Daily NCSC-FI news followup 2021-11-11

Critical Citrix DDoS Bug Shuts Down Network, Cloud App Access

threatpost.com/critical-citrix-bug-etwork-cloud-app-access/176183/ The distributed computing vendor patched the flaw, affecting Citrix ADC and Gateway, along with another flaw impacting availability for SD-WAN appliances.

HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks

www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/ HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. Notably, this technique was observed in a spear-phishing campaign from the threat actor NOBELIUM in May. More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats.
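What the technique looks like on the wire, and one way to check a captured attachment for it, as an added example (not code from the Microsoft post or from any of the campaigns it names). The dropper body is built here only as a constructed sample; the indicator list, the 64-character minimum for a base64 literal and the short magic-byte table are assumptions for illustration, and the "payload" is an MZ header padded with zeros rather than a real executable. Everything is string processing, so it runs under Node without rendering anything.

```javascript
// Added example: the shape of an HTML smuggling dropper and a static check
// that flags the pattern. Not code from Microsoft or from the campaigns above.

// Browser features the technique relies on. No single one is malicious;
// the combination (decode -> Blob -> hand the bytes to the user) is.
// Assumed list, not exhaustive.
const SMUGGLING_INDICATORS = [
  { name: "base64 decode", re: /\batob\s*\(/ },
  { name: "Blob construction", re: /\bnew\s+Blob\s*\(/ },
  { name: "object URL", re: /URL\.createObjectURL\s*\(/ },
  { name: "legacy IE save", re: /msSaveOrOpenBlob\s*\(/ },
  { name: "download attribute", re: /\.download\s*=/ },
  { name: "programmatic click", re: /\.click\s*\(\s*\)/ },
];

// File signatures for the decoded payload. Constructed, minimal table;
// ISO images keep their magic at offset 0x8001 and are not covered here.
const MAGIC = [
  { type: "PE executable", bytes: [0x4d, 0x5a] },
  { type: "ZIP/OOXML/JAR", bytes: [0x50, 0x4b, 0x03, 0x04] },
  { type: "OLE2 (legacy Office)", bytes: [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1] },
];

function sniffType(buf) {
  for (const m of MAGIC) {
    if (buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b)) {
      return m.type;
    }
  }
  return "unknown";
}

// Minimal dropper: decode base64 into a Blob, point an <a download> at it and
// click it. The file never crosses the perimeter as a file, only as text
// inside the HTML, which is why attachment scanners miss it. Used below only
// to produce a constructed sample for the detector.
function buildSmugglingPage(fileName, payloadBytes) {
  const b64 = Buffer.from(payloadBytes).toString("base64");
  return [
    "<!DOCTYPE html><html><body><script>",
    `var b = atob("${b64}");`,
    "var arr = new Uint8Array(b.length);",
    "for (var i = 0; i < b.length; i++) arr[i] = b.charCodeAt(i);",
    'var blob = new Blob([arr], {type: "application/octet-stream"});',
    'var a = document.createElement("a");',
    "a.href = URL.createObjectURL(blob);",
    `a.download = "${fileName}";`,
    "a.click();",
    "</script></body></html>",
  ].join("\n");
}

// Scores an HTML attachment: which indicators fire, and what every quoted
// base64 literal of 64+ characters decodes to (shorter ones are ignored as
// tokens or config strings). Decode, Blob and a delivery path (object URL or
// the IE-only msSaveOrOpenBlob) must all be present before flagging, so a
// page that merely decodes a config blob is not reported.
function detectHtmlSmuggling(html) {
  const indicators = SMUGGLING_INDICATORS
    .filter((ind) => ind.re.test(html))
    .map((ind) => ind.name);
  const payloads = [];
  const b64Literal = /["']([A-Za-z0-9+\/]{64,}={0,2})["']/g;
  let m;
  while ((m = b64Literal.exec(html)) !== null) {
    const buf = Buffer.from(m[1], "base64");
    payloads.push({ size: buf.length, type: sniffType(buf) });
  }
  const hasDecodeAndBlob = ["base64 decode", "Blob construction"]
    .every((n) => indicators.includes(n));
  const hasDelivery = indicators.includes("object URL") || indicators.includes("legacy IE save");
  return {
    suspicious: hasDecodeAndBlob && hasDelivery && payloads.length > 0,
    indicators,
    payloads,
  };
}

// Constructed samples: a 64-byte stand-in for a PE file (MZ header plus
// zeros) wrapped in the dropper, and a benign page that only decodes config.
const SAMPLE_PAYLOAD = Buffer.concat([Buffer.from("MZ"), Buffer.alloc(62)]);
const SAMPLE_DROPPER = buildSmugglingPage("invoice_2021-11.exe", SAMPLE_PAYLOAD);
const SAMPLE_CONFIG_B64 = Buffer.from(
  JSON.stringify({ theme: "dark", locale: "fi-FI", features: ["a", "b", "c"] })
).toString("base64");
const SAMPLE_BENIGN = `<html><body><script>var cfg = JSON.parse(atob("${SAMPLE_CONFIG_B64}"));</script></body></html>`;

console.log(detectHtmlSmuggling(SAMPLE_DROPPER));
console.log(detectHtmlSmuggling(SAMPLE_BENIGN));
```

The decoded-payload step is the part worth keeping in a real pipeline: the dropper pattern can be rewritten endlessly, but the bytes it reconstructs still have to be a file the victim can run, so sniffing the magic of every large embedded literal catches variants the indicator regexes do not.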

North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets

blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html Cisco Talos recently discovered a campaign operated by the North Korean Kimsuky APT group delivering malware to high-value South Korean targets, namely geopolitical and aerospace research agencies. This campaign has been active since at least June 2021, deploying a constantly evolving set of implants derived from the Gold Dragon/Brave Prince family.

Hackers Targeted Apple Devices in Hong Kong for Widespread Attack

www.wired.com/story/ios-macos-hacks-hong-kong-watering-hole/ Visitors to pro-democracy and media sites in the region were infected with malware that could download files, steal data, and more. See also

blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/

Police warn of a Google scam targeting cryptocurrencies

www.iltalehti.fi/tietoturva/a/4c86dc1b-15a7-48ca-b3a9-6afc9b96460c The National Bureau of Investigation's Cybercrime Prevention Centre warns of fake websites that imitate virtual currency exchange services and virtual wallets.

King of fraud sentenced to 10 years in prison for role in Methbot/3ve botnet

therecord.media/king-of-fraud-sentenced-to-10-years-in-prison-for-role-in-methbot-3ve-botnet/ A US judge sentenced a Russian national to 10 years in prison for running Methbot, a giant ad fraud botnet that stole more than $7 million from ad publishers and ad networks between 2014 and 2018.

Researchers Uncover Hacker-for-Hire Group That’s Active Since 2015

thehackernews.com/2021/11/researchers-uncover-hacker-for-hire.html A new cyber-mercenary hacker-for-hire group dubbed “Void Balaur” has been linked to a string of cyberespionage and data-theft activities targeting thousands of entities, including human rights activists, politicians, and government officials around the world, since at least 2015. The group operates for financial gain and has stayed out of public view.

USA signs internet freedom and no-hack pact it’s ignored since 2018

www.theregister.com/2021/11/11/usa_supports_paris_call/ The US joins 79 nations supporting the Paris Call for Trust and Security in Cyberspace; China and Russia aren’t on the list.

FBI: Iranian threat actor trying to acquire leaked data on US organizations

therecord.media/fbi-iranian-threat-actor-trying-to-acquire-leaked-data-on-us-organizations/ The US Federal Bureau of Investigation says that a threat actor known to be associated with Iran is currently seeking to acquire data from organizations across the globe, including US targets.

Tiny Font Size Fools Email Filters in BEC Phishing

threatpost.com/tiny-font-size-email-filters-bec-phishing/176198/ The One Font BEC campaign targets Microsoft 365 users and uses sophisticated obfuscation tactics to slip past security protections to harvest credentials.
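The trick the headline refers to is text set at a font size too small to see, which the reader never notices but a content filter still parses as part of the message. An added example (not code from the Threatpost or vendor write-up) of the corresponding check: split an HTML mail body into the text the recipient actually sees and the text hidden by a tiny font size, so that a classifier can be run on the visible part. The sample mail is constructed, the "invisible" threshold of one point (about 1.33 px) and the unit table are assumptions, and the element matcher handles leaf elements only (a hidden span with no tags nested inside it), which is enough for the padding pattern where filler sits in its own span.

```javascript
// Added example: separate visible from tiny-font-hidden text in an HTML mail.
// Not code from the One Font campaign analysis; thresholds are assumed.

// Approximate conversion to CSS px, so that 1pt and 0.05em are judged alike.
const PX_PER_UNIT = { px: 1, pt: 4 / 3, em: 16, rem: 16, "%": 0.16 };

// Assumed cut-off: one point or smaller renders as nothing a reader can see.
const INVISIBLE_MAX_PX = 4 / 3;

// Numeric font-size from an inline style attribute, in px, or null if unset.
// A unitless value is treated as px (what lenient renderers do with it).
function inlineFontSizePx(styleAttr) {
  const m = /font-size\s*:\s*([0-9]*\.?[0-9]+)\s*(px|pt|em|rem|%)?/i.exec(styleAttr);
  if (!m) return null;
  const unit = (m[2] || "px").toLowerCase();
  return parseFloat(m[1]) * PX_PER_UNIT[unit];
}

// Returns { visible, hidden }: hidden is the concatenated text of every leaf
// element whose inline font-size is at or below the cut-off; visible is the
// remaining text with all tags stripped and whitespace collapsed.
function splitVisibleHidden(html) {
  const hidden = [];
  const leaf = /<(span|font|div|p|b|i)\b([^>]*)>([^<]*)<\/\1\s*>/gi;
  const kept = html.replace(leaf, (_whole, _tag, attrs, text) => {
    const style = /style\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const size = style ? inlineFontSizePx(style[1]) : null;
    if (size !== null && size <= INVISIBLE_MAX_PX) {
      hidden.push(text);
      return " ";
    }
    return text;
  });
  const norm = (s) => s.replace(/<[^>]+>/g, " ").replace(/\s+/g, " ").trim();
  return { visible: norm(kept), hidden: norm(hidden.join(" ")) };
}

// True when the mail carries any tiny-font text. The filter's language
// analysis should then run on `visible`, not on the raw body the filler
// was written to pollute.
function hasTinyFontPadding(html) {
  return splitVisibleHidden(html).hidden.length > 0;
}

// Constructed sample in the style of a credential-harvesting lure: filler
// words at 1px and 0px are interleaved with the real sentence.
const SAMPLE_MAIL = [
  '<p>Your password <span style="font-size:1px">lorem ipsum dolor</span>',
  'expires <span style="font-size: 0px;">quarterly newsletter</span>today.',
  '<a href="https://login.example.invalid/reset">Reset it now</a></p>',
].join("\n");

console.log(splitVisibleHidden(SAMPLE_MAIL));
```

Comparing the two halves is also a usable signal on its own: a mail whose hidden text is longer than its visible text, or whose hidden text is unrelated filler, is padding the body for the filter rather than for the reader.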

Congress Mulls Ban on Big Ransom Payouts Unless Victims Get Official Say-So

threatpost.com/congress-ban-ransomware-payouts/176213/ A U.S. lawmaker has introduced a bill, the Ransomware and Financial Stability Act (H.R.5936), that would make it illegal for financial firms to pay ransoms over $100,000 without first getting the government's permission.

Telnyx is the latest VoIP provider hit with DDoS attacks

www.bleepingcomputer.com/news/security/telnyx-is-the-latest-voip-provider-hit-with-ddos-attacks/ Telnyx is the latest VoIP telephony provider targeted with distributed denial-of-service (DDoS) attacks, causing worldwide outages since yesterday.

HPE says hackers breached Aruba Central using stolen access key

www.bleepingcomputer.com/news/security/hpe-says-hackers-breached-aruba-central-using-stolen-access-key/ HPE has disclosed that data repositories for their Aruba Central network monitoring platform were compromised, allowing a threat actor to access collected data about monitored devices and their locations.

Microsoft: New security updates trigger Windows Server auth issues

www.bleepingcomputer.com/news/microsoft/microsoft-new-security-updates-trigger-windows-server-auth-issues/ Microsoft says users might experience authentication issues on Domain Controllers (DC) running Windows Server after installing the security updates released on the November Patch Tuesday.

In the spirit of open government, France dumps 9,067 repos online to show off its FOSS credentials

www.theregister.com/2021/11/11/french_government_foss/
