Daily NCSC-FI news followup 2022-01-26

Only one in ten Vastaamo victims has given a statement to the police

www.is.fi/digitoday/art-2000008567205.html The time window originally set by the police for hearing Vastaamo victims closes in just under a week. So far, about 3,300 people have filled in the police's electronic hearing form. "That is about 10 percent of what we estimate the number of victims of the crime to be. Rather few statements have been received so far," says the head of the investigation, Detective Chief Inspector Marko Leponen of the KRP (National Bureau of Investigation).

The state IT centre was put through the information security wringer

www.tivi.fi/uutiset/tv/882fbca4-a8a1-45b8-b910-d568522f8e84 The ISO 27001 information security certificate is valid for three years.

Microsoft warns of phishy OAuth apps

blog.malwarebytes.com/privacy-2/2022/01/microsoft-warns-of-phishy-oauth-apps/ Microsoft is warning Office 365 users to watch out for phishy emails asking you to install an app called Upgrade. [..] According to Microsoft Security Intelligence, the campaign has “targeted hundreds of organisations”. The researcher who first brought the bogus app to their attention has discovered another one. This time around, it’s also called “Upgrade” but with a new verified publisher.

Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA

www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/ We have recently uncovered a large-scale, multi-phase campaign that adds a novel technique to traditional phishing tactics by joining an attacker-operated device to an organization’s network to further propagate the campaign. We observed that the second stage of the campaign was successful against victims that did not implement multifactor authentication (MFA), an essential pillar of identity security. Without additional protective measures such as MFA, the attack takes advantage of the concept of bring-your-own-device (BYOD) via the ability to register a device using freshly stolen credentials.

New DeadBolt ransomware targets QNAP devices, asks 50 BTC for master key

www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/ A new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide using what they claim is a zero-day vulnerability in the device’s software. The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension. Source:

www.qnap.com/en/security-news/2022/take-immediate-actions-to-stop-your-nas-from-exposing-to-the-internet-and-fight-against-ransomware-together

Trickbot will now try to crash researcher PCs to stop reverse engineering attempts

www.zdnet.com/article/trickbot-will-now-try-to-crash-researcher-pcs-to-stop-reverse-engineering-attempts/ The Trickbot Trojan has been revised with a new set of anti-reverse engineering features, including the capability to crash computers if analysis tools are detected. [..] The third line of defense, however, is the most interesting update. An anti-debugging script has been added to the code that can trigger a memory overload if a security researcher performs “code beautifying,” a technique used to make large swathes of code more readable and easier to analyze.

White House wants US govt to use a Zero Trust security model

www.bleepingcomputer.com/news/security/white-house-wants-us-govt-to-use-a-zero-trust-security-model/ A newly released Federal strategy wants the US government to adopt a “zero trust” security model within the next two years to defend against current threats and boost cybersecurity defenses across federal agencies. The strategy was released today by the White House’s Office of Management and Budget (OMB), which supervises the implementation of the President’s vision across the US Executive Branch.

New FluBot and TeaBot campaigns target Android devices worldwide

www.bleepingcomputer.com/news/security/new-flubot-and-teabot-campaigns-target-android-devices-worldwide/ New FluBot and TeaBot malware distribution campaigns have been spotted, using typical smishing lures or laced apps against Android users in Australia, Germany, Poland, Spain, and Romania. The SMS topics used for spreading the FluBot malware include fake courier messages, “Is this you in this video?” coaxes, phony browser updates, and fake voicemail notifications.

German govt warns of APT27 hackers backdooring business networks

www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/ The BfV German domestic intelligence service (short for Bundesamt für Verfassungsschutz) warns of ongoing attacks coordinated by the APT27 Chinese-backed hacking group. This active campaign is targeting German commercial organizations, with the attackers using the HyperBro remote access trojan (RAT) to backdoor their networks.

GitHub enables two-factor authentication mechanism through iOS, Android app

www.zdnet.com/article/github-enables-two-factor-authentication-mechanism-through-ios-android-app/ GitHub Mobile 2FA will be available to all GitHub users in the App Store and Play Store this week.

WhatsApp Ordered To Help U.S. Agents Spy On Chinese Phones: No Explanation Required

www.forbes.com/sites/thomasbrewster/2022/01/17/whatsapp-ordered-to-spy-on-chinese-phones-by-america-no-explanation-given/ U.S. federal agencies have been using a 35-year-old American surveillance law to secretly track WhatsApp users with no explanation as to why and without knowing whom they are targeting.

2022.01.25 Issue with TLS-ALPN-01 Validation Method (Let's Encrypt certificates)

community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450 All active certificates that were issued and validated with the TLS-ALPN-01 challenge before 00:48 UTC on 26 January 2022, when our fix was deployed, are considered mis-issued. In compliance with the Let’s Encrypt CP, we have 5 days to revoke and will begin to revoke certificates at 16:00 UTC on 28 January 2022. We estimate <1% of active certificates are affected. Subscribers affected by revocations will receive e-mail notifications if their ACME account contains a valid e-mail address.
