Daily NCSC-FI news followup 2021-12-02

Major blow against cybercrime: 1,803 arrested, 67.5 million euros saved

www.is.fi/digitoday/tietoturva/art-2000008447466.html The European police agency Europol reports on a major international operation against cybercrime. The seventh Emma operation in the series (European Money Mule Action) covered 27 countries, including Finland, and focused on the laundering of criminally obtained money with the help of so-called money mules. See also:

www.europol.europa.eu/newsroom/news/european-money-mule-action-leads-to-1-803-arrests

Emotet now spreads via fake Adobe Windows App Installer packages

www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/ The threat actors behind Emotet are now infecting systems by installing malicious packages using a built-in feature of Windows 10 and Windows 11 called App Installer. Researchers previously saw this same method being used to distribute the BazarLoader malware where it installed malicious packages hosted on Microsoft Azure.

Critical Bug in Mozilla’s NSS Crypto Library Potentially Affects Several Other Software

thehackernews.com/2021/12/critical-bug-in-mozillas-nss-crypto.html Mozilla has rolled out fixes to address a critical security weakness in its cross-platform Network Security Services (NSS) cryptographic library that could be potentially exploited by an adversary to crash a vulnerable application and even execute arbitrary code.

Disclosing state-linked information operations we’ve removed

blog.twitter.com/en_us/topics/company/2021/disclosing-state-linked-information-operations-we-ve-removed Today, we’re disclosing an additional 3,465 accounts to our archive of state-linked information operations, the only one of its kind in the industry. The account sets include eight distinct operations we’ve attributed to six countries: Mexico, the People’s Republic of China (PRC), Russia, Tanzania, Uganda, and Venezuela, respectively. Every account and piece of content associated with these operations has been permanently removed from the service.

Hackers use in-house Zoho ServiceDesk exploit to drop webshells

www.bleepingcomputer.com/news/security/hackers-use-in-house-zoho-servicedesk-exploit-to-drop-webshells/ An advanced persistent threat (APT) group that had been exploiting a flaw in the Zoho ManageEngine ADSelfService Plus software has pivoted to leveraging a different vulnerability in another Zoho product. The actor has been seen exploiting an unauthenticated remote code execution issue in Zoho ServiceDesk Plus versions 11305 and older, currently tracked as CVE-2021-44077. See also:

us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-release-alert-active-exploitation-cve-2021-44077-zoho

Were you or your company hit by a data breach? Here is what to do

www.tivi.fi/uutiset/tv/883ce01d-e56f-4b00-985b-b2792e8e13af The Digital and Population Data Services Agency has published an electronic guide on the Suomi.fi web service for organisations that have become the target of a data breach or data leak. The guide gives companies, communities and other organisations information on how to act if they suspect their organisation has fallen victim to a data breach, or if confidential information held by the organisation has leaked to the public.

Jumping the air gap: 15 years of nation-state effort

www.welivesecurity.com/2021/12/01/jumping-air-gap-15-years-nation-state-effort/ Air-gapping is used to protect the most sensitive of networks. In the first half of 2020 alone, four previously unknown malicious frameworks designed to breach air-gapped networks emerged, bringing the total, by our count, to 17. ESET Research decided to revisit each framework known to date and to put them in perspective, side by side. Despite some differences and nuances found across all frameworks studied, our analysis shows how most differ on many of those aspects only from an implementation perspective, mostly due to the severe constraints imposed by air-gapped environments. Armed with this information, we will highlight some detection opportunities specific to the actual techniques observed in the wild.

Former Ubiquiti dev charged for trying to extort his employer

www.bleepingcomputer.com/news/security/former-ubiquiti-dev-charged-for-trying-to-extort-his-employer/ Nickolas Sharp, a former employee of networking device maker Ubiquiti, was arrested and charged today with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker.

Facebook’s Secret “Dangerous Organizations and Individuals” List Creates Problems for the Company and Its Users

www.eff.org/deeplinks/2021/12/facebooks-secret-dangerous-organizations-and-individuals-list-creates-problems Along with the trove of “Facebook Papers” recently leaked to press outlets was a document that Facebook has, until now, kept intentionally secret: its list of “Dangerous Organizations and Individuals.” This list comprises supposed terrorist groups, hate groups, criminal groups, and individuals associated with each, and is used to filter and remove speech on the platform. While the list included many of the usual suspects, it also contained a number of charities and hospitals, as well as several musical groups, some of whom were likely surprised to find themselves lumped together with state-designated terrorist organizations.

Meta Expands Facebook Protect Program to Activists, Journalists, Government Officials

thehackernews.com/2021/12/meta-expands-facebook-protect-program.html Meta, the company formerly known as Facebook, on Thursday announced an expansion of its Facebook Protect security program to include human rights defenders, activists, journalists, and government officials who are more likely to be targeted by bad actors across its social media platforms.

Australia passes bill allowing it to impose sanctions for cyber-attacks

therecord.media/australia-passes-bill-allowing-it-to-impose-sanctions-for-cyber-attacks/ The Australian version of the Magnitsky Act, which passed unanimously this week, can be used to sanction corrupt politicians and human rights abusers, and also includes a clause to punish foreign hackers.

Exploring Container Security: A Storage Vulnerability Deep Dive

security.googleblog.com/2021/12/exploring-container-security-storage.html Recently, the GKE Security team discovered a high severity vulnerability that allowed workloads to have access to parts of the host filesystem outside the mounted volumes boundaries. Although the vulnerability was patched back in September we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community.

New malware hides as legit nginx process on e-commerce servers

www.bleepingcomputer.com/news/security/new-malware-hides-as-legit-nginx-process-on-e-commerce-servers/ The threat received the name NginRAT, a combination of the application it targets and the remote access capabilities it provides, and is being used in server-side attacks to steal payment card data from online stores. NginRAT was found on e-commerce servers in North America and Europe that had been infected with CronRAT, a remote access trojan (RAT) that hides payloads in tasks scheduled to execute on an invalid day of the calendar.
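The CronRAT trick described above, hiding a job under a calendar date that never occurs so that cron stores the line but never runs it, gives defenders a cheap audit check: parse each crontab entry and flag day-of-month/month combinations that cannot exist. The scanner below is an added example written for this digest, not code from the article or from any of the researchers it cites; the crontab text it scans is constructed, and the `find_impossible_entries` and `entry_can_fire` names are this example's own. It honours the Vixie cron rule that a restricted day-of-week keeps an entry reachable even when its day-of-month is impossible.

```python
import calendar

# Month abbreviations cron accepts (jan..dec) mapped to 1..12.
MONTH_NAMES = {n.lower(): i for i, n in enumerate(calendar.month_abbr) if n}
# Latest day each month can have in any year (29 February exists in leap years).
MAX_DOM = {m: 29 if m == 2 else calendar.monthrange(2021, m)[1] for m in range(1, 13)}

# Constructed sample crontab (not taken from the article). Lines 4 and 5 are
# scheduled for 31 and 30 February, dates that never occur; line 6 is reachable
# because 31 January exists; line 7 is reachable through its day-of-week field.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew
*/15 * * * * /opt/shop/bin/queue-worker
30 3 31 2 * /var/tmp/.x/update.sh
0 0 30 2 * /bin/sh -c '/var/tmp/.x/loader'
0 4 31 jan,feb * /usr/local/bin/monthly-report
0 4 31 feb 1 /usr/local/bin/weekly-report
"""


def _to_int(token, names):
    token = token.strip().lower()
    if names and token in names:
        return names[token]
    return int(token)


def _expand(field, lo, hi, names=None):
    """Expand one cron field ('*', lists, ranges, steps, month names) into a set of ints."""
    values = set()
    for part in field.split(','):
        step = 1
        if '/' in part:
            part, step_txt = part.split('/', 1)
            step = int(step_txt)
        if part == '*':
            start, end = lo, hi
        elif '-' in part:
            a, b = part.split('-', 1)
            start, end = _to_int(a, names), _to_int(b, names)
        else:
            start = end = _to_int(part, names)
        values.update(range(start, end + 1, step))
    return values


def entry_can_fire(dom_field, mon_field, dow_field):
    """Return False if no day-of-month in the schedule exists in any scheduled month.

    Vixie cron runs a job when EITHER day-of-month OR day-of-week matches when both
    are restricted, so a restricted day-of-week keeps the entry reachable.
    """
    if dow_field != '*':
        return True
    days = _expand(dom_field, 1, 31)
    months = _expand(mon_field, 1, 12, MONTH_NAMES)
    return any(d <= MAX_DOM[m] for d in days for m in months)


def find_impossible_entries(crontab_text):
    """Return (line_number, line) pairs for schedule lines that can never run."""
    hits = []
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, @reboot-style shortcuts and environment assignments.
        if not line or line.startswith('#') or line.startswith('@'):
            continue
        fields = line.split()
        if len(fields) < 6 or '=' in fields[0]:
            continue
        _minute, _hour, dom, mon, dow = fields[:5]
        try:
            if not entry_can_fire(dom, mon, dow):
                hits.append((lineno, raw))
        except ValueError:
            continue  # unparsable schedule; leave it for manual review
    return hits


if __name__ == '__main__':
    for lineno, line in find_impossible_entries(SAMPLE_CRONTAB):
        print(f'line {lineno}: never fires: {line}')
```

Run it over `/etc/crontab`, `/etc/cron.d/*` and each user's `crontab -l` output; the point is that an entry on an impossible date has no legitimate scheduling purpose, so any hit deserves a look at the command it carries, not just at the date.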

SideCopy APT: Connecting lures to victims, payloads to infrastructure

blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/ Last week, Facebook announced that back in August it had taken action against a Pakistani APT group known as SideCopy. Facebook describes how the threat actors used romantic lures to compromise targets in Afghanistan. In this blog post we are providing additional details about SideCopy that have not been published before. We were able to gain unique insights into victims and targeted countries, as well as the kind of data the APT group was able to successfully exfiltrate. Among the information that was stolen is access to government portals, Facebook, Twitter and Google credentials, banking information, and password-protected documents.

FIN7 hacker trialed in Russia gets no prison time

therecord.media/fin7-hacker-trialed-in-russia-gets-no-prison-time/ A Russian court handed down a mild one-year suspended prison sentence to a member of the FIN7 hacking group, a notorious cybercrime cartel that hacked more than 100 US companies between 2015 and 2018.

CONTInuing the Bazar Ransomware Story

thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ In August, we witnessed an intrusion that started from a BazarLoader infection. A phishing campaign distributing password-protected zip files with weaponized documents to victims was the likely delivery source. Macros inside the Word document extracted and executed a malicious .HTA file, which downloaded and loaded the BazarLoader DLL in memory. It is now apparent to the information security community that intrusions starting with BazarLoader frequently end with Conti ransomware. This case saw such a conclusion. There are some evident similarities in cases that involve Conti ransomware. Ransomware operators’ tooling and overall tasks performed tend to match across the cluster. When we look at our earlier Conti case, this becomes noticeable. This could be due to the widely circulated Conti manual that was leaked by an affiliate. In this case, we saw the same pattern of events with tools like net, nltest and ShareFinder for discovery, Cobalt Strike for C2, and WMIC remote process creation for expanding their access within the network.

Encryption Does Not Equal Invisibility: Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm

research.nccgroup.com/2021/12/02/encryption-does-not-equal-invisibility-detecting-anomalous-tls-certificates-with-the-half-space-trees-algorithm/ There is often (meta)data to consider when looking at encrypted traffic which still has operational value. In this blogpost, we describe the research on the characteristics of TLS certificates that we conducted and the incremental machine learning model that we applied to detect the anomalous certificates.

Chambers of commerce and HVK join forces to strengthen companies' continuity management

www.huoltovarmuuskeskus.fi/a/kauppakamarit-ja-hvk-yhteistyohon-yritysten-jatkuvuudenhallinnan-vahvistamiseksi The pandemic has shown many companies the importance of continuity management in a new way. The Finland Chamber of Commerce (Keskuskauppakamari), the regional chambers of commerce and HVK stress the importance of preparedness and aim to jointly create means for companies to do this work by launching the Luotettava jatkuvuus ("Reliable Continuity"), or Lujat, development project.

Inside Intel’s Secret Warehouse in Costa Rica

www.wsj.com/articles/inside-intels-secret-warehouse-in-costa-rica-11638181801?mod=djemalertNEWS Legacy technology can introduce cybersecurity weaknesses. Tech makers constantly improve their products to take advantage of speed and power increases, but customers don’t always upgrade at the same pace. Intel’s answer to this conundrum was to create a warehouse and laboratory in Costa Rica, where the company already had a research-and-development lab, to store the breadth of its technology and make the devices available for remote testing.
