Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-01-16

APT40 is run by the Hainan department of the Chinese Ministry of State Security

intrusiontruth.wordpress.com/2020/01/16/apt40-is-run-by-the-hainan-department-of-the-chinese-ministry-of-state-security/ Either a Hainan intelligence officer has a side-hustle running a business empire of at least 13 fast-growing, high-tech information security companies, and that business empire has a side-hustle recruiting people with knowledge of the languages spoken in APT40 target countries coincidentally in the months preceding APT40 attacks in those countries, and on the same island that we know APT40 runs its operations.. Or, APT40 is run by Ding Xiaoyang, an intelligence officer at the Hainan State Security Department.

CVE-2020-0601 Followup

isc.sans.edu/diary/rss/25714 Among the patches Microsoft released yesterday, the vulnerability in the CryptoAPI got by far the most attention. Here are some answers to questions we have received about this vulnerability. Many of these questions also came from our webcast audience (for a recording, see sans.org/cryptoapi-isc).

Proof-of-concept exploits published for the Microsoft-NSA crypto bug

www.zdnet.com/article/proof-of-concept-exploits-published-for-the-microsoft-nsa-crypto-bug/ Security researchers earlier today published proof-of-concept (PoC) code for exploiting a recently-patched vulnerability in the Windows operating system, a vulnerability that was reported to Microsoft by the US National Security Agency (NSA).. The bug, which some have started calling CurveBall, impacts CryptoAPI (Crypt32.dll), the component that handles cryptographic operations in the Windows OS.

Using CveEventWrite From VBA (CVE-2020-0601)

blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/ Microsoft's patch for CVE-2020-0601 introduces a call to CveEventWrite in CryptoAPI when a faked certificate is detected.. This will write a Windows event entry in the Application event log.

Critical WordPress Bug Leaves 320,000 Sites Open to Attack

threatpost.com/wordpress-bug-leaves-sites-open-to-attack/151911/ Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug that allows adversaries to access a site's backend with no password.


Daily NCSC-FI news followup 2020-01-15

Hainan Xiandun Technology Company is APT40

intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40/ You knew where this was heading.

Facebook to notify users of third-party app logins

www.zdnet.com/article/facebook-to-notify-users-of-third-party-app-logins/ Facebook launched a new feature this week that will notify users whenever they (or somebody else) logs into a third-party app or website using their Facebook account.

Have an iPhone? Use it to protect your Google Account with the Advanced Protection Program

security.googleblog.com/2020/01/have-iphone-use-it-to-protect-your.html Gmail automatically blocks more than 100 million phishing emails every day and warns people that are targeted by government-backed attackers, but you can further strengthen the security of your Google Account by enrolling in the Advanced Protection Program, our strongest security protections that automatically help defend against evolving methods attackers use to gain access to your personal and work Google Accounts and data.


Daily NCSC-FI news followup 2020-01-14

Russians Hacked Ukrainian Gas Company at Center of Impeachment

www.nytimes.com/2020/01/13/us/politics/russian-hackers-burisma-ukraine.html It is not yet clear what the hackers found, or precisely what they were searching for. But the experts say the timing and scale of the attacks suggest that the Russians could be searching for potentially embarrassing material on the Bidens, the same kind of information that Mr. Trump wanted from Ukraine when he pressed for an investigation of the Bidens and Burisma, setting off a chain of events

Who is Mr Ding?

intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding/ We have identified that Professor Gu Jian is connected to the front company Hainan Xiandun and supported some of their activities from his position at Hainan University. But his was more of a supporting role. Who was in charge?

New CrowdStrike Report Finds an Increase in Cyber Adversaries Turning to Business Disruption as Main Attack Objective

www.crowdstrike.com/press-releases/report-finds-business-disruption-is-main-objective-of-adversaries/ CrowdStrike® Inc. (Nasdaq: CRWD), a leader in cloud-delivered endpoint protection, today announced the release of the CrowdStrike Services Cyber Front Lines Report which provides valuable takeaways from the front lines of incident response (IR) cases spanning 2019 and shares insights that matter for 2020 and beyond. The report identifies new attack methods and challenges, while offering

3 Lessons From the Incident Response Tabletops

securityintelligence.com/posts/3-lessons-from-the-incident-response-tabletops/ Here are a few lessons I've learned about incident response from having run tabletop exercises within IBM and alongside our clients.

9 Reasons Why Cybersecurity Stress Is an Industry Epidemic

securityintelligence.com/articles/9-reasons-why-cybersecurity-stress-is-an-industry-epidemic/ Cybersecurity stress is an industrywide epidemic among security professionals. Burnout is a hard conversation, but it's necessary for CISOs to face workplace stress before it compromises productivity, talent retention or individual well-being.

5G Security

www.schneier.com/blog/archives/2020/01/china_isnt_the_.html The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping is also a risk, although efforts to listen in would almost certainly be detectable. More insidious is the

Microsoft Patch Tuesday for January 2020

isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+for+January+2020/25710/ But CVE-2020-0601 isn’t the only vulnerability you should be worried about this month. CVE-2020-0609 and CVE-2020-0610 are fixing remote code execution vulnerabilities in the Windows Remote Desktop Gateway (RD Gateway). Remember BlueKeep? The RD Gateway is used to authenticate users and allow access to internal RDP services. As a result, RD Gateway is often exposed and used to protect the actual RDP servers from exploitation.


Daily NCSC-FI news followup 2020-01-13

Citrix ADC Exploits: Overview of Observed Payloads

isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/ Now that there are public exploits for Citrix ADC, we are seeing many attacks and are observing various payloads. For the moment, after normalization, we observed 37 different payloads

Who else works for this cover company network?

intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network/ In our previous articles we identified a network of front companies for APT activity in Hainan, and showed that Gu Jian, an academic at Hainan University, is listed as a contact person for one of these companies, Hainan Xiandun. Additionally, Gu Jian appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large

Microsoft Enables Security Defaults in Azure Active Directory

www.bleepingcomputer.com/news/microsoft/microsoft-enables-security-defaults-in-azure-active-directory/ Microsoft introduced new secure default settings dubbed ‘Security Defaults’ to Azure Active Directory (Azure AD), now available for all license levels, including trial tenants. Security Defaults in Azure AD is a set of basic Microsoft-recommended identity security mechanisms containing preconfigured security settings for common attacks such as password spray, replay, and phishing.


Daily NCSC-FI news followup 2020-01-11

An Empirical Study of Wireless Carrier Authentication for SIM Swaps

www.issms2fasecure.com/ We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap. We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers. We found 17 websites on which user accounts can be compromised based on a SIM swap alone.

Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers

www.vice.com/en_us/article/5dmbjx/how-hackers-are-breaking-into-att-tmobile-sprint-to-sim-swap-yeh SIM swappers have escalated from bribing employees to using remote desktop software to get direct access to internal T-Mobile, AT&T, and Sprint tools.

Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor

isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/ Late last night, multiple groups released working exploits for the Citrix ADC path traversal flaw. First, “Project Zero India” released a simple exploit essentially consisting of two curl commands [1]. The first one will write a template file that includes a shell command of the user’s choosing. The second curl request will download the result of the command execution. The exploit worked for me, but


Daily NCSC-FI news followup 2020-01-10

Why is a 22GB database containing 56 million US folks’ personal details sitting on the open internet using a Chinese IP address? Seriously, why?

www.theregister.co.uk/2020/01/09/checkpeoplecom_data_exposed/ The information silo appears to belong to Florida-based CheckPeople.com, which is a typical people-finder website: for a fee, you can enter someone’s name, and it will look up their current and past addresses, phone numbers, email addresses, names of relatives, and even criminal records in some cases, all presumably gathered from public records.

PHA Family Highlights: Bread (and Friends)

security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html In this edition of our PHA Family Highlights series we introduce Bread, a large-scale billing fraud family. We first started tracking Bread (also known as Joker) in early 2017, identifying apps designed solely for SMS fraud. As the Play Store has introduced new policies and Google Play Protect has scaled defenses, Bread apps were forced to continually iterate to search for gaps. They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere. In this post, we show how Google Play Protect has defended against a well organized, persistent attacker and share examples of their techniques.

The state is stirring up the authentication market: "far too early for a new system"

www.tivi.fi/uutiset/tv/4f86b33c-07e6-4732-a165-e940ac38d0a5 The state is planning a new kind of mobile identity card for Finland. It would be a mobile application that could be used for identity verification and electronic identification. Tivi first reported on the matter online in the autumn.

Senator unveils bill to stop the US from sharing intel with countries using Huawei 5G

www.zdnet.com/article/senator-unveils-bill-to-stop-the-us-from-sharing-intel-with-countries-using-huawei-5g/#ftag=RSSbaffb68 Sen. Tom Cotton, R-Ark., introduced legislation this week that would prohibit the US from sharing intelligence with any country allowing Huawei to operate 5G technologies within its borders. If such legislation passed, it would have a major impact on US foreign policy, as well as business for the Chinese telecom giant.

SHA-1 chosen prefix collisions and DNSSEC

www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html On the 7th January, a new, more flexible and efficient collision attack against SHA-1 was announced: SHA-1 is a shambles. SHA-1 is deprecated but still used in DNSSEC, and this collision attack means that some attacks against DNSSEC are now merely logistically challenging rather than being cryptographically infeasible.

50+ orgs ask Google to take a stance against Android bloatware

www.zdnet.com/article/50-orgs-ask-google-to-take-a-stance-against-android-bloatware/#ftag=RSSbaffb68 In an open letter published yesterday, more than 50 organizations have asked Google to take action against Android smartphone vendors who ship devices with unremovable pre-installed apps, also known as bloatware.

Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641

googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-1.html This is the first blog post in a three-part series that will detail how a vulnerability in iMessage can be exploited remotely without any user interaction on iOS 12.4 (fixed in iOS 12.4.1 in August 2019). It is essentially a more detailed version of my 36C3 talk from December 2019.

AT&T Alien Labs analysis of an active cryptomining worm

cybersecurity.att.com/blogs/labs-research/att-alien-labs-analysis-of-an-active-cryptomining-worm#When:14:00:00Z This blog post provides an overview of the AT&T Alien Labs technical analysis of the common malicious implants used by threat actors targeting vulnerable Exim, Confluence, and WebLogic servers. Upon exploitation, malicious implants are deployed on the compromised machine. While most of the attacks described below are historical, we at Alien Labs are continuing to see new attacks

The Bug That Exposed Your PayPal Password

medium.com/@alex.birsan/the-bug-that-exposed-your-paypal-password-539fc2896da9 This is the story of a high-severity bug affecting what is probably one of PayPal's most visited pages: the login form.

Who is Mr Gu?

intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu/ In our previous articles we identified thirteen companies that this blog knows are a front for APT activity in Hainan. Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!


Daily NCSC-FI news followup 2020-01-09

Another network outage at Satasairaala, the fault worse than thought; problems in basic social services too

yle.fi/uutiset/3-11149405 The outage began on Thursday morning and lasted about 20 minutes. According to Satasairaala's CIO Leena Ollonqvist, the hospital's IT department was running a test intended to prevent a repeat of last week's outage. The test caused a loop similar to last week's.

A lazy fix 20 years ago means the Y2K bug is taking down computers now

www.newscientist.com/article/2229238-a-lazy-fix-20-years-ago-means-the-y2k-bug-is-taking-down-computers-now/ Programmers wanting to avoid the Y2K bug had two broad options: entirely rewrite their code, or adopt a quick fix called windowing, which would treat all dates from 00 to 20 as from the 2000s, rather than the 1900s. An estimated 80 per cent of computers fixed in 1999 used the quicker, cheaper option.. Another piece of software, Splunk, which ironically looks for errors in computer systems, was found to be vulnerable to the Y2020 bug in November. The company rolled out a fix the same week to its users, which include 92 of the Fortune 100, the top 100 companies in the US.

2020: The Vulnerability Fujiwhara Effect Oracle and Microsoft Collide

www.riskbasedsecurity.com/2020/01/08/2020-the-vulnerability-fujiwhara-effect-oracle-and-microsoft-collide/ On the surface this may seem like a positive thing, and is certainly an improvement on uncoordinated disclosures (still referred to as irresponsible disclosure by many vendors and described as a situation that hurts customers). But as more vendors have gravitated towards releasing on Patch Tuesday, organizations are now being subjected to the routine updates of six vendors on the same day, with the possibility of an additional seven. This is in stark contrast to the normal day of vulnerability disclosures.. It can't be ignored that there is a clear and substantial risk to organizations that do not have the necessary vulnerability intelligence and processes in place to enable the handling of the large volume of vulnerabilities being disclosed.

Yle: Scam text messages in the name of the Finnish Defence Forces call recipients up for service, posting location Iran

www.is.fi/digitoday/art-2000006367124.html?ref=rss Text messages are being sent in the name of the Finnish Defence Forces urging recipients to report for service because of the tense situation in the Middle East. The message tells recipients to bring only a passport and gives Iran as the posting location, Yle reports.

All of Thursday's cataract surgeries at Satasairaala cancelled

www.satakunnankansa.fi/a/6e3dc9f0-c603-49d0-863c-0f7e6386f42a?c=1528874183846

The extensive network outage plaguing Satasairaala is over; worse than last week's, it also shut down the telephone exchange and the region's patient information systems

www.satakunnankansa.fi/a/09bf62bc-d88e-4aa4-a851-494e71190986 According to Leena Ollonqvist, CIO of the Satakunta Hospital District, the network outage that plagued Satasairaala, and with it the whole region, on Thursday has been fixed.. Satasairaala had a severe network outage from the morning onwards, because of which the hospital's telephone exchange did not work and the region's patient information systems could not be accessed.. A similar network outage occurred at Satasairaala last Monday.. Back then the network went down when the network cable of a computer moved to a new location was plugged into the wrong switch, creating an endless loop that eventually overloaded the network.. This time the overload arose when the hospital district's IT supplier was running tests on the network to prevent a repeat of last week's overload.. The outage caused by Thursday's misconnection was nevertheless worse than last week's, as it also brought down servers in the hospital's data centre.

cablehaunt.com/ Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. The vulnerability enables remote attackers to gain complete control of a cable modem, through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participate in botnets.. […] Once the websocket has been reached, the buffer overflow vulnerability can be exploited. The websocket requests are given as JSON. The parser which interprets this JSON request will copy the input parameters to a buffer, regardless of length, allowing values on the stack to be overwritten. Among these values are saved registers, such as the program counter and return address. With a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker.

SAIGON, the Mysterious Ursnif Fork

www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html Ursnif (aka Gozi/Gozi-ISFB) is one of the oldest banking malware families still in active distribution. While the first major version of Ursnif was identified in 2006, several subsequent versions have been released in large part due to source code leaks. FireEye reported on a previously unidentified variant of the Ursnif malware family to our threat intelligence subscribers in September 2019 after identification of a server that hosted a collection of tools, which included multiple point-of-sale malware families. This malware self-identified as “SaiGon version 3.50 rev 132,” and our analysis suggests it is likely based on the source code of the v3 (RM3) variant of Ursnif. Notably, rather than being a full-fledged banking malware, SAIGON’s capabilities suggest it is a more generic backdoor, perhaps tailored for use in targeted cybercrime operations.

U.S. Funds Free Android Phones For The Poor But With Permanent Chinese Malware

www.forbes.com/sites/thomasbrewster/2020/01/09/us-funds-free-android-phones-for-the-poor—but-with-permanent-chinese-malware/#3e52a6faabab For years, low-income households have been able to get cheap cell service and even free smartphones via the U.S. government-funded Lifeline Assistance program. One provider, Assurance Wireless, offers a free Android device along with free data, texts and minutes.. It all sounds ideal for those who don't have the money to splash on fancy Apple or Google phones. But according to security researchers, there's a catch: the Android phones come with preinstalled Chinese malware, which effectively opens up a backdoor onto the device and endangers their private data. One of the malware types is impossible to remove, according to the researchers.. Original at blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/

Texas Department of Agriculture website features pro-Iran image after cyberattack

thehill.com/policy/cybersecurity/477408-texas-department-of-agriculture-website-featured-pro-iran-image-after The website's homepage was replaced and instead featured a picture of Soleimani with white imagery over a black background and text that read, "hacked by Iranian Hacker", according to KXAN. State and federal officials are investigating the incident, which came after Tehran vowed to retaliate for Soleimani's death.

medium.com/mitre-attack/launching-attack-for-ics-2be4d2fb9b8 It's straightforward enough to categorize the initial stages of these attacks using tactics and techniques from the Enterprise knowledge base. Adversary behavior in the later stages of these attacks, however, is not specifically addressed by ATT&CK for Enterprise. The adversary's targets, technical goals, and techniques significantly differ between the Enterprise and ICS domains. For example, Industroyer has the capability to issue Unauthorized Command Messages to change the state of electrical substation switches and circuit breakers directly. This activity is out of scope for ATT&CK for Enterprise but is now represented as T855 in ATT&CK for ICS.. Framework at collaborate.mitre.org/attackics/index.php/Main_Page

From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications

securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/ The current version in the wild is v4, which also threatens victimized organizations that their data will be leaked online if they do not pay, but can it follow through? MegaCortex itself does not feature that sort of functionality and, even if it did, loading massive amounts of company data and attempting to exfiltrate it would either make too much noise on the network and be discovered, or take very long to exfiltrate slowly.

What the continued escalation of tensions in the Middle East means for security

blog.talosintelligence.com/2020/01/mideast-tensions-preparations.html APT33/34 actors have not only attacked traditional targets for espionage but have shown an interest in attacking critical infrastructure with the dam attack and have shown a willingness to be destructive in their activities. Actors in the region have also shown a willingness to attack some of the critical components of the internet, most notably DNS. These things combined make for a dangerous adversary that is operating during heightened tensions. As such we are providing a list of the ways that we cover these various attacks and a series of IOCs for organizations to be aware of.

WannaCry Virus Was the Most Common Crypto Ransomware Attack in 2019

www.precisesecurity.com/articles/wannacry-virus-was-the-most-common-crypto-ransomware-attack-in-2019/ As one of the biggest malware threats, ransomware continues to disturb the business operations and daily lives of internet users all over the world. According to PreciseSecurity.com research, 23.56 % of all encryption ransomware attacks during 2019 had encountered the WannaCry virus, making it the most ordinary type of hack in the last year.. The 2019 data show that phishing scams were the most common cause of ransomware infection globally during the last year. More than 67% of MSP users reported ransomware attacks caused by spam and phishing emails

What is the Hainan Xiandun Technology Development Company?

intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company/ APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer. We know that multiple areas of China each have their own APT.. After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.. […] In summary, we have multiple companies with identical descriptions and job adverts, overlapping contact details and office locations, but different names, recruiting for offensive hacking skills. Like Boyusec, Huaying Haitai, Antorsoft, and others, these companies have very little presence on the Internet outside of these adverts.

4 Ring Employees Fired For Spying on Customers

threatpost.com/four-ring-employees-fired-spying/151689/ The disclosure comes in a recent letter to senators (in response to a November inquiry into the company's data policies) from Amazon-owned Ring as it attempts to defend the privacy of its platform (which has been plagued by data privacy incidents over the past year). In the letter, Ring said that the four former employees were authorized to view video data, but their attempted access to the data exceeded what was necessary for their job functions.

The State of Threats to Electric Entities in North America

dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/ Today Dragos released a new report: The North American Electric Cyber Threat Perspective. The information in this report is based on Dragos ICS-specific threat intelligence, global Platform telemetry, and service engagements and provides an overview of threats to electric and other critical infrastructure sectors in North America.. Additionally, supply chain and third-party compromise remain a real and present risk and a significant threat to this sector, in addition to adversaries exploiting remote connectivity services used by organizations like vendors or contractors. PARISITE, for instance, a new activity group Dragos identified in 2019, largely focuses on exploiting vulnerabilities in virtual private network (VPN) appliances to gain initial access to target ICS networks.. Report at dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf. Also www.wired.com/story/iran-apt33-us-electric-grid/

New Iranian data wiper malware hits Bapco, Bahrain’s national oil company

www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/#ftag=RSSbaffb68 Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain’s national oil company, ZDNet has learned from multiple sources.. The incident took place on December 29. The attack did not have the long-lasting effect hackers might have wanted, as only a portion of Bapco’s computer fleet was impacted, with the company continuing to operate after the malware’s detonation.. Although the Bapco incident doesn’t appear to be connected to the current US-Iranian political tensions, it does come to show Iran’s advanced technical capabilities when it comes to launching destructive cyber-attacks. Some said hackers exploited a vulnerability in Pulse Secure servers, while others pointed the finger at Fortinet VPN servers.

Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another

www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/ In a conversation with BleepingComputer, the Sodinokibi Ransomware actors state that they were demanding a $3 million ransom or they would release the data containing “DOB SSN CC and other”. According to the BBC, this ransom was later changed to $6 million, which BleepingComputer has not been able to independently confirm.

Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy PowerTrick Backdoor for High-Value Targets

labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/ Their offensive tooling such as PowerTrick is flexible and effective, which allows the TrickBot cybercrime actors to leverage it to augment on the fly and stay stealthy as opposed to using larger, more open source systems such as PowerShell Empire.

Dixons fined £500,000 by ICO for crap security that exposed 5.6 million customers’ payment cards

www.theregister.co.uk/2020/01/09/dixons_store_group_fined_500000_by_ico_for_crap_security_that_exposed_56_millino_customers_payment_cards/ The fine is the maximum the ICO could levy under the previous data laws, but had it occurred following the roll-out of GDPR legislation Dixons may have found itself slapped with a bigger fine, he added.

Senators Prod FCC to Act on SIM Swapping

krebsonsecurity.com/2020/01/senators-prod-fcc-to-act-on-sim-swapping/ On Thursday, a half-dozen Democrats in the Senate sent a letter to FCC Chairman Ajit Pai, asking the agency to require the carriers to offer more protections for consumers against unauthorized SIM swaps.


Daily NCSC-FI news followup 2020-01-08

No, the US Army isn't drafting you for WWIII by text message

www.theverge.com/2020/1/7/21055797/us-army-draft-ww3-scam-text-message-fake On Tuesday, the Army put out a news bulletin alerting the public of fraudulent text messages from people claiming to be recruiters. Some texts tell the person receiving them to head to their local recruiting office for immediate departure to Iran. Others expand on that message, saying that if the person doesn't respond, they'll be fined and sent to jail for a minimum of 6 years.

Tik or Tok? Is TikTok secure enough?

research.checkpoint.com/2020/tik-or-tok-is-tiktok-secure-enough/ In the recent months, Check Point Research teams discovered multiple vulnerabilities within the TikTok application. The vulnerabilities described in this research allow attackers to do the following: get hold of TikTok accounts and manipulate their content, delete videos, upload unauthorized videos, make private hidden videos public, reveal personal information saved on the account such as private email addresses. Also www.theregister.co.uk/2020/01/08/tiktok_vulns_/ and www.bbc.com/news/technology-51010408

Tricky Phish Angles for Persistence, Not Passwords

krebsonsecurity.com/2020/01/tricky-phish-angles-for-persistence-not-passwords/ As we can see from the URL in the image directly above, the link tells Microsoft to forward the authorization token produced by a successful login to the domain officesuited[.]com. From there, the user will be presented with a prompt that says an app is requesting permissions to read your email, contacts, OneNote notebooks, access your files, read/write to your mailbox settings, sign you in, read your profile, and maintain access to that data.. […] this phishing tactic is worth highlighting because recent examples of it received relatively little press coverage. Expecting swift action from Microsoft might not be ideal: From my testing, Microsoft appears to have disabled the malicious app being served from officesuited[.]com sometime around Dec. 19, roughly one week after it went live.

Naive IoT botnet wastes its time mining cryptocurrency

www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/ Security researchers from Romanian antivirus vendor Bitdefender have discovered a botnet that infects home routers and other Internet of Things (IoT) smart devices and then attempts to mine for cryptocurrency. This marks the third such IoT botnet that wastes its time by attempting to mine cryptocurrency on devices that clearly don't support these types of operations. Original at

labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/

Las Vegas Suffers Cyber-Attack

www.infosecurity-magazine.com/news/las-vegas-suffers-cyber-attack/ City spokesperson David Riggleman said that it was likely that the threat actors gained access to the city’s network via a malicious email.

MP Says Austria Unprepared After Cyberattack on Foreign Ministry

www.bleepingcomputer.com/news/security/mp-says-austria-unprepared-after-cyberattack-on-foreign-ministry/ "The recent and ongoing hacker attack on the Foreign Ministry clearly shows how important cyber defense is and how little Austria is apparently prepared to ward off cyberattacks," Austrian Parliament lower house member Robert Laimer said in a statement. Laimer, SPÖ's (Social Democratic Party of Austria) regional defense spokesman, also added that Austria's Armed Forces should receive funding for cybersecurity training courses.

ATM skimmer sentenced for fleecing $400,000 out of US banks

www.zdnet.com/article/atm-skimmer-sentenced-for-fleecing-400000-out-of-new-jersey-banks/ A member of an ATM skimming ring has landed in jail after participating in a criminal scheme that netted $400,000 from banks across Massachusetts, New York, and New Jersey. Between August 2014 and November 2016, Rusu and other members of the group compromised ATMs across the US, targeting a variety of banks and areas.

Medical Info of Roughly 50K Exposed in Minnesota Hospital Breach

www.bleepingcomputer.com/news/security/medical-info-of-roughly-50k-exposed-in-minnesota-hospital-breach/ The personal and medical information of 49,351 patients was exposed following a security incident involving two employees’ email accounts as disclosed by Minnesota-based Alomere Health.

SNAKE Ransomware Is the Next Threat Targeting Business Networks

www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/ When started, Snake will remove the computer's Shadow Volume Copies and then kill numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more.

Disinformation For Hire: How A New Breed Of PR Firms Is Selling Lies Online

www.buzzfeednews.com/article/craigsilverman/disinformation-for-hire-black-pr-firms One firm promised to "use every tool and take every advantage available in order to change reality according to our client's wishes." The emergence of black PR firms means investigators at platforms, security firms, and within the intelligence community are spending increasing amounts of time looking at the disinformation-for-hire services that are out there, said Otis.

Operation AppleJeus Sequel

securelist.com/operation-applejeus-sequel/95596/ The actor altered their macOS and Windows malware considerably, adding an authentication mechanism in the macOS downloader and changing the macOS development framework. The binary infection procedure in the Windows system differed from the previous case. They also changed the final Windows payload significantly from the well-known Fallchill malware used in the previous attack. We believe the Lazarus group's continuous attacks for financial gain are unlikely to stop anytime soon.

INTERPOL-led action takes aim at cryptojacking in Southeast Asia

www.interpol.int/en/News-and-Events/News/2020/INTERPOL-led-action-takes-aim-at-cryptojacking-in-Southeast-Asia During the five months of the operation, cybercrime investigators and experts from police and national Computer Emergency Response Teams (CERTs) across the 10 ASEAN countries (Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam) worked together to locate the infected routers, alert the victims and patch the devices so they were no longer under the control of the cybercriminals. INTERPOL's ASEAN Desk facilitated the exchange of information and follow-up actions amongst the countries involved. When the operation concluded in late November, the number of infected devices had been reduced by 78 per cent. Efforts to remove the infections from the remaining devices continue.

Policy and Disclosure: 2020 Edition

googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html For vulnerabilities reported starting January 1, 2020, we are changing our Disclosure Policy: Full 90 days by default, regardless of when the bug is fixed. The full 90 day window is available to perform root cause and variant analysis. We expect to see iterative and more thorough patching from vendors, removing opportunities that attackers currently have to make minor changes to their exploits and revive their zero-day exploits. We're also being explicit on improving patch adoption, since we're incentivising that vendors should be able to offer updates and encourage installation to a large population within 90 days. Also

www.theregister.co.uk/2020/01/07/google_project_zero/


Daily NCSC-FI news followup 2020-01-07

Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad

www.us-cert.gov/ncas/alerts/aa20-006a The Cybersecurity and Infrastructure Security Agency (CISA) is sharing the following information with the cybersecurity community as a primer for assisting in the protection of our Nation's critical infrastructure in light of the current tensions between the Islamic Republic of Iran and the United States and Iran's historic use of cyber offensive activities to retaliate against perceived harm.

SHA-1 is a Shambles

sha-mbles.github.io/ We have computed the very first chosen-prefix collision for SHA-1. In a nutshell, this means a complete and practical break of the SHA-1 hash function, with dangerous practical implications if you are still using this hash function. To put it in another way: all attacks that are practical on MD5 are now also practical on SHA-1. Check our paper here for more details. Paper at eprint.iacr.org/2020/014.pdf

I’m the queen of Gibraltar and will never get a traffic ticket… just two of the things anyone could have written into country’s laws thanks to unsanitised SQL input vuln

www.theregister.co.uk/2020/01/07/gibraltar_sql_vuln_allowed_law_editing/ A malicious person using the information exposed by the government website could have deleted and uploaded PDF files to the official online repository of Gibraltar’s laws.

Wheelie bad end to 2019 for Canyon Bicycles as hackers puncture IT systems

www.theregister.co.uk/2020/01/07/hackers_canyon_bicycles/ German cycle-maker Canyon Bicycles GmbH has confirmed it was the victim of a security break-in over the holiday period that has all the hallmarks of a ransomware attack, with parts of the infrastructure padlocked by the perpetrators.

Only 9.27% of all npm developers use 2FA

www.zdnet.com/article/only-9-27-of-all-npm-developers-use-2fa/#ftag=RSSbaffb68 Only 9.27% of all maintainers of npm JavaScript libraries use two-factor authentication to protect their accounts. The number is incredibly low and a major issue of concern for the npm security team, who'd like to see this figure grow in the coming year.

Microsoft Phishing Scam Exploits Iran Cyberattack Scare

www.bleepingcomputer.com/news/security/microsoft-phishing-scam-exploits-iran-cyberattack-scare/ An attacker is attempting to take advantage of the recent warnings about possible Iranian cyberattacks by using it as a theme for a phishing attack that tries to collect Microsoft login credentials.

UK man sentenced to prison for hacking and spying on victims through their webcams

www.zdnet.com/article/uk-man-sentenced-to-prison-for-hacking-and-spying-on-victims-through-their-webcams/#ftag=RSSbaffb68 A UK man was sentenced this week to two years in prison for infecting at least three female victims with malware and then watching and recording victims via their webcams.

A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability)

isc.sans.edu/forums/diary/A+Quick+Update+on+Scanning+for+CVE201919781+Citrix+ADC+Gateway+Vulnerability/25686/ For the last week, I have been monitoring our honeypot logs for evidence of exploits taking advantage of CVE-2019-19781. Currently, I have not seen an actual "exploit" being used. But there is some evidence that people are scanning for vulnerable systems. Based on some of the errors made with these scans, I would not consider them "sophisticated." There is luckily still no public exploit I am aware of. But other sources I consider credible have indicated that they were able to create a code execution exploit.
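
The scanning the diary describes shows up in web server logs as requests that reach the /vpns/ tree through a parent-directory traversal, which is exactly the shape Citrix's published responder-policy mitigation matches and rejects with a 403. The following is an added example, not code from the diary or from Citrix: a small detector over Common Log Format lines that percent-decodes each path (twice, to catch double encoding) and flags the traversal pattern. The log lines are constructed for this example and are not the ISC honeypot data; the specific file paths in them are illustrative.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format sample (not from the ISC honeypot).
# Lines 2-4 carry the traversal in plain, %2e-encoded and %2F-encoded forms.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234
203.0.113.11 - - [07/Jan/2020:10:01:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 5678
203.0.113.12 - - [07/Jan/2020:10:01:09 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
203.0.113.13 - - [07/Jan/2020:10:02:00 +0000] "GET /vpn/..%2Fvpns/ HTTP/1.1" 404 0
203.0.113.14 - - [07/Jan/2020:10:02:30 +0000] "POST /vpn/index.html HTTP/1.1" 302 0
"""

# client, ident, user, [timestamp], "METHOD path proto", status
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_citrix_traversal(path):
    """True when the request path reaches /vpns/ via a /../ traversal once
    percent-encoding is removed. Decoding twice catches %252e-style double
    encoding; lower-casing catches mixed-case variants."""
    decoded = unquote(unquote(path)).lower()
    return "/vpns/" in decoded and "/../" in decoded


def find_citrix_scans(log_text):
    """Return one record per matching request, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                      # not a CLF line; skip quietly
        ip, ts, method, path, status = m.groups()
        if is_citrix_traversal(path):
            hits.append({"ip": ip, "time": ts, "method": method,
                         "path": path, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_citrix_scans(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

The status code is the part to read carefully: a 403 on such a request is what the Citrix mitigation returns, while a 200 means the traversal was served and the appliance is neither patched nor mitigated.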

Facebook: We’ll ban deepfakes but only if they break these rules

www.zdnet.com/article/facebook-well-ban-deepfakes-but-only-if-they-break-these-rules/ Facebook says it will take down a video if it has been "edited or synthesized beyond adjustments for clarity or quality in ways that aren't apparent to an average person and would likely mislead someone into thinking that a subject of the video said words that they did not actually say". However, it will still allow content that is "parody or satire" or video that has been edited only to omit or change the order of words. "If a photo or video is rated false or partly false by a fact-checker, we significantly reduce its distribution in News Feed and reject it if it's being run as an ad. And critically, people who see it, try to share it, or have already shared it, will see warnings alerting them that it's false," said Bickert.

Half of the websites using WebAssembly use it for malicious purposes

www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes/ Around half of the websites that use WebAssembly, a new web technology, use it for malicious purposes, according to academic research published last year. Paper at

www.sec.cs.tu-bs.de/pubs/2019a-dimva.pdf The first category was WebAssembly code used for cryptocurrency mining. These types of Wasm modules were often found on hacked sites, as part of so-called cryptojacking (drive-by mining) attacks. The second category referred to WebAssembly code packed inside obfuscated Wasm modules that intentionally hid their content. These modules, the research team said, were found as part of malvertising campaigns.

Automotive cybersecurity incidents doubled in 2019, up 605% since 2016

www.helpnetsecurity.com/2020/01/06/automotive-cybersecurity-incidents/ Upstream Security's 2020 Automotive Cybersecurity Report shares in-depth insights and statistics gleaned from analyzing 367 publicly reported automotive cyber incidents spanning the past decade, highlighting vulnerabilities and insights identified during 2019.

Fresh Cambridge Analytica leak shows global manipulation is out of control

www.theguardian.com/uk-news/2020/jan/04/cambridge-analytica-data-leak-global-election-manipulation The release of documents began on New Year's Day on an anonymous Twitter account, @HindsightFiles, with links to material on elections in Malaysia, Kenya and Brazil. The documents were revealed to have come from Brittany Kaiser, an ex-Cambridge Analytica employee turned whistleblower, and to be the same ones subpoenaed by Robert Mueller's investigation into Russian interference in the 2016 presidential election.

A retrospective on the first two decades of control system cyber security: culture issues still prevent successfully securing control systems

www.controlglobal.com/blogs/unfettered/a-retrospective-on-the-first-two-decades-of-control-system-cyber-security-culture-issues-still-prevent-successfully-securing-control-systems/ Control system cyber security was, and should be, about protecting the control system process. That is, keeping lights on, water flowing, pipelines from rupturing, etc. We're now at the end of the second decade of control system cyber security and it has changed from protecting the process to protecting the networks – they are not the same.

The Global Disinformation Order – 2019 Global Inventory of Organised Social Media Manipulation

comprop.oii.ox.ac.uk/wp-content/uploads/sites/93/2019/09/CyberTroop-Report19.pdf Over the past three years, we have monitored the global organization of social media manipulation by governments and political parties. Our 2019 report analyses the trends of computational propaganda and the evolving tools, capacities, strategies, and resources.


Daily NCSC-FI news followup 2020-01-06

The Hidden Cost of Ransomware: Wholesale Password Theft

krebsonsecurity.com/2020/01/the-hidden-cost-of-ransomware-wholesale-password-theft/ Moral of the story: Companies that experience a ransomware attack, or for that matter any type of equally invasive malware infestation, should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed. Out of an abundance of caution, this process should be done from a pristine (preferably non-Windows-based) system that does not reside within the network compromised by the attackers. In addition, full use should be made of the strongest method available for securing these passwords with multi-factor authentication.

Google Reinstates Reported UAE Surveillance App ToTok

www.vice.com/en_us/article/dyg8qv/google-reinstates-reported-uae-surveillance-app-totok The version of ToTok on the Play Store is an updated version. Under a “what’s new” section, the ToTok app page reads “There is a newly designed dialog to ask your authorization of accessing and syncing your contact list.” When Google originally removed the app, it told the New York Times ToTok had violated unspecified policies.

Irans Cyber Attack on Billionaire Adelson Provides Lesson on Strategy

www.bloomberg.com/news/articles/2020-01-05/iranian-attack-on-adelson-provides-lesson-on-cyber-strategy As the U.S. awaits possible retribution over a recent airstrike that killed a top general, there's at least one American businessman who can attest, in detail, to what happened after he provoked Iran. […] in February 2014, hackers inserted malware into the computer networks of Adelson's Las Vegas casino. The withering cyber-attack laid waste to about three quarters of the company's Las Vegas servers; recovering data and building new systems cost $40 million or more.

VPN warning: REvil ransomware targets unpatched Pulse Secure VPN servers

www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/#ftag=RSSbaffb68 A security researcher is urging organizations that use Pulse Secure VPN to patch now or face ‘big game’ ransomware attacks by criminals who can easily use the Shodan.io IoT search engine to identify vulnerable VPN servers.

GoPro Karma drones grounded worldwide, thanks to possible GPS glitch

www.theverge.com/2020/1/5/21050653/gopro-karma-drone-not-flying-gps-compass-problem-glitch-grounded Owners of the GoPro Karma have been unable to fly their drones since the new year began, according to dozens of forum posts and tweets. The problem is affecting owners all around the globe, and it seems to be related to the recent so-called clock rollovers in the GPS and GLONASS satellite systems. While most tech companies tried to avert problems with the rollovers by issuing software updates over the last few months, GoPro has not updated the Karma since September 2018, nine months after it discontinued the drone.

Tridium Niagara Vulnerabilities

www.wilbursecurity.com/2020/01/tridium-niagara-vulnerabilities/ These vulnerabilities have been out there for years and need to be remediated ASAP. If you think you might have been hacked or are hacked, reach out to an Incident Response company to comb through the environment. If your company is having these devices installed, ask the installer what their security requirements are; show them the hardening guide on how it's supposed to be done. We need to change the mindset of these companies and installers, to think about the security impact of these devices. Together change happens.

Microsoft: RDP brute-force attacks last 2-3 days on average

www.zdnet.com/article/microsoft-rdp-brute-force-attacks-last-2-3-days-on-average/ Around 0.08% of RDP brute-force attacks are successful, and RDP brute-force attacks last 2-3 days on average, Microsoft said last month while presenting the results of a months-long study into the impact of RDP brute-force attacks on the enterprise sector. Original at

www.microsoft.com/security/blog/2019/12/18/data-science-for-cybersecurity-a-probabilistic-time-series-model-for-detecting-rdp-inbound-brute-force-attacks/
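
Microsoft's study fits a probabilistic time-series model to logon telemetry; the following added example is not that model and not Microsoft's code, but a deliberately simple sliding-window heuristic over the same raw signal (Windows Security events 4625 failed logon and 4624 successful logon, restricted to LogonType 10, RemoteInteractive, i.e. RDP) that shows the two things a responder wants separated: sources that are brute-forcing, and the rare source whose burst is followed by a success. The events, the five-failures-per-hour threshold and the field layout are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, reduced to the fields the
# heuristic needs: (timestamp, EventID, source IP, account, LogonType).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = [
    # password spray from one source that eventually gets in
    ("2020-01-06T02:00:00", 4625, "198.51.100.7", "administrator", 10),
    ("2020-01-06T02:00:11", 4625, "198.51.100.7", "admin", 10),
    ("2020-01-06T02:00:25", 4625, "198.51.100.7", "user", 10),
    ("2020-01-06T02:00:40", 4625, "198.51.100.7", "test", 10),
    ("2020-01-06T02:01:02", 4625, "198.51.100.7", "backup", 10),
    ("2020-01-06T02:01:30", 4625, "198.51.100.7", "admin", 10),
    ("2020-01-06T02:03:00", 4624, "198.51.100.7", "admin", 10),
    # brute force against one account that does not succeed
    ("2020-01-06T03:10:00", 4625, "198.51.100.8", "administrator", 10),
    ("2020-01-06T03:10:05", 4625, "198.51.100.8", "administrator", 10),
    ("2020-01-06T03:10:09", 4625, "198.51.100.8", "administrator", 10),
    ("2020-01-06T03:10:14", 4625, "198.51.100.8", "administrator", 10),
    ("2020-01-06T03:10:20", 4625, "198.51.100.8", "administrator", 10),
    ("2020-01-06T03:10:27", 4625, "198.51.100.8", "administrator", 10),
    ("2020-01-06T03:10:33", 4625, "198.51.100.8", "administrator", 10),
    ("2020-01-06T03:10:40", 4625, "198.51.100.8", "administrator", 10),
    ("2020-01-06T03:11:00", 4625, "198.51.100.8", "administrator", 3),  # network logon, not RDP
    # a user mistyping a password twice, then logging in normally
    ("2020-01-06T09:00:00", 4625, "192.0.2.20", "jsmith", 10),
    ("2020-01-06T09:00:30", 4625, "192.0.2.20", "jsmith", 10),
    ("2020-01-06T09:00:45", 4624, "192.0.2.20", "jsmith", 10),
]

RDP_LOGON_TYPE = 10


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(hours=1)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` RDP logon failures inside any `window`. The finding records
    whether an RDP success from the same source follows the first burst,
    which is the case worth paging someone for."""
    events = sorted(events, key=lambda e: e[0])
    failures = defaultdict(list)    # src -> [datetime of 4625]
    users = defaultdict(set)        # src -> accounts tried
    successes = defaultdict(list)   # src -> [datetime of 4624]
    for ts, event_id, src, user, logon_type in events:
        if logon_type != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append(t)
            users[src].add(user)
        elif event_id == 4624:
            successes[src].append(t)

    findings = {}
    for src, times in failures.items():
        burst_at, lo = None, 0
        for hi, t in enumerate(times):          # two-pointer sliding window
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst_at = t
                break
        if burst_at is None:
            continue
        findings[src] = {
            "failures": len(times),
            "distinct_users": len(users[src]),
            "burst_at": burst_at.isoformat(),
            "success_after_burst": any(s >= burst_at for s in successes[src]),
        }
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, f)
```

Given Microsoft's 0.08% success figure, almost every source this flags will show success_after_burst False and is a candidate for blocking at the edge; the one that shows True is an account takeover and should be handled as such, starting with the credentials the source logged in with.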

Ransomware attack shuts down some Michigan schools

www.cbsnews.com/news/ransomware-attack-shuts-down-richmond-michigan-school-district/ District officials at Richmond Community Schools said their servers were attacked by ransomware during the holiday break and that the virus affected telephones, copiers and classroom technology. The district has closed three schools for the week so employees can resolve the problem, which officials believe will be “a very time-consuming process.” Student and staff information wasn’t compromised,

First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group

blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/ We found three malicious apps in the Google Play Store that work together to compromise a victim's device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack in the wild that uses the use-after-free vulnerability. Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group's arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities' Windows machines.

Malware Infects Small Hospital’s Medical Imaging Server

www.careersinfosecurity.com/malware-infects-small-hospitals-medical-imaging-server-a-13577 A breach stemming from malware infecting a medical imaging server at a small, rural New Mexico hospital serves as a reminder of medical equipment data security and privacy vulnerabilities and risks faced by facilities of all sizes.

Cybersecurity Data Sharing: A Federal Progress Report

www.bankinfosecurity.com/cybersecurity-data-sharing-federal-progress-report-a-13575 Certain federal agencies, especially units within the Department of Defense, still have plenty of work to do when it comes to sharing cybersecurity information and threat intelligence among themselves as well as with the private sector, according to an unclassified report recently sent to Congress. Report at

www.oversight.gov/sites/default/files/oig-reports/Unclassified%2020191219_AUD-2019-005-U_Joint%20Report.pdf The audit also identifies several hurdles that need to be overcome to improve data sharing among several of the federal agencies that share data. It notes, for example, that restrictive classifications limit cyber threat information from being widely shared among agencies; that information systems at various agencies lack the ability to communicate with each other, which hampers the timely sharing of cyber threat information; and that the reluctance of private organizations to share threat intelligence because of concerns about liability must be overcome.

GCHQ: A cyber-what-now? Rumours of our probe into London Stock Exchange ‘cyberattack’ have been greatly exaggerated

www.theregister.co.uk/2020/01/06/gchq_not_investigating_london_stock_exchange_cyberattack_allegation/ GCHQ and its cyber-defence offshoot NCSC have both denied that they are investigating a cyber-attack on the London Stock Exchange, contrary to reports. The Wall Street Journal, normally a reliable source for news with a financial flavour, reported that British signals intelligence agency Government Communications Headquarters (GCHQ) has been looking into an August 2019 outage of the LSE, which was reported to the Financial Conduct Authority at the time.