Daily NCSC-FI news followup 2022-01-12

New Windows Server updates cause DC boot loops, break Hyper-V

www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-dc-boot-loops-break-hyper-v/ The latest Windows Server updates are causing severe issues for administrators, with domain controllers having spontaneous reboots, Hyper-V not starting, and inaccessible ReFS volumes until the updates are rolled back. Yesterday, Microsoft released the Windows Server 2012 R2 KB5009624 update, the Windows Server 2019 KB5009557 update, and the Windows Server 2022 KB5009555 update as part of the January 2022 Patch Tuesday. After installing these updates, administrators have been battling multiple issues that are only resolved after removing the updates. also:

borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/

Wormable Windows HTTP hole: what you need to know

nakedsecurity.sophos.com/2022/01/12/wormable-windows-http-hole-what-you-need-to-know/ We wrote up an overview of the updates, as we do every month, over on our sister site news.sophos.com: First Patch Tuesday of 2022 repairs 102 bugs. For better or for worse, one update has caught the media’s attention more than any other, namely CVE-2022-21907, more fully known as HTTP Protocol Stack Remote Code Execution Vulnerability. This bug was one of seven of this month’s security holes that could lead to remote code execution (RCE), the sort of bug that means someone outside your network could trick a computer inside your network into running some sort of program without asking for permission first. also:

isc.sans.edu/forums/diary/A+Quick+CVE202221907+FAQ+work+in+progress/28234/

Tori and Facebook scammers are capturing Finns' card details: “Reports come in daily”

www.iltalehti.fi/tietoturva/a/66b2c4ed-fc35-4c9b-b9bd-cbbf98ff9eee There are currently a great many scammers active on Tori.fi and on Facebook Marketplace. Anyone trading on these platforms should think carefully about whether to include their phone number in a sales listing, since the scammers mostly make contact via WhatsApp. Juha Tretjakov, senior specialist at the National Cyber Security Centre of the Finnish Transport and Communications Agency (Traficom), says that over the past two weeks the centre has received several reports per day about scam attempts on the marketplace sites.

Be careful if you get a call like this: one clear piece of advice for a scam situation

www.iltalehti.fi/tietoturva/a/0d289d8b-27e8-4e90-aa1b-bf2a92290ac5 For almost two years Finns have been plagued by scam callers who previously posed as Microsoft support. Now the scammers have changed their approach and pose as representatives of telecom operators. Juha Tretjakov, senior specialist at the National Cyber Security Centre of the Finnish Transport and Communications Agency (Traficom), says the centre has received reports of the scam calls. The calls are part of a larger Microsoft scam wave and may also come from Finnish numbers. “When the ‘operator’ calls a Finnish-speaking ‘customer’ and speaks English, that alone is a big sign that it is a scam,” Tretjakov says. Tretjakov's advice for situations where you get a strange call is simple: “Even if it feels rude, you can hang up on a caller like this straight away.”

The Nightmare Before Christmas: Looking Back at Log4j Vulnerabilities

blog.aquasec.com/log4j-vulnerabilities-overview In this blog, we summarize what has happened, examine the implications of the Log4j vulnerabilities for the future, and outline how organizations can better protect their systems.

Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure

blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html Threat actors are increasingly using cloud technologies to achieve their objectives without having to host their own infrastructure. Cloud services such as Azure and AWS let attackers set up their infrastructure and connect it to the internet with minimal time or monetary commitment. This also makes it harder for defenders to track down the attackers' operations. Organizations should be inspecting outgoing connections to cloud computing services for malicious traffic. The campaigns described in this post demonstrate increasing use of popular cloud platforms for hosting malicious infrastructure.
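The inspection of outbound cloud traffic that Talos recommends, as an added example for this digest (it is not code from the Talos post): a small Python detector that buckets firewall flows by source, destination and port, keeps only destinations inside cloud address space, and flags two patterns that ordinary use of a cloud service rarely produces: a non-web port, and a near-constant connection cadence, which catches a beacon even when it hides on 443. The log format, the "cloud" prefixes (RFC 5737 documentation ranges) and the sample flows are all constructed for the example; in production CLOUD_NETS would be loaded from the providers' published range feeds (for instance AWS's ip-ranges.json and Azure's Service Tags file).

```python
"""Flag outbound connections into public-cloud address space that look
like RAT command-and-control rather than normal use of a cloud service.

Added example for this digest, not code from the Talos post. The log
lines and the 'cloud' prefixes below are constructed; the prefixes are
RFC 5737 documentation ranges standing in for provider-published ones.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Stand-ins for provider range feeds; nothing here is a real cloud prefix.
CLOUD_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
WEB_PORTS = {80, 443}
MIN_CONNECTIONS = 4      # need a few intervals before judging regularity
MAX_JITTER = 0.15        # coefficient of variation below this looks machine-driven

# Constructed line format: "<ISO8601 UTC> src=<ip> dst=<ip> dport=<port>"
_LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def in_cloud(ip: str) -> bool:
    """True when the address falls inside one of the configured cloud prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_NETS)


def parse_flows(lines):
    """Yield (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], m["dst"], int(m["dport"])


def jitter(timestamps) -> float:
    """Coefficient of variation of the gaps between consecutive connections (0 = perfectly periodic)."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else float("inf")


def find_suspicious(lines) -> list:
    """Findings for (src, dst, dport) tuples that hit cloud space on odd ports or on a fixed cadence."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_flows(lines):
        if in_cloud(dst):
            flows[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), stamps in sorted(flows.items()):
        reasons = []
        if dport not in WEB_PORTS:
            reasons.append("non-web port %d" % dport)
        if len(stamps) >= MIN_CONNECTIONS:
            cv = jitter(sorted(stamps))
            if cv < MAX_JITTER:
                reasons.append("%d connections at a near-constant interval (jitter %.2f)" % (len(stamps), cv))
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return findings


# --- constructed sample log -----------------------------------------------
T0 = datetime(2022, 1, 12, 9, 0, tzinfo=timezone.utc)


def _flow(src, dst, dport, gaps_s):
    """Build constructed log lines, one connection per gap, in the format _LINE parses."""
    out, t = [], T0
    for g in gaps_s:
        t += timedelta(seconds=g)
        out.append("%s src=%s dst=%s dport=%d" % (t.strftime("%Y-%m-%dT%H:%M:%SZ"), src, dst, dport))
    return out


SAMPLE_LOG = (
    _flow("10.0.0.5", "203.0.113.10", 6606, [0, 60, 61, 59, 60, 60])    # odd port, periodic
    + _flow("10.0.0.7", "203.0.113.40", 443, [0, 3, 140, 2, 900, 15])   # browsing, irregular
    + _flow("10.0.0.11", "198.51.100.20", 443, [0, 300, 300, 300, 300]) # periodic, but on 443
    + _flow("10.0.0.9", "192.0.2.50", 443, [0, 120, 120, 120, 120])     # periodic, not cloud space
    + ["2022-01-12T09:30:00Z noise line without fields"]
)

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print("%s -> %s:%d  %s" % (f["src"], f["dst"], f["dport"], "; ".join(f["reasons"])))
```

On the constructed data the detector reports 10.0.0.5 (odd port and periodic) and 10.0.0.11 (periodic over 443), and stays silent on the irregular browsing host and on the periodic flow to a non-cloud address. The jitter threshold is the tuning knob: real RATs add random sleep, so compare it against the spread your own users' automated traffic shows before alerting on it.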

OceanLotus hackers turn to web archive files to deploy backdoors

www.bleepingcomputer.com/news/security/oceanlotus-hackers-turn-to-web-archive-files-to-deploy-backdoors/ The OceanLotus group of state-sponsored hackers is now using the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems. The goal is to evade detection by antivirus tools, which are more likely to catch commonly abused document formats and stop the victim from opening them in Microsoft Office. A report from Netskope Threat Labs shared with Bleeping Computer in advance notes that OceanLotus' web archive campaign is still active, albeit with a narrow targeting scope, even though its command and control (C2) server has been disrupted. also:

www.netskope.com/blog/abusing-microsoft-office-using-malicious-web-archive-files

The three big cyber plagues: Emotet, Trickbot and Log4j: “Likely to cause harm for many years to come”

www.epressi.com/tiedotteet/tietotekniikka/kybervitsausten-kolme-kovaa-emotet-trickbot-ja-log4j-todennakoisesti-harmia-viela-monen-vuoden-ajan.html Check Point Research reports in its malware review that Emotet has already risen to become the second most common malware both in Finland and worldwide. Netwalker still tops the list in Finland, Trickbot globally. Apache Log4j is the most exploited vulnerability.

Who is the Network Access Broker ‘Wazawaka’?

krebsonsecurity.com/2022/01/who-is-the-network-access-broker-wazawaka/ In a great many ransomware attacks, the criminals who pillage the victim’s network are not the same crooks who gained the initial access to the victim organization. More commonly, the infected PC or stolen VPN credentials the gang used to break in were purchased from a cybercriminal middleman known as an initial access broker. This post examines some of the clues left behind by “Wazawaka,” the hacker handle chosen by a major access broker in the Russian-speaking cybercrime scene.

Signed kernel drivers: Unguarded gateway to Windows’ core

www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/ ESET researchers look at malware that abuses vulnerabilities in signed kernel drivers and outline mitigation techniques against this type of exploitation.

Check your SPF records: Wide IP ranges undo email security and make for tasty phishes

www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-email-security-and-make-for-tasty-phishes/ With parts of the Australian private sector, governments at all levels, and a university falling foul of wide IP ranges in an SPF record, it might be time to check yours.
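The check the article asks for, as an added example for this digest (not the ZDNet article's own code and not an SPF library): a Python auditor that parses the mechanisms of one SPF TXT record, sums the distinct IPv4 addresses its ip4: terms authorise, and flags a single very wide range, an oversized total, a permissive +all, and too many DNS-querying terms. The thresholds, the sample records (RFC 5737 documentation ranges) and the policy of not expanding include: are assumptions made for the example; nothing is resolved over DNS.

```python
"""Audit how much address space an SPF record authorises to send mail.

Added example for this digest, not code from the ZDNet article or from
any SPF library. It parses one SPF record (constructed strings below;
nothing is resolved over DNS), totals the IPv4 addresses granted by ip4:
terms and flags the mistakes the article warns about. The thresholds are
policy choices for this example, not values taken from RFC 7208.
"""
import ipaddress
import re

WIDE_V4_PREFIX = 16      # any single ip4 mechanism wider than a /16 is flagged
MAX_V4_TOTAL = 2 ** 20   # flag records authorising more than ~1M IPv4 addresses
MAX_DNS_LOOKUPS = 10     # RFC 7208 section 4.6.4 limit on DNS-querying terms

# qualifier, mechanism name, optional ":arg" or "/cidr"
_TERM = re.compile(r"([+\-~?]?)(ip4|ip6|include|a|mx|ptr|exists|all)(?:[:/](.+))?", re.I)


def parse_spf(record: str) -> dict:
    """Split one SPF record into ip4/ip6 networks, a DNS lookup count and the 'all' qualifier."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record: %r" % record)
    out = {"ip4": [], "ip6": [], "lookups": 0, "all": None, "errors": []}
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            out["lookups"] += 1              # redirect= costs a DNS query like include:
            continue
        m = _TERM.fullmatch(term)
        if not m:
            continue                         # exp= and unknown modifiers do not grant anything
        qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech in ("ip4", "ip6"):
            try:
                # strict=False accepts host bits set, e.g. ip4:192.0.2.5/24
                out[mech].append(ipaddress.ip_network(arg, strict=False))
            except (TypeError, ValueError):
                out["errors"].append(term)
        elif mech == "all":
            out["all"] = qual
        else:
            out["lookups"] += 1              # include/a/mx/ptr/exists each query DNS
    return out


def _v4_total(nets) -> int:
    """Distinct IPv4 addresses covered, with overlapping ranges counted once."""
    v4 = [n for n in nets if n.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))


def authorised_v4_count(record: str) -> int:
    """Number of distinct IPv4 addresses the record's ip4: terms authorise."""
    return _v4_total(parse_spf(record)["ip4"])


def audit_spf(record: str) -> list:
    """Human-readable findings; an empty list means nothing looked wrong."""
    info = parse_spf(record)
    findings = []
    for net in info["ip4"]:
        if net.version == 4 and net.prefixlen < WIDE_V4_PREFIX:
            findings.append("ip4:%s is wider than a /%d (%d addresses)"
                            % (net, WIDE_V4_PREFIX, net.num_addresses))
    total = _v4_total(info["ip4"])
    if total > MAX_V4_TOTAL:
        findings.append("record authorises %d IPv4 addresses in total" % total)
    if info["all"] == "+":
        findings.append("'+all' lets any host on the internet pass SPF for this domain")
    elif info["all"] is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if info["lookups"] > MAX_DNS_LOOKUPS:
        findings.append("%d DNS-querying terms exceed the limit of %d (permerror)"
                        % (info["lookups"], MAX_DNS_LOOKUPS))
    findings.extend("could not parse %s" % t for t in info["errors"])
    return findings


# Constructed sample records using RFC 5737 documentation ranges.
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 include:_spf.example.net -all"
WIDE_SPF = "v=spf1 ip4:192.0.0.0/8 ip4:203.0.113.0/24 a mx ~all"
OPEN_SPF = "v=spf1 +all"

if __name__ == "__main__":
    for rec in (GOOD_SPF, WIDE_SPF, OPEN_SPF):
        print(rec)
        print("  ip4 addresses:", authorised_v4_count(rec))
        for f in audit_spf(rec) or ["no findings"]:
            print("  -", f)
```

The count only covers ip4: terms in the record itself. A full audit also resolves every include: and redirect= (and the A/MX records behind a or mx) and adds their ranges, which is exactly where a shared hosting or marketing provider's /16 tends to arrive unnoticed.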

Ransomware targets Edge users

blog.malwarebytes.com/threat-intelligence/2022/01/ransomware-targets-edge-users/ Last week, Malwarebytes’ Threat Intelligence worked with nao_sec researchers to investigate a recently-discovered update to the Magnitude Exploit Kit that was duping users with a fake Microsoft Edge browser update. The Magnitude exploit kit uses a grab-bag of social engineering lures and exploits to attack web users and install ransomware on their computers. Although Magnitude has been used to target different geographies and deliver different kinds of ransomware in the past, these days it is strictly focussed on installing Magniber ransomware on targets in South Korea. also:

asec.ahnlab.com/en/30645/

SAP systems are leaping to the cloud: “undeniable advantages also in terms of security” [SUBSCRIBERS ONLY]

www.tivi.fi/uutiset/tv/99eba20a-b494-4ff7-b7dc-2317e2ffcd28 Securing SAP in the cloud requires a new kind of expertise, but moving a monolithic system to the public cloud also offers better security, says TietoEvry's Pete Nieminen.

Patch Management Today: A Risk-Based Strategy to Defeat Cybercriminals

www.darkreading.com/vulnerabilities-threats/patch-management-today-a-risk-based-strategy-to-defeat-cybercriminals By combining risk-based vulnerability prioritization and automated patch intelligence, organizations can apply patches based on threat level. Part 2 of 3.

How to Analyze Malicious Microsoft Office Files

www.intezer.com/blog/malware-analysis/analyze-malicious-microsoft-office-files/ In this article, we will explain the different types of Microsoft Office file formats and how attackers abuse these documents to deliver malware. You will also be presented with tools and techniques that can help you better identify and classify malicious Microsoft Office files.
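A triage routine for the file formats discussed in the Intezer article and for the MHT/MHTML lures in the OceanLotus item above, as an added example for this digest (it is not code from either post and does no full Compound File parsing; use oletools for that). It classifies a file by content rather than extension, since a web archive is typically delivered under a .doc name; lists the entries of an OOXML package to see whether vbaProject.bin is present; uses the UTF-16LE _VBA_PROJECT stream name as a quick heuristic for VBA inside an OLE2 container; and, for MHTML, decodes every MIME part with the standard email parser and reports any part whose decoded payload is an OLE2 document. The three sample files are constructed in the code (the OLE2 blob is only a header plus padding, not a real document).

```python
"""Content-based triage of Office attachments, including MHT/MHTML web
archives that carry an OLE document inside a base64 MIME part.

Added example for this digest; not code from the Netskope or Intezer
posts, and not a full CFB parser (use oletools for that). Every sample
is constructed in this file so it runs offline.
"""
import base64
import email
import email.policy
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File Binary: .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm/.xlsm) is a zip
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")     # CFB directory names are UTF-16LE


def classify(data: bytes) -> str:
    """Decide the container from content, not the extension (MHT lures ship as .doc)."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(b"ActiveMime"):
        return "mso"                                # ActiveMime wrapper around an OLE2 stream
    head = data[:4096].lower()
    if b"mime-version:" in head or b"content-type: multipart/related" in head:
        return "mhtml"                              # RFC 2557 web archive: MIME headers then parts
    return "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """An OOXML package containing vbaProject.bin carries VBA whatever its extension says."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())


def ole2_has_vba(data: bytes) -> bool:
    """Heuristic: a _VBA_PROJECT stream name in the directory means a VBA project is present."""
    return VBA_MARKER in data


def mht_parts(data: bytes) -> list:
    """Decode each MIME part of an MHT file and classify the decoded payload."""
    msg = email.message_from_bytes(data, policy=email.policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        kind = classify(payload)
        parts.append({
            "content_type": part.get_content_type(),
            "location": str(part.get("Content-Location", "")),
            "size": len(payload),
            "kind": kind,
            "has_vba": kind == "ole2" and ole2_has_vba(payload),
        })
    return parts


def triage(data: bytes) -> dict:
    """One verdict per file: container type, whether VBA is present, and any embedded OLE parts."""
    kind = classify(data)
    if kind == "ooxml":
        return {"container": kind, "macros": ooxml_has_macros(data), "embedded": []}
    if kind == "ole2":
        return {"container": kind, "macros": ole2_has_vba(data), "embedded": []}
    if kind == "mhtml":
        parts = mht_parts(data)
        return {"container": kind,
                "macros": any(p["has_vba"] for p in parts),
                "embedded": [p for p in parts if p["kind"] in ("ole2", "mso")]}
    return {"container": kind, "macros": False, "embedded": []}


# --- constructed samples (not real documents or malware) -------------------
def sample_ole2(with_vba: bool) -> bytes:
    """Fake CFB: the 8-byte magic, zero padding to a sector, optionally a VBA stream name."""
    return OLE2_MAGIC + b"\x00" * 504 + (VBA_MARKER if with_vba else b"")


def sample_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", sample_ole2(True))
    return buf.getvalue()


def sample_mht(ole_blob: bytes) -> bytes:
    """An MHT with an HTML page plus a base64 OLE part, the layout Word itself writes."""
    b64 = base64.encodebytes(ole_blob).decode()
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="----=_Part_0"\r\n\r\n'
        "------=_Part_0\r\n"
        'Content-Type: text/html; charset="utf-8"\r\n'
        "Content-Location: file:///C:/invoice.htm\r\n\r\n"
        "<html><body>Enable editing to view</body></html>\r\n"
        "------=_Part_0\r\n"
        "Content-Type: application/x-mso\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Location: file:///C:/invoice_files/oledata.mso\r\n\r\n"
        + b64 +
        "------=_Part_0--\r\n"
    ).encode()


if __name__ == "__main__":
    for name, blob in (("invoice.doc (really MHT)", sample_mht(sample_ole2(True))),
                       ("report.docm", sample_ooxml(True)),
                       ("notes.docx", sample_ooxml(False))):
        print(name, "->", triage(blob))
```

The point of decoding the MIME parts is that the OLE document never appears as a contiguous blob on disk: it is base64 text inside a file that starts with plain MIME headers, so a scanner that only looks at the first bytes sees neither an OLE2 nor a zip signature. Once Word opens the archive it materialises the embedded part, and that is where the VBA check above has to run.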

Dutch athletes warned to keep phones and laptops out of China -media

www.reuters.com/lifestyle/sports/dutch-athletes-warned-keep-phones-laptops-out-china-media-2022-01-11/ Dutch athletes competing in next month’s Beijing Winter Olympics will need to leave their phones and laptops at home, an unprecedented move to avoid Chinese espionage, Dutch newspaper De Volkskrant reported on Tuesday. The urgent advice to athletes and supporting staff not to bring any personal devices to China was part of a set of measures proposed by the Dutch Olympic Committee (NOCNSF) to deal with any possible interference by Chinese state agents, the paper said, citing sources close to the matter.
