Daily NCSC-FI news followup 2021-10-06

Actively exploited Apache 0-day also allows remote code execution

www.bleepingcomputer.com/news/security/actively-exploited-apache-0-day-also-allows-remote-code-execution/ Proof-of-Concept (PoC) exploits for the Apache web server zero-day surfaced on the internet revealing that the vulnerability is far more critical than originally disclosed. These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution (RCE) abilities. Attackers can abuse Apache servers running version 2.4.49 not only to read arbitrary files but also to execute arbitrary code on the servers. Security researcher Hacker Fantastic noted that the flaw soon turns into a Remote Code Execution (RCE) vulnerability on a Linux system if the server is configured to support CGI via mod_cgi. CERT’s vulnerability analyst Will Dormann and security researcher Tim Brown have also reported success with code execution on Windows machines. “Again, Apache needs to be the vulnerable 2.4.49 version, and mod-cgi is enabled, and it needs to be missing the default Require all denied. But if both of those are true, then CVE-2021-41773 is as RCE as it gets, ” explains Dormann.

Anonymous leaks Twitch source code and business data on 4chan

therecord.media/anonymous-leaks-twitch-source-code-and-business-data-on-4chan/ Individuals claiming to be part of the Anonymous hacker collective have leaked the source code and business data of video streaming platform Twitch via a torrent file posted on the 4chan discussion board earlier today. The source of the leak is currently believed to be an internal Git server. Git servers are typically used by companies to allow large teams of programmers to make controlled and easily reversible changes to source code repositories. The leak was also labeled as “part one, ” suggesting that more data will be leaked in the future. Although no user data was found in the leak, several security researchers have urged users to change their passwords and enable a multi-factor authentication solution for their account as a precaution.

Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms

www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe. The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool. Assessments as to the identity of the operators and authors of ShellClient resulted in the identification of a new Iranian threat actor dubbed MalKamak that has operated since at least 2018 and remained publicly unknown thus far. In addition, our research points out possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT (APT39) and Agrius APT. However, we assess that MalKamak has distinct features that separate it from the other Iranian groups.

Facebook CEO Mark Zuckerberg on putting profit before safety: ‘That’s just not true’

www.zdnet.com/article/facebook-ceo-mark-zuckerberg-on-putting-profit-before-safety-thats-just-not-true/ Facebook founder and CEO Mark Zuckerberg has publicly addressed claims that the social media giant prioritises profit over safety and wellbeing is “just not true”. “We care deeply about issues like safety, wellbeing, and mental health. It’s difficult to see coverage that misrepresents our work and our motives. At the most basic level, I think most of us just don’t recognize the false picture of the company that is being painted, ” Zuckerberg wrote in note to Facebook employees that he publicly posted on his Facebook page.

Poliisi ei saa käyttää asiakastietoja Vastaamo-tutkinnassa

www.is.fi/digitoday/tietoturva/art-2000008313809.html Psykoterapiakeskus Vastaamoa koskevan tietomurron suomalaisittain hyvin merkittävää tutkintaa joudutaan jatkamaan ilman asiakastiedot sisältävää aineistoa. Näin päätti korkein oikeus eli KKO keskiviikkona. Päätös liittyy poliisin tutkimaan epäiltyyn tietomurtoon Vastaamon tuotantopalvelimeen, jonka tutkinnan yhteydessä asiakastietokannasta eriteltiin teknisesti siihen sisältyvien henkilöiden nimet ja yhteystiedot. Etsintävaltuutettu vastusti tietojen takavarikoimista ja jäljentämistä, ja Helsingin käräjäoikeus oli samaa mieltä päätöksessään viime vuoden lopulla.

Singapore inks pact with Finland to mutually recognise IoT security labels

www.zdnet.com/article/singapore-inks-pact-with-finland-to-mutually-recognise-iot-security-labels/ Year after it introduced a security labelling programme for consumer Internet of Things devices, Singapore has signed an agreement with Finland to recognise each nation’s respective cybersecurity labels, touting it as the first such pact. Touting it as the first of such bilateral recognition, Singapore says the partnership aims to reduce the need for duplicated testing.

Loss of Intellectual Property, Customer Data Pose Greatest Business Risks

www.darkreading.com/edge-threat-monitor/loss-of-intellectual-property-customer-data-pose-greatest-business-risks Dark Reading’s “The State of Incident Response 2021” report shows that security professionals have been most concerned about breaches of intellectual property and business secrets (36%), followed by the unauthorized use of applications by credentialed users (17%). In addition, 16% said outages of internal IT systems, applications, or networks pose big organizational risks.

Ransomware Impact on the Education Sector

www.fortinet.com/blog/threat-research/ransomware-impact-on-the-education-sector FortiGuard Labs has identified at least 20 different ransomware infections targeting the education sector. Most of these infections occurred in the United States, which outnumbered the other countries by a large margin. The Pysa and Ryuk ransomware families were the most common, closely followed by Grief and Babuk ransomware. Interestingly, many notable ransomware variants, such as REvil, Blackmatter, Lockbit, DarkSide, and Ragnar Locker, were not found to be targeting schools. That may be partially explained by the policy mentioned above that some ransomware groups have imposed on affiliates, banning them from attacking specific sectors such as health and education.

The Biggest Cybersecurity Threats Facing Healthcare Organizationsand How to Protect Yourself

www.recordedfuture.com/biggest-cybersecurity-threats-facing-healthcare-organizations/ In fact, the healthcare industry is a top target for threat actors because of the unique blend of characteristics that comprise organizations within the industry. A study by the National Institute of Standards and Technology and the Office for Civil Rights found that 70% of malware attacks in 2019 were targeted at healthcare and public health organizations. The report by the Healthcare & Public Health Sector Coordinating Councils dives into the five threats facing the healthcare industry. Let’s take a look at these threats and also how you can improve your security posture to defend against these attacks.

Unit 42 Cloud Threat Report, 2H 2021

www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-2h21.html Supply chain attacks in the cloud continue to grow as an emerging threat. However, much remains misunderstood about both the nature of these attacks and how to defend against them. This report draws on Unit 42’s analysis of past supply chain attacks. It explains the full scope of supply chain attacks, discusses poorly understood details about how they occur, and recommends actionable best practices organizations can adopt today to protect their supply chains in the cloud.

Medtronic urgently recalls insulin pump controllers over hacking concerns

www.bleepingcomputer.com/news/security/medtronic-urgently-recalls-insulin-pump-controllers-over-hacking-concerns/ Medtronic is urgently recalling remote controllers for insulin pumps belonging to the MiniMed Paradigm’ family of products, due to severe cybersecurity risks. The controllers that should be returned to the vendor are models MMT-500 and MMT-503, used with Medtronic MiniMed 508 insulin pump and the MiniMed Paradigm family of insulin pumps. These devices were sold in the United States between August 1999 and July 2018, and it is estimated that there are 31, 310 vulnerable units in use by diabetic patients in the country at the moment.

Google to auto-enroll 150m users, 2m YouTubers with two-factor authentication

www.theregister.com/2021/10/06/google_twofactor_authentication/ Google is going to automatically enroll 150 million users and two million YouTube creators into using two-factor authentication for their accounts by the end of the year, it announced on Tuesday. Google calls this two-step verification (2SV) and it involves being sent a code to type in, using a hardware key, or an app on your phone.

Fired IT admin revenge-hacks school by wiping data, changing passwords

www.bleepingcomputer.com/news/security/fired-it-admin-revenge-hacks-school-by-wiping-data-changing-passwords/ A 29-year old wiped data on systems of a secondary school in the U.K. and changed the passwords at an IT company, in retaliatory cyber attacks for being fired. As a result of his actions, the school’s systems could no longer be accessed and remote learning was impacted at a time when pupils were at home due to the Covid-19 pandemic.

Mandia Alerted NSA on FireEye’s SolarWinds Breach

www.darkreading.com/threat-intelligence/mandia-alerted-nsa-on-fireeye-s-solarwinds-breach “National security” concerns led former CEO Kevin Mandia to call the NSA when FireEye discovered its breach in late 2020.

How To Triage Leaked Credentials

www.recordedfuture.com/how-to-triage-leaked-credentials/ Leaked and stolen credentials pose a critical risk to organizations everywhere. In fact, 61% of breaches involve compromised credentials. Every year, billions of credentials appear on the dark web, paste sites, and in data dumps shared by cybercriminals. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, and more. But what do you do if you’ve discovered leaked employee or customer credentials? This step-by-step guide will show you exactly what to do.

Mana Tools: A Malware C2 Panel with a Past

www.riskiq.com/blog/external-threat-management/mana-tools-malware-c2-panel/ As part of our ongoing research into malware distribution infrastructure, we investigated “Mana Tools, ” a malware distribution and command and control (C2) panel associated with several big names in the malware world, including RevengeRat, AzoRult, Lokibot, Formbook, and Agent Tesla.

Azurescape: What You Need to Know

blog.aquasec.com/azurescape-azure-container-instances Microsoft recently disclosed a security vulnerability in its Azure Container Instances (ACI) service, referred to as Azurescape. No actual exploitations were reported and, thankfully, no Azure customers were affected by this vulnerability. To clear any doubts around risks to current environments, in this post we will examine the anatomy of a possible attack leveraging Azurescape and what it means for an effective defense-in-depth strategy for cloud native environments.

You might be interested in …

Daily NCSC-FI news followup 2020-03-01

Switzerland files criminal complaint over Crypto spying scandal www.reuters.com/article/us-swiss-spying-crypto/switzerland-files-criminal-complaint-over-crypto-spying-scandal-idUSKBN20O1VD The Swiss government has filed a criminal complaint over the U.S. Central Intelligence Agencys alleged use of a cryptography company as a front to spy on various governments secret communications, the Swiss attorney generals office said on Sunday.. The complaint against persons unknown for alleged breaches […]

Read More

Daily NCSC-FI news followup 2019-12-10

Venäjä käytti kahta eri vakoilukampanjaa tärvelläkseen Ranskan vaalit: Macronin toimisto sumutti vakoojia vitseillä www.hs.fi/ulkomaat/art-2000006337940.html Venäjän tiedustelu yritti sotkea Emmanuel Macronin vaalivoiton kahdella eri verkkovakoilukampanjalla. Kampanjaväki sumutti vakoojia jakamalla heille väärää tietoa. Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/ Researchers discovered a new Snatch ransomware strain that will reboot computers it […]

Read More

Daily NCSC-FI news followup 2019-08-21

Group-IBs new report on Silence: Damage from Silence APT operations increases fivefold. The gang deploys new tools on its worldwide tour www.group-ib.com/media/silence-attacks/ Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has exposed the most recent campaigns carried out by Silence, a Russian-speaking APT group, in the new “Silence 2.0: Going Global” report. Group-IB […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.