Daily NCSC-FI news followup 2021-10-21

Cybercrime gang sets up fake company to hire security experts to aid in ransomware attacks

therecord.media/cybercrime-gang-sets-up-fake-company-to-hire-security-experts-to-aid-in-ransomware-attacks/ A cybercrime group known as FIN7 has created a fake security firm earlier this year, used it to hire security researchers, and then trick them into participating in ransomware attacks. Named Bastion Secure, the company claims to provide penetration testing services for private companies and public sector organizations across the world.

Detections That Can Help You Identify Ransomware

securityintelligence.com/posts/detections-help-identify-ransomware/ One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs.

Chrome targeted by Magnitude exploit kit

blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/magnitude-ek-has-been-spotted-targeting-the-chrome-browser/ Exploit kits (EK) are not as widespread as they used to be. One of the reasons is likely that most exploit kits targeted software that is hardly ever used anymore. Internet Explorer, Silverlight, and Flash Player to name a few, have been deprecated, replaced, and quickly lost their user-base. Enter the Magnitude exploit kit. Researchers have found that the Magnitude EK is actively using two vulnerabilities to exploit Chromium-based browsers. Magnitude is used in malvertising attacks to infect victims who visit compromised websites and its payload of choice is the Magniber ransomware.

What is killware?

www.pandasecurity.com/en/mediacenter/security/what-is-killware/ Killware is a type of malware that is being deployed with the sole intention of causing physical harm, even death. Cyber psychopaths deploying such malicious code have one goal to case pure real-life destruction.

Microsoft-Signed Rootkit Targets Gaming Environments in China

www.darkreading.com/attacks-breaches/microsoft-signed-rootkit-targets-gaming-environments-in-china FiveSys is the second publicly known rootkit since June that attackers have managed to sneak past Microsoft’s driver certification process. Researchers have identified a rootkit with a valid digital signature from Microsoft being distributed within gaming environments in China.

Cybercrime matures as hackers are forced to work smarter

www.bleepingcomputer.com/news/security/cybercrime-matures-as-hackers-are-forced-to-work-smarter/ An analysis of 500 hacking incidents across a wide range of industries has revealed trends that characterize a maturity in the way hacking groups operate today. Researchers at Kaspersky have focused on the Russian cybercrime underground, which is currently one of the most prolific ecosystems, but many elements in their findings are common denominators for all hackers groups worldwide. One key finding of the study is that the level of security on office software, web services, email platforms, etc., is getting better.

Google disrupts massive phishing and malware campaign

www.zdnet.com/article/google-disrupts-massive-phishing-and-malware-campaign/#ftag=RSSbaffb68 Google has blocked 1.6 million phishing emails since May 2021 that were part of a malware campaign to hijack YouTube accounts and promote cryptocurrency scams. According to Google’s Threat Analysis Group (TAG), since late 2019 it’s been disrupting phishing campaigns run by a network of Russian hacker subcontractors who’ve been targeting YouTubers with “highly customized” phishing emails and cookie-stealing malware.

Franken-phish: TodayZoo built from other phishing kits

www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-built-from-other-phishing-kits/ A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. We uncovered this phishing kit while examining an extensive series of credential phishing campaigns that all sent credentials to a set of endpoints operated by the attackers. We named the kit “TodayZoo” because of its curious use of these words in its credential harvesting component in earlier campaigns, likely a reference to phishing pages that spoofed a popular video conferencing application. Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones. The copied code segments even have the comment markers, dead links, and other holdovers from the previous kits.

GPS Daemon (GPSD) Rollover Bug

us-cert.cisa.gov/ncas/current-activity/2021/10/21/gps-daemon-gpsd-rollover-bug On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1, 024 weeks, to March 2002, which may cause systems and services to become unavailable or unresponsive.

Hands on with Microsoft’s Android app support in Windows 11

www.bleepingcomputer.com/news/microsoft/hands-on-with-microsofts-android-app-support-in-windows-11/ Microsoft has released its first preview build of the Windows Subsystem for Android, allowing you to run Android apps directly on your desktop. Like the Windows Subsystem for Linux, the Windows Subsystem for Android allows you to run native Android apps in a virtualized environment with sound, graphics, and network connectivity.

U.S. Government Bans Sale of Hacking Tools to Authoritarian Regimes

thehackernews.com/2021/10/us-government-bans-sale-of-hacking.html The U.S. Commerce Department on Wednesday announced new rules barring the sales of hacking software and equipment to authoritarian regimes and potentially facilitate human rights abuse for national security (NS) and anti-terrorism (AT) reasons. The mandate, which is set to go into effect in 90 days, will forbid the export, reexport and transfer of “cybersecurity items” to countries of “national security or weapons of mass destruction concern” such as China and Russia without a license from the department’s Bureau of Industry and Security (BIS).

Two Eastern Europeans Sentenced for Providing Bulletproof Hosting to Cyber Criminals

thehackernews.com/2021/10/two-eastern-europeans-sentenced-for.html Two Eastern European nationals have been sentenced in the U.S. for offering “bulletproof hosting” services to cybercriminals, who used the technical infrastructure to distribute malware and attack financial institutions across the country between 2009 to 2015.

Update now! Chrome fixes more security issues

blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-now-chrome-fixes-more-security-issues/ For the third time in a month Google has issued an update to patch for several security issues. This time the update patches 19 vulnerabilities, of which 5 are classified as “high” risk vulnerabilities. In an update announcement for Chrome 95.0.4638.54, Google specifies the 16 vulnerabilities that were found by external researchers.

You might be interested in …

[NCSC-FI News] Adafruit discloses data leak from ex-employee’s GitHub repo

On Friday, March 4th, Adafruit announced that a publicly-accessible GitHub repository contained a data set comprising information on some user accounts The data set, according to Adafruit, did not contain any user passwords or financial information such as credit cards. However, the exposure of real user data, including order details, could be used by spammers […]

Read More

[NCSC-FI News] Microsoft emergency updates fix Windows AD authentication issues

Microsoft has released emergency out-of-band (OOB) updates to address Active Directory (AD) authentication issues after installing Windows Updates issued during the May 2022 Patch Tuesday on domain controllers. Source: Read More (NCSC-FI daily news followup)

Read More

Daily NCSC-FI news followup 2020-08-13

Alert (AA20-225A) – Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails us-cert.cisa.gov/ncas/alerts/aa20-225a The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA […]

Read More