Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-01-05

Austria: Cyberattack on the Foreign Ministry

orf.at/stories/3149769/ The IT systems of the Foreign Ministry are currently, by all appearances, the target of a serious cyberattack. The attack was still continuing on Sunday, according to Foreign Ministry spokesman Peter Guschelbauer. The ministry suspects an attack by a state actor. Also www.bbc.com/news/world-europe-50997773

US announces AI software export restrictions

www.theverge.com/2020/1/5/21050508/us-export-ban-ai-software-china-geospatial-analysis The ban, which comes into force on Monday, is the first to be applied under a 2018 law known as the Export Control Reform Act or ECRA. This requires the government to examine how it can restrict the export of emerging technologies essential to the national security of the United States, including AI. News of the ban was first reported by Reuters. But the new export ban is extremely narrow. It applies only to software that uses neural networks (a key component in machine learning) to discover points of interest in geospatial imagery, such as houses or vehicles. The ruling, posted by the Bureau of Industry and Security, notes that the restriction only applies to software with a graphical user interface, a feature that makes programs easier for non-technical users to operate.

Russia Takes a Big Step Toward Internet Isolation

www.wired.com/story/russia-internet-control-disconnect-censorship/ According to Russian reports, last week’s government drills actually focused on testing firewalls meant to protect telephony and wireless protocol layers known as SS7 and Diameter that are used for relaying and authenticating data. Mikhail Klimarev, executive director of the Internet Protection Society, a Russian NGO, argues that the tests were largely a propaganda exercise to spread fear about the extent of the government’s technical prowess.

SUMMARY OF TERRORISM THREAT TO THE U.S. HOMELAND

www.dhs.gov/sites/default/files/ntas/alerts/20_0104_ntas_bulletin.pdf Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States

Researching the Digitime Tech FOTA Backdoors

wuffs.org/blog/digitime-tech-fota-backdoors An investigation into the shady stuff going on behind Digitime Tech’s FOTA (Firmware Over The Air) update service, as seen on Planet Computers’ Android devices and on other low-budget Android hardware. Planet are only one OEM though and there’s undoubtedly others using Digitime’s services. There is no way I can trust an OTA distributor which moonlights as a malware distributor like this. This isn’t your typical accidental security bug – this is a company that is knowingly and actively putting a malware distribution mechanism on phones through the supply chain, and getting paid for it. Truly living the dream.

A group claiming to be Iranian hacked the website of a US government agency

www.iltalehti.fi/ulkomaat/a/37237c4c-36ae-42d2-828b-2eca66dbee7c The agency whose website the hackers managed to access is the Federal Depository Library Program (FDLP). It is relatively little known. The purpose of the FDLP is to guarantee that anyone who wants it has free access to government publications.

Time for Insider-Threat Programs to Grow Up

www.darkreading.com/threat-intelligence/time-for-insider-threat-programs-to-grow-up/d/d-id/1336713 In a research paper published this week, Forrester Research found that many of the current insider-threat programs may violate new privacy laws and the more draconian programs may undercut employee performance, says Joseph Blankenship, vice president of research for Forrester.

DeathRansom Part II: Attribution

www.fortinet.com/blog/threat-research/death-ransom-attribution.html FortiGuard Labs established a significant connection between the ongoing DeathRansom and Vidar malware campaigns. They share the naming pattern and infrastructure used. We also found evidence that a Vidar sample tried to download the DeathRansom malware. Based on the evidence left on Russian underground forums, we were able to find a person who seems likely to be behind these malicious campaigns.

FPGA cards can be abused for faster and more reliable Rowhammer attacks

www.zdnet.com/article/fpga-cards-can-be-abused-for-faster-and-more-reliable-rowhammer-attacks/ Seeing that FPGA-CPU architectures are becoming more common, a team of researchers from the Worcester Polytechnic Institute in the US, the University of Lübeck in Germany, and Intel, have looked into how Rowhammer attacks impact this new cloud setup. Furthermore, the academic team also found that a JackHammer attack is much more difficult to detect, because the FPGA’s direct access to system resources leaves no traces on the CPU of the FPGA’s memory access operations. Since most anti-Rowhammer detection systems are configured at the CPU level, this opens a new blind spot in CPU and cloud security.

Trump signs law increasing max robocall fine to $10,000

www.theverge.com/2020/1/1/21045369/robocall-traced-act-signed-trump-law-congress-fcc-ajit-pai The Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act) was signed on Monday, after Congress approved the landmark bill earlier this month to give the federal government new abilities to go after illegal robocallers. Fines can now reach $10,000 per call. The law also requires major carriers such as AT&T, Verizon, and T-Mobile to use a new technology called STIR/SHAKEN to help customers know if they’re being targeted by a robocaller with a spoofed number.

www.linkedin.com/pulse/australian-research-program-inspects-real-scene-between-peter-cassidy/ A population-level survey of Australia would measure the population’s resilience to common spam-based phishing and deliver important insights into any number of factors at the real scene of the cybercrime: between the users’ ears. With a deeper view of the behavioral aspects of the phishing phenomenon, the research and development communities also come closer to the right questions about how the design of the built computing environment and user experience contributes to the success of the phishers’ artful deceptions.

‘Do Not Sell My Info’ – U.S. retailers rush to comply with California privacy law

in.reuters.com/article/uk-usa-retail-privacy/do-not-sell-my-info-u-s-retailers-rush-to-comply-with-california-privacy-law-idINKBN1YZ04D U.S. retailers including Walmart Inc will add Do Not Sell My Info links to their websites and signage in stores starting Jan. 1, allowing California shoppers to understand for the first time what personal and other data the retailers collect, sources said.

Daily NCSC-FI news followup 2020-01-04

Police Tracked a Terror Suspect Until His Phone Went Dark After a Facebook Warning

www.morningstar.com/news/dow-jones/202001026663/police-tracked-a-terror-suspect-until-his-phone-went-dark-after-a-facebook-warning WhatsApp, Facebook Inc.’s popular messaging tool, had just notified about 1,400 users — among them the suspected terrorist — that their phones had been hacked by an “advanced cyber actor.” An elite surveillance team was using spyware from NSO Group, an Israeli company, to track the suspect, according to a law-enforcement official overseeing the investigation.

U.S. Officials Brace for Cyber-Attack Retaliation From Iran

www.msn.com/en-us/news/world/us-officials-brace-for-cyber-attack-retaliation-from-iran/ar-BBYAGGB Former U.S. officials and security experts said there is precedent for such concerns amid years of tit-for-tat cyber-attacks between the two countries. As recently as June, after the U.S. sent additional troops to the Middle East and announced further sanctions on Iran, cyber-attacks targeting U.S. industries and government agencies increased, the Department of Homeland Security said at the time. Also

www.motherjones.com/politics/2020/01/heres-what-a-cyber-attack-by-iran-might-look-like/

Promiscuous Cookies and Their Impending Death via the SameSite Policy

www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/ Come version 80, any cookie without a SameSite attribute will be treated as “Lax” by Chrome. This is really important to understand because, put simply, it’ll very likely break a bunch of stuff. Enterprise IT administrators may need to implement special policies to temporarily revert Chrome Browser to legacy behavior if some services such as single sign-on or internal applications are not ready for the February launch.
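To see which cookies the Chrome 80 change actually breaks, here is an added audit script (not code from Troy Hunt's post) that parses Set-Cookie headers and compares the legacy rule (no SameSite attribute means the cookie rides along on every cross-site request) with the Chrome 80 rule (missing SameSite is treated as Lax, and SameSite=None is rejected unless Secure is also set). The request contexts and sample headers are constructed for the example; Chrome's temporary "Lax+POST" exception for cookies younger than two minutes is deliberately not modelled.

```python
"""Audit Set-Cookie headers for the Chrome 80 SameSite default change.

Added example: classifies each cookie under the legacy rule and under the
Chrome 80 rule, then reports which cross-site flows stop receiving it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse only the parts of a Set-Cookie header that matter for SameSite."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            # Normalise "lax"/"LAX" to "Lax"; a bare "SameSite" counts as absent.
            samesite = value.strip().capitalize() or None
    return Cookie(name, samesite, secure)


# Constructed cross-site request contexts a legacy cookie might rely on.
CONTEXTS = ("top_level_get", "top_level_post", "subresource")


def sent_cross_site(cookie: Cookie, context: str, chrome80: bool) -> bool:
    """Would the browser attach this cookie to a cross-site request?"""
    mode = cookie.samesite
    if mode is None:
        if not chrome80:
            return True  # legacy: unspecified means no restriction at all
        mode = "Lax"     # Chrome 80: unspecified is treated as Lax
    if mode == "None":
        # Chrome 80 drops SameSite=None cookies that are not also Secure.
        return cookie.secure or not chrome80
    if mode == "Lax":
        # Lax: only top-level navigations with a safe method (GET).
        return context == "top_level_get"
    return False  # Strict: never sent on a cross-site request


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> cross-site contexts that break under Chrome 80."""
    report: Dict[str, List[str]] = {}
    for h in headers:
        c = parse_set_cookie(h)
        broken = [ctx for ctx in CONTEXTS
                  if sent_cross_site(c, ctx, chrome80=False)
                  and not sent_cross_site(c, ctx, chrome80=True)]
        if broken:
            report[c.name] = broken
    return report


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real site.
    sample = [
        "session=abc123; Path=/; HttpOnly",       # no SameSite: loses POST + subresources
        "sso_token=xyz; Secure; SameSite=None",     # explicitly opted in: unaffected
        "tracker=1; SameSite=None",                 # None without Secure: rejected outright
        "csrf=q; SameSite=Strict",                  # already restricted: unaffected
    ]
    for name, contexts in audit(sample).items():
        print(f"{name}: no longer sent on {', '.join(contexts)}")
```

Run it over the Set-Cookie headers your SSO or internal apps actually emit; every name in the report is a candidate for an explicit `SameSite=None; Secure` (or a deliberate Lax) before the February rollout.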

This page is currency unavailable… Travelex scrubs UK homepage, kills services, knackers other sites amid ‘software virus’ infection

www.theregister.co.uk/2020/01/03/travelex_down_malware/ While no details were given on just what the infection was or how it got onto the network, Brit infosec watcher Kevin Beaumont pointed out Travelex had public-facing Windows remote-desktop servers with no Network Level Authentication enabled; that’s the feature that requires users to authenticate before they can establish a session and attempt to log in.

Daily NCSC-FI news followup 2020-01-03

Don’t Xiaomi pics of other people’s places! Chinese kitmaker fingers dodgy Boxing Day cache update after Google banishes it from Home

www.theregister.co.uk/2020/01/03/google_blocks_xiaomi/ Xiaomi has blamed some post-Christmas cache digestion problems after finding itself plonked on the naughty step by Google which blocked the Chinese tech conglomerate’s devices from its Nest Hub and Assistant last night.

U.S. Government Issues Warning About Possible Iranian Cyberattacks

www.bleepingcomputer.com/news/security/us-government-issues-warning-about-possible-iranian-cyberattacks/ Christopher C. Krebs, Director of Cybersecurity and Infrastructure Security Agency issued a warning about a potential new wave of Iranian cyber-attacks targeting U.S. assets after Maj. Gen. Qassim Suleimani was killed by a U.S. airstrike at the Baghdad airport in Iraq.

Daily NCSC-FI news followup 2020-01-02

New evasion techniques found in web skimmers

blog.malwarebytes.com/threat-analysis/2019/12/new-evasion-techniques-found-in-web-skimmers/ For a number of years, criminals have been able to steal credit card details from unaware online shoppers without attracting too much attention. Few people in the security industry were talking about these credit card web skimmers, both server-side and client-side, before the latter became largely known as Magecart.

Landry’s restaurant chain disclose POS malware incident

www.zdnet.com/article/landrys-restaurant-chain-disclose-pos-malware-incident/ US restaurant chain Landry’s disclosed a security incident that involved the discovery of malware on the network of hundreds of restaurants.

Ransomware Attackers Offer Holiday Discounts and Greetings

www.bleepingcomputer.com/news/security/ransomware-attackers-offer-holiday-discounts-and-greetings/ To celebrate the holidays, ransomware operators are providing discounts or season’s greetings to entice victims into paying a ransom demand. Such is the case with the Sodinokibi Ransomware (REvil), whose operators MalwareHunterTeam noticed had changed their ransom note over the holidays to include a new message wishing the victims a “Merry Christmas and Happy Holidays”.

Starbucks Devs Leave API Key in GitHub Public Repo

www.bleepingcomputer.com/news/security/starbucks-devs-leave-api-key-in-github-public-repo/ One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users.

Post-quantum TLS now supported in AWS KMS

aws.amazon.com/blogs/security/post-quantum-tls-now-supported-in-aws-kms/ AWS Key Management Service (AWS KMS) now supports post-quantum hybrid key exchange for the Transport Layer Security (TLS) network encryption protocol that is used when connecting to KMS API endpoints. In this post, I’ll tell you what post-quantum TLS is, what hybrid key exchange is, why it’s important, how to take advantage of this new feature, and how to give us feedback.

Daily NCSC-FI news followup 2020-01-01

Chrome extension caught stealing crypto-wallet private keys

www.zdnet.com/article/chrome-extension-caught-stealing-crypto-wallet-private-keys/ A Google Chrome extension was caught injecting JavaScript code on web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals.

Daily NCSC-FI news followup 2019-12-31

Ghosts in the Clouds: Inside China’s Major Corporate Hack

www.wsj.com/articles/ghosts-in-the-clouds-inside-chinas-major-corporate-hack-11577729061 A Wall Street Journal investigation has found that the attack was much bigger than previously known. It goes far beyond the 14 unnamed companies listed in the indictment, stretching across at least a dozen cloud providers, including CGI Group Inc.; Tieto Oyj, a major Finnish IT services company; and International Business Machines Corp (IBM). Article behind paywall.

Microsoft has taken over domain names used by a hacker group; the group is believed to operate from North Korea

yle.fi/uutiset/3-11138983 Technology giant Microsoft has taken over dozens of domain names used by a hacker group. The Thallium hacker group used the domains to steal sensitive information from, for example, employees of government agencies, think tanks, civil rights organisations and universities. See also:

blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/

BRONZE PRESIDENT Targets NGOs

www.secureworks.com/research/bronze-president-targets-ngos BRONZE PRESIDENT is a likely People’s Republic of China (PRC)-based targeted cyberespionage group that uses both proprietary and publicly available tools to target NGO networks.

Daily NCSC-FI news followup 2019-12-30

A new authority will start passing on Finns’ patient data, but promises that privacy protection is secured

yle.fi/uutiset/3-11133001 At the turn of the year a new authority, Findata, begins operations. It collects Finns’ health data and passes it on to parties interested in it. Behind this is the Secondary Use Act (toisiolaki), which entered into force on May Day 2019.

Extremely serious network outage in Satakunta hospitals: a user’s mistake cut the connection to patient information systems

yle.fi/uutiset/3-11138205 On Monday around midday, the data networks of Satasairaala, which provides specialised medical care in Satakunta, suffered a wide-ranging network outage described as extremely serious.

Daily NCSC-FI news followup 2019-12-29

UK Government exposes addresses of new year honours recipients

www.theguardian.com/uk-news/2019/dec/28/government-exposes-addresses-of-new-year-honours-recipients More than 1,000 celebrities, government employees and politicians recognized in the U.K.’s traditional New Year’s Honours list this year “have had their home and work addresses posted on a government website.”

IoT vendor Wyze confirms server leak

www.zdnet.com/article/iot-vendor-wyze-confirms-server-leak/ Wyze, a company that sells smart devices like security cameras, smart plugs, smart lightbulbs, and smart door locks, confirmed today a server leak that exposed the details of roughly 2.4 million customers. The leak occurred after an internal database was accidentally exposed online, Wyze co-founder Dongsheng Song said in a forum post published over Christmas.

2019 Data Breaches: These were the biggest data breaches of the year

www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/ The words “unsecured database” seemed to run on repeat through security journalism in 2019. Every month, another company was asking its customers to change their passwords and report any damage.

Top 10 Breaches and Leaky Server Screw Ups of 2019

threatpost.com/top-10-breaches-leaky-server-2019/151386/ 2019 was a banner year for data exposures, with billions of people affected by cloud misconfigurations, hacks and poor security practices in general. Here’s the Threatpost Top 10 for data-breach news of the year, featuring all the low-lights.

The Uncommon Becomes Ordinary: 4 Trends That Defined Data Breaches in 2019

securityintelligence.com/articles/the-uncommon-becomes-ordinary-4-trends-that-defined-data-breaches-in-2019/

The iOS, Android security landscape in 2019

www.zdnet.com/pictures/these-are-the-ios-android-malware-families-most-likely-to-hit-your-handset-in-2019/

Biggest Malware Threats of 2019

threatpost.com/biggest-malware-threats-of-2019/151423/ 2019 was another banner year for bots, trojans, RATs and ransomware. Let’s take a look back.

The Internet of Things (IoT) and security in 2019

www.zdnet.com/pictures/the-biggest-internet-of-things-smart-home-hacks-over-2019/ Attackers targeted everything from gas pumps to your smart TV this year.

Top Zero Days, Data Breaches and Security Stories of 2019: News Wrap

threatpost.com/top-zero-days-data-breaches-and-security-stories-of-2019-news-wrap/151340/

Reviewing our 2019 AppSec predictions: Supply chain attacks

blog.barracuda.com/2019/12/24/reviewing-our-2019-appsec-predictions-supply-chain-attacks/ At the start of the year, I made three predictions on attack vectors that would become big problems over the year and beyond. This is a look at where the three are, now, at the end of the year.

Catalog of Supply Chain Compromises

github.com/cncf/sig-security/tree/master/supply-chain-security/compromises The goal is not to catalog every known supply chain attack, but rather to capture many examples of different kinds of attack, so that we can better understand the patterns and develop best practices and tools.

A decade in cybersecurity fails: the top breaches, threats, and ‘whoopsies’ of the 2010s

blog.malwarebytes.com/awareness/2019/12/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s/

Start the Year Right with a Security and Privacy Check Up

www.tripwire.com/state-of-security/security-awareness/start-year-right-security-privacy-check-up/ Change passwords, enable multi-factor authentication, review security and privacy settings.

7 signs your cybersecurity is doomed to fail in 2020

www.helpnetsecurity.com/2019/12/20/cybersecurity-fail-2020/

Looking Ahead to 2020 Cybersecurity Trends and a New Decade

securityintelligence.com/articles/looking-ahead-to-2020-cybersecurity-trends-and-a-new-decade/

2020 Predictions: Mobile Security

www.scmagazine.com/home/security-news/mobile-security/2020-predictions-mobile-security/

Bringing Starchild Down to Earth: Soraka SDK

www.whiteops.com/blog/bringing-starchild-down-to-earth-soraka-sdk The White Ops Threat Intelligence team recently identified 100+ malicious apps, with more than 4.6 million downloads, performing ad fraud. All of the apps use a common code package White Ops has dubbed Soraka (com.android.sorakalibrary)

Daily NCSC-FI news followup 2019-12-28

U.S. Coast Guard Says Ryuk Ransomware Took Down Maritime Facility

www.bleepingcomputer.com/news/security/us-coast-guard-says-ryuk-ransomware-took-down-maritime-facility/ The systems encrypted by Ryuk Ransomware directly impacted the facility’s “entire corporate IT network (beyond the footprint of the facility)” [emphasis ours] and physical access and camera control systems, and it also led to “loss of critical process control monitoring systems.”

Ransomware Hits Maastricht University, All Systems Taken Down

www.bleepingcomputer.com/news/security/ransomware-hits-maastricht-university-all-systems-taken-down/ Maastricht University (UM) announced that almost all of its Windows systems have been encrypted by ransomware following a cyber-attack that took place on Monday, December 23. UM is a university from the Netherlands with over 18,000 students, 4,400 employees, and 70,000 alumni.

Ransomware at IT Services Provider Synoptek

krebsonsecurity.com/2019/12/ransomware-at-it-services-provider-synoptek/ Synoptek, a California-based cloud hosting and IT management services provider, suffered a ransomware attack this week that has disrupted operations for many of its clients. Two sources who work at the company have now confirmed their employer was hit by Sodinokibi, a potent ransomware strain also known as REvil.

Ransomware Situation Goes From Bad to Worse

www.darkreading.com/attacks-breaches/ransomware-situation-goes-from-bad-to-worse/d/d-id/1336664 The surge in ransomware attacks on cities, municipalities, schools, and healthcare organizations this year is just a foretaste of what is likely to come in 2020. Threat actors have sensed a very real opportunity to make big returns attacking enterprise organizations using ransomware and are refining their tools and techniques to increase their chances for success, say worried security experts.

30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world

www.zdnet.com/article/30-years-of-ransomware-how-one-bizarre-attack-laid-the-foundations-for-the-malware-taking-over-the-world/ In December 1989 the world was introduced to the first ever ransomware – – and 30 years later ransomware attacks are now at crisis levels.

Leveraging Disk Imaging Tools to Deliver RATs

www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/leveraging-disk-imaging-tools-to-deliver-rats/ This year we observed a notable uptick in disk imaging formats (like .ISO) being used as a container for serving malware via email, with .ISO archives accounting for 6% of all malware attachment archives seen this year.

Ring and Amazon get slammed with a federal lawsuit that claims the companies failed to secure cameras against hackers

www.businessinsider.com/ring-amazon-sued-federal-court-security-hacking-2fa-2019-12 The lawsuit alleges that, as a manufacturer of security products, Ring failed to meet its “most basic obligation by not ensuring its Wi-Fi enabled cameras were protected against cyber-attack.”

Daily NCSC-FI news followup 2019-12-27

Over half of malware lurks in home smart devices – two things that plug the easiest leaks

yle.fi/uutiset/3-11127237?origin=rss The threats disturbing your domestic peace are fairly simple pieces of malware. When the basics are in order, security gets a lot better. Remember these two: a password and device updates. These two criteria are also conditions of the security label (tietoturvamerkki) for device manufacturers – tietoturvamerkki.fi/

Municipalities have weak passwords and shaky firewalls – Lahti paid nearly a million to fend off a cyberattack and now shares its lessons with others

yle.fi/uutiset/3-11121273?origin=rss – – When you know the system, you also know its strengths and weaknesses. Then you can do sensible risk analysis to identify the weakest links, which are the ones worth investing in the most, says Arttu Lehmuskallio, head of unit at the National Cyber Security Centre (Kyberturvallisuuskeskus).

Huawei accuses Supo: spreading American lies

www.is.fi/digitoday/tietoturva/art-2000006353678.html According to Huawei, the US government seeks to influence countries’ intelligence authorities and governments’ decision-making. We do not form our positions on the basis of any outside party’s interests, nor those of international companies, Supo communications specialist Minna Passi said in her statement.

Ryuk Ransomware Stops Encrypting Linux Folders

www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/ A Linux/Unix variant of Ryuk does not exist, but Windows 10 does contain a feature called the Windows Subsystem for Linux (WSL) that allows you to install various Linux distributions directly in Windows. These installations utilize folders with the same blacklisted names as listed above. As the goal of most successful ransomware is to encrypt a victim’s data, but not affect the functionality of the operating system, this change makes sense.

Cyber attack shuts down computers at San Antonio mental health provider

www.expressnews.com/business/health-care/article/Cyber-attack-shuts-down-computers-at-San-Antonio-14930383.php CEO Jelynne LeBlanc Burley said federal officials called the center last week about the attack, and that the center’s techs isolated the threat to a single computer server. Burley decided to shut down the center’s entire computer system as a precaution.

Thai officials say prison cameras were hacked, broadcast

apnews.com/5c290e2d728c573d16a71247d44b50da Authorities in Thailand say they are investigating an apparent online break-in by a computer hacker that allowed him to broadcast surveillance video from inside a prison in the country’s south.

Constant Vigilance Requires Looking Back as Well as Forward

www.securityweek.com/constant-vigilance-requires-looking-back-well-forward In spite of its notoriety and the assumption that most organizations would at least have hardened their systems to that threat, Mirai still represents a serious threat to organizations around the world. Of the top five botnets identified during Q3 of 2019, number four was Mirai, the botnet that caused such widespread devastation in August of 2016.