Daily NCSC-FI news followup 2021-11-18

FBI: An APT abused a zero-day in FatPipe VPNs for six months

therecord.media/fbi-an-apt-abused-a-zero-day-in-fatpipe-vpns-for-six-months/ The US Federal Bureau of Investigation said it discovered an advanced persistent threat (APT) abusing a zero-day vulnerability in FatPipe networking devices as a way to breach companies and gain access to their internal networks.

Philips IntelliBridge EC 40 and EC 80 Hub

Tech CEO pleads to wire fraud in IP address scheme

krebsonsecurity.com/2021/11/tech-ceo-pleads-to-wire-fraud-in-ip-address-scheme/ The CEO of a South Carolina technology firm has pleaded guilty to 20 counts of wire fraud in connection with an elaborate network of phony companies set up to obtain more than 735,000 Internet Protocol (IP) addresses from the nonprofit organization that leases the digital real estate to entities in North America.

Philips Patient Information Center iX (PIC iX) and Efficia CM Series

The pitfall of threat intelligence whitelisting: Specter botnet is taking over top legit DNS domains by using the ClouDNS service

blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/ In order to reduce the possible impact of false positives, it is common practice in the security industry to whitelist the top Alexa domains such as www.google.com, www.apple.com, www.qq.com and www.alipay.com, and we have seen various machine learning detection models let traffic through unexamined when they see these popular Internet business domains. In theory, any zone that is not already registered or restricted on ClouDNS can be registered there, and the Specter C2 domain api.github.com mentioned earlier was produced in exactly this way: the name looks like GitHub's, but the answers come from the attacker's ClouDNS zone.
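The whitelist bypass described above can be caught on the defender's side by checking who answered the query, not just which name was asked for. As an added example (not code from the netlab.360 post), the following Python flags a whitelisted hostname whose answer came from a nameserver outside the domain's delegated NS set. The log lines, whitelist, NS hostnames and IP addresses are all constructed for illustration, and the ClouDNS server name is assumed.

```python
"""Detection check for the rogue-zone pattern: a whitelisted hostname
(api.github.com) resolved by a nameserver the real domain never delegated to.
Example code added to this digest, not taken from the netlab.360 post; every
log line and NS set below is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed whitelist of "top" domains an analyst might trust blindly.
WHITELIST = {"www.google.com", "www.apple.com", "api.github.com"}

# Constructed stand-in for the delegation data an analyst would pull from the
# parent zone (e.g. `dig +norecurse NS github.com @a.gtld-servers.net`).
# Only apex NS names matter; the hostnames here are assumed, not verified.
DELEGATED_NS = {
    "github.com": {"dns1.p08.nsone.net", "dns2.p08.nsone.net"},
    "google.com": {"ns1.google.com", "ns2.google.com"},
    "apple.com": {"a.ns.apple.com", "b.ns.apple.com"},
}

# Constructed passive-DNS style log: "<ts> <qname> <answering_ns> <rdata>".
# Line 2 models the Specter case: api.github.com answered by a ClouDNS server
# (assumed hostname). All IPs are from documentation ranges.
SAMPLE_LOG = """\
2021-11-18T08:01:02Z www.google.com ns1.google.com 192.0.2.10
2021-11-18T08:01:05Z api.github.com pns31.cloudns.net 203.0.113.45
2021-11-18T08:01:09Z www.apple.com a.ns.apple.com 192.0.2.20
2021-11-18T08:01:11Z cdn.example.org ns1.example.org 198.51.100.7
"""


@dataclass
class DnsObservation:
    qname: str
    answering_ns: str   # server that returned the answer, as seen on the wire
    rdata: str


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def registered_domain(qname: str) -> str:
    """Last two labels only; a real deployment would use the Public Suffix List."""
    labels = _norm(qname).split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> List[DnsObservation]:
    obs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, qname, ns, rdata = parts
        obs.append(DnsObservation(_norm(qname), _norm(ns), rdata))
    return obs


def is_rogue_answer(obs: DnsObservation) -> Optional[bool]:
    """True if the answering NS is outside the delegated set, False if inside,
    None when we hold no delegation data for that domain (cannot judge)."""
    allowed = DELEGATED_NS.get(registered_domain(obs.qname))
    if allowed is None:
        return None
    return _norm(obs.answering_ns) not in allowed


def find_rogue_resolutions(observations: List[DnsObservation]) -> List[DnsObservation]:
    """Whitelisted names that resolved via a non-delegated nameserver. This is
    the case a name-only whitelist would otherwise pass unexamined."""
    return [o for o in observations
            if o.qname in WHITELIST and is_rogue_answer(o) is True]


if __name__ == "__main__":
    for hit in find_rogue_resolutions(parse_log(SAMPLE_LOG)):
        print(f"ROGUE {hit.qname} answered by {hit.answering_ns} -> {hit.rdata}")
```

The point of keying on the answering nameserver is that the name itself is useless as a signal: an allowlist entry for api.github.com matches the legitimate and the rogue zone alike, while the delegation recorded at the parent zone is something the attacker's ClouDNS account cannot change.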

North Korean cyberspies target govt officials with custom malware

www.bleepingcomputer.com/news/security/north-korean-cyberspies-target-govt-officials-with-custom-malware/ A state-sponsored North Korean threat actor tracked as TA406 was recently observed deploying custom info-stealing malware in espionage campaigns. The actor is attributed as one of several groups collectively known as Kimsuky (aka Thallium). TA406 has left traces of low-volume activity since 2018, primarily focusing on espionage, money-grabbing scams, and extortion. However, in March and June 2021, TA406 launched two distinct malware distribution campaigns that targeted foreign policy experts, journalists, and members of NGOs (non-governmental organizations). Report:

www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals

RedCurl hacking group returns with new attacks

therecord.media/redcurl-hacking-group-returns-with-new-attacks/ Even after its operations were publicly exposed in August 2020, the RedCurl hacking group has continued to carry out new intrusions and has breached at least four companies this year, according to a new report from security firm Group-IB.

CISA Adds Four Known Exploited Vulnerabilities to Catalog

us-cert.cisa.gov/ncas/current-activity/2021/11/17/cisa-adds-four-known-exploited-vulnerabilities-catalog CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, which require remediation from federal civilian executive branch (FCEB) agencies by December 1, 2021. CISA has evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

Conti gang has made at least $25.5 million since July 2021

therecord.media/conti-gang-has-made-at-least-25-5-million-since-july-2021/ The operators of the Conti ransomware have earned at least $25.5 million from attacks and subsequent ransoms carried out since July 2021, Swiss security firm Prodaft said in a report today.

Spear-Phishing Campaign Exploits Glitch Platform to Steal Credentials

threatpost.com/spear-phishing-exploits-glitch-steal-credentials/176449/ Threat actors are targeting Middle-East-based employees of major corporations in a scam that abuses the "ephemeral" (temporary) hosting feature of the Glitch platform to link to SharePoint phishing pages.

Dark web crooks are now teaching courses on how to build botnets

www.zdnet.com/article/college-for-cyber-criminals-dark-web-crooks-are-teaching-courses-on-how-to-build-botnets/ Security researchers are warning that the botnet threat could increase as more would-be crooks learn how to build their own.

Scammers are tagging Finns on Instagram; the cost can be 72 per month

www.is.fi/digitoday/tietoturva/art-2000008413847.html Finns are currently being scammed on Instagram by fake accounts that tag users in their posts and direct them to fraudulent websites.

Canadian teen nabbed in $36.5M crypto heist: possibly the biggest haul yet by a single individual

www.theregister.com/2021/11/18/canadian_cryptocurrency_heist/ A Canadian teenager has been arrested for allegedly stealing $37 million worth of cryptocurrency ($46M Canadian) via a SIM swap scam, making it the largest virtual cash heist affecting a single person yet, according to police.

Iranian targeting of IT sector on the rise

www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/ Iranian threat actors are increasing attacks against IT services companies as a way to access their customers’ networks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain. Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks.
