Daily NCSC-FI news followup 2022-01-14

Ukraine gets help from NATO in fending off the cyberattack

yle.fi/uutiset/3-12270497 The United States and its allies intend to give Ukraine every assistance in recovering from the cyberattack as the investigations proceed, the White House said on Friday. According to the White House press office, the United States "will provide all necessary support for recovery from the attack". US President Joe Biden has been briefed on the incident. NATO Secretary General Jens Stoltenberg said earlier on Friday that the alliance is deepening its cyber cooperation with its partner Ukraine. Also:

www.bleepingcomputer.com/news/security/multiple-ukrainian-government-websites-hacked-and-defaced/.

therecord.media/hackers-deface-ukrainian-government-websites/.

threatpost.com/be-afraid-massive-cyberattack-downs-ukrainian-govt-sites/177659/.

www.zdnet.com/article/a-massive-hacking-attack-has-hit-government-websites-in-ukraine/. Also: www.is.fi/digitoday/tietoturva/art-2000008539389.html.

www.kauppalehti.fi/uutiset/ukraina-joutui-valtavan-kyberhyokkayksen-kohteeksi-kaikki-tieto-teista-on-nyt-julkista/8335be80-edac-499e-a445-e0d2723d5c3f

Ransomware cyberattack forces New Mexico jail to lock down

blog.malwarebytes.com/ransomware/2022/01/ransomware-cyberattack-forces-new-mexico-jail-to-lock-down/ Five days after the new year, the Metropolitan Detention Center (MDC) in Bernalillo County, New Mexico suddenly went on lockdown. The reason? A ransomware cyberattack had knocked the jail's internet connection offline, rendering most of its data systems, security cameras, and automatic doors unusable. Prisoners were confined in their cells while MDC technicians struggled to get everything back up and running again.

REvil ransomware crew allegedly busted in Russia, says FSB

nakedsecurity.sophos.com/2022/01/14/revil-ransomware-crew-allegedly-busted-in-russia-says-fsb/ According to the FSB, Russia's Federal Security Bureau, the ransomware gang known in both Russian and English by the nickname REvil has been taken down. The FSB report explicitly mentions that the investigation and the raid were initiated by a request received from US law enforcement, which had apparently identified the REvil ringleader and provided evidence of the gang's involvement in criminal extortion against US victims. Also:

www.bleepingcomputer.com/news/security/russian-government-arrests-revil-ransomware-gang-members/.

therecord.media/fsb-raids-revil-ransomware-gang-members/.

threatpost.com/russian-security-revil-ransomware/177660/.

www.zdnet.com/article/russian-authorities-take-down-revil-ransomware-gang/.

arstechnica.com/information-technology/2022/01/russia-says-it-has-neutralized-the-cutthroat-revil-ransomware-gang/

How to Make the Attack Lifecycle Actionable with Intelligence

www.recordedfuture.com/attack-lifecycle-actionable-intelligence/ The Cyber Attack Lifecycle and Cyber Kill Chain are time and again used as the primary reference for understanding how a cyber attack happens from the perspective of an adversary. However, leveraging them only as educational reference documents doesn't tap into their true power: they are guides to enabling defensive and proactive action against attackers.

The Great Resignation: How to Acquire and Retain Cybersecurity Talent

securityintelligence.com/articles/great-resignation-cybersecurity-talent/ If you've been following reports and whispering with industry colleagues, you know what's going on: the cybersecurity skills gap is difficult to close, and the Great Resignation is here. Before 2021, the skills gap could generally be said to stem from growing threats, workforce/talent availability and worker burnout. But 2021 has turned the world a bit topsy-turvy.

White House reminds tech giants open source is a national security issue

www.bleepingcomputer.com/news/security/white-house-reminds-tech-giants-open-source-is-a-national-security-issue/ The White House wants government and private sector organizations to rally their efforts and resources to secure open-source software and its supply chain after the Log4J vulnerabilities exposed critical infrastructure to threat actors’ attacks. Discussions on this topic took place during the Open Source Software Security Summit convened by the Biden administration on Thursday.

Researcher discloses alleged zero-day vulnerabilities in NUUO NVRmini2 recording device

portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device A critical zero-day vulnerability in network video recording equipment made by NUUO has been made public, as a researcher claims unpatched issues could lead to remote code execution (RCE). Discovered by Agile Information Security founder Pedro Ribeiro, the issues have allegedly been present in the NUUO NVRmini2 device since 2016. NVRmini2 is a network video recorder (NVR) from Taiwanese vendor NUUO that is able to record and store security footage in a digital format.

Husband-Wife Arrested in Ukraine for Ransomware Attacks on Foreign Companies

thehackernews.com/2022/01/husband-wife-arrested-in-ukraine-for.html Ukrainian police authorities have nabbed five members of a gang that's believed to have helped orchestrate attacks against more than 50 companies across Europe and the U.S. and caused losses to the tune of more than $1 million. The special operation, which was carried out with the assistance of law enforcement officials from the U.K. and U.S., saw the arrest of an unnamed 36-year-old individual from the capital city of Kyiv, along with his wife and three other accomplices.

Use of Alternate Data Streams in Research Scans for index.jsp

isc.sans.edu/forums/diary/Use+of+Alternate+Data+Streams+in+Research+Scans+for+indexjsp/28240/ Our network of web application honeypots delivered some odd new URLs in the last 24 hrs. I am not 100% sure what these scans are after, but my best guess right now is that they are attempting to bypass filters using NTFS alternate data streams. The Windows NTFS file system includes the ability to address alternate data streams of a file. This has been documented in the past as a technique to hide data or to bypass URL filters.
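To turn the diary's observation into something a defender can act on, the added example below (not code from the diary or from ISC) normalizes request paths by stripping NTFS stream syntax before filter matching and flags the requests that carried it, run over a few constructed access-log lines. The log format, the sample lines and the client addresses are all assumptions.

```python
import re
from urllib.parse import unquote

# Common (NCSA) access-log line: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# NTFS stream syntax appended to a path segment: "name:stream", "name::$DATA",
# "name:stream:$DATA". Any colon inside a segment is treated as stream syntax,
# since a Windows file name cannot itself contain a colon.
ADS_SEGMENT = re.compile(r'^(?P<base>[^:]*)(?P<stream>:.*)$')


def normalize_path(target: str) -> tuple[str, bool]:
    """Return (path with stream suffixes removed, whether any were present).

    Percent-decoding happens first so an encoded "%3A%3A%24DATA" is handled
    the same as a literal "::$DATA". The query string is dropped.
    """
    path = unquote(target.split("?", 1)[0])
    flagged = False
    segments = []
    for seg in path.split("/"):
        m = ADS_SEGMENT.match(seg)
        if m:
            flagged = True
            seg = m.group("base")
        segments.append(seg)
    return "/".join(segments), flagged


def scan_log(lines):
    """Return (client, raw target, normalized path, status) for each request using stream syntax."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        normalized, flagged = normalize_path(m.group("target"))
        if flagged:
            hits.append((m.group("client"), m.group("target"), normalized, int(m.group("status"))))
    return hits


# Constructed sample log lines, not taken from the honeypot diary.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jan/2022:08:15:02 +0000] "GET /index.jsp::$DATA HTTP/1.1" 404 196',
    '10.0.0.5 - - [14/Jan/2022:08:15:03 +0000] "GET /index.jsp:$INDEX_ALLOCATION HTTP/1.1" 404 196',
    '10.0.0.9 - - [14/Jan/2022:08:16:11 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '10.0.0.7 - - [14/Jan/2022:08:17:40 +0000] "GET /admin/config.jsp%3A%3A%24DATA?x=1 HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for client, raw, norm, status in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {raw!r} -> match filters against {norm!r}")
```

Applying the filter to the normalized path rather than the raw one is what closes the bypass; the flagged list is what goes to the detection side.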

Three Plugins with Same Bug Put 84K WordPress Sites at Risk

threatpost.com/plugins-vulnerability-84k-wordpress-sites/177654/ Researchers have discovered three WordPress plug-ins with the same vulnerability, which allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator, however. On Nov. 5, 2021, the Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers had found in Login/Signup Popup, a WordPress plug-in installed on more than 20,000 sites, Wordfence's Chloe Chamberland wrote in a post published online Thursday.

Defense contractor Hensoldt confirms Lorenz ransomware attack

www.bleepingcomputer.com/news/security/defense-contractor-hensoldt-confirms-lorenz-ransomware-attack/ Hensoldt, a multinational defense contractor headquartered in Germany, has confirmed that some of its UK subsidiary’s systems were compromised in a ransomware attack. The defense multinational develops sensor solutions for defense, aerospace, and security applications, is listed on the Frankfurt Stock Exchange, and had a turnover of 1.2 billion euros in 2020. It operates in the US under a special agreement that allows it to apply for classified and sensitive US government contracts.

Analyzing an Old Bug and Discovering CVE-2021-30995

www.trendmicro.com/en_us/research/22/a/analyzing-an-old-bug-and-discovering-cve-2021-30995-.html On April 26, 2021, Apple patched CVE-2021-1740, a vulnerable function inside the system daemon process cfprefsd (these types of processes usually run in the background and handle system tasks). The bug could have been exploited to read arbitrary files, write arbitrary files, and gain root privilege escalation. It was addressed in Apple's Security Update 2021-002 (Catalina) for a variety of Apple operating systems, including iOS and macOS. However, in early August 2021, Zhipeng Huo, Yuebin Sun, and Chuanda Ding (all from XuanwuLab) presented an exploitation demonstration for the vulnerability during the DEF CON 29 security conference.

Dark web carding platform UniCC shuts up shop after making millions

www.zdnet.com/article/dark-web-carding-platform-unicc-shuts-up-shop-after-making-millions/ One of the largest carding platforms on the Dark Web, UniCC, has announced its "retirement" from the criminal industry. UniCC has been active since 2013. The platform specialized in what is known as "carding": credit card fraud and the sale of stolen details which can then be used to make unauthorized transactions, to clone cards, and to potentially facilitate identity theft. The retirement notice was posted in both Russian and English on a number of dark web forums.

Polish army database leaked to internet, website reports

www.thefirstnews.com/article/polish-army-database-leaked-to-internet-website-reports-27259 A comprehensive list containing over 1.7 million items of equipment and supplies used or requested by the Polish armed forces has been leaked to the internet, the Onet.pl website has reported. Poland's Ministry of National Defence commented on the matter on Friday. "The case is being analysed in detail by our services," the ministry said.
