Daily NCSC-FI news followup 2021-10-13

How Coinbase Phishers Steal One-Time Passwords

krebsonsecurity.com/2021/10/how-coinbase-phishers-steal-one-time-passwords A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.

Romance scams with a cryptocurrency twist: new research from SophosLabs

nakedsecurity.sophos.com/2021/10/13/romance-scams-with-a-cryptocurrency-twist-new-research-from-sophoslabs/ Sadly, we've needed to write and warn about romance scams and romance scammers many times in recent years. Indeed, in February 2021 we published an article entitled "Romance scams at all-time high: here's what you need to know", following a report from the US Federal Trade Commission (FTC), America's official consumer protection watchdog, warning that romance scammers are making more money than ever before.

The Anatomy of an Attack Against a Cloud Supply Pipeline

www.paloaltonetworks.com/blog/2021/10/anatomy-ci-cd-pipeline-attack/ The most recent Unit 42 Cloud Threat Report contains the high-level results of a red team exercise performed against a SaaS customer's continuous integration and continuous development (CI/CD) pipeline. In other words, a customer asked our researchers to think like attackers, with the aim of revealing vulnerabilities and misconfigurations in their development operations (DevOps) processes. During the red team exercise, researchers took guidance from the strategies and techniques used by the attackers behind the SolarWinds Orion supply chain attack, in order to emulate a real-world threat and assess the security practices against known attacker techniques.

Trickbot Rising: Gang Doubles Down on Infection Efforts to Amass Network Footholds

securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/ IBM X-Force has been tracking the activity of ITG23, a prominent cybercrime gang also known as the TrickBot Gang and Wizard Spider. Researchers are seeing an aggressive expansion of the gang's malware distribution channels, infecting enterprise users with Trickbot and BazarLoader. This move is leading to more ransomware attacks, particularly ones using the Conti ransomware. As of mid-2021, X-Force observed ITG23 partner with two additional malware distribution affiliates: Hive0106 (aka TA551) and Hive0107.

The King is Dead, Long Live MyKings! (Part 1 of 2)

decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/ MyKings is a long-standing and relentless botnet which has been active since at least 2016. Since then it has spread and extended its infrastructure so much that it has even gained multiple names from multiple analysts around the world: MyKings, Smominru, and DarkCloud, for example. Its vast infrastructure consists of multiple parts and modules, including a bootkit, coin miners, droppers, clipboard stealers, and more. Our research has shown that, since 2019, the operators behind MyKings have amassed at least $24 million USD (and likely more) in the Bitcoin, Ethereum, and Dogecoin cryptowallets associated with MyKings.

Australia to tackle ransomware data breaches by deleting stolen files

www.bleepingcomputer.com/news/security/australia-to-tackle-ransomware-data-breaches-by-deleting-stolen-files/ Australia’s Minister for Home Affairs has announced the “Australian Government’s Ransomware Action Plan,” which is a set of new measures the country will adopt in an attempt to tackle the rising threat. Ransomware is a global problem, and Australian businesses aren’t excluded from costly service-disrupting attacks. In July, the government warned of an escalation of LockBit activity in the country.

Check Point Research Prevents Theft of Crypto Wallets on OpenSea, the World's Largest NFT Marketplace

research.checkpoint.com/2021/check-point-research-prevents-theft-of-crypto-wallets-on-opensea-the-worlds-largest-nft-marketplace/ During the past few weeks, Check Point researchers spotted various cases where people tweeted reports claiming they lost their crypto wallet balance while receiving a free gift on the OpenSea marketplace. OpenSea is the largest digital collectible marketplace, a peer-to-peer marketplace for crypto collectibles and non-fungible tokens, aka NFTs. OpenSea recorded $3.4 billion in transaction volume in August 2021 alone, and has grown to be the largest marketplace for non-fungible tokens of the crypto world.

Cyberattack hits Meliá, one of the largest hotel chains in the world

therecord.media/cyberattack-hits-melia-one-of-the-largest-hotel-chains-in-the-world/ A cybersecurity incident has crippled activities at Meliá Hotels International, one of the largest hotel chains in the world. The incident occurred in the early hours of Monday, October 4, and primarily affected Meliá's Spain-based operations, where attackers took down parts of the internal network and some web-based servers, including its reservation system and public websites.

Incident Response: 5 Principles to Boost the Infosec/Legal Relationship

threatpost.com/incident-response-infosec-legal-relationship/175461/ As an information-security professional, would you feel ready to respond to a state attorney in the event of a cyber-incident? Around half (47 percent) of organizations polled for Kroll's The State of Incident Response 2021 report said that their teams lack clarity around when to engage legal counsel about a potential incident. The potential impact of current and emerging cyber-incidents is so great that cybersecurity can no longer remain solely within the scope of an organization's information-security team.

Apple silently fixes iOS zero-day, asks bug reporter to keep quiet

www.bleepingcomputer.com/news/apple/apple-silently-fixes-ios-zero-day-asks-bug-reporter-to-keep-quiet/ Apple has silently fixed a ‘gamed’ zero-day vulnerability with the release of iOS 15.0.2, on Monday, a security flaw that could let attackers gain access to sensitive user information. The company addressed the bug without acknowledging or crediting software developer Denis Tokarev for the discovery even though he reported the flaw seven months before iOS 15.0.2 was released.

U.S. convenes 30 countries on ransomware threat without Russia or China

therecord.media/u-s-convenes-30-countries-on-ransomware-threat-without-russia-or-china/ The Biden administration did not invite Russia to participate in the first meeting of a global effort to combat cybercrime, but could welcome the country that has become synonymous with ransomware to future gatherings. On Wednesday the White House will begin a two-day virtual event with representatives from 30 countries around the world, dubbed the Counter-Ransomware Initiative. The forum is meant to strengthen law enforcement cooperation and diplomatic ties against malicious activities, including the misuse of virtual currency to launder ransom payments.

Olympus suffers second cyberattack in 2021

www.zdnet.com/article/olympus-announces-second-cyberattack-in-2021/ On Tuesday, Japanese tech manufacturer Olympus said that it was investigating a cyberattack on its IT systems in the US, Canada, and Latin America. The company said the cybersecurity incident was detected on Sunday, but despite the help of forensics experts, they are still working to resolve the issue. “As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners. The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions,” the company statement said.

Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover

www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-page-builder-plugin-allow-site-takeover/ On August 19, 2021, the Wordfence Threat Intelligence team initiated the Responsible Disclosure process for Brizy Page Builder, a WordPress plugin installed on over 90,000 sites. During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy Page Builder plugin, though it did not appear to be under active attack. This led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced.

Is there malware on your computer? Here's how to recognise it

www.iltalehti.fi/tietoturva/a/7ce42086-b3af-4008-9225-e4ab450ae93a October is European Cyber Security Month. The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom has shared on its website a real-life case in which Patrik Pallagi's computer was hacked. In the video, Pallagi says he lent his computer to a friend he considered trustworthy. When Pallagi opened his computer the next day, it started playing music and a pop-up window appeared. The pop-up showed a cheap offer for a service that Pallagi used often.

National Cyber Security Centre: update as soon as possible, criminals are exploiting a vulnerability found in Windows devices

www.tivi.fi/uutiset/tv/36297457-f733-449d-a3e4-cf4992643498 On Patch Tuesday, 12 October, Microsoft released fixes for a total of 81 different vulnerabilities. One of them, CVE-2021-40449, was found in the Win32k component, which is present in almost all Windows devices. The vulnerability is already being exploited, so the updates should be installed at the first opportunity.

The cost of hiring a hacker on the dark web: report

www.comparitech.com/blog/information-security/hiring-hacker-dark-web-report/ Comparitech researchers collected more than 100 listings from 12 hacking services to find out how much these mostly illegal services cost, and which seem to be in highest demand. Many of the websites we examined have similar à la carte menus for the various black hat services on offer.
