Daily NCSC-FI news followup 2021-10-28

German investigators identify REvil ransomware gang core member

www.bleepingcomputer.com/news/security/german-investigators-identify-revil-ransomware-gang-core-member/ German investigators have reportedly identified a Russian man whom they believe to be a core member of the REvil ransomware gang, one of the most notorious and successful ransomware groups in recent years. While the suspect’s real identity has not been revealed, German media are calling him by the fictitious name ‘Nikolay K.’ and report that investigators linked him to Bitcoin ransom payments associated with the GandCrab ransomware group.

Dark HunTOR: 150 arrested, $31 million seized in major dark web bust

www.welivesecurity.com/2021/10/27/dark-huntor-150-arrested-31-million-seized-major-dark-web-bust/ The police sting spanned three continents and involved crackdowns in nine countries. Law enforcement agencies from Europe, the United States and Australia have teamed up to arrest some 150 people who are believed to have sold and bought illegal drugs and other illicit goods on the dark web.

Hackers steal $130 million from Cream Finance; the company’s 3rd hack this year

therecord.media/hackers-steal-130-million-from-cream-finance-the-companys-3rd-hack-this-year/ Hackers have stolen an estimated $130 million worth of cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations.

Ransomware gangs use SEO poisoning to infect visitors

www.bleepingcomputer.com/news/security/ransomware-gangs-use-seo-poisoning-to-infect-visitors/ Researchers have spotted two campaigns linked to either the REvil ransomware gang or the SolarMarker backdoor that use SEO poisoning to serve payloads to targets. SEO poisoning, also known as “search poisoning,” is an attack method that relies on optimizing websites using ‘black hat’ SEO techniques to rank higher in Google search results.

Indian supreme court orders inquiry into state’s use of Pegasus spyware

www.theguardian.com/news/2021/oct/27/indian-supreme-court-orders-inquiry-into-states-use-of-pegasus-spyware India’s supreme court has ordered an independent inquiry into whether the government used the surveillance software Pegasus to spy illegally on journalists, activists and political opponents.

Android smartphones infected with rare rooting malware

therecord.media/android-smartphones-infected-with-rare-rooting-malware/ Security researchers at Lookout have discovered a new Android malware strain that contains the ability to root smartphones, a feature that has become quite rare in Android malware strains in recent years. The AbstractEmu malware was distributed hidden inside 19 Android applications that were uploaded on Google Play, the Amazon Appstore, the Samsung Galaxy Store, and other unofficial third-party app stores.

Android spyware apps target Israel in three-year-long campaign

www.bleepingcomputer.com/news/security/android-spyware-apps-target-israel-in-three-year-long-campaign/ A set of seemingly innocuous Android apps have been infecting Israeli users with spyware since 2018, and the campaign continues to this day. The spyware-laden apps were discovered by researchers at Qihoo 360 who found various apps disguised as social applications, Threema, Al-Aqsa Radio, Al-Aqsa Mosque, Jerusalem Guide, PDF viewer, Wire, and other applications.

Android spyware spreading as antivirus software in Japan

www.bleepingcomputer.com/news/security/android-spyware-spreading-as-antivirus-software-in-japan/ A new variant of the Android info-stealer called FakeCop has been spotted by Japanese security researchers, who warn that the distribution of the malicious APK is picking up pace.

Cybersecurity researchers on Wednesday took the wraps off a “simple yet remarkable” malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East

thehackernews.com/2021/10/new-wslink-malware-loader-runs-as.html Codenamed “Wslink” by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. There are no specifics available on the initial compromise vector and there are no code or operational overlaps that tie this tool to a known threat actor group.

Israeli Researcher Cracked Over 3500 Wi-Fi Networks in Tel Aviv City

thehackernews.com/2021/10/israeli-researcher-cracked-over-3500-wi.html Over 70% of Wi-Fi networks from a sample size of 5,000 were hacked with “relative ease” in the Israeli city of Tel Aviv, highlighting how insecure Wi-Fi passwords can become a gateway to serious threats for individuals, small businesses, and enterprises alike.

NRA: No comment on Russian ransomware gang attack claims

www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/ The Grief ransomware gang claims to have attacked the National Rifle Association (NRA) and has released stolen data as proof of the attack. Today, the ransomware gang added the NRA as a new victim on its data leak site, displaying screenshots of Excel spreadsheets containing US tax information and investment amounts.

All Windows versions impacted by new LPE zero-day vulnerability

www.bleepingcomputer.com/news/security/all-windows-versions-impacted-by-new-lpe-zero-day-vulnerability/ A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions. As this bug requires a threat actor to know a user name and password for another user, it will not be as heavily abused as other privilege elevation vulnerabilities we have seen recently, such as PrintNightmare.

Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection

www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/ Microsoft has discovered a vulnerability that could allow an attacker to bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We also found a similar technique that could allow an attacker to elevate their privileges to root an affected device. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2021-30892, was included in the security updates released by Apple on October 26, 2021.

How we took part in MLSEC and (almost) won

securelist.com/how-we-took-part-in-mlsec-and-almost-won/104699/ This summer Kaspersky experts took part in the Machine Learning Security Evasion Competition (MLSEC), a series of trials testing contestants’ ability to create and attack machine learning models. The event is comprised of two main challenges: one for attackers, and the other for defenders. The attacker challenge was split into two tracks: Anti-Malware Evasion and Anti-Phishing Evasion.

A Guide to Shift Away from Legacy Authentication Protocols in Microsoft 365

thehackernews.com/2021/10/a-guide-to-shift-away-from-legacy.html Microsoft 365 (M365), formerly called Office 365 (O365), is Microsoft’s cloud strategy flagship product with major changes ahead, such as the deprecation of their legacy authentication protocols.

NSA and CISA share guidance on securing 5G cloud infrastructure

www.bleepingcomputer.com/news/security/nsa-and-cisa-share-guidance-on-securing-5g-cloud-infrastructure/ CISA and the NSA shared guidance on securing cloud-native 5G networks from attacks seeking to compromise information or deny access by taking down cloud infrastructure.
