Daily NCSC-FI news followup 2021-09-30

Criminals are phishing for Finns' bank credentials: take note of these tips for safe online transactions

www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/rikolliset-urkkivat-suomalaisten-pankkitunnuksia Kela, the National Bureau of Investigation and the National Cyber Security Centre urge caution when logging in to online services. Criminals are phishing for bank credentials in the names of Finnish banks and the Omakanta service. Please transact safely online and learn to recognise scams. Tell your loved ones about the scams as well.

GhostEmperor: From ProxyLogon to kernel mode

securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/ While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out for its usage of a formerly unknown Windows kernel mode rootkit that we dubbed Demodex, and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the underlying cluster GhostEmperor. Our investigation into this activity leads us to believe that the underlying actor is highly skilled and accomplished in their craft, both of which are evident through the use of a broad set of unusual and sophisticated anti-forensic and anti-analysis techniques. also:

media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf

How nation-state attackers like NOBELIUM are changing cybersecurity

www.microsoft.com/security/blog/2021/09/28/how-nation-state-attackers-like-nobelium-are-changing-cybersecurity/ This is the first post in a four-part series on the NOBELIUM nation-state cyberattack. Microsoft started telling the industry about this extremely advanced cyberattack in December 2020. The NOBELIUM blog series – which mirrors Microsoft’s four-part video series “Decoding NOBELIUM” – will pull the curtain back on the world of threat detection and showcase insights from cybersecurity professionals on the front lines, both Microsoft defenders and other industry experts. also: Decoding NOBELIUM: The Docuseries

www.microsoft.com/en-us/security/business/nation-state-attacks

A wolf in sheep’s clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus

blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. The campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.

Ransomware attack disrupts hundreds of bookstores across France, Belgium, and the Netherlands

therecord.media/ransomware-attack-disrupts-hundreds-of-bookstores-across-france-belgium-and-the-netherlands/ Hundreds of bookstores across France, Belgium, and the Netherlands have had their operations disrupted this week after a ransomware attack crippled the IT systems of TiteLive, a French company that operates a SaaS platform for book sales and inventory management.

JVCKenwood hit by Conti ransomware claiming theft of 1.5TB data

www.bleepingcomputer.com/news/security/jvckenwood-hit-by-conti-ransomware-claiming-theft-of-15tb-data/ JVCKenwood has suffered a Conti ransomware attack where the threat actors claim to have stolen 1.7 TB of data and are demanding a $7 million ransom.

Undetected Azure Active Directory Brute-Force Attacks

www.secureworks.com/research/undetected-azure-active-directory-brute-force-attacks

TA544 Targets Italian Organizations with Ursnif Malware

www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware Proofpoint threat researchers identified an increase in targeted threats impacting Italian organizations in 2021. This spike in observed threats is largely driven by a group called TA544 leveraging the Ursnif banking trojan.

All your hashes are belong to us: An overview of malware hashing algorithms

www.gdatasoftware.com/blog/2021/09/an-overview-of-malware-hashing-algorithms VirusTotal’s “Basic Properties” tab alone lists eight different hashes and supports even more to use them for queries and hunt signatures. Hashes are important for malware analysis, as well as identification, description and detection. But why do so many of them exist and when should you use which hash function?

API Threat Research: Elastic Stack Misconfiguration Allows Data Extraction

salt.security/blog/api-threat-research-elastic-vuln Salt Labs researchers investigated a large business-to-consumer (B2C) online platform that provides API-based mobile applications and software as a service to millions of users globally. As a result of API vulnerabilities our researchers identified in the Elastic Stack implementation, they were able to launch attacks where: (1) any user could extract sensitive customer and system data; (2) any user could create a denial-of-service condition that would render the system unavailable.

50% of Servers Have Weak Security Long After Patches Are Released

www.darkreading.com/vulnerabilities-threats/50-of-servers-have-weak-security-long-after-patches-are-released Many servers remain vulnerable to high-severity flaws in Microsoft Exchange Server, VMware vCenter, Oracle WebLogic, and other popular products and services.

The New Security Basics: 10 Most Common Defensive Actions

www.darkreading.com/application-security/the-new-security-basics-10-most-common-defensive-actions Companies now commonly collect security metrics from their software development life cycle, implement basic security measures, and define their obligations to protect user data as part of a basic security strategy.

German IT security watchdog examines Xiaomi mobile phone

www.reuters.com/article/germany-security-china-idUSKBN2GP1BQ Germany’s federal cybersecurity watchdog, the BSI, is conducting a technical examination of a mobile phone manufactured by China’s Xiaomi Corp, a spokesperson for the interior ministry told Reuters on Wednesday.

Turkish national charged for DDoS attacks with the WireX botnet

therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/ US authorities have indicted today a Turkish national for using a now-defunct malware botnet to launch distributed denial-of-service (DDoS) attacks against a Chicago-based multinational hospitality company.

A new scam is plaguing users of online flea markets: “The card is drained as empty as they can manage,” warns expert

yle.fi/uutiset/3-12119203 A new scam is spreading on online peer-to-peer marketplaces, aimed at phishing users' credit card details.

A scammer has been phishing for personal information in Kela's name

www.is.fi/digitoday/art-2000008301415.html Bank details, among other things, have been phished over the phone in Kela's name.

Digital support is still an unfamiliar concept to many

www.epressi.com/tiedotteet/sosiaaliset-kysymykset/digituki-on-edelleen-tuntematon-kasite-monelle.html Do digital devices annoy you? Does it feel like they never do what you want? Is it frustrating that you can't get help with them? We are happy to tell you that you are probably wrong. Digital support is available in many localities, often completely free of charge.

The National Cyber Security Centre is to receive new tasks

www.tivi.fi/uutiset/tv/3b9e608c-3841-46a7-b811-d95ee2a4b034 The Government proposes that the National Cyber Security Centre be designated as Finland's member of the EU-wide network of national cybersecurity coordination centres.

Ranion Ransomware – Quiet and Persistent RaaS

www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas Ranion is a Ransom-as-a-Service (RaaS) that has enjoyed unusual longevity as it has been active since at least February 2017. In this blog, FortiGuard Labs will explain how Ranion RaaS works.

Russian hacker Q&A: An Interview With REvil-Affiliated Ransomware Contractor

www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/ A threat actor who claims to work with REvil and other sophisticated ransomware collectives recently spoke with the Russian-language website Lenta[.]ru on the condition of anonymity.

Researchers Trick Locked iPhones Into Making $1300 Purchases

www.forbes.com/sites/leemathews/2021/09/30/researchers-trick-locked-iphones-into-making-1300-purchases/ A team of academics figured out a way to trick the combination of Apple Pay and Visa cards into silently authorizing large payments. Even though the iPhones the researchers tested were locked during the transactions, they were able to pilfer £1,000 (about $1340). also:

practical_emv.gitlab.io/
