Daily NCSC-FI news followup 2021-11-08

Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer

unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ On Sept. 16, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. The alert explained that malicious actors were observed deploying a specific webshell and other techniques to maintain persistence in victim environments; however, in the days that followed, we observed a second unrelated campaign carry out successful attacks against the same vulnerability. As early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries.

Beware of the 2-euro “customs fee”: an unusually deceptive scam is being spread in Posti's name

www.tivi.fi/uutiset/tv/b84a3823-66d7-4d69-8c90-66fecfd16e2c At a quick glance, the Finnish-language message, styled to resemble Posti's own, can look trustworthy. The recipient is told that a package could not be delivered. To book a new delivery or pickup date, the victim is asked to follow the link at the end of the message.

Can't scam calls be blocked? This is how Finland's operators respond

www.is.fi/digitoday/tietoturva/art-2000008378895.html The operators are confident that scam calls can be tackled effectively in Finland as well. Some solutions are already in use.

FIVE AFFILIATES TO SODINOKIBI/REVIL UNPLUGGED

www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged On 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5 000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation GoldDust, which involved 17 countries*, Europol, Eurojust and INTERPOL. All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.

US seizes $6 million from REvil ransomware, arrest Kaseya hacker

www.bleepingcomputer.com/news/security/us-seizes-6-million-from-revil-ransomware-arrest-kaseya-hacker/ The United States Department of Justice today has announced charges against a REvil ransomware affiliate responsible for the attack against the Kaseya MSP platform on July 2nd and seizing more than $6 million from another REvil partner.

US Treasury sanctions crypto-exchange Chatex for links to ransomware payments

therecord.media/us-treasury-sanctions-crypto-exchange-chatex-for-links-to-ransomware-payments/ The US Treasury Department has imposed sanctions today on cryptocurrency exchange Chatex for “facilitating financial transactions for ransomware actors.” “Analysis of Chatex’s known transactions indicate that over half are directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware,” Treasury officials said today. Officials said the exchange had “direct ties” to Suex, a Russian cryptocurrency exchange portal which the Treasury sanctioned in September for the exact same reason.

Electronics retail giant MediaMarkt hit by ransomware attack

www.bleepingcomputer.com/news/security/electronics-retail-giant-mediamarkt-hit-by-ransomware-attack/ Electronics retail giant MediaMarkt has suffered a Hive ransomware attack with an initial ransom demand of $240 million, causing IT systems to shut down and store operations to be disrupted in the Netherlands and Germany. MediaMarkt is Europe’s largest consumer electronics retailer with over 1,000 stores in 13 countries. MediaMarkt employs approximately 53,000 people and has total sales of 20.8 billion.

CARBON SPIDER Embraces Big Game Hunting, Part 2

www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/ This blog discusses the Darkside ransomware incident at U.S. oil pipeline system Colonial Pipeline in May 2021 and how CARBON SPIDER responded to fallout from this event. Despite the termination of the Darkside program, the adversary continued malware distribution campaigns and subsequently introduced the BlackMatter RaaS. Due to numerous technical overlaps with Darkside, BlackMatter is attributed to CARBON SPIDER.

Computer misuse crimes in UK surge to high not seen since 2017 even as prosecutions slump 20%

www.theregister.com/2021/11/08/computer_misuse_crimes_ons_crime_survey/ The Crime Survey for England and Wales said it recorded 1.8 million computer misuse offences in the 12 months ending June 2021, matching the number it recorded in 2017. “This was an 85 per cent increase compared with the year ending June 2019, largely driven by a 161 per cent increase in ‘Unauthorised access to personal information (including hacking)’ offences,” said the Office for National Statistics, which owns the survey.

Banking Malware Threats Surging as Mobile Banking Increases: Nokia Threat Intelligence Report

www.darkreading.com/attacks-breaches/banking-malware-threats-surging-as-mobile-banking-increases-nokia-threat-intelligence-report The Nokia 2021 Threat Intelligence Report announced today shows that banking malware threats are sharply increasing as cyber criminals target the rising popularity of mobile banking on smartphones, with plots aimed at stealing personal banking credentials and credit card information.

Sitecore XP RCE flaw patched last month now actively exploited

www.bleepingcomputer.com/news/security/sitecore-xp-rce-flaw-patched-last-month-now-actively-exploited/ The Australian Cyber Security Centre (ACSC) is alerting web admins to the active exploitation of CVE-2021-42237, a remote code execution flaw in the Sitecore Experience Platform (Sitecore XP). On October 13th, Sitecore disclosed and released a patch for a pre-authentication remote code execution vulnerability tracked as CVE-2021-42237 affecting the Sitecore Experience Platform. Last week, cybersecurity firm Assetnote published a technical write-up on the vulnerability, allowing attackers to use the details to create exploits and actively exploit vulnerable websites. “There is active exploitation of a vulnerability occurring in certain versions of Sitecore Experience Platform systems. Affected Australian organisations should apply the available security update,” warned the ACSC in a new advisory released Friday. See also:

www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerable-sitecore-experience-platform-content-management-systems

TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access

blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/ NCC Group’s global Cyber Incident Response Team have observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the Cl0p ransomware. We believe exploiting such vulnerabilities is a recent initial access technique for TA505, deviating from the actor’s usual phishing-based approach. NCC Group strongly advises updating systems running SolarWinds Serv-U software to the most recent version (at minimum version 15.2.3 HF2) and checking whether exploitation has happened as detailed below. We are sharing this information as a call to action for organisations using SolarWinds Serv-U software and incident responders currently dealing with Clop ransomware.

Escalating XSS to Sainthood with Nagios

blog.grimm-co.com/2021/11/escalating-xss-to-sainthood-with-nagios.html During the course of research into Nagios, GRIMM researchers discovered a number of vulnerabilities that would enable attackers to gain Remote Code Execution (RCE) as root on the primary server, which provides great potential for later lateral movement.

DDoS attacks in Q3 2021

securelist.com/ddos-attacks-in-q3-2021/104796/ Q3 proved unexpectedly fast-paced for DDoS attacks: our records show several thousand attacks per day on some days. Yet the duration of attacks both average and maximum reduced from Q2, meaning that we saw very many shorter attacks during the period.

ICS Threat Hunting: “They’re Shootin’ at the Lights!” – PART 2

www.sans.org/blog/ics-threat-hunting-they-are-shootin-at-the-lights-part-2/ Welcome to the second of our multi-part series on threat hunting for industrial control system (ICS) and operational technology (OT) environments.

Hacking of activists is latest in long line of cyber-attacks on Palestinians

www.theguardian.com/world/2021/nov/08/hacking-activists-latest-long-line-cyber-attacks-palestinians-nso-group-pegasus-spyware The disclosure that Palestinian human rights defenders were reportedly hacked using NSO’s Pegasus spyware will come as little surprise to two groups of people: Palestinians themselves and the Israeli military and intelligence cyber operatives who have long spied on Palestinians. While it is not known who was responsible for the hacking in this instance, what is very well documented is the role of the Israeli military’s 8200 cyberwarfare unit known in Hebrew as the Yehida Shmoneh-Matayim in the widespread spying on Palestinian society.

Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets

www.atlanticcouncil.org/in-depth-research-reports/issue-brief/surveillance-technology-at-the-fair/ State cyber capabilities are increasingly abiding by the “pay-to-play” model: both US/NATO allies and adversaries can purchase interception and intrusion technologies from private firms for intelligence and surveillance purposes. NSO Group has repeatedly made headlines in 2021 for targeting government entities in cyberspace, but there are many more companies selling similar products that are just as detrimental. These vendors are increasingly looking to foreign governments to hawk their wares, and policymakers have yet to sufficiently recognize or respond to this emerging problem. Any cyber capabilities sold to foreign governments carry a risk: these capabilities could be used against individuals and organizations in allied countries, or even in one’s home country.
