Daily NCSC-FI news followup 2021-11-15

FBI Statement on Incident Involving Fake Emails

www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-incident-involving-fake-emails The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. No actor was able to access or compromise any data or PII on the FBI's network.

Emotet botnet returns after law enforcement mass-uninstall operation

therecord.media/emotet-botnet-returns-after-law-enforcement-mass-uninstall-operation/ The Emotet malware botnet is back up and running once again almost ten months after an international law enforcement operation took down its command and control servers earlier this year in January.

New Microsoft emergency updates fix Windows Server auth issues

www.bleepingcomputer.com/news/microsoft/new-microsoft-emergency-updates-fix-windows-server-auth-issues/ Microsoft has released out-of-band updates to address authentication failures related to Kerberos delegation scenarios impacting Domain Controllers (DC) running supported versions of Windows Server.

Uncovering MosesStaff techniques: Ideology over Money

research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/ In September 2021, the hacker group MosesStaff began targeting Israeli organizations, joining a wave of attacks which was started about a year ago by the Pay2Key and BlackShadow attack groups. Those actors operated mainly for political reasons in an attempt to create noise in the media and damage the country's image, demanding money and conducting lengthy and public negotiations with the victims.

AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits

cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits AT&T Alien Labs has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices.

7 million Robinhood user email addresses for sale on hacker forum

www.bleepingcomputer.com/news/security/7-million-robinhood-user-email-addresses-for-sale-on-hacker-forum/ The data for approximately 7 million Robinhood customers stolen in a recent data breach are being sold on a popular hacking forum and marketplace.

A new Android banking trojan named SharkBot is making its presence felt

therecord.media/a-new-android-banking-trojan-named-sharkbot-is-makings-its-presence-felt/ Security researchers have discovered a new Android banking trojan capable of hijacking users' smartphones and emptying out e-banking and cryptocurrency accounts.

China's cyber watchdog unveils new draft data management regulations

therecord.media/chinaa-cyber-watchdog-unveils-new-draft-data-management-regulations/ The Cyberspace Administration of China, the nation's cybersecurity watchdog, issued a set of draft regulations on Sunday aimed at protecting the nation's internet data security.

North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro

thehackernews.com/2021/11/north-korean-hackers-target.html Lazarus, the North Korea-affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software.

Researchers Demonstrate New Fingerprinting Attack on Tor Encrypted Traffic

thehackernews.com/2021/11/researchers-demonstrate-new.html A new analysis of website fingerprinting (WF) attacks aimed at the Tor web browser has revealed that it’s possible for an adversary to glean a website frequented by a victim, but only in scenarios where the threat actor is interested in a specific subset of the websites visited by users.

How Attackers Exploit the Remote Desktop Protocol

securityintelligence.com/articles/exploiting-remote-desktop-protocol/

Exchange Exploit Leads to Domain Wide Ransomware

thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ We observed an intrusion where an adversary exploited multiple Exchange vulnerabilities (ProxyShell) to drop multiple web shells. Over the course of three days, three different web shells were dropped in publicly accessible directories. These web shells, exposed to the internet, were used to execute arbitrary code on the Microsoft Exchange Server utilizing PowerShell and cmd.

We wait, because we know you. Inside the ransomware negotiation economics.

research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside-the-ransomware-negotiation-economics/

Alibaba ECS instances actively hijacked by cryptomining malware

www.bleepingcomputer.com/news/security/alibaba-ecs-instances-actively-hijacked-by-cryptomining-malware/ Threat actors are hijacking Alibaba Elastic Computing Service (ECS) instances to install cryptominer malware and harness the available server resources for their own profit.

ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks

www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks We are investigating a series of cyberattacks that result in encryption with the Conti ransomware. This post describes some of the indicators that can be used to detect these attacks.
