Daily NCSC-FI news followup 2021-12-30

APT ‘Aquatic Panda’ Targets Universities with Log4Shell Exploit Tools

threatpost.com/aquatic-panda-log4shell-exploit-tools/177312/ Researchers from CrowdStrike disrupted an attempt by the threat group to steal industrial intelligence and military secrets from an academic institution. Cyber criminals, under the moniker Aquatic Panda, are the latest advanced persistent threat group (APT) to exploit the Log4Shell vulnerability. Researchers from CrowdStrike Falcon OverWatch recently disrupted the threat actors using Log4Shell exploit tools on a vulnerable VMware installation during an attack that involved a large undisclosed academic institution, according to research released Wednesday. “Aquatic Panda is a China-based APT with a dual mission of intelligence collection and industrial espionage,” wrote Benjamin Wiley, the author of the CrowdStrike report.

Firmware attack can drop persistent malware in hidden SSD area

www.bleepingcomputer.com/news/security/firmware-attack-can-drop-persistent-malware-in-hidden-ssd-area/ Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location that’s beyond the reach of the user and security solutions. The attack models are for drives with flex capacity features and target a hidden area on the device called over-provisioning, which is widely used by SSD makers these days for performance optimization on NAND flash-based storage systems. Hardware-level attacks offer ultimate persistence and stealth. Sophisticated actors have worked hard to implement such concepts against HDDs in the past, hiding malicious code in unreachable disk sectors.

Agent Tesla Updates SMTP Data Exfiltration Technique

isc.sans.edu/diary/rss/28190 Agent Tesla is a Windows-based keylogger and RAT that commonly uses SMTP or FTP to exfiltrate stolen data. This malware has been around since 2014, and SMTP is its most common method for data exfiltration. Through November 2021 Agent Tesla samples sent their emails to compromised or possibly fraudulent email accounts on mail servers established through hosting providers. Since December 2021, Agent Tesla now uses those compromised email accounts to send stolen data to Gmail addresses.

Data controllers must assess the risks the Log4j vulnerability poses to personal data

tietosuoja.fi/-/rekisterinpitajan-tulee-arvioida-log4j-haavoittuvuudesta-henkilotiedoille-aiheutuvat-riskit A data controller must notify the Office of the Data Protection Ombudsman of a personal data breach resulting from the vulnerability in the Log4j component if the attack has compromised personal data. The affected individuals must also be notified of the breach if the compromise of their data poses a high risk to them. Several critical vulnerabilities have been found in the Apache Log4j component. The National Cyber Security Centre (Kyberturvallisuuskeskus) warned about the Log4shell vulnerability on 10 December.

LastPass VPs confirm ‘no indication’ of compromised accounts after security alerts

www.zdnet.com/article/lastpass-vp-says-no-indication-that-accounts-compromised-or-credentials-harvested-after-reports/ Two LastPass vice presidents have released statements about the situation surrounding LastPass security issues that came to light this week. Two days ago, hundreds of LastPass users took to Twitter, Reddit, and other sites to complain that they were getting alerts about their master password being used by someone who was not them. Some reported that even after changing their master password, someone tried to access their account again. On Tuesday, the company released a brief statement noting that its security team observed and received reports of potential credential stuffing attempts. Credential stuffing involves attackers stealing credentials (usernames, passwords, etc.) to access users’ accounts.

Card scammers' new target: reports to police from around Finland

www.iltalehti.fi/tietoturva/a/ff935b6f-15f6-4142-9563-9fb03d260acb Russian speakers are now the target of a scam campaign in Finland. The Southeastern Finland Police Department reports scam calls in which the callers pose as representatives of banks or other large organizations. The scam follows a recurring pattern: “Russian-speaking persons receive a call from a foreign number or from numbers that appear to belong to Finnish banks. The caller speaks Russian and poses as an employee of either a bank or an international organization,” the police release states.

T-Mobile confirms SIM swapping attacks led to breach

www.zdnet.com/article/t-mobile-confirms-sim-swapping-attacks-led-to-breach/ T-Mobile has confirmed a data breach that was caused in part by SIM swapping attacks, according to a statement from the company. The T-Mo Report, a blog tracking T-Mobile, obtained internal reports showing that some data was leaked from a subset of customers. The customers, according to The T-Mo Report, come in three varieties. Some had their customer proprietary network information (CPNI) leaked, others had their SIMs swapped and a small group suffered from both. CPNI includes information about a customer’s plan, the number of lines, the phone numbers, the billing account and more. When pressed for comment by ZDNet, T-Mobile refused to go into detail about the attack and would not say how many customers were affected in the incident.

University loses 77TB of research data due to backup error

www.bleepingcomputer.com/news/security/university-loses-77tb-of-research-data-due-to-backup-error/ The Kyoto University in Japan has lost about 77TB of research data due to an error in the backup system of its Hewlett-Packard supercomputer. The incident occurred between December 14 and 16, 2021, and resulted in 34 million files from 14 research groups being wiped from the system and the backup file. After investigating to determine the impact of the loss, the university concluded that the work of four of the affected groups could no longer be restored. The plan is to also keep incremental backups – which cover files that have been changed since the last backup happened – in addition to full backup mirrors.
