Daily NCSC-FI news followup 2021-11-13

Security company faces backlash for waiting 12 months to disclose Palo Alto 0-day

www.zdnet.com/article/security-company-faces-backlash-for-waiting-12-months-to-disclose-palo-alto-0-day/ Randori has faced a barrage of criticism for its decision to wait one year to publish a notice about a vulnerability it found in 2020. See also www.randori.com/blog/cve-2021-3064/

A multi-stage PowerShell based attack targets Kazakhstan

blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/ On November 10 we identified a multi-stage PowerShell attack using a document lure impersonating the Kazakh Ministry of Health Care, leading us to believe it targets Kazakhstan.

US detains crypto-exchange exec for helping Ryuk ransomware gang launder profits

therecord.media/us-detains-crypto-exchange-exec-for-helping-ryuk-ransomware-gang-launder-profits/ A Russian national and the co-founder of two cryptocurrency exchanges was arrested at the request of US law enforcement on accusations of helping the Ryuk ransomware gang launder funds obtained from extorting US companies.

Golang Malware Is More than a Fad: Financial Motivation Drives Adoption

www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/ CrowdStrike researchers uncovered an 80% increase in Golang (Go)-written malware samples from June to August 2021, according to CrowdStrike threat telemetry. In terms of malware type, first place goes to coin miners, accounting for 70% of the malware spectrum in August 2021.

TeamTNT Upgrades Arsenal, Refines Focus on Kubernetes and GPU Environments

www.trendmicro.com/en_us/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html Using a new batch of campaign samples, we take a look at its more recent cybercrime contributions and compare them with its previous deployments to demonstrate the group's use of upgraded tools and payloads.

Hackers undetected on Queensland water supplier server for 9 months

www.bleepingcomputer.com/news/security/hackers-undetected-on-queensland-water-supplier-server-for-9-months/ Hackers stayed hidden for nine months on a server holding customer information for a Queensland water supplier, illustrating the need for better cyberdefenses for critical infrastructure.

Comic book distributor struggling with shipments after ransomware attack

www.zdnet.com/article/comic-book-distributor-struggling-with-shipments-after-ransomware-attack/ On Sunday, Diamond Comic Distributors said a ransomware attack was affecting its order processing systems and its internal communications platforms.

Living off the Land (LotL) Classifier Open-Source Project

Hus: Information system under attack, service outages for a week

www.is.fi/digitoday/art-2000008403507.html According to Hus, patient safety has not been compromised, but there have been outages in the coronavirus vaccination and testing system.

Fake end-to-end encrypted chat app distributes Android spyware

www.bleepingcomputer.com/news/security/fake-end-to-end-encrypted-chat-app-distributes-android-spyware/ The GravityRAT remote access trojan is being distributed in the wild again, this time under the guise of an end-to-end encrypted chat application called SoSafe Chat.

Surveillance firm pays $1 million fine after ‘spy van’ scandal

www.bleepingcomputer.com/news/security/surveillance-firm-pays-1-million-fine-after-spy-van-scandal/ The Office of the Commissioner for Personal Data Protection in Cyprus has collected a $1 million fine from intelligence company WiSpear for gathering mobile data from various individuals arriving at the airport in Larnaca.

QAKBOT Loader Returns With New Techniques and Tools

www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html Toward the end of September 2021, we noted that QAKBOT operators resumed email spam operations after an almost three-month hiatus. Specifically, we saw that the malware distributor TR was sending malicious spam leading victims to SquirrelWaffle (another malware loader) and QAKBOT.
