Daily NCSC-FI news followup 2021-12-08

Scam calls increasingly come from a spoofed number: this is how Elisa and Traficom are rooting out scams

www.tivi.fi/uutiset/tv/31f2dc55-c825-4b0a-bee3-c17fd2899325 The Finnish Transport and Communications Agency Traficom is preparing measures to prevent caller number spoofing, which has become common in scam calls. The measures are being developed together with the telecom operators active in Finland. The goal is to hinder and prevent the activities of international criminals.

New German government coalition promises not to buy exploits

therecord.media/new-german-government-coalition-promises-not-to-buy-exploits/ The three political parties set to form the new German government have agreed to stop buying zero-day vulnerabilities and limit the government’s future use of monitoring software (spyware). “The exploitation of weak points in IT systems is in a highly problematic relationship to IT security and civil rights,” the three parties said in the section dedicated to national and internal security.

Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia

www.recordedfuture.com/chinese-state-sponsored-cyber-espionage-expansion-power-influence-southeast-asia/ This report profiles trends in Chinese state-sponsored cyber espionage activity targeting Southeast Asian countries. The activity was identified through large-scale automated network traffic analytics and expert analysis. Data sources include the Recorded Future Platform, SecurityTrails, DomainTools, PolySwarm, Farsight, Team Cymru, and common open-source tools and techniques. The research will be of most interest to individuals engaged in strategic and operational intelligence relating to the activities of Chinese military and foreign intelligence agencies in cyberspace and network defenders with a presence in Southeast Asia.

The digital compass and the digital office: what are they about?

impulssilvm.fi/2021/12/08/digikompassi-ja-digitoimisto-mista-on-kyse/ The digital compass (digikompassi) is a tool that collects Finland’s digitalisation targets up to the year 2030. Its purpose is to build a better everyday life and the preconditions for digital activity across the different sectors of society. Implementing the digital compass requires an overall picture and the targeting of capabilities where the most significant results can be achieved. The digital office (digitoimisto) produces information that helps ministers and ministries steer the development of digitalisation, remove obstacles to a smooth digital everyday life and solve identified problems, for example in legislation, in technologies and between actors

Tor’s main site blocked in Russia as censorship widens

www.bleepingcomputer.com/news/security/tor-s-main-site-blocked-in-russia-as-censorship-widens/ The Tor Project’s main website, torproject.org, is actively blocked by Russia’s largest internet service providers, and sources from the country claim that the government is getting ready to conduct an extensive block of the project. Russia’s censorship of Tor’s site started on December 1, 2021, but many initially disregarded it, suggesting it was merely a side effect of experimentation with the Runet, Russia’s sovereign internet project. However, it now appears that Russia is conducting a coordinated action against Tor, orchestrated by Roskomnadzor, the Federal Service for Supervision of Communications, Information Technology and Mass Media.

Emotet now drops Cobalt Strike, fast forwards ransomware attacks

www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/ Today, Emotet research group Cryptolaemus warned that Emotet is now skipping its primary malware payload of TrickBot or Qbot and directly installing Cobalt Strike beacons on infected devices. This is a significant change in tactics: after Emotet installed its primary payload of TrickBot or Qbot, victims typically had some time to detect the infection before Cobalt Strike was deployed.

When old friends meet again: why Emotet chose Trickbot for rebirth

research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/ Trickbot and Emotet are considered some of the largest botnets in history. They share a similar story: both were taken down and both made a comeback. Trickbot has been involved in different ransomware campaigns, such as the infamous Ryuk and Conti attacks. Trickbot is constantly being updated with new capabilities, features and distribution vectors, which makes it a flexible and customizable malware that can be distributed as part of multi-purpose campaigns. It has been known since 2016 and continues to live and evolve five years later despite even the most serious attempts to disrupt the botnet, like the one in October 2020. Recently CPR noticed that Trickbot-infected machines started to drop Emotet samples, for the first time since the takedown of Emotet in January 2021. This research analyzes the Trickbot malware, describes its activity after the takedown, and explains why Emotet chose Trickbot for its rebirth. We will also dive into the technical details of the Emotet infection.

What to Do When a Ransomware Group Disappears

securityintelligence.com/articles/when-ransomware-attack-disappears/ It’s your company’s worst nightmare: attackers managed to sneak ransomware onto your servers. Now, you’re locked out of every file unless you agree to pay whatever price they’re asking. As if the situation couldn’t get any worse, the attackers disappear without a trace and you can’t even pay their ransom to unlock your files. What do you do now?

Not with a Bang but a Whisper: The Shift to Stealthy C2

threatpost.com/tactics-attackers-stealthy-c2/176853/ As defensive tools have evolved to detect more and more traditional attack techniques, it should come as no surprise that attackers have shifted tactics. This ever-evolving arms race between offensive security toolsets, bespoke advanced persistent threat (APT) malware and the billion-dollar infosec industry is hard to keep up with, so today we’re going to take a closer look at the new tactics threat actors are using for command-and-control (C2) obfuscation.

Burnout: The next great security threat at work

blog.1password.com/state-of-access-report-burnout-breach/ Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.

But why that VPN? How WireGuard made it into Linux

www.theregister.com/2021/12/08/wireguard_linux/ Maybe someday Zero Trust will solve many of our network security problems. But for now, if you want to make sure you don’t have an eavesdropper on your network, you need a Virtual Private Network (VPN). Why WireGuard rather than OpenVPN or IKEv2? Because it’s simpler to implement while maintaining security and delivering faster speeds. And, when it comes to VPNs, it’s all about balancing speed and security. So, if WireGuard is all that, why did it take so long to make it into the Linux kernel? After all, its creator, Jason Donenfeld, first came up with the ideas behind WireGuard in 2015.

Why Cloud Service Providers Are a Single Point of Failure

www.darkreading.com/cloud/why-cloud-service-providers-are-a-single-point-of-failure The use of cloud computing services is expanding, so it’s no surprise that the number and complexity of cyberattacks are also on the rise. Making matters worse is the fact that the global cloud market is essentially an oligopoly with a handful of providers dominating the space, creating systemic risk.

Connectivity providers eye redistribution of responsibilities with the DSA

www.euractiv.com/section/digital/news/connectivity-providers-eye-redistribution-of-responsibilities-with-the-dsa/ For 20 years, internet service providers have been tasked by relevant authorities with taking down illegal content. With the Digital Services Act (DSA), obligations are largely moving to online platforms.

Edge Computing and 5G: Will Security Concerns Outweigh Benefits?

securityintelligence.com/articles/edge-computing-5g-security-concerns-benefits/ You’re probably hearing a bunch of chatter about edge computing these days and how it, along with 5G, is the latest piece of technology to redefine how we conduct our business. In fact, you may even be hearing people say that edge computing will replace cloud computing. Let’s separate the facts from the speculation.

SSRF vulnerability patched in Jamf Pro mobile security platform

portswigger.net/daily-swig/ssrf-vulnerability-patched-in-jamf-pro-mobile-security-platform A vulnerability in Jamf Pro, a popular mobile device management (MDM) platform for Apple devices, allowed attackers to stage server-side request forgery (SSRF) attacks on the application’s servers, security researchers at Assetnote have found.

Finnish security company sold to Norway

www.tivi.fi/uutiset/tv/61302c25-a5c7-4450-9684-9fb5a5a98585 Fiarone, a provider of security operations center (SOC) services, has been sold to NetNordic, which is headquartered in Oslo. According to Fiarone, cyber security plays an increasingly central role in companies. The company has provided its services to both private and public sector customers since 2010.

December 2021 Forensic Challenge

isc.sans.edu/diary/rss/28108 Today’s diary is a forensic challenge for December 2021. This month’s challenge is based on network traffic from an Active Directory (AD) environment where a Windows client becomes infected. The prize for this contest is a Raspberry Pi.
