Daily NCSC-FI news followup 2021-11-03

US sanctions four companies selling hacking tools, including NSO Group & Candiru

therecord.media/us-sanctions-four-companies-selling-hacking-tools-including-nso-group-candiru/ The US government has today sanctioned four companies that develop and sell spyware and other hacking tools, the US Department of Commerce announced. The four companies are Israel’s NSO Group and Candiru, Russian security firm Positive Technologies, and Singapore-based Computer Security Initiative Consultancy.

‘Too early to tell’ if Russia has cracked down on ransomware gangs, Nakasone says

therecord.media/too-early-to-tell-if-russia-has-cracked-down-on-ransomware-gangs-nakasone-says/ The country’s top military cyber official said on Wednesday that it is too soon to know whether the Kremlin has taken action against ransomware gangs operating on Russian soil.

BlackMatter ransomware says it’s shutting down due to pressure from local authorities

therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/ The criminal group behind the BlackMatter ransomware has announced plans today to shut down its operation, citing pressure from local authorities.

CERT-France: Lockean ransomware group behind attacks on French companies

therecord.media/cert-france-lockean-ransomware-group-behind-attacks-on-french-companies/ French cybersecurity officials have identified today for the first time a ransomware “affiliate group” that is responsible for a long list of attacks against French companies over the past two years. Identified as Lockean, the group’s activities and modus operandi were detailed today in a comprehensive report published by France’s Computer Emergency Response Team (CERT-FR), a division of ANSSI, the country’s national cybersecurity agency.

Cybercrime underground flush with shipping companies’ credentials

intel471.com/blog/shipping-companies-ransomware-credentials The actors responsible for selling these credentials range from newcomers to the most prolific network access brokers that Intel 471 tracks.

Clearview AI slammed for breaching Australians’ privacy on numerous fronts

www.zdnet.com/article/clearview-ai-slammed-for-breaching-australians-privacy-on-numerous-fronts/ Despite uncovering Clearview AI’s intrusive practices, Australia’s Information Commissioner conceded that the number of Australians who have had their biometric information scraped by the company was unknown.

Coinbase notification scam steals US$11 million in bitcoin from a crypto account in 10 minutes

www.notebookcheck.net/Coinbase-notification-scam-steals-US-11-million-from-a-bitcoin-account-in-10-minutes.576725.0.html In a warning to Coinbase users not to fall for fake customer service representatives, a subscriber got their Bitcoin account plundered with their own helping hand.

‘Tortilla’ Wraps Exchange Servers in ProxyShell Attacks

threatpost.com/tortilla-exchange-servers-proxyshell/175967/ The Microsoft Exchange ProxyShell vulnerabilities are being exploited yet again for ransomware, this time with Babuk from the new “Tortilla” threat actor.

UK Labour Party discloses data breach after ransomware attack

www.bleepingcomputer.com/news/security/uk-labour-party-discloses-data-breach-after-ransomware-attack/ The U.K. Labour Party notified members that some of their information was impacted in a data breach after a ransomware attack hit a supplier managing the party’s data.

New Tool: cs-extract-key.py

blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/ cs-extract-key.py is a tool designed to extract cryptographic keys from Cobalt Strike beacon process memory dumps.

Stealthier version of Mekotio banking trojan spotted in the wild

www.bleepingcomputer.com/news/security/stealthier-version-of-mekotio-banking-trojan-spotted-in-the-wild/ A new version of a banking trojan known as Mekotio is being deployed in the wild, with malware analysts reporting that it’s using a new, stealthier infection flow.

Linux Foundation adds software supply chain security to LFX

www.zdnet.com/article/linux-foundation-adds-software-supply-chain-security-to-lfx/ Our software supply chains are under attack. The Linux Foundation, via its LFX tools, is set to defend them. Enhanced and free to use, LFX Security makes it easier for open source projects to secure their code. Specifically, the LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language, adding to its existing automated vulnerability detection capabilities.

The Booming Underground Market for Bots That Steal Your 2FA Codes

www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo The bots convincingly and effortlessly help hackers break into Coinbase, Amazon, PayPal, and bank accounts. “The bot is great for people who don’t have social engineering skills […]”

This Steam phish baits you with free Discord Nitro

blog.malwarebytes.com/malwarebytes-news/2021/11/this-steam-phish-baits-you-with-free-discord-nitro/ Weeks ago, we talked about the one effective lure that could get a Discord user to consider clicking on a scam link they were generously given, either by a random user or a legitimate contact who also happened to have fallen for the same ploy: free Discord Nitro subscriptions.

Credit card skimmer evades Virtual Machines

blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/ There are many techniques threat actors use to slow down analysis or, even better, evade detection. Perhaps the most popular method is to detect virtual machines commonly used by security researchers and sandboxing solutions.

CISA creates catalog of known exploited vulnerabilities, orders agencies to patch

therecord.media/cisa-creates-catalog-of-known-exploited-vulnerabilities-orders-agencies-to-patch/ The US Cybersecurity and Infrastructure Security Agency has today established a public catalog of vulnerabilities known to be exploited in the wild and has issued a binding operational directive ordering US federal agencies to patch affected systems within specific timeframes and deadlines. CISA Director Jen Easterly said that while the binding operational directive can only force US federal agencies to take action, all organizations should patch the listed vulnerabilities, as the same exploits are also used to attack private entities. See also:

us-cert.cisa.gov/ncas/current-activity/2021/11/03/cisa-issues-bod-22-01-reducing-significant-risk-known-exploited

Sonos, HP, and Canon devices hacked at Pwn2Own Austin 2021

www.bleepingcomputer.com/news/security/sonos-hp-and-canon-devices-hacked-at-pwn2own-austin-2021/ During the first day of Pwn2Own Austin 2021, contestants won $362,500 after exploiting previously unknown security flaws to hack printers, routers, NAS devices, and speakers from Canon, HP, Western Digital, Cisco, Sonos, TP-Link, and NETGEAR.

Report: Cost of a Data Breach in Energy and Utilities

securityintelligence.com/articles/cost-data-breach-energy-utilities/ On average, the cost of a data breach rose by 10% from 2020 to 2021. The energy industry ranked fifth in data breach costs, surpassed only by the health care, financial, pharmaceutical and technology verticals, according to the 17th annual Cost of a Data Breach Report. Some energy cybersecurity measures can help reduce the cost of a data breach in a big way. For example, take a look at zero trust deployments, artificial intelligence and automation.

Google warns Android users of zero-day vulnerability being actively attacked

www.bitdefender.com/blog/hotforsecurity/google-warns-android-users-of-zero-day-vulnerability-being-actively-attacked/ Google’s latest monthly security patches for the Android operating system contain fixes for 39 flaws, including one security vulnerability that the tech giant says is being actively exploited in the wild.
