Daily NCSC-FI news followup 2021-10-08

September 2021s Most Wanted Malware: Trickbot Once Again Tops the List

blog.checkpoint.com/2021/10/08/september-2021s-most-wanted-malware-trickbot-once-again-tops-the-list/ Check Point Research reports that Trickbot is the most prevalent malware while remote access trojan, njRAT, has entered the index for the first time. The remote access trojan, njRAT, has entered the top ten for the first time, taking the place of Phorpiex which is no longer active. Trickbot is a banking trojan that can steal financial details, account credentials, and personally identifiable information, as well as spread within a network and drop ransomware.

Common initial attack vectors

www.kaspersky.com/blog/most-common-initial-attack-vectors/42379/ Other companies frequently call in our experts for emergency assistance with incident response, to conduct (or help conduct) investigations, or to analyze cybercriminals tools. Throughout 2020, we collected a wealth of data for a view on the modern threat landscape that helps us predict the most likely attack scenarios including the most common initial attack vectors and choose the best defensive tactics.

Discord scammers lure victims with promise of free Nitro subscriptions

blog.malwarebytes.com/scams/2021/10/discord-scammers-lure-victims-with-promise-of-free-nitro-subscriptions/ A number of bogus offers are doing the rounds in Discord land at the moment. Discord, a group text chat/VoiP app of choice for many gaming communities, is having a bit of trouble with phishing links. You may recall weve covered a lot of Discord scams previously. Service users can create bots, those bots can be invited into channels, and then they get to work spamming. The messages run the range of free games, discount sign-ups for services, or just plain old fake login screens.

Apache patch proves patchy now you need to patch the patch

nakedsecurity.sophos.com/2021/10/08/apache-patch-proves-patchy-now-you-need-to-patch-the-patch/ Software patches are sometimes a bit like buses. You dont get one for a while, and then three come at once. For buses on busy urban routes, at least, the explanation of the phenomenon goes something like this. If three buses start out travelling the same route together in a nicely spaced sequence, then the first one is most likely to be the slowest, because it will be stopping to scoop up most of the waiting passengers, while the ones behind will tend to travel faster because they need to stop less often or for shorter periods.

FontOnLake: Previously unknown malware family targeting Linux

securityintelligence.com/articles/case-for-cybersecurity-education-engineers/ Engineering and cybersecurity are two distinct disciplines, each demanding its own rigorous education and training. But should there be crossover? Should engineers or engineering students invest in cybersecurity education as well? What are the opportunities for engineers to gain expertise in protecting against threat actors in the software realm?.

www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/. ESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed modules, targeting systems running Linux. Modules used by this malware family, which we dubbed FontOnLake. are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server. In this blogpost, we summarize the findings published in full in our white paper.

EDR Bypasses

windowsir.blogspot.com/2021/10/edr-bypasses.html During my time in the industry, I’ve been blessed to have opportunities to engage with a number of different EDR tools/frameworks at different levels. Mike Tanji offered me a look at Carbon Black before carbonblack.com existed, while it still used an on-prem database. I spent a very good deal of time working directly with Secureworks Red Cloak, and I’ve seen CrowdStrike Falcon and Digital Guardian’s framework up close. I’ve seen the birth and growth of Sysmon, as well as MS’s “internal” Process Tracking (which requires an additional Registry modification to record full command lines).

Microsoft: Russian state hackers behind 53% of attacks on US govt agencies

www.bleepingcomputer.com/news/security/microsoft-russian-state-hackers-behind-53-percent-of-attacks-on-us-govt-agencies/ Microsoft says that Russian-sponsored hacking groups are increasingly targeting US government agencies, with roughly 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 coming from Russia. “Russian nation-state actors are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% largely agencies involved in foreign policy, national security or defense,” said Tom Burt, Microsoft’s Corporate Vice President for Customer Security & Trust.. Report:


NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques

us-cert.cisa.gov/ncas/current-activity/2021/10/08/nsa-releases-guidance-avoiding-dangers-wildcard-tls-certificates The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance to help secure the Department of Defense, National Security Systems, and Defense Industrial Base organizations from poorly implemented wildcard Transport Layer Security (TLS) certificates and the exploitation of Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA). A malicious cyber actor with network access can exploit this vulnerability to access sensitive information.

New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks

thehackernews.com/2021/10/new-patch-released-for-actively.html The Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an “incomplete fix” for an actively exploited path traversal and remote code execution flaw that it patched earlier this week. CVE-2021-42013, as the new vulnerability is identified as, builds upon CVE-2021-41773, a flaw that impacted Apache web servers running version 2.4.49 and involved a path normalization bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.

Google notifies 14,000 Gmail users of targeted APT28 attacks

therecord.media/google-notifies-14000-gmail-users-of-targeted-apt28-attacks/ Google has sent email notifications to more than 14,000 Gmail users that theyve been the target of a spear-phishing attack orchestrated by a state-sponsored hacking group. In late September, we detected an APT28 phishing campaign targeting a large volume of Gmail users (approx 14,000) across a wide variety of industries, Shane Huntley, Director of Googles Threat Analysis Group, told The Record in an email, following an inquiry about the number of users who took to social media to post the message they received from Google.

BrewDog exposed data for over 200,000 shareholders and customers

www.bleepingcomputer.com/news/security/brewdog-exposed-data-for-over-200-000-shareholders-and-customers/ BrewDog, the Scottish brewery and pub chain famous for its crowd-ownership model and the tasty IPAs, has irreversibly exposed the details of 200,000 of its shareholders and customers. The exposure lasted for over 18 months and the point of the leak was the firms mobile app, which gives the Equity Punks community access to information, discounts at bars, and more.

Actors Target Huawei Cloud Using Upgraded Linux Malware

www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html We have recently noticed another Linux threat evolution that targets relatively new cloud service providers (CSPs) with cryptocurrency-mining malware and cryptojacking attacks. In this article, we discuss a new Linux malware trend in which malicious actors deploy code that removes applications and services present mainly in Huawei Cloud. Specifically, the malicious code disables the hostguard service, a Huawei Cloud Linux agent process that detects security issues, protects the system, and monitors the agent.

Singapore tweaks cybersecurity strategy with OT emphasis

www.zdnet.com/article/singapore-tweaks-cybersecurity-strategy-with-ot-emphasis/ Singapore has tweaked its cybersecurity strategy to beef up its focus on operational technology (OT), offering a new competency framework to provide guidance on skillsets and technical competencies required for OT industry sectors. The revised national cybersecurity roadmap also looks to bolster the overall cybersecurity posture and foster international cyber cooperation. The 2021 cybersecurity strategy also would build on efforts to safeguard Singapore’s critical information infrastructure (CII) and other digital infrastructure, said Cyber Security Agency (CSA). The government organization said it would work with CII operators to beef up the cybersecurity of OT systems where cyber attacks could pose physical and economic risks.

Engineering giant Weir Group hit by ransomware attack

www.bleepingcomputer.com/news/security/engineering-giant-weir-group-hit-by-ransomware-attack/ Scottish multinational engineering firm Weir Group has disclosed an “attempted ransomware attack” that led to “significant temporary disruption” in September. “The Group is currently managing the consequences of a sophisticated attempted ransomware attack that occurred in the second half of September,” the firm said in a Q3 trading update published Thursday. “Weir’s cybersecurity systems and controls responded quickly to the threat and took robust action. This included isolating and shutting down IT systems including core Enterprise Resource Planning (ERP) and engineering applications.”

Togo: Prominent activist targeted with Indian-made spyware linked to notorious hacker group

www.amnesty.org/en/latest/news/2021/10/togo-activist-targeted-with-spyware-by-notorious-hacker-group/ Togolese activist targeted with spyware by the Donot Team hacker group. Amnesty International exposes links between the Donot Team attacks and Innefu Labs, a cybersecurity company based in India. First time Donot Team publicly linked to cyberattacks targeting activists outside of South Asia. Spyware-loaded emails and fake Android applications could access devices camera and microphone, steal photos and files, and read WhatsApp messages.

Suomi arvioi kohua herättäneen raportin kiinalaisista puhelimista: Pää­osin paikkansa pitävä

www.is.fi/digitoday/tietoturva/art-2000008315834.html LIIKENNE- ja viestintävirasto Traficomin Kyberturvallisuuskeskus on antanut arvionsa Liettuan viranomaisten syyskuun lopulla kohua aiheuttaneesta kehotuksesta lopettaa kiinalaisten puhelimien käyttö. Liettuan puolustusministeriö tutki perinpohjaisesti Xiaomi Mi 10T 5G:n, Huawei P40 5G:n sekä OnePlus 8T 5G:n. Xiaomista löytyi käyttäjän viestintää avainsanojen perusteella seuraavia ominaisuuksia ja Huaweista tietoturva-aukko.

Suojaa kotisi kyberhyökkäykseltä toimi näin

www.iltalehti.fi/tietoturva/a/117519ec-954a-40ae-ac3a-d46cde340a26 Lokakuussa vietetään Euroopan kyberturvallisuuskuukautta, jonka tarkoitus on nostaa esiin tärkeitä tietoturvaan liittyviä aiheita. Vaikka joskus tietoturvaloukkaukseen ei voi itse vaikuttaa mitenkään, on kuitenkin paljon sellaista, johon voi ja pitääkin vaikuttaa itse. Kyberturvallisuuskeskus jakoi sivuillaan viisi vinkkiä kodin kyberturvallisuudesta huolehtimiseen.

Kolumni: Rahaa kyber­puolustukseen

www.tivi.fi/uutiset/tv/4513a081-af60-48f7-8e63-7843f2bc563e Neljän vuoden välein julkaistava puolustusselonteko ilmestyi 9. syyskuuta. Se kuvastaa Suomen näkemystä turvallisuustilanteesta ja tulevaisuuden uhkista. Kyber-alkuisia sanoja löytyy yhteensä 56 kappaletta. Uusi muotitermi näyttää olevan sanahirviö informaatiotoimintaympäristö, joka esiintyy peräti viisi kertaa. Informaatioturvallisuus voidaan laskea osaksi kyberturvallisuutta, joten yhteensä uudet uhkakuvat mainitaan 61 kertaa. Edellisessä, vuoden 2017 selonteossa, kyber-alkuisia sanoja oli 17 kappaletta. Informaatiovaikuttaminen esiintyi kahdesti, yhteensä siis 19 osumaa.

You might be interested in …

[NCSC-FI News] Hero hackers claim to have breached Belarusian weapons firm

The international hacker collective Anonymous appears to have made good on its declaration of cyberwar against Russia and its allies, apparently exposing 200GB of emails from Belarusian weapons manufacturer Tetraedr Anonymous breached the firm’s defenses and released the most recent 1,000 emails from inboxes belonging to Tetraedr employees, passing them over in .EML format to […]

Read More

[NCSC-FI News] Five zero days affecting Aethon hospital autonomous robots patched

Multibillion-dollar engineering firm ST Engineering said it has patched five zero day vulnerabilities affecting its Aethon TUG autonomous mobile robots, devices that are now used widely in hospitals across the world. Source: Read More (NCSC-FI daily news followup)

Read More

Daily NCSC-FI news followup 2021-04-13

Microsoft April 2021 Patch Tuesday fixes 108 flaws, 5 zero-days www.bleepingcomputer.com/news/microsoft/microsoft-april-2021-patch-tuesday-fixes-108-flaws-5-zero-days/ Today is Microsoft’s April 2021 Patch Tuesday, and with it comes five zero-day vulnerabilities and more Critical Microsoft Exchange vulnerabilities. It has been a tough couple of months for Windows and Microsoft Exchange admins, and it looks like April won’t be any easier, so […]

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.