Daily NCSC-FI news followup 2021-11-20

Updated: APT Exploitation of ManageEngine ADSelfService Plus Vulnerability

us-cert.cisa.gov/ncas/current-activity/2021/11/19/updated-apt-exploitation-manageengine-adselfservice-plus The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have updated the Joint Cybersecurity Advisory (CSA) published on September 16, 2021, which details the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. The update provides details on a suite of tools APT actors are using to enable this campaign: Dropper: a dropper trojan that drops Godzilla webshell on a system, Godzilla: a Chinese language web shell, NGLite: a backdoor trojan written in Go, and KdcSponge: a tool that targets undocumented APIs in Microsoft’s implementation of Kerberos for credential exfiltration.

RedCurl Corporate Espionage Hackers Return With Updated Hacking Tools

thehackernews.com/2021/11/redcurl-corporate-espionage-hackers.html A corporate cyber-espionage hacker group has resurfaced after a seven-month hiatus with new intrusions targeting four companies this year, including one of the largest wholesale stores in Russia, while simultaneously making tactical improvements to its toolset in an attempt to thwart analysis. “In every attack, the threat actor demonstrates extensive red teaming skills and the ability to bypass traditional antivirus detection using their own custom malware,” Group-IB’s Ivan Pisarev said. Active since at least November 2018, the Russian-speaking RedCurl hacking group has been linked to 30 attacks to date with the goal of corporate cyber espionage and document theft aimed at 14 organizations spanning construction, finance, consulting, retail, insurance, and legal sectors and located in the U.K., Germany, Canada, Norway, Russia, and Ukraine.

North Korean Hackers Found Behind a Range of Credential Theft Campaigns

thehackernews.com/2021/11/north-korean-hackers-found-behind-range.html A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering. Enterprise security firm Proofpoint attributed the infiltrations to a group it tracks as TA406, and by the wider threat intelligence community under the monikers Kimsuky (Kaspersky), Velvet Chollima (CrowdStrike), Thallium (Microsoft), Black Banshee (PwC), ITG16 (IBM), and the Konni Group (Cisco Talos). Policy experts, journalists and nongovernmental organizations (NGOs) were targeted as part of weekly campaigns observed from January through June 2021. Proofpoint researchers Darien Huss and Selena Larson disclosed the actor’s tactics, techniques, and procedures (TTPs), with the attacks spread across North America, Russia, China, and South Korea.

Conti ransomware gang suffers security breach

therecord.media/conti-ransomware-gang-suffers-security-breach/ The Conti ransomware group has suffered an embarrassing data breach after a security firm was able to identify the real IP address of one of its most sensitive servers and then gain console access to the affected system for more than a month. The exposed server, called a payment portal or recovery site, is where the Conti gang tells victims to visit in order to negotiate ransom payments. “Our team detected a vulnerability in the recovery servers that Conti uses, and leveraged that vulnerability to discover the real IP addresses of the hidden service hosting the group’s recovery website,” Swiss security firm Prodaft said in a 37-page report published on Thursday, identifying the server as hosted on, an IP address owned by Ukrainian web hosting company ITL LLC.

Businesses’ proxyware headache

www.kaspersky.com/blog/proxyware/42947/ Employees can install proxyware without their employer’s knowledge, introducing additional business cyberrisks. Researchers at Cisco Talos coined the term proxyware and have reported on the phenomenon in depth. Essentially, a proxyware service acts as a proxy server. Your best way to combat criminal exploitation through proxyware is to install a reliable antivirus solution on every computer that has Internet access. Not only will that protect your company from the harmful effects of proxyware, but if said proxyware includes, or is included with, other malware, you’ll still be covered.

Some Tesla owners unable to unlock cars due to server errors

www.bleepingcomputer.com/news/technology/some-tesla-owners-unable-to-unlock-cars-due-to-server-errors/ Some Tesla owners worldwide are unable to unlock or communicate with their cars using the app due to an outage of the company’s servers. Starting around 4 PM EST, Tesla owners have taken to social media reporting that the Tesla app is returning a “500 server error” when attempting to communicate with the car. This outage prevents owners from using the app to get into the car and it reports an incorrect location of the car. Owners have reported the issue to Elon Musk on Twitter, who has stated that he is looking into the matter.
