Daily NCSC-FI news followup 2021-11-12

‘Lyceum’ Threat Group Broadens Focus to ISPs

www.darkreading.com/attacks-breaches/-lyceum-threat-group-broadens-focus-to-isps “Lyceum,” an advanced persistent threat actor associated with numerous attacks on telecom organizations and oil and natural gas companies in the Middle East since 2017, has recently begun targeting Internet service providers (ISPs) and government organizations. The increased focus on ISPs appears to be part of the group’s effort to compromise organizations in order to gain access to a broad set of customers and subscribers, according to a new report this week from Accenture and Prevailion on Lyceum’s activities. Researchers from Prevailion’s adversarial counterintelligence team and Accenture’s cyber defense group analyzed recently publicized campaigns attributed to Lyceum by Kaspersky and ClearSky. The focus of the study was Lyceum’s operational infrastructure and the group’s victim profile.

macOS zero-day deployed via Hong Kong pro-democracy news sites

therecord.media/macos-zero-day-deployed-via-hong-kong-pro-democracy-news-sites/ A suspected state-sponsored threat actor has used Hong Kong pro-democracy news sites to deploy a macOS zero-day exploit chain that installed a backdoor on visitors’ computers. The attacks have been taking place since at least August 2021. The exploit chain combined a remote code execution bug in WebKit (CVE-2021-1789, patched on Jan 5, 2021) with a local privilege escalation in the XNU kernel component (CVE-2021-30869, later patched on Sept 23, 2021). The attackers used the exploit chain to gain root access to the macOS operating system and download and install a malware strain named MACMA or OSX.CDDS.

ChaosDB: Infosec bods could pull anyone’s plaintext Azure Cosmos DB keys at will from Microsoft admin tools

www.theregister.com/2021/11/12/chaos_db_wiz_azure_cosmos_research_pwnage/ An astonishing piece of vulnerability probing gave infosec researchers a way into Microsoft’s management controls for Azure Cosmos DB with full read and write privileges over customer databases. The so-called ChaosDB vuln gave Wiz researchers “access to the control panel of the underlying service” that hosts Azure Cosmos, Microsoft’s managed cloudy document database service, they said. Wiz was able to obtain plaintext Primary Keys “for any Cosmos DB instance running in our cluster” as well as execute arbitrary code in any other customer’s Jupyter Notebook instances. Worse than that, the researcher claimed: “Using just one certificate, we managed to authenticate to internal Service Fabric instances of multiple [Azure Cosmos] regions that were accessible from the internet.” Service Fabric, as Reg readers may know, is Microsoft’s home-grown microservice platform and one of the core services in Azure.

Windows 10 Privilege-Escalation Zero-Day Gets an Unofficial Fix

threatpost.com/windows-10-privilege-escalation-zero-day-unofficial-fix/176313/ A partially unpatched security bug in Windows that could allow local privilege escalation from a regular user to System has not yet been fully addressed by Microsoft, but an unofficial micropatch from 0patch has hit the scene. The bug (CVE-2021-34484) was originally disclosed and patched as part of Microsoft’s August Patch Tuesday updates. At the time, it was categorized as an arbitrary directory-deletion issue that was considered low-priority because an attacker would need to log into the targeted computer locally to exploit it, which, in theory, would allow the adversary to delete file folders anyway. However, the security researcher who discovered it, Abdelhamid Naceri, soon uncovered that it could also be used for privilege escalation, which is a whole other ball of wax. System-level users have access to resources, databases and servers on other parts of the network. The micropatch fixes this by extending the security check for symbolic links to the entire destination path by calling the “GetFinalPathNameByHandle” function.
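The point of the micropatch described above is that checking only one path component for a symbolic link is not enough: the whole destination must be resolved before a privileged component deletes anything. The following is an added example, not code from the article or from 0patch, showing the same idea in portable Python with a constructed directory layout: a privileged service that is only allowed to delete inside one root resolves the full path first and refuses when a symlink or a `..` sequence redirects it outside that root. The directory and function names are assumptions chosen for the illustration.

```python
import os
import shutil
import tempfile


def resolves_inside(root: str, target: str) -> bool:
    """Return True only if the fully resolved target stays under the resolved root.

    os.path.realpath follows every symlink along the whole path (the portable
    analogue of resolving the final path of a handle), so a link planted in any
    intermediate component is caught, not just one in the last component.
    """
    real_root = os.path.realpath(root)
    real_target = os.path.realpath(target)
    try:
        return os.path.commonpath([real_root, real_target]) == real_root
    except ValueError:
        # Raised when the two paths cannot share a common prefix (e.g. different
        # drives on Windows); treat that as "not inside".
        return False


def safe_delete_tree(root: str, target: str) -> bool:
    """Delete target only when it resolves inside root; return whether it did."""
    if not resolves_inside(root, target):
        return False
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Build a constructed layout in a temp dir and probe it.

    appdata/         <- the only root the privileged deleter may touch
    appdata/cache/   <- a legitimate target
    appdata/link     -> ../victim   (symlink escaping the root)
    victim/          <- data outside the root that must survive
    """
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "appdata")
        outside = os.path.join(base, "victim")
        os.makedirs(os.path.join(root, "cache"))
        os.makedirs(outside)
        # Needs symlink rights; on Linux/macOS this is unprivileged.
        os.symlink(outside, os.path.join(root, "link"))

        results = {
            "plain": resolves_inside(root, os.path.join(root, "cache")),
            "symlink_escape": resolves_inside(root, os.path.join(root, "link")),
            # A path that passes *through* the link: only a full-path check sees it.
            "nested_via_symlink": resolves_inside(root, os.path.join(root, "link", "sub")),
            "dotdot": resolves_inside(root, os.path.join(root, "cache", "..", "..", "victim")),
            # The deleter must refuse the link and leave the victim directory intact.
            "delete_refused": not safe_delete_tree(root, os.path.join(root, "link")),
            "victim_survived": os.path.isdir(outside),
        }
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only `plain` should come back `True` among the path checks; every redirected path is rejected, and the refused delete leaves the outside directory in place.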

To Joke or Not to Joke: COVID-22 Brings Disaster to MBR

www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr Even now, almost two years after the COVID-19 pandemic started, there is no sign that cybercriminals will stop taking advantage of the situation as an attack vector. This time, however, the attacker uses a COVID pandemic that has not yet happened as bait. FortiGuard Labs recently discovered a new malware posing as a mysterious COVID22 installer. While containing many of the features of “joke” malware, it is also destructive, causing infected machines to fail to boot. Because it has no features for encrypting data or demanding a ransom to undo the damage it inflicts, it is instead a new destructive malware variant designed to render affected systems inoperable. This blog explains how this malware works.

QBot returns for a new wave of infections using Squirrelwaffle

www.bleepingcomputer.com/news/security/qbot-returns-for-a-new-wave-of-infections-using-squirrelwaffle/ The activity of the QBot (also known as Quakbot) banking trojan is spiking again, and analysts from multiple security research firms attribute this to the rise of Squirrelwaffle. Squirrelwaffle emerged last month as one of the most likely candidates to fill the void left by the take-down of Emotet, and unfortunately, these predictions are quickly being confirmed.

Abcbot – A New Evolving Wormable Botnet Malware Targeting Linux

thehackernews.com/2021/11/abcbot-new-evolving-wormable-botnet.html Researchers from Qihoo 360’s Netlab security team have released details of a new evolving botnet called “Abcbot” that has been observed in the wild with worm-like propagation features to infect Linux systems and launch distributed denial-of-service (DDoS) attacks against targets. While the earliest version of the botnet dates back to July 2021, new variants observed as recently as October 30 have been equipped with additional updates to strike Linux web servers that have weak passwords or are susceptible to N-day vulnerabilities, including a custom implementation of DDoS functionality, indicating that the malware is under continuous development. Netlab’s findings also build on a report from Trend Micro early last month, which publicized attacks targeting Huawei Cloud with cryptocurrency-mining and cryptojacking malware. The intrusions were also notable for the fact that the malicious shell scripts specifically disabled a process designed to monitor and scan the servers for security issues, as well as reset users’ passwords to the Elastic cloud service. Now, according to the Chinese internet security company, these shell scripts are being used to spread Abcbot. A total of six versions of the botnet have been observed to date.

Costco discloses data breach after finding credit card skimmer

www.bleepingcomputer.com/news/security/costco-discloses-data-breach-after-finding-credit-card-skimmer/ Costco Wholesale Corporation has warned customers in notification letters sent this month that their payment card information might have been stolen while recently shopping at one of its stores. Costco discovered the breach after finding a payment card skimming device in one of its warehouses during a routine check conducted by Costco personnel. The company removed the device, notified the authorities, and is now working with law enforcement agents who are investigating the incident. Costco added that individuals impacted by this incident might have had their payment information stolen if those who planted the card theft device were able to gain access to the info before the skimmer was found and removed.

Number of Malicious Shopping Websites Jumps 178% ahead of November e-Shopping Holidays, Breaking Records

blog.checkpoint.com/2021/11/12/number-of-malicious-shopping-websites-jumps-178-ahead-of-november-e-shopping-holidays-breaking-records/ Check Point Research (CPR) spots over 5300 different malicious websites per week, marking the highest since the beginning of 2021. Numbers show a 178% increase compared to 2021 so far. 1 in 38 corporate networks is being impacted on average per week in November, compared to 1 in 47 in October and 1 in 352 earlier in 2021.

Beware of a message coming from a friend: someone is trying to hijack your account

www.iltalehti.fi/tietoturva/a/c54d3bf9-3ac5-4634-b014-ccfb1246ba3f A wave of scams exploiting hijacked social media accounts is now circulating on Instagram and Facebook Messenger. Through these accounts, a Finnish-language message is shared whose purpose is to phish the user’s phone number and verification code and to use them for financial gain. “We have received about 30 reports of strange messages arriving via Messenger and Instagram. In reality, the number of these cases is probably much higher,” says information security specialist Ville Kontinen from the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom. The scammer cunningly exploits the Instagram and Facebook account recovery feature, which, used for its proper purpose, lets a hijacked account be returned to its rightful owner with a code sent by text message. If the code is shared, the account can end up in the scammer’s hands, after which the scammer starts making changes to the account details and uses it for the scam message. The scammer is not content with just the hijacked account, however, but wants to make money from the scam. For this reason, the person who has handed over their number and verification code is sent a new message claiming that credit card details are needed to claim a prize from a competition.

Aleksi’s investment of over 13,000 euros vanished overnight: this is the scam that young men fall for

www.iltalehti.fi/tietoturva/a/30555c54-fe89-442a-84ac-9ee1d175e1f4 Aleksi came across a new cryptocurrency that could be traded on the SpookySwap platform and went there via a Google search, or at least thought he did. Aleksi opened the site and began connecting his virtual wallet to the server. The site unexpectedly asked for the recovery key, which was surprising. However, Aleksi had previously done the same thing when connecting another wallet, so this did not worry him. The criminals had set up an identical fake site whose address had the letter W replaced with VV. Such a difference can be hard to notice. The fake site had been pushed to the top spot in Google search through advertising.
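The W-to-VV substitution in the story above is a classic lookalike domain, and it can be caught mechanically by normalising confusable character sequences on both the observed domain and a watchlist of genuine domains before comparing them. The following is an added example, not code from the article, and it generalises beyond the VV case to a few other common confusables; the watchlist entries and the sample domains are constructed placeholders under `.example`, not the real SpookySwap address, and the function names are the author’s assumptions for this illustration.

```python
from typing import Optional

# Character sequences that look alike in many fonts, mapped to a canonical form.
# Both the observed domain and the watchlist are normalised with the same table,
# so a legitimate domain that happens to contain "rn" still matches itself.
CONFUSABLES = [
    ("vv", "w"),
    ("rn", "m"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
]


def normalize_label(domain: str) -> str:
    """Lower-case the domain and collapse every confusable sequence to its canonical form."""
    s = domain.strip().lower().rstrip(".")
    for lookalike, canonical in CONFUSABLES:
        s = s.replace(lookalike, canonical)
    return s


def lookalike_of(domain: str, watchlist: list[str]) -> Optional[str]:
    """Return the genuine domain this one impersonates, or None.

    An exact watchlist hit is the real thing and is never flagged; a domain that
    only matches after normalisation is a lookalike of the returned genuine name.
    """
    observed = domain.strip().lower().rstrip(".")
    genuine = {g.strip().lower().rstrip(".") for g in watchlist}
    if observed in genuine:
        return None
    observed_norm = normalize_label(observed)
    for g in genuine:
        if normalize_label(g) == observed_norm:
            return g
    return None


def triage(domains: list[str], watchlist: list[str]) -> dict:
    """Map each observed domain to the genuine domain it impersonates (None if clean)."""
    return {d: lookalike_of(d, watchlist) for d in domains}


# Constructed watchlist and sample sightings (not real domains).
WATCHLIST = ["spookyswap.example", "mybank.example"]
SIGHTINGS = [
    "spookyswap.example",    # the genuine site: not flagged
    "spookysvvap.example",   # W -> VV, the trick from the article
    "rnybank.example",       # m -> rn
    "myb4nk.example",        # not in the confusable table: not flagged by this check
    "unrelated.example",
]

if __name__ == "__main__":
    for seen, genuine in triage(SIGHTINGS, WATCHLIST).items():
        print(f"{seen:24s} -> {'lookalike of ' + genuine if genuine else 'ok'}")
```

Run against a feed of newly registered or advertised domains, the `triage` output is the list a defender would push to a blocklist or a brand-monitoring ticket; the table is deliberately small, and anything the table does not cover (such as `4` for `a`) passes, which is the usual trade-off against false positives.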

Elisa filters calls coming into Finland: calls from Finnish companies go unanswered

www.is.fi/digitoday/art-2000008392571.html Telecom operator Elisa’s filtering of calls coming from abroad is causing harm to some Finnish companies. Calls from companies whose telephone connections are implemented as internet calls routed from abroad appear to Elisa subscribers as coming from an unknown number. This leads many to leave the calls unanswered. Elisa told IS Digitoday that it blocks scam calls from abroad by locating the callers. When a call arrives from abroad to an Elisa subscription and the caller appears to have an Elisa mobile number, a check is made. Elisa then checks whether the caller’s subscription is really in Finland or abroad. If the genuine number used by the caller is on the network in Finland even though the call comes from abroad, Elisa does not pass the number on to the recipient. The call itself does go through, but it appears to come from an unknown number.

Millions of Routers, IoT Devices at Risk from New Open-Source Malware

threatpost.com/routers-iot-open-source-malware/176270/ Discovered by researchers at AT&T Alien Labs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a blog post published Thursday. The malware, which is written in Golang, a language Google first published in 2007, works by creating a backdoor to the device. It then waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine, he wrote. BotenaGo commences its work with some exploratory moves to see if a device is vulnerable to attack, Caspi wrote. It starts by initializing global infection counters that will be printed to the screen, informing the attacker about total successful infections. The malware then looks for the ‘dlrs’ folder in which to load shell script files. If this folder is missing, BotenaGo stops the infection process. In its last step before fully engaging, BotenaGo calls the function ‘scannerInitExploits’, “which initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,” Caspi wrote.
