Daily NCSC-FI news followup 2021-12-06

France warns of Nobelium cyberspies attacking French orgs

www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/ The French national cyber-security agency ANSSI said today that the Russian-backed Nobelium hacking group behind last year’s SolarWinds hack has been targeting French organizations since February 2021. While ANSSI (short for Agence Nationale de la Sécurité des Systèmes d’Information) has not determined how Nobelium compromised email accounts belonging to French orgs, it added that the hackers used them to deliver malicious emails targeting foreign institutions. The ANSSI report: www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/

Russian hacking group uses new stealthy Ceeloader malware

www.bleepingcomputer.com/news/security/russian-hacking-group-uses-new-stealthy-ceeloader-malware/ The Nobelium hacking group continues to breach government and enterprise networks worldwide by targeting their cloud and managed service providers and using a new custom “Ceeloader” malware. Nobelium is Microsoft’s name for the threat actor behind last year’s SolarWinds supply-chain attack that led to the compromise of several US federal agencies. This group is believed to be the hacking division of the Russian Foreign Intelligence Service (SVR), commonly known as APT29, The Dukes, or Cozy Bear. The Mandiant report:
NICKEL targeting government organizations across Latin America and Europe

www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/ The Microsoft Threat Intelligence Center (MSTIC) has observed NICKEL, a China-based threat actor, targeting governments, diplomatic entities, and non-governmental organizations (NGOs) across Central and South America, the Caribbean, Europe, and North America. MSTIC has been tracking NICKEL since 2016 and observed some common activity with other actors known in the security community as APT15, APT25, and KeChang. Today, the Microsoft Digital Crimes Unit (DCU) announced the successful seizure of a set of NICKEL-operated websites and disruption of their ongoing attacks targeting organizations in 29 countries, following a court order from the U.S. District Court for the Eastern District of Virginia granting Microsoft the authority to seize these sites.

Hundreds of SPAR stores shut down, switch to cash after cyberattack

www.bleepingcomputer.com/news/security/hundreds-of-spar-stores-shut-down-switch-to-cash-after-cyberattack/ Approximately 330 SPAR shops in North East England face severe operational problems following a weekend cyberattack, forcing many stores to close or switch to cash-only payments. SPAR is an international supermarket franchise that operates 13,320 stores in 48 countries, but the recent security incident only affected stores in the northern part of England.

Cyber Command Publicly Joins Fight Against Ransomware Groups

threatpost.com/cyber-command-ransomware-groups/176801/ Cybercriminals who launch attacks on critical U.S. companies are going to be targeted by the branch of the military known as Cyber Command, and everyone has been put on notice. Gen. Paul Nakasone, who heads up Cyber Command, told the New York Times this weekend that his team isn’t just going after state actors, but that they’re taking on any cybercriminals who attack American infrastructure.

Magecart Groups Abuse Google Tag Manager

geminiadvisory.io/magecart-google-tag-manager/ Gemini analysts continue to identify Magecart campaigns that target numerous e-commerce sites worldwide. Since February 4, 2021, analysts have observed 316 e-commerce sites infected with trojanized Google Tag Manager (GTM) containers. This technique capitalizes on the ability to place JavaScript within the GTM container. Gemini has observed two variants that abuse GTM containers: one that embeds the malicious e-skimmer script in the container and another that uses the container to download the actual e-skimmer script from a separate dual-use domain. The abuse of this legitimate Google service is concerning because it provides threat actors free infrastructure upon which they can host their scripts, while also granting enhanced capability to avoid detection. The Magecart actors behind these attacks have posted at least 88,000 payment card records from these attacks to the dark web markets.

Misconfigured Kafdrop Puts Companies’ Apache Kafka Completely Exposed

spectralops.io/blog/misconfigured-kafdrop-puts-companies-apache-kafka-completely-exposed/ This research refers to exposed data of organizations or individuals as a result of misconfigured infrastructure, not caused by the Kafdrop project itself. Highly committed to the open-source movement and sworn contributors ourselves, we appreciate the importance of open source. This article aims to shed light on a misconfiguration that puts companies at risk and offers an immediate mitigation.

Mirai-based Botnet – Moobot Targets Hikvision Vulnerability

www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability Last September 18th, a threat researcher released a write-up about a remote code execution vulnerability that affects various products from Hikvision, one of the largest video surveillance brands in the world. Hikvision is a CVE CNA; it quickly assigned the CVE number CVE-2021-36260 and released a patch for the vulnerability on the same day as the threat researcher’s disclosure. During our analysis, we observed numerous payloads attempting to leverage this vulnerability to probe the status of devices or extract sensitive data from victims. One payload in particular caught our attention. It tries to drop a downloader that exhibits infection behavior and that also executes Moobot, which is a DDoS botnet based on Mirai. In this blog we explain how an attacker delivers this payload through the Hikvision vulnerability, along with details of the botnet.

Yanluowang Ransomware Tied to Thieflock Threat Actor

threatpost.com/yanluowang-ransomware-thieflock-threat-actor/176640/ A threat actor previously tied to the Thieflock ransomware operation may now be using the emerging Yanluowang ransomware in a series of attacks against U.S. corporations, researchers have found. Researchers from Symantec, a division of Broadcom Software, found ties between Thieflock and Yanluowang, the latter of which they revealed in October after observing its use against a large organization.

Hakluke: Creating the Perfect Bug Bounty Automation

labs.detectify.com/2021/11/30/hakluke-creating-the-perfect-bug-bounty-automation/ I think I have a problem. I’m addicted to building bug bounty automation. I’ve built a full bug bounty automation framework from the ground up 3 times now. It has become better every time, but I’m still not happy. I’m about to start building my 4th iteration. Every time I build something I refine the process. In this article, I am going to walk you through every attempt I have made to build a bug bounty automation framework including the wins and failures. Then I’m going to tell you exactly how I plan to build my next one.

uBlock, I exfiltrate: exploiting ad blockers with CSS

portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css Ad blockers like uBlock Origin are extremely popular, and typically have access to every page a user visits. Behind the scenes, they’re powered by community-provided filter lists – CSS selectors that dictate which elements to block. These lists are not entirely trusted, so they’re constrained to prevent malicious rules from stealing user data. In this post, we’ll show you how we were able to bypass these restrictions in uBlock Origin, use a novel CSS-based exploitation technique to extract data from scripts and attributes, and even steal passwords from Microsoft Edge. All vulnerabilities discussed in this post have been reported to uBlock Origin and patched.

WebAssembly and Back Again: Fine-Grained Sandboxing in Firefox 95

hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95/ In Firefox 95, we’re shipping a novel sandboxing technology called RLBox developed in collaboration with researchers at the University of California San Diego and the University of Texas that makes it easy and efficient to isolate subcomponents to make the browser more secure. This technique, which uses WebAssembly to isolate potentially-buggy code, builds on the prototype we shipped last year to Mac and Linux users. Now, we’re bringing that technology to all supported Firefox platforms (desktop and mobile), and isolating five different modules: Graphite, Hunspell, Ogg, Expat and Woff2.

How to hide sensitive photos on an Android phone

www.is.fi/digitoday/mobiili/art-2000008451509.html The feature Google promised in September for the Photos service is now available. In the Android version of the Photos app you can set up a locked folder where you can hide sensitive photos and videos.

Are You Guilty of These 8 Network-Security Bad Practices?

threatpost.com/bad-practices-network-security/176798/ The ongoing explosion of ransomware events and breaches (many of which the public never hears about) is elevating network security to a top corporate priority. Employees are constantly reminded to change their passwords frequently, watch out for phishing attacks and comply with strict security policies. But companies are also failing to address the everyday practices and mindsets that undermine traditional safeguards and increase the risk of a breach.

Public Wi-Fi Security: Is It Safe to Use for Business?

securityintelligence.com/articles/is-public-wi-fi-safe-business/ Let’s say you need to send an urgent email to a client while you’re at the store. Or, you’re traveling and need to take a Zoom call at your hotel. Maybe you need to access sensitive client data or employee information while on public Wi-Fi. You wonder how you should connect to the internet to do your task. The easiest and simplest thing to do is just pull out your phone and get the job done. But what about Wi-Fi security concerns?

Why the C-Suite Doesn’t Need Access to All Corporate Data

www.darkreading.com/vulnerabilities-threats/why-the-c-suite-doesn-t-need-access-to-all-corporate-data More than 20 months into a global pandemic, it’s become an article of faith that the best way to keep organizations and critical networks safe is to embrace zero trust. Under that umbrella, it’s assumed that all network access requests originate from an unsafe location, and every single user should be verified according to their locations, identities, and the health of their devices. But here’s the kicker: Zero-trust policies must apply to everyone, even those at the top of the organizational chart, every CXO, director, and line-of-business leader. If C-level users do not need to access data to complete a task, they should not be granted access.
