Daily NCSC-FI news followup 2022-01-13

How to control cookies: A real-world experiment

www.kaspersky.com/blog/how-to-control-your-cookies/43303/ These days, when you go to almost any website, you'll immediately see a banner at the bottom of the screen asking you to accept all cookies. Typically, users agree, to get rid of the annoying text box without delay. Lots of people don't know if they can decline these mysterious cookies or how to configure them. We decided to conduct an experiment and show you how to control cookies and what happens if you don't bother.

Learn about 4 approaches to comprehensive security that help leaders be fearless

www.microsoft.com/security/blog/2022/01/13/learn-about-4-approaches-to-comprehensive-security-that-help-leaders-be-fearless/ The last 18 months have put unprecedented pressure on organizations to speed up their digital transformation as remote and hybrid work continue to become the new normal. Yet even with all the change and uncertainty, having the right security support system in place means your organization can still move forward confidently to turn your vision into reality. I've seen our customers demonstrate this fearlessness every day, and I love learning from them as we stand together against ongoing threats.

10 real-world stories of how we've compromised CI/CD pipelines

research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines/ Mainstream appreciation for cyberattacks targeting continuous integration and continuous delivery/continuous deployment (CI/CD) pipelines has been gaining momentum. Attackers and defenders increasingly understand that build pipelines are highly-privileged targets with a substantial attack surface. But what are the potential weak points in a CI/CD pipeline? What does this type of attack look like in practice? NCC Group has found many attack paths through different security assessments that could have led to a compromised CI/CD pipeline in enterprises large and small.

FIN7 Uses Flash Drives to Spread Remote Access Trojan

www.recordedfuture.com/fin7-flash-drives-spread-remote-access-trojan/ Recorded Future analysts continue to monitor the activities of the FIN7 group as they adapt and expand their cybercrime operations. Gemini has conducted a more in-depth investigation into these types of attack after a Gemini source provided analysts with a file sketch_jul31a.ino, which was linked to FIN7's BadUSB attacks. The file had the extension (.INO), indicating it contained the source code for an Arduino sketch (the Arduino term for a program). BleepingComputer also recently released a public report on FIN7's use of the BadUSB attack method, outlining the activity around this type of attack.

The BlueNoroff cryptocurrency hunt is still on

securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/ BlueNoroff is the name of an APT group coined by Kaspersky researchers while investigating the notorious attack on Bangladesh's Central Bank back in 2016. A mysterious group with links to Lazarus and an unusual financial motivation for an APT. The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure. See our earlier publication about BlueNoroff attacks on the banking sector.

Cryptocurrency scams: What to know and how to protect yourself

www.welivesecurity.com/2022/01/12/cryptocurrency-scams-what-know-how-protect-yourself/ The world seems to have gone crypto-mad. Digital currencies like bitcoin, Monero, Ethereum and Dogecoin are all over the internet. Their soaring value promises big wins for investors (before the coins' prices plunge, that is). And the fortunes to be made by mining for virtual money have echoes of gold rushes in the 1800s. Or at least, that's what many, including a long list of scammers, will have you believe.

Microsoft pulls new Windows Server updates due to critical bugs

www.bleepingcomputer.com/news/microsoft/microsoft-pulls-new-windows-server-updates-due-to-critical-bugs/ Microsoft has pulled the January Windows Server cumulative updates after critical bugs caused domain controllers to reboot, Hyper-V to not work, and ReFS volume systems to become unavailable. Tuesday, Microsoft released the January 2022 Patch Tuesday updates for Windows Server that includes numerous security updates and bug fixes. These updates are KB5009624 for Windows Server 2012 R2, KB5009557 for Windows Server 2019, and KB5009555 for Windows Server 2022.

GitLab shifts left to patch high-impact vulnerabilities

portswigger.net/daily-swig/gitlab-shifts-left-to-patch-high-impact-vulnerabilities GitLab has pushed out a significant security release that addresses multiple flaws including an arbitrary file read issue rated as critical and two high-impact vulnerabilities. An update to the popular version control platform released this week tackles a vulnerability involving cross-site scripting (XSS) in Notes, along with a high-impact authentication-related flaw involving a lack of state parameter on GitHub import project OAuth.

Researchers Decrypted Qakbot Banking Trojan’s Encrypted Registry Keys

thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html Cybersecurity researchers have decoded the mechanism by which the versatile Qakbot banking trojan handles the insertion of encrypted configuration data into the Windows Registry. Qakbot, also known as QBot, QuackBot and Pinkslipbot, has been observed in the wild since 2007. Although mainly fashioned as an information-stealing malware, Qakbot has since shifted its goals and acquired new functionality to deliver post-compromise attack platforms such as Cobalt Strike Beacon, with the final objective of loading ransomware on infected machines.

2021 Cyber Attacks Statistics

www.hackmageddon.com/2022/01/13/2021-cyber-attacks-statistics/ And finally I have aggregated all the data collected in 2021 from the cyber attacks timelines. In the past year I have collected 2539 events, meaning nearly a 9% increase compared with the 2332 events collected over the course of 2020. Interestingly this increase occurred mainly between January and May (maybe an effect of the pandemic), after this interval, the trend is essentially in line with the values of 2020.

US Military Ties Prolific MuddyWater Cyberespionage APT to Iran

threatpost.com/us-military-ties-muddywater-cyberespionage-apt-iran/177633/ U.S. Cyber Command has confirmed that MuddyWater, an advanced persistent threat (APT) cyberespionage actor (aka Mercury, Static Kitten, TEMP.Zagros or Seedworm) that's historically targeted government victims in the Middle East, is an Iranian intelligence outfit. The link has been suspected, and now it's government-stamped. On Wednesday, USCYBERCOM not only confirmed the tie; it also disclosed the plethora of open-source tools and strategies MuddyWater uses to break into target systems and released malware samples. Also:

thehackernews.com/2022/01/us-cyber-command-links-muddywater.html

www.bleepingcomputer.com/news/security/us-links-muddywater-hacking-group-to-iranian-intelligence-agency/

therecord.media/cyber-command-ties-hacking-group-to-iranian-intelligence/

www.cisa.gov/uscert/ncas/current-activity/2022/01/12/cnmf-identifies-and-discloses-malware-used-iranian-apt-muddywater

GootLoader Hackers Are Compromising Employees of Law and Accounting Firms, Warns eSentire

www.esentire.com/security-advisories/gootloader-hackers-are-compromising-employees-of-law-firms-and-accounting-agencies-warns-esentire eSentire, the industry's leading Managed Detection and Response (MDR) cybersecurity provider, is warning law and accounting firms of a widespread GootLoader hacker campaign. In the past three weeks and as recently as January 6, eSentire's threat hunters have intercepted and shut down cyberattacks launched against three law firms and an accounting firm. The GootLoader hacking group is behind the attacks. Ironically, these attacks coincide with the one-year anniversary of the GootLoader Gang's December 2020 Website Poisoning Campaign, which eSentire first reported. GootLoader is a stealthy initial access malware, which after getting a foothold into the victim's computer system, infects the system with ransomware or other lethal malware.

Microsoft Defender weakness lets hackers bypass malware detection

www.bleepingcomputer.com/news/security/microsoft-defender-weakness-lets-hackers-bypass-malware-detection/ Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there. The issue has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2.

FCC proposes stricter data breach reporting rules

therecord.media/fcc-proposes-stricter-data-breach-reporting-rules/ Following a series of hacks and data leaks at US telecom companies, the Federal Communications Commission has proposed today a series of changes to its data breach notification requirements. FCC Chairwoman Jessica Rosenworcel, who published the proposed rules earlier today, said that the agency needs to update its existing reporting rules to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers, who often learn of breaches long after they have occurred.

Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more

www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside In this blog post we are going to discuss the details of a vulnerability in Windows Remote Desktop Services, which we recently uncovered. We reported the vulnerability to Microsoft in a coordinated disclosure process. Microsoft has released a fix in the latest security update and the vulnerability is now identified as CVE-2022-21893.

Fingers point to Lazarus, Cobalt, FIN7 as key hacking groups attacking finance industry

www.zdnet.com/article/fingers-point-to-lazarus-cobalt-fin7-as-key-hacking-groups-focused-on-finance-industry/ The Lazarus, Cobalt, and FIN7 hacking groups have been labeled as the most prevalent threat actors striking financial organizations today. According to “Follow the Money,” a new report (.PDF) published on the financial sector by Outpost24’s Blueliv on Thursday, members of these groups are the major culprits of theft and fraud in the industry today.

North Korean Hackers Have Prolific Year as Their Unlaundered Cryptocurrency Holdings Reach All-time High

blog.chainalysis.com/reports/north-korean-hackers-have-prolific-year-as-their-total-unlaundered-cryptocurrency-holdings-reach-all-time-high/ North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400 million worth of digital assets last year. These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations' internet-connected hot wallets into DPRK-controlled addresses. Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out.

BreakingFormation: Orca Security Research Team Discovers AWS CloudFormation Vulnerability

orca.security/resources/blog/aws-cloudformation-vulnerability/ Orca Security's vulnerability researcher, Tzah Pahima, discovered a vulnerability in AWS allowing file and credential disclosure of an AWS internal service. This zero-day, which AWS completely mitigated within 6 days of our submission, was an XXE (XML External Entity) vulnerability found in the CloudFormation service. This could have been used to leak sensitive files found on the vulnerable service machine and make server-side requests (SSRF) susceptible to the unauthorized disclosure of credentials of internal AWS infrastructure services.

A new online trap makes you send a text message, and it gets expensive

www.is.fi/digitoday/tietoturva/art-2000008537973.html SUBSCRIPTION TRAPS have plagued Finnish internet users. This is a form of online scam in which the victim is lured into handing over their payment card details, after which the card starts being charged on a regular basis. The monthly charges are often in the range of 70-80 euros. The National Cyber Security Centre of the Finnish Transport and Communications Agency warns of a new way of luring people into the trap. It involves web browser pop-up windows announcing that an application or the operating system needs to be updated. To get the update, the user is required to send a text message.

Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent

www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ Malware targeting Linux-based operating systems, commonly deployed in Internet of Things (IoT) devices, has increased by 35% in 2021 compared to 2020, according to current CrowdStrike threat telemetry, with the top three malware families accounting for 22% of all Linux-based IoT malware in 2021. XorDDoS, Mirai and Mozi are the most prevalent Linux-based malware families observed in 2021, with Mozi registering a significant tenfold increase in the number of in-the-wild samples in 2021 compared to 2020.
