Daily NCSC-FI news followup 2021-12-24

SFW! The Top N Cybersecurity Stories of 2021 (for small positive integer values of N)

nakedsecurity.sophos.com/2021/12/24/sfw-the-top-n-cybersecurity-stories-of-2021-for-small-positive-integer-values-of-n/ And by totally SFW, we don’t just mean Suitable For Work, but also Something For the Weekend: a double bonus if you’re on official duty over the holiday break and are looking for laid-back content that nevertheless counts as genuine on-the-job learning. While everyone else was choosing their Top N Terrible Cybersecurity Incidents Of 2021, some of them for worryingly high values of N, we thought we’d pick our year-end stories in a more family-friendly way.

Android banking trojan spreads via fake Google Play Store page

www.bleepingcomputer.com/news/security/android-banking-trojan-spreads-via-fake-google-play-store-page/ An Android banking trojan targeting Itaú Unibanco, a large financial services provider in Brazil with 55 million customers globally, has deployed an unusual trick to spread to devices. The actors have set up a page that looks very close to Android’s official Google Play app store to trick visitors into thinking they are installing the app from a trustworthy service.

New Rook Ransomware Feeds Off the Code of Babuk

www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/ First noticed on VirusTotal on November 26th by researcher Zack Allen, Rook Ransomware initially attracted attention for the operators’ rather unorthodox self-introduction, which stated that “We desperately need a lot of money” and “We will stare at the internet”. In this post, we offer the first technical write-up of the Rook ransomware family, covering both its main high-level features and its ties to the Babuk codebase.

Blackmagic fixes critical DaVinci Resolve code execution flaws

www.bleepingcomputer.com/news/security/blackmagic-fixes-critical-davinci-resolve-code-execution-flaws/ Blackmagic Software has recently addressed two security vulnerabilities in the highly popular DaVinci Resolve software that would allow attackers to gain code execution on unpatched systems. The two remote code execution (RCE) security flaws, tracked as CVE-2021-40417 and CVE-2021-40418, were discovered by Cisco Talos security researchers and are rated with a CVSSv3 severity score of 9.8/10. Both are caused by weaknesses in DaVinci Resolve’s DPDecoder service and are triggered either by a heap-based buffer overflow when decoding a video file or by an incorrect UUID when parsing video files.

FBI traces and grabs back $150 million theft that was turned into bitcoins

blog.malwarebytes.com/crypto/2021/12/fbi-traces-and-grabs-back-150-million-theft-that-was-turned-into-bitcoins/ On December 1, 2021, the Tokyo police arrested an employee of Sony Life Insurance on suspicion of fraudulently obtaining 17 billion yen through an illegal money transfer from an overseas unit. The funds were embezzled by Sony employee Rei Ishii, who pretended to conduct a legitimate fund transfer in May 2021. He allegedly transferred the money from SA Reinsurance Ltd’s bank account to a different bank account overseas by falsifying transaction instructions, which caused the funds to be transferred to an account that Ishii controlled at a bank in La Jolla, California. He then quickly converted the funds to bitcoins, as criminals do.

Dridex Omicron phishing taunts with funeral helpline number

www.bleepingcomputer.com/news/security/dridex-omicron-phishing-taunts-with-funeral-helpline-number/ Over the past few weeks, one of the Dridex phishing email distributors has been having fun toying with victims and researchers. In a new phishing campaign discovered by MalwareHunterTeam and 604Kuzushi, this same threat actor took it to the next level by spamming emails with the subject “COVID-19 testing result”, stating that the recipient was exposed to a coworker who tested positive for the Omicron COVID-19 variant.

AvosLocker ransomware reboots in Safe Mode to bypass security tools

www.bleepingcomputer.com/news/security/avoslocker-ransomware-reboots-in-safe-mode-to-bypass-security-tools/ In recent attacks, the AvosLocker ransomware gang has started focusing on disabling endpoint security solutions that stand in their way by rebooting compromised systems into Windows Safe Mode. This tactic makes it easier to encrypt victims’ files since most security solutions will be automatically disabled after Windows devices boot in Safe Mode.

How I found the Grafana zero-day Path Traversal exploit that gave me access to your logs

labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/ On December 2, open-source analytics solution Grafana released an emergency security patch for the critical zero-day Path Traversal vulnerability CVE-2021-43798, after proof-of-concept code to exploit the issue was published online. The flaw, which received a CVSS score of 7.5 and enabled remote access to local files on the server, is no longer exploitable on servers running the latest Grafana update.
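A path-traversal attempt like the one described above leaves a recognisable trace in web access logs, because browsers normalise `..` segments before sending a request and real clients therefore never emit them. The following is an added example (not code from the Detectify write-up or from Grafana) that scans Common Log Format lines for traversal sequences after percent-decoding, including double-encoded dots, and reports whether the decoded path climbs above the document root. The log lines are constructed for illustration, and the plugin-asset URL shape in them is an assumption; note that a traversal only needs to escape the directory a handler serves from (here a plugin directory) to read files it should not, so `escapes_root` being False does not make a hit harmless.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (illustrative sample data;
# the /public/plugins/<id>/ path shape is an assumption for the example).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2021:10:01:02 +0000] "GET /public/plugins/welcome/img/logo.png HTTP/1.1" 200 512
10.0.0.9 - - [15/Dec/2021:10:01:07 +0000] "GET /public/plugins/welcome/../../../../../../../../etc/passwd HTTP/1.1" 200 2021
10.0.0.9 - - [15/Dec/2021:10:01:09 +0000] "GET /public/plugins/welcome/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2021
10.0.0.7 - - [15/Dec/2021:10:02:00 +0000] "GET /api/health?x=1 HTTP/1.1" 200 36
10.0.0.9 - - [15/Dec/2021:10:02:15 +0000] "GET /public/plugins/welcome/%252e%252e/%252e%252e/%252e%252e/conf/defaults.ini HTTP/1.1" 404 0
"""

# client, method, request target and status from a Common Log Format line
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_path(raw, rounds=2):
    """Strip query/fragment and percent-decode up to `rounds` times.

    Two rounds catch double-encoded dots (%252e -> %2e -> .), which some
    front-end proxies decode once before the backend decodes again.
    """
    path = raw.split("?", 1)[0].split("#", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyse_path(raw):
    """Walk the decoded path and count '..' segments and root escapes."""
    path = decode_path(raw).replace("\\", "/")  # backslash variants too
    depth = 0
    dotdot = 0
    escapes_root = False
    for seg in path.split("/"):
        if seg == "..":
            dotdot += 1
            depth -= 1
            if depth < 0:  # climbed above the document root
                escapes_root = True
        elif seg and seg != ".":
            depth += 1
    return {"decoded": path, "dotdot": dotdot, "escapes_root": escapes_root}


def scan_log(text):
    """Return one finding per request whose decoded path contains '..'."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        info = analyse_path(m.group("target"))
        if info["dotdot"]:
            findings.append({
                "client": m.group("client"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                **info,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "ESCAPES ROOT" if f["escapes_root"] else "traversal"
        print(f'{f["client"]} {f["status"]} {flag} ({f["dotdot"]} x ..) {f["decoded"]}')
```

A 200 response paired with a root-escaping path is the signal to treat as a likely successful read and to pull the server's own logs for that client; a 404 on the same pattern still identifies a scanner worth blocking.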

Example of how attackers are trying to push crypto miners via Log4Shell

isc.sans.edu/forums/diary/Example+of+how+attackers+are+trying+to+push+crypto+miners+via+Log4Shell/28172/ While following Log4Shell exploit attempts hitting our honeypots, I came across another campaign trying to push a crypto miner onto victims’ machines. The previous campaign I analyzed used a simple post-exploitation PowerShell script to download and launch the coin miner xmrig. The new one uses a .NET launcher to download, decrypt, and execute the binaries.
