Daily NCSC-FI news followup 2021-12-07

Windows 10 Drive-By RCE Triggered by Default URI Handler

threatpost.com/windows-10-rce-url-handler/176830/ According to a report posted Tuesday by Positive Security, the vulnerability is triggered by argument injection: attacker-controlled text from a crafted URI is passed, unvalidated, as command-line arguments to the program Windows launches for that URI scheme, so a link can make the handler do things its author never intended. The researchers have been going back and forth with Microsoft about this for months, having initially disclosed the weakness to Microsoft in March. Microsoft closed Positive Security’s initial report the very next day, based on what Positive Security called Microsoft’s “erroneous” belief that the exploit relies on social engineering. Positive Security’s report:
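The mechanism in miniature, as an added example that is not from the Threatpost article or from Positive Security's report: a handler for a hypothetical app://open?file=<value> scheme hands the value to a hypothetical viewer program. The vulnerable builder passes the value as its own argv entry, which avoids command injection but still lets a value such as --plugin=evil.dll be parsed as an option; the hardened builder rejects option-looking values and also inserts "--". The scheme, the viewer, its option syntax and the URIs are all assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGV 8

/* Extract the value of "file=" from a hypothetical app://open?file=<value>
   URI into out. Returns false if the parameter is absent or does not fit. */
bool uri_file_param(const char *uri, char *out, size_t outlen)
{
    const char *q = strchr(uri, '?');
    if (q == NULL)
        return false;
    const char *p = strstr(q + 1, "file=");
    if (p == NULL)
        return false;
    p += strlen("file=");
    size_t n = strcspn(p, "&");          /* value runs to the next '&' or the end */
    if (n >= outlen)
        return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Vulnerable handler: the attacker-chosen value becomes its own argv entry.
   No shell is involved, so this is not command injection, but the viewer
   still parses options, so "--plugin=evil.dll" is taken as an option. */
int build_argv_vulnerable(const char *param, const char *argv[MAX_ARGV])
{
    int n = 0;
    argv[n++] = "viewer";
    argv[n++] = param;
    argv[n] = NULL;
    return n;
}

/* Hardened handler: refuse values that look like options (on Windows,
   '/' switches need the same treatment) and, as a second layer, place
   "--" before the value so the viewer stops option parsing. Returns -1
   when the value is rejected. */
int build_argv_hardened(const char *param, const char *argv[MAX_ARGV])
{
    if (param[0] == '\0' || param[0] == '-')
        return -1;
    int n = 0;
    argv[n++] = "viewer";
    argv[n++] = "--";
    argv[n++] = param;
    argv[n] = NULL;
    return n;
}

/* Model of the viewer's getopt-style parser: every entry before "--" that
   starts with '-' is an option. Returns the first option seen, or NULL
   if everything would be treated as a file name. */
const char *first_option_seen(const char *argv[])
{
    for (int i = 1; argv[i] != NULL; i++) {
        if (strcmp(argv[i], "--") == 0)
            return NULL;
        if (argv[i][0] == '-')
            return argv[i];
    }
    return NULL;
}

int main(void)
{
    const char *uris[] = { "app://open?file=report.txt",
                           "app://open?file=--plugin=evil.dll" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        char value[64];
        const char *argv[MAX_ARGV];
        if (!uri_file_param(uris[i], value, sizeof value))
            continue;
        build_argv_vulnerable(value, argv);
        const char *opt = first_option_seen(argv);
        printf("%-36s vulnerable: %s\n", uris[i],
               opt ? opt : "treated as file name");
        printf("%-36s hardened:   %s\n", uris[i],
               build_argv_hardened(value, argv) < 0 ? "rejected" : "treated as file name");
    }
    return 0;
}
```

The point of the model is that "no shell, so no injection" is not enough: whatever program the handler launches has its own argument parser, and any value the page controls that reaches that parser as a separate argv entry is still attacker-controlled input. An allowlist on the value (a path with no leading dash, or better a path under a known directory) is the primary control; "--" is a second layer that only works for programs that honour it.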


An Amazon server outage is causing problems for Alexa, Ring, Disney Plus, and deliveries

www.theverge.com/2021/12/7/22822332/amazon-server-aws-down-disney-plus-ring-outage Problems with some Amazon Web Services cloud servers are causing slow loading or failures for significant chunks of the internet. Amazon’s widespread network of data centers powers many of the things you interact with online, including this website, so as we’ve seen in previous AWS outage incidents, any problem has massive rippling effects. While some affected services that rely on AWS have been restored, the internet is still a bit slower and more unsteady than usual. The most important app impacted by the outage might be the ones that Amazon employees use.

Using secure messaging, voice and collaboration apps

www.ncsc.gov.uk/blog-post/using-secure-messaging-voice-and-collaboration-apps With ‘hybrid working’ (a combination of working from home and the office) now a way of life for many, the NCSC is frequently asked if the various ‘secure voice and messaging’ apps available from Google Play or the Apple App Store are suitable. What we can do is provide some risk management advice on what organisations should think about before choosing and using such apps for use on ‘corporately provisioned and managed’ devices.

Multi-party disclosure – how does it work?

english.ncsc.nl/latest/weblog/weblog/2021/multi-party-disclosure In this blog, I explain the difference between ‘normal’ coordinated vulnerability disclosure and multi-party disclosure processes. I describe what the different roles are in such a disclosure process and which role NCSC-NL can have. I end with some complications that may come up in such a process.

Alleged ransomware affiliate arrested for healthcare attacks

www.bleepingcomputer.com/news/security/alleged-ransomware-affiliate-arrested-for-healthcare-attacks/ A 31-year old Canadian national has been charged in connection to ransomware attacks against organizations in the United States and Canada, a federal indictment unsealed today shows. Parallel investigations from the Federal Bureau of Investigation and the Ontario Provincial Police (OPP) revealed that Matthew Philbert of Ottawa was involved in various cyberattacks.

Nordic Choice Hotels hit by Conti ransomware, no ransom demand yet

www.bleepingcomputer.com/news/security/nordic-choice-hotels-hit-by-conti-ransomware-no-ransom-demand-yet/ Nordic Choice Hotels has now confirmed a cyber attack on its systems from the Conti ransomware group. The incident primarily impacts the hotel chain’s guest reservation and room key card systems. Although there is no indication of passwords or payment information being affected, information pertaining to guest bookings was potentially leaked. The Scandinavian hotel chain, with its brands Comfort, Quality, and Clarion, employs over 16,000 staff members and has 200 properties across Scandinavia, Finland, and the Baltics.

QNAP warns of new crypto-miner targeting its NAS devices

therecord.media/qnap-warns-of-new-crypto-miner-targeting-its-nas-devices/ Taiwanese hardware vendor QNAP has released a new security advisory today warning users that a new strain of crypto-mining malware is targeting its network-attached storage (NAS) devices. The company did not share any information on how the devices were being compromised but said that once the malware got a foothold on infected systems, it would create a process named [oom_reaper] that would take up around 50% of the CPU’s total usage.

New Cerber ransomware targets Confluence and GitLab servers

www.bleepingcomputer.com/news/security/new-cerber-ransomware-targets-confluence-and-gitlab-servers/ Cerber ransomware is back, as a new ransomware family adopts the old name and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities. Starting last month, a ransomware called Cerber once again reared its ugly head, as it began infecting victims worldwide with both a Windows and Linux encryptor.

Google disrupts Glupteba botnet, files lawsuit against two Russians

therecord.media/google-disrupts-glupteba-malware-botnet-files-lawsuit-against-two-russians/ Google has announced today that it has disrupted the operations of the Glupteba botnet and has filed a lawsuit against two Russian nationals it believes have created and helped run the malware for the past few years. The company said it removed around 63 million Google Docs files used by the Glupteba gang to distribute its malware to unsuspecting victims, along with 1,183 Google accounts, 908 cloud projects, and 870 Google Ads accounts used by the gang to create and host parts of their botnet.

Israeli govt pledges greater oversight of cyber-exports after NSO tools hacked US officials

www.zdnet.com/article/israeli-govt-pledges-greater-oversight-of-cyber-exports-after-nso-tools-used-to-spy-on-us-officials/ The Israeli government’s Defense Exports Control Agency sent out a notice late on Monday indicating it would be enforcing stricter rules governing the export of offensive cyber tools. The Jerusalem Post reported on Monday that the agency published a revised version of its “Final Customer Declaration”, which countries will have to sign before they can get access to powerful spyware technology like the NSO Group’s Pegasus. The declaration says countries will not use the tools to attack government critics or “political speech” and will only use it to prevent terrorism and “serious crimes.” Any country that ignores the declaration will lose access to cyber-tools, according to the document.

Popular family app sells children’s exact location to anyone: “Helps keep the service free”

www.tivi.fi/uutiset/tv/250d6775-6860-43bb-b046-a1c111409127 Life360, a safety app popular among families with children, sells the precise location data of children and other family members to any willing buyer, report The Markup and Inputmag.com. The app has more than 33 million users, and parents use it to track their children’s movements. The technology publication The Markup interviewed two people who had worked with the app and two people active in the data trade. The former employees reveal that the app is one of the largest sources of raw material for the shadowy location-data market. Almost anyone can buy the data, and little care is taken over its privacy or security.

Cybersecurity Takes the Wheel as Auto Industry’s Top Priority

www.darkreading.com/vulnerabilities-threats/cybersecurity-takes-the-wheel-as-auto-industry-s-top-priority Vehicle safety, which has long been a top concern for automotive companies, today equates to cybersecurity. That’s because now more than ever, vehicles run on software. They are fast-moving, highly connected data centers, part mainframe, and part mobile device, loaded with Internet of Things (IoT) devices. They are effectively mobile nodes operating at the edge of massive cloud infrastructure. And they will increasingly become targets for cyberattackers.

When Scammers Get Scammed, They Take It to Cybercrime Court

threatpost.com/scammers-cybercrime-court/176834/ Blocked from legitimate courts, cybercriminals have set up their own system for settling disputes, handing over ultimate decision-making to senior underground forum administrators who have awarded claims totaling as much as $20 million. A new report from Analyst1 details activities inside these underground systems and found more than 600 requests for mediation on just one Russian-language forum alone, tackling disputes ranging from missing affiliate payments to contract violations.

Flaws in Tonga’s top-level domain left Google, Amazon, Tether web services vulnerable to takeover

portswigger.net/daily-swig/flaws-in-tongas-top-level-domain-left-google-amazon-tether-web-services-vulnerable-to-takeover Attackers could have modified the nameservers of any domain under Tonga’s country code top-level domain (ccTLD) due to a vulnerability in the TLD registrar’s website, security researchers have revealed. Fortunately, malicious exploitation was averted because the Tonga Network Information Center (Tonic) was “very responsive” in fixing the bug in under 24 hours after web security firm Palisade alerted them on October 8, 2021, a Palisade blog post reveals.

Defending Against the Use of Deepfakes for Cyber Exploitation

www.darkreading.com/attacks-breaches/defending-against-the-use-of-deepfakes-for-cyber-exploitation Cybercrime has risen precipitously this year. From July 2020 to June 2021, there was an almost 11x increase in ransomware attacks, we have found. We’re also seeing an increase in attacks on high-profile targets and the rise of new methodologies. Deepfakes, which really started to gain prominence in 2017, have largely been popularized for entertainment purposes. There have also been beneficial use cases for deepfake technology in the medical field. Unfortunately, once again, the maturity of deepfake technology hasn’t gone unnoticed by the bad guys. In the cybersecurity world, deepfakes are an increasing cause for concern because they use artificial intelligence to imitate human activities and can be used to augment social engineering attacks.

The story of the year: ransomware in the headlines

securelist.com/the-story-of-the-year-ransomware-in-the-headlines/105138/ In the past twelve months, the word “ransomware” has popped up in countless headlines worldwide across both print and digital publications: The Wall Street Journal, the BBC, the New York Times. It is no longer just being discussed by CISOs and security professionals, but politicians, school administrators, and hospital directors. Words like Babuk and REvil have entered the everyday lexicon. This is a threat that seems almost inescapable, regardless of whether or not users occupy the cybersecurity or tech space and it is having a direct impact on lives. That is precisely why we have chosen ransomware as our story of the year for Kaspersky’s annual Security Bulletin. But how did we get here and what has changed about the ransomware landscape since it was first our story of the year in 2019?

What are buffer overflow attacks and how are they thwarted?

www.welivesecurity.com/2021/12/06/what-are-buffer-overflow-attacks-how-are-they-thwarted/ The Morris worm of 1988 was one of those industry-shaking experiences that revealed how quickly a worm could spread using a vulnerability known as a buffer overflow or buffer overrun. Around 6,000 of the 60,000 computers connected to ARPANET, a precursor to the Internet, were infected with the Morris worm. More than thirty years on from the Morris worm, we are still plagued by buffer overflow vulnerabilities with all their negative consequences. To understand how buffer overflows happen, we need to know a little about memory, especially the stack, and about how software developers need to manage memory carefully when writing code.
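A minimal buffer overflow, as an added example that is not from the WeLiveSecurity article: a 16-byte name field is filled by an unchecked strcpy-style loop, and the bytes that do not fit spill into the flag stored right after it; the hardened version measures first and refuses what does not fit. The struct, the function names and the attacker input are all constructed for the demonstration. The flag is placed in a struct rather than as a separate local so that the layout is defined by the language instead of the compiler; the same unchecked copy into a stack buffer that sits below a saved return address is what turns the overflow into control of execution.

```c
#include <stdio.h>
#include <string.h>

/* Record laid out as C guarantees: 16 bytes of name, then the flag.
   A copy that runs off the end of name[] lands on is_admin. The flag is
   volatile only so the compiler re-reads it after the copy. */
struct login {
    char name[16];
    volatile int is_admin;
};

/* Unchecked copy with strcpy() semantics: it stops at the source NUL,
   however far past the destination that is. This is the bug. */
static void copy_unchecked(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Vulnerable: copies a caller-supplied name into the 16-byte buffer with
   no bound. Returns the value of is_admin afterwards. */
int vulnerable_login(const char *input)
{
    struct login rec;
    memset(&rec, 0, sizeof rec);
    copy_unchecked(rec.name, input);
    return rec.is_admin;
}

/* Hardened: measure first, refuse what does not fit (the NUL needs a byte
   too), copy exactly that much and terminate. Returns -1 on rejection,
   otherwise is_admin. */
int hardened_login(const char *input)
{
    struct login rec;
    size_t n = strlen(input);
    memset(&rec, 0, sizeof rec);
    if (n >= sizeof rec.name)
        return -1;
    memcpy(rec.name, input, n);
    rec.name[n] = '\0';
    return rec.is_admin;
}

/* Constructed attacker input: 16 filler bytes fill name[] exactly and the
   17th byte (0x01) is the first byte of is_admin, so the flag becomes
   non-zero on either byte order. */
const char *overflow_input(void)
{
    static char buf[18];
    memset(buf, 'A', 16);
    buf[16] = 0x01;
    buf[17] = '\0';
    return buf;
}

int main(void)
{
    printf("vulnerable(\"alice\")    is_admin = %d\n", vulnerable_login("alice"));
    printf("vulnerable(overflow)   is_admin = %d\n", vulnerable_login(overflow_input()));
    printf("hardened(\"alice\")      is_admin = %d\n", hardened_login("alice"));
    printf("hardened(overflow)     result   = %d (rejected)\n", hardened_login(overflow_input()));
    return 0;
}
```

Two caveats for anyone adapting this: the bounded copy is the fix, not the mitigations. Stack canaries, non-executable stacks and address-space layout randomisation raise the cost of exploiting an overflow like this one but do not remove it, and none of them would have stopped the flag overwrite above, which never leaves the struct.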

Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes

www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/ In a July 2019 blog post about DoppelPaymer, CrowdStrike Intelligence reported that ProcessHacker was being hijacked to kill a list of targeted processes and gain access, delivering a “critical hit.” Although the blog is now a couple of years old, the hijacking technique is interesting enough to dig into its implementation.

USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services

www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/ SentinelLabs has discovered a number of high severity flaws in driver software affecting numerous cloud services. These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded.
