Daily NCSC-FI news followup 2021-11-09

Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus

www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/ Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. Our colleagues at Palo Alto Unit 42 have also highlighted this activity in their recent blog. We thank Unit 42 for their collaboration as industry partners and ongoing efforts to protect customers. This blog shares what Microsoft has observed in the latest DEV-0322 campaign and informs our customers of protections in place through our security products. We have not observed any exploit of Microsoft products in this activity.

Microsoft November 2021 Patch Tuesday

isc.sans.edu/forums/diary/Microsoft+November+2021+Patch+Tuesday/28018/ This month we got patches for 55 vulnerabilities. Of these, 6 are critical, 4 were previously disclosed and 2 are being exploited according to Microsoft. One of the exploited vulnerabilities is a remote code execution affecting Microsoft Exchange Server (CVE-2021-42321). According to the advisory, the vulnerability occurs due to improper validation of cmdlet arguments and, to exploit the vulnerability, an attacker needs to be in an authenticated role in the Exchange Server. The CVSS v3 score for this vulnerability is 8.8 (out of 10). The other exploited vulnerability is a security feature bypass affecting Microsoft Excel (CVE-2021-42292). According to the advisory, to successfully exploit the vulnerability, an attacker requires user interaction. This vulnerability affects Microsoft Excel in different product bundles, including Excel for Mac OS. also:

Who are latest targets of cyber group Lyceum?

www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns Accenture’s Cyber Threat Intelligence (ACTI) group and Prevailion’s Adversarial Counterintelligence Team (PACT) dug into recently publicized campaigns of the cyber espionage threat group Lyceum (aka HEXANE, Spirlin) to further analyze the operational infrastructure and victimology of this actor. The team’s findings corroborate and reinforce previous ClearSky and Kaspersky research indicating a primary focus on computer network intrusion events aimed at telecommunications providers in the Middle East. Additionally, the research expands on this victim set by identifying additional targets within internet service providers (ISPs) and government agencies. Although all victim-identifying information has been redacted, this report seeks to provide these targeted industry and geographic verticals with additional knowledge of the threat and mitigation opportunities.

New Critical Vulnerabilities Found on Nucleus TCP/IP Stack

www.forescout.com/blog/new-critical-vulnerabilities-found-on-nucleus-tcp-ip-stack/ Forescout Research Labs, with support from Medigate Labs, have discovered a set of 13 new vulnerabilities affecting the Nucleus TCP/IP stack, which we are collectively calling NUCLEUS:13. The new vulnerabilities allow for remote code execution, denial of service, and information leak. Nucleus is used in safety-critical devices, such as anesthesia machines, patient monitors and others in healthcare. Forescout Research Labs is committed to supporting vendors in identifying affected products (our open-source TCP/IP stack detector can be helpful in this respect) and to sharing our findings with the cybersecurity community.

Abcbot, an evolving botnet

blog.netlab.360.com/abcbot_an_evolving_botnet_en/ On July 14, 2021, our BotMon system identified an unknown ELF file (a14d0188e2646d236173b230c59037c7) generating a lot of scanning traffic. After analysis, we determined that this is a Go language implementation of a scanner; based on the “abc-hello” string in its source path, we named it Abcbot internally. As time passed, Abcbot has continued to evolve, and as we expected, it added the DGA feature in subsequent samples. Today Abcbot has the ability to self-update, set up a web server, launch DDoS, as well as worm-like propagation. Given that Abcbot is under continuous development and its features are constantly being updated, we decided to write this article to share our findings with the community.

Medical software firm urges password resets after ransomware attack

www.bleepingcomputer.com/news/security/medical-software-firm-urges-password-resets-after-ransomware-attack/ Medatixx, a German medical software vendor whose products are used in over 21,000 health institutions, urges customers to change their application passwords following a ransomware attack that has severely impaired its entire operations.

NSO’s Pegasus spyware found on the devices of six Palestinian activists

therecord.media/nsos-pegasus-spyware-found-on-devices-of-six-palestinian-activists/ The mobile phones of six Palestinian human rights activists have been infected with Pegasus, a spyware strain developed and sold by Israeli surveillance company NSO Group. The malware was found by members of Frontline Defenders, a non-profit organization that works to protect human rights activists. Their findings were independently verified and confirmed by security researchers from Amnesty International and Citizen Lab.

12 New Flaws Used in Ransomware Attacks in Q3

threatpost.com/12-new-flaws-used-in-ransomware-attacks-in-q3/176137/ A dozen new vulnerabilities were used in ransomware attacks this quarter, bringing the total number of bugs associated with ransomware to 278. That’s a 4.5 percent increase over Q2, according to researchers.

Multiple BusyBox Security Bugs Threaten Embedded Linux Devices

threatpost.com/busybox-security-bugs-linux-devices/176098/ Researchers discovered 14 vulnerabilities in the ‘Swiss Army Knife’ of the embedded OS used in many OT and IoT environments. They allow RCE, denial of service and data leaks.

Robinhood Announces Data Security Incident

blog.robinhood.com/news/2021/11/8/data-security-incident Late in the evening of November 3, we experienced a data security incident. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.

Beware of this private message from a friend: it ends in your Instagram or Facebook account being hijacked

www.is.fi/digitoday/tietoturva/art-2000008389877.html A scam that aims to hijack people’s user accounts is spreading on Facebook’s Messenger instant messaging service and in Instagram private messages. The attack begins with a message written in Finnish that comes from a friend’s account. The message asks for the recipient’s phone number. Ville Kontinen, information security specialist at the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom, says the authorities have been receiving reports of the scam campaign for about two weeks. Recovering the account can be difficult. From Facebook’s or Instagram’s point of view, the fraud involves two parties who both claim the account as their own. Kontinen therefore urges people to keep their account recovery details up to date. These include, among other things, an alternative email address. “If the attacker manages to carry the hijacking through with the phone number and the PIN code that was handed over, you as the victim have to file the same kind of report. Facebook then receives two reports of the account being hacked within a short time. The better your details are kept up to date, the better you can prove that you are the owner of the profile,” Kontinen says.

The future of OT security in an IT-OT converged world

www.theregister.com/2021/11/09/securing_ics_in_the_cloud/ Securing ICS in the cloud requires ‘fundamentally different’ approach

83% of Critical Infrastructure Organizations Suffered Breaches, 2021 Cybersecurity Research Reveals

www.darkreading.com/vulnerabilities-threats/83-of-critical-infrastructure-organizations-suffered-breaches-2021-cybersecurity-research-reveals A new research study by Skybox Security found that 83% of organizations suffered an operational technology (OT) cybersecurity breach in the prior 36 months. The research also uncovered that organizations underestimate the risk of a cyberattack, with 73% of CIOs and CISOs “highly confident” their organizations will not suffer an OT breach in the next year.

Scheming with URLs: One-Click Attack Surface in Linux Desktop Environments

www.crowdstrike.com/blog/one-click-attack-surface-in-linux-desktop-environments/ The Advanced Research Team at CrowdStrike Intelligence discovered multiple vulnerabilities affecting libvncclient. In some widely used desktop environments, such as GNOME, these vulnerabilities can be triggered in a one-click fashion.

Criminals are now trying to hijack the entire smartphone; at worst, an intruder can use your phone to record the conversation you are having in the room

yle.fi/uutiset/3-12172880 According to information security professionals, banking scams and attempts to phish personal identification credentials have clearly increased. Various scam attempts will increasingly focus on mobile in the future.

The Finnish Security and Intelligence Service (Supo) strongly suspects it has been spied on; a loophole was found in its employee recruitment

yle.fi/uutiset/3-12174055 According to the suspicion, some Supo positions have been applied for solely so that the applicant could snoop on the names and other details of the persons selected for the posts. The intelligence gathering exploited the right of applicants, as parties to a public appointment process, to access its documents.

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!

nakedsecurity.sophos.com/2021/11/09/2022-threat-report/ We’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next? PDF:

New Quarterly Threat Trends & Intelligence Report Available

www.phishlabs.com/blog/new-quarterly-threat-trends-intelligence-report-available/ Vishing attacks have more than doubled for the second consecutive quarter, according to the PhishLabs Quarterly Threat Trends & Intelligence Report. The November 2021 report uses hundreds of thousands of attacks analyzed and mitigated by PhishLabs to identify the top threats targeting brands and determine emerging trends throughout the threat landscape.

Hacking group says it has found encryption keys needed to unlock the PS5

arstechnica.com/gaming/2021/11/uncovered-ps5-encryption-keys-are-the-first-step-to-unlocking-the-console/ Hacking group Fail0verflow announced Sunday evening that it had obtained the encryption “root keys” for the PlayStation 5, an important first step in any effort to unlock the system and allow users to run homebrew software.

FinCEN Releases Updated Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments

www.fincen.gov/news/news-releases/fincen-releases-updated-advisory-ransomware-and-use-financial-system-facilitate In connection with a set of actions announced today by the Department of the Treasury and focused on disrupting criminal ransomware actors, FinCEN has released an update to its 2020 advisory on ransomware and the use of the financial system to facilitate ransom payments. PDF:
