Daily NCSC-FI news followup 2022-01-28

The Ministry for Foreign Affairs has completed its investigation of the espionage case targeting it

um.fi/ajankohtaista/-/asset_publisher/gc654PySnjTX/content/ulkoministerio-on-saanut-selvitettya-siihen-kohdistuneen-vakoilutapauksen Finnish diplomats have been targeted with cyber espionage using NSO Group's widely publicised Pegasus spyware. It is a highly sophisticated piece of malware that could be delivered to the user's Apple or Android phone without their noticing and without any action on their part. The spyware may have enabled very broad exploitation of the data on the phone and of its features. Also www.hs.fi/kotimaa/art-2000008573488.html

yle.fi/uutiset/3-12292218

www.bleepingcomputer.com/news/security/finnish-diplomats-phones-infected-with-nso-group-pegasus-spyware/

Threat actor of in-Tur-est

www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html Our journey began when hunting for newly registered domains with TLS certificates that use the term qov, spoofing the legitimate term gov. Spoofing the word gov has previously been a favoured technique of several unrelated threat actors, such as Blue Athena (a.k.a. Sofacy, APT28). On 31st January 2021, we observed the subdomain mail[.]mod[.]qov[.]rs being used to phish for Serbian Ministry of Defence credentials. The phishing page shown in Figure 1 when visited not only logged credentials, but logged visits to the phishing page itself.
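The hunt PwC describes, flagging "qov" labels that stand in for "gov" in a feed of newly seen hostnames, can be reproduced with a few lines of Python. The block below is an added example and is not PwC's tooling or code; the domain list is constructed to stand in for what a certificate-transparency or newly-registered-domain feed would return (the first entry is the subdomain named in the article, the rest are made up). It also goes slightly beyond the article by treating a few other single-character look-alikes for the letters g, o and v as spoofs, which is an assumption, not something the article documents.

```python
"""Flag DNS labels that impersonate 'gov' in a list of hostnames.

Added example, not the PwC tooling. The sample feed below is constructed.
"""
import unicodedata

# Constructed sample standing in for a CT-log / new-domain feed.
# mail.mod.qov.rs is the hostname the article names; the rest are invented.
SAMPLE_DOMAINS = [
    "mail.mod.qov.rs",          # 'q' for 'g', the case in the article
    "www.gov.uk",               # legitimate, must not be flagged
    "login.qov.uk",
    "portal.g0v.example",       # digit zero for 'o' (assumed look-alike)
    "mod.gov.rs",               # legitimate, must not be flagged
    "admin.g\u043ev.example",   # Cyrillic small 'о' for 'o' (assumed look-alike)
    "qovernment.example",       # 'qov' embedded in a longer label
    "shop.example.com",
]

# Characters accepted as stand-ins for each letter of 'gov'. 'q' for 'g' is the
# substitution the article documents; the others are assumed common confusables.
CONFUSABLES = {
    "g": {"g", "q", "\u0261"},          # Latin g, q, IPA script g
    "o": {"o", "0", "\u043e"},          # Latin o, digit zero, Cyrillic o
    "v": {"v", "\u03bd"},               # Latin v, Greek nu
}


def normalise_label(label: str) -> str:
    """Lower-case and NFKC-normalise one DNS label (punycode is left as-is)."""
    return unicodedata.normalize("NFKC", label).lower()


def looks_like_gov(label: str) -> bool:
    """True when a 3-character label is built only from confusables of g, o, v
    and is not literally 'gov'."""
    if len(label) != 3 or label == "gov":
        return False
    return all(ch in CONFUSABLES[want] for ch, want in zip(label, "gov"))


def find_gov_spoofs(domains):
    """Return (fqdn, offending_label, label_index, kind) for each hit.

    kind is 'label' for a whole look-alike label (qov, g0v, ...) and
    'embedded' when the literal string 'qov' sits inside a longer label.
    """
    hits = []
    for fqdn in domains:
        labels = [normalise_label(part) for part in fqdn.rstrip(".").split(".")]
        for idx, label in enumerate(labels):
            if looks_like_gov(label):
                hits.append((fqdn, label, idx, "label"))
                break
            if "qov" in label:
                hits.append((fqdn, label, idx, "embedded"))
                break
    return hits


if __name__ == "__main__":
    for fqdn, label, idx, kind in find_gov_spoofs(SAMPLE_DOMAINS):
        print(f"{kind:8s} label #{idx} {label!r:14s} in {fqdn}")
```

The whole-label check deliberately requires an exact three-character match so that ordinary words containing "gov" (such as a legitimate `gov` label itself, or "governor") are not flagged; the separate substring rule catches only the literal "qov" spelling the article reports. Widening `CONFUSABLES` raises recall at the cost of more review work per hit.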

Microsoft Outlook RCE zero-day exploits now selling for $400,000

www.bleepingcomputer.com/news/security/microsoft-outlook-rce-zero-day-exploits-now-selling-for-400-000/ The same conditions apply for the exploit payouts for Mozilla Thunderbird as in the case of Microsoft Outlook. An RCE in an email client would grant attackers access to all available accounts.

Popular apps left biometric data, IDs of millions of users in danger

cybernews.com/security/popular-apps-left-biometric-data-ids-of-millions-of-users-in-danger/ Service providers using Onfido, an identity verification (IDV) service, let a major flaw in their security go unchecked: an exposed admin token that potentially left app users' biometric data accessible. Through this gap, threat actors could have downloaded personally identifiable information (PII), including copies of client-submitted IDs, passports, and driver's licenses.

BlackCat ransomware targeting US, European retail, construction and transportation orgs

www.zdnet.com/article/blackcat-ransomware-targeting-us-european-retail-construction-and-transportation-orgs/ Palo Alto said that as of December 2021, BlackCat has the 7th largest number of victims listed on their leak site among ransomware groups that Unit 42 tracks.

After Russian Arrests, REvil Activity Persists

blog.reversinglabs.com/blog/after-russian-arrests-revil-rolls-on Almost two weeks after Russian authorities orchestrated high profile arrests of cyber criminals affiliated with the notorious ransomware group, there has been little change in the availability of malicious files and implants associated with the group, ReversingLabs data shows. Also

krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/

Finland warns of Facebook accounts hijacked via Messenger phishing

www.bleepingcomputer.com/news/security/finland-warns-of-facebook-accounts-hijacked-via-messenger-phishing/ Finland’s National Cyber Security Centre (NCSC-FI) warns of an ongoing phishing campaign attempting to hijack Facebook accounts by impersonating victims’ friends in Facebook Messenger chats.

Hackers are taking over CEO accounts with rogue OAuth apps

www.bleepingcomputer.com/news/security/hackers-are-taking-over-ceo-accounts-with-rogue-oauth-apps/ Threat analysts have observed a new campaign named OiVaVoii, targeting company executives and general managers with malicious OAuth apps and custom phishing lures sent from hijacked Office 365 accounts.

Pirates now strike at the electronic systems of ships and ports: cyber-pirates can disrupt all of world trade

yle.fi/uutiset/3-12292088 Cyberattacks are a growing threat to international shipping. Behind them are traditional pirates and other criminals, but also states with political objectives.
