Daily NCSC-FI news followup 2021-11-22

Ecommerce platforms (cough, Magento) need patching before Black Friday, warns UK’s National Cyber Security Centre

www.theregister.com/2021/11/22/ncsc_magento_updates_black_friday_reminder/ If you run a small online business powered by the Magento ecommerce platform, Britain’s National Cyber Security Centre (NCSC) is begging you to make sure it’s fully patched ahead of Black Friday. “Retailers are urged to ensure that Magento and any other software they use is up to date, ” said the GCHQ offshoot in a statement today, adding it had notified 4, 151 online stores that their Magento installations were vulnerable to compromise by criminals. “The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform, ” said the cybersecurity agency.

Turbine maker Vestas Wind Systems admits to cyber incident, refuses to confirm if ransomware is at play

www.theregister.com/2021/11/22/vestas_wind_systems/ Vestas Wind Systems, one of the world’s largest makers of wind turbines, today confirmed company data has been compromised in a “cyber security incident” that forced the firm to isolate parts of its IT infrastructure. Vestas, which employs 29, 000 people globally, says it has installed more than 145GW of wind turbines in 85 countries, and that its sustainable energy solutions have prevented 1.5 billion tonnes of CO2 from being released into the atmosphere. In the latest update, Vestas said that according to preliminary findings, the incident “impacted all parts of Vestas’ internal IT infrastructure and that data has been compromised.”. The attack bears the hallmarks of ransomware, but a spokesperson at the Vestas refused to be drawn on the specific nature of the attack at this stage.

New Golang-based Linux Malware Targeting eCommerce Websites

thehackernews.com/2021/11/new-golang-based-linux-malware.html Weaknesses in e-commerce portals are being exploited to deploy a Linux backdoor as well as a credit card skimmer that’s capable of stealing payment information from compromised websites. “The attacker started with automated e-commerce attack probes, testing for dozens of weaknesses in common online store platforms, ” researchers from Sansec Threat Research said in an analysis. “After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins.” The name of the affected vendor was not revealed. The initial foothold was then leveraged to upload a malicious web shell and alter the server code to siphon customer data. Additionally, the attacker delivered a Golang-based malware called “linux_avp” that serves as a backdoor to execute commands remotely sent from a command-and-control server hosted in Beijing.

Hackers breach corporate email servers to send spam to employees

therecord.media/hackers-breach-corporate-email-servers-to-send-spam-on-employees/ A threat actor has hacked Microsoft Exchange email servers across the world in order to gain access to their internal messaging capabilities and send malicious emails to company customers and employees in the hopes of infecting them with malware. In a report on Friday, security firm Trend Micro said the attackers specifically targeted Exchange servers that haven’t been patched for old vulnerabilities like ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523). Once the attackers gained access to the server, Trend Micro said they used a Powershell feature to read and interact with the server email storage system, and they hijacked existing conversations by inserting and sending new replies to all participants.

GoDaddy data breach impacts 1.2 million WordPress site owners

therecord.media/godaddy-data-breach-impacts-1-2-million-wordpress-site-owners/ Internet infrastructure company GoDaddy said on Monday that a hacker gained access to the personal information of more than 1.2 million customers of its WordPress hosting service. In documents filed with the US Securities and Exchange Commission earlier today, GoDaddy said it discovered the breach last week, on November 17, after noticing “suspicious activity” on its Managed WordPress hosting environment. The subsequent investigation found that a hacker had access to its servers for more than two months, since at least September 6. GoDaddy said it already reset sFTP and database passwords exposed in the hack. It also reset the admin account password for customers who were still using the default one that GoDaddy issued when their sites were created. GoDaddy statement:

www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm

Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends

us-cert.cisa.gov/ncas/current-activity/2021/11/22/reminder-critical-infrastructure-stay-vigilant-against-threats Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for waysbig and smallto disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure. There are actions that executives, leaders, and workers in any organization can take proactively to protect themselves against cyberattacks, including possible ransomware attacks, during the upcoming holiday seasona time during which offices are often closed, and employees are home with their friends and families. Although neither CISA nor the FBI currently have identified any specific threats, recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends. CISA and the FBI strongly urge all entitiesespecially critical infrastructure partnersto examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats.

How to defend your website against card skimmers

blog.malwarebytes.com/web-threats/2021/11/how-to-defend-your-website-against-card-skimmers/ Black Friday and the holiday season are approaching, and shoppers are forecast to spend record amounts again this year. Retail websites big and small can expect a lot of interest from shoppers looking for deals, and a lot of interest from cybercriminals looking to cash in on those shoppers, by stealing their credit card details with stealthy card skimmers. Card skimmers, or web skimmers, are pieces of malicious software that criminals piggyback on to legitimate websites, so they can steal shoppers’ credit card details. The skimmers read the details as users type them into the sites’ payment forms, or replace the payment forms with convincing fakes. Attackers have even been seen adding entire checkout pages to sites that don’t take payments. Skimmers can steal card details in real time, as they are typed, even before the victim clicks “submit” on the payment form. Skimmers allow criminal hackers to silently rob every customer that makes a purchase on an infected website, until they are discovered and removed. Malwarebytes products detect card skimmers, and our Threat Intelligence team tracks and investigates them. We know that card skimming activity tends to increase inline with busy shopping days, and shop owners need to be extra-vigilant heading in to the holiday season.

Jarno Limnéll varoittaa “kyberpandemiasta” internetin häiriö voi panna maailman taas sekaisin

www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206 MAKSUMUURI. Kyberhäirinnässä ja urheilun dopingissa on paljon yhteistä. Jäljitys ja testausmenetelmät kehittyvät, mutta niin kehittyy huijauskin. Ja huijarit tuntuvat olevan aina askelen verran edellä. Joskus he paljastuvat vasta vuosia myöhemmin. “Maailma on matkalla siihen suuntaan, että teknologia kehittyy yhä nopeammin ja lisääntyessään pikemminkin lisää erilaisten häiriötilojen mahdollisuutta ja luo uudenlaisia haavoittuvuuksia. Ei ole olemassa aukotonta turvallisuutta”, Limnéll sanoo. Teknologiankaan avulla maailmaa ei siis saada valmiiksi. Lisäksi kriisit tuppaavat aina tulemaan yllätyksenä: New York 11. syyskuuta, Bosnian sota, Hitlerin valtaantulo, Sarajevon laukaukset. “Historian valossa meidät yllätetään aina. Ja jos teknologian kannalta asiaa miettii, niin teknologia vain lisää kriisien monimutkaisuutta ja yllätyksellisyyttä.”

Biometric auth bypassed using fingerprint photo, printer, and glue

www.bleepingcomputer.com/news/security/biometric-auth-bypassed-using-fingerprint-photo-printer-and-glue/ Researchers demonstrated that fingerprints could be cloned for biometric authentication for as little as $5 without using any sophisticated or uncommon tools. Although fingerprint-based biometric authentication is generally considered superior to PINs and passwords in terms of security, the fact that imprints can be left in numerous public places makes it ripe for abuse. It has been previously proven that there are ways to collect and use people’s fingerprints to fool even the most sophisticated sensors. However, these typically involve using niche tools such as DSLR cameras and high-fidelity 3D printers. If only there was a cheap way to retrieve these imprints and convert them to usable fingerprints, it would severely and negatively impact the security of this particular authentication method.

You might be interested in …

Daily NCSC-FI news followup 2019-11-17

Indian officials acknowledged on October 30th that a cyberattack occurred at the countrys Kudankulam nuclear power plant. thebulletin.org/2019/11/lessons-from-the-cyberattack-on-indias-largest-nuclear-power-plant/ While reactor operations at Kudankulam were reportedly unaffected, this incident should serve as yet another wake-up call that the nuclear power industry needs to take cybersecurity more seriously.. The problem of cybersecurity is not new to the […]

Read More

Daily NCSC-FI news followup 2021-07-04

Kaseya zero-day involved in ransomware attack, patches coming therecord.media/kaseya-zero-day-involved-in-ransomware-attack-patches-coming/ Remote management software vendor Kaseya said it identified and is currently mitigating a vulnerability that was abused in a recent incident that saw ransomware deployed on the networks of thousands of companies worldwide. Lisäksi: www.reuters.com/technology/cyber-attack-against-us-it-provider-forces-swedish-chain-close-800-stores-2021-07-03/ Kaseya was fixing zero-day just as REvil ransomware sprung their attack […]

Read More

Daily NCSC-FI news followup 2021-08-22

Applen tietoja vuotanut työntekijä tuli katumapäälle Paljasti yhteisönsä jäseniä, jäi ilman minkäänlaista korvausta www.kauppalehti.fi/uutiset/applen-tietoja-vuotanut-tyontekija-tuli-katumapaalle-paljasti-yhteisonsa-jasenia-jai-ilman-minkaanlaista-korvausta/8cea66c6-e206-47b6-acb3-879f856c7445 Tiedot uusista, vielä julkaisemattomista Apple-tuotteista ovat kuumaa kamaa internetissä, koska laitteet ovat niin suosittuja ympäri maailman. Siksi niistä myös maksetaan, ja moni pyrkii saamaan haltuunsa salaisia tietoja. Tietovuotajien toiminta kiinnostaa luonnollisesti myös Applea. Motherboard on julkaissut artikkelin Apple-vuotajana pitkään toimineesta Andrej […]

Read More