Daily NCSC-FI news followup 2021-12-03

Germany warns of ransomware attacks over Christmas, citing Emotet return, unpatched Exchange servers

therecord.media/germany-warns-of-ransomware-attacks-over-christmas-citing-emotet-return-unpatched-exchange-servers/ The German cybersecurity authority has told German organizations to expect ransomware and other cyber-attacks over the Christmas and end-of-year holidays, citing the return of the Emotet botnet and the large number of Microsoft Exchange email servers that have been left unpatched.

US State Dept employees’ phones hacked using NSO spyware

www.bleepingcomputer.com/news/security/us-state-dept-employees-phones-hacked-using-nso-spyware/ Apple has warned at least nine US Department of State employees that their iPhones have been hacked by unknown attackers using an iOS exploit dubbed ForcedEntry to deploy Pegasus spyware developed by Israeli surveillance firm NSO Group. The attacks hit US officials based in or focused on matters concerning the East African country of Uganda and took place in recent months, according to anonymous sources cited by Reuters today.

What the Internet Bug Bounty Teaches About Open-Source Software Security

securityintelligence.com/articles/open-source-software-security-bug-bounty/ The security platform HackerOne recently announced the latest version of their Internet Bug Bounty (IBB) program. The IBB strives to enhance open-source software security by pooling resources and encouraging security experts (they call themselves hackers) to find flaws in open-source software (OSS). Now, the program has introduced a new crowd-funding method. This enables more organizations to use the IBB to secure open-source needs in their software. Other program partners include Elastic, Facebook, Figma, GitHub, Shopify and TikTok. These companies, like nearly every digital brand, all depend on open-source software.

FBI: Cuba ransomware breached 49 US critical infrastructure orgs

www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-breached-49-us-critical-infrastructure-orgs/ “The FBI has identified, as of early November 2021, that Cuba ransomware actors have compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors,” the federal law enforcement agency said.

Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify

www.trendmicro.com/en_us/research/21/l/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-gitHub-netlify.html Earlier this year, a security flaw identified as CVE-2021-41773 was disclosed to Apache HTTP Server Project, a path traversal and remote code execution (RCE) flaw in Apache HTTP Server 2.4.49. If this vulnerability is exploited, it allows attackers to map URLs to files outside the directories configured by Alias-like directives. However, when we looked at the malicious samples abusing this vulnerability, we found more of these exploits being abused to target different gaps in products and packages for malicious mining of Monero. In this blog, we look into the abuse of GitHub and Netlify repositories and platforms for hosting cryptocurrency-mining tools and scripts.

A mysterious threat actor is running hundreds of malicious Tor relays

therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays/ Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users. Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers that were part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000.

How Criminals Are Using Synthetic Identities for Fraud

www.darkreading.com/edge-articles/how-criminals-are-using-synthetic-identities-for-fraud Synthetic identity fraud was already a problem before the COVID-19 pandemic shifted spending and work online, but it is becoming a bigger problem now as criminals take advantage of looser rules around credit and the sheer amount of personal information exposed via data breaches.

Stealthy ‘WIRTE’ Gang Targets Middle Eastern Governments

threatpost.com/wirte-middle-eastern-governments/176688/ A threat actor tracked as WIRTE has been assaulting Middle East governments since at least 2019 using “living-off-the-land” techniques and malicious Excel 4.0 macros.

How to Detect DNS Tunneling in the Network?

www.catonetworks.com/blog/how-to-detect-dns-tunneling-in-the-network/ In the past several years, we have seen multiple malware samples using DNS tunneling to exfiltrate data. APT groups also used DNS tunneling in a malware campaign to target government organizations in the Middle East. We will present a few techniques you can use to detect DNS tunneling in your network.

Tracking a P2P network related to TA505

research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/ For the past few months NCC Group has been closely tracking the operations of TA505 and the development of their various projects (e.g. Clop). During this research we encountered a number of binary files that we have attributed to the developer(s) of ‘Grace’ (i.e. FlawedGrace). These included a remote administration tool (RAT) used exclusively by TA505.

Tivi influencer of the year is Milja Köpsi: the Mimmit koodaa programme has become a force for change

www.tivi.fi/uutiset/tv/b8a06701-a608-4fdd-a8ca-12f2e24c2daa Mimmit koodaa is a huge success. Its Friday webinars draw from fifty to a couple of hundred women, and the larger online events held a couple of times a year draw more than a thousand. Workshops organised by companies have from ten participants upward, up to as many as fifty depending on the company. At its peak, as many as 800 women have been on the waiting list.
