Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-09-19

5 ways cybercriminals can try to extort you

www.welivesecurity.com/2020/09/18/five-cybercriminals-extortion-schemes/ When it comes to coercing people into parting with their money, cybercriminals seem to have an endless bag of tricks to choose from. There are some tricks that they favor more than others, one of which is extortion. According to the FBI's latest Internet Crime Report, US victims of extortion lost some US$107.5 million to these crimes last year.

Stubborn WooCommerce Plugin Bugs Get Third Patch

threatpost.com/woocommerce-plugin-bug-allows-site-takeover/159364/ E-commerce sites using the WordPress plugin Discount Rules for WooCommerce are being urged to patch two high-severity cross-site scripting flaws that could allow an attacker to hijack a targeted site. Two fixes for the flaws, the first available on Aug. 22 and the second on Sept. 2, failed to patch the problem. A third round of patches for the bugs became available to customers on Sept. 9. On Thursday, the Wordfence Threat Intelligence researchers who were tipped off to the vulnerabilities publicly disclosed the flaws and offered a technical analysis.

Firefox bug lets you hijack nearby mobile browsers via WiFi

www.zdnet.com/article/firefox-bug-lets-you-hijack-nearby-mobile-browsers-via-wifi/ Mozilla has fixed a bug that can be abused to hijack all the Firefox for Android browsers on the same WiFi network and force users to access malicious sites, such as phishing pages. The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab. The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (e.g., sharing video streams with a Roku device).

Tutanota encrypted email service suffers DDoS cyberattacks

www.bleepingcomputer.com/news/security/tutanota-encrypted-email-service-suffers-ddos-cyberattacks/ Encrypted email service Tutanota has experienced a series of DDoS attacks this week, first targeting the Tutanota website and then its DNS providers. This caused several hours of downtime for millions of Tutanota users. The outage was further exacerbated by the fact that different DNS servers continued to cache the incorrect entries for the domain. Tutanota is a German provider of end-to-end encrypted email with over 2 million users. The company is frequently cited alongside popular encrypted email providers like ProtonMail.

CISA Releases Emergency Directive on Microsoft Windows Netlogon Remote Protocol

us-cert.cisa.gov/ncas/current-activity/2020/09/18/cisa-releases-emergency-directive-microsoft-windows-netlogon The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive (ED) 20-04 addressing a critical vulnerability, CVE-2020-1472, affecting Microsoft Windows Netlogon Remote Protocol. An unauthenticated attacker with network access to a domain controller could exploit this vulnerability to compromise all Active Directory identity services.

Woman died in an ambulance after a cyberattack jammed a German hospital's IT system: prosecutor opens a rare homicide investigation

yle.fi/uutiset/3-11553530 If the investigation leads to charges, it would, according to Reuters, be the first time that a person's death has been directly linked to a cyberattack. The charge would be negligent homicide. On Friday a prosecutor in Germany opened a rare homicide investigation in which a woman is suspected to have died as a result of a cyberattack on a hospital, news agency Reuters reports.

Daily NCSC-FI news followup 2020-09-18

RampantKitten: An Iranian Surveillance Operation unraveled

blog.checkpoint.com/2020/09/18/rampantkitten-an-iranian-surveillance-operation-unraveled/ Check Point Research has unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years. While some individual sightings of this attack were previously reported by other researchers and journalists, our investigation allowed us to connect the several different campaigns and attribute all of them to the same attackers. Full research:

research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/

Chinese Antivirus Firm Was Part of APT41 Supply Chain Attack

krebsonsecurity.com/2020/09/chinese-antivirus-firm-was-part-of-apt41-supply-chain-attack/ The U.S. Justice Department this week indicted seven Chinese nationals for a decade-long hacking spree that targeted more than 100 high-tech and online gaming companies. The government alleges the men used malware-laced phishing emails and supply chain attacks to steal data from companies and their customers. One of the alleged hackers was first profiled here in 2012 as the owner of a Chinese antivirus firm.

Is domain name abuse something companies should worry about?

blog.malwarebytes.com/business-2/2020/09/is-domain-name-abuse-something-companies-should-worry-about/ Even though some organizations and companies may not realize it, their domain name is an important asset. Their web presence can even make or break companies. Therefore, domain name abuse is something that can ruin your reputation.

A real-life Maze ransomware attack: If at first you don't succeed

nakedsecurity.sophos.com/2020/09/18/a-real-life-maze-ransomware-attack-if-at-first-you-dont-succeed/ You've probably heard terms like spray-and-pray and fire-and-forget applied to cybercriminality, especially if your involvement in cybersecurity goes back to the early days of spamming and scamming. Those phrases recognise that sending unsolicited email is annoyingly cheap and easy for cybercrooks, who generally don't bother running servers of their own; they often just rent email bandwidth from other crooks.

Plugging in a strange USB drive: What could possibly go wrong?

www.welivesecurity.com/2020/09/17/plugging-in-strange-usb-drive/ External data storage devices have been around almost as long as computers have existed. Magnetic tape and floppy disks, which were once the dominant media, are now mostly fond memories, while optical discs are mostly used in gaming consoles. For the past 20 years, the dominant player on the external storage scene has been the USB flash drive. No wonder: over the years, their storage capacity has increased, and their prices have dropped.

U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence

thehackernews.com/2020/09/iranian-hackers-sanctioned.html The U.S. government on Thursday imposed sweeping sanctions against an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target Rana Intelligence Computing Company (or Rana), which the agencies said operated as a front for the threat group APT39 (aka Chafer or Remix Kitten). Also:

www.zdnet.com/article/us-sanctions-iranian-government-front-company-hiding-major-hacking-operations/

A Mix of Python & VBA in a Malicious Word Document

isc.sans.edu/forums/diary/A+Mix+of+Python+VBA+in+a+Malicious+Word+Document/26578/ A few days ago, Didier wrote an interesting diary about objects embedded in an Office document [1]. I had a discussion about an interesting OLE file that I found. Because it used the same technique, I let Didier publish his diary first. Now, let's have a look at the document.

Apple Bug Allows Code Execution on iPhone, iPad, iPod

threatpost.com/apple-bug-code-execution-iphone/159332/ The release of iOS 14 and iPadOS 14 brings fixes for 11 bugs, some rated high-severity. Apple has updated its iOS and iPadOS operating systems, addressing a wide range of flaws in its iPhone, iPad and iPod devices. The most severe of these could allow an adversary to exploit a privilege-escalation vulnerability against any of the devices and ultimately gain arbitrary code execution.

US charges Iranian hackers for breaching US satellite companies

www.zdnet.com/article/us-charges-iranian-hackers-for-breaching-us-satellite-companies/ Three Iranian nationals have been indicted on charges of hacking US aerospace and satellite companies, the US Department of Justice announced today. Federal prosecutors accused Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati of orchestrating a years-long hacking campaign on behalf of the Iranian government. The hacking spree started in July 2015 and targeted a broad spectrum of victim organizations from both the US and abroad, from which they stole commercial information and intellectual property, officials said today.

Students targeted by scam calls: University of Helsinki warns of fake technical support

www.tivi.fi/uutiset/tv/fc16002d-c675-412b-bd90-9c03950a3152 The University of Helsinki warns of scam calls made in its name. The university writes on Twitter that the scammers pose as technical support. The calls may come from a number that looks genuine, because the criminals use spoofed numbers. The criminals behind the scam calls try to get remote administration software installed on the user's computer. With this software the scammers can take control of the machine.

Leading U.S. laser developer IPG Photonics hit with ransomware

www.bleepingcomputer.com/news/security/leading-us-laser-developer-ipg-photonics-hit-with-ransomware/ IPG Photonics, a leading U.S. developer of fiber lasers for cutting, welding, medical use, and laser weaponry, has suffered a ransomware attack that is disrupting its operations. Based in Oxford, Massachusetts, IPG Photonics has locations worldwide, employs over 4,000 people and had $1.3 billion in revenue in 2019. The company's lasers were used as part of the U.S. Navy's Laser Weapon System (LaWS) that was installed on the USS Ponce. This system is an experimental defensive weapon against small threats and vehicles.

Indictments Unlikely to Deter China’s APT41 Activity

www.darkreading.com/threat-intelligence/indictments-unlikely-to-deter-chinas-apt41-activity-/d/d-id/1338952 So far, at least, the threat group has not let public scrutiny slow it down, security researchers say. Security researchers hold little hope that indictments unsealed this week against five members of the China-based APT41 threat group will deter it from acting with the same impunity it has for the past several years. The US Department of Justice on Wednesday unsealed two indictments (one from August 2019 and the other from August 2020) charging five members of APT41 with computer intrusions, including ransomware attacks and cryptojacking schemes, at over 100 companies in the US and abroad.

Spammers use hexadecimal IP addresses to evade detection

www.zdnet.com/article/spammers-use-hexadecimal-ip-addresses-to-evade-detection/ A spam group has picked up a pretty clever trick that has allowed it to bypass email filters and security systems and land in more inboxes than usual. The trick relies on a quirk in RFC 791, the standard that describes the Internet Protocol (IP).

Test your web service's security: 6 open-source security scanners compared

www.tivi.fi/uutiset/testaa-verkkopalvelusi-tietoturva-vertailussa-6-avoimen-koodin-tietoturvaskanneria/55533dd6-bfff-40c8-b993-8d1ba275e47f It is worth knowing the open-source security scanners that crackers use. The best of them also help in verifying security. In recent years it has been impossible to avoid news of data leaks involving millions of usernames and passwords. Among them have been services used by many Finns, such as Adobe, MyFitnessPal and MyHeritage. These cases have created a need to find and fix web application security holes before online criminals do. Finding the flaws requires good methods.

Yet another scam has arrived from abroad: money taken from credit cards with the reference "Facebk"

yle.fi/uutiset/3-11551613 The credit card charges have often been made from abroad, which can make the fraud hard to investigate. Scammers are becoming ever more inventive. The Sisä-Suomi police department warns of new postal and "Facebk" frauds, which were reported to the police this week. In the postal scam attempts, according to the police, the person received a text message saying that a parcel is on its way but postage is still due. The link in the message leads to a phishing site that asks for the person's bank credentials.

Daily NCSC-FI news followup 2020-09-17

Ransomware attack at German hospital leads to death of patient

www.bleepingcomputer.com/news/security/ransomware-attack-at-german-hospital-leads-to-death-of-patient/ A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.

www.is.fi/digitoday/tietoturva/art-2000006638568.html Scam text messages sent in Posti's name are reaching Finns very actively. Ilta-Sanomat Digitoday has received several reports of messages sent last weekend and this week.

Zerologon: hacking Windows servers with a bunch of zeros

nakedsecurity.sophos.com/2020/09/17/zerologon-hacking-windows-servers-with-a-bunch-of-zeros/ The big, bad bug of the week is called Zerologon. As you can probably tell from the name, it involves Windows (everyone else talks about logging in, but on Windows you've always very definitely logged on) and it is an authentication bypass, because it lets you get away with using a zero-length password.

Emotet strikes Quebec's Department of Justice: An ESET Analysis

www.welivesecurity.com/2020/09/16/emotet-quebec-department-justice-eset/ A cyberattack affecting 14 inboxes belonging to the Department of Justice was confirmed by ESET researchers.

Ransomware warning: Hackers are launching fresh attacks against universities

www.zdnet.com/article/ransomware-warning-hackers-are-launching-fresh-attacks-against-universities/ Cybersecurity agency warns about a spike in ransomware attacks targeting universities and colleges.

Maze ransomware now encrypts via virtual machines to evade detection

www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/ The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang: encrypting a computer from within a virtual machine.

A New Botnet Attack Just Mozied Into Town

securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/ A relatively new player in the threat arena, the Mozi botnet, has spiked among Internet of Things (IoT) devices, IBM X-Force has discovered.

Two Russians Charged in $17M Cryptocurrency Phishing Spree

krebsonsecurity.com/2020/09/two-russians-charged-in-17m-cryptocurrency-phishing-spree/ U.S. authorities today announced criminal charges and financial sanctions against two Russian men accused of stealing nearly $17 million worth of virtual currencies in a series of phishing attacks throughout 2017 and 2018 that spoofed websites for some of the most popular cryptocurrency exchanges.

Daily NCSC-FI news followup 2020-09-16

Data leak: a Chinese company's surveillance list contains 799 Finns, among them politicians and their inner circles. See how the Finns were categorised

yle.fi/uutiset/3-11544521 An exceptional data leak reveals which kinds of Finnish influencers are of interest to China.

Long-lasting autumn storm worries electricity companies: "Several times the usual number of workers are on standby"

yle.fi/uutiset/3-11547019 Electricity companies operating in Central Ostrobothnia have clearly raised their preparedness for a strong and exceptionally long-lasting autumn storm.

More and more people are worried about cybersecurity threats to those close to them

www.epressi.com/tiedotteet/teknologia/yha-useampi-on-huolissaan-lahipiiriinsa-kohdistuvista-tietoturvauhkista.html According to a consumer survey commissioned in late spring by the Finnish Transport and Communications Agency Traficom, Finns perceive cybersecurity threats as significant far more widely than before. However, the ability to protect against these threats is not felt to have improved at the same rate. At the same time, internet-connected smart devices have become more common in homes.

Billions of devices vulnerable to new ‘BLESA’ Bluetooth security flaw

www.zdnet.com/article/billions-of-devices-vulnerable-to-new-blesa-bluetooth-security-flaw/ New BLESA attack goes after the often ignored Bluetooth reconnection process, unlike previous vulnerabilities, most found in the pairing operation.

DDoS Attacks Skyrocket as Pandemic Bites

threatpost.com/ddos-attacks-skyrocket-pandemic/159301/ More people being online during lockdowns and work-from-home shifts has proven to be lucrative for DDoS-ers.

US charges two hackers for defacing US websites following Soleimani killing

www.zdnet.com/article/us-charges-two-hackers-for-defacing-us-websites-following-soleimani-killing/ US authorities have tracked down the two hackers behind a January 2020 mass-defacement campaign.

FBI adds 5 Chinese APT41 hackers to its Cyber’s Most Wanted List

thehackernews.com/2020/09/apt41-hackers-wanted-by-fbi.html The United States government today announced charges against 5 alleged members of a Chinese state-sponsored hacking group and 2 Malaysian hackers who are responsible for hacking more than 100 companies throughout the world.

Koronavilkku downloaded more than two million times, 218 have reported an infection

www.is.fi/digitoday/mobiili/art-2000006637535.html Infections have been reported in Koronavilkku in the same proportion as the app has been taken into use.

LockBit ransomware launches data leak site to double-extort victims

www.bleepingcomputer.com/news/security/lockbit-ransomware-launches-data-leak-site-to-double-extort-victims/ The LockBit ransomware gang has launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying a ransom.

Payments stopped, three arrested in medical supplies fraud case

www.interpol.int/en/News-and-Events/News/2020/Payments-stopped-three-arrested-in-medical-supplies-fraud-case Three members of an international crime syndicate wanted for tricking an Italian company into making fraudulent payments for non-existent medical equipment were arrested in Indonesia, in a case supported by INTERPOL.

Cerberus banking Trojan source code released for free to cyberattackers

www.zdnet.com/article/cerberus-banking-trojan-source-code-released-for-free-to-cyberattackers/ An auction designed to net the developer of the Android malware $100,000 failed.

Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale

www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/ Today, we're excited to release this new tool called Project OneFuzz, an extensible fuzz testing framework for Azure. Available through GitHub as an open-source tool, the testing framework used by Microsoft Edge, Windows, and teams across Microsoft is now available to developers around the world.

This security awareness training email is actually a phishing scam

www.bleepingcomputer.com/news/security/this-security-awareness-training-email-is-actually-a-phishing-scam/ A creative phishing campaign uses an email template that pretends to be a reminder to complete security awareness training from a well-known security company.

Worried about bootkits, rootkits, UEFI nasties? Have you tried turning on Secure Boot, asks the No Sh*! Agency

www.theregister.com/2020/09/16/nsa_secureboot_guide/ The NSA has published online a guide for IT admins to keep systems free of bootkits and rootkits. See also:

media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF

Improved malware protection for users in the Advanced Protection Program

security.googleblog.com/2020/09/improved-malware-protection-for-users.html Google's Advanced Protection Program helps secure people at higher risk of targeted online attacks, like journalists, political organizations, and activists, with a set of constantly evolving safeguards that reflect today's threat landscape.

Daily NCSC-FI news followup 2020-09-15

Windows Exploit Released For Microsoft Zerologon Flaw

threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/ Security researchers and U.S. government authorities alike are urging admins to address Microsoft's critical privilege escalation flaw. Proof-of-concept (PoC) exploit code has been released for a Windows flaw which could allow attackers to infiltrate enterprises by gaining administrative privileges, giving them access to companies' Active Directory domain controllers (DCs). The vulnerability, dubbed Zerologon, is a privilege-escalation glitch (CVE-2020-1472) with a CVSS score of 10 out of 10, making it critical in severity. The flaw was addressed in Microsoft's August 2020 security updates.

Iran-Based Threat Actor Exploits VPN Vulnerabilities

us-cert.cisa.gov/ncas/alerts/aa20-259a CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. See also:

us-cert.cisa.gov/ncas/analysis-reports/ar20-259a

How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM

blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html This new post is about my research this March, which talks about how I found vulnerabilities on a leading Mobile Device Management product and bypassed several limitations to achieve unauthenticated RCE. All the vulnerabilities have been reported to the vendor and got fixed in June.

MFA Bypass Bugs Opened Microsoft 365 to Attack

threatpost.com/flaws-in-microsoft-365s-mfa-access-cloud-apps/159240/ Vulnerabilities that have existed for years in WS-Trust could be exploited to attack other services such as Azure and Visual Studio.

Back Despite Disruption: RedDelta Resumes Operations

www.recordedfuture.com/reddelta-cyber-threat-operations/ In the interim two-month period since previous Insikt Group reporting, RedDelta has largely remained unperturbed by the extensive public reporting on its targeting of the Vatican and other Catholic organizations.

Not for higher education: cybercriminals target academic & research institutions across the world

blog.checkpoint.com/2020/09/15/not-for-higher-education-cybercriminals-target-academic-research-institutions-across-the-world/ Across the USA, Europe and Asia, there was an increase in the number of attacks targeting the education and research sector in recent months.

MITRE releases emulation plan for FIN6 hacking group, more to follow

www.zdnet.com/article/mitre-releases-emulation-plan-for-fin6-hacking-group-more-to-follow/ New MITRE project to provide free emulation plans that mimic major threat actors in order to train and help defenders.

Fingrid raises preparedness because of the approaching storm

www.fingrid.fi/sivut/ajankohtaista/tiedotteet/2020/fingrid-nostaa-valmiutta-lahestyvan-myrskyn-vuoksi/ Because of the storm forecast for Finland, the main grid's fault-clearing readiness is being raised from 16:00 on Wednesday 16.9. The raised readiness state lasts until 07:00 on Friday morning 17.9.

Daily NCSC-FI news followup 2020-09-14

Alert (AA20-258A) – Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

us-cert.cisa.gov/ncas/alerts/aa20-258a The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. See also:

www.zdnet.com/article/cisa-chinese-state-hackers-are-exploiting-f5-citrix-pulse-secure-and-exchange-bugs/

Magecart Attack Impacts More Than 10K Online Shoppers

threatpost.com/magecart-campaign-10k-online-shoppers/159216/ Close to 2,000 e-commerce sites were infected over the weekend with a payment-card skimmer, maybe the result of a zero-day exploit.

Scam messages circulating in Posti's name: don't react, don't click unexpected links, and see also the Police's instructions (updated 14.9.)

www.posti.com/media/mediauutiset/2020/postin-nimissa-liikkeella-huijausviesteja–ala-reagoi-ala-klikkaa-yllattavia-linkkeja-katso-myos-poliisin-ohjeet/ Various scam messages are circulating in increasing numbers, also in Posti's name. The latest scam messages look deceptively genuine in many respects. The messages may also carry Posti's logo. Posti works closely with the Police in combating scam messages.

Scam in Tokmanni's name: this is how Finns' home addresses are being collected

www.is.fi/digitoday/tietoturva/art-2000006635306.html Scams carried out on Facebook continue. People are being misled in Tokmanni's name into handing over their contact details.

New BlindSide attack uses speculative execution to bypass ASLR

www.zdnet.com/article/new-blindside-attack-uses-speculative-execution-to-bypass-aslr/ New BlindSide technique abuses the CPU’s internal performance-boosting feature to bypass OS security protection.

Personal data from Experian on 40% of South Africa’s population has been bundled onto a file-sharing website

www.theregister.com/2020/09/14/south_africa_experian_data_breach_wesendit/ The August breach hadn't been cleared up at all, and regulators are furious.

Helping organisations – and researchers – to manage vulnerability disclosure

www.ncsc.gov.uk/blog-post/helping-to-manage-vulnerability-disclosure Ollie N explains the thinking behind the NCSC's new Vulnerability Disclosure Toolkit, which is now available to download.

Vast majority of cyber-attacks on cloud servers aim to mine cryptocurrency

www.zdnet.com/article/vast-majority-of-cyber-attacks-on-cloud-servers-aim-to-mine-cryptocurrency/ Cyber-attacks on cloud systems spiked 250% from 2019 to 2020.

A “DFUR-ent” Perspective on Threat Modeling and Application Log Forensic Analysis

www.fireeye.com/blog/threat-research/2020/09/dfur-ent-perspective-on-threat-modeling-and-application-log-forensic-analysis.html Many organizations operating in e-commerce, hospitality, healthcare, managed services, and other service industries rely on web applications. And buried within the application logs may be the potential discovery of fraudulent use and/or compromise! But, let’s face it, finding evil in application logs can be difficult and overwhelming for a few reasons.

COVID cybercrime: 10 disturbing statistics to keep you awake tonight

www.zdnet.com/article/ten-disturbing-coronavirus-related-cybercrime-statistics-to-keep-you-awake-tonight/ Nine out of 10 coronavirus domains are scams. Half a million Zoom accounts are for sale on the Dark Web. Brute-force attacks are up 400%. And there’s more. So much more.

Government actors' cybersecurity skills put to the test in a JAMK exercise

www.epressi.com/tiedotteet/teknologia/valtionhallinnon-toimijoiden-kyberturvallisuustaidot-testissa-jamkin-harjoituksessa.html JYVSECTEC (Jyväskylä Security Technology), the cybersecurity research, development and training centre of Jyväskylä University of Applied Sciences (JAMK), is organising the national cybersecurity exercise (KYHA20vh) on 28.9.-2.10.2020.

Ransomware: This essential step could help you make it through an attack

www.zdnet.com/article/ransomware-this-essential-step-could-help-you-make-it-through-an-attack/ New advice from the National Cyber Security Centre urges businesses to have an incident response plan in place – even if they think they’re unlikely to fall victim to hackers.

After 12 Years, Malware's Puzzling Nuisance Worm Conficker Refuses To Die

www.forbes.com/sites/johndunn/2020/09/14/after-12-years-malwares-puzzling-nuisance-worm-conficker-refuses-to-die/ What ranks as history's most successful malware? Depending on who you ask, the names that come up are usually destructive spectaculars such as NotPetya and WannaCry from 2017, or perhaps the panic-inducing SQL Slammer worm from 14 years earlier. It all depends what you mean by successful, of course, but my choice would be Conficker (aka Downadup), a sophisticated 2008 Windows worm that threatened mayhem before disappearing not long afterwards, before anyone could fathom its true purpose.

Creating patched binaries for pentesting purposes

isc.sans.edu/forums/diary/Creating+patched+binaries+for+pentesting+purposes/26560/

Daily NCSC-FI news followup 2020-09-13

BLINDSIDE – A Speculative Execution Attack

www.vusec.net/projects/blindside/ BlindSide allows attackers to hack blind in the Spectre era. That is, given a simple buffer overflow in the kernel and no additional info leak vulnerability, BlindSide can mount BROP-style attacks in the speculative execution domain to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets, and enable reliable exploitation. PoC video: https://www.youtube.com/watch?v=m-FUIZiRN5o. Whitepaper:

download.vusec.net/papers/blindside_ccs20.pdf

Leaky server exposes users of dating site network

www.zdnet.com/article/leaky-server-exposes-users-of-dating-site-network/ Personal details of hundreds of thousands of dating site users were temporarily exposed online earlier this month.

How to enable DNS-over-HTTPS (DoH) on Windows

www.bleepingcomputer.com/news/microsoft/how-to-enable-dns-over-https-doh-on-windows/ DNS-over-HTTPS (DoH) allows DNS resolution to be performed via the HTTPS protocol rather than through the normal plain text DNS lookups.

Daily NCSC-FI news followup 2020-09-12

IT staffing firm Artech says ransomware attack led to data breach

www.bleepingcomputer.com/news/security/it-staffing-firm-artech-says-ransomware-attack-led-to-data-breach/ Artech Information Systems, one of the largest US IT staffing companies, has disclosed a data breach caused by a ransomware attack that affected some of its systems during early January 2020.

It's No Giggle: Managing Expectations for Vulnerability Disclosure

threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/ Vulnerability-disclosure policies (VDPs), if done right, can help provide clarity and clear guidelines to both bug-hunters and vendors when it comes to going public with security flaws.

Fairfax County schools hit by Maze ransomware, student data leaked

www.bleepingcomputer.com/news/security/fairfax-county-schools-hit-by-maze-ransomware-student-data-leaked/ Fairfax County Public Schools (FCPS), the 10th largest school division in the US, was recently hit by ransomware according to an official statement published on Friday evening.

Researcher kept a major Bitcoin bug secret for two years to prevent attacks

www.zdnet.com/article/researcher-kept-a-major-bitcoin-bug-secret-for-two-years-to-prevent-attacks/ The INVDoS bug would have allowed attackers to crash Bitcoin nodes and other similar blockchains.

Don’t pay the ransom, mate. Don’t even fix a price, say Australia’s cyber security bods

www.theregister.com/2020/09/12/follow_security_basics_and_you/ Most online attacks could be easily avoided by following basic cyber security advice, Australia's national cyber security bureau has said, even as it warned that the impact and severity of things like ransomware attacks are getting worse and worse.

Office 365 Phishing Attack Leverages Real-Time Active Directory Validation

threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/159188/ Attackers check the victims' Office 365 credentials in real time as they are typed into the phishing landing page, by using authentication APIs.

Office Documents with Embedded Objects

isc.sans.edu/forums/diary/Office+Documents+with+Embedded+Objects/26558/


Daily NCSC-FI news followup 2020-09-11

New cyberattacks targeting U.S. elections

blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/ In recent weeks, Microsoft has detected cyberattacks targeting people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns, as detailed below. Strontium, operating from Russia, has attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants. Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community. Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign.

STRONTIUM: Detecting new patterns in credential harvesting

www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ Microsoft has tied STRONTIUM to a newly uncovered pattern of Office 365 credential harvesting activity aimed at US and UK organizations directly involved in political elections. STRONTIUM launched credential harvesting attacks against tens of thousands of accounts at more than 200 organizations.

Development Bank of Seychelles hit by ransomware attack

www.bleepingcomputer.com/news/security/development-bank-of-seychelles-hit-by-ransomware-attack/ The Development Bank of Seychelles (DBS) was hit by ransomware according to a press statement published earlier today by the Central Bank of Seychelles (CBS).

WordPress Plugin Flaw Allows Attackers to Forge Emails

threatpost.com/wordpress-plugin-flaw/159172/ The high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram affects more than 100,000 WordPress websites.

Hackers Stole $5.4 Million From Eterbase Cryptocurrency Exchange

thehackernews.com/2020/09/hackers-stole-cryptocurrencies.html European cryptocurrency exchange Eterbase this week disclosed a massive breach of its network by an unknown group of hackers who stole cryptocurrencies worth 5.4 million dollars.

New Linux Malware Steals Call Details from VoIP Softswitch Systems

thehackernews.com/2020/09/linux-voip-softswitch-malware.html Cybersecurity researchers have discovered an entirely new kind of Linux malware dubbed “CDRThief” that targets voice over IP (VoIP) softswitches in an attempt to steal phone call metadata.

Razer Gaming Fans Caught Up in Data Leak

threatpost.com/razer-gaming-fans-data-leak/159147/ A cloud misconfiguration at the gaming-gear merchant potentially exposed 100,000 customers to phishing and fraud.

An overview of targeted attacks and APTs on Linux

securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ In this report, we focus on the targeting of Linux resources by APT threat actors.

iPhone user, did you install the new iOS? Here is what you need to know about Koronavilkku

www.is.fi/digitoday/mobiili/art-2000006632046.html The weekly reports that have confused people disappear from iPhones with the operating system update.

Serious Security: Hacking Windows passwords via your wallpaper

nakedsecurity.sophos.com/2020/09/11/serious-security-hacking-windows-passwords-via-your-wallpaper/

Porn site users targeted with malicious ads redirecting to exploit kits, malware

www.zdnet.com/article/porn-site-users-targeted-with-malicious-ads-redirecting-to-exploit-kits-malware/ Adult ad networks abused in last hurrah attacks before Flash and IE near EOL.

Three middle-aged Dutch hackers slipped into Donald Trump’s Twitter account days before 2016 US election

www.theregister.com/2020/09/11/trump_twitter_account_recycled_password/ Three grumpy old hackers in the Netherlands managed to access Donald Trump's Twitter account in 2016 by extracting his password from the 2012 LinkedIn hack.

Zoom adds two-factor authentication (2FA) support to all accounts

www.bleepingcomputer.com/news/security/zoom-adds-two-factor-authentication-2fa-support-to-all-accounts/ Zoom has announced that starting today it has added two-factor authentication (2FA) support to all user accounts to make it simpler to secure them against security breaches and identity theft.

Office 365 will let users view their quarantined phishing messages

www.bleepingcomputer.com/news/microsoft/office-365-will-let-users-view-their-quarantined-phishing-messages/ Microsoft is planning to allow Office 365 users to view and request the release of phishing messages automatically quarantined by the Exchange Online Protection (EOP) filtering stack.

Report: Pandemic caused significant shift in buyer appetite in the dark web

blog.malwarebytes.com/cybercrime/2020/09/report-pandemic-caused-significant-shift-in-buyer-appetite-in-the-dark-web/ Last year, credentials for PayPal, Facebook, and Airbnb were among the top goods in high demand on the dark web, aka the Internet's underground market. But due to the COVID-19 outbreak, with most of the worldwide population sheltering, working, and studying indoors, many facets of life have made a full 180-degree turn, including the criminal world.

Malware & ransomware guidance: the reboot!

www.ncsc.gov.uk/blog-post/rebooting-malware-and-ransomware-guidance Using knowledge from the ‘cyber frontline’ to improve our ‘Mitigating malware and ransomware’ guidance. See also

www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks


Daily NCSC-FI news followup 2020-09-10

Authority warns of a scam message – beware of this email

www.is.fi/digitoday/tietoturva/art-2000006630773.html Phishing for Apple ID credentials is currently active. According to the scam, the recipient's Apple ID has supposedly been used without authorization elsewhere to log in to Apple's iCloud service. This is claimed to have happened from Moscow. The message includes a fabricated IP address as well as a date and time, which may vary from one message to another. See also our tweet: https://twitter.com/CERTFI/status/1303604786361774080

Ransomware accounted for 41% of all cyber insurance claims in H1 2020

www.zdnet.com/article/ransomware-accounts-to-41-of-all-cyber-insurance-claims/ Cyber insurance claims ranged in size from $1,000 to well over $2,000,000 per security incident. Ransomware incidents have accounted for 41% of cyber insurance claims filed in the first half of 2020, according to a report published today by Coalition, one of the largest providers of cyber insurance services in North America. “In the first half of 2020 alone, we observed a 260% increase in the frequency of ransomware attacks amongst our policyholders, with the average ransom demand increasing 47%,” the company added.

Equinix data center giant hit by Netwalker Ransomware, $4.5M ransom

www.bleepingcomputer.com/news/security/equinix-data-center-giant-hit-by-netwalker-ransomware-45m-ransom/ Data center and colocation giant Equinix has been hit with a Netwalker ransomware attack where threat actors are demanding $4.5 million for a decryptor and to prevent the release of stolen data. Equinix is a massive data center and colocation provider with over 50 locations worldwide. Customers use these data centers to colocate their equipment or to interconnect with other ISPs and network providers.

Zeppelin Ransomware Returns with New Trojan on Board

threatpost.com/zeppelin-ransomware-returns-trojan/159092/ The malware has popped up in a targeted campaign with a new infection routine. The Zeppelin ransomware has sailed back into relevance after a hiatus of several months. Zeppelin is a variant of the Delphi-based ransomware-as-a-service (RaaS) family initially known as Vega or VegaLocker, which emerged at the beginning of 2019. Unlike its predecessor, Zeppelin is much more targeted, and first took aim at tech and healthcare companies in Europe and the U.S.

ProLock ransomware increases payment demand and victim count

www.bleepingcomputer.com/news/security/prolock-ransomware-increases-payment-demand-and-victim-count/ Using standard tactics, the operators of ProLock ransomware were able to deploy a large number of attacks over the past six months, averaging close to one target every day. A fresh start in March under the ProLock label also meant increased activity and larger ransoms. Since then, the average figure swelled to $1.8 million, indicates incident response data from cybersecurity company Group-IB.

BLURtooth vulnerability lets attackers defeat Bluetooth encryption

www.bleepingcomputer.com/news/security/blurtooth-vulnerability-lets-attackers-defeat-bluetooth-encryption/ BLURtooth is also suitable for man-in-the-middle (MitM) attacks, with the attacker sitting between two vulnerable devices that had been linked using authenticated pairing.

Knowing The Cyber Landscape: Five Ways CFOs Can Quantify And Articulate Data Security And Privacy

www.forbes.com/sites/jimdeloach/2020/09/08/knowing-the-cyber-landscape-five-ways-cfos-can-quantify-and-articulate-data-security-and-privacy/

Microsoft to finally kill Adobe Flash support by January 2021

www.bleepingcomputer.com/news/microsoft/microsoft-to-finally-kill-adobe-flash-support-by-january-2021/