NCSC-FI News followup

Daily NCSC-FI news followup 2020-04-12

Sodinokibi Ransomware to stop taking Bitcoin to hide money trail – The Sodinokibi Ransomware has started to accept the Monero cryptocurrency to make it harder for law enforcement to track ransom payments and plans to stop allowing bitcoin payments in the future.

Burning Cell Towers, Out of Baseless Fear They Spread the Virus – Across Britain, more than 30 acts of arson and vandalism have taken place against wireless towers and other telecom gear this month, according to police reports and a telecom trade group. In roughly 80 other incidents in the country, telecom technicians have been harassed on the job.

New Wiper Malware impersonates security researchers as prank – A malware distributor has decided to play a nasty prank by locking victims’ computers before they can start Windows and then blaming the infection on two well-known and respected security researchers.

Daily NCSC-FI news followup 2020-04-11

How Apple and Google Are Enabling Covid-19 Contact-Tracing – The tech giants have teamed up to use a Bluetooth-based framework to keep track of the spread of infections without compromising location privacy.

The Challenge of Proximity Apps For COVID-19 Contact Tracing – Around the world, a diverse and growing chorus is calling for the use of smartphone proximity technology to fight COVID-19. In particular, public health experts and others argue that smartphones could provide a solution to an urgent need for rapid, widespread contact tracing, that is, tracking who infected people come in contact with as they move through the world.

WooCommerce Falls to Fresh Card-Skimmer Malware – The payment-card stealer differs from typical malware targeting WordPress-based e-commerce environments.

When a hospital was hit by a cyber attack, it was the last straw for Mikko Kenttälä and other hackers who want to use their skills for good – Mikko Kenttälä is a member of the cyber volunteer fire brigade. He puts out information security fires.

Daily NCSC-FI news followup 2020-04-10

Large email extortion campaign underway, DON’T PANIC! – A large email extortion campaign is underway telling recipients that their computer was hacked and that a video was taken through the hacked computer’s webcam. The attackers then demand $1,900 in bitcoins or the video will be sent to family and friends.

Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay – Internal confidential documents belonging to some of the largest aerospace companies in the world have been stolen from an industrial contractor and leaked online.

5G Virus Conspiracy Theory Fueled by Coordinated Effort – Marc Owen Jones, a researcher at Hamad bin Khalifa University in Qatar, who specializes in online disinformation networks, analyzed 22,000 recent interactions on Twitter mentioning 5G and corona, and said he found a large number of accounts displaying what he termed inauthentic activity. He said the effort bears some hallmarks of a state-backed campaign.

Ever needed a Zoom password? Probably not. But why not? – With Zoom and Zoom-bombing being all the rage, here’s why the app’s default password settings may be leaving the backdoor wide open.

US wants to ban China Telecom over national cybersecurity risks – Several U.S. Executive Branch agencies are asking the Federal Communications Commission (FCC) to block China Telecom Americas’ authorization to operate within the United States over significant cybersecurity risks.

Microsoft: Azure delays not acknowledged for 5 hours because manager was asleep – Microsoft has revealed it took five hours to acknowledge lengthy disruptions affecting European customers in late March because the task of informing customers relied on a US-based incident manager, who was asleep at the time.

Unique P2P Architecture Gives DDG Botnet Unstoppable Status – DDG might be the world’s first P2P-based cryptomining botnet.

The Sandboxie Windows sandbox isolation tool is now open-source! – Cybersecurity firm Sophos announced today that it has open-sourced the Sandboxie Windows sandbox-based isolation utility 15 years after it was released.

Compromised Zoom Credentials Swapped in Underground Forums – Thousands of compromised Zoom credentials were discovered in underground forums as cybercriminals look to tap into the burgeoning remote workforce.

San Francisco Int’l Airport discloses data breach after hack – San Francisco International Airport (SFO) disclosed a data breach after two of its websites were hacked during March 2020.

Dutch police arrests suspect behind DDoS attacks on government sites – A 19-year old man from Breda, Netherlands, was arrested today for allegedly carrying out distributed denial-of-service (DDoS) attacks that caused two Dutch government websites to shut down for several hours on March 19, 2020.

Critical VMware Bug Opens Up Corporate Treasure to Hackers – A critical information-disclosure bug in VMware’s Directory Service (vmdir) could lay bare the contents of entire corporate virtual infrastructures, if exploited by cyberattackers.

Promising Results for Post-Quantum Certificates in TLS 1.3 – Quantum computers could threaten the security of TLS key exchange and authentication. To assess the performance of post-quantum certificates in TLS 1.3, we evaluated NIST Round 2 signature algorithms and concluded that two of them offer acceptable speeds. We also analyzed other implications of post-quantum certs in TLS.

Daily NCSC-FI news followup 2020-04-09

HMR targeted by cyber criminals – On Saturday 14 March 2020, HMR was subjected to a targeted and sophisticated attack by cyber criminals. We took immediate action to stop the attack, but not before the attackers had stolen copies of some of our files. We’re sorry to report that, during 21-23 March 2020, the criminals published on their website records from some of our volunteers’ screening visits. The website is not visible on the public web, and those records have since been taken down. The records were from some of our volunteers with surnames beginning with D, G, I or J. The records were scanned copies of documents and results we collected at screening

DDoS attacks took down Italy’s social security website amid COVID-19 crisis – Frequent cyber attacks forced Italy’s social security and welfare department to temporarily shut down its website at a time when thousands of vulnerable citizens were trying to apply for financial assistance in the middle of the crisis.

Android Users Beware: 100 Million Users Must Delete This Very Dangerous App Now – According to VPNpro, SuperVPN allows hackers to intercept communications between the user and the provider, and even redirect users to a hacker’s malicious server instead of the real VPN server. There is no inference that the app’s developer was responsible for any attacks or data interception. But the risks were well known and publicised, making it an open vulnerability for others to exploit.

A Familiar Storm Approaches: April 14th’s Vulnerability Fujiwhara Event – Back in January, we first warned organizations about the Vulnerability Fujiwhara Effect that will hit three times this year. These major security events, in which Microsoft, Oracle and other multiple large vendors disclose vulnerabilities in popular products on the same day, pose a particular challenge for Vulnerability Management teams, who are left analyzing and prioritizing hundreds of disclosures before remediation can even begin. We have already seen the impacts of the first storm that occurred on January 14th.

Radio frequency: An invisible espionage threat to enterprises – The cybersecurity industry has seen an increase in enterprise attacks from vulnerable RF devices. From unmanageable device attacks and IoT devices being more vulnerable than corporate-managed computers to IoT security breaches, RF espionage is a growing concern for enterprises, but the concern still lags behind the threat.

Spam and phishing in 2019 – In 2019, scammers found new ways to exploit popular resources and social networks to spread spam and sell non-existent goods and services. They actively used YouTube and Instagram comments to place ads and links to potentially malicious pages, and created numerous social media accounts that they promoted by commenting on the posts of popular bloggers.

PowerPoint Weakness Opens Door to Malicious Mouse-Over Attack – A researcher is sounding the alarm over what he believes could be a novel attack vector which allows a hacker to manipulate a PowerPoint file to download and begin the installation of malware, simply by hovering over a hypertext link. The technique does require a victim to accept one pop-up dialogue box to run or install a program. For those reasons, Microsoft does not consider this a vulnerability. Mandar Satam, independent security researcher, disagrees.

This is what Zoombombing looks like – firm guidance from the authorities – The National Cyber Security Centre gives guidance on secure video conferencing. Particular care is needed with Zoom.

US Senate, German government tell employees not to use Zoom – The two organizations now join a list that also includes the Taiwanese government, the Australian government, SpaceX, Google, and New York state area schools.

Cisco Critical Update Phishing Attack Steals Webex Credentials – Emails purporting to be a Cisco critical security advisory are actually part of a phishing campaign trying to steal victims’ Webex credentials.

APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure – From late January, several cyber-criminal and state-sponsored groups have begun using coronavirus-based phishing as their infection vectors to gain a foothold on their victims’ machines. Just like the spread of coronavirus itself, China was the first targeted by APT groups and as the virus spread worldwide, so did the attacks.

7 Ways Hackers and Scammers Are Exploiting Coronavirus Panic – Here, we took a look at some of the wide range of unseen threats rising in the digital space, powered by coronavirus-themed lures that cybercriminals are using for espionage and commercial gain.

Virve’s own network is being shut down: authorities’ critical communications move to Elisa’s network – The Erillisverkot group says it will procure the broadband Virve 2.0 radio network as a service from Elisa and the core information systems from Ericsson. The aim is to secure the continuity of society’s critical communications and the operation of the authorities under all conditions, now and in the future.

Phishing emails impersonate the White House and VP Mike Pence – Phishing scammers have started to impersonate President Trump and Vice President Mike Pence in emails that distribute malware or perform extortion scams.

Despite Infighting and Volatility, Iran Maintains Aggressive Cyber Operations Structure – Recorded Future’s Insikt Group® is conducting ongoing research on the organizations involved in Iran’s cyber program. This report serves to provide greater insight into the major military and intelligence bodies involved in Iran’s offensive cyber program.

Phishers and iPhone Thieves Rolling Out Multimillion-Dollar Operations – IBM X-Force Incident Response and Intelligence Services (IRIS) researchers recently went down the rabbit hole of a physical iPhone theft that was followed by a SMiShing campaign designed to unlock the phone for resale on the black market.

March 2020’s Most Wanted Malware: Dridex Banking Trojan Ranks On Top Malware List For First Time – Our latest Global Threat Index for March 2020 shows the well-known banking trojan Dridex, which first appeared in 2011, has entered the top ten malware list for the first time, as the third most prevalent malware in March. Dridex has been updated and is now being used in the early attack stages for downloading targeted ransomware, such as BitPaymer and DoppelPaymer.

Unbreakable Smart Lock Draws FTC Ire for Deceptive Security Claims – Tapplock catches heat for patched vulnerabilities because of its claims that its smart locks can’t be hacked.

Consumer reviewer Which? finds CAN bus ports on Ford and VW, starts yelling ‘Security! We have a problem…’ – Modern connected cars contain security threats, consumer org Which? has said after commissioning analyses of two models, a Ford and a Volkswagen.

Daily NCSC-FI news followup 2020-04-08

COVID-19 Exploited by Malicious Cyber Actors – This alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice. This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

Online credit card skimming increased by 26 percent in March – Crisis events such as the current COVID-19 pandemic often lead to a change in habits that captures the attention of cybercriminals. With the confinement measures imposed in many countries, for example, online shopping has soared and along with it, credit card skimming. According to our data, web skimming increased by 26 percent in March over the previous month. While this might not seem like a dramatic jump, digital credit card skimming was already on the rise prior to COVID-19, and this trend will likely continue into the near future.

Introducing our new book Building Secure and Reliable Systems – For good reasons, enterprise security teams have largely focused on confidentiality. However, organizations often recognize data integrity and availability to be equally important, and address these areas with different teams and different controls. The SRE function is a best-in-class approach to reliability. However, it also plays a role in the real-time detection of and response to technical issues, including security-related attacks on privileged access or sensitive data. Ultimately, while engineering teams are often organizationally separated according to specialized skill sets, they have a common goal: ensuring the quality and safety of the system or application.

ThreatList: Skype-Themed Apps Hide a Raft of Malware – It should be said that Skype isn’t alone in being targeted: The research found that among a total of 1,300 suspicious files not using the Skype name, 42 percent were disguised as Zoom, followed by WebEx (22 percent), GoToMeeting (13 percent), Flock (11 percent) and Slack (11 percent).

Zoom removes meeting IDs from client title bar to boost security – A new update to the Zoom client has been released that removes the meeting ID from the title bar when conducting meetings to increase security and to prevent them from being exposed in screenshots.

Microsoft: No surge in malicious attacks, only more COVID-19 lures – “Attackers don’t suddenly have more resources they’re diverting towards tricking users; instead, they’re pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click,” Microsoft 365 Security Corporate Vice President Rob Lefferts said.

Intent to Infekt: Operation Pinball Tactics Reminiscent of Operation Secondary Infektion – Insikt Group recently identified an ongoing information operation that we assess with high confidence shares significant overlap with what the Atlantic Council’s Digital Forensics Lab (DFRLab) refers to as Operation Secondary Infektion (Secondary Infektion); a covert information operation targeting governments in the United States and Europe and believed to originate from Russia. We have named this information operation Operation Pinball.

Fingerprint cloning: Myth or reality? – Our tests showed that on average we achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once. Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties. Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking. The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.

Shipbuilder Austal was hacked with stolen creds sold on dark web – Austal, the ASX-listed shipbuilder and defence contractor, was compromised in late 2018 by an attacker who used login credentials purchased on a dark web forum, but who then failed to extract much of value or secure a ransom to have it returned. CEO David Singleton provided a full post-mortem of the mid-October 2018 breach last week – which he said included a grilling from senior government ministers – and revealed cyber defences put in place afterwards had saved the company from credential phishes as recently as the past fortnight.

Maze ransomware group hacks oil giant; leaks data online – On April 1st, 2020, Berkine became a victim of a cyber-attack by the notorious Maze ransomware group that is known for its unique blackmailing practices. Berkine is a joint venture of Algeria’s state-owned oil firm Sonatrach and Anadarko Algeria Company, a subsidiary of a US-based firm previously known as Anadarko Petroleum Corp. and currently Oxy Occidental.

Antivirus for GPS spoofing and other vulnerabilities – The Regulus system is a software solution that uses machine learning to detect spoofing and defend any GNSS receiver, device, or chipset against it. GPS spoofing attacks are becoming more common and are often very difficult to detect and protect against.

Domain name registrar suspends 600 suspicious coronavirus websites – The UK’s domain name registrar Nominet, which manages the launch of .uk websites, is stepping up efforts to tackle the proliferation of sites dedicated to scamming the public, for example by selling fake vaccines, protective equipment and fraudulent remedies for the COVID-19 virus. Rather than taking down domains after they have been reported as malicious, the organization has implemented more radical measures to stop these sites appearing in the first place, with extra scrutiny of website names containing “coronavirus”, “covid”, or other selected terms related to the pandemic. It is only once the organization has established that the website is legitimate that the domain name will be able to resolve. Eleanor Bradley, head of registry domains at Nominet, told ZDNet that about 600 names have been suspended so far.

How to implement a secure software development lifecycle – Have you ever found yourself wondering if the system you are implementing is secure enough? I have. Quite often actually. It is not an easy question to answer unless you are prepared. This blog post is about how to prepare yourself for that question. The short answer is the Secure Software Development Lifecycle which I will call SSDLC from this point onwards.

Finns Party MPs use Facebook to handle committee matters – expert gives it a total thumbs-down – Parliament’s Director of Administration Pertti Rauhio is astonished to hear that Finns Party MPs use Facebook’s Messenger app to handle committee matters.

How an Attacker Could Use Instance Metadata to Breach Your App in AWS – All cloud providers have capabilities to manage credentials for resources in your cloud-native applications. When used correctly, these capabilities allow you to avoid storing credentials in the clear, or in a source code repository. In AWS, the Instance Metadata Service (IMDS) makes information about a compute instance, its network, and storage available to software running on the instance. IMDS also makes temporary, frequently rotated credentials available for any IAM role attached to the instance. IAM roles attached to an instance may, for example, define that the instance and software running on it can access data in S3 storage buckets.

New dark_nexus IoT Botnet Puts Others to Shame – We named the botnet dark_nexus based on a string it prints in its banner. In one of its earliest versions, it used this name in its user agent string when carrying out exploits over HTTP: dark_NeXus_Qbot/4.0, citing Qbot as its influence. Our analysis has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original.

An Elite Spy Group Used 5 Zero-Days to Hack North Koreans – Cybersecurity researchers at Google’s Threat Analysis Group revealed on Thursday that an unnamed group of hackers used no fewer than five zero-day vulnerabilities, or secret hackable flaws in software, to target North Koreans and North Korea-focused professionals in 2019.

DDG botnet, round X, is there an ending? – DDG is a mining botnet that we first blogged about in Jan 2018. We reported back then that it had made a profit somewhere between 5.8 million and 9.8 million RMB (about 820,000 to 1.4 million US dollars). We have many follow-up blogs about this botnet after that, but it shows no sign of slowing down.

New year, old threats: Malware peddlers went into overdrive in Q1, says Trend Micro – In a report released today, the outfit said it had seen a 24.3 per cent increase in BEC attempts between January and February 2020.

Microsoft and Google postpone insecure authentication removal – Microsoft says that Basic Authentication’s removal from Exchange Online is being postponed until the second half of 2021 due to the current situation created by the COVID-19 pandemic. While Google also announced in December 2019 that it will block less secure apps (LSAs) from accessing G Suite accounts’ data starting in February 2021, the company now says that the LSA turn-off is put on hold until further notice.

Daily NCSC-FI news followup 2020-04-07

80% of all exposed Exchange servers still unpatched for critical flaw – Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover all publicly-facing Exchange servers on the Internet and the numbers are grim. As they found, “at least 357,629 (82.5%) of the 433,464 Exchange servers” are still vulnerable to attacks that would exploit the CVE-2020-0688 vulnerability.

Trusting Zoom? – Since the world went virtual, often by using Zoom, several people have asked me if I use it, and if so, do I use their app or their web interface. If I do use it, isn’t this odd, given that I’ve been doing security and privacy work for more than 30 years and everyone knows that Zoom is a security disaster?

Malware spreads as an instant message from a friend – don’t click, do this instead – Similar malware was also distributed in 2016, 2017 and 2018. All of them follow the same logic: they try to startle or confuse the recipient by combining the message with the recipient’s name.

Support of DANE and DNSSEC in Office 365 Exchange Online – Microsoft has been working closely with partners through the industry association M3AAWG to solve such limitations throughout the email ecosystem. As a result, we have decided to build and add support for DNSSEC and DANE for SMTP to Exchange Online. This support will be specific to SMTP traffic between SMTP gateways. We will also be providing support for TLS reporting (TLS-RPT). The first phase will include only outbound support (mail sent outbound from Exchange Online) and we aim to enable this by the end of the calendar year 2020. The second phase will add inbound support for Exchange Online and we plan to enable that by the end of 2021. For both of those phases, corresponding TLS-RPT support will be provided.

Defense Evasion Dominant in Top MITRE ATT&CK Tactics of 2019 – In 2019, Recorded Future began integrating data regarding cyberattacker tactics, techniques, and procedures (TTPs) based on MITRE ATT&CK® into its data collection and analysis. As part of a review of these identifiers across sandbox submissions for the year, Recorded Future’s Insikt Group assembled a list of the top 10 most frequently referenced techniques. Our analysis of this data found that Defense Evasion was the predominant tactic observed in 2019, with the number one technique being Security Software Discovery.

Europol arrests man for coronavirus business email scam peddling masks, sanitizer – It is claimed the individual was involved in a scam in which an unnamed pharmaceutical company, based in Europe, was defrauded out of 6.64 million. The man masqueraded as a legitimate organization that advertised the quick supply and delivery of FFP2 surgical masks and hand sanitizers, products that have become invaluable in the fight against COVID-19 while also allowing core businesses, research projects, and services to continue.

Microsoft announces IPE, a new code integrity feature for Linux – On Linux systems where IPE is enabled, system administrators can create a list of binaries that are allowed to execute and then add the verification attributes the kernel needs to check for each binary before allowing it to run. If binaries have been altered by an attacker, IPE can block the execution of the malicious code.

ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework – The past two years have borne witness to the increasing collaboration between organized cybercrime groups to avoid duplication of efforts and maximize profits. Although this collaboration has primarily occurred between gangs developing and distributing well-known banking Trojans, such as Emotet, TrickBot and IcedID, it does not stop there. In a new and dangerous twist to this trend, IBM X-Force Incident Response and Intelligence Services (IRIS) research believes that the elite cybercriminal threat actor ITG08, also known as FIN6, has partnered with the malware gang behind one of the most active Trojans, TrickBot, to use TrickBot’s new malware framework dubbed Anchor against organizations for financial profit.

Small business owners applying for COVID-19 relief may have had PII exposed, agency says – As the federal agency overseeing relief to small businesses during the coronavirus pandemic was preparing to ramp up its lending, some of the Small Business Administration’s loan applicants may have had their personally identifiable information exposed to others, an agency spokeswoman tells CyberScoop.

Official Government COVID-19 Mobile Apps Hide a Raft of Threats – Security researchers at the ZeroFOX Alpha Team have uncovered various privacy concerns and security vulnerabilities, including a backdoor, in various apps. The apps are either created and endorsed by countries or invented as one-offs by threat actors to take advantage of the current pandemic, according to a blog post published Monday.

PayPal and Venmo Are Letting SIM Swappers Hijack Accounts – Several major apps and websites, such as Paypal and Venmo, have a flaw that lets hackers easily take over users’ accounts once they have taken control of the victim’s phone number. Last week, two months after their initial outreach to the companies to report this flaw in their authentication mechanisms, the Princeton researchers checked again to see if the companies had fixed the problem. Some, including Adobe, Blizzard, Ebay, Microsoft, and Snapchat, have plugged the hole.

Email provider got hacked, data of 600,000 users now sold on the dark web – The data of more than 600,000 users is currently being sold on the dark web, ZDNet has learned following a tip from one of our readers.

Australia on the cyber offence to bring down COVID-19 scammers – Minister for Defence Linda Reynolds said in a statement that the Australian Signals Directorate (ASD) had mobilised its offensive cyber capabilities to disrupt the foreign cyber criminals behind the spate of malicious activities that have come out of the global pandemic.

Microsoft Buys So Bad Guys Can’t – Wisconsin native Mike O’Connor, who bought 26 years ago but has done very little with it since, said he hoped Microsoft would buy it because hundreds of thousands of confused Windows PCs are constantly trying to share sensitive data with Also, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to

How we abused Slack’s TURN servers to gain access to internal services – Confusion surrounding official information channels, like in the case of Italy where there are many sanctioned applications, also puts users at increased risk of falling victim to unofficial applications like the backdoored one Alpha Team identified.

Unkillable xHelper and a Trojan matryoshka – It was the middle of last year that we detected the start of mass attacks by the xHelper Trojan on Android smartphones, but even now the malware remains as active as ever. The main feature of xHelper is entrenchment: once it gets into the phone, it somehow remains there even after the user deletes it and restores the factory settings. We conducted a thorough study to determine how xHelper’s creators furnished it with such survivability.

Dutch indicted for running criminal data center in Germany – Four Dutch people have been charged with cybercrime in Germany, reports the German police. The Dutch ran a data center for criminal use from an old NATO bunker in the German state of Rhineland-Palatinate. Among other things, the data center ran the infamous Wall Street Market, which was taken off the air in April last year. This place was one of the largest dark web marketplaces, where large numbers of drugs were traded.

Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation – This blog post continues the FLARE script series with a discussion of patching IDA Pro database files (IDBs) to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won’t always successfully execute in a VM. I use IDA Pro’s Bochs integration in IDB mode to sidestep tedious debugging scenarios and get quick results. Bochs emulates the opcodes directly from your IDB in a Bochs VM with no OS.

Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android – BlackBerry researchers have released a new report that examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade.

Increase in RDP Scanning – The increased interest in scanning port 3389 indicates that attackers are ready for some of the changes to network configurations as a result of increased remote access requirements. Sadly, attackers do not give us a break. Instead, they are focusing on weaknesses that organizations are exposing now. Every single attack vector we have looked at these last few months has incorporated the Coronavirus crisis, and attackers are ruthless as usual in exploiting any weakness they can find.

Daily NCSC-FI news followup 2020-04-06

DarkHotel hackers use VPN zero-day to breach Chinese government agencies – Chinese security firm Qihoo 360, which detected the intrusions, said the hackers used a zero-day vulnerability in Sangfor SSL VPN servers, used to provide remote access to enterprise and government networks.

Attacks Simultaneously Exploiting Vulnerability in IE (CVE-2020-0674) and Firefox (CVE-2019-17026) – On 8 January 2020, Mozilla released an advisory regarding a vulnerability in Firefox. On 17 January, Microsoft reported that 0-day attacks exploiting a vulnerability in Internet Explorer (IE) had been seen in the wild. JPCERT/CC confirmed attacks exploiting both vulnerabilities at once and issued a security alert. This article explains the details of these attacks.

Interpol: Ransomware attacks on hospitals are increasing According to security analysts from Chinese firm Qihoo 360, attacks began in March on a Chinese VPN provider called SangFor, used by a number of Chinese governmental agencies. At least 200 VPN servers connecting to multiple endpoints were compromised as of the first week of April, they added. Following this trend, INTERPOL's Cybercrime Threat Response team at its Cyber Fusion Centre said over the weekend that it “has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response.”

Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill: Intelligence for Vulnerability Management, Part One FireEye Mandiant Threat Intelligence documented more zero-days exploited in 2019 than in any of the previous three years. While not every instance of zero-day exploitation can be attributed to a tracked group, we noted that a wider range of tracked actors appear to have gained access to these capabilities. Furthermore, we noted a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber capabilities, as well as an increase in zero-days used against targets in the Middle East, and/or by groups with suspected ties to this region. Going forward, we are likely to see a greater variety of actors using zero-days, especially as private vendors continue feeding the demand for offensive cyber weapons. Also

Beyond Zoom: How Safe Are Slack and Other Collaboration Apps? As the coronavirus pandemic continues to worsen, remote-collaboration platforms, now fixtures in many workers' new normal, are facing more scrutiny. Popular video-conferencing app Zoom may currently be in the cybersecurity hot seat, but other collaboration tools, such as Slack, Trello, WebEx and Microsoft Teams, are certainly not immune from cybercriminal attention.

Malware found in BB server, again “the internet protocol used by the network of Bangladesh Bank is sending and receiving info to suspicious internet protocol infected with malware and botnet,” BCC director Tarique M Barkatullah wrote in a recent letter to the central bank.

Cyber criminals are trying a new trick to cash in on Zoom’s popularity Now researchers at Trend Micro have uncovered cyber criminals looking to exploit Zoom by bundling cryptocurrency mining malware inside a legitimate installer for the video conferencing software.

Password Protected Malicious Excel Files A variant we are observing now is password-protected Excel 4 maldocs using the binary file format .xls (and not OOXML, .xlsm).

Coronavirus-related cyberattacks surge in Brazil During the months of February and March, the cybersecurity company detected an increase of 124% in this type of scam. According to the study, this growth in cyberattacks is directly related to a surge in malicious messages sent through WhatsApp taking advantage of the Covid-19 situation.

Analyzing & Decrypting L4NC34's Simple Ransomware We're constantly seeing news about computers being infected by ransomware, but very rarely do we hear about it affecting websites. That being said, the impact can be serious if the affected website is the webmaster's only source of income or a business relies entirely on its website and online presence. We recently came across a case where all of the website files were seemingly encrypted and had their file names changed to append .crypt.

Enabling security research & hunting with open source IoT attack data When researching and developing detection techniques, sourcing attack data, both to train machine learning models and for use as test data, can be a challenge. To help drive pro-defence research and innovation in this area, Microsoft is releasing data from attacks against our IoT honeypot sensor network from a four-month period in 2019. We are releasing this under the in the hope that this enabled

NASA sees an exponential jump in malware attacks as personnel work from home NASA has experienced an exponential increase in malware attacks and a doubling of agency devices trying to access malicious sites in the past few days as personnel work from home, the space agency's Office of the Chief Information Officer said on Monday.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-04-05

Non-existent respirators are now being peddled in Finland: the coronavirus pandemic keeps even petty criminals at home, but online criminals remain active The EU Commission and European consumer authorities have taken action to prevent coronavirus-related scams. For example, the EU Commission has demanded cooperation from major marketers and platforms. Around twenty reports of coronavirus-related scams have come in so far, says senior specialist Saija Kivimäki of the Finnish Competition and Consumer Authority (Kilpailu- ja kuluttajavirasto).

Microsoft: Emotet Took Down a Network by Overheating All Computers Microsoft says that an Emotet infection was able to take down an organization’s entire network by maxing out CPUs on Windows devices and bringing its Internet connection down to a crawl after one employee was tricked into opening a phishing email attachment. Case study at

Threat Alert: Kinsing Malware Attacks Targeting Container Environments Lately we've been witnessing a rise in the number of attacks that target container environments. We've been tracking an organized attack campaign that targets misconfigured open Docker Daemon API ports. This persistent campaign has been going on for months, with thousands of attempts taking place nearly on a daily basis. These are the highest numbers we've seen in some time, far exceeding what we have witnessed to date. We therefore believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor.

Hundreds of internal servicedesks exposed due to COVID-19 An increasing number of Atlassian JIRA Servicedesks have been misconfigured to be accessible for anyone to sign up. In essence, this is nothing to worry about, as servicedesks may have legitimate reasons to be public. However, a growing number of instances have been repurposed to serve as an internal service ticket portal, allowing attackers to impersonate employees and create legitimate internal requests. […] I took a list of 10,000 popular domain names globally and found out that no less than 288 of 1,972 (roughly 15%) corresponding Atlassian instances were open to the public. This was an increase of 12% compared to tests conducted before the COVID-19 crisis; my earliest scans date back to last summer. About one third of the servicedesks I joined allowed me to assign tickets to other users. In certain configurations, where users are created for any inbound support e-mail (with their display name automatically set to their e-mail address), this would leak the e-mail addresses of every user that has interacted with the external support channels as well.

This is how you deal with route leaks Here's the beginning: for approximately an hour, starting at 19:28 UTC on April 1, 2020, the largest Russian ISP, Rostelecom (AS12389), was announcing prefixes belonging to prominent internet players: Akamai, Cloudflare, Hetzner, Digital Ocean, Amazon AWS, and other famous names.

Crave the Data: Statistics from 1,300 Phishing Campaigns Analysing the data NCC Group has from its Piranha platform, we found a distinct variation in success rates when comparing organisations from different sectors. Targets in Charities were found to be over 3 times more likely to click a link in a Phishing attack than targets in the Health sector; however, once a user had been fooled into clicking the link, half were likely to enter credentials regardless of what sector they worked in.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-04-04

Zoomed In: A Look into a Coinminer Bundled with Zoom Installer We found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up unwittingly downloading a malicious file. The compromised files are not from Zoom's official download center, and are assumed to come from fraudulent websites. We have been working with Zoom to ensure that they are able to communicate this to their users appropriately.

NSO Group: Facebook tried to license our spyware to snoop on its own addicts the same spyware it’s suing us over The Israeli spyware maker’s CEO Shalev Hulio alleged in a statement [PDF] to a US federal district court that in 2017 he was approached by Facebook reps who wanted to use NSO’s Pegasus technology in Facebook’s controversial Onavo Protect app to track mobile users.

Harri Hursti warns: the coronavirus has set cyber crooks in motion Under the cover of the coronavirus, a massive disinformation machine is currently being built on social media and the internet, cyber security expert Harri Hursti says in an interview.

Twitter botnet targeted Turkey while politicizing coronavirus Twitter has taken down a network of more than 9,000 Twitter bots that published inauthentic posts promoting the political interests of the United Arab Emirates and Saudi Arabia. This astroturfing network criticized Turkey's intervention in Libya, a shared interest of both governments, by targeting Turkish President Recep Tayyip Erdogan, DFRLab analysis confirmed. An analysis of the network also showed it had begun politicizing the COVID-19 coronavirus pandemic.

Google rolls back Chrome privacy feature due to COVID-19 Google announced today it was rolling back a recent Chrome browser privacy feature to prevent any disruption to existing websites and their availability during the current coronavirus (COVID-19) outbreak.

Webcam Hacking This post is a technical walkthrough of how I discovered several zero-day bugs in Safari during my hunt to hack the iOS/MacOS camera.

iPhone Camera Hack I discovered a vulnerability in Safari that allowed unauthorized websites to access your camera on iOS and macOS.

Why is ransomware still a thing? One-in-three polled netizens say they would cave to extortion demands This is according to a customer survey [PDF] by Kaspersky Lab. The Russian security house polled more than 2,000 business workers in the US, and 1,000 in Canada, in an online study, and found that 33 per cent would cough up at least some money to cyber-extortionists to get their data back on their own personal machines. Report at

More Than 8,000 Unsecured Redis Instances Found in the Cloud We discovered 8,000 Redis instances that are running unsecured in different parts of the world, even ones deployed in public clouds. These Redis instances have been found without Transport Layer Security (TLS) encryption and are not password protected. Using Shodan, a popular search engine for internet-connected or IoT devices, we discovered over 8,000 unsecured Redis instances deployed worldwide. Some of these unsecured Redis instances were deployed in public clouds such as AWS, Azure, and Google Cloud.

Researchers Discover Hidden Behavior in Thousands of Android Apps The research uncovered 12,706 applications (8.47%) with backdoor secrets (secret access keys, master passwords, and secret commands providing access to admin-only functions), and 4,028 apps (2.69%) that contain blacklist secrets (they would block content based on keywords subject to censorship, cyber bullying or discrimination). Paper at

Zoom will enable waiting rooms by default to stop Zoombombing Zoom is making some drastic changes to prevent rampant abuse as trolls attack publicly shared video calls. Starting April 5th, it will require passwords to enter calls via Meeting ID, as these may be guessed or reused. Meanwhile, it will change virtual waiting rooms to be on by default so hosts have to manually admit attendees.

Zoom admits some calls were routed through China by mistake Zoom now says that during its efforts to ramp up its server capacity to accommodate the massive influx of users over the past few weeks, it mistakenly allowed two of its Chinese data centers to accept calls as a backup in the event of network congestion.

TAMPERING WITH ZOOM’S ANTI-TAMPERING LIBRARY This quick blog post highlights some of the flaws found in the Zoom application when attempting to do integrity checking; these checks verify that the DLLs inside the folder are signed by Zoom and also that no 3rd party DLLs are loaded at runtime. We can trivially disable this DLL by replacing it with our own or simply unloading it from the process.

Scam messages sent in the name of Helsingin Sanomat The link opens a news story that visually resembles a Helsingin Sanomat article and tells how one gets rich with bitcoins, especially at a time like this, says Helsingin Sanomat administrative manager Jaakko Lähteenmaa.

IRS Warns of Surge in Economic Stimulus Payment Scams The Internal Revenue Service (IRS) today issued a warning to alert about a surge in coronavirus-related scams over email, phone calls, or social media requesting personal information while using economic impact payments as a lure.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-04-03

A hacker has wiped, defaced more than 15,000 Elasticsearch servers For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame.

A Quick Look at the Confidentiality of Zoom Meetings This report examines the encryption that protects meetings in the popular Zoom teleconference app. We find that Zoom has rolled their own encryption scheme, which has significant weaknesses. In addition, we identify potential areas of concern in Zoom's infrastructure, including observing the transmission of meeting encryption keys through China.

Europol report on cybercrime and disinformation amid the COVID-19 pandemic During the COVID-19 pandemic, criminals have been quick to seize opportunities to exploit the crisis by adapting their modi operandi and engaging in new criminal activities. Cybercriminals have been among the most adept at exploiting the pandemic. The threat from cybercrime activities during the crisis is dynamic and has the potential to increase further. With a record number of potential victims staying at home and using online services across the EU, the ways for cybercriminals seeking to exploit emerging opportunities and vulnerabilities have multiplied. Report at

Thousands of Zoom video calls left exposed on open Web The problem is not exclusive to Zoom video or Amazon storage. But in designing their service, Zoom's engineers bypassed some common security features of other video-chat programs, such as requiring people to use a unique file name before saving their own clips. That style of operating simplicity has powered Zoom to become the most popular video-chat application in the United States, but it has also frustrated some security researchers who believe such shortcuts can leave users more vulnerable to hacks or abuse.

Supo: A prolonged state of emergency may increase threats to national security, and remote work poses its own risk Supo rarely gives direct guidance to citizens, but in the midst of the coronavirus situation it sends its regards to home offices: now would be a good time to remember information security.

Exceptionally skilled scammers demand fake payments in the name of Posti; the bill can arrive in a genuine message thread The SMS scam can arrive on the phone in the same message thread, and seemingly from the same sender, as the genuine delivery notification messages.

Harden Your Zoom Settings to Protect Your Privacy and Avoid Trolls In the meantime, take these steps to harden your Zoom privacy settings and protect your meetings from Zoombombing trolls. The settings below are all separate, which means you don't need to change them all, and you don't need to change them in any particular order. Consider which settings make sense for you and the groups you communicate with, and do your best to make sure meeting organizers and participants are on the same page about settings and shared expectations.