Daily NCSC-FI news followup 2021-10-05

Understanding How Facebook Disappeared from the Internet

blog.cloudflare.com/october-2021-facebook-outage/ The Internet is literally a network of networks, and it’s bound together by BGP. BGP allows one network (say Facebook) to advertise its presence to other networks that form the Internet. As we write, Facebook is not advertising its presence; ISPs and other networks can’t find Facebook’s network and so it is unavailable. With those withdrawals, Facebook and its sites had effectively disconnected themselves from the Internet. As a direct consequence, DNS resolvers all over the world stopped resolving Facebook’s domain names: its authoritative nameservers sit inside the withdrawn address space, so resolvers could no longer reach them. See also Facebook’s own account: engineering.fb.com/2021/10/04/networking-traffic/outage/
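To make the mechanism concrete, here is an added example that is not code from the Cloudflare or Facebook posts: it decodes the withdrawn-routes field of an RFC 4271 BGP UPDATE message, applies the withdrawal to a toy routing table, and shows that once the prefix holding a site’s authoritative nameservers has no route left, a resolver has nowhere to send its query. The prefix 192.0.2.0/24, the nameserver address 192.0.2.53 and the peer name are constructed for the example.

```python
# Added example (not from the Cloudflare or Facebook posts): decode the withdrawn
# routes in an RFC 4271 BGP UPDATE, apply them to a toy routing table, and show
# the knock-on effect on DNS reachability. Prefixes and peer names are constructed.
import struct
from ipaddress import IPv4Address, IPv4Network

BGP_MARKER = b"\xff" * 16   # RFC 4271: 16-byte all-ones marker
BGP_UPDATE = 2              # message type code for UPDATE
HEADER_LEN = 19             # marker (16) + length (2) + type (1)


def _decode_prefixes(buf: bytes) -> list:
    """Decode a run of <prefix length in bits, truncated prefix bytes> tuples."""
    prefixes, i = [], 0
    while i < len(buf):
        plen = buf[i]
        nbytes = (plen + 7) // 8
        raw = buf[i + 1:i + 1 + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated prefix field")
        # Pad the truncated address back to 4 bytes; trailing bits are ignored.
        prefixes.append(IPv4Network((raw.ljust(4, b"\x00"), plen), strict=False))
        i += 1 + nbytes
    return prefixes


def parse_update(msg: bytes) -> dict:
    """Parse one complete BGP UPDATE and return withdrawn and announced prefixes."""
    if len(msg) < HEADER_LEN or msg[:16] != BGP_MARKER:
        raise ValueError("bad BGP header")
    length, mtype = struct.unpack("!HB", msg[16:HEADER_LEN])
    if length != len(msg) or mtype != BGP_UPDATE:
        raise ValueError("not a single complete UPDATE message")
    body = msg[HEADER_LEN:]
    (wlen,) = struct.unpack("!H", body[:2])
    withdrawn = _decode_prefixes(body[2:2 + wlen])
    (alen,) = struct.unpack("!H", body[2 + wlen:4 + wlen])
    attrs = body[4 + wlen:4 + wlen + alen]       # path attributes, skipped by length here
    announced = _decode_prefixes(body[4 + wlen + alen:])
    return {"withdrawn": withdrawn, "attr_len": len(attrs), "announced": announced}


def _encode_prefix(net: IPv4Network) -> bytes:
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def build_withdrawal(prefixes) -> bytes:
    """Construct an UPDATE that only withdraws routes (no attributes, no NLRI)."""
    wr = b"".join(_encode_prefix(IPv4Network(p)) for p in prefixes)
    body = struct.pack("!H", len(wr)) + wr + struct.pack("!H", 0)
    return BGP_MARKER + struct.pack("!HB", HEADER_LEN + len(body), BGP_UPDATE) + body


class Rib:
    """Minimal routing table: prefix -> set of peers that currently advertise it."""

    def __init__(self):
        self.routes = {}

    def apply(self, peer: str, update: dict) -> None:
        for net in update["withdrawn"]:
            peers = self.routes.get(net)
            if peers is not None:
                peers.discard(peer)
                if not peers:
                    del self.routes[net]        # nobody advertises it any more
        for net in update["announced"]:
            self.routes.setdefault(net, set()).add(peer)

    def lookup(self, ip: str):
        """Longest-prefix match; None means there is no route at all."""
        addr = IPv4Address(ip)
        best = None
        for net in self.routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return best


def demo():
    """Announce the prefix that (hypothetically) hosts a site's authoritative
    nameservers, then withdraw it, and look up the nameserver address both times."""
    rib = Rib()
    ns_prefix = "192.0.2.0/24"     # constructed documentation prefix, not a real allocation
    ns_ip = "192.0.2.53"           # constructed nameserver address inside that prefix
    rib.apply("peer-A", {"withdrawn": [], "announced": [IPv4Network(ns_prefix)]})
    before = rib.lookup(ns_ip)
    rib.apply("peer-A", parse_update(build_withdrawal([ns_prefix])))
    after = rib.lookup(ns_ip)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("route to nameserver before withdrawal:", before)
    print("route to nameserver after withdrawal:", after)
```

Running it, the lookup for the nameserver address goes from a /24 route to None. A real resolver in that position cannot even send the query, so it fails the lookup rather than receiving an NXDOMAIN, and once cached answers expire nothing replaces them. The parser reads only the withdrawn-routes and NLRI fields; path attributes are skipped by their declared length.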

Drawing a Dragon: Connecting the Dots to Find APT41

blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41 The BlackBerry Research & Intelligence Team recently connected seemingly disparate malware campaigns, which began with an unusual Cobalt Strike configuration that was first included in a blog post published the same month as COVID-19 lockdowns began in Europe and the U.S. What we found led us through a malicious infrastructure that had been partially documented in articles by several other research organizations. The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims. And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic.

UEFI threats moving to the ESP: Introducing ESPecter bootkit

www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/ ESET researchers analyze a previously undocumented, real-world UEFI bootkit that persists on the EFI System Partition (ESP). The bootkit, which we’ve named ESPecter, can bypass Windows Driver Signature Enforcement to load its own unsigned driver, which facilitates its espionage activities. Alongside Kaspersky’s recent discovery of the unrelated FinSpy bootkit, it is now safe to say that real-world UEFI threats are no longer limited to SPI flash implants, as used by Lojax. ESPecter was encountered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why we believe ESPecter is mainly used for espionage.

Company That Routes Billions of Text Messages Quietly Says It Was Hacked

www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked Syniverse, a company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide. Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as call length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.

Mobile Malware: TangleBot Untangled

www.proofpoint.com/us/blog/threat-insight/mobile-malware-tanglebot-untangled TangleBot is leveraging COVID-19 and electricity-themed lures in its effort to convince users to click on the malicious link and install the malware. The SMS links are only malicious via Android mobile devices and are currently only being sent to US and Canadian users. TangleBot, while sharing some similarities with the Medusa malware, has some key distinguishing features that make it particularly threatening, such as its advanced behaviors and transmission abilities and its use of a string decryption routine as part of its obfuscation.

NSA chief predicts U.S. will face ransomware ‘every single day’ for years to come

therecord.media/nsa-chief-predicts-u-s-will-face-ransomware-every-single-day-for-years-to-come/ The U.S. will have to contend with the threat of ransomware daily for at least the next several years, the leader of the country’s premier digital spy agency said Tuesday. “Every single day,” Gen. Paul Nakasone, the director of the National Security Agency and the head of U.S. Cyber Command, answered during a discussion at the Mandiant Cyber Defense Summit in Washington when asked if the threat would persist for the next five years.

Ransomware in a global context

blog.virustotal.com/2021/10/ransomware-in-global-context.html Today we are proud to announce our very first VirusTotal Ransomware Activity Report. This initiative is designed to help researchers, security practitioners and the general public better understand the nature of ransomware attacks by sharing VirusTotal’s visibility.

How to Build an Incident-Response Plan, Before Security Disaster Strikes

threatpost.com/incident-response-plan-security-disaster/175335/ A strong incident-response plan can help a company recover quickly and reduce incident costs. It’s also critical to not only have an incident-response plan, but also to be “incident-response ready,” which means that the plan is periodically tested, similar to a fire drill.

Assessment of the investigation into mobile device security

www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/arvio-mobiililaitteiden-turvallisuuden-selvityksesta The National Cyber Security Centre Finland (Kyberturvallisuuskeskus) at the Finnish Transport and Communications Agency Traficom has reviewed the report of an investigation by Lithuania’s National Cyber Security Centre into mobile devices from three smartphone manufacturers. The NCSC-FI has found the report to be substantially accurate in its content. In the NCSC-FI’s assessment, third-party app stores may have cybersecurity implications.

Apache fixes zero-day vulnerability exploited in the wild, patch now

www.bleepingcomputer.com/news/security/apache-fixes-zero-day-vulnerability-exploited-in-the-wild-patch-now/ The Apache Software Foundation has released version 2.4.50 of the HTTP Server to address two vulnerabilities, one of which is an actively exploited path traversal and file disclosure flaw. The actively exploited zero-day, tracked as CVE-2021-41773, affects version 2.4.49 and lets attackers map URLs to files outside the expected document root by launching a path traversal attack.
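The defensive point behind any path traversal bug of this kind is the order of operations: a request path has to be percent-decoded and normalised before it is checked against the document root, and a check that looks for a literal “..” in the raw URL is not a check at all. The following is an added example, not Apache’s code and not the 2.4.50 fix: it shows a deliberately weak check next to a decode-then-normalise-then-contain check, and reuses the latter to sweep access-log lines for requests that escape the root. The document root /var/www/html, the request paths and the log lines are constructed for the example.

```python
# Added example (not Apache's code and not the patched fix): map a request path
# onto the document root only after decoding and normalising it, and sweep
# access-log lines for requests that escape the root. Docroot, paths and log
# lines are constructed for the example.
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # assumed document root for the example


def naive_is_safe(url_path: str) -> bool:
    """Deliberately weak check that searches the raw request path for '..'.
    It misses percent-encoded dots and wrongly rejects harmless '/a/../b'."""
    return ".." not in url_path


def resolve_request_path(url_path: str, docroot: str = DOCROOT) -> Optional[str]:
    """Return the filesystem path a request maps to, or None if it would leave docroot.
    Order matters: decode first, then normalise, then check containment."""
    decoded = unquote(url_path.split("?", 1)[0])   # drop any query string, decode %XX once
    if "\x00" in decoded:                          # NUL can truncate paths in C code
        return None
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return None
    return candidate


# Apache combined-log request field: "METHOD /path HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines: List[str], docroot: str = DOCROOT) -> List[str]:
    """Return the raw request paths whose decoded, normalised form escapes docroot."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if m and resolve_request_path(m.group("path"), docroot) is None:
            hits.append(m.group("path"))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.79"',
    '203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 2134 "-" "curl/7.79"',
    '198.51.100.9 - - [05/Oct/2021:10:00:03 +0000] "GET /docs/../index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path in ("/index.html", "/docs/../index.html", "/.%2e/.%2e/etc/passwd"):
        print(f"{path:32} naive_safe={naive_is_safe(path)!s:5} resolves_to={resolve_request_path(path)}")
    print("flagged:", suspicious_requests(SAMPLE_LOG))
```

The weak check gets both constructed cases wrong: it rejects /docs/../index.html, which normalises to a file inside the root, and accepts the encoded-dot request, which does not. The log sweep is the retrospective check a responder wants after patching; it is not a substitute for upgrading, because in Apache’s case the normalisation defect was inside the server itself.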

Android October patch fixes three critical bugs, 41 flaws in total

www.bleepingcomputer.com/news/security/android-october-patch-fixes-three-critical-bugs-41-flaws-in-total/ Google has released the Android October security updates, addressing 41 vulnerabilities, all rated either high or critical severity. None of the 41 flaws addressed this month has been reported to be under active exploitation in the wild, although the absence of reports does not rule out working exploits circulating.

Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester

blog.nviso.eu/2021/10/04/phish-phished-phisher-a-quick-peek-inside-a-telegram-harvester/ In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share.

What 10,000 Analysts Showed Us About the State of Threat Hunting

www.riskiq.com/blog/external-threat-management/state-of-threat-hunting/ As cyberthreats increase, security analysts are our first line of defense. Their skills, know-how, and passion for their work meet attackers head-on. Unfortunately, these analysts often lack the resources, technology, and latest techniques to defeat them. After speaking with thousands of analysts, here are the top five things Benjamin wants all threat hunters and incident responders to know.

AvosLocker ransomware gang to auction the data of victims who don’t pay

therecord.media/avoslocker-ransomware-gang-to-auction-the-data-of-victims-who-dont-pay/ The operators of the AvosLocker ransomware gang have updated their website to create a system through which they plan to auction off the data of hacked companies that refuse to pay ransom demands.

Python ransomware script targets ESXi server for encryption

news.sophos.com/en-us/2021/10/05/python-ransomware-script-targets-esxi-server-for-encryption/ A recently concluded investigation into a ransomware attack revealed that the attackers executed a custom Python script on the target’s virtual machine hypervisor to encrypt all the virtual disks, taking the organization’s VMs offline. In one of the quickest attacks Sophos has investigated, the attackers spent just over three hours on the target’s network from initial compromise to deployment of the ransomware script, then encrypted the virtual disks on a VMware ESXi server.

Windows 11 is out. Is it any good for security?

blog.malwarebytes.com/malwarebytes-news/2021/10/windows-11-security/ Windows 11, the latest operating system (OS) from Microsoft, launches today, and organizations have begun asking themselves when and if they should upgrade from Windows 10 or older versions. The requirements and considerations of each organization will be different, and many things will inform the decisions they make about whether to stick or twist. One of those things will be whether or not Windows 11 makes them safer and more secure. I spoke to Malwarebytes’ Windows experts Alex Smith and Charles Oppermann to understand what’s changed in Windows 11 and what impact it could have on security.

Telegraph newspaper bares 10TB of subscriber data and server logs to world+dog

www.theregister.com/2021/10/05/telegraph_newspaper_10tb_data_breach/ The Telegraph newspaper managed to leak 10TB of subscriber data and server logs after leaving an Elasticsearch cluster unsecured for most of September, according to the researcher who found it online.

F-Secure’s Mikko Hyppönen: The concentration of online services in Silicon Valley is the internet’s weak spot; Facebook’s collapse “quite exceptional”

yle.fi/uutiset/3-12128657 Facebook’s services going down for six hours showed how vulnerable a position we are in. In the future the internet will be as essential as the electricity grid, and that frightens even F-Secure’s research director Mikko Hyppönen.

Data of up to 1.5 billion Facebook users allegedly for sale on the dark web

www.tivi.fi/uutiset/tv/0169a572-011f-440c-839c-8c89267d6a00 Data of as many as 1.5 billion Facebook users is allegedly being offered for sale on dark web hacker forums, Privacy Affairs writes. This is unrelated to the recent Facebook service outage and is merely an unfortunate coincidence for the company. The data on offer does not in itself contain anything a snooper could not access anyway; it is a compilation of information that Facebook users have left public. The data apparently includes name, email address, location data, gender, phone number and user ID. Facebook users should consider what information about themselves they want to share on the service; setting profile details to private may be sensible in this respect.

Illegal Activities Endure on China’s Dark Web Despite Strict Internet Control

www.recordedfuture.com/illegal-activities-endure-chinas-dark-web/ This report analyzes the structure of internet sources used by Chinese-speaking threat actors to facilitate cybercriminal activities, specifically Chinese-language dark web sources, clearnet hacking forums and blogs, instant messaging platforms, and well-established criminal sources. The report aims to provide a general understanding of the Chinese-speaking cybercriminal landscape and the threat it presents in the context of its distinct cultural, political, and legal characteristics. Report (PDF):

