Daily NCSC-FI news followup 2021-12-27

QNAP NAS devices hit in surge of ech0raix ransomware attacks

www.bleepingcomputer.com/news/security/qnap-nas-devices-hit-in-surge-of-ech0raix-ransomware-attacks/ Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt. The jump in the number of attacks is confirmed by the ID Ransomware service, where submissions started to increase on December 19 and subsided towards December 26.

More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild

therecord.media/more-than-1200-phishing-toolkits-capable-of-intercepting-2fa-detected-in-the-wild/ A team of academics said it found more than 1,200 phishing toolkits deployed in the wild that are capable of intercepting two-factor authentication (2FA) security codes and allowing cybercriminals to bypass them. To counter this new trend in account security protections, since at least 2017 threat actors have adopted new tools that allow them to bypass 2FA by stealing a user’s authentication cookies, which are files created inside a web browser once the user has logged into an account after the 2FA process was completed.

Shutterfly services disrupted by Conti ransomware attack

www.bleepingcomputer.com/news/security/shutterfly-services-disrupted-by-conti-ransomware-attack/ Photography and personalized photo giant Shutterfly has suffered a Conti ransomware attack that allegedly encrypted thousands of devices and stole corporate data. On Friday, a source told BleepingComputer that Shutterfly suffered a ransomware attack approximately two weeks ago by the Conti gang, who claims to have encrypted over 4,000 devices and 120 VMware ESXi servers. While BleepingComputer has not seen the negotiations for the attack, we are told that they are underway and that the ransomware gang is demanding millions of dollars as a ransom.

Global Cyberattacks from Nation-State Actors Posing Greater Threats

threatpost.com/global-cyberattacks-nation-state-threats/177253/ Casey Ellis, CTO at Bugcrowd, outlines how international relations have deteriorated into a new sort of Cold War, with espionage playing out in the cyber-domain.

Ransomware Evolution: From WannaCry to DarkSide

medium.com/technology-hits/ransomware-evolution-from-wannacry-to-darkside-1dab07c4d890 2021 is coming to an end. And for cybersecurity, this is a busy year (which wasn’t?). Ransomware attacks are on a steep upward trend, and the gradient isn’t softening. Individuals and organizations continue to fall victim to this age-old cybercrime, and it’s far from a new phenomenon. If you are not new to the industry, you should remember that the last peak of attention on this issue was in 2017, when the infamous WannaCry ransomware devastated companies. However, comparing what we are facing this year with 2017, we see a giant leap in both the business model and the malware itself.

Japan and US expected to boost cooperation on ransomware threats

therecord.media/japan-and-us-expected-to-boost-cooperation-on-ransomware-threats/ Japanese government officials said the US and Japan are planning to agree on ransomware collaboration measures at an upcoming security summit, according to reports from Japanese media. According to the reports, cybersecurity will also be on the agenda. Although there are few details about the ransomware agreements, they are expected to involve greater information sharing, collaboration on identifying hacker groups, and enhancing private-sector resilience against attacks.

Ransomware Spotlight: REvil

www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil Now that the reign of REvil has come to an end, it’s time to regroup and strategize. What can organizations learn from REvil’s tactics? We review the rise, downfall, and future of its operations using insights into the group’s arsenal and inner workings. REvil, also known as Sodinokibi, had risen to notoriety for its high-profile attacks since its discovery in 2019. After being among the most active ransomware variants in 2021, it was officially shut down after garnering the attention of law enforcement agencies due to its attacks on critical industries that resulted in supply shortages and delays. The crackdown led to the arrest of two of its associates and its TOR network being taken offline. However, organizations should not let their guard down. We foresee the group reemerging under a new moniker with the REvil name now tarnished and unlikely to entice affiliates.

What does a cyber analyst do during a cyberattack? Take part in an open cyber exercise and find out!

www.epressi.com/tiedotteet/tietoturva/mita-kyberanalyytikko-tekee-kyberhyokkayksen-aikana-osallistu-avoimeen-kyberharjoitukseen-ja-kokeile.html The Europe-wide Flagship 2 cyber exercise run by Jyväskylä University of Applied Sciences (Jamk) will also be held as an open exercise in which people interested in cybersecurity can act as cyber analysts in the middle of a simulated cyberattack. In January, Jyväskylä University of Applied Sciences is organising a cybersecurity exercise expected to draw participants from 22 European countries. The participants’ task is to find signs of threat activity, technically investigate the cyberattack that took place, and consider its impact on the organisation’s core operations. For the first time, people outside the project can also take part in the exercise.

Asset Visibility Maps Relationships and Communication Pathways in OT Environments

www.dragos.com/blog/industry-news/asset-visibility-maps-relationships-and-communication-pathways-in-ot-environments/ Experienced cybersecurity professionals will tell you that you can’t secure the systems you don’t know about, which is why asset visibility is so crucial no matter what kind of technology infrastructure you’re defending. Asset visibility in industrial control system (ICS) environments provides industrial asset owners and operators and security staff with the knowledge and insight necessary to build a mature operational technology (OT) cybersecurity program. When organizations can get accurate and timely views into the assets running on their industrial networks, the benefits are cascading.

In 2022, security will be Linux and open-source developers’ job number one

www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/ Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.

Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons

isc.sans.edu/diary/rss/28180 Microsoft Build Engine is the platform for building applications on Windows, mainly used in environments where Visual Studio is not installed. Also known as MSBuild, the engine provides an XML schema for a project file that controls how the build platform processes and builds software. The project file element named ‘Tasks’ designates independent executable components to run during the project build. Tasks are meant to perform build operations but are being abused by attackers to run malicious code under the MSBuild disguise. This is the second malicious campaign I got using MSBuild in less than a week. Usually, it starts with RDP access using a valid account, spreads over the network via remote Windows Services (SCM), and pushes a Cobalt Strike beacon to corporate hosts abusing the MSBuild task feature as described in today’s diary.
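As an added defender-side example (not code from the ISC diary), a small Python scanner that flags the two MSBuild project-file constructs that let a build run arbitrary code: inline code tasks (`UsingTask` with `CodeTaskFactory`/`RoslynCodeTaskFactory` and a `<Code>` body, which MSBuild compiles and executes itself) and `Exec` tasks. Both are legitimate MSBuild features, so a finding means "review this project", not "this is malware"; the sample project file is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample project (not from the diary): a normal Csc build step,
# an Exec task, and an inline code task of the kind the diary describes.
SAMPLE_PROJECT = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Csc Sources="Program.cs" OutputAssembly="app.exe" />
    <Exec Command="echo Build finished" />
    <Demo />
  </Target>
  <UsingTask TaskName="Demo" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[ /* compiled and run by MSBuild */ ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

# Task factories that compile source embedded in the project file at build time.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}


def _local(tag):
    """Strip the XML namespace so old-style (namespaced) and SDK-style projects parse alike."""
    return tag.rsplit("}", 1)[-1]


def find_suspicious_tasks(project_xml):
    """Return (kind, detail) findings, in document order, for task usage worth reviewing:
    'inline-code-task' for UsingTask elements carrying inline source, and
    'exec-task' for Exec tasks, which run an arbitrary shell command."""
    findings = []
    root = ET.fromstring(project_xml)
    for el in root.iter():
        name = _local(el.tag)
        if name == "UsingTask":
            factory = el.get("TaskFactory", "").lower()
            # el.iter() includes el itself, but only a <Code> descendant matches here.
            has_code = any(_local(c.tag) == "Code" for c in el.iter())
            if factory in INLINE_FACTORIES or has_code:
                findings.append(("inline-code-task", el.get("TaskName", "?")))
        elif name == "Exec":
            findings.append(("exec-task", el.get("Command", "")))
    return findings


if __name__ == "__main__":
    for kind, detail in find_suspicious_tasks(SAMPLE_PROJECT):
        print(f"{kind}: {detail}")
```

Run against project files found in unexpected locations (user temp or profile directories) to turn a hit into a triage item for the host in question.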
