Daily NCSC-FI news followup 2021-10-07

Join the Tietoturvaseminaari 2021 (Information Security Seminar 2021) virtual event on 24.11.2021, 11:00-16:00

www.traficom.fi/fi/ajankohtaista/tilaisuudet/tietoturva-2021-virtuaaliseminaari-24112021 The joint Information Security Seminar of the Finnish Transport and Communications Agency Traficom and the National Emergency Supply Agency (Huoltovarmuuskeskus) this year celebrates the 20-year journey of the CERT function of the National Cyber Security Centre (Kyberturvallisuuskeskus). The seminar examines cybersecurity as the foundation of a functioning society and of security of supply. The event will be opened by Minister of Transport and Communications Timo Harakka, and the keynote will be given by F-Secure's research director Mikko Hyppönen. The programme and speaker details will be finalized over the coming weeks. Read more and sign up!

Ransomware in the CIS

securelist.com/cis-ransomware/104452/ These days, when speaking of cyberthreats, most people have in mind ransomware, specifically cryptomalware. In 2020-2021, with the outbreak of the pandemic and the emergence of several major cybercriminal groups (Maze, REvil, Conti, DarkSide, Avaddon), an entire criminal ecosystem took shape, leading to a mounting worldwide wave of attacks on large organizations with pockets deep enough to pay a ransom in the hundreds of thousands, even millions, of US dollars.

Ransom disclosure law would give firms 48 hours to disclose ransomware payments

www.tripwire.com/state-of-security/featured/ransom-disclosure-law-48-hours-disclose-payments-ransomware-gangs/ Organisations who find their networks hit by a ransomware attack may soon have to disclose within 48 hours any payments to their extortionists. That's the intention of the Ransom Disclosure Act, a new bill proposed by US Senator Elizabeth Warren and Representative Deborah Ross. Ransomware victims are not currently required to report attacks or ransom payments to federal authorities, but the new bill would require all ransomware victims (excluding individuals) to disclose the following information within 48 hours of a ransom payment.

US Navy ship Facebook page hijacked to stream video games

blog.malwarebytes.com/hacking-2/2021/10/us-navy-ship-facebook-page-hijacked-to-stream-video-games/ The official Facebook page of the US Navy's destroyer-class warship, USS Kidd, has been hijacked. According to Task & Purpose, who first reported on the incident, the account has done nothing but stream Age of Empires, an award-winning, history-based real-time strategy (RTS) video game wherein players get to grow civilizations by progressing them from one historical time frame to another. In an interview with Task & Purpose, Cmdr. Nicole Schwegman, a Navy spokesperson, confirmed the hijacking: “The official Facebook page for USS Kidd (DDG 100) was hacked. We are currently working with Facebook technical support to resolve the issue.”

The Real Cost of Ransomware

securityintelligence.com/articles/real-cost-of-ransomware/ Ransomware is an expensive cybercrime and getting more so all the time. Payouts have risen massively in the past few years. But while ransomware payment amounts make headlines, the real costs go far beyond what's paid to the attackers. Ransomware has always been a problem. But in recent years, attackers have gotten really good at it.

FIN12 hits healthcare with quick and focused ransomware attacks

www.bleepingcomputer.com/news/security/fin12-hits-healthcare-with-quick-and-focused-ransomware-attacks/ While most ransomware actors spend time on the victim network looking for important data to steal, one group favors quick malware deployment against sensitive, high-value targets. It can take less than two days for the FIN12 gang to execute on the target network a file-encrypting payload – most of the time Ryuk ransomware. Report:

www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets


Penetration Testing Your AWS Environment – A CTO’s Guide

thehackernews.com/2021/10/penetration-testing-your-aws.html So, you’ve been thinking about getting a Penetration Test done on your Amazon Web Services (AWS) environment. Great! What should that involve exactly? There are many options available, and knowing what you need will help you make your often limited security budget go as far as possible. Broadly, the key focus areas for most penetration tests involving AWS.

16-31 August 2021 Cyber Attacks Timeline

www.hackmageddon.com/2021/10/07/16-31-august-2021-cyber-attacks-timeline/ Here we go! The second timeline of August 2021 is out (first one here) covering the main cyber attacks that occurred in the second fortnight of the same month. And it looks like the end of Summer led to a decrease in the number of attacks with 78 events, corresponding to the minimum value of the last 12 months. Ransomware continues to dominate the threat landscape, but its percentage dropped to 24.4% (19 out of 78 events) in contrast with 39.6% of the previous fortnight.

Netherlands can use intelligence or armed forces to respond to ransomware attacks

therecord.media/netherlands-can-use-intelligence-or-armed-forces-to-respond-to-ransomware-attacks/ The Dutch government said it would use its intelligence or military services to counter cyber-attacks, including ransomware attacks, that threaten its national security. Answering a parliamentary inquiry into the country's possible avenues of response to ransomware attacks, Ben Knapen, Dutch Minister of Foreign Affairs, said under normal circumstances, diplomatic avenues take precedence, but the country's response could be escalated in the case of more severe incidents.

Vidar Stealer Abuses Mastadon Social Network

blog.cyberint.com/vidar-stealer-abuses-mastadon-social-network Having previously used the Thumbler and Faceit gaming platforms to access dynamic configuration from threat actors, new campaigns of Vidar Stealer’s more recent versions suggest a new venue where Vidar receives dynamic configurations and dropzone information for downloading and uploading files. First seen in October 2018, Vidar is a descendant of the former Arkei Stealer, which at the moment looks like one of the most popular stealers due to its simplicity, dynamic configuration methods and ongoing development.

Unpatched Dahua cams vulnerable to unauthenticated remote access

www.bleepingcomputer.com/news/security/unpatched-dahua-cams-vulnerable-to-unauthenticated-remote-access/ Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof of concept exploit that came out today makes the case of upgrading pressing. The authentication bypass flaws are tracked as CVE-2021-33044 and CVE-2021-33045, and are both remotely exploitable during the login process by sending specially crafted data packets to the target device. For more details on how that works, you may check out the proof of concept (PoC) that was part of today's full disclosure, which has been posted on GitHub.

Who Is Hunting For Your IPTV Set-Top Box?

isc.sans.edu/forums/diary/Who+Is+Hunting+For+Your+IPTV+SetTop+Box/27912/ Ever considered starting a company to create software for TV channel distribution over IP? It is big business with service providers “converging” their networks. Everything is better over IP. Why not TV? Having TVs and set-top boxes with two-way IP connectivity allows you to collect all kinds of data from your users. Imagine you cannot only charge people for the content, but you can also sell their data to advertisers. You will know exactly what they watch and when. Are they flipping channels during commercials?

Code Execution Bug Affects Yamale Python Package Used by Over 200 Projects

thehackernews.com/2021/10/code-execution-bug-affects-yamale.html A high-severity code injection vulnerability has been disclosed in 23andMe’s Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code. The flaw, tracked as CVE-2021-38305 (CVSS score: 7.8), involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution. Particularly, the issue resides in the schema parsing function, which allows any input passed to be evaluated and executed, resulting in a scenario where a specially-crafted string within the schema can be abused for the injection of system commands.

Canopy Parental Control App Wide Open to Unpatched XSS Bugs

threatpost.com/canopy-parental-control-app-unpatched-xss-bugs/175384/ The possible cyberattacks include disabling monitoring, location-tracking of children and malicious redirects of parent-console users. Canopy, a parental control app that offers a range of features meant to protect kids online via content inspection, is vulnerable to a variety of cross-site scripting (XSS) attacks, according to researchers.

Botnet abuses TP-Link routers for years in SMS messaging-as-a-service scheme

therecord.media/botnet-abuses-tp-link-routers-for-years-in-sms-messaging-as-a-service-scheme/ Since at least 2016, a threat actor has hijacked TP-Link routers as part of a botnet that abused a built-in SMS capability to run an underground Messaging-as-a-Service operation. Across the years, these infected routers were used to send out betting tips, verification codes, confirmation for online payments and donations, and for sending cryptic messages whose meaning researchers have yet to crack.

U.S. to tell critical rail, air companies to report hacks, name cyber chiefs

www.reuters.com/technology/exclusive-us-tell-critical-rail-air-companies-report-hacks-name-cyber-chiefs-2021-10-06/ The Transportation Security Administration will introduce regulations that compel the most important U.S. railroad and airport operators to improve their cybersecurity procedures, Homeland Security Secretary Alejandro Mayorkas said on Wednesday. The upcoming changes will make it mandatory for “higher-risk” rail transit companies and “critical” U.S. airport and aircraft operators to do three things: name a chief cyber official, disclose hacks to the government and draft recovery plans for if an attack were to occur.

CISA Releases Guidance: TIC 3.0 Remote User Use Case

us-cert.cisa.gov/ncas/current-activity/2021/10/07/cisa-releases-guidance-tic-30-remote-user-use-case In coordination with the Office of Management and Budget (OMB), the Federal Chief Information Security Officer Council (FCISO) Trusted Internet Connections (TIC) Subcommittee, and the General Services Administration, CISA has released Trusted Internet Connections 3.0 Remote User Use Case. The Remote User Use Case provides federal agencies with guidance on applying network and multi-boundary security for agencies that permit remote users on their networks. In accordance with OMB Memorandum M-19-26, this use case builds off TIC 3.0 Interim Telework Guidance originally released in Spring 2020.

Cybercriminals threaten to hack EU hospitals in latest COVID-19 vaccine scam

www.zdnet.com/article/cybercriminals-threaten-to-hack-eu-hospitals-in-latest-covid-19-vaccine-scam/ Cybersecurity experts have uncovered a new COVID-19 vaccination scam involving hackers tricking victims into providing their personal information under the assumption that cybercriminals can hack into European Union hospitals and falsify vaccination records. DarkOwl, the cybersecurity firm that uncovered the scam, notes that the EU Digital COVID Certificate program and most EU hospitals have stringent cybersecurity measures in place to protect user data.

Twitch confirmed a major data breach: here is how to protect your account

www.is.fi/digitoday/esports/art-2000008315753.html The Amazon-owned streaming service Twitch has confirmed that the data breach reported on Wednesday is real. Twitch's brief statement said the company is investigating the scope and impact of the breach. According to the statement, there are currently no signs that user data or credit card data have fallen into the wrong hands.



NSO Group’s Pegasus malware was used to spy on Dubai princess’s lawyers during child custody dispute

www.theregister.com/2021/10/07/pegasus_malware_princess_haya/ Cherie Blair tipped off a Jordanian princess that the royal’s estranged husband, the Sheikh of Dubai, had deployed NSO Group’s Pegasus malware against her and her lawyers, a series of explosive High Court judgments [PDFs] have revealed. Set against a backdrop of kidnappings, espionage and a bitterly contested child custody case, the judgments shine fresh light on the abusive uses to which NSO Group’s malware products are put by some of its customers.

Transdev denies data stolen by ransomware group, connects leak to September attack on client

www.zdnet.com/article/transdev-denies-data-stolen-by-ransomware-group/ French transportation giant Transdev has denied that any of its information was stolen by a ransomware group after cybercriminals claimed to have 200GB of data and threatened to leak it on Sunday, October 10. The LockBit ransomware group listed Transdev on its leak site next to a timer set to expire at 1:00 on Sunday. But Transdev — which calls itself the “largest private provider of multiple modes of transport in North America” — said the data being hawked by Lockbit was from one of their clients.

Espionage happens online. Finland was mentioned several times as the client's home country: may startle many

www.tivi.fi/uutiset/tv/ff50969f-b2cd-4e26-b6a1-0d7c1022d690 According to an old wisecrack, R&D money yields the best return when invested in corporate espionage. The COVID-19 era has kicked espionage into a higher gear. Remote work has increased the leaking of trade secrets to outsiders. In a Chamber of Commerce survey, one in ten companies said that confidential information had been compromised as a result of remote work. Reading emails and exploiting network traffic is currently the most common form of corporate espionage. “At home, protections are not necessarily at the same level as at the workplace,” says Panu Vesterinen, an expert at the Helsinki Chamber of Commerce.

Aerospace, Telecommunications Companies Victims of Stealthy Iranian Cyber-Espionage Campaign

www.darkreading.com/attacks-breaches/aerospace-firms-telcos-victim-of-stealthy-iranian-cyber-espionage-campaign A previously unknown advanced persistent threat group likely backed by the Iranian government has been quietly carrying out a sophisticated cyber-espionage campaign against aerospace and telecommunication companies since at least 2018. The campaign has mainly targeted firms in the Middle East and more recently, the United States, Russia, and Europe. Security researchers from Cybereason who have been tracking the campaign have dubbed it Operation GhostShell and attributed it to a new threat group they are calling MalKamak.

Information security “rock star” Mikko Hyppönen advises: Don't share your friends' information carelessly, and online banking is best used on a mobile phone

yle.fi/uutiset/3-12134104? When the face of Mikko Hyppönen, F-Secure's research director and information security expert, appears on television screens and in press photos, something unpleasant has usually happened. “Yes, it does tend to be that when something happens in the information security field, when someone gets broken into or some data leaks, the phone starts ringing. Of course, I am also happy to comment on these. I have been doing this for so many years, and little by little I am learning how these complex modern-technology topics need to be explained so that we all understand them,” Hyppönen says.
