Daily NCSC-FI news followup 2021-10-11

Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors

www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/ DEV-0343 is a new activity cluster that the Microsoft Threat Intelligence Center (MSTIC) first observed and began tracking in late July 2021. MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, and global maritime transportation companies with a business presence in the Middle East. Fewer than 20 of the targeted tenants were successfully compromised, but DEV-0343 continues to evolve its techniques to refine its attacks. MSTIC noted that Office 365 accounts with multifactor authentication (MFA) enabled are resilient against password sprays.

Cybersecurity awareness month: Fight the phish!

nakedsecurity.sophos.com/2021/10/11/becybersmart-2021-week2/ It's the second week of Cybersecurity Awareness Month 2021, and this week's theme is an alliterative reminder: "Fight the Phish!". Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it's what computer scientists or mathematical analysts call a solved game.

Is this the first ransomware death in the USA?

www.pandasecurity.com/en/mediacenter/security/first-ransomware-death/ A baby born in Alabama might be the first-ever death in the USA caused by a ransomware attack. According to a lawsuit filed in Alabama, a newborn baby ended up with severe brain injury because an expecting mother did not receive all necessary tests when admitted to a hospital to deliver her baby. The lawsuit alleges that if the hospital had been functioning correctly, the tests she missed because of an ongoing cyber-attack would have shown that the baby's umbilical cord was wrapped around the fetus's neck, which eventually caused the brain damage. The baby died nine months later.

Cybersecurity Awareness: How Much Data Can An Attacker Get From an Employee ID?

securityintelligence.com/articles/cybersecurity-awareness-data-attacker-employee-id/ Cyber awareness may seem fairly obvious, but it's not always. For example, you would never post a photo of your driver's license on Facebook, right? How about your company ID card? Then there's that selfie you took at the office. Were you wearing your work badge? Not a good idea. Part of cybersecurity awareness is knowing what not to post.

Data Exfiltration, Revisited

windowsir.blogspot.com/2021/10/data-exfiltration-revisited.html I've posted on the topic of data exfiltration before (here, etc.) but often it's a good idea to revisit the topic. After all, it was almost two years ago that we saw the first instance of ransomware threat actors stating publicly that they'd exfiltrated data from systems, using this as a secondary means of extortion. Since then, we've continued to see this tactic used, along with other tertiary means of extortion based on data exfiltration. We've also seen several instances where the threat actor ransom notes have stated that data was exfiltrated but the public "shaming" sites were noticeably empty.

Ukrainian police arrest DDoS operator controlling 100,000 bots

www.bleepingcomputer.com/news/security/ukrainian-police-arrest-ddos-operator-controlling-100-000-bots/ Ukrainian police have arrested a hacker who controlled a 100,000-device botnet used to perform DDoS attacks on behalf of paying customers. The threat actor was arrested at his home in Prykarpattia, where he was allegedly using the botnet to perform DDoS attacks or to support other malicious activity for his clients. This activity included brute-forcing login credentials at websites, running spam operations, and performing penetration testing on remote devices to identify and exploit vulnerabilities.

Verify End-Users at the Helpdesk to Prevent Social Engineering Cyber Attack

thehackernews.com/2021/10/verify-end-users-at-helpdesk-to-prevent.html Although organizations commonly go to great lengths to address security vulnerabilities that may exist within their IT infrastructure, an organization's helpdesk might pose a bigger threat due to social engineering attacks. Social engineering is "the art of manipulating people so they give up confidential information," according to Webroot. There are many different types of social engineering schemes, but one area of vulnerability is how social engineering might be used against a helpdesk technician to steal a user's credentials.

Pacific City Bank discloses ransomware attack claimed by AvosLocker

www.bleepingcomputer.com/news/security/pacific-city-bank-discloses-ransomware-attack-claimed-by-avoslocker/ Pacific City Bank (PCB), one of the largest Korean-American community banking service providers in America, has disclosed a ransomware incident that took place last month. The bank is circulating notices to inform its clients of a security breach it identified on August 30, 2021, which they claim to have addressed promptly.

Things that go “Bump” in the Night: Non HTTP Requests Hitting Web Servers

isc.sans.edu/forums/diary/Things+that+go+Bump+in+the+Night+Non+HTTP+Requests+Hitting+Web+Servers/27924/ If you are reviewing your web server logs periodically, you may notice some odd requests in your logs that are not HTTP requests, in particular if you have a web server listening on a non-standard port. I want to quickly review some of the most common requests like that, that I am seeing…

Apple patches iPhone zero-day in iOS 15.0.2

therecord.media/apple-patches-iphone-zero-day-in-ios-15-0-2/ Apple released a security update on Monday for iPhone users to address a vulnerability in the iOS operating system that has been exploited in the wild. Tracked as CVE-2021-30883, the zero-day resides in IOMobileFramebuffer, a kernel extension that allows developers to control how a device's memory handles the screen display (the screen framebuffer, to be more exact). According to Apple, a malicious application may be able to execute arbitrary code with kernel privileges using this vulnerability. Gaining kernel privileges gives attackers full control over the iOS device.

Ransomware is the biggest cyber threat to business. But most firms still aren’t ready for it

www.zdnet.com/article/ransomware-is-now-the-most-urgent-cyber-threat-to-business-but-most-firms-arent-ready-for-it/ Ransomware is the most significant cybersecurity threat facing organisations, ranging from critical national infrastructure providers and large enterprises to schools and local businesses, but it's a threat which can be countered. In a speech at the Chatham House Cyber 2021 Conference, Lindy Cameron, CEO of the UK's National Cyber Security Centre (NCSC), warned about several cybersecurity threats facing the world today, including supply chain attacks, the threat of cyber espionage and cyber aggression by hostile nation-states, and cybersecurity exploits and vulnerabilities being sold to whoever wants to buy them.

A Pentagon official said he resigned because US cybersecurity is no match for China, calling it ‘kindergarten level’

www.businessinsider.com/pentagon-official-quit-saying-us-cybersecurity-no-match-china-2021-10?r=US&IR=T A senior cybersecurity official at the Pentagon said he quit because he thought it was impossible for the US to compete with China on AI. Nicolas Chaillan joined the US Air Force as its first chief software officer in August 2018. He worked to equip it and the Pentagon with the most secure and advanced software available. But Chaillan quit on September 2. In his departing LinkedIn post, he cited the Pentagon’s reluctance to make cybersecurity and AI a priority as a reason for his resignation.

Public administration audits information security in bulk: a 50 million euro tender is starting

www.tivi.fi/uutiset/tv/aaf46e5c-fc5b-4dc9-a833-70401f64425f Hansel, the joint procurement company of the Finnish state and municipalities, is putting information security audit services out to tender for its customers. The assessment services must meet the requirements of the act on information security assessment bodies. Hansel estimates that the dynamic procurement system to be established will be worth 50 million euros. The information comes from the Hilma database of public procurements.

Microsoft Defender for Identity to detect Windows Bronze Bit attacks

www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-identity-to-detect-windows-bronze-bit-attacks/ Microsoft is working on adding support for Bronze Bit attack detection to Microsoft Defender for Identity, to make it easier for Security Operations teams to detect attempts to abuse a Windows Kerberos security bypass bug tracked as CVE-2020-17049. Microsoft Defender for Identity (previously Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution that leverages on-premises Active Directory signals. It enables SecOps teams to detect and investigate advanced threats, compromised identities, and malicious insider activity targeting enrolled organizations.

When criminals go corporate: Ransomware-as-a-service, bulk discounts and more

www.theregister.com/2021/10/11/ransomware_as_a_service/ This summer, Abnormal Security discovered that some of its customers' staff were receiving emails inviting them to install ransomware on a company computer in return for a $1m share of the "profits". When Abnormal staff set up a fake persona and contacted the criminals to play along, though, things started to fall apart. While the criminal initially discussed a potential ransom of $2.5m, this figure fell and fell as talks went on, first to $250,000 and then to just $120,000.

Applying Behavioral Psychology to Strengthen Your Incident Response Team

www.darkreading.com/endpoint/how-behavioral-psychology-can-strengthen-your-incident-response-team Cybersecurity incident response teams (CSIRTs) rely on technical and social skills. But focusing mostly on technical knowledge can come at the expense of communication and teamwork, according to a new study. This idea was the focus of a five-year study analyzing incident response teams from a social-behavioral perspective. From 2012 to 2017, a team of researchers funded by the US Department of Homeland Security interviewed more than 200 people and led 80 focus groups across 17 international organizations to identify the key drivers of teamwork within and between teams.

The Security Challenge Of Protecting Smart Cities

www.forbes.com/sites/chuckbrooks/2021/10/10/the-security-challenge-of-protecting-smart-cities/ As we continue to move forward in the Industry 4.0 era of greater connectivity between the physical and the digital, the promise and development of smart cities become a more likely vision. While the term may have differing definitions, "smart city" usually connotes creating a public/private infrastructure to orchestrate the integration of transportation, energy, water resources, waste collection, smart-building technologies, and security technologies and services in a central location.

Several Finns have fallen for the Omakanta scam; according to Kela, the scam sites have been removed from the internet

yle.fi/uutiset/3-12138550 The Omakanta site fell victim to a scam in September. Foreign criminal gangs set up a scam site resembling Omakanta and phished for money through it. Now the scam sites have been removed from search engines, Kela assures.

LibreOffice, OpenOffice bug allows hackers to spoof signed docs

www.bleepingcomputer.com/news/security/libreoffice-openoffice-bug-allows-hackers-to-spoof-signed-docs/ LibreOffice and OpenOffice have pushed updates to address a vulnerability that makes it possible for an attacker to manipulate documents so that they appear to be signed by a trusted source. Although the severity of the flaw is classified as moderate, the implications could be dire. The digital signatures used in document macros are meant to help the user verify that the document hasn't been altered and can be trusted.
