Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-02-07

Backing up is no panacea when blackmailers publish stolen data

www.kaspersky.com/blog/ransomware-data-disclosure/32410/ Backing up data has been one of the most effective, though labor-intensive, safeguards against encrypting ransomware so far. Now, malefactors seem to have caught up with those who rely on backups. The creators of several ransomware programs, confronted with victims refusing to pay the ransom, shared their data online.

Adposhel adware takes over browser push notifications administration

blog.malwarebytes.com/adware/2020/02/adware-adposhel-takes-over-your-web-push-notifications-administration/ Since late last year, our researchers have been monitoring new methods being deployed by cybercriminals to potentially abuse browser push notifications. Now, an adware family detected by Malwarebytes as Adware.Adposhel is doing just that, taking control of push notifications in Chrome at the administrator level.

Seniors Complete Guide to Internet Scams

www.pandasecurity.com/mediacenter/mobile-news/senior-scams/ Seniors have become the main target of cybercriminals. A report by the Consumer Financial Protection Bureau found that Suspicious Activity Reports for elder financial exploitation quadrupled from 2013 to 2017.

Critical Bluetooth bug leaves Android users open to attack

www.welivesecurity.com/2020/02/07/google-critical-android-bluetooth-flaw-attack/ Google has rolled out a security update to address a critical flaw in Androids Bluetooth implementation that allows remote code execution without user interaction. The vulnerability, tracked as CVE-2020-0022, affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0). For these devices, which between them account for almost two-thirds of Android devices in use, the flaw is rated critical by Google.

Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript

isc.sans.edu/forums/diary/Sandbox+Detection+Tricks+Nice+Obfuscation+in+a+Single+VBScript/25780/ I found an interesting VBScript sample that is a perfect textbook case for training or learning purposes. It implements a nice obfuscation technique as well as many classic sandbox detection mechanisms.

Critical Citrix RCE Flaw Still Threatens 1,000s of Corporate LANs

threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/ About one in five of the 80,000 companies affected by a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway are still at risk from a trivial attack on their internal operations. If exploited, the flaw could allow unauthenticated attackers to gain remote access to a companys local network and carry out arbitrary code-execution.

Malaysia warns of Chinese hacking campaign targeting government projects

www.zdnet.com/article/malaysia-warns-of-chinese-hacking-campaign-targeting-government-projects/ A Chinese state-sponsored hacking group has been targeting Malaysian government officials, computer experts with the Malaysian government said on Wednesday. The purpose of the attacks has been to infect computers of government officials with malware and then steal confidential documents from government networks, Malaysia’s Computer Emergency Response Team (MyCERT) said in a security advisory.

Magecart Gang Attacks Olympic Ticket Reseller and Survival Food Sites

threatpost.com/olympic-ticket-survival-sites-hit-by-cyberattack/152648/ A faction of the Magecart threat group, Magecart group 12, has been linked to a recent digital card skimmer attack bent on stealing payment data from a slew of websites, including ones selling anything from Olympic tickets to emergency preparation kits. Over the past few weeks, the group has targeted two ticket sales websites one called Olympic Tickets is a re-seller of tickets to the upcoming 2020 summer Olympic games and the second, Euro 2020 Tickets, is selling tickets for the 2020 UEFA, a European football championship that takes place in June.

F-Secure: Nämä olivat 2010-luvun pahimmat kyberkatastrofit, joista kannattaa ottaa opiksi

www.tivi.fi/uutiset/tv/619a5165-bf12-40a0-a2bf-eb293347c0b1 Tietoturvan merkitys on kirkastunut monille viimeisen kymmenen vuoden aikana, kun monet scifiltä kuulostaneen uhkakuvat ovat toteutuneet. Tietoturvatalo F-Secure pikakelasi muistin virkistämiseksi, mitä kaikkea uutta konnuutta tietoturvassa nähtiin vuosina 2010-2019.

Emotet Evolves With New Wi-Fi Spreader

www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/ Emotet is a highly sophisticated trojan that typically also serves as a loader for other malware. A key functionality of Emotet is its ability to deliver custom modules or plugins that are suited for specific tasks, including stealing Outlook contacts, or spreading over a LAN. ecently, Binary Defense has identified a new loader type that takes advantage of the wlanAPI interface to enumerate all Wi-Fi networks in the area, and then attempts to spread to these networks, infecting all devices that it can access in the process.

Unit 42 CTR: Leaked Code from Docker Registries

unit42.paloaltonetworks.com/leaked-docker-code/ The Unit 42 Cloud Threat Report: Spring 2020 focused on the practices of DevOps to determine where misconfigurations are happening in the cloud. Our research found a large number of DevOps services (e.g., SSH, Database, Code Repository) inadvertently exposed to the internet due to misconfigured infrastructure. This blog offers a detailed analysis of leaked code from Docker registries and how this, and other insecure infrastructure of misconfigurations, can lead to compromises in an organizations security posture.

Japanese Defense Contractors Kobe Steel, Pasco Disclose Breaches

www.bleepingcomputer.com/news/security/japanese-defense-contractors-kobe-steel-pasco-disclose-breaches/ Japanese defense contractors Pasco Corporation (Pasco) and Kobe Steel (Kobelco) today disclosed security breaches that happened in May 2018 and in June 2015/August 2016, respectively. The geospatial provider and the major steel manufacturer also confirmed unauthorized access to their internal network during the two incidents, as well as malware infections affecting their computing systems following the attacks.

Threat Spotlight: Email Account Takeover

blog.barracuda.com/2020/02/06/threat-spotlight-email-account-takeover/ Researchers from Barracuda and UC Berkeley, conducting a large-scale analysis of email account takeover and the timeline of attacks, recently highlighted the behaviors hackers are using to try to avoid detection, ways to identify suspicious activity that could indicate an email account has been compromised, and precautions you can take to protect your business.

Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-02-06

Protecting users from insecure downloads in Google Chrome

security.googleblog.com/2020/02/protecting-users-from-insecure_6.html Today were announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, well start blocking “mixed content downloads” (non-HTTPS downloads started on secure pages). This move follows a plan we announced last year to start blocking all insecure subresources on secure pages.

Insider threats have increased 47%

www.pandasecurity.com/mediacenter/security/cost-insider-threat-report/ Last year, a Canadian bank suffered a data breach that affected some 2.7 million people and around 173,000 companies. The stolen information included names, addresses, dates of birth, social insurance numbers, email addresses and information on customers transaction habits. The culprit of this breach? A malicious insider.

Biased AI Is Another Sign We Need to Solve the Cybersecurity Diversity Problem

securityintelligence.com/articles/biased-ai-is-another-sign-we-need-to-solve-the-cybersecurity-diversity-problem/ Artificial intelligence (AI) excels at finding patterns like unusual human behavior or abnormal incidents. It can also reflect human flaws and inconsistencies, including 180 known types of bias. Biased AI is everywhere, and like humans, it can discriminate against gender, race, age, disability and ideology.

Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install Malware, Perform Mobile Ad Fraud

blog.trendmicro.com/trendlabs-security-intelligence/malicious-apps-on-google-play-communicate-with-trojans-install-malware-perform-mobile-ad-fraud/ We recently discovered several malicious optimizer, booster, and utility apps (detected by Trend Micro as AndroidOS_BadBooster.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and download as many as 3,000 malware variants or malicious payloads on affected devices. These malicious apps, which are supposed to increase device performance by cleaning, organizing, and deleting files, have been collectively downloaded over 470,000 times.

The Rise of the Open Bug Bounty Project

thehackernews.com/2020/02/open-bug-bounty-project.html The once skyrocketing bug bounty industry seems to be not in the best shape today. While prominent security researchers are talking about a growing multitude of hurdles they experience with the leading commercial bug bounty platforms, the latter are trying to reinvent themselves as “next-generation penetration testing” or similar services. You be the judge of how successful they will be.

Fake browser update pages are “still a thing”

isc.sans.edu/forums/diary/Fake+browser+update+pages+are+still+a+thing/25774/ SocGholish is a term I first saw in signatures from the EmergingThreats Pro ruleset to describe fake browser update pages used to distribute malware like a NetSupport RAT-based malware package or Chthonic banking malware. Although this activity has continued into 2020, I hadn’t run across an example until this week.

Fake Interview: The New Activity of Charming Kitten

blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/ Certfa Lab has identified a new series of phishing attacks from the Charming Kitten1, the Iranian hacking group who has a close relationship with Irans state and Intelligence services. According to our investigation, these new attacks have targeted journalists, political and human rights activists.

Metamorfo Returns with Keylogger Trick to Target Financial Firms

threatpost.com/metamorfo-variant-keylogger-financial/152640/ Researchers have discovered a recent spate of phishing emails spreading a new variant of Metamorfo, a financial malware known for targeting Brazilian companies. Now, however, its expanding its geographic range and adding a new technique. Report:

www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions.html

UM Cyber Attack Symposium Lessons learnt

www.maastrichtuniversity.nl/um-cyber-attack-symposium-%E2%80%93-lessons-learnt At a symposium on Wednesday 5 February, Maastricht University (UM) addressed the cyber attack that took place on 23 December. The symposium was open to invited guests only. Other interested parties could follow the livestream, which you can replay below. Due to the complexity of the subject matter and the presence of Dutch media only, the symposium was held in Dutch.

Advisory 2020-003: Mailto ransomware incidents

www.cyber.gov.au/threats/advisory-2020-003-mailto-ransomware-incidents The Australian Signals Directorates Australian Cyber Security Centre (ACSC) is aware of recent ransomware incidents involving a ransomware tool known as Mailto or Kazakavkovkiz. Mailto belongs to the KoKo ransomware family. At this time, the ACSC is unaware whether these incidents are indicative of a broader campaign.

Emotet attacks a spike to start the year…

www.menlosecurity.com/blog/emotet-attacks-a-spike-to-start-the-year The Emotet malware is a very destructive banking Trojan that was first identified in 2014. Over the years it has evolved with new capabilities and functionalities, prompting cybersecurity agencies like the Australian Cyber Security Centre and US-CERT to issue advisories. Emotet malware generally spreads via malicious documents that drop a modular Trojan bot, which is used to download and install additional remote access tools.

Wacom drawing tablets track every app you open

www.zdnet.com/article/wacom-drawing-tablets-track-every-app-you-open/ Wacom drawing tablets will track every app you open or close on your computer, Robert Heaton, a software engineer, has revealed.. Following a months-long investigation, Heaton says Wacom’s official driver comes with a vague privacy policy that if accepted will begin tracking the apps a user opens on his device.

Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications

cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/ The Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android devices that could result in compromise if unsigned Android applications are permitted on the device.

Living off another land: Ransomware borrows vulnerable driver to remove security software

news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/ Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers just prior to performing the destructive file encryption portion of the attack.

Medicaid CCO Vendor Breach Exposes Health, Personal Info of 654K

www.bleepingcomputer.com/news/security/medicaid-cco-vendor-breach-exposes-health-personal-info-of-654k/ Medicaid coordinated care organization (CCO) Health Share of Oregon today disclosed a data breach exposing the health and personal info of 654,362 individuals following the theft of a laptop owned by its transportation vendor GridWorks IC.

IoT Malware Campaign Infects Global Manufacturing Sites

www.darkreading.com/iot/iot-malware-campaign-infects-global-manufacturing-sites/d/d-id/1336982 A new malware campaign built to exploit flaws in connected devices is targeting manufacturers around the world and affecting products from smart printers to heavy operational equipment. Researchers at TrapX Labs first saw this attack targeting Latin American manufacturers in October 2019. Since then, it has continued to expand, with a peak in December and ongoing growth this year in regions including North America, Africa, and the Middle East, says TrapX CEO Ori Bach.

Vahva tunnistautuminen otettiin käyttöön nopeutetulla aikataululla sen jälkeen, kun Terveystalo oli kertonut sen sähköiseen verkkoajanvaraukseen kohdistuneesta tietojenkalastelusta.

yle.fi/uutiset/3-11196085 Terveyspalveluita tarjoava Terveystalo otti torstaina käyttöön vahvan tunnistautumisen sähköisessä verkkoajanvarauksessaan

Ghost in the shell: Investigating web shell attacks

www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsofts Detection and Response Team (DART) to conduct a full incident response and remediate the threat before it could cause further damage.

Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-02-05

Malware infection attempts appear to be shrinking… possibly because miscreants are less spammy and more focused on specific targets

www.theregister.co.uk/2020/02/04/sonicwall_threat_report/ Attempts to infect computers with ransomware and other malware over networks are decreasing, reckons infosec outfit Sonicwall.

FBI Warns of DDoS Attack on State Voter Registration Site

www.bleepingcomputer.com/news/security/fbi-warns-of-ddos-attack-on-state-voter-registration-site/ The US Federal Bureau of Investigation (FBI) warned of a potential Distributed Denial of Service (DDoS) attack that targeted a state-level voter registration and information site in a Private Industry Notification (PIN) released today.

Emotet Gets Ready for Tax Season With Malicious W-9 Forms

www.bleepingcomputer.com/news/security/emotet-gets-ready-for-tax-season-with-malicious-w-9-forms/ The Emotet Trojan is getting ready for the tax season with a fresh spam campaign pretending to be signed W-9 tax forms.

Chrome 80 Released With 56 Security Fixes, Cookie Changes, More

www.bleepingcomputer.com/news/google/chrome-80-released-with-56-security-fixes-cookie-changes-more/ Google has released Chrome 80 today, February 4th, 2020, to the Stable desktop channel for the Windows, macOS, Linux, Chrome OS, iOS, and Android platforms with bug fixes, new features, and 56 security fixes.

Realtek Fixes DLL Hijacking Flaw in HD Audio Driver for Windows

www.bleepingcomputer.com/news/security/realtek-fixes-dll-hijacking-flaw-in-hd-audio-driver-for-windows/ Realtek fixed a security vulnerability discovered in the Realtek HD Audio Driver Package that could allow potential attackers to gain persistence, plant malware, and evade detection on unpatched Windows systems.

Bitbucket Abused to Infect 500, 000+ Hosts with Malware Cocktail

www.bleepingcomputer.com/news/security/bitbucket-abused-to-infect-500-000-hosts-with-malware-cocktail/ Attackers are abusing the Bitbucket code hosting service to store seven types of malware threats used in an ongoing campaign that has already claimed more than 500, 000 business computers across the world.

Päivitä nämä suositut ohjelmat heti hakkerit hyödyntävät edelleen vanhoja aukkoja

www.tivi.fi/uutiset/tv/839c8f50-628f-4e98-8438-9543d3b7c46c Yli puolet rikollisten käyttämistä yleisimmistä tietoturva-aukoista ovat yli vuoden vanhoja, ZDNet kirjoittaa. Jotkut ovat jopa yli viisi vuotta vanhoja.

Pelkäätkö salasanasi tai kotiosoitteesi vuotaneen nettiin? Asian tarkistamiseen on suomalainen vaihtoehto

www.is.fi/digitoday/tietoturva/art-2000006396447.html F-Securen ensi viikolla julkaistava työkalu kertoo, jos esimerkiksi salasana tai kotiosoite on päässyt vuotamaan. Tietoturvayhtiö F-Secure julkistaa ilmaistyökalun, jolla kuka tahansa voi tarkistaa, onko hänen sähköpostiosoitteensa ja mahdollisesti muutkin tietonsa vuotaneet osana jotain tietoturvamurtoa. Katso:

f-secure.com/en/home/free-tools/identity-theft-checker

Work hard… at not getting your phone compromised

www.zdnet.com/article/work-hard-at-not-getting-your-phone-compromised/ The news concerning the hacking of Amazon CEO Jeff Bezos’ mobile phone demonstrates that corporate executives are perfectly legitimate collection targets for governments. Powerful individuals should expect to be targets of criminals, activists, and governments. Furthermore, anyone in failing relationships could be a target for a partner installing “stalkerware.” To address these emerging threats, adopt a Zero Trust mentality — don’t click links or open attachments until that foreign official proves they deserve your trust.

Researcher: Backdoor mechanism still active in devices using HiSilicon chips

www.zdnet.com/article/researcher-backdoor-mechanism-discovered-in-devices-using-hisilicon-chips/ Russian security researcher Vladislav Yarmak has published today details about a backdoor mechanism he discovered in HiSilicon chips, used by millions of smart devices across the globe, such as security cameras, DVRs, NVRs, and others. In a detailed technical rundown that Yarmak published on Habr earlier today, the security researcher says the backdoor mechanism is actually a mash-up of four older security bugs/backdoors that were initially discovered and made public in March 2013, March 2017, July 2017, and September 2017. Read also:

habr.com/en/post/486856/

Bouygues Construction falls victim to ransomware

www.zdnet.com/article/bouygues-construction-falls-victim-to-ransomware/ Bouygues Construction has confirmed falling victim to ransomware that it detected across its network on January 30. “As a precautionary measure, information systems have been shut down to prevent any propagation, ” the company said in a brief statement.

Malware stew cooked up on Bitbucket, deployed in attacks worldwide

www.zdnet.com/article/malware-stew-cooked-up-on-bitbucket-deployed-in-attacks-worldwide/ Bitbucket is the latest legitimate hosting provider to be abused by cybercriminals to spread malware. In a campaign revealed by Cybereason researchers Lior Rochberger and Assaf Dahan on Wednesday, threat actors are actively delivering an “unprecedented number of malware types” in a new international attack wave. Read also:

www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware

Two Critical Android Bugs Get Patched in February Update

threatpost.com/critical-android-bugs-patched-in-update/152539/ As part of its February bug fixes, Google is patching a critical severity remote code execution vulnerability and an information disclosure bug.

Toll Group tight-lipped on alleged ransomware attack

www.itnews.com.au/news/toll-group-tight-lipped-on-alleged-ransomware-attack-537437 May have infected over 1000 servers. The logistics giant first reported that it was suffering from the effects of a “cyber security incident” on Friday last week.

5 Zero-day Vulnerabilities in Cisco Discovery Protocol Impacting Tens of Millions of Devices

www.armis.com/cdpwn/ Armis has discovered five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol that is used to discover information about locally attached Cisco equipment. CDP is implemented in virtually all Cisco products including switches, routers, IP phones and cameras. All those devices ship from the factory with CDP enabled by default. The CERT Coordination Center has also issued an advisory.. Also:

threatpost.com/critical-cisco-cdpwn-flaws-network-segmentation/152546/.

www.zdnet.com/article/cdpwn-vulnerabilities-impact-tens-of-millions-of-enterprise-devices/

The Dark Side of Smart Lighting: Check Point Research Shows How Business and Home Networks Can Be Hacked from a Lightbulb

blog.checkpoint.com/2020/02/05/the-dark-side-of-smart-lighting-check-point-research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb/ Everyone is familiar with the concept of IoT, the Internet of Things, but how many of you have heard of smart lightbulbs? By using a mobile app, or your digital home assistant, you can control the light in your house and even calibrate the color of each lightbulb! These smart lightbulbs are managed over the air using the familiar WiFi protocol or ZigBee, a low bandwidth radio protocol.

WhatsApp Bug Allows Malicious Code-Injection, One-Click RCE

threatpost.com/whatsapp-bug-malicious-code-injection-rce/152578/ Security researchers have identified a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to spread malware, phishing or ransomware campaigns through notification messages that appear completely normal to unsuspecting users. And, further investigation shows this could be parlayed into remote code-execution.

Kyberturvallisuuskeskus julkaisi ilmaisen kyberoppaan hyökkäys voi jopa lopettaa yrityksen toiminnan”

www.tivi.fi/uutiset/tv/9baa6664-3bd3-4374-ab26-9527a3164ded Liikenne- ja viestintäviraston Kyberturvallisuuskeskus on julkaissut oppaan Kyberturvallisuus ja yrityksen hallituksen vastuu. Oppaassa luvataan tarjota tietoturvan parantamiseen konkreettisia työkaluja. Menneen vuoden tapahtumat osoittavat, että kyberhyökkäys voi pysäyttää tai jopa lopettaa yrityksen toiminnan. Tietoturva ei ole enää vain tekninen ongelma, vaan se tulee nostaa ylimmän yritysjohdon, hallituksen ja omistajien agendalle, keskeiseksi osaksi yrityksen riskienhallintaa, toteaa Kyberturvallisuuskeskuksen ylijohtaja Kalle Luukkainen tiedotteessa.

New Ransomware Strain Halts Toll Group Deliveries

www.bleepingcomputer.com/news/security/new-ransomware-strain-halts-toll-group-deliveries/ Australian transportation and logistics company Toll Group stated today that systems across multiple sites and business units were encrypted affected by a ransomware called the Mailto ransomware. This ransomware family is known as Mailto but its actual name based on analysis of the ransomware is NetWalker.

Faking e-mails: Why it is even possible

www.kaspersky.com/blog/36c3-fake-emails/32362/ Phishing and business e-mail compromise attacks rely on fake e-mails. But why is it so easy for attackers to make them so convincing?

STOMP 2 DIS: Brilliance in the (Visual) Basics

www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html Throughout January 2020, FireEye has continued to observe multiple targeted phishing campaigns designed to download and deploy a backdoor we track as MINEBRIDGE. The campaigns primarily targeted financial services organizations in the United States, though targeting is likely more widespread than those weve initially observed in our FireEye product telemetry. At least one campaign targeted South Korean organizations, including a marketing agency.

A Queens Ransom: Varonis Uncovers Fast-Spreading SaveTheQueen Ransomware

www.varonis.com/blog/save-the-queen-ransomware/ A new strain of ransomware encrypts files and appends them with the extension, .SaveTheQueen, and propagates using the SYSVOL share on Active Directory Domain Controllers

Bug hunter finds cryptocurrency-mining botnet on DOD network

www.zdnet.com/article/bug-hunter-finds-cryptocurrency-mining-botnet-on-dod-network/ A security researcher hunting for bug bounties discovered last month that a cryptocurrency-mining botnet had found a home and burrowed inside a web server operated by the US Department of Defense (DOD).

Gamaredon APT Improves Toolset to Target Ukraine Government, Military

threatpost.com/gamaredon-apt-toolset-ukraine/152568/ The Gamaredon advanced persistent threat (APT) group has been supercharging its operations lately, improving its toolset and ramping up attacks on Ukrainian national security targets.

Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-02-04

TeamViewer

whynotsecurity.com/blog/teamviewer/ TL;DR: TeamViewer stored user passwords encrypted with AES-128-CBC with they key of 0602000000a400005253413100040000 and iv of 0100010067244F436E6762F25EA8D704 in the Windows registry. If the password is reused anywhere, privilege escalation is possible. If you do not have RDP rights to machine but TeamViewer is installed, you can use TeamViewer to remote in. TeamViewer also lets you copy data or

Google launches open-source security key project, OpenSK

nakedsecurity.sophos.com/2020/02/03/google-launches-open-source-security-key-project-opensk/ Interested in using hardware security keys to log into online services more securely? Well, now you can make your own from scratch, thanks to an open-source project that Google announced last week. Read also:

www.theregister.co.uk/2020/02/04/burn_your_own_security_key_google_releases_opensk/

Twitter kiehtovan urkintaskandaalin keskellä hyökkääjä käytti Twitterin omaa rajapintaa

www.tivi.fi/uutiset/tv/0a8d560d-1578-41c3-9a84-a575bc5db6cd Hyökkääjät yhdistivät puhelinnumeroita Twitter-nimimerkkeihin. Lue myös:

threatpost.com/twitter-api-abused-to-uncover-identities/152521/,

www.zdnet.com/article/twitter-says-an-attacker-used-its-api-to-match-usernames-to-phone-numbers/,

www.theregister.co.uk/2020/02/04/twitter_phone_numbers/ ja

www.bleepingcomputer.com/news/security/twitter-fixed-issue-exploited-to-match-phone-numbers-to-accounts/

Pelottava löydös: Kiristysohjelma iskee myös teollisuuteen

www.is.fi/digitoday/tietoturva/art-2000006395169.html Tammikuussa löytynyt haittaohjelma rampauttaa teollisuusohjelmistoja muiden tihutöidensä ohella. Tietoturvatutkijat ovat löytäneet uudentyyppisen kiristyshaittaohjelman, joka ei tyydy vain tavanomaiseen tiedostojen kaappaamiseen ja salakirjoittamiseen. Tietoturvayhtiö Dragosin viime kuussa löytämä ja Ekansiksi nimeämä ohjelma pyrkii vahingoittamaan myös teollisuuden hallintajärjestelmiä. Asiasta kirjoittaa myös Ars Technica. Ekansiin on ohjelmoitu valmiiksi lista 64:stä teollisuudessa käytettävän ohjelman prosessista, jotka haittaohjelma lopettaa kun se aloittaa “tavanomaisemman” tiedostojen salakirjoittamisen ja kaappaamisen. Listalla on muun muassa Honeywellin, General Electricin ja GE Fanucin ohjelmia. Lue myös:

www.wired.com/story/ekans-ransomware-industrial-control-systems/,

www.zdnet.com/article/ransomware-attacks-are-now-targeting-industrial-control-systems/, . Sekä:

www.darkreading.com/attacks-breaches/ekans-ransomware-raises-industrial-control-worries/d/d-id/1336950,

www.tivi.fi/uutiset/tv/99d439eb-2fd3-44e9-919b-75d37a5f5154 ja

arstechnica.com/information-technology/2020/02/new-ransomware-intentionally-meddles-with-critical-infrastructure/

More dangerous vulnerabilities in Intel CPUs

www.pandasecurity.com/mediacenter/news/more-dangerous-vulnerabilities-intel-cpus/ Intel has released information about two potentially dangerous flaws in the processor architecture of its CPUs. The chip manufacturer had already provided security updates for similar gaps in May and November 2019. Although the new vulnerabilities seem to be less critical than the previous ones, side-channel attacks are still possible.

Traficom nostaa kyberturvallisuuden yritysten hallitusten agendalle

www.traficom.fi/fi/ajankohtaista/traficom-nostaa-kyberturvallisuuden-yritysten-hallitusten-agendalle Liikenne- ja viestintäviraston Kyberturvallisuuskeskuksen kokoama ylimmälle yritysjohdolle suunnattu opas auttaa turvaamaan liiketoimintaa digimaailmassa. Liikenne- ja viestintäviraston Kyberturvallisuuskeskus on julkaissut yritysten hallituksille suunnatun kyberturvallisuutta käsittelevän oppaan. Kyberturvallisuus ja yrityksen hallituksen vastuu -opas antaa työkaluja ja tukea organisaation kyberturvallisuuden parantamiseen. Lue myös:

www.kyberturvallisuuskeskus.fi/fi/kyberturvallisuus-ja-yrityksen-hallituksen-vastuu-opas

AZORult Campaign Adopts Novel Triple-Encryption Technique

threatpost.com/azorult-campaign-encryption-technique/152508/ Popular trojan is sneaking its way onto PCs via malspam campaign that uses three levels of encryption to sneak past cyber defenses. A recent wave of AZORult-laced spam caught the attention of researchers who warn that malicious attachments associated with the campaign are using a novel obfuscation technique, in an attempt to slip past spam gateways and avoid client-side antivirus detection.

Microsoft Teams goes down after Microsoft forgot to renew a certificate

www.theverge.com/2020/2/3/21120248/microsoft-teams-down-outage-certificate-issue-status Microsoft Teams went down this morning for nearly three hours after Microsoft forgot to renew a critical security certificate. Users of Microsoft’s Slack competitor were met with error messages attempting to sign into the service on Monday morning, with the app noting it had failed to establish an HTTPS connection to Microsoft’s servers. Read also:

www.tivi.fi/uutiset/tv/4bc9f354-866a-4f48-852b-14b888eae811

School’s out as ransomware attack downs IT systems at Scotland’s Dundee and Angus College

www.theregister.co.uk/2020/02/04/dundee_angus_college_ransomware/ A further education college in east Scotland has been struck by what its principal described as a cyber “bomb” in an apparent ransomware attack so bad that students have been told to stay away and reset passwords en masse.

Ashley Madison Breach Extortion Scam Targets Hundreds

threatpost.com/ashley-madison-breach-extortion-scam-targets-hundreds/152481/ A new extortion attack has targeted hundreds of users affected by the Ashley Madison breach over the past week. Nearly five years after the high-profile Ashley Madison data breach, hundreds of impacted website users are being targeted by a new extortion attack this past week. The 2015 data breach of the adultery website led to 32 million accounts being publicly dumped online, including victims’ names, passwords, phones numbers, credit card information and more. Up to a year after the hack, researchers with Kaspersky said that affected users were still being hit with an array of attacks, from credit card scams to spam emails. Now, cybercriminals are exploiting the treasure trove of breached Ashley Madison data again in a new highly-personalized and targeted attacks. According researchers at Vade Secure, extortionist are sending emails targeting affected Ashley Madison users once again.

New EmoCheck Tool Checks if You’re Infected With Emotet

www.bleepingcomputer.com/news/security/new-emocheck-tool-checks-if-youre-infected-with-emotet/ A new utility has been released by Japan CERT (computer emergency response team) that allows Windows users to easily check if they are infected with the Emotet Trojan. The Emotet Trojan is one of the most actively distributed malware that is spread through phishing emails with malicious Word document attachments. Read also:

github.com/JPCERTCC/EmoCheck

Office 365 to Block Harmful Content Regardless of Custom Configs

www.bleepingcomputer.com/news/security/office-365-to-block-harmful-content-regardless-of-custom-configs/ Microsoft is currently working on new features designed to block malicious content in Office 365 regardless of the custom configurations set up by administrators or users unless manually overridden.

Google Bug Sent Private Google Photos Videos to Other Users

www.bleepingcomputer.com/news/google/google-bug-sent-private-google-photos-videos-to-other-users/ In a serious privacy lapse, Google is notifying users that videos stored in their Google Photos account were mistakenly shared with other unrelated users. Read also:

thehackernews.com/2020/02/google-photos-videos.html

Teen takes down ISP with DDoS attacks to get info on one of its subscribers

www.zdnet.com/article/teen-takes-down-isp-with-ddos-attacks-to-get-info-on-one-of-its-subscribers/ Ukrainian police have arrested a 16-year-old from the city of Odessa last month for attempting to extort a local ISP (internet service provider) into sharing data on one of its subscribers. Ukrainian authorities say that when the service provider declined, the teen used distributed denial of service (DDoS) attacks to take down the ISP’s network.

These are the top ten software flaws used by crooks: Make sure you’ve applied the patches

www.zdnet.com/article/these-are-the-top-ten-software-flaws-used-by-crooks-make-sure-youve-applied-the-patches/ Hackers are exploiting many of the same security vulnerabilities as last year and they all impact Microsoft Windows products – but a bug in Adobe Flash was the most exploited in 2019. Over half of the most common security vulnerabilities exploited by criminals to conduct cyber attacks and distribute malware are more than a year old, and some are over five years old, demonstrating how failure to apply security updates is leaving organisations vulnerable to hacking and malicious compromise.

FBI catches hacker that stole Nintendo’s secrets for years

arstechnica.com/gaming/2020/02/fbi-catches-hacker-that-stole-nintendos-secrets-for-years/ A 21-year-old California man has pleaded guilty to hacking Nintendo’s servers multiple times since 2016, using phishing techniques to gain early access to information about the company’s plans. Read also:

www.scmagazine.com/home/security-news/cybercrime/hacker-pleads-guilty-to-stealing-nintendo-secrets/ and

www.bleepingcomputer.com/news/security/nintendo-hacker-pleads-guilty-to-child-porn-charges-faces-25-years/

Electric scooters vulnerable to remote hacks

www.welivesecurity.com/2020/02/04/electric-scooters-vulnerable-remote-hacks/ Electric scooters are steadily becoming a popular alternative for short commutes. Besides convenience, however, they also introduce a range of cybersecurity and privacy risks, according to a study by the University of Texas at San Antonio (UTSA). The review which UTSA said is “the first review of the security and privacy risks posed by e-scooters and their related software services and applications” outlines various attacks scenarios that riders might face, as well as how to tackle the risks. Many e-scooters rely on a combination of Bluetooth Low Energy (BLE) and the rider’s smartphone internet connection to run, as well as send data to the service provider. This opens up a number of avenues for potential attacks. For example, bad actors could eavesdrop on the data being broadcasted, which could, in turn, lead to Man-in-the-Middle (MitM) and replay attacks. Those could allow hackers to

WhatsApp Bug Allowed Attackers to Access the Local File System

www.bleepingcomputer.com/news/security/whatsapp-bug-allowed-attackers-to-access-the-local-file-system/ Facebook patched a critical WhatsApp vulnerability that would have allowed potential attackers to read files from a user’s local file system, on both macOS and Windows platforms. Read also:

www.facebook.com/security/advisories/cve-2019-18426

Medtronic Patches Implanted Device, CareLink Programmer Bugs

threatpost.com/medtronic-patches-implanted-device-carelink/152533/ Medtronic has released updates to address known vulnerabilities in its line of connected medical devices that were initially disclosed last year and in 2018. The vendor has addressed two sets of bugs. The first group, disclosed in March of last year, is found in a range of Medtronic implanted cardiac resynchronization therapy with defibrillation (CRT-D) devices; and in multiple implantable cardioverter defibrillators (ICDs). An ICS-CERT advisory last week gives the most severe of the flaws a CVSS “critical” severity rating of 9.3.

threatpost.com/medtronic-patches-implanted-device-carelink/152533/

Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-02-03

TERVEYSTALON SÄHKÖISEEN VERKKOAJANVARAUKSEEN ON KOHDISTUNUT TIETOJENKALASTELUA

www.terveystalo.com/fi/Sijoittajat/Tiedotteet/?crid=2AECEBB792F63309 Terveystalon sähköiseen verkkoajanvaraukseen on kohdistunut tietojenkalastelua. Tämän seurauksena yksittäisten henkilöiden henkilötunnus on todennäköisesti saatu selvitettyä. Verkkoajanvarauksessa ei käsitellä potilastietoja, ainoastaan nimi- ja henkilötunnustietoja. Potilastietoja verkkoajanvarauksen kautta ei saa selvitettyä.. Lue myös yle.fi/uutiset/3-11189706,

www.hs.fi/kotimaa/art-2000006393563.html,

www.is.fi/digitoday/tietoturva/art-2000006394014.html ja

www.is.fi/digitoday/tietoturva/art-2000006394067.html

Hakkerointi on yhtä murhaava ase kuin ohjusisku, sanoo Israelin armeijan tiedustelun veteraani Näin Israelista tuli kyberturvallisuuden suurvalta

www.hs.fi/ulkomaat/art-2000006393393.html Israel kehittää ja myy hakkerointityökaluja, joita käytetään ihmisoikeuksien vastaisesti. Mutta pieni valtio kuhisee muitakin tietoverkkoyrityksiä, ja liiketoiminta kukoistaa. Kuinka heistä tuli näin tehokkaita?

Uutta suurta tietovuotoa verrataan “Panaman papereihin” Verottaja selvittää, ovatko suomalaiset piilottaneet rahojaan veroparatiisiin Mansaarelle

www.hs.fi/talous/art-2000006393350.html Tiedostot Cayman National -pankista Mansaarilta ovat kenen tahansa luettavissa vuotosivustolla. Edelliset tietovuodot Panaman paperit ja Paratiisin paperit tuomassa valtion kassaan muutamia miljoonia euroja maksamatta jääneitä veroja. Suomen verottaja tutkii jälleen suurta tietovuotoa, joka on peräisin veroparatiisista, tällä kertaa Cayman National -pankin konttorista Mansaarelta. Verottaja on aloittanut materiaalin läpikäynnin, minkä tarkoituksena on saada tietoja rahojaan mahdollisesti laittomasti piilottaneista suomalaisista. Vuotoaineisto on peräisin Mansaarten Cayman National -pankin konttorista, jonka perusti Cayman-saarten veroparatiisissa alun perin aloittanut Cayman National Bank. Britannian ja Irlannin välillä sijaitsevaa Mansaartakin pidetään veroparatiisina.

Dashlane’s Super Bowl Ad Proves Password Managers Have Arrived

www.wired.com/story/dashlane-super-bowl-ad/ This year’s crop of Super Bowl ads includes plenty of the usual suspects: expensive cars, cheap beers, big tech. But among the companies coughing up a reported $5.6 million for 30 seconds of Big Game glory is one name most people have never heard of, selling a product that many don’t know exists: Dashlane, an app that manages your passwords.

Flaws punched holes in Azure cloud, Apple patches pretty much everything, Eurocops cuff Maltese hackers, etc

www.theregister.co.uk/2020/02/03/security_roundup_jan_31/ Also, Wawa data surfaces on dark markets after December’s hack

China fears lead Interior Department to limit use of foreign drones

arstechnica.com/tech-policy/2020/01/china-fears-lead-interior-department-to-limit-use-of-foreign-drones/ The Interior Department is preparing a new agency policy that would drastically limit the use of unmanned aerial vehicles made overseas, The Wall Street Journal reports. The new policy is due to be formally announced today. The agency worries that information collected by drones could be “valuable to foreign entities, organizations, and governments.”

WannaCry ransomware attack on NHS could have triggered NATO reaction, says German cybergeneral

www.theregister.co.uk/2020/02/03/wannacry_could_have_triggered_nato_german_general_says/ FIC 2020 Western military alliance NATO could have reacted with force to the 2017 WannaCry ransomware outbreak that locked up half of Britain’s NHS, Germany’s top cybergeneral has said. During a panel discussion about military computer security, Major General Juergen Setzer, the Bundeswehr’s chief information security officer, admitted that NATO’s secretary-general had floated the idea of a military response to the software nasty.

Erikoinen taideteos mies luo tahallaan liikenneruuhkia

www.tivi.fi/uutiset/erikoinen-taideteos-mies-luo-tahallaan-liikenneruuhkia/010392df-8fb7-4d96-92bc-3ce3650537d7 Moderni teknologia auttaa monin tavoin erilaisissa arjen ongelmissa. Tekniikan tuomia mahdollisuuksia voi käyttää myös erikoisen taiteen tekemiseen. Moni Googlen kartan kanssa autoa ajanut osaa jo vilkuilla puhelimensa näyttö ennakoivasti. Mikäli reitille ilmestyy punaista väriä, on tämä merkki mahdollisesta liikenneruuhkasta. Mikäli ruuhka yltyy vallan mahdottomaksi, ohjaa Google käyttämään jotakin vaihtoehtoista reittiä. Ruuhkatiedot perustuvat muihin Googlen karttasovelluksen käyttäjiin, joiden paikkatiedon Google luonnollisesti tietää. Samalla tienpätkällä pitkään paikallaan kököttävä autoletka saa algoritmin päättelemään, että kyseessä on onnettomuus tai muu vakavampi jumi. Sen seurauksena liikenne ohjataan muille reiteille. Saksalainen Simon Weckert on nyt kertonut erikoisesta taideprojektistaan, joka hyödyntää tätä Googlen karttasovelluksen ominaisuutta. Weckert on hankkinut 99 käytettyä älypuhelinta, joihin on ladannut Googlen karttasovelluksen. Sen jälkeen Weckert on lastannut puhelinkasan kärryyn, jota vetää pitkin teitä ja katuja. Googlen virtuaalisilmissä näille paikoille muodostuu silloin valtava . 9to5google muistuttaa, että Weckertin vakuuttavasta videosta huolimatta voi olla, että koko tempaus on pelkkää huijausta. Google ei ole vielä ottanut kantaa olisiko moinen temppu edes teknisesti mahdollinen. Lue myös

ww.9to5google.com/2020/02/02/google-maps-hack-virtual-traffic-jam/# ja www.simonweckert.com/googlemapshacks.html. …ja

www.theregister.co.uk/2020/02/03/google_maps_hack_cartful_phones/ ja

www.bleepingcomputer.com/news/software/hack-creates-fake-google-maps-traffic-jams-with-99-cell-phones/

Magecart group jumps from Olympic ticket website to new wave of e-commerce shops

www.zdnet.com/article/magecart-group-jumps-from-olympic-ticket-website-to-new-wave-of-e-commerce-shops/ Skimmer references were spotted on domains serving customers worldwide. A Magecart group has expanded its operations by compromising not only an Olympic ticket reseller but also a number of other websites referencing a single malicious domain hosting the underlying skimmer code. Magecart is a term used to describe the use of skimmer code to compromise e-commerce payment platforms. Legitimate websites seemingly fine to trust — the British Airways portal and Ticketmaster being prime examples — have been infected with this form of malicious code in the past, leading to the theft of consumer payment card numbers.

‘Cyber security incident’ takes its Toll on Aussie delivery giant as box-tracking boxen yanked offline

www.theregister.co.uk/2020/02/03/toll_group_security_incident_australia/ Australian courier company Toll has shut down several of its key systems after a “security incident” last week, prompting a backlash from frustrated customers. Individual punters and businesses alike said they were unable to send, receive or track their packages since as early as Wednesday morning last week. The company’s tracking website, MyToll, has been down since Friday afternoon.

Cover for ‘cyber’ attacks is risky, complex and people don’t trust us, moan insurers

www.theregister.co.uk/2020/02/03/cyber_insurance_fic2020/ Tried not suing your customers when they make claims?. FIC 2020 EU companies aren’t taking out insurance against attacks on online assets because the companies selling coverage aren’t organised enough while Brits are more likely to pay off ransomware crooks than others. Insurance that pays out if your company gets hit by an online attack is a tricky subject. While it is an obvious business area for the insurance industry to move into, a panel discussion at France’s Forum international de la cybersécurité last week heard there’s not enough public information on the risks to insurers of offering cyberattack policies.

DoppelPaymer Ransomware Sells Victims’ Data on Darknet if Not Paid

www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/ The DoppelPaymer Ransomware is the latest family threatening to sell or publish a victim’s stolen files if they do not pay a ransom demand. A new tactic being used by ransomware operators that perform network-wide encryption is to steal a victim’s files before encrypting any devices. They then threaten to publish or sell this data if the victim does not pay the ransom. This new tactic started in November 2019 when Maze Ransomware publicly released stolen files belonging to Allied Universal for not paying a ransom. Since then, Sodinokibi/REvil released stolen data and the Nemty Ransomware announced in their RaaS affiliate panel that they would start doing it as well.

DoD to Require Cybersecurity Certification From Defense Contractors

www.bleepingcomputer.com/news/security/dod-to-require-cybersecurity-certification-from-defense-contractors/ The United States Department of Defense (DoD) announced that defense contractors will have to meet a basic level of cybersecurity standards when replying to a government acquisition program’s request for proposals by 2026. The Cybersecurity Maturity Model Certification (CMMC) framework version 1.0 was released on January 31 and it is “a unified cybersecurity standard for future DoD acquisitions.”

Bouygues Construction Shuts Down Network to Thwart Maze Ransomware

www.bleepingcomputer.com/news/security/bouygues-construction-shuts-down-network-to-thwart-maze-ransomware/ French construction giant Bouygues Construction shut down their computer network to avoid having all of their data encrypted by the Maze Ransomware.

“On erittäin vaikea saada nimensä pois yritysten rekistereistä”

www.kauppalehti.fi/uutiset/on-erittain-vaikea-saada-nimensa-pois-yritysten-rekistereista/86bd8919-b645-48a0-9820-437273791c55 Ongelma tulisi ratkaista mieluiten maailmanlaajuisesti tai ainakin EU:ssa luomalla yksi osoite, johon kaikkien rekisterinpitäjien ja etenkin ihmisten tietoja myyvien yritysten tulee rekisteröityä ja johon ihmiset voivat lähettää tiedustelut ja poistopyynnöt, kirjoittaja ehdottaa mielipidekirjoituksessaan.

Rogue IoT devices are putting your network at risk from hackers

www.zdnet.com/article/rogue-iot-devices-are-putting-your-network-at-risk-from-hackers/#ftag=RSSbaffb68 ‘Shadow IoT’ devices are creating security holes within organisations which cyber criminals are looking to exploit. Employees are bringing their own Internet of Things connected devices to the workplace and could be putting organisations at risk from cyber attacks because enterprise security teams aren’t always aware that these devices are connected to the network.

Would you get hooked by a phishing scam? Test yourself

www.welivesecurity.com/2020/02/03/would-you-get-hooked-phishing-scam-test-yourself/ As the tide of phishing attacks rises, improving your scam-spotting skills is never a bad idea. Many people are confident in their ability to recognize online fraud a mile away, but a recent survey may help explain why phishing continues to pay dividends for scammers. Only 5% of the respondents had a 100-percent success rate in spotting simulated attacks aimed at stealing their sensitive information.

CamuBot Resurfaces With Cross-Channel, Targeted Attacks in Brazil

securityintelligence.com/posts/camubot-resurfaces-with-cross-channel-targeted-attacks-in-brazil/ The malware discussed in this blog saw input from X-Force researchers Andre Piva and Ofir Ozer. It was initially described in a blog post by X-Force’s Maor Wiesen and Limor Kessem. The IBM Trusteer cybercrime research labs specialize in the detection and counteraction of the crimeware and attacks operated by organized cybercrime gangs. In one of our recent analyses, we encountered a new campaign of malware that we previously discovered and named “CamuBot.”

Attacking Driverless Cars with Projected Images

www.schneier.com/blog/archives/2020/02/attacking_drive.html Interesting research — “Phantom Attacks Against Advanced Driving Assistance Systems”:. Read also: www.nassiben.com/phantoms

Lehti: Saksa sai todisteita Huawein ja Kiinan yhteistyöstä

www.is.fi/digitoday/mobiili/art-2000006394313.html Huawei kiistää kärkkäästi Handelsblatt-lehden uusimmat väitteet, joiden mukaan Saksalla olisi tietoa yhtiön ja Kiinan hallituksen kytköksistä. Kiinalainen älypuhelin- ja verkkovalmistaja Huawei on pitkään torjunut Yhdysvaltain väitteitä vakoilusta Kiinan valtiolle. Saksalainen Handelsblatt sanoo saaneensa käsiinsä luottamuksellisen Saksan ulkoministeriön asiakirjan, jossa Yhdysvaltain tiedustelu tarjoaa todisteita vakoilusta. Lue myös:

www.nasdaq.com/articles/germany-has-proof-that-huawei-worked-with-chinese-intelligence-handelsblatt-2020-01-29

Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-02-02

Firefox now shows what telemetry data it’s collecting about you

www.zdnet.com/article/firefox-now-shows-what-telemetry-data-its-collecting-about-you/ Users can no go to about:telemetry and see what Mozilla is collecting about their Firefox installs.

Poliisin ohje Nivalan Nuorisoseuran täydelle salille ikäihmisiä, miten pitää rahat ja omaisuus varkailta suojassa: “Jos Töllin Keijo soittaa teille, älkää antako tunnuslukua.”

www.nivala-lehti.fi/uutinen/588218 Kun sosiaalisessa mediassa kuitenkin ollaan, niin ei ole syytä kertoa sitäkään, että naapuri on reissussa. Seppälä antoi muutenkin hyviä neuvoja, mitä sosiaaliseen mediaan ei kannata laittaa. Jos lataa kuvia, niissä ei kannata esitellä omaisuutta.

Bouygues Construction joutui kiristyshaittaohjelman uhriksi

www.bouygues.com/wp-content/uploads/2020/01/prbouyguesconstructioncyberattack01-31-2020-pdf.pdf

Hakkeri käräytti Messin ja Ronaldon veronkierrosta, mutta isoin paljastus liittyi Afrikan rikkaimpaan naiseen Nyt Rui Pinto odottaa tuomiota vankeudessa

www.hs.fi/ulkomaat/art-2000006392763.html Portugalilainen hakkeri Rui Pinto oli mukana paljastamassa Lionel Messiä ja Cristiano Ronaldoa veronkierrosta. Tammikuussa hakkerille luettiin syytteet yhteensä 90 rikosepäilystä, muun muassa yksityisyyden suojan rikkomisesta, tietomurroista ja kiristyksen yrityksestä.

Pirated Software is All Fun and Games Until Your Data’s Stolen

www.bleepingcomputer.com/news/security/pirated-software-is-all-fun-and-games-until-your-data-s-stolen/ It may be tempting to try to download the latest games or applications for free, but doing so will ultimately land you in a hotbed of trouble as your computer becomes infected with adware, ransomware, and password-stealing Trojans.

Tech Support Scam Hitting Microsoft Edge Start Page Takes a Break

www.bleepingcomputer.com/news/security/tech-support-scam-hitting-microsoft-edge-start-page-takes-a-break/ A sophisticated browser locker campaign that ran on high-profile pages, like Microsoft Edge’s home or popular tech sites, was deactivated this week after in-depth research was published. The actors behind it used a compromised an ad content supplier for top-tier distribution and combined targeted traffic filtering with steganography. This mix allowed the operation to survive for at least two years, bringing victims to a tech support scam page and threat researchers to a dead end as they scratched their heads about how the redirect to the fake malware reporting page happened.

Jäikö Gmailisi auki vieraalle koneelle? Näin suljet sen etänä

www.is.fi/digitoday/art-2000006391076.html Avaa Gmail jollakin tietokoneella. Vieritä Gmailin etusivu pohjaan saakka, ja paina oikean alakulman Tiedot-linkkiä. Se vie sivulle, jossa kerrotaan toiminnasta tällä tilillä. Siellä on myös nappi nimeltä Kirjaudu ulos kaikista muista Gmail-verkkoistunnoista. Paina sitä, niin olet valmis.

Weekend Vulnerability and Patch Report, February 3, 2020

citadel-information.com/2020/02/weekend-vulnerability-and-patch-report-february-3-2020/

Hackers are hijacking smart building access systems to launch DDoS attacks

www.zdnet.com/article/hackers-are-hijacking-smart-building-access-systems-to-launch-ddos-attacks/ More than 2, 300 building access systems can be hijacked due to a severe vulnerability left without a fix. Hackers are actively searching the internet and hijacking smart door/building access control systems, which they are using to launch DDoS attacks, according to firewall company SonicWall. The attacks are targeting Linear eMerge E3, a product of Nortek Security & Control (NSC).

Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-02-01

Exercise Crossed Swords 2020 Reached New Levels of Multinational and Interdisciplinary Cooperation

ccdcoe.org/news/2020/exercise-crossed-swords-2020-reached-new-levels-of-multinational-and-interdisciplinary-cooperation/ The 6th iteration of the annual cyber exercise Crossed Swords in Riga, Latvia, brought together more than 120 technical experts, Cyber Commands´ members, Special Forces operators and military police. Organized jointly by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) and CERT.LV, Crossed Swords has evolved from a purely technical red teaming workshop into a one of a kind training event combining different technical skills with kinetic force and taking place in several locations simultaneously. The exercise plays out a number of mutually intertwined kinetic and cyber operations. The focus is on advancing cyber Red Team members’ skills in preventing, detecting and responding to an adversary in the context of full-scale cyber operations.

Kansaneläkelaitos (Kela) rikkoo lakia, kun se ei pyydä verkkosivuillaan kävijöiltä tietosuojalainsäädännön edellyttämää suostumusta käyttäjätietojen keräämiseen, kirjoittaa Uutissuomalainen

yle.fi/uutiset/3-11187680 Kelan sivuja selaavista päätyy tietoja kolmansille osapuolille. Näitä ovat muun muassa Facebook ja Google. Lue myös:

www.ksml.fi/kotimaa/Kela-rikkoo-lakia-verkon-tietosuojasta-Asiakkaiden-nettik%C3%A4ynneist%C3%A4-menee-tietoa-Googlelle-Facebookille-ja-Twitterille/1505234

Analyysi: Facebook paljastaa, miten yhtiö seuraa sinua palvelun ulkopuolella yhtiö tietää, mitä sovelluksia käytät ja milloin Facebook tekee tiedonkeruustaan läpinäkyvämpää, mutta käyttäjien yksityisyyden suojaa uudistus ei juurikaan paranna

yle.fi/uutiset/3-11186679 Facebook kerää sinusta tietoja koko ajan. Ei vain silloin, kun jaat palvelussa lomakuvia tai kommentoit ystäviesi julkaisuja. Koko ajan. Myös silloin, kun olet sulkenut sovelluksen tai kirjautunut ulos facebook.comista. Tällä viikolla tästä prosessista tuli hieman läpinäkyvämpää(siirryt toiseen palveluun). Facebook julkaisi tiistaina työkalun, jonka avulla käyttäjät näkevät, mitä tietoja Facebook on heistä kerännyt palvelunsa ulkopuolelta. Facebookin ulkopuolinen toiminta -ominaisuus paljastaa, mitkä sovellukset ja verkkosivut jakavat tietoja toimistasi somejätille. Lue myös:

about.fb.com/news/2020/01/data-privacy-day-2020/

Watch Out for Coronavirus Phishing Scams

www.wired.com/story/coronavirus-phishing-scams/ At least one email campaign is preying on fears by claiming to offer info about the Wuhan coronavirus. A sample phishing email from Tuesday, detected by security firm Mimecast, shows attackers disseminating malicious links and PDFs that claim to contain information on how to protect yourself from the spread of the disease. “Go through the attached document on safety measures regarding the spreading of corona virus, ” reads the message, which purports to come from a virologist. “This little measure can save you.”

Remember those infosec fellas who were cuffed while testing the physical security of a courthouse? The burglary charges have been dropped

www.theregister.co.uk/2020/01/31/dumb_charges_dropped_in_iowa/ Criminal charges have been dropped against two infosec professionals who were arrested during a sanctioned physical penetration test gone wrong. On Thursday, the Des Moines Register no relation reported that a judge in Dallas County, Iowa, formally dismissed the third-degree burglary and possession of burglary tools allegations against Coalfire employees Gary DeMercurio and Justin Wynn. Read also:

arstechnica.com/information-technology/2020/01/criminal-charges-dropped-against-2-pentesters-who-broke-into-iowa-courthouse/

New Intel Microcodes for Windows 10 Released to Fix CPU Bugs

www.bleepingcomputer.com/news/microsoft/new-intel-microcodes-for-windows-10-released-to-fix-cpu-bugs/ Microsoft has released a new Intel Microcode update for Windows 10 1909, 1903, and older versions that contains software fixes for hardware bugs in Intel CPUs. Intel Microcode updates are optional updates that mitigate hardware-based security vulnerabilities and bugs through a software patch. This allows Intel to fix, or at least mitigate, security flaws such as speculative execution vulnerabilities or bugs that are discovered after a CPU has been manufactured.

The Week in Ransomware – January 31st 2020 – Taking it to The Courts

www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-31st-2020-taking-it-to-the-courts/ This week we saw victims continuing to use the legal system to target ransomware operators’ assets and services as well as a new ransomware targeting vulnerabilities. The most interesting news is how victims are utilizing the legal system to freeze or get injunctions against the assets and services used by ransomware operators. This was seen in the previous Southwire lawsuit against Maze and this week with a UK judge freezing the ransomware wallet for Bitpaymer.

Ransomware hits TV & radio news monitoring service TVEyes

www.zdnet.com/article/ransomware-hits-tv-radio-news-monitoring-service-tveyes/ Newsrooms, political campaigns, and PR agencies panic as they lose access to one of their crucial media monitoring tools. A ransomware infection has brought down TVEyes, a company that manages a popular platform for monitoring TV and radio news broadcasts, broadly used by newsrooms and PR agencies across the globe. TVEyes CEO David Ives told ZDNet the ransomware attack took place after midnight on Thursday, January 30. The ransomware hit core server & engineering workstations inside TVEyes’ network, primarily in the US, but also some systems located abroad. Ives told ZDNet they have not yet identified the ransomware strain that infected the company’s network, but they have already began recovery efforts.

Burn, drown, or smash your phone: Forensics can extract data anyway

www.zdnet.com/article/burn-drown-or-smash-your-phone-forensics-can-extract-data-anyway/ Even if criminals try to destroy the evidence, NIST finds forensic experts can still extract data from a damaged phone. This is how they do it. Damaged mobile phones are still filled with plenty of useful data, according to researchers at the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce. NIST published the results of a recent study on forensic methods for getting data from mobile damaged mobile phones. It tested the tools that law enforcement uses to hack phones and found that even if criminals attempt to destroy the evidence by burning, drowning, or smashing their phones, forensic tools can still successfully extract data from the phone’s electronic components.

Alert (AA20-031A) – Detecting Citrix CVE-2019-19781

www.us-cert.gov/ncas/alerts/aa20-031a Unknown cyber network exploitation (CNE) actors have successfully compromised numerous organizations that employed vulnerable Citrix devices through a critical vulnerability known as CVE-2019-19781.[1]. Though mitigations were released on the same day Citrix announced CVE-2019-19781, organizations that did not appropriately apply the mitigations were likely to be targeted once exploit code began circulating on the internet a few weeks later.

Sodinokibi Ransomware Group Sponsors Hacking Contest

threatpost.com/sodinokibi-ransomware-hacking-contest/152422/ Larger winnings for underground skills competitions are attracting sophisticated crime groups. White hats aren’t alone in holding hacking contests. Russian-language cybercriminals are known for running similar competitions on underground forums. However, an analysis of Dark Web activity has uncovered a trend towards offering increasingly high-stakes prizes during such battles. At the same time, increasingly sophisticated participants are throwing their hats into the mix notably, the operators behind the Sodinokibi (a.k.a. REvil) ransomware.

Iranian Hackers Target U.S. Gov. Vendor With Malware

threatpost.com/iran-hackers-us-gov-malware/152452/ APT34 has been spotted in a malware campaign targeting customers and employees of a company that works closely with U.S. federal agencies, and state and local governments. The company in question is U.S.-based Westat, a professional services company that provides research services to U.S. state and local governments, as well as more than 80 federal agencies. Researchers at Intezer uncovered the campaign after detecting a malicious file in January (called survey.xls), purporting to be an employee satisfaction survey for Westat employees and customers. The emails contain Excel spreadsheets that, once downloaded, at first appear to be blank, according to the analysis Only after victims enable macros on the spreadsheet does the survey appear asking whether victims are satisfied by career-development opportunities and job-related training, for instance but in the background, unbeknownst to them, malicious Visual Basic for Applications (VBA)

Why Public Wi-Fi is a Lot Safer Than You Think

www.eff.org/deeplinks/2020/01/why-public-wi-fi-lot-safer-you-think If you follow security on the Internet, you may have seen articles warning you to “beware of public Wi-Fi networks” in cafes, airports, hotels, and other public places. But now, due to the widespread deployment of HTTPS encryption on most popular websites, advice to avoid public Wi-Fi is mostly out of date and applicable to a lot fewer people than it once was.

Abusing DLL Misconfigurations Using Threat Intelligence to Weaponize R&D

www.fireeye.com/blog/threat-research/2020/01/abusing-dll-misconfigurations.html Dynamic-link library (DLL) side-loading occurs when Windows Side-by-Side (WinSxS) manifests are not explicit about the characteristics of DLLs being loaded by a program. In layman’s terms, DLL side-loading can allow an attacker to trick a program into loading a malicious DLL. If you are interested in learning more about how DLL side-loading works and how we see attackers using this technique, read through our whitepaper. DLL hijacking occurs when an attacker is able to take advantage of the Windows search and load order, allowing the execution of a malicious DLL, rather than the legitimate DLL.

71% of ransomware attacks target SMEs

www.pandasecurity.com/mediacenter/business/cybersecurity-smes/ Cybercrime is an undeniable constant in the business landscape these days. The cost of cybercrime is constantly risingit is estimated that by 2021, it will have reached $6 trillion. Cyberattacks on large companies tend to grab headlines all around the world because of their spectacular impact. However, there is one sector that, though it doesn’t normally generate headlines when it suffers a cyberattack: SMEs.

Three suspects arrested in Maltese bank cyber-heist

www.zdnet.com/article/three-suspects-arrested-in-maltese-bank-cyber-heist/ British police have arrested yesterday three individuals that they believe are involved in the February 2019 hack of Bank of Valletta (BOV), one of Malta’s biggest banks. The three were arrested on money laundering charges. At the time of writing, it is unclear if the three orchestrated the Malta BOV cyber-heyst, or were just helping the hackers launder the stolen funds.

Cybersecurity lacking at most of the world’s major airports

www.scmagazine.com/home/security-news/cybersecurity-lacking-at-most-of-the-worlds-major-airports/ When it comes to cybersecurity Amsterdam, Helsinki and Dublin were ranked the three safest airports by Immuniweb, but overall these facilities fared poorly when it came to protecting their websites, mobile platforms and systems. The study found 97 of the world’s 100 largest airports have have security risks related to vulnerable web and mobile applications, misconfigured public cloud, dark web exposure or code repositories leaks.

Android Malware Targets Diabetic Patients

www.fortinet.com/blog/threat-research/android-malware-targets-diabetic-patients.html I recently ran across an Android app named “Treatment for Diabetes.” With such a title, many would intuitively think this Android application is safe. However, at the recent Virus Bulletin 2019 conference I have showed that malware can be hidden in any application medical applications included to enable criminals to generate revenue through aggressive advertisements. While this compromised app does not generate false advertisements, the issue is the same: almost any application can be infected with malware. Read also:

fortiguard.com/events/3166/virus-vulletin-2019-medical-iot-for-diabetes-and-cybercrime

Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-01-31

How Do You Measure the Success of Your Patch Management Efforts?

securityintelligence.com/posts/how-do-you-measure-the-success-of-your-patch-management-efforts/ If you follow the news, you will often see that yet another company has been breached or taken hostage by ransomware. If you read the full details of these stories, usually they have one main thing in common: These organizations are behind in patch management. The question that arises, then, is why?. There are two sides to this story: A technical one and a procedural one. Let’s dive into the procedural side first. In general, patches with the exception of emergency patches can only be installed during a maintenance period. This is to ensure that business continuity is not interrupted. This brings the first issue forward: How do you determine what should be an emergency patch?

Winnti Group targeting universities in Hong Kong

www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ ESET researchers uncover a new campaign of the Winnti Group targeting universities and using ShadowPad and Winnti malware. In November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities. We found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new launcher and embedding numerous modules. The Winnti malware was also found at these universities a few weeks prior to ShadowPad.

200K WordPress Sites Vulnerable to Plugin Flaw

threatpost.com/200k-wordpress-sites-vulnerable-to-plugin-flaw/152415/ Developers behind WordPress plugin Code Snippets have issued a patch for the high-severity flaw. A high-severity vulnerability exists in a popular WordPress plugin, potentially opening up 200, 000 websites to takeover. The WordPress plugin in question in Code Snippets, which allows users to run small chunks of PHP code on their websites. This can be used to extend the functionality of the website (essentially used as a mini-plugin). The flaw (CVE-2020-8417) has been patched by the plugin’s developer, Code Snippets Pro.

Miten jäljittää henkilö tai piiloutua stalkkerilta? piiloutuminen on vaikeaa jos etsijä osaa asiansa

www.tivi.fi/uutiset/tv/dd1182b0-625b-4984-bc0a-be2dcbbffb0e Perusteellisella työllä jäljittäjä löytää henkilöstä yllättävän paljon tietoa verkossa. Henkilön jäljittämiselle verkossa voi olla monia perusteita. Toinen tahtoo löytää kauan sitten kadonneen sukulaisen, jonka kanssa ei ole tullut pidettyä yhteyttä, toinen saattaa pakkomielteissään jahdata ex-kumppaniaan. Olit sitten itse aikeissa etsiä jotakuta verkossa tai päinvastoin joutunut ikävän stalkkerin uhriksi, on hyvä tietää miten tietoa voi löytää. Lue myös:

www.gizmodo.com.au/2020/01/how-to-find-anyone-online/

FBI tutkii tietoturvayhtiötä epäilee digipussin jauhojen olevan kaikkea muuta kuin puhtaita

www.tivi.fi/uutiset/tv/3c59ed07-b251-4242-b3de-1f45d6441b9a Israelilainen NSO Group on saavuttanut kyseenalaista mainetta hakkerointityökaluillaan. Nyt yhtiöstä on kiinnostunut myös FBI. Lue myös

www.zdnet.com/article/fbi-launches-investigation-into-pegasus-spyware-vendor-over-us-intelligence-gathering-hacks/

Pelkoa koronatartunnasta käytetään hyväksi käynnissä vaarallinen sähköpostikampanja

www.is.fi/digitoday/tietoturva/art-2000006389423.html Tietokonevirusta levitetään koronaviruksen imussa. Hätäinen klikkaaja saa tartunnan. Koronavirus ei jäänyt huomaamatta haittaohjelmamaakareilta. Maailmalla ennenkin riehunutta Emotet-haittaohjelmaa levitetään sähköposteilla, joissa varoitetaan koronaviruksen tartunnoista. Lue myös

www.bleepingcomputer.com/news/security/emotet-uses-coronavirus-scare-to-infect-japanese-targets/

Microsoft Detects New Evil Corp Malware Attacks After Short Break

www.bleepingcomputer.com/news/security/microsoft-detects-new-evil-corp-malware-attacks-after-short-break/ Microsoft says that an ongoing Evil Corp phishing campaign is using attachments featuring HTML redirectors for delivering malicious Excel documents, this being the first time the threat actors have been seen adopting this technique. The new campaign is detailed in a series of tweets from the Microsoft Security Intelligence account, with the researchers saying that the final payload is being dropped using an Excel document that bundles a malicious macro.

NEC Defense Contracts Info Potentially Compromised in Breach

www.bleepingcomputer.com/news/security/nec-defense-contracts-info-potentially-compromised-in-breach/ The Japanese NEC electronics giant was the target of a cyberattack that resulted in unauthorized access to its internal network on Thursday according to information leaked to Japanese newspapers by sources close to the matter. The electronics and information technology giant is a major contractor for Japan’s defense industry, engaged in various defense equipment projects with the Japan Self-Defense Forces (JGSDF or Jieitai), including but not limited to 3D radar, broadband multipurpose radio systems and may have leaked relevant information.

TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly

www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/ The TrickBot Trojan has switched to a new Windows 10 UAC bypass to execute itself with elevated privileges without showing a User Account Control prompt. Windows uses a security mechanism called User Account Control (UAC) that will display a prompt every time a program is run with administrative privileges. When these prompts are shown, they will ask logged in user if they wish to allow the program to makes changes, and if the program is suspicious or unrecognized, allows the user to prevent the program from running.

A year after Bank of Valletta ‘cyber heist’, cuffs applied as cash-cleansing case continues

www.theregister.co.uk/2020/01/31/bank_valletta_malta_cyber_heist_case_arrests/ Nearly a year after Malta’s Bank of Valletta (BOV) yanked itself from the internet amid a “cyber intrusion”, Britain’s National Crime Agency (NCA) has made three arrests. Around £800k was transferred to a number of accounts during the 2019 “cyber heist”, according to the NCA, one of which was in the UK and held in Belfast. Read also:

nationalcrimeagency.gov.uk/news/arrests-in-belfast-and-london-in-cyber-heist-money-laundering-investigation

It’s not true no one wants.uk domains just look at all these Bulgarians who signed up to nab expired addresses

www.theregister.co.uk/2020/01/31/uk_address_bulgarians/ Hundreds of thousands of unwanted.uk domains are being dropped by their owners and picked up by Europeans looking to profit from Blighty’s registry system. As we have previously noted, the controversial plan to start selling.uk domains, such as yourcompanyname.uk, resulted in thousands of Brits being pressured into owning web addresses they never wanted and never ordered.

Two Vulnerabilities Found in Microsoft Azure Infrastructure

www.darkreading.com/cloud/two-vulnerabilities-found-in-microsoft-azure-infrastructure/d/d-id/1336932 Researchers detail the process of finding two flaws in the Azure Stack architecture and Azure App Service, both of which have been patched. Check Point Research analysts who discovered two vulnerabilities in the Microsoft Azure cloud infrastructure have published the details of how these flaws were found and how attackers could potentially use them. Read also:

research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-i/

Android Malware for Mobile Ad Fraud Spiked Sharply in 2019

www.darkreading.com/mobile/android-malware-for-mobile-ad-fraud-spiked-sharply-in-2019/d/d-id/1336930 Some 93% of all mobile transactions across 20 countries were blocked as fraudulent, Upstream says. Criminal groups are increasingly targeting users of Android mobile devices with malware for conducting ad fraud on a massive scale. Mobile security vendor Upstream this week said that in 2019 it identified as many as 98, 000 malicious Android apps and 43 million infected Android devices across the 20 countries where mobile operators currently use its technology. The numbers are up sharply from 2018 when Upstream recorded some 63, 000 apps and 30 million infected devices.

Verkkohyökkäykset arkipäiväistyneet Kyberasiantuntija Aapo Cederberg: “Varautuminen on 10 kertaa halvempaa kuin jälkituhojen korjaaminen”

yle.fi/uutiset/3-11182227 Israelilainen ja suomalainen asiantuntija korostavat, että tietoturvasta ei pidä säästää väärässä paikassa. Kyberturvallisuus nousee entistä tärkeämmäksi asiaksi esineiden internetin (IoT) ja 5G-verkon yleistyessä. Tätä mieltä olivat asiantuntijat tiistaina Salossa järjestetyssä Cyber Talks -tapahtumassa, jossa yleisöä puhutti muun muassa kuntien tietojärjestelmien turvallisuus.

Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-01-30

Enterprise Hardware Still Vulnerable to Memory Lane Attacks

www.darkreading.com/vulnerabilities—threats/enterprise-hardware-still-vulnerable-to-memory-lane-attacks/d/d-id/1336921 Most laptops, workstations, and servers are still vulnerable to physical attacks via direct memory access, despite mitigations often being available, report says.. Report:

eclypsium.com/2020/01/30/direct-memory-access-attacks/

Dozens of companies have data dumped online by ransomware ring seeking leverage

arstechnica.com/information-technology/2020/01/dozens-of-companies-have-data-dumped-online-by-ransomware-ring-seeking-leverage/ Maze operators “gift” Pensacola by removing data dump, but others not so lucky.. The Maze ransomware ring has taken extortion to new heights by publicly posting breached data on the Internetand threatening full dumps of stolen data if the ring’s “customers” don’t pay for their files to be unencrypted. But the group appears to be making one exception: the City of Pensacola, which was hit by Maze ransomware in December.

If only 3 in 100,000 cyber-crimes are prosecuted, why not train cops to bring these crooks to justice once and for all, suggests think-tank veep

www.theregister.co.uk/2020/01/30/cops_crime_failure/ ‘We are focusing on defending systems over identifying and pursuing the person behind the cyber-crime’

Varo uutta huijausta: Ilmoitus tekstiviestillä vie kalliiseen ansaan

www.is.fi/digitoday/tietoturva/art-2000006388489.html Saapuvasta paketista kertovassa tekstiviestissä on linkki hämäräsivuille, joiden tärkein tieto on pienellä ja harmaalla kirjoitettu.

Government Report Reveals Its Favorite Way to Hack iPhones, Without Backdoors

www.vice.com/en_us/article/n7jevz/government-report-reveals-its-favorite-way-to-hack-iphones-without-backdoors Feds are once again demanding encryption backdoors, but its own data shows it can extract data from phones without them.

US DOI halts operations for its entire drone fleet over Chinese cybersecurity concerns

www.zdnet.com/article/us-doi-halts-operations-for-its-entire-drone-fleet-over-cybersecurity-concerns/ The US Department of the Interior (DOI) has halted the operations of its entire drone fleet except in emergency situations as the department wants to review whether the drones manufactured by “designated foreign-owned companies” are a threat to national security.

U.N. Hack Stemmed From Microsoft SharePoint Flaw

threatpost.com/un-hack-microsoft-sharepoint-flaw/152378/ Reportedly, the bug wasnt patched, leading to a data breach in July.

Coronavirus Campaigns Spread Emotet, Malware

threatpost.com/coronavirus-propagate-emotet/152404/

Apple wants to standardize the format of SMS OTPs (one-time passcodes)

www.zdnet.com/article/apple-wants-to-standardize-the-format-of-sms-otps-one-time-passcodes/ WebKit team proposal aims to improve the security of one-time passcodes sent to users via SMS.

Microsoft Azure Flaws Could Have Let Hackers Take Over Cloud Servers

thehackernews.com/2020/01/microsoft-azure-vulnerabilities.html Cybersecurity researchers at Check Point today disclosed details of two recently patched potentially dangerous vulnerabilities in Microsoft Azure services that, if exploited, could have allowed hackers to target several businesses that run their web and mobile apps on Azure.

An Emotet campaign hits the United Nations

www.pandasecurity.com/mediacenter/news/emotet-united-nations/

Dell, HP Memory-Access Bugs Open Attacker Path to Kernel Privileges

threatpost.com/dell-hp-memory-access-bugskernel-privileges/152369/ The manufacturers have issued BIOS updates to address the issues, but researchers warn DMA attacks are likely possible against a range of laptops and desktops.

Forensics detective says Android phones are now harder to crack than iPhones

www.androidauthority.com/android-encryption-forensics-1078668/

Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-01-29

EXCLUSIVE: The cyber attack the UN tried to keep under wraps

www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack The UN did not publicly disclose a major hacking attack into its IT systems in Europe a decision that potentially put staff, other organisations, and individuals at risk, according to data protection advocates.. also: apnews.com/0d958e15d7f5081dd612f07482f48b73

Someone Tried to Hack My Phone. Technology Researchers Accused Saudi Arabia.

www.nytimes.com/2020/01/28/reader-center/phone-hacking-saudi-arabia.html – From a suspicious text message I received, technology researchers concluded that hackers working for Saudi Arabia had targeted my phone with powerful Israeli software.. also:

citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/

Wawa Breach May Have Compromised More Than 30 Million Payment Cards

krebsonsecurity.com/2020/01/wawa-breach-may-have-compromised-more-than-30-million-payment-cards/ In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the undergrounds most popular crime shops, which claims

Canadian insurer paid for ransomware decryptor. Now it’s hunting the scum down

www.theregister.co.uk/2020/01/29/canadian_insurer_paid_ransomware_hunt/ A Canadian insurance business struck by ransomware paid off the crooks via a cyber insurance policy and their English reinsurers, having shelled out 109.25 Bitcoins, want it back from the alleged blackmailers.. Neither company was going to pay out and forget the incident. The English reinsurer hired Chainalysis Inc, a “blockchain investigations firm”, which eventually pinpointed the people responsible.. also:

www.coindesk.com/british-court-freezes-860000-in-bitcoin-linked-to-ransomware-payout

2019 saw more cryptocurrency hacks than any other year

www.zdnet.com/article/2019-saw-more-cryptocurrency-hacks-than-any-other-year/ Hackers launched more attacks against cryptocurrency exchanges in 2019, but stole fewer funds.. In 2019, hackers have successfully breached 11 major cryptocurrency exchanges and have stolen more than $283 million worth of cryptocurrency, according to blockchain analysis firm Chainalysis.

Sitra: Datan liikkumista mahdoton hahmottaa gdpr täysin riittämätön

www.tivi.fi/uutiset/tv/e060fafc-9a03-486e-9f5b-421fe366fdb0

Sprint Exposed Customer Support Site to Web

krebsonsecurity.com/2020/01/sprint-exposed-customer-support-site-to-web/ Fresh on the heels of a disclosure that Microsoft Corp. leaked internal customer support data to the Internet, mobile provider Sprint has addressed a mix-up in which posts to a private customer support community were exposed to the Web.

SIM Swappers Are Phishing Telecom Company Employees to Access Internal Tools

www.vice.com/en_us/article/v74b4d/sim-swappers-phishing-verizon-sprint-tmobile-to-access-internal-tools SIM swappers are particularly interested in a tool called Omni from Verizon that allows hackers to take over phone numbers.

Leaked Documents Expose the Secretive Market for Your Web Browsing Data

www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation An Avast antivirus subsidiary sells ‘Every search. Every click. Every buy. On every site.’ Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey.

Why the UK is banning default passwords in IoT devices

tech.newstatesman.com/security/uk-banning-default-passwords

Apple has a Vladimir Putin problem

www.fastcompany.com/90456530/apple-has-a-vladimir-putin-problem In November 2019, Russian parliament passed whats become

Google Continues to Prod Holes in Apples Security

www.cbronline.com/news/apple-cves-google One vulnerability could allow attackers nearby to remote control any Mac systems with zero interaction.