Daily NCSC-FI news followup 2021-11-04

Ukraine links members of Gamaredon hacker group to Russian FSB

www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/ The Security Service of Ukraine (SSU) says it has identified five members of the Gamaredon hacking group, a Russian state-sponsored operation that has targeted Ukraine since 2014. The group, tracked as Armageddon by the SSU, is allegedly run by the FSB (Russian Federal Security Service) and is believed to be responsible for over 5,000 attacks in Ukraine since the operation began. The five men accused of taking part in these attacks were identified by SSU investigators, who say they hold unequivocal evidence of their involvement obtained from intercepted communications. also:

ssu.gov.ua/en/novyny/sbu-vstanovyla-khakeriv-fsb-yaki-zdiisnyly-ponad-5-tys-kiberatak-na-derzhavni-orhany-ukrainy. also:

ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf

If you see this notice in your online bank, you are in immediate danger

www.is.fi/digitoday/tietoturva/art-2000008381329.html A prompt telling you to wait for minutes on end is the sign of a fake bank site built to steal your money.

GitLab servers are being exploited in DDoS attacks in excess of 1 Tbps

therecord.media/gitlab-servers-are-being-exploited-in-ddos-attacks-in-excess-of-1-tbps/ Threat actors are exploiting a security flaw in GitLab self-hosted servers to assemble botnets and launch gigantic distributed denial of service (DDoS) attacks, with some in excess of 1 terabit per second (Tbps). The DDoS attacks, disclosed today by Damian Menscher, a Security Reliability Engineer at Google Cloud responsible for Google’s DDoS defenses, are exploiting CVE-2021-22205, a vulnerability that GitLab patched back in April 2021.
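Since the attacks above target self-hosted instances that never took the April 2021 fix, the first thing a practitioner wants is a quick way to tell whether a given GitLab version is still exposed. The following is an added example written for this digest; it is not code from The Record, GitLab or Google. The only external facts it relies on are the fixed releases (13.10.3, 13.9.6, 13.8.8) and the affected range (11.9 onwards) from GitLab's advisory for CVE-2021-22205; the sample version strings are constructed, and the API helper assumes you hold a read-only personal access token for the instance.

```python
"""Flag a self-managed GitLab version as unpatched for CVE-2021-22205.

Added example, not from the page or from GitLab. Fixed releases and the
affected range are taken from GitLab's April 2021 advisory; sample inputs
at the bottom are constructed.
"""
import json
import urllib.request

FIRST_AFFECTED = (11, 9, 0)          # advisory: affects all versions from 11.9
# Backport branches that received the fix; any later branch shipped with it.
FIXED_BY_BRANCH = {
    (13, 10): (13, 10, 3),
    (13, 9): (13, 9, 6),
    (13, 8): (13, 8, 8),
}
LATEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)


def parse_version(text: str) -> tuple:
    """Turn '13.10.2-ee' or '13.10.2' into (13, 10, 2); the edition suffix is dropped."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(text: str) -> bool:
    """True if the version lies in the affected range and below its branch's fix."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False                      # predates the affected code
    branch = v[:2]
    if branch > LATEST_FIXED_BRANCH:
        return False                      # released after the fix landed
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    return True                           # 11.9 .. 13.7 never received a backport


def instance_version(base_url: str, token: str) -> str:
    """Ask a running instance for its version via GET /api/v4/version.

    The endpoint requires authentication; `token` is assumed to be a
    personal access token with API read scope.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample versions, not observations from any real instance.
    for sample in ("13.10.2-ee", "13.10.3-ee", "13.9.5", "13.7.9", "11.8.4", "14.3.0"):
        print(f"{sample:12s} vulnerable={is_vulnerable(sample)}")
```

The branch-aware comparison matters: a plain "is it below 13.10.3" check would wrongly clear 13.9.5 and 13.8.7, which are on older backport branches and remain unpatched until their own fixed release.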

Phishing emails deliver spooky zombie-themed MirCop ransomware

www.bleepingcomputer.com/news/security/phishing-emails-deliver-spooky-zombie-themed-mircop-ransomware/ A new phishing campaign posing as supply lists infects users with the MirCop ransomware, which encrypts a target system in under fifteen minutes. The email body contains a hyperlink to a Google Drive URL which, if clicked, downloads an MHT file (web page archive) onto the victim’s machine. When the MHT file is opened, it downloads a RAR archive containing a .NET malware downloader. The RAR archive contains an EXE file, which uses VBS scripts to drop and execute the MirCop payload on the infected system.

Critical RCE Vulnerability Reported in Linux Kernel’s TIPC Module

thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.html Cybersecurity researchers have disclosed a security flaw in the Linux Kernel’s Transparent Inter Process Communication (TIPC) module that could potentially be leveraged both locally as well as remotely to execute arbitrary code within the kernel and take control of vulnerable machines. There is currently no evidence of in-the-wild abuse and it should also be noted that while the module is included with major distributions, it has to be loaded for the protocol to be enabled — and so only builds with this feature active may be vulnerable to exploit. also:

www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/
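The caveat in the TIPC item, that the module ships with major distributions but must be loaded for the protocol to be active, translates into two concrete checks on a host: is the module loaded now, and is modprobe configured to refuse loading it. The following is an added example for this digest, not code from SentinelOne or The Hacker News. It reads the standard /proc/modules and /etc/modprobe.d locations; the sample contents at the bottom are constructed, not captured from a real host.

```python
"""Assess whether a Linux host is exposed to the TIPC kernel module.

Added example, not from the page. Paths are the standard Linux ones;
sample data below is constructed for illustration.
"""
import re
from pathlib import Path

# `install <mod> /bin/false` (or /bin/true) turns any modprobe of <mod> into a
# no-op, including the kernel's own request_module() when a program opens an
# AF_TIPC socket (the tipc module carries the net-pf-30 alias).
_INSTALL_RULE = re.compile(r"^\s*install\s+(\S+)\s+/bin/(?:false|true)\b")
# `blacklist <mod>` only ignores the module's internal aliases; an explicit
# `modprobe tipc` still loads it, so it is recorded as a weaker control.
_BLACKLIST_RULE = re.compile(r"^\s*blacklist\s+(\S+)\s*$")


def module_loaded(name: str, proc_modules: str) -> bool:
    """True if `name` is the first column of some line in /proc/modules-style text."""
    for line in proc_modules.splitlines():
        fields = line.split()
        if fields and fields[0] == name:
            return True
    return False


def modprobe_controls(name: str, conf_texts: dict) -> dict:
    """Scan modprobe.d contents ({filename: text}) for rules affecting `name`."""
    result = {"install_blocked": False, "blacklisted": False}
    for text in conf_texts.values():
        for line in text.splitlines():
            m = _INSTALL_RULE.match(line)
            if m and m.group(1) == name:
                result["install_blocked"] = True
            m = _BLACKLIST_RULE.match(line)
            if m and m.group(1) == name:
                result["blacklisted"] = True
    return result


def assess(name: str, proc_modules: str, conf_texts: dict) -> str:
    """Classify exposure: 'exposed', 'blocked', 'alias-blocked-only' or 'autoload-possible'."""
    if module_loaded(name, proc_modules):
        return "exposed"              # protocol active: patch the kernel, or unload if unused
    ctl = modprobe_controls(name, conf_texts)
    if ctl["install_blocked"]:
        return "blocked"              # modprobe will never load it
    if ctl["blacklisted"]:
        return "alias-blocked-only"   # socket-triggered autoload stopped, explicit modprobe not
    return "autoload-possible"        # not loaded now, but the first AF_TIPC socket may load it


def assess_host(name: str = "tipc") -> str:
    """Run the assessment against the live system files."""
    proc = Path("/proc/modules").read_text()
    conf_dir = Path("/etc/modprobe.d")
    confs = {p.name: p.read_text() for p in conf_dir.glob("*.conf")} if conf_dir.is_dir() else {}
    return assess(name, proc, confs)


# Constructed sample data (not captured from a real host).
SAMPLE_PROC_MODULES = (
    "tipc 311296 0 - Live 0x0000000000000000\n"
    "udp_tunnel 20480 1 tipc, Live 0x0000000000000000\n"
)
SAMPLE_CONF_BLOCKED = {"tipc.conf": "# hardening rule\ninstall tipc /bin/false\n"}

if __name__ == "__main__":
    print(assess("tipc", SAMPLE_PROC_MODULES, {}))
    print(assess("tipc", "", SAMPLE_CONF_BLOCKED))
    print(assess("tipc", "", {"x.conf": "blacklist tipc\n"}))
    print(assess("tipc", "", {}))
```

The distinction between the last two states is the practical point: on a host where TIPC is unused, "not loaded" by itself is not a safe state, because an unprivileged process creating an AF_TIPC socket can cause the kernel to auto-load the module; an `install tipc /bin/false` rule is what closes that path until the kernel is updated.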

Cisco fixes hard-coded credentials and default SSH key issues

www.bleepingcomputer.com/news/security/cisco-fixes-hard-coded-credentials-and-default-ssh-key-issues/ Cisco has released security updates to address critical security flaws allowing unauthenticated attackers to log in using hard-coded credentials or default SSH keys to take over unpatched devices.

Hungarian Official: Government Bought, Used Pegasus Spyware

www.usnews.com/news/world/articles/2021-11-04/hungarian-official-government-bought-used-pegasus-spyware A senior official with Hungary’s ruling party has acknowledged for the first time that the government has purchased a powerful spyware tool, which was allegedly used to target the digital devices of several journalists, businesspeople and an opposition politician.

Deep Dive into a Fresh Variant of Snake Keylogger Malware

www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware Snake Keylogger is malware developed in .NET. It first appeared in late 2020 and focuses on stealing sensitive information from a victim’s device, including saved credentials, keystrokes, screenshots and clipboard data. In this threat research blog you will learn how the Snake Keylogger variant is downloaded and executed through a captured Excel sample, what techniques this variant uses to protect itself from analysis, what sensitive information it steals from a victim’s machine, and how it submits the collected data to the attacker.

Win one for privacy: Swiss providers don’t have to talk

www.welivesecurity.com/2021/11/03/win-one-privacy-swiss-providers-dont-have-talk/ Security and privacy get a leg up in Proton’s legal challenge against data retention and disclosure obligations

Malware signed by Slovenian companies

connect.geant.org/2021/10/29/malware-signed-by-slovenian-companies One of the measures that protects us against malicious code is digital code signing. If the operating system cannot find a digital signature from the code’s author that chains to a trusted certificate authority, it refuses to install the application. The user must then perform the more or less arduous task of manually approving an exception, and in doing so inadvertently accepts responsibility for installing unknown software. Malware authors adapted quickly and started obtaining code-signing certificates, including under the guise of Slovenian companies.

BrakTooth Proof of Concept Tool Demonstrates Bluetooth Vulnerabilities

us-cert.cisa.gov/ncas/current-activity/2021/11/04/braktooth-proof-concept-tool-demonstrates-bluetooth On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool that tests Bluetooth-enabled devices against potential Bluetooth exploits using the researchers’ software tools. BrakTooth, originally disclosed in August 2021, is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial of service to arbitrary code execution.

Researchers Scan the Web to Uncover Malware Infections

www.darkreading.com/security-monitoring/researchers-scan-the-web-to-uncover-malware-infections Dozens of companies and universities regularly scan the Internet to gather data on connected devices, but some firms are looking deeper to uncover the extent of detectable malware infections.
