Daily NCSC-FI news followup 2021-10-12

Farm equipment security at DEF CON 29

www.kaspersky.com/blog/hacking-agriculture-defcon29/42402/ One of the most unusual presentations at the DEF CON 29 conference, held in early August, covered farm equipment vulnerabilities found by an Australian researcher who goes by the alias Sick Codes. Vulnerabilities affecting the major manufacturers John Deere and Case IH were found not in tractors and combine harvesters, but in web services more familiar to researchers.

Inside Apple: How macOS attacks are evolving

blog.malwarebytes.com/malwarebytes-news/2021/10/inside-apple-how-macos-attacks-are-evolving/ The start of fall 2021 saw the fourth Objective by the Sea (OBTS) security conference, which is the only security conference to focus exclusively on Apples ecosystem. As such, it draws many of the top minds in the field. This year, those minds, having been starved of a good security conference for so long, were primed and ready to share all kinds of good information. Conferences like this are important for understanding how attackers and their methods are evolving. Like all operating systems, macOS presents a moving target to attackers as it acquires new features and new forms of protection over time.

Azure network security helps reduce cost and risk according to Forrester TEI study

www.microsoft.com/security/blog/2021/10/12/azure-network-security-helps-reduce-cost-and-risk-according-to-forrester-tei-study/ As organizations move their computing from on-premises to the cloud, they realize that leveraging cloud-native security tools can provide additional cost savings and business benefits to their security infrastructure. Microsoft Azure network security offers a suite of cloud-native security tools to protect Azure workloads while automating network management, implementing developer security operations (DevSecOps) practices, and reducing the risk of a material security breach.

MysterySnail attacks with Windows zero-day

securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/ In late August and early September 2021, Kaspersky technologies detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day. We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules.

Ransomware cost US companies almost $21 billion in downtime in 2020

www.welivesecurity.com/2021/10/11/ransomware-cost-us-companies-almost-21billion-downtime-2020 An analysis of 186 successful ransomware attacks against businesses in the United States in 2020 has shown that the companies lost almost US$21 billion due to attack-induced downtime, according to technology website Comparitech. Compared to 2019, the number of disclosed ransomware attacks skyrocketed by 245%.

Necro Python Botnet Goes After Vulnerable VisualTools DVR

blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr In the last week of September 2021, Juniper Threat Labs detected a new activity from Necro Python (a.k.a N3Cr0m0rPh , Freakout, Python.IRCBot) that is actively exploiting some services, including a new exploit added to its arsenal. This new exploit targets Visual Tools DVR VX16 4.2.28.0 from visual-tools.com (no CVE number is assigned to this vulnerability). Successful exploitation will download the bot into the system and install a Monero miner.

Microsoft October 2021 Patch Tuesday: 71 vulnerabilities, four zero-days squashed

www.zdnet.com/article/microsoft-october-2021-patch-tuesday-71-vulnerabilities-four-zero-days-squashed/ Microsoft has released 71 security fixes for software including an actively-exploited zero-day bug in Win32k. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for a total of four zero-day flaws, three of which are public. Products impacted by October’s security update include Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser. Also

www.bleepingcomputer.com/news/microsoft/microsoft-october-2021-patch-tuesday-fixes-4-zero-days-71-flaws/.

isc.sans.edu/forums/diary/Microsoft+October+2021+Patch+Tuesday/27928/.

blog.talosintelligence.com/2021/10/microsoft-patch-tuesday-for-oct-2021.html.

www.tenable.com/blog/microsoft-s-october-2021-patch-tuesday-addresses-74-cves-cve-2021-40449

Business as usual for Azure customers despite 2.4 Tbps DDoS attack

azure.microsoft.com/en-us/blog/business-as-usual-for-azure-customers-despite-24-tbps-ddos-attack/ In early August, we shared Azures Distributed Denial-of-Service (DDoS) attack trends for the first half of 2021. We reported a 25 percent increase in the number of attacks compared to Q4 of 2020, albeit a decline in maximum attack throughput, from one terabyte per second (Tbps) in Q3 of 2020 to 625 Mbps in the first half of 2021. The last week of August, we observed a 2.4 Tbps DDoS attack targeting an Azure customer in Europe. This is 140 percent higher than 2020s 1 Tbps attack and higher than any network volumetric event previously detected on Azure.

Cyberattack shuts down Ecuador’s largest bank, Banco Pichincha

www.bleepingcomputer.com/news/security/cyberattack-shuts-down-ecuadors-largest-bank-banco-pichincha/ Ecuador’s largest private bank Banco Pichincha has suffered a cyberattack that disrupted operations and taken the ATM and online banking portal offline. The cyberattack occurred over the weekend, causing the bank to shut down portions of their network to prevent the attack’s spread to other systems. The shut down of systems has led to widespread disruption for the bank, with ATMs no longer working and the online banking portals showing maintenance messages.

GitHub Revoked Insecure SSH Keys Generated by a Popular git Client

thehackernews.com/2021/10/github-revoked-insecure-ssh-keys.html Code hosting platform GitHub has revoked weak SSH authentication keys that were generated via the GitKraken git GUI client due to a vulnerability in a third-party library that increased the likelihood of duplicated SSH keys. As an added precautionary measure, the Microsoft-owned company also said it’s building safeguards to prevent vulnerable versions of GitKraken from adding newly generated weak keys.

August 2021 Cyber Attacks Statistics

www.hackmageddon.com/2021/10/12/august-2021-cyber-attacks-statistics/ During August 2021, I have collected 170 events that I can finally aggregate into (hopefully useful) statistics. This number represents a 10% decrease in comparison to the 186 events collected in July that confirms a generally decreasing Summer trend.

Blue OLEx 2021 : Testing the Response to Large Cyber Incidents

www.enisa.europa.eu/news/blue-olex-2021-testing-the-response-to-large-cyber-incidents Together with the Romanian National Cyber Security Directorate, the European Union Agency for Cybersecurity organised the third Blue OLEx exercise to test the operating procedures for the EU Cyber Crisis Liaison Organisation Network (CyCLONe). The Blue OLEx exercise of 12th October was designed to test the Standard Operating Procedures (SOP) of the EU CyCLONe at executive level in case of a large-scale cross-border cyber crisis or incident affecting EU citizens and businesses. Organised by the Romanian National Cyber Security Directorate with the support of the ENISA, the event took place in Bucharest as well as online.

SnapMC skips ransomware, steals data

research.nccgroup.com/2021/10/11/snapmc-skips-ransomware-steals-data/ Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the victims operations.

Olympus US systems hit by cyberattack over the weekend

www.bleepingcomputer.com/news/security/olympus-us-systems-hit-by-cyberattack-over-the-weekend/ Olympus, a leading medical technology company, was forced to take down IT systems in the Americas (U.S., Canada, and Latin America) following a cyberattack that hit its network Sunday, October 10, 2021. “Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue,” Olympus says in a statement published today, two days after the attack.

Dutch police send warning letters to customers of DDoS booter service

therecord.media/dutch-police-send-warning-letters-to-customers-of-ddos-booter-service/ Dutch police have taken a rare step this week and sent letters to 29 individuals who used a now-defunct DDoS-for-hire service also known as a DDoS booter to launch DDoS attacks against various targets. In the letters, Dutch officials warned users that theyd been added to a database of past miscreants, and any involvement in new DDoS attacks will lead to a criminal case.

Zero-day hunters seek laws to prevent vendors suing them for helping out and doing their jobs

www.theregister.com/2021/10/11/cyan_zero_day_legislative_project/ Cybersecurity Advisors Network (CyAN), the Paris-based body that represents infosec pros, has created a new working group to advocate for legislation that stops vendors from suing when security researchers show them zero-day bugs in their kit. Peter Coroneos, CyAN international veep and leader of its new “Zero Day Legislative Project” told The Register the organisation recently staged a virtual meeting of 150-plus security researchers and the topic of aggressive legal responses to disclosures was high on their list of worries.

Why Choke-Point Analysis Is Essential in Active Directory Security

www.darkreading.com/application-security/why-choke-point-analysis-is-essential-in-active-directory-security Attackers that want to steal data, deploy ransomware, or conduct espionage must go through a series of steps, from initial access through establishing persistence and lateral movement to eventually exfiltrating the data. Abusing identity attack paths in Microsoft Active Directory (AD) is a popular method for attackers to accomplish several of these steps, including achieving persistence, privilege escalation, defensive evasion, credential access, discovery, and lateral movement.

Developing a Cybersecurity Plan of Action: Lessons Learned From Our Pipeline Customers

www.dragos.com/blog/industry-news/developing-a-cybersecurity-plan-of-action/ In light of the recent high-profile cyber attacks on U.S. critical infrastructure, the Biden Administration continues to take steps to safeguard this infrastructure from growing, persistent, and sophisticated cyber threats. Recently, the Administration released a 100-day initiative to improve cybersecurity across hazardous liquid and natural gas pipelines. The initiative complements the Department of Homeland Security Transportation Security Administrations (TSA) recently released security directives that require pipeline owners and operators to implement a number of urgently needed cybersecurity protections in their IT and OT environments.

Why does the internet keep breaking?

www.bbc.com/news/business-58873472 I doubt Mark Zuckerberg reads the comments people leave on his Facebook posts. But, if he did, it would take him approximately 145 days, without sleep, to wade through the deluge of comments left for him after he apologised for the meltdown of services last week. “Sorry for the disruption today” the Facebook founder and chief executive posted, following almost six hours of Facebook, WhatsApp and Instagram being offline. Facebook blamed a routine maintenance job for the disruption – its engineers had issued a command that unintentionally disconnected Facebook data centres from the wider internet.

How Quantum Computers Can Impact Security

www.trendmicro.com/en_us/research/21/j/how-quantum-computers-can-impact-security.html If youve been following technology trends over the past few years, youve no doubt heard of the term quantum computing, which many call the next frontier for computing technologies. The promise of a computer that, on paper, has the potential to surpass the capabilities of even todays fastest supercomputers has many players in the tech industry excited, leading to many new startups focusing their efforts on the quantum computing field.

Hackers target the Swiss town of Montreux

www.swissinfo.ch/eng/hackers-target-the-swiss-town-of-montreux/47017914 Hackers have carried out a cyber attack against databases belonging to the Montreux authorities in southwestern Switzerland. This follows a similar hack earlier this year against the Rolle municipal authorities, also in canton Vaud. It is unclear whether the latest attack, which was identified on October 10, resulted in data being stolen, Swiss public radio, RTS, reportedExternal link on Monday.

You might be interested in …

Daily NCSC-FI news followup 2019-07-14

Ongoing DNS hijacking and mitigation advice www.ncsc.gov.uk/news/ongoing-dns-hijacking-and-mitigation-advice Since that alert was published we have observed further activity, with victims of DNS hijacking identified across multiple regions and sectors. This Advisory covers some of the risks for organisations around DNS hijacking activity and gives advice on ways the risks can be mitigated.. Report at s3.eu-west-1.amazonaws.com/ncsc-content/files/Advisory-DNS-hijacking.pdf Guidance […]

Read More

Daily NCSC-FI news followup 2019-12-16

Inside Evil Corp, a $100M Cybercrime Menace krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/ The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself Evil Corp and stole roughly $100 million from businesses and consumers. As […]

Read More

Daily NCSC-FI news followup 2020-02-13

US says it can prove Huawei has backdoor access to mobile-phone networks arstechnica.com/tech-policy/2020/02/us-gave-allies-evidence-that-huawei-can-snoop-on-phone-networks-wsj-says/ “We have evidence that Huawei has the capability secretly to access sensitive and personal information in systems it maintains and sells around the world,” US National Security Adviser Robert O’Brien told the Journal.. The US kept the intelligence highly classified until late […]

Read More