NCSC-FI News followup

Daily NCSC-FI news followup 2020-09-29

Koronavilkku has been updated and asks an important question when opened: answer it in the affirmative. Everyone should update Koronavilkku and open the app once. After the update, the app can no longer fall into a dormant state that interferes with its operation.

These hackers have spent months hiding out in company networks undetected A state-sponsored hacking group has been creeping around networks for almost a year as part of an information-stealing campaign, warns Symantec. Detailed by cybersecurity company Symantec, the attacks against organisations in the US, Japan, Taiwan and China are being conducted with the aim of stealing information and have been linked to an espionage group known as Palmerworm aka BlackTech, which has a history of campaigns going back to 2013. Report:

A Ransomware Attack Has Struck a Major US Hospital Chain “All computers are completely shut down,” one Universal Health Services employee told WIRED.

Nevada school district refuses to submit to ransomware blackmail, hacker publishes student data Thousands of students have reportedly had their private data released online.

Ransomware hits US-based Arthur J. Gallagher insurance giant US-based Arthur J. Gallagher (AJG), a global insurance brokerage and risk management firm, confirmed a ransomware attack that hit its systems on Saturday. AJG is one of the largest insurance brokers in the world with more than 33,300 employees and operations in 49 countries.

Microsoft: Some ransomware attacks take less than 45 minutes Microsoft goes over the recent malware trends in its new “Digital Defense Report.” For many years, the Microsoft Security Intelligence Report has been the gold standard in terms of providing a yearly overview of all the major events and trends in the cyber-security and threat intelligence landscape. While Microsoft unceremoniously retired the old SIR reports back in 2018, the OS maker appears to have realized its mistake, and has brought it back today, rebranded as the new Microsoft Digital Defense Report. report:

All four of the world’s largest shipping companies have now been hit by cyber-attacks With today’s news that French shipping giant CMA CGM has been hit by a ransomware attack, this now means that all of the four biggest maritime shipping companies in the world have been hit by cyber-attacks in the past four years, since 2017.

LodaRAT Update: Alive and Well During our continuous monitoring of LodaRAT, Cisco Talos observed changes in the threat that add new functionality.

HOOK, LINE AND SINKER: CYBERCRIME NETWORK PHISHING BANK CREDENTIALS ARRESTED IN ROMANIA The criminal group sent phishing text messages and emails to get access to victims’ bank accounts

“Exceptional cases”: a new twist in the scam calls reaching Finns Microsoft scammers can now also call in Finnish. However, open questions remain about the calls.

Director of nuisance-calls company ordered to cough up £114k after ignoring £40k fine from UK data watchdog A director of a company fined £40,000 by the Information Commissioner’s Office has himself been ordered to pay out more than £100,000 as part of a long-running collection saga.

Microsoft Netlogon exploitation continues to rise Cisco Talos is tracking a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report.

Microsoft clarifies patch confusion for Windows Zerologon flaw Microsoft clarified the steps customers should take to make sure that their devices are protected against ongoing attacks using Windows Server Zerologon (CVE-2020-1472) exploits. In a step-by-step approach, the updated advisory now explains the exact actions that administrators need to take to make sure that their environments are protected and outages are prevented in the event of an incoming attack designed to exploit servers that would otherwise be vulnerable to Zerologon exploits.

Cisco fixes actively exploited bugs in carrier-grade routers Cisco fixed two actively exploited and high severity memory exhaustion DoS vulnerabilities found in the IOS XR software that runs on multiple carrier-grade routers. Cisco warned customers on August 29th of ongoing attacks targeting carrier-grade routers running vulnerable Cisco IOS XR software versions.

QNAP tells NAS users to update firmware to avoid new type of ransomware AgeLocker ransomware has been seen infecting QNAP NAS systems since June.

Plane-tracking site Flight Radar 24 DDoSed… just as drones spotted buzzing over Azerbaijan and Armenia That’s one way of poking the world’s eyes out for a few hours

Tech Firms Accused Of Improper Data Handling – But US Government Says It Doesn’t Matter A new report indicates that US tech giants like Facebook and Netflix are failing to handle US-EU data transfers legally – but the US government is claiming that it shouldn’t be cause for concern.

Managing Remote Access for Partners & Contractors Sometimes their techs will install the Bomgar jump client on your servers when they are troubleshooting issues. They don’t remove it, it is left to the local entity to remove it or at least disable the service until it is needed again. Here are some tips to increase the operations security when working with third-parties.

Microsoft suffers a massive outage in Outlook.com and Teams Several Microsoft cloud services, from Outlook to Teams, suffered an outage during the night between Monday and Tuesday.

With so many cloud services dependent on it, Azure Active Directory has become a single point of failure for Microsoft Does Redmond have a reliability problem? Microsoft has fixed an issue with its OneDrive and SharePoint services where users were unable to sign in, caused by a faulty remediation for the earlier Azure Active Directory outage.

Daily NCSC-FI news followup 2020-09-28

Researchers Uncover Cyber Espionage Operation Aimed At Indian Army Cybersecurity researchers uncovered fresh evidence of an ongoing cyberespionage campaign against Indian defense units and armed forces personnel at least since 2019 with an aim to steal sensitive information. Dubbed “Operation SideCopy” by Indian cybersecurity firm Quick Heal, the attacks have been attributed to an advanced persistent threat (APT) group that has successfully managed to stay under the radar by “copying” the tactics of other threat actors such as the SideWinder.

UHS hospitals hit by reported country-wide Ryuk ransomware attack Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, has reportedly shut down systems at healthcare facilities around the US after a cyber-attack that hit its network during early Sunday morning. UHS operates over 400 healthcare facilities in the US and the UK, has more than 90,000 employees and provides healthcare services to approximately 3.5 million patients each year.

UK, US hospital computers are down, early unofficial diagnosis is a suspected outbreak of Ryuk ransomware We’ve switched to back-up offline procedures, says Universal Health Services. Universal Health Services, which operates over 400 hospitals and healthcare facilities in the US, Puerto Rico, and the UK, said on Monday that its IT network was offline due to an unspecified cybersecurity issue.

REvil ransomware deposits $1 million in hacker recruitment drive The REvil Ransomware (Sodinokibi) operation has deposited $1 million in bitcoins on a Russian-speaking hacker forum to prove to potential affiliates that they mean business. also:

Logistics giant CMA CGM goes offline to block malware attack CMA CGM S.A., a French maritime transport and logistics giant, today disclosed a malware attack affecting some servers on the edge of its network. The attack forced CMA CGM’s IT teams to cut Internet access to some applications to block the malware from spreading to other network devices.

Ransomware is your biggest problem on the web. This huge change could be the answer Making it illegal for companies to pay up when hit with ransomware could finally halt the ‘scourge of the internet’.

FBI warns of disinformation campaigns about hacked voter systems The Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA) today issued a joint public service announcement about the threat of disinformation campaigns targeting the 2020 US election season.

Too many staff have privileged work accounts for no good reason, reckon IT bods Ever seen a Trello board you thought you shouldn’t? If you’re in the UK or US, you’re not alone. Around 40 per cent of staff in British and American corporations have access to sensitive data that they don’t need to complete their jobs, according to recent research.

Suspicious logins reported after ransomware attack on US govt contractor Ransomware attack on Tyler Technologies is looking worse by the day. Customers of Tyler Technologies, one of the biggest software providers for the US state and federal government, are reporting finding suspicious logins and previously unseen remote access tools (RATs) on their networks and servers.

The price of stolen remote login passwords is dropping. That’s a bad sign The cost of RDP credentials is going down – and it’s probably happening because poor cybersecurity is making log-in details easy to find.

Revealed: Trump campaign strategy to deter millions of Black Americans from voting in 2016 3.5 million Black Americans were profiled and categorised as ‘Deterrence’ by the Trump campaign: voters they wanted to stay home on election day.

This ‘Hacker University’ Offers Dark Web Cybercrime Degrees For $125 A newly published report into the new economy of the dark web from cybersecurity-as-a-service specialist Armor’s Threat Resistance Unit (TRU) contains much of what you might expect: the relatively cheap trade in loan applications, business ‘fullz’ comprising a complete business attack dossier, and even SMS text bombing rental services. One discovery, however, stood out from the others as far as this somewhat jaded cyber-writer is concerned: a hacker university selling cybercrime courses to dark web degree students.

Singapore in world first for facial verification Singapore will be the first country in the world to use facial verification in its national identity scheme.

Daily NCSC-FI news followup 2020-09-27

Google removes 17 Android apps doing WAP billing fraud from the Play Store The 17 apps were infected with the Joker (Bread) malware, which Google described in January 2020 as one of the most persistent threats it dealt with since 2017.

iOS 14: The Surprising Security Risk Of Sharing Your New iPhone Home Screen But sharing your customized iPhone home screen far and wide isn’t actually a good idea; surprisingly, it can be a major security risk. This is because that screenshot of your iOS 14 home screen can give away a lot of information about you that could be of use to malicious hackers.

Alexa Gets New Privacy Controls All You Need To Know You can now configure Alexa so that none of your voice recordings are saved.

The Android 11 Privacy and Security Features You Should Know Many of the updates to Google’s mobile OS are behind the scenes, but they can help you control your app permissions and keep your data safe.

Tyler Technologies warns clients to change remote support passwords Tyler Technologies is warning clients to change the passwords for the technology provider’s remote access accounts after suspicious logins have been reported.

Singapore urges need for international organisations to ‘reform’ in digital age Singapore’s Foreign Affairs Minister calls for the United Nations and World Trade Organisation to be reformed, so international rules are in line with cybersecurity and other key digital developments.

Daily NCSC-FI news followup 2020-09-26

ThunderX ransomware silenced with release of a free decryptor A decryptor for the ThunderX ransomware has been released by cybersecurity firm Tesorion that lets victims recover their files for free.

When coffee makers are demanding a ransom, you know IoT is screwed Watch along as hacked machine grinds, beeps, and spews water.

Threat Roundup for September 18 to September 25 Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.

Industrial Cyberattacks Get Rarer but More Complex The first half of 2020 saw decreases in attacks on most ICS sectors, but oil/gas firms and building automation saw upticks.

KuCoin cryptocurrency exchange hacked for $150 million KuCoin said an intruder drained all its hot wallets today.

Putin Wants a Truce in Cyberspace While Denying Russian Interference With an eye to a possible Biden presidency, the Russian leader called for a “reboot” on information security but offered no concessions.

How cybercriminals launder money stolen from banks Before the thieves can enjoy them, the proceeds of cybercrime have to jump through a few hoops. We discuss the complexities involved.

Pastebin adds ‘Burn After Read’ and ‘Password Protected Pastes’ to the dismay of the infosec community The two new features will make it easier to disguise malware operations.

Daily NCSC-FI news followup 2020-09-25

Microsoft boots apps out of Azure used by China-sponsored hackers Active Directory apps used for command-and-control infrastructure are no more. Report:

Feds Hit with Successful Cyberattack, Data Stolen The attack featured a unique, multistage malware and a likely PulseSecure VPN exploit.

FinSpy Spyware for Mac and Linux OS Targets Egyptian Organisations Amnesty International today exposed details of a new surveillance campaign that targeted Egyptian civil society organizations with previously undisclosed versions of FinSpy spyware designed to target Linux and macOS systems.

Mount Locker ransomware joins the multi-million dollar ransom game A new ransomware operation named Mount Locker is underway stealing victims’ files before encrypting and then demanding multi-million dollar ransoms.

The Week in Ransomware – September 25th 2020 – A Modern-Day Gold Rush This week showed continued attacks against large organizations as new ransomware operations rush to join a modern-day ransomware gold rush.

RayBan parent company reportedly suffers major ransomware attack There is no evidence that cybercriminals were also able to steal customer data

Taurus Project stealer now spreading via malvertising campaign For the past several months, Taurus Project, a relatively new stealer that appeared in the spring of 2020, has been distributed via malspam campaigns targeting users in the United States. The macro-laced documents spawn a PowerShell script that invokes certutil to run an AutoIt script ultimately responsible for downloading the Taurus binary.

Windows scammers now even speak Finnish on the phone, “a very worrying phenomenon” Many people have received a call in recent weeks claiming that their computer is infected with malware and that the caller will help them with the computer. According to Kyberturvallisuuskeskus, a million such calls a month are now being made to Finland.

Twitter is warning devs that API keys and tokens may have leaked Twitter is emailing developers stating that their API keys, access tokens, and access token secrets may have been exposed in a browser’s cache.

Fortinet VPN with Default Settings Leave 200,000 Businesses Open to Hackers “We quickly found that under default configuration the SSL VPN is not as protected as it should be, and is vulnerable to MITM attacks quite easily,” SAM IoT Security Lab’s Niv Hertz and Lior Tashimov said. “The Fortigate SSL-VPN client only verifies that the CA was issued by Fortigate (or another trusted CA), therefore an attacker can easily present a certificate issued to a different Fortigate router without raising any flags, and implement a man-in-the-middle attack.”
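The weakness quoted above is a client that checks the certificate chain but not the certificate's identity. The example below is added here and is not the researchers' or Fortinet's code; it contrasts a chain-only check with a chain-plus-hostname check over constructed certificates in the dict shape Python's `ssl` module returns, and shows the client-context setting that gives the strict behaviour. The CA name, device names and hostnames are assumptions.

```python
import ssl
from typing import Dict, List, Set

# Constructed certificates in the nested-tuple shape returned by ssl.SSLSocket.getpeercert().
# Names and hostnames are assumptions; the page gives no real certificate contents.
FORTINET_CA = "Fortinet CA"
OUR_GATEWAY = {
    "issuer": ((("commonName", FORTINET_CA),),),
    "subject": ((("commonName", "FGT-OURSITE"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}
OTHER_GATEWAY = {  # a perfectly valid certificate, but for somebody else's gateway
    "issuer": ((("commonName", FORTINET_CA),),),
    "subject": ((("commonName", "FGT-ELSEWHERE"),),),
    "subjectAltName": (("DNS", "vpn.other-org.example"),),
}
SELF_SIGNED = {  # right name, but not issued by a trusted CA
    "issuer": ((("commonName", "Untrusted CA"),),),
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}


def rdn_value(name, key: str):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name."""
    for rdn in name:
        for attr_key, value in rdn:
            if attr_key == key:
                return value
    return None


def san_dns_names(cert: Dict) -> List[str]:
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match with a single left-most-label wildcard."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def chain_only_verify(cert: Dict, trusted_issuers: Set[str]) -> bool:
    """The behaviour described in the article: accept any certificate whose issuer is trusted.
    (Issuer-name comparison stands in for a real signature-based chain check.)
    Every gateway certificate from the same CA passes, so the peer's identity is never pinned."""
    return rdn_value(cert["issuer"], "commonName") in trusted_issuers


def identity_verify(cert: Dict, trusted_issuers: Set[str], expected_host: str) -> bool:
    """Chain check plus identity check: a SAN entry must cover the host we meant to reach."""
    if not chain_only_verify(cert, trusted_issuers):
        return False
    return any(dns_match(pattern, expected_host) for pattern in san_dns_names(cert))


def hardened_client_context() -> ssl.SSLContext:
    """Python's equivalent of identity_verify: PROTOCOL_TLS_CLIENT defaults to
    check_hostname=True and CERT_REQUIRED. Setting check_hostname=False reproduces
    the chain-only weakness; leave it on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()
    return ctx


def context_checks_identity(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    trusted = {FORTINET_CA}
    for label, cert in (("ours", OUR_GATEWAY), ("other", OTHER_GATEWAY), ("self", SELF_SIGNED)):
        print(label, "chain-only:", chain_only_verify(cert, trusted),
              "identity:", identity_verify(cert, trusted, "vpn.example.com"))
```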

Update now: Cisco warns over 25 high-impact flaws in its IOS and IOS XE software Cisco has alerted customers using its IOS and IOS XE networking gear software to apply updates for 34 flaws across 25 high-severity security advisories.

Blast from the past! Windows XP source code allegedly leaked online If the reports are to be believed, someone has just leaked a mega-torrent (pun intended: allegedly some of the files have also been uploaded to Kiwi file-sharing service Mega) of Microsoft source code going all the way back to MS-DOS 6.

“From an organisation’s point of view, WhatsApp is a catastrophe,” says a digital consultant: impossible to administer, yet in use at workplaces Managing groups is manual work, which also leaves room for mistakes.

Daily NCSC-FI news followup 2020-09-24

#InstaHack: how researchers were able to take over the Instagram App using a malicious image Instagram is one of the most popular social media platforms globally, with over 100 million photos uploaded every day, and nearly 1 billion monthly active users. Individuals and companies share photos and messages about their lives and products to their followers globally. So imagine what could happen if a hacker was able to completely take over Instagram accounts, and access all the messages and photos in those accounts, post new photos or delete or manipulate existing photos. What could that do to a person’s or company’s reputation?

Govt. Services Firm Tyler Technologies Hit in Apparent Ransomware Attack Tyler Technologies, a Texas-based company that bills itself as the largest provider of software and technology services to the United States public sector, is battling a network intrusion that has disrupted its operations. The company declined to discuss the exact cause of the disruption, but their response so far is straight out of the playbook for responding to ransomware incidents.

Sandbox in security: what is it, and how it relates to malware To better understand modern malware detection methods, it’s a good idea to look at sandboxes. In cybersecurity, the use of sandboxes has gained a lot of traction over the last decade or so. With the plethora of new malware coming our way every day, security researchers needed something to test new programs without investing too much of their precious time. Sandboxes provide ideal, secluded environments to screen certain malware types without giving that malware a chance to spread. Based on the observed behavior, the samples can then be classified as harmless, malicious, or in need of a closer look.

Threat landscape for industrial automation systems. H1 2020 highlights Beginning in H2 2019 we have observed a tendency for decreases in the percentages of attacked computers, both in the ICS and in the corporate and personal environments. In H1 2020 the percentage of ICS computers on which malicious objects were blocked has decreased by 6.6 percentage points to 32.6%. The number was highest in Algeria (58.1%), and lowest in Switzerland (12.7%). Despite the overall tendency for the percentages of attacked computers to decrease, we did see the number grow in the Oil & Gas sector by 1.6 p.p. to 37.8% and by 1.9 p.p. to 39.9 % for computers used in building automation systems. These numbers are higher than the percentages around the world overall.

Fuzzing Image Parsing in Windows, Part One: Color Profiles Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers. In this multi-part blog series, I am reviewing Windows OS built-in image parsers and related file formats: specifically looking at creating a harness, hunting for corpus and fuzzing to find vulnerabilities. In part one of this series I am looking at color profiles: not an image format itself, but something which is regularly embedded within images.

Analysis Report (AR20-268A) – Federal Agency Compromised by Malicious Cyber Actor The Cybersecurity and Infrastructure Security Agency (CISA) responded to a recent threat actor’s cyberattack on a federal agency’s enterprise network. By leveraging compromised credentials, the cyber threat actor implanted sophisticated malware, including multi-stage malware that evaded the affected agency’s anti-malware protection, and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall.

Party in Ibiza with PowerShell Today, I would like to talk about PowerShell ISE or “Integration Scripting Environment”[1]. This tool is installed by default on all Windows computers (besides the classic PowerShell interpreter). From a malware analysis point of view, ISE offers a key feature: an interactive debugger!

Micropatch for Zerologon, the “perfect” Windows vulnerability (CVE-2020-1472) The Zerologon vulnerability allows an attacker with network access to a Windows Domain Controller to quickly and reliably take complete control of the Windows domain. As such, it is a perfect vulnerability for any attacker and a nightmare for defenders. It was discovered by Tom Tervoort, a security researcher at Secura, and privately reported to Microsoft, which issued a patch for supported Windows versions as part of August 2020 updates and assigned it CVE-2020-1472. The micropatch we wrote is logically identical to Microsoft’s fix. We injected it in function NetrServerAuthenticate3 in roughly the same place where Microsoft added the call to NlIsChallengeCredentialPairVulnerable, but since the latter doesn’t exist in old versions of netlogon.dll, we had to implement its logic in our patch.

Alien Android Banking Trojan Sidesteps 2FA A newly uncovered banking trojan called Alien is invading Android devices worldwide, using an advanced ability to bypass two-factor authentication (2FA) security measures to steal victim credentials. Once it has infected a device, the RAT aims to steal passwords from at least 226 mobile applications including banking apps like Bank of America Mobile Banking and Capital One Mobile, as well as a slew of collaboration and social apps like Snapchat, Telegram and Microsoft Outlook. Also:

Microsoft, Italy, and the Netherlands warn of increased Emotet activity Two weeks after cyber-security agencies from France, Japan, and New Zealand published warnings about an uptick in Emotet activity, new alerts have been published this past week by agencies in Italy and the Netherlands, but also by Microsoft. These new warnings come as Emotet activity has continued to increase, dwarfing any other malware operation active today. “It has been very heavy for [Emotet] spam lately,” Joseph Roosen, a member of Cryptolaemus, a group of security researchers who track Emotet malware campaigns, told ZDNet during an interview today.

A highly critical Windows vulnerability now poses a threat, warns Kyberturvallisuuskeskus: patch immediately Earlier this week we wrote about Zerologon attacks on a security hole in Windows. According to Secura, the security company that found the vulnerability, exploiting it takes “in practice about three seconds” and requires no login from the attacker at all. Kyberturvallisuuskeskus now reports that attack tools for exploiting the vulnerability have been published. A fix for the vulnerability was released in Microsoft’s August updates, and Kyberturvallisuuskeskus recommends installing the updates immediately. Also:

One of this year’s most severe Windows bugs is now under active exploit One of the highest-impact Windows vulnerabilities patched this year is now under active exploitation by malicious hackers, Microsoft warned overnight, in a development that puts increasing pressure on laggards to update now. CVE-2020-1472, as the vulnerability is tracked, allows hackers to instantly take control of the Active Directory, a Windows server resource that acts as an all-powerful gatekeeper for all machines connected to a network. Also:

ZeroLogon(CVE-2020-1472) – Attacking & Defending A handy walkthrough of CVE-2020-1472 from both a red and blue team perspective, how to detect, patch and hack ZeroLogon. You’re reading this already thinking, not another zerologon post, oh great… Stay tuned it’s a bit more than the normal posts, looking at it from the build break defend fix mentality. I’ve added a quick skip ToC if you want to skip to specific areas that interest you, or otherwise buckle up folks, it’s going to be a long ride!

Phishing attacks are targeting your social network accounts Scammers are targeting your social network accounts with phishing emails that pretend to be copyright violations or promises of a shiny ‘blue checkmark’ next to your name. With social networks such as Twitter, Facebook, Instagram, and TikTok becoming a significant component in people’s lives, attackers target them for malicious purposes. These stolen accounts are then used for disinformation campaigns, cryptocurrency scams like the recent Twitter hacks, or sold on underground markets. Due to this, social accounts should be treated as a valuable commodity and protected as such.

New Snort, ClamAV coverage strikes back against Cobalt Strike Cisco Talos is releasing a new research paper called The Art and Science of Detecting Cobalt Strike. We recently released a more granular set of updated SNORT and ClamAV detection signatures to detect attempted obfuscation and exfiltration of data via Cobalt Strike, a common toolkit often used by adversaries. Cobalt Strike is a paid software platform for adversary simulations and red team operations. It is used by professional security penetration testers and malicious actors to gain access and control infected hosts on a victim network. Cobalt Strike has been utilized in APT campaigns and most recently observed in the IndigoDrop campaign and in numerous ransomware attacks.

Wondering how to tell the world you’ve been hacked? Here’s a handy guide from infosec academics Infosec boffins at the University of Kent have developed a “comprehensive playbook” for companies who, having suffered a computer security breach, want to know how to shrug off the public consequences and pretend everything’s fine. In a new paper titled “A framework for effective corporate communication after cyber security incidents,” Kent’s Dr Jason Nurse, along with Richard Knight of the University of Warwick, devised a framework for companies figuring out how to publicly respond to data security breaches and similar incidents where servers are hacked and customer records end up in the hands of criminals.

Daily NCSC-FI news followup 2020-09-23

Phishers spoof reliable cybersecurity training company to garner clicks It happens to the best of us. And, indeed, no adage is better suited to a phishing campaign that recently made headlines. Fraudsters used the brand KnowBe4, a trusted cybersecurity company that offers security awareness training for organizations, to gain recipients’ trust, their Microsoft Outlook credentials, and other personally identifiable information (PII). This is according to findings from our friends at Cofense Intelligence, who did a comprehensive analysis of the campaign, and of course, KnowBe4, who first reported about it.

Looking for sophisticated malware in IoT devices Smart watches, smart home devices and even smart cars: as more and more connected devices join the IoT ecosystem, the importance of ensuring their security becomes patently obvious. It’s widely known that the smart devices which are now inseparable parts of our lives are not very secure against cyberattacks. Malware targeting IoT devices has been around for more than a decade. Hydra, the first known router malware that operated automatically, appeared in 2008 in the form of an open-source tool. Hydra was an open-source prototype of router malware. Soon after Hydra, in-the-wild malware was also found targeting network devices. Since then, different botnet families have emerged and become widespread, including families such as Mirai, Hajime and Gafgyt.

A Recipe for Reducing Medical Device Internet of Things Risk You may recall this blog post from March 2020. It highlighted the importance of factoring in clinical, organizational, financial and regulatory impact when determining which medical Internet-of-Things (IoMT) security vulnerabilities should be fixed first. Consider this post a part two. Whereas the previous post focused on the fact that IoMT devices are here to stay and finding and prioritizing vulnerabilities based on impact cannot be overlooked, this post highlights an up and coming security challenge.

New tool helps companies assess why employees click on phishing emails Researchers at the US National Institute of Standards and Technology (NIST) have devised a new method that could be used to accurately assess why employees click on certain phishing emails. The tool, dubbed Phish Scale, uses real data to evaluate the complexity and quality of phishing attacks to help organizations comprehend where their (human) vulnerabilities lie. Here’s a quick refresher: in its simplest form, phishing is an unsolicited email or any other form of electronic communication where cybercriminals impersonate a trusted organization and attempt to pilfer your data.

Zerologon Vulnerability: Analysis and Detection Tools In September 2020 Secura published an article disclosing a vulnerability in Windows Server (all known versions) Netlogon Remote Protocol. This vulnerability is known as CVE-2020-1472 or, more commonly, Zerologon. Due to the magnitude and potential impact of this vulnerability, Cynet decided to release two detection mechanisms for the wide community that provide visibility for exploits for the Zerologon vulnerability. First is a YARA rule which can be used to scan memory dumps of lsass.exe. The rule will alert upon detection of Mimikatz or other Zerologon exploits. Second is an executable file, Cynet.ZerologonDetector.exe, which detects spikes in network traffic of lsass.exe from a given IP.
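The second detection idea above, a spike in lsass.exe network traffic from one source IP, can be reproduced over flow telemetry. The example below is an added illustration, not Cynet's tool: it buckets constructed per-process flow records from a domain controller into short windows and flags any source whose lsass.exe flow count in a window both exceeds a floor and dwarfs the median of the other sources in that window. The record layout, window size and thresholds are assumptions to tune against your own baseline.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One inbound flow as seen on the DC, attributed to the owning process (constructed schema)."""
    ts: float       # seconds since epoch
    src_ip: str
    process: str    # image name of the local process that owns the socket


def build_sample_flows() -> List[Flow]:
    """Constructed telemetry: ten quiet workstations, one noisy host, some unrelated traffic."""
    flows: List[Flow] = []
    for i in range(10):                                   # normal Netlogon churn over a minute
        for k in range(6):
            flows.append(Flow(1000.0 + k * 10 + i, f"10.0.1.{i + 10}", "lsass.exe"))
    for k in range(1500):                                 # 1,500 exchanges in ~3 seconds
        flows.append(Flow(1030.0 + k * 0.002, "10.0.1.66", "lsass.exe"))
    for k in range(400):                                  # busy, but not lsass.exe: ignored
        flows.append(Flow(1000.0 + k * 0.1, "10.0.1.77", "svchost.exe"))
    return flows


def count_lsass_by_window(flows: Iterable[Flow], window_s: float) -> Dict[float, Dict[str, int]]:
    """window_start -> src_ip -> number of lsass.exe flows in that window."""
    counts: Dict[float, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.process.lower() != "lsass.exe":
            continue
        bucket = int(f.ts // window_s) * window_s
        counts[bucket][f.src_ip] += 1
    return counts


def detect_spikes(flows: Iterable[Flow], window_s: float = 5.0,
                  min_events: int = 100, ratio: float = 10.0) -> List[Tuple[float, str, int]]:
    """Return (window_start, src_ip, count) for every source whose lsass.exe flow count in a
    window is at least min_events AND at least ratio times the median of the other sources.
    The absolute floor keeps a lone workstation in an otherwise idle window from alerting."""
    alerts: List[Tuple[float, str, int]] = []
    for bucket, per_ip in sorted(count_lsass_by_window(flows, window_s).items()):
        for ip, n in per_ip.items():
            others = [c for other, c in per_ip.items() if other != ip] or [1]
            baseline = max(1, statistics.median(others))
            if n >= min_events and n >= ratio * baseline:
                alerts.append((bucket, ip, n))
    return alerts


if __name__ == "__main__":
    for window_start, ip, n in detect_spikes(build_sample_flows()):
        print(f"window {window_start:.0f}: {n} lsass.exe flows from {ip}")
```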

A New Hacking Group Hitting Russian Companies With Ransomware As ransomware attacks against critical infrastructure continue to spike in recent months, cybersecurity researchers have uncovered a new entrant that has been actively trying to conduct multistage attacks on large corporate networks of medical labs, banks, manufacturers, and software developers in Russia. The ransomware gang, codenamed “OldGremlin” and believed to be a Russian-speaking threat actor, has been linked to a series of campaigns at least since March, including a successful attack against a clinical diagnostics laboratory that occurred last month on August 11. Also:

Malicious Word Document with Dynamic Content Here is another malicious Word document that I spotted while hunting. “Another one?” some of our readers may ask. Indeed, but malicious documents remain a very common infection vector and you learn a lot when you analyze them. I was recently asked to talk about PowerShell (de)obfuscation techniques. When you’re dealing with an incident in a corporate environment, you don’t have time to investigate in depth. The incident must be resolved as soon as possible because the business must go on, and a classic sandbox analysis is performed to get the feedback: it’s malicious or not.

Shopify discloses security incident caused by two rogue employees Online e-commerce giant Shopify is working with the FBI and other law enforcement agencies to investigate a security breach caused by two rogue employees. The company said two members of its support team accessed and tried to obtain customer transaction details from Shopify shop owners (merchants). Shopify estimated the number of stores that might be affected by the employees’ actions at less than 200. The company boasted more than one million registered merchants in its latest quarterly filings. Also:

Why can’t the Windows scam calls plaguing Finns simply be blocked? An expert answers This year Finns have been hit by an unprecedented wave of scam calls. English-speaking scammers pose as Microsoft technical support representatives. They claim that the recipient’s Windows computer has a problem and offer help. In reality there is no problem, and the caller is trying to trick the recipient into giving them remote access to the machine or paying them for the help.

AgeLocker ransomware targets QNAP NAS devices, steals data QNAP NAS devices are being targeted in attacks by the AgeLocker ransomware, which encrypts the device’s data and in some cases steals files from the victim. AgeLocker is ransomware that uses an encryption tool and format called Age (Actually Good Encryption), which was designed to replace GPG for encrypting files, backups, and streams. In July 2020, we reported on a new ransomware called AgeLocker that was using this tool to encrypt victims’ files.

As you’re scrambling to patch the scary ZeroLogon hole in Windows Server, don’t forget Samba: it’s also affected Administrators running Samba as their domain controllers should update their installations, as the open-source software suffers from the same ZeroLogon hole as Microsoft’s Windows Server. An alert from the project has confirmed that its code, in certain configurations, is also vulnerable to the CVE-2020-1472 bug, which can be exploited to gain domain-level administrator access. The setting that matters is server schannel: it must be yes (the default since Samba 4.8); installations running older releases, or that have set it to auto or no, are exposed.
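
A detector for the behaviour the Cynet tools above and this Samba entry both concern, as an added example (it is not Cynet's detector, Secura's test script or Samba code). Zerologon is exploited by calling NetrServerAuthenticate3 repeatedly with an all-zero client credential until the DC accepts it, which takes 256 attempts on average, so a burst of authentication attempts from one client followed by a success is the signature on a Windows and a Samba DC alike. The log format is constructed for the example (one line per call: timestamp, client IP, account, status); a DC audit log or an RPC-aware network sensor would be the real source:

```python
"""Burst detector for Zerologon-style Netlogon authentication attempts.

Added example; not Cynet's detector, Secura's scanner or Samba code. Log lines
are constructed for this example, one per NetrServerAuthenticate3 call seen by
the DC: "<ISO timestamp> <client_ip> <account> <status>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds. The exploit retries with an all-zero ClientCredential until
# the DC accepts it (256 attempts on average), so 50 attempts from one client in
# 30 seconds is far outside what a legitimate secure-channel setup produces.
BURST_THRESHOLD = 50
WINDOW = timedelta(seconds=30)


def parse_line(line):
    ts, ip, account, status = line.split()
    return datetime.fromisoformat(ts), ip, account, status


def detect_bursts(lines, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return (client_ip, account, attempts_in_window, succeeded) alerts.

    Two signals: a burst of attempts inside the window (attack in progress,
    reported once per client) and a success that follows at least `threshold`
    consecutive failures from the same client (the exploit landing).
    """
    events = sorted(parse_line(line) for line in lines if line.strip())
    recent = defaultdict(deque)          # client -> timestamps inside the window
    consecutive_failures = defaultdict(int)
    burst_reported = set()
    alerts = []
    for ts, ip, account, status in events:
        window_hits = recent[ip]
        window_hits.append(ts)
        while ts - window_hits[0] > window:
            window_hits.popleft()
        if status == "STATUS_SUCCESS":
            if consecutive_failures[ip] >= threshold:
                alerts.append((ip, account, len(window_hits), True))
            consecutive_failures[ip] = 0
        else:
            consecutive_failures[ip] += 1
            if len(window_hits) >= threshold and ip not in burst_reported:
                burst_reported.add(ip)
                alerts.append((ip, account, len(window_hits), False))
    return alerts


def constructed_log():
    """Constructed sample: a quiet workstation and one attacker at 10.0.0.66."""
    base = datetime(2020, 9, 29, 10, 0, 0)
    lines = []
    for i in range(5):                   # benign: one attempt per minute
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 WS01$ STATUS_SUCCESS")
    for i in range(300):                 # attack: 300 failures in 15 seconds...
        ts = (base + timedelta(milliseconds=50 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.66 DC01$ STATUS_ACCESS_DENIED")
    ts = (base + timedelta(seconds=15)).isoformat()
    lines.append(f"{ts} 10.0.0.66 DC01$ STATUS_SUCCESS")   # ...then the zero credential is accepted
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(constructed_log()):
        print(alert)
```

The threshold is deliberately low: legitimate machines set up a secure channel a handful of times a day, and a rule like this is cheap to run next to the patch rather than instead of it. The weakness is in the protocol, not in one implementation, so the same burst shows up against a Samba DC running with server schannel set to auto or no.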

2020: Q2 Threat Report When security teams, managers, and leaders have limited time and budget, prioritizing investments to achieve the greatest impact and reduction in risk becomes paramount. Threat reports, such as this one, help security and business professionals alike get a high-level view of the threats they face and how organizations are dealing with them. Our quarterly Threat Report is typically structured to look at threats from both a cause and effect perspective. The Focus on Telemetry section delivers analysis on the risk and prevalence of threats, while the Focus on Detections section delivers analysis on those affected and the impact of threats.

India’s Cybercrime and APT Operations on the Rise Growing geopolitical tensions with China in particular are fueling an increase in cyberattacks between the two nations, according to IntSights. A combination of economic, political, and social factors is driving an increase in cyber threat activity out of India. Much of the activity involves scams, online extortion schemes, hacktivist campaigns, and the sale of narcotics and other illicit goods online. But also operating out of the country is a handful of relatively sophisticated advanced persistent threat actors and hacker-for-hire groups that have targeted organizations in multiple countries in recent years, according to a new report from IntSights.

Hackers sell access to your network via remote management apps Remote monitoring and management (RMM) software is starting to get attention from hackers as these types of tools provide access to multiple machines across the network. At least one network access broker has been advertising access to networks of organizations in various regions of the world that use the ManageEngine Desktop Central from Zoho to manage their Windows, Linux, and Mac systems. Some of the breached companies are attractive targets for ransomware operators, who may already have jumped at the opportunity.

Daily NCSC-FI news followup 2020-09-22

How to fight delayed phishing Phishing links in e-mails to company employees often become active only after the initial scan. But they still can and must be caught. Phishing has long been a major attack vector on corporate networks. It’s no surprise, then, that everyone and everything, from e-mail providers to mail gateways and even browsers, use antiphishing filters and malicious address scanners. Therefore, cybercriminals are constantly inventing new, and refining old, circumvention methods. One such method is delayed phishing.

How identification, authentication, and authorization differ We use raccoons to explain how identification, authorization, and authentication differ, and why 2FA is necessary. It happens to every one of us every day. We are constantly identified, authenticated, and authorized by various systems. And yet, many people confuse the meanings of these words, often using the terms identification or authorization when, in fact, they are talking about authentication.
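
The same three steps in code, as an added example that is not from the article (the user store, the policy table and the fixed salt are constructed so the run is reproducible). Identification is only a lookup of the claimed name; authentication proves the claim with a password hash plus an RFC 6238 TOTP second factor; authorization is a separate decision about what the proven identity may do:

```python
"""Identification, authentication and authorization as three separate checks.

Added example, not code from the article. The user store, the policy and the
salt are constructed; password hashing is PBKDF2 and the second factor is
RFC 6238 TOTP, implemented inline so the block runs offline.
"""
import hashlib
import hmac


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = (int(unix_time) // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store. In production the salt is random per user and the
# TOTP secret is provisioned per user; both are fixed here for reproducibility.
DEMO_SALT = b"fixed-demo-salt"
DEMO_TOTP_SECRET = b"12345678901234567890"     # the RFC 6238 test-vector seed
USERS = {
    "alice": {"pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
              "totp_secret": DEMO_TOTP_SECRET, "roles": {"analyst"}},
}

# Constructed policy: which roles may perform which actions.
POLICY = {"read_report": {"analyst", "admin"}, "delete_report": {"admin"}}


def identify(username):
    """Identification: who claims to be acting? A lookup only; proves nothing."""
    return USERS.get(username)


def authenticate(user, password, otp, now):
    """Authentication: prove the claim with password and second factor."""
    if user is None:
        return False
    ok_pw = hmac.compare_digest(user["pw_hash"], hash_password(password, DEMO_SALT))
    ok_otp = hmac.compare_digest(totp(user["totp_secret"], now), otp)
    return ok_pw and ok_otp   # both always evaluated: same timing either way


def authorize(user, action):
    """Authorization: may this authenticated identity do the requested thing?"""
    return bool(user["roles"] & POLICY.get(action, set()))


def attempt(username, password, otp, action, now):
    """Full flow; returns the stage at which the request stopped."""
    user = identify(username)
    if user is None:
        return "unknown identity"
    if not authenticate(user, password, otp, now):
        return "authentication failed"
    if not authorize(user, action):
        return "not authorized"
    return "allowed"


if __name__ == "__main__":
    now = 1_600_000_000
    code = totp(DEMO_TOTP_SECRET, now)
    print(attempt("alice", "correct horse battery staple", code, "read_report", now))
    print(attempt("alice", "correct horse battery staple", code, "delete_report", now))
```

The point the article makes falls out of the structure: a correct password with a wrong code stops at authentication, a fully authenticated alice still cannot delete a report, and a name that is not in the store never reaches the password check. The TOTP routine is checked against the published RFC 6238 SHA-1 test vector (time 59 gives 94287082 at eight digits).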

New and improved Security Update Guide! We’re excited to announce a significant update to the Security Update Guide, our one-stop site for information about all security updates provided by Microsoft. This new version will provide a more intuitive user experience to help protect our customers regardless of what Microsoft products or services they use in their environment. We’ve listened to your feedback and incorporated many of your suggestions and new feature ideas. For example, it is now much easier to get a simple list of all CVEs being released on an Update Tuesday or between your own custom date range (see Vulnerabilities tab).

Carlos Arnal: The economic impact of a DNS attack is too great to ignore the vulnerabilities that would enable it One of the main problems with DNS attacks is the increasing cost of the damage they cause, as well as their rapid evolution and the diverse range of attack types. Data exfiltration over DNS is a major concern in corporate environments. In order to protect themselves, organizations are prioritizing the security of network endpoints and improving DNS traffic monitoring. We discussed this with Carlos Arnal, Product Marketing Manager Endpoint Security at Panda.
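
Monitoring logic of the kind the interview argues for, as an added example (not Panda's product or code; the query-log format and the traffic are constructed). DNS exfiltration has to carry its payload in names that have never been queried before, because a cached name moves nothing new, so the tell-tale signs per registered domain are many distinct subdomains and labels with the character entropy of encoded data rather than of words:

```python
"""Flag domains whose subdomain labels look like an exfiltration channel.

Added example, not Panda's code. Input lines are constructed:
"<epoch> <client_ip> <qname> <qtype>", the fields a resolver or passive-DNS
sensor logs. Per registered domain it scores how many distinct subdomains were
asked for and how random their characters look (Shannon entropy), which is
high for hex/base32 payloads and low for names such as www or mail.
"""
import hashlib
import math
from collections import defaultdict


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude split into (last two labels, everything before them).

    A public-suffix list is the right tool in production; two labels is enough
    to show the technique.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def detect_exfil(lines, min_unique=10, min_entropy=3.0, min_bytes=200):
    """Return one alert per domain that exceeds all three assumed thresholds."""
    per_domain = defaultdict(lambda: {"subs": set(), "clients": set(), "types": set()})
    for line in lines:
        _ts, client, qname, qtype = line.split()
        base, sub = registered_domain(qname)
        if not sub:
            continue                       # bare domain: no subdomain to carry data in
        d = per_domain[base]
        d["subs"].add(sub)
        d["clients"].add(client)
        d["types"].add(qtype)
    alerts = []
    for base, d in per_domain.items():
        subs = d["subs"]
        avg_entropy = sum(entropy(s) for s in subs) / len(subs)
        payload = sum(len(s) for s in subs)   # rough upper bound on bytes smuggled out
        if len(subs) >= min_unique and avg_entropy >= min_entropy and payload >= min_bytes:
            alerts.append({"domain": base, "unique_subdomains": len(subs),
                           "avg_entropy": round(avg_entropy, 2),
                           "approx_bytes": payload,
                           "clients": sorted(d["clients"]),
                           "qtypes": sorted(d["types"])})
    return alerts


def constructed_log():
    """Constructed traffic: ordinary lookups plus a hex-encoded channel over TXT."""
    lines = []
    names = ["www.example.com", "mail.example.com", "cdn.example.net"] * 8
    for i, name in enumerate(names):
        lines.append(f"{1601366400 + i} 10.0.0.12 {name} A")
    for i in range(40):
        chunk = hashlib.sha256(f"block-{i}".encode()).hexdigest()[:40]
        lines.append(f"{1601366500 + i} 10.0.0.31 {chunk}.{i}.exfil-test.invalid TXT")
    return lines


if __name__ == "__main__":
    for alert in detect_exfil(constructed_log()):
        print(alert)
```

The three thresholds are assumptions to tune against your own baseline; CDN and anti-spam domains legitimately produce many unique, high-entropy labels, so an allow-list of known services belongs in front of the alert. The approximate byte count is what makes the finding actionable: it says how much could have left, not only that something odd happened.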

Uncover Return on Investment From Using a SOAR Platform When a cybersecurity attack happens, people may be tempted to react impulsively. Instead, security leaders should take a proactive approach. Carefully considering the long-term effects of actions on resources and security posture becomes easier with the right tools. Using a Security Orchestration, Automation and Response (SOAR) platform from day one can help your organization be better positioned to respond to cyberattacks today and in the future. At the same time, it can mean a significant return on investment (ROI) for the security budget.

Alert (AA20-266A) – LokiBot Malware CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot is credential- and information-stealing malware, often sent as a malicious attachment and known for being simple yet effective, which makes it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.

Unsecured Microsoft Bing Server Exposed Users’ Search Queries and Location A back-end server associated with Microsoft Bing exposed sensitive data of the search engine’s mobile application users, including search queries, device details, and GPS coordinates, among others. The logging database, however, doesn’t include any personal details such as names or addresses. The data leak, discovered by Ata Hakcil of WizCase on September 12, is a 6.5TB cache of log files that was left for anyone to access without any password, potentially allowing cybercriminals to leverage the information for extortion and phishing scams.

6% of all Google Cloud Buckets are vulnerable to unauthorized access 131 of 2,064 scanned Google Cloud buckets were vulnerable to unauthorized access by users who could list, download, and/or upload files. Amazon’s S3 buckets are the most popular means for apps, websites, and online services to store data in the cloud. So when data breaches and exposures occur, vulnerable S3 buckets are often cited as the target. But Amazon Web Services is far from the only provider of cloud file storage. Google Cloud buckets, for instance, are also quite common, and they are just as vulnerable (due to misconfiguration) as their more popular counterparts, according to the latest research by Comparitech’s cybersecurity research team.
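
The misconfiguration behind these numbers is a bucket IAM policy that binds a role to allUsers or allAuthenticatedUsers. As an added example (not Comparitech's scanner; the policy JSON is constructed and the role-to-capability table is an assumed simplification of GCS's predefined roles), this checks the policy that gsutil iam get gs://BUCKET prints, reports what an anonymous caller could do, and produces a hardened copy:

```python
"""Find bucket IAM bindings that grant access to everyone and strip them.

Added example, not Comparitech's code. It reads the policy document that
`gsutil iam get gs://BUCKET` (or the Storage JSON API's getIamPolicy) returns.
The policy below is constructed, and CAPABILITIES is an assumed summary of
Google's predefined roles; keep it in sync with the official documentation.
"""
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# What an anonymous (or any-Google-account) caller can do with each role.
CAPABILITIES = {
    "roles/storage.objectViewer": {"list", "download"},
    "roles/storage.legacyBucketReader": {"list"},
    "roles/storage.legacyObjectReader": {"download"},
    "roles/storage.objectCreator": {"upload"},
    "roles/storage.objectAdmin": {"list", "download", "upload", "delete"},
    "roles/storage.legacyBucketWriter": {"list", "upload", "delete"},
    "roles/storage.admin": {"list", "download", "upload", "delete", "change-policy"},
}


def public_access(policy):
    """Return {capability: [roles]} reachable through allUsers/allAuthenticatedUsers."""
    found = {}
    for binding in policy.get("bindings", []):
        if not PUBLIC_MEMBERS & set(binding.get("members", [])):
            continue
        role = binding["role"]
        # A role not in the table is still public: report it under its own name.
        for cap in CAPABILITIES.get(role, {"unknown:" + role}):
            found.setdefault(cap, []).append(role)
    return found


def harden(policy):
    """Return a copy with public members removed; bindings left empty are dropped.

    The etag is carried over so that `gsutil iam set` refuses the update if the
    policy changed in the meantime instead of silently overwriting it.
    """
    fixed = {"bindings": [], "etag": policy.get("etag")}
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            fixed["bindings"].append({"role": binding["role"], "members": members})
    return fixed


# Constructed policy: a world-readable bucket that any Google account may also write to.
CONSTRUCTED_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:demo-project"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/storage.objectCreator", "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "CAE="
}
""")


if __name__ == "__main__":
    print("public access:", public_access(CONSTRUCTED_POLICY))
    print(json.dumps(harden(CONSTRUCTED_POLICY), indent=2))
```

Write the hardened document back with gsutil iam set; the kept etag makes the update fail rather than clobber a concurrent change. allAuthenticatedUsers is not "internal": any Google account in the world satisfies it, which is why the example treats it exactly like allUsers.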

Firefox 81 Release Kills High-Severity Code-Execution Bugs Mozilla patched high-severity vulnerabilities with the release of Firefox 81 and Firefox ESR 78.3, including several that could be exploited to run arbitrary code. Two severe bugs (CVE-2020-15674 and CVE-2020-15673) are memory-safety bugs in the browser, the kind that lead to memory-access issues such as buffer overflows. CVE-2020-15674 was reported in Firefox 80, while CVE-2020-15673 was reported in Firefox 80 and Firefox ESR 78.2.

Healthcare lags behind in critical vulnerability management, banks hold their ground Vulnerability management is a key component of modern strategies to combat cyberattackers, but which industries perform well in this area? The general public faces phishing attempts, spam, malvertising, and more in their daily lives. However, in the business realm, successfully targeting major companies, including banks, industrial giants, and medical facilities, can be far more lucrative for cybercriminals.

This is why the bad Bluetooth hole does not affect Koronavilkku: “I keep it on without worry” The Bluetooth vulnerability named BLESA, which affects up to billions of devices, has no effect on Koronavilkku, even though the app relies on Bluetooth Low Energy (BLE), the feature found to be problematic. This was stated on Twitter by Sami Köykkä, technology expert at Solita, the company that implemented Koronavilkku. Using Koronavilkku is safe because it does not use the functionality needed to exploit the vulnerability.

A tip from a kid helps detect iOS and Android scam apps with 2.4 million downloads Researchers said that a tip from a child led them to discover aggressive adware and exorbitant prices lurking in iOS and Android smartphone apps with a combined 2.4 million downloads from the App Store and Google Play. Posing as apps for entertainment, wallpaper images, or music downloads, some of the titles served intrusive ads even when an app wasn’t active. To prevent users from uninstalling them, the apps hid their icon, making it hard to identify where the ads were coming from.

Emotet double blunder: fake Windows 10 Mobile and outdated messages The Emotet botnet has switched up their malicious spamming campaign and is now heavily distributing password-protected archives to bypass email security gateways. This campaign started on Friday with documents claiming to be created on the expired Windows 10 Mobile and continued with a large volume of messages pretending to be made on Android.

Russia wants to ban the use of secure protocols such as TLS 1.3, DoH, DoT, ESNI The Russian government is working on updating its technology laws so it can ban the use of modern internet protocols that can hinder its surveillance and censorship capabilities. According to a copy of the proposed law amendments and an explanatory note, the ban targets internet protocols and technologies such as TLS 1.3, DoH, DoT, and ESNI.

Nearly 70% of IT & Security Pros Hone Their Cyber Skills Outside of Work New research shows how security skills are lacking across multiple IT disciplines as well, including network engineers, sysadmins, and cloud developers. Nearly three out of four organizations are struggling with a gap in security skills, and 68% of IT and security professionals say they work on advancing their cyber skills on their own time, outside of work.

Russian hackers use fake NATO training docs to breach govt networks A Russian hacker group known by the names APT28, Fancy Bear, Sofacy, Sednit, and STRONTIUM is behind a targeted attack campaign aimed at government bodies. The group delivered a hard-to-detect strain of the Zebrocy Delphi malware under the pretense of providing NATO training materials. Researchers further inspected the files containing the payload and found that they impersonated JPG files, showing NATO images when opened on a computer.

Cybersäkerhetscentret – Guide to cyber exercises The National Cyber Security Centre (Cybersäkerhetscentret), in cooperation with the National Emergency Supply Agency (Försörjningsberedskapscentralen), has produced the manual “Anvisning om cyberövningar” (Guide to cyber exercises), now available in English and Swedish.

NCSC-FI – Manual for cyber exercise Organisers The Finnish National Cyber Security Centre together with the Finnish National Emergency Supply Agency present their “Manual for cyber exercise Organisers”, now available for download in English.

Daily NCSC-FI news followup 2020-09-21

JAMK surveyed cyber exercise environments: Europe actively trains against network attacks JAMK University of Applied Sciences (JAMK) has surveyed European cyber security exercise environments and their characteristics. The extensive survey is the first of its kind in Europe. The survey found thirty-nine reported European cyber exercise environments (cyber ranges). Finland had the most environments reported for any single country, seven in total.

Slightly broken overlay phishing At the Internet Storm Center, we often receive examples of interesting phishing e-mails from our readers. Of course, this is not the only source of interesting malicious messages in our inboxes; sometimes the phishing authors cut out the middleman and send their creations directly to us. Last week, this was the case with a slightly unusual (and slightly broken) phishing, which tries to use legitimate pages overlaid with a fake login prompt.

The ransomware crisis is getting worse. We need to make these four big changes The cruel march of ransomware has apparently reached a grim new milestone. In Germany, authorities are investigating the death of a patient during a ransomware attack on a hospital; according to reports, the woman, who needed urgent medical care, died after being re-routed to a hospital further away, as a nearer hospital was in the midst of dealing with a ransomware attack. Elsewhere ransomware continues to create painful, if less tragic, disruptions. The UK’s cybersecurity agency has just warned that ransomware groups are launching ‘reprehensible’ attacks against universities as the new academic year starts.

Threat Landscape Trends: Endpoint Security, Part 1 In the ongoing battle to defend your organization, deciding where to dedicate resources is vital. To do so efficiently, you need to have a solid understanding of your local network topology, cloud implementations, software and hardware assets, and the security policies in place. On top of that, you need to have an understanding of what’s traveling through and residing in your environment, and how to respond when something is found that shouldn’t be there.

NSA tool raised eyebrows among security experts; CUJO’s Finnish team decided to use it Go has quickly become the new favourite of malware authors. CUJO AI’s laboratory in Finland has noticed this with IoT devices. According to Kimmo Kasslin, who heads CUJO AI’s security laboratory, Go’s popularity is mainly due to the spread of IoT-device botnets.

Strava app shows your info to nearby users unless this setting is disabled Popular running and cycling app Strava can expose your information to nearby strangers, which has sparked privacy concerns among its users. After learning of this information sharing feature, some fear this functionality can be abused for stalking and “predatory” motives. Previously, Strava had published heatmaps generated from 13 trillion GPS coordinates from joggers’ data, which inadvertently exposed the locations of military bases around the world, including those in the U.S.

Activision Accounts Hacked? 500,000 Call Of Duty Players Could Be Affected: Report According to reports, more than 500,000 Activision accounts may have been hacked, with login data being compromised. The eSports site Dexerto has reported that a data breach occurred on Sunday, September 20. The credentials to access these accounts are, Dexerto said, being leaked publicly, and account details are being changed to prevent easy recovery by the rightful owners. Activision accounts are mostly used by players of the hugely popular Call of Duty franchise.

What to Expect When Reporting Vulnerabilities to Microsoft At the Microsoft Security Response Center (MSRC), our primary mission is to help protect our customers. One of the ways we do this is by working with security researchers to discover security vulnerabilities in our services and products, and then making sure those that pose a threat to customers get fixed. Many researchers report these types of issues to many different companies, and how these companies manage their process for receiving, assessing, and fixing them can vary considerably. So, we would like to let you know what you can do to help speed your submission through our process when reporting security vulnerabilities to Microsoft, and what to expect afterwards.

Daily NCSC-FI news followup 2020-09-20

Hackers leak details of 1,000 high-ranking Belarus police officers A group of hackers has leaked on Saturday the names and personal details of more than 1,000 high-ranking Belarusian police officers in response to violent police crackdowns against anti-government demonstrations. The leaked data included names, dates of birth, and the officers’ departments and job titles.

Google App Engine feature abused to create unlimited phishing pages A newly discovered technique by a researcher shows how Google’s App Engine domains can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products. Google App Engine is a cloud-based service platform for developing and hosting web apps on Google’s servers. While reports of phishing campaigns leveraging enterprise cloud domains are nothing new, what makes Google App Engine infrastructure risky is how the subdomains get generated and paths are routed.

The Cybersecurity Threat No One Talks About Is A Simple Code QR codes are going through a renaissance today. Businesses are focusing on how they can protect employees, customers and suppliers during the pandemic by adopting touchless transactions and services to provide a safer, more streamlined buying experience. Fraudsters are quick to capitalize on the opportunity that QR codes’ soaring popularity presents. Combining social engineering with QR codes that can be created in a second, fraudsters are using them to open victims’ bank accounts and drain them within seconds, install malware, penetrate entire corporate networks and more.

Analysis of Salesforce Phishing Emails Over the past week, I have noticed several phishing emails linked to Salesforce asking to confirm the recipient’s email address.