Daily NCSC-FI news followup 2021-11-24

Information security trailblazer award goes to LähiTapiola: special thanks for channelling young people's hacking skills for the good of society

www.epressi.com/tiedotteet/tietoturva/tietoturvan-suunnannayttaja-tunnustus-lahitapiolalle-erityiskiitos-nuorten-hakkeritaitojen-kanavoinnista-yhteiskunnan-hyvaksi.html The "Information security trailblazer" (Tietoturvan suunnannäyttäjä) award was granted to LähiTapiola for its meritorious public engagement in the information security field. The award was received by Eeva Salmenpohja, LähiTapiola's Director of Responsibility and Public Affairs, at the Tietoturva 2021 virtual seminar. The award for exemplary work promoting information security, presented by the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom, was handed out for the sixth time. The Tietoturva 2021 virtual seminar was held on 24 November 2021. Almost 2,000 participants had registered for the event.

APT C-23 Hackers Using New Android Spyware Variant to Target Middle East Users

thehackernews.com/2021/11/apt-c-23-hackers-using-new-android.html A threat actor known for striking targets in the Middle East has evolved its Android spyware yet again with enhanced capabilities that allow it to be stealthier and more persistent while passing off as seemingly innocuous app updates to stay under the radar. The new variants have “incorporated new features into their malicious apps that make them more resilient to actions by users, who might try to remove them manually, and to security and web hosting companies that attempt to block access to, or shut down, their command-and-control server domains,” Sophos threat researcher Pankaj Kohli said in a report published Tuesday. The mobile spyware has been a preferred tool of choice for the APT-C-23 threat group since at least 2017, with successive iterations featuring extended surveillance functionality to vacuum files, images, contacts and call logs, read notifications from messaging apps, record calls (including WhatsApp), and dismiss notifications from built-in Android security apps.

Malware now trying to exploit new Windows Installer zero-day

www.bleepingcomputer.com/news/security/malware-now-trying-to-exploit-new-windows-installer-zero-day/ Malware creators have already started testing a proof-of-concept exploit targeting a new Microsoft Windows Installer zero-day publicly disclosed by security researcher Abdelhamid Naceri over the weekend. “Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability,” said Jaeson Schultz, Technical Leader for Cisco’s Talos Security Intelligence & Research Group. However, as Cisco Talos’ Head of Outreach Nick Biasini told BleepingComputer, these exploitation attempts are part of low volume attacks likely focused on testing and tweaking exploits for full-blown campaigns. “During our investigation, we looked at recent malware samples and were able to identify several that were already attempting to leverage the exploit,” Biasini told BleepingComputer. “Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns. This is just more evidence on how quickly adversaries work to weaponize a publicly available exploit.”

More than 9 million smartphones infected with Cynos malware

therecord.media/more-than-9-million-smartphones-infected-with-cynos-malware/ Chinese smartphone vendor Huawei has temporarily removed 190 Android games from its official AppGallery app store after it received a report from Russian security firm Dr.Web that the apps contained an overly aggressive monetization library that was collecting extensive details from users’ devices. Huawei said it is now working with the app developers to investigate if the data collection has been taking place behind their backs and find replacement monetization libraries. More than 9.3 million users have installed one of these 190 Android games, according to download stats listed on the AppGallery store.

Hackers exploit Microsoft MSHTML bug to steal Google, Instagram creds

www.bleepingcomputer.com/news/security/hackers-exploit-microsoft-mshtml-bug-to-steal-google-instagram-creds/ A newly discovered Iranian threat actor is stealing Google and Instagram credentials belonging to Farsi-speaking targets worldwide using a new PowerShell-based stealer dubbed PowerShortShell by security researchers at SafeBreach Labs. The info stealer is also used for Telegram surveillance and collecting system information from compromised devices that get sent to attacker-controlled servers together with the stolen credentials. As SafeBreach Labs discovered, the attacks (publicly reported in September on Twitter by the Shadow Chaser Group) started in July as spear-phishing emails. They target Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) bug tracked as CVE-2021-40444.

New JavaScript malware works as a “RAT dispenser”

therecord.media/new-javascript-malware-works-as-a-rat-dispenser/ Cybersecurity experts from HP said they discovered a new strain of JavaScript malware that criminals are using as a way to infect systems and then deploy dangerous remote access trojans (RATs). Cleverly named RATDispenser, the malware has been distributed in the wild for at least three months in the form of email messages carrying malicious file attachments. These files abuse the classic double-extension trick (filename.txt.js) to pose as text files but run JavaScript code when users try to open them. Once this happens, HP says the RATDispenser malware decodes itself and runs a self-contained VBScript file that then installs a commodity remote access trojan on the infected device. Over the past three months, HP said the malware had been used to drop at least eight different RAT strains, such as STTRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty.
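A mail-gateway check for the double-extension trick described above, added here as an example that is not part of the original article or of HP's research; the extension lists and the `classify_attachment` / `scan_attachments` names are assumptions:

```python
from pathlib import PurePosixPath

# Extensions the Windows Script Host or shell will execute on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Benign-looking document or image extensions used as the decoy inner part.
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def classify_attachment(filename: str) -> str:
    """Return 'block', 'review' or 'allow' for one attachment file name.

    Only the last extension decides what Windows runs, so 'invoice.txt.js'
    is a script, not a text file, whatever the mail client shows the user.
    """
    suffixes = PurePosixPath(filename.strip().lower()).suffixes  # e.g. ['.txt', '.js']
    if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
        return "allow"
    # Script hiding behind a decoy document extension: the RATDispenser pattern.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "block"
    return "review"  # bare script attachment: rarely legitimate in e-mail


def scan_attachments(names) -> dict:
    """Group a batch of attachment names by verdict."""
    verdicts = {"block": [], "review": [], "allow": []}
    for name in names:
        verdicts[classify_attachment(name)].append(name)
    return verdicts


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real campaign.
    sample = ["Invoice_2021.txt.js", "scan.pdf.jse", "update.vbs", "notes.txt", "README"]
    for verdict, names in scan_attachments(sample).items():
        print(f"{verdict}: {names}")
```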

Hospital Ransomware Attacks Go Beyond Health Care Data

securityintelligence.com/hospital-ransomware-health-care-data/ The health care industry has been on the front lines a lot lately. Along with helping control the effects of COVID-19, it has been a prime target for ransomware. In a 2021 survey conducted of 597 health delivery organizations (HDOs), 42% had faced two ransomware attacks in the past couple of years. Over a third (36%) attributed those ransomware incidents to a third party, such as what happened earlier this year with Kaseya. The effects go beyond stolen health care data, although that is important, too. What does it mean when a health care organization faces an attack? And what can they do to protect themselves?

Aggressive scam spreading on Instagram: Dyson warns Finns

www.iltalehti.fi/tietoturva/a/244e720c-1c29-4caa-a815-afcccb773797 Iltalehti reported last week how scammers have been harassing Finns on Instagram. The scammers tag users in a post claiming that they have won a Dyson hair dryer. Ville Kontinen, information security specialist at the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom, told Iltalehti that this is a familiar phenomenon in which bot accounts are used to spread the scam. The scammers try to get the victim to move to another fake account and from there to a fake website. The aim is to lure the victim into a subscription trap. It is a prize-draw-themed scam in which the person is told they have won something. This is used to get the person to open links quickly. Once enough of them have been opened, the victim eventually runs into a request to approve a small order with a credit card. So it is a subscription trap, which usually leads to a monthly subscription costing 50 to 100 euros, Kontinen said.

Ukraine arrests ‘Phoenix’ hackers behind Apple phishing attacks

www.bleepingcomputer.com/news/security/ukraine-arrests-phoenix-hackers-behind-apple-phishing-attacks/ The Security Service of Ukraine (SSU) has arrested five members of the international ‘Phoenix’ hacking group who specialize in the remote hacking of mobile devices. The SSU’s announcement states that all five suspects live in Kyiv or Kharkiv and are graduates of higher technical education institutes. The goal of ‘Phoenix’ was to gain remote access to the accounts of mobile device users and then monetize them by hijacking their e-payment or bank accounts or selling their private information to third parties. To steal the accounts of mobile device users, the actors used phishing sites that were clones of Apple’s and Samsung’s login portals. This activity went on for at least two years, during which Phoenix hacked several hundred people’s accounts. The hackers also offered remote mobile phone hacking services to others, charging between $100 and $200.

How the pandemic pulled Nigerian university students into cybercrime

therecord.media/how-the-pandemic-pulled-nigerian-university-students-into-cybercrime/ ILORIN, Nigeria. Around November 2020, Kayode said he was invited to a house party, the kind attended mostly by others involved in the country’s illicit digital economy. The college sophomore studying towards a hard sciences degree had reservations about attending a party during a global pandemic, but he didn’t have much else to do than spend time with other so-called “yahoo boys,” an archaic nickname that recalls when Nigerian cyber fraudsters were synonymous with Yahoo Mail and “Nigerian Prince” spam.

Eavesdropping bug impacts roughly a third of the world’s smartphones

therecord.media/eavesdropping-bug-impacts-roughly-a-third-of-the-worlds-smartphones/ MediaTek, a Taiwanese company that manufactures a wide array of chips for smartphones and other smart devices, released security updates last month to address severe vulnerabilities that could allow malicious Android apps to record audio and spy on phone owners. Three issues were patched in October (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663), and a fourth (CVE-2021-0673) will be fixed next month, in December, according to security firm Check Point, whose researchers found the issues earlier this year. “MediaTek chips contain a special AI processing unit (APU) and audio Digital signal processor (DSP) to improve media performance and reduce CPU usage,” a Check Point spokesperson said in an email this week. “Both the APU and the audio DSP have custom microprocessor architectures, making MediaTek DSP a unique and challenging target for security research. Check Point grew curious around the degree to which MediaTek DSP could be used as an attack vector for threat actors,” the company added. “For the first time, CPR was able to reverse engineer the MediaTek audio processor, revealing several security flaws,” it added.

Password usage analysis of brute force attacks on honeypot servers

blog.malwarebytes.com/reports/2021/11/password-usage-analysis-of-brute-force-attacks-on-honeypot-servers/ As Microsoft’s Head of Deception, Ross Bevington is responsible for setting up and maintaining honeypots that look like legitimate systems and servers. Honeypot systems are designed to pose as an attractive target for attackers. Sometimes they are left vulnerable to create a controllable and safe environment to study ongoing attacks. This provides researchers with data on how attackers operate and enables them to study different threats. Now, Bevington has released information gathered from Microsoft honeypots on over 25 million brute force attacks against SSH. Some highlights of these results: 77% of the passwords were between 1 and 7 characters long, only 6% of the passwords were longer than 10 characters, 39% of the passwords contained at least one number, and none of the attempted passwords contained a space.
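The kind of profiling behind the highlights above, added here as an example that is neither Microsoft's code nor its data: it parses a constructed honeypot log in an assumed "timestamp user password" format and computes the same length, digit and space statistics over the attempted passwords.

```python
from collections import Counter

# Constructed sample of SSH brute-force attempts in an assumed honeypot log
# format "timestamp user password"; not Microsoft's honeypot data.
SAMPLE_LOG = """\
2021-11-24T10:00:01Z root 123456
2021-11-24T10:00:02Z admin admin
2021-11-24T10:00:03Z root password
2021-11-24T10:00:04Z pi raspberry
2021-11-24T10:00:05Z root 123456
2021-11-24T10:00:06Z ubnt ubnt
2021-11-24T10:00:07Z root Passw0rd2021!
2021-11-24T10:00:08Z admin admin123
2021-11-24T10:00:09Z root toor
2021-11-24T10:00:10Z root 12345678
"""


def parse_attempts(log: str) -> list:
    """Return (user, password) pairs; split at most twice so that a
    password containing spaces would survive intact."""
    attempts = []
    for line in log.splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3:
            attempts.append((parts[1], parts[2]))
    return attempts


def profile_passwords(passwords) -> dict:
    """Compute the report's statistics (as percentages) plus the top guesses."""
    pw = list(passwords)
    n = len(pw)
    if n == 0:
        return {"total": 0}

    def pct(k):
        return round(100.0 * k / n, 1)

    return {
        "total": n,
        "pct_len_1_to_7": pct(sum(1 <= len(p) <= 7 for p in pw)),
        "pct_len_over_10": pct(sum(len(p) > 10 for p in pw)),
        "pct_with_digit": pct(sum(any(c.isdigit() for c in p) for p in pw)),
        "pct_with_space": pct(sum(" " in p for p in pw)),
        "top_passwords": Counter(pw).most_common(3),
    }


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    print("top users:", Counter(u for u, _ in attempts).most_common(3))
    print(profile_passwords(p for _, p in attempts))
```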
