Daily NCSC-FI news followup 2021-11-19

Patch now! FatPipe VPN zero-day actively exploited

blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-fatpipe-vpn-zero-day-actively-exploited/ Older versions of the device software used by FatPipe’s MPVPN, WARP, and IPVPN products are all vulnerable to a serious zero-day exploit that has been actively exploited in the wild for at least six months. FatPipe advises that versions 10.1.2r60p93 and 10.2.2r44p1 of its software, or later, are the ones you need. If you are unable to update immediately, FatPipe recommends you cut off access to your admin console from the Internet at large: “disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.”

Malicious Python packages caught stealing Discord tokens, installing shells

therecord.media/malicious-python-packages-caught-stealing-discord-tokens-installing-shells/ The operators of the Python Package Index (PyPI) have this week removed 11 Python libraries from their portal for various malicious behaviors, including the collection and theft of user data, passwords, and Discord access tokens, and the installation of remote access shells on infected systems. According to the security team at DevOps platform JFrog, which discovered this set of malicious libraries, the 11 packages had been downloaded and installed more than 30,000 times before they were spotted and reported. Infected / malicious packages: importantpackage, important-package, pptest, ipboards, owlmoon, DiscordSafety, trrfab, 10Cent10, 10Cent11, yandex-yt, and yiffparty.

Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains

www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html In September, Squirrelwaffle emerged as a new loader that is spread through spam campaigns. It is known for sending its malicious emails as replies to preexisting email chains, a tactic that lowers a victim’s guard against malicious activities. To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits. The Trend Micro Incident Response team looked into several intrusions related to Squirrelwaffle that happened in the Middle East. This led to a deeper investigation into the initial access of these attacks. We wanted to see if the attacks involved the said exploits.

Experts Expose Secrets of Conti Ransomware Group That Made 25 Million from Victims

thehackernews.com/2021/11/experts-expose-secrets-of-conti.html The clearnet and dark web payment portals operated by the Conti ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang’s inner workings and its members were made public. According to MalwareHunterTeam, “while both the clearweb and Tor domains of the leak site of the Conti ransomware gang is online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) is down.” Three members of the Conti team have been identified so far, each playing the roles of admin (“Tokyo”), assistant (“[email protected][.]jp”), and recruiter (“IT_Work”) to attract new affiliates into their network.

Zero Trust: An Answer to the Ransomware Menace?

www.darkreading.com/vulnerabilities-threats/zero-trust-an-answer-to-the-ransomware-menace- Zero trust is the latest buzzword thrown around by security vendors, consultants, and policymakers as the panacea to all cybersecurity problems. Some 42% of global organizations say they have plans in place to adopt zero trust. The Biden administration also outlined the need for federal networks and systems to adopt a zero-trust architecture. At a time when ransomware continues to make headlines and break new records, could zero trust be the answer to ransomware woes? Before we answer this question, let’s first understand zero trust and its core components.

How to protect yourself from online scams: Finns have already lost tens of millions of euros this year

www.tivi.fi/uutiset/tv/86a47977-d868-465f-a515-1d3dd0434da4 According to police statistics, Finns have lost more than 35 million euros to online scams this year. Now financial-sector actors, the National Cyber Security Centre Finland of the Finnish Transport and Communications Agency, the Consumers’ Union, the police, the Digital and Population Data Services Agency, Kela and Microsoft are joining forces so that fewer people fall for scams. The police report that investment scams have taken 13 million euros, IT support, CEO and romance scams more than 13 million, and bank scams more than nine million euros.

NSA and CISA Release Guidance on Securing 5G Cloud Infrastructures

us-cert.cisa.gov/ncas/current-activity/2021/11/19/nsa-and-cisa-release-guidance-securing-5g-cloud-infrastructures CISA has announced the joint National Security Agency (NSA) and CISA publication of the second of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part II: Securely Isolate Network Resources examines threats to 5G container-centric or hybrid container/virtual network deployments, also known as Pods. The guidance covers several aspects of pod security, including limiting permissions on deployed containers, avoiding resource contention and denial-of-service attacks, and implementing real-time threat detection.

When must a data breach also be reported to the patient? The Data Protection Ombudsman issued guidance

www.tivi.fi/uutiset/tv/64a2bb65-4bf3-4480-b8e5-ff4980d1adec The Deputy Data Protection Ombudsman has sent a guidance letter to social welfare and healthcare operators, intended to harmonise the practices for reporting personal data breaches. The Office of the Data Protection Ombudsman has observed that the sector needs more detailed guidance on reporting data breaches. Among other things, the letter gives examples of the notification obligation in various situations. The letter:


The House passes Biden’s $1.7 trillion budget plan, with millions in cybersecurity spending

therecord.media/the-house-passes-bidens-1-7-trillion-budget-plan-with-millions-in-cybersecurity-spending/ The House on Friday voted along mostly party lines to approve President Joe Biden’s $1.7 trillion social and climate change bill, which devotes millions to cybersecurity programs throughout the federal government. The House voted 220 to 213 to pass Biden’s Build Back Better bill. One Democrat joined all Republicans in opposing the measure. The legislation now goes to the Senate, where its future is murky.

Clop gang exploiting SolarWinds Serv-U flaw in ransomware attacks

www.bleepingcomputer.com/news/security/clop-gang-exploiting-solarwinds-serv-u-flaw-in-ransomware-attacks/ The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt their devices. The Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution vulnerability, tracked as CVE-2021-35211, allows a remote threat actor to execute commands on a vulnerable server with elevated privileges. SolarWinds released an emergency security update in July 2021 after discovering “a single threat actor” exploiting it in attacks. The company also warned that this vulnerability only affects customers who have enabled the SSH feature, which is commonly used to further protect connections to the FTP server.

Tor Project sees decline in server numbers, will offer rewards for new bridge operators

therecord.media/tor-project-sees-decline-in-server-numbers-will-offer-rewards-for-new-bridge-operators/ The Tor Project said this week that it has seen a drop in the number of Tor relays and bridge servers and is now offering various rewards to users who help bring the number back up. Rewards include the likes of hoodies, t-shirts, and stickers and are meant to provide some sort of meaningful gift to those who help keep the Tor anonymity network alive and resilient to censorship. More specifically, the rewards will be provided to those who run Tor “bridges,” which serve as entry points into the Tor network for users located in countries that block access to Tor servers. “We currently have approximately 1,200 bridges, 900 of which support the obfs4 obfuscation protocol,” said Gustavo Gus, Community Team Lead for the Tor Project.

Ransomware is now a giant black hole that is sucking in all other forms of cybercrime

www.zdnet.com/article/ransomware-is-now-a-giant-black-hole-that-is-sucking-in-all-other-forms-of-cybercrime/ Ransomware is so lucrative for the gangs involved that other parts of the cybercrime ecosystem are being repurposed into a system for delivering potential victims. “The gravitational force of ransomware’s black hole is pulling in other cyberthreats to form one massive, interconnected ransomware delivery system — with significant implications for IT security,” said security company Sophos in a report. Ransomware is considered by many experts to be the most pressing security risk facing businesses, and it is extremely lucrative for the gangs involved, with ransom payouts increasing significantly.

These are the ransoms online extortionists demand from Finnish companies: “GDPR has only made the situation worse”


Microsoft warning: Now Iran’s hackers are attacking IT companies, too

www.zdnet.com/article/microsoft-warning-now-irans-hackers-are-attacking-it-companies-too/ Microsoft has raised an alarm about a massive surge in Iranian state-sponsored hacking attempts against IT services firms. According to Microsoft, attacks from state-sponsored Iranian hackers on IT services firms were virtually non-existent in 2020, but this year exceeded 1,500 potential attacks. “Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks,” it said.

Iranians Charged in Cyberattacks Against U.S. 2020 Election

threatpost.com/iranians-charged-cyberattacks-2020-election/176488/ The U.S. Department of Justice has unsealed charges against two Iranian nationals for cyberattacks against the U.S. 2020 presidential campaign, and there’s a $10 million reward offered for information on their activities. The two men, Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, allegedly stole voter information and engaged in intimidation and disinformation aimed at undermining confidence in the election, according to a newly unsealed indictment. The Department of Justice identified the two as contractors for Iran-based cybersecurity company Emennet Pasargad, formerly Eleyanet Gostar, reportedly a known vendor for the Iranian government.

A jab at the NFT craze: a project modelled on The Pirate Bay contains 15 terabytes of images

www.tivi.fi/uutiset/tv/16324a12-6c42-4b68-9d58-fe623b4f6a5e Non-fungible tokens, or NFTs, have been all the rage this year. These digital collectibles have sold for as much as tens of millions, and signs of a bubble have been visible. As a small counterstrike to this craze, The NFT Bay has been created, which is also a tribute to the well-known piracy site The Pirate Bay. The NFT Bay’s description mimics the look of The Pirate Bay and asks the following: “Did you know that an NFT is just a hyperlink to an image that is usually stored on Google Drive or another web 2.0 platform?”

Your Smartphone May Soon Be Able To Detect Hidden Spy Cameras

www.forbes.com/sites/leemathews/2021/11/19/your-smartphone-may-soon-be-able-to-detect-hidden-spy-cameras/ This new ability is thanks to the addition of a time-of-flight (ToF) sensor to many new models. The sensor helps a smartphone analyze depth information about a scene that’s being photographed. It does that by beaming out a laser. The laser bounces off objects and then returns to the sensor, and the phone can then analyze the data that’s been gathered and use it to optimize camera settings. A team of researchers discovered that the laser from the ToF sensor can do more than produce better-looking pictures. It turns out that the intense beam causes abnormal reflections when it hits something like the lens of a camera.

Emotet botnet comeback orchestrated by Conti ransomware gang

www.bleepingcomputer.com/news/security/emotet-botnet-comeback-orchestrated-by-conti-ransomware-gang/ The Emotet botnet is back by popular demand, resurrected by its former operator, who was convinced by members of the Conti ransomware gang. Security researchers at intelligence company Advanced Intelligence (AdvIntel) believe that restarting the project was driven by the void Emotet itself left behind on the high-quality initial access market after law enforcement took it down ten months ago. The revival of the botnet follows a long period of malware loader shortage and the decline of decentralized ransomware operations that allowed organized crime syndicates to rise again.

Fake TSA PreCheck sites scam US travelers with fake renewals

www.bleepingcomputer.com/news/security/fake-tsa-precheck-sites-scam-us-travelers-with-fake-renewals/ There has been a surge in reports of people getting scammed after visiting TSA PreCheck, Global Entry, and NEXUS application service sites, being charged $140 only to get nothing in return. Reports about these scams first appeared in March 2021, and by July, threat actors were abusing Google Ads to promote the fake sites on Google Search and increase their traffic. A report by Abnormal Security confirms that the scams are still ongoing, and as we’re heading to the Christmas travel season, the chances of more people falling victim to them multiply.
