs/ Microsoft has issued additional guidance on securing Azure Linux machines impacted by recently addressed critical OMIGOD vulnerabilities. The four security flaws (allowing remote code execution and privilege escalation) were found in the Open Management Infrastructure (OMI) software agent silently installed on more than half of Azure instances.

Malware Attack on Aviation Sector Uncovered After Going Unnoticed for 2 Years

thehackernews.com/2021/09/malware-attack-on-aviation-sector.html A targeted phishing campaign aimed at the aviation industry for two years may be spearheaded by a threat actor operating out of Nigeria, highlighting how attackers can carry out small-scale cyber offensives for extended periods of time while staying under the radar.

Forged vaccination certificates are being sold on the Telegram messaging app; a Finnish “certificate” goes for 150 euros

yle.fi/uutiset/3-12101786 A black market for forged vaccination certificates has taken root on the Telegram messaging app, according to a study by the international security company Check Point Research. According to the study, forgeries purporting to be coronavirus vaccination certificates from a total of 28 countries are being sold on the messaging app. These include many EU countries, Finland among them. According to the study, the price of a forged vaccination certificate for Finland and most other EU countries is 150 euros.

Trial Ends in Guilty Verdict for DDoS-for-Hire Boss – downthem / ampnode

krebsonsecurity.com/2021/09/trial-ends-in-guilty-verdict-for-ddos-for-hire-boss/ A jury in California today reached a guilty verdict in the trial of Matthew Gatrel, a St. Charles, Ill. man charged in 2018 with operating two online services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against Internet users and websites. Gatrel’s conviction comes roughly two weeks after his co-conspirator pleaded guilty to criminal charges related to running the services.

Router protection for MikroTik users

www.kaspersky.com/blog/how-to-protect-mikrotik-from-meris-botnet/41972/ Recent large-scale DDoS attacks using a new botnet called Mēris peaked at almost 22 million requests per second. According to Qrator research, MikroTik’s network devices generated a fair share of the botnet’s traffic. Having analyzed the situation, MikroTik experts found no new vulnerabilities in the company’s routers; however, old ones may still pose a threat. Therefore, to ensure your router has not joined the Mēris botnet (or any other botnet, for that matter), you need to follow a few recommendations.

Healthcare sector actors practise their cyber security preparedness at the virtual hospital of Jyväskylän ammattikorkeakoulu (JAMK University of Applied Sciences)

www.epressi.com/tiedotteet/terveys/jyvaskylan-ammattikorkeakoulun-virtuaalisairaalassa-harjoitellaan-terveydenhuoltoalan-toimijoiden-kyberturvallisuusvalmiutta.html The nature of healthcare work makes the sector extremely sensitive to service disruptions. An attack on a hospital’s information systems or data network can delay or halt procedures, adversely affecting patient safety. National healthcare actors and hospital districts will gather at Jyväskylän ammattikorkeakoulu on 21–23 September to practise and develop their cyber security preparedness in the pilot exercise of the Healthcare Cyber Range project.

Fake Walmart press release causes cryptocurrency price surge

www.bitdefender.com/blog/hotforsecurity/fake-walmart-press-release-causes-cryptocurrency-price-surge/ The cryptocurrency Litecoin soared in value earlier this week upon the news that supermarket giant Walmart would accept it as a form of payment at its retail stores across America. The only problem was… it simply wasn’t true.

Telegram emerges as new dark web for cyber criminals

arstechnica.com/information-technology/2021/09/telegram-emerges-as-new-dark-web-for-cyber-criminals/ Telegram has exploded as a hub for cybercriminals looking to buy, sell, and share stolen data and hacking tools, new research shows, as the messaging app emerges as an alternative to the dark web.

Exploitation of the CVE-2021-40444 vulnerability in MSHTML

securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/ Last week, Microsoft reported the remote code execution vulnerability CVE-2021-40444 in the MSHTML browser engine. According to the company, this vulnerability has already been used in targeted attacks against Microsoft Office users. In an attempt to exploit this vulnerability, attackers create a document with a specially crafted object. If a user opens the document, MS Office will download and execute a malicious script. According to our data, the same attacks are still happening all over the world. We are currently seeing attempts to exploit the CVE-2021-40444 vulnerability targeting companies in the research and development sector, the energy sector and large industrial sectors, banking and medical technology development sectors, as well as telecommunications and the IT sector.
