Daily NCSC-FI news followup 2021-11-10

Zero-Day Disclosure: Palo Alto Networks GlobalProtect VPN CVE-2021-3064

www.randori.com/blog/cve-2021-3064/ On November 10, 2021 Palo Alto Networks (PAN) provided an update that patched CVE-2021-3064 which was discovered and disclosed by Randori. This vulnerability affects PAN firewalls using the GlobalProtect Portal VPN and allows for unauthenticated remote code execution on vulnerable installations of the product. The issue affects multiple versions of PAN-OS 8.1 prior to 8.1.17 and Randori has found numerous vulnerable instances exposed on internet-facing assets, in excess of 70,000 assets. The Randori Attack Team developed a reliable working exploit and leveraged the capability as part of Randori’s continuous and automated red team platform. Our team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials, and more. Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally. In an effort to avoid enabling misuse, technical details related to CVE-2021-3064 will be withheld from public dissemination for a period of 30 days from the date of this publication. In order to exploit this vulnerability, an attacker must have network access to the device on the GlobalProtect service port (default port 443). As the affected product is a VPN portal, this port is often accessible over the Internet. On devices with ASLR enabled (which appears to be the case in most hardware devices), exploitation is difficult but possible. On virtualized devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR and Randori expects public exploits will surface. Randori recommends affected organizations apply the patches provided by PAN. Additionally, PAN has made available Threat Prevention signatures 91820 and 91855 that can be enabled to thwart exploitation while organizations plan for the software upgrade.
For organizations not using the VPN capability as part of the firewall, we recommend disabling GlobalProtect.

THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware

www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware In this Threat Analysis report, the GSOC investigates recent attack campaigns that reflect the current developments of the ITG23 threat group (also known as the TrickBot Gang or Wizard Spider). The ITG23 group is partnering with the TA551 (Shatak) threat group to distribute ITG23’s TrickBot and BazarBackdoor malware, which malicious actors use to deploy ITG23’s Conti ransomware on compromised systems.

The hunt for NOBELIUM, the most sophisticated nation-state attack in history

www.microsoft.com/security/blog/2021/11/10/the-hunt-for-nobelium-the-most-sophisticated-nation-state-attack-in-history/ This is the second in a four-part blog series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft’s four-part video series “Decoding NOBELIUM” pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and around the industry came together to take on the most sophisticated nation-state attack in history. In this second post, we’ll explore the investigation in the second episode of the docuseries.

Lazarus hackers target researchers with trojanized IDA Pro

www.bleepingcomputer.com/news/security/lazarus-hackers-target-researchers-with-trojanized-ida-pro/ A North Korean state-sponsored hacking group known as Lazarus is again trying to hack security researchers, this time with a trojanized pirated version of the popular IDA Pro reverse engineering application.

PhoneSpy: The App-Based Cyberattack Snooping South Korean Citizens

blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/ Recently, we discovered and began monitoring the activity behind PhoneSpy, a spyware aimed at South Korean residents with Android devices. With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices. PhoneSpy hides in plain sight, disguising itself as a regular application with purposes ranging from learning Yoga to watching TV and videos, or browsing photos. But in reality, the application is stealing data, messages, images, and remote control of Android phones. In this blog, we will: Cover the capabilities of the Android spyware; Discuss the techniques used to collect and store data; and Show the communication with the C&C server to exfiltrate stolen data.

Walking on APT31 infrastructure footprints

www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/ SEKOIA.IO’s Cyber Threat Intelligence team had an in-depth look at the APT31 intrusion set at the beginning of 2021 when the BfV (Bundesamt für Verfassungsschutz)¹ and McAfee² released some new information. A few months later, the French National Cybersecurity Agency (ANSSI) also released a short publication with several IoCs³, showing that the intrusion set was still active and of concern as multiple national agencies had been involved. All of these IoCs were mainly IP addresses, and many of them seemed to be linked to SOHO routers, mostly Pakedge routers at the time. With that observation, we investigated more deeply to see if we could find more infrastructure and implants used by this intrusion set.

Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT

www.trendmicro.com/en_us/research/21/k/compromised-docker-hub-accounts-abused-for-cryptomining-linked-t.html In October 2021, we observed threat actors targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts. We identified Docker Hub registry accounts that were either compromised or belong to TeamTNT. These accounts were being used to host malicious images and were an active part of botnets and malware campaigns that abused the Docker REST API. Exposed Docker APIs have become prevalent targets for attackers as these allow them to execute their own malicious code with root privileges on a targeted host if security considerations are not accounted for. This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives.

CERT-PL employees rally around politically-dismissed chief

therecord.media/cert-pl-employees-rally-around-politically-dismissed-chief/ The Polish government has fired the head of CERT-PL, the country’s official computer emergency response team, in what the organization’s employees have described as a dismissal based on the manager’s personal political views. Przemysław “Prezmek” Jaroszewski, who has been the head of CERT-PL since July 2016, was dismissed last week after he was summoned to a meeting with Janusz Cieszyński, the Secretary of State for Digital Affairs in the Prime Minister’s office. Cieszyński told Jaroszewski that higher-ups became aware of the CERT-PL’s head criticism of the Polish government on his personal Facebook account, according to sources in the Prime Minister’s office and the Ministry of Interior and Administration, who spoke with Polish TV station TVN24.

Fake LinkedIn notifications

www.kaspersky.com/blog/linkedin-phishing/42861/ We look at some examples of LinkedIn phishing and explain how everyone can avoid taking the bait.

Are cybercriminals turning away from the US and targeting Europe instead?

blog.malwarebytes.com/malwarebytes-news/2021/11/are-cybercriminals-turning-away-from-the-us-and-targeting-europe-instead/ Significant cyberattacks against critical targets in Europe have doubled in the past year, according to EU figures obtained by CNN. And with the announced pressure from the US against major ransomware gangs we can expect these figures to go up even more. For now it is hard to tell whether the increased amount of attacks in Europe is some sort of waterbed effect due to the US government’s harder stance against cybercriminals and ransomware in particular. It could be that it is simply ransomware groups expanding to new markets due to more competition among themselves and greener pastures on the other side of the pond. In the ransomware industry, the time of “spray and pray” is long gone. Most of the well known groups know exactly which kind of targets they want to go after and even when the best time to strike is. So it’s not unlikely that we will see more of these attacks on online shops and large retailers with the shopping season around the corner.

The Far-Reaching Attacks of the Void Balaur Cybermercenary Group

www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-far-reaching-attacks-of-the-void-balaur-cybermercenary-group As cyberattacks have become a common tool in the offensive arsenals of powerful organizations, an industry has developed that is based around providing cyberattack services, tools, and even training to potential customers. One of the major players in this industry are the so-called “cybermercenaries”: groups or individuals that, as the name suggests, offer different kinds of internet-based products and services to their clients, such as governments, crime organizations, and even businesses, for a price. We have been investigating one of these cybermercenaries, a threat actor known as Void Balaur (aka Rockethack), for more than a year and discovered that the group has been launching cyberattacks against prominent targets, some of which have even resulted in real-life consequences. Our research paper, titled Void Balaur: Tracking a Cybermercenary’s Activities, provides a deep dive into the group’s activities, offerings, targets, connections with other threat actors, and the potential consequences its attacks might have on its victims. Research (PDF):


Stor-a-File hit by ransomware after crooks target SolarWinds Serv-U FTP software

www.theregister.com/2021/11/10/stor_a_file_ransomware_attack_solarwinds_serv_u/ Stor-a-File, a British data capture and storage company, suffered a ransomware attack in August that exploited an unpatched instance of SolarWinds’ Serv-U FTP software.

Ploutus ATM Malware Case Study: Automated Deobfuscation of a Strongly Obfuscated .NET Binary

www.crowdstrike.com/blog/ploutus-atm-malware-deobfuscation-case-study/ As demonstrated throughout this post, Ploutus obfuscation represents a real challenge for the analyst. The obfuscation of the method’s body can hinder both static and dynamic analysis. Deobfuscating this technique requires a good understanding of the inner functionality of the .NET framework and its core structures. Writing a full deobfuscator requires a considerable amount of time, in particular due to some design choices adopted by the developer (such as using only local variables without referencing external methods). Nevertheless, it is possible to create a deobfuscator that takes in input information that can be extracted by debugging the code, obtaining as a result a binary with the real method’s body.

How Artificial intelligence (AI) Stops Cybercriminals

www.hackread.com/how-artificial-intelligence-ai-stops-cybercriminals/ Newer AI algorithms are extremely good at analyzing data traffic, access, and transfer, as well as detecting outliers or anomalies in data trends. Below are some of the ways AI can prevent and mitigate the damage caused by cybercrime.

Businesses don’t know how to manage VPN security properly – and cyber criminals are taking advantage

www.zdnet.com/article/many-organisations-dont-know-how-to-manage-vpn-security-properly-and-cyber-criminals-are-taking-advantage/ Remote working has resulted in a rise in the use of corporate VPNs. But inexperience means many businesses aren’t equipped to look for and patch security vulnerabilities being exploited by malicious hackers.
