Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2020-03-13

Alert (AA20-073A) – Enterprise VPN Security

www.us-cert.gov/ncas/alerts/aa20-073a As organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options, or telework, require an enterprise virtual private network (VPN) solution to connect employees to an organization’s information technology (IT) network. As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity.

Ransomware

www.us-cert.gov/Ransomware The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the world: See CISA’s Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights Ransomware Outbreak.

Tips to secure your organization in a work-from-home environment

www.sans.org/blog/tips-to-secure-your-organization-in-a-work-from-home-environment/ In response to the current COVID-19 pandemic, organizations worldwide are implementing work-from-home policies. Yet for many businesses, managing an entirely remote workforce is completely new, which means they may lack the processes, policies and technologies that enable employees to work from home safely and securely.

February 2020’s Most Wanted Malware: Increase in Exploits Spreading the Mirai Botnet to IoT Devices

blog.checkpoint.com/2020/03/11/february-2020s-most-wanted-malware-increase-in-exploits-spreading-the-mirai-botnet-to-iot-devices/ Check Point Research also reports that Emotet has been spreading via a new SMS phishing campaign. Our latest Global Threat Index for February 2020 shows a large increase in exploitation of a vulnerability to spread the Mirai botnet, which is notorious for targeting Internet-of-Things (IoT) devices, such as web cameras, modems and routers, and for conducting massive DDoS attacks.

Are you working remotely now? Beware of scam calls

www.is.fi/digitoday/tietoturva/art-2000006437968.html Technical support scams continue. A case that came to Ilta-Sanomat's attention targeted a remote worker. If you receive an unexpected contact in the name of technical support, do not under any circumstances follow the instructions given. Do not let anyone connect to your computer over a remote connection. Although this is normal practice in a genuine problem situation too, a remote connection makes it easy for a scammer to infect the computer with malware. Hang up the call, or if the scam arrived by e-mail, for example, do not reply to it. Call your company's real support line and ask about the matter. This way you also spread the word about the scam so that other employees can be warned about it.

Forced to work remotely because of the coronavirus? Read the instructions for safe computer use

www.is.fi/digitoday/tietoturva/art-2000006436758.html A careless remote worker can endanger the information security of the entire company. A few rules of thumb go a long way, however.

The state's encrypted network connections went down: the spike in remote work was too much

www.is.fi/digitoday/tietoturva/art-2000006437777.html Valtori, which supplies ICT services to central government agencies and institutions, ministries, parliament and the courts, is suffering serious disruptions to its secured Kauko VPN connections. Until yesterday the connections still managed to carry the load, but today they are unusable in many places.

Inadvertent Insider Threats Present a Unique Challenge to Organizations

securityintelligence.com/articles/inadvertent-insider-threats-present-a-unique-challenge-to-organizations/ According to the recent X-Force Threat Intelligence Index 2020, more than 8.5 billion records were exposed due to breaches in 2019, of which 86 percent were due to misconfigured assets. These issues affected only half of the records breached in 2018, and as the 2017 report stated, 70 percent of the 2.9 billion records lost that year were due to misconfigurations.

Working from home: 5 tips to protect your company

www.pandasecurity.com/mediacenter/tips/telework-coronavirus/ Technology changes, life habits change and the way we work changes too. And however we work, one thing that does not change is the inescapable duty we have to protect our assets in order to ensure perfect business continuity, to protect the information we manage, and to maintain business secrecy.

Swallowing the Snake’s Tail: Tracking Turla Infrastructure

www.recordedfuture.com/turla-apt-infrastructure/ Recorded Future’s Insikt Group® has developed new detection methods for Turla malware and infrastructure as part of an in-depth investigation into recent Turla activities. Data sources included the Recorded Future® Platform, ReversingLabs, VirusTotal, Shodan, BinaryEdge, and various OSINT tools. The target audience for this research includes security practitioners, network defenders, and threat intelligence professionals who are interested in Russian nation-state computer network operations activity. Turla, also known as Snake, Waterbug, and Venomous Bear, is a well-established, sophisticated, and strategically focused cyberespionage group that has for over a decade been linked to operations against research, diplomatic, and military organizations worldwide, with an ongoing focus against entities within North Atlantic Treaty Organization (NATO) and Commonwealth of Independent States (CIS) nations in particular. Read also:

go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf

New Android Malware Strain Sneaks Cookies from Facebook

www.darkreading.com/new-android-malware-strain-sneaks-cookies-from-facebook/d/d-id/1337304 Two malware modifications, when combined, can snatch cookies collected by browsers and social networking apps. Read also:

securelist.com/cookiethief/96332/,

thehackernews.com/2020/03/android-cookies-malware-hacking.html and threatpost.com/trojan-android-cookie-jars/153678/

Radio.com users affected in data breach

www.welivesecurity.com/2020/03/13/radiocom-users-affected-data-breach/ An unknown number of people had their personal data exposed as hackers accessed database backup files

Fresh virus misery for Illinois: Public health agency taken down by… web ransomware. Great timing, scumbags

www.theregister.co.uk/2020/03/12/ransomware_illinois_health/ Not like anyone is looking for medical advice right now

Open-source bug bonanza: Vulnerabilities up almost 50 per cent thanks to people actually looking for them

www.theregister.co.uk/2020/03/13/open_source_bugs/ The number of vulnerabilities in open source projects surged almost 50 per cent in 2019, according to security biz WhiteSource, which can be seen as good news in the sense that you don’t find what you’re not looking for. Read also:

www.zdnet.com/article/open-source-security-this-is-why-bugs-in-open-source-software-have-hit-a-record-high/#ftag=RSSbaffb68

Office 365 ATP To Block Email Domains That Fail Authentication

www.bleepingcomputer.com/news/security/office-365-atp-to-block-email-domains-that-fail-authentication/ Microsoft is working on including a new Office 365 Advanced Threat Protection (ATP) feature that would block email sender domains automatically if they fail DMARC authentication as part of an effort to make Office 365 ATP secure by default.

WordPress Plugin Bug Allows Malicious Code Injection on 100K Sites

www.bleepingcomputer.com/news/security/wordpress-plugin-bug-allows-malicious-code-injection-on-100k-sites/ Vulnerabilities in the Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups displayed on tens of thousands of websites, to steal information, and to potentially fully take over targeted sites.

Criminals profit from the corona panic: an interactive coronavirus map became a data breach tool

www.tivi.fi/uutiset/tv/db61bc53-95b2-4104-859b-0da56c7fedf0 According to an expert, the coronavirus poses both a biological and a data-virus risk. Read also:

www.kauppalehti.fi/uutiset/rikolliset-ottavat-kaiken-irti-koronapaniikista-interaktiivisesta-koronamallinnuksesta-tietomurtovalineen-tyokalu/dd5d415e-59d9-462e-9df0-19804d8f323e

Coronavirus or not: if the company's data is secret enough, remote work is not an option

www.tivi.fi/uutiset/tv/871f7b6c-d3d6-4987-950c-696fe466f7d4 Many workplaces have switched to remote work, either by strict order or by gentle encouragement. Not all knowledge work, however, moves easily from the workplace to the home office. The more sensitive the data in a system, the further the whole system should be kept from the internet. This old cybersecurity rule is now causing difficulties for many companies in the wake of the coronavirus, Wired writes. Read also:

www.wired.com/story/high-stakes-security-set-ups-making-remote-work-impossible/

AT&T Suspends Broadband Data Caps During Coronavirus Crisis

www.vice.com/en_us/article/v74qzb/atandt-suspends-broadband-usage-caps-during-coronavirus-crisis As AT&T moves to lift usage caps, lawmakers begin pressuring ISPs to do more.

Researchers Warn of Novel PXJ Ransomware Strain

threatpost.com/novel-pxj-ransomware-strain/153673/ While PXJ performs typical ransomware functions, it does not appear to share the same underlying code with most known ransomware families.

Europol takes down SIM-swap hacking rings responsible for theft of millions of euros

www.zdnet.com/article/europol-tackles-massive-sim-swap-hacking-rings/ Arrests have been made across Europe in an effort to stamp out gangs specializing in SIM-swapping attacks. Read also:

www.bleepingcomputer.com/news/security/europol-dismantles-sim-swap-criminal-groups-that-stole-millions/

State-sponsored hackers are now using coronavirus lures to infect their targets

www.zdnet.com/article/state-sponsored-hackers-are-now-using-coronavirus-lures-to-infect-their-targets/ Chinese, North Korean, and Russian government cyberspies caught using COVID-19-themed emails to infect victims with malware. Read also:

threatpost.com/coronavirus-apt-attack-malware/153697/

Firefox 74 slams Facebook in solitary confinement: Browser add-on stops social network stalking users across the web

www.theregister.co.uk/2020/03/12/firefox_74_aims_to_contain_facebook_tighten_security/ Prompt to install enhanced extension is the first thing you’ll see

Czech hospital hit by cyberattack while in the midst of a COVID-19 outbreak

www.zdnet.com/article/czech-hospital-hit-by-cyber-attack-while-in-the-midst-of-a-covid-19-outbreak/ One of the Czech Republic’s biggest COVID-19 testing laboratories hit by mysterious cyberattack.

VMWare Releases Fix for Critical Guest-to-Host Vulnerability

www.bleepingcomputer.com/news/security/vmware-releases-fix-for-critical-guest-to-host-vulnerability/ A security update has been released that fixes a Critical vulnerability in VMware Workstation Pro that could allow an application running in a guest environment to execute a command on the host. Read also:

www.vmware.com/security/advisories/VMSA-2020-0004.html

Daily NCSC-FI news followup 2020-03-12

Critical Patch Released for ‘Wormable’ SMBv3 Vulnerability: Install It ASAP!

thehackernews.com/2020/03/patch-wormable-smb-vulnerability.html Microsoft today finally released an emergency software update to patch the recently disclosed very dangerous vulnerability in the SMBv3 protocol that could let attackers launch wormable malware, which can propagate itself from one vulnerable computer to another automatically. See also:

www.kyberturvallisuuskeskus.fi/fi/kriittinen-haavoittuvuus-microsoftin-smbv3-toteutuksessa

48K Windows Hosts Vulnerable to SMBGhost CVE-2020-0796 RCE Attacks

www.bleepingcomputer.com/news/security/48k-windows-hosts-vulnerable-to-smbghost-cve-2020-0796-rce-attacks/ After an Internet-wide scan, researchers at cybersecurity firm Kryptos Logic discovered roughly 48,000 Windows 10 hosts vulnerable to attacks targeting the pre-auth remote code execution CVE-2020-0796 vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3).

Tracking Turla: New backdoor delivered via Armenian watering holes

www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/ ESET researchers found a watering hole (aka strategic web compromise) operation targeting several high-profile Armenian websites. It relies on a fake Adobe Flash update lure and delivers two previously undocumented pieces of malware we have dubbed NetFlash and PyFlash.

Swallowing the Snake’s Tail: Tracking Turla Infrastructure

www.recordedfuture.com/turla-apt-infrastructure/ Turla, also known as Snake, Waterbug, and Venomous Bear, is a well-established, sophisticated, and strategically focused cyberespionage group that has for over a decade been linked to operations against research, diplomatic, and military organizations worldwide, with an ongoing focus against entities within North Atlantic Treaty Organization (NATO) and Commonwealth of Independent States (CIS) nations.

OpenSMTPD Vulnerability (CVE-2020-8794) Can Lead to Root Privilege Escalation and Remote Code Execution

blog.trendmicro.com/trendlabs-security-intelligence/opensmtpd-vulnerability-cve-2020-8794-can-lead-to-root-privilege-escalation-and-remote-code-execution/ A root privilege escalation and remote code execution vulnerability (designated as CVE-2020-8794) has been discovered in the free and open-source Unix daemon OpenSMTPD. The flaw originates from an out-of-bounds read, which attackers can take advantage of to execute arbitrary code on vulnerable systems.

Flaws Riddle Zyxel’s Network Management Software

threatpost.com/flaws-zyxels-network-management-software/153554/ Over 16 security flaws, including multiple backdoors and hardcoded SSH server keys, plague the software.

A person posing as Juha Tapio tried to scam a fan out of 10,000 euros; Nigerian man suspected of money laundering tells police: “I was under a spell”

yle.fi/uutiset/3-11249443?origin=rss

Trump issues a doomsday report for cyberwar: the situation is the same as with nuclear weapons

www.tivi.fi/uutiset/tv/05244fdc-048c-4b4b-9a44-74a6422fbb12 The US federal government's new playbook for a large-scale cyberattack emphasizes keeping internet connections open and keeping the economy and supply chains running in exceptional situations. The guidelines are called the cyberwar doomsday book.

Over 60% of companies have not found adequate data protection for 5G connections or the Internet of Things

www.tivi.fi/uutiset/tv/040583a2-26a5-4aa5-8fd6-603e12f61a29 According to a global survey conducted by Dell, the majority of companies and other organizations have not found adequate information security for new IT technologies. Over 80 percent of companies have suffered from security problems during the year.

New CoronaVirus Ransomware Acts as Cover for Kpot Infostealer

www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/ A new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner.

Cookiethief: a cookie-stealing Trojan for Android

securelist.com/cookiethief/96332/ We recently discovered a new strain of Android malware. The Trojan (detected as: Trojan-Spy.AndroidOS.Cookiethief) turned out to be quite simple. Its main task was to acquire root rights on the victim device, and transfer cookies used by the browser and Facebook app to the cybercriminals’ server.

Crafty Web Skimming Domain Spoofs https

krebsonsecurity.com/2020/03/crafty-web-skimming-domain-spoofs-https/ Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site’s source code: http[.]ps (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).

Hackers Get $1.6 Million for Card Data from Breached Online Shops

www.bleepingcomputer.com/news/security/hackers-get-16-million-for-card-data-from-breached-online-shops/ Hackers have collected $1.6 million from selling more than 239,000 payment card records on the dark web. The batch was assembled from thousands of online shops that were running a tainted version of the Volusion e-commerce software last year.

PXJ Ransomware Campaign Identified by X-Force IRIS

securityintelligence.com/posts/pxj-ransomware-campaign-identified-by-x-force-iris/ Ransomware has become one of the most profitable types of malware in the hands of cybercriminals, with reported cybercrime losses tripling in the last five years, according to the FBI.

$100K Paid Out for Google Cloud Shell Root Compromise

threatpost.com/100k-google-cloud-shell-root-compromise/153665/ A Dutch researcher claimed Google’s very first annual Cloud Platform bug-bounty prize, for a clever container escape exploit.

Daily NCSC-FI news followup 2020-03-11

Warning: Unpatched Critical ‘Wormable’ Windows SMBv3 Flaw Disclosed

thehackernews.com/2020/03/smbv3-wormable-vulnerability.html Shortly after releasing its monthly batch of security updates, Microsoft late yesterday separately issued an advisory warning billions of its Windows users of a new critical, unpatched, and wormable vulnerability affecting Server Message Block 3.0 (SMBv3) network communication protocol.

Beware of ‘Coronavirus Maps’: It’s malware infecting PCs to steal passwords

thehackernews.com/2020/03/coronavirus-maps-covid-19.html The malware campaign specifically aims to target those who are looking on the Internet for cartographic presentations of the spread of COVID-19 and serving them with a malicious application that, on its front-end, shows a map loaded from a legit online source but in the background compromises the computer.

DDR4 Memory Still At Rowhammer Risk, New Method Bypasses Fixes

www.bleepingcomputer.com/news/security/ddr4-memory-still-at-rowhammer-risk-new-method-bypasses-fixes/ Academic researchers testing modern memory modules from Samsung, Micron, and Hynix discovered that current protections against Rowhammer attacks are insufficient. The new findings show that memory bit flipping works on many devices, including popular smartphones from Google, Samsung, and OnePlus.

Dutch government loses hard drives with data of 6.9 million registered donors

www.zdnet.com/article/dutch-government-loses-hard-drives-with-data-of-6-9-million-registered-donors/ The Dutch government said it lost two external hard disk storage devices that contained the personal data of more than 6.9 million organ donors. The hard drives stored electronic copies of all donor forms filed with the Dutch Donor Register between February 1998 and June 2010, officials from the Dutch Ministry of Health, Wellness, and Sport said earlier this week.

Popular ThemeREX WordPress Plugin Opens Websites to RCE

threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/ A critical vulnerability in a WordPress plugin known as ThemeREX Addons could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day.

Karkoff 2020: a new APT34 espionage operation involves Lebanon Government

yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/ In this campaign, the APT group may have compromised a Microsoft Exchange Server belonging to a Lebanon government entity, in fact, we found some evidence in the communication logic.

The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs

yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/ Recently we have observed a significant increase in state-sponsored operations carried out by threat actors worldwide. APT34, Gamaredon, and Transparent Tribe are a few samples of the recently uncovered campaigns, the latter was spotted after four years of apparent inactivity. Cybaze-Yoroi ZLab decided to study in depth a recent threat attributed to a North Korean APT dubbed Kimsuky.

Agent Tesla Delivered via Fake Canon EOS Notification on Free OwnCloud Account

isc.sans.edu/forums/diary/Agent+Tesla+Delivered+via+Fake+Canon+EOS+Notification+on+Free+OwnCloud+Account/25884/ For a few days, there have been new waves of Agent Tesla landing in our mailboxes. I found one that uses two new “channels” to deliver the trojan. Today, we can potentially receive notifications and files from many types of systems or devices. I found a phishing sample that tries to hide behind a Canon EOS camera notification.

Secret-sharing app Whisper shared secrets like last known location and actual password tokens in exposed database

www.theregister.co.uk/2020/03/11/secret_sharing_app_whisper_shared_secrets_in_exposed_database/ 900 million records detailing country, interests and more left in full view

Why are governments so vulnerable to ransomware attacks?

www.zdnet.com/article/why-are-governments-so-vulnerable-to-ransomware-attacks/#ftag=RSSbaffb68 Emsisoft estimates that over 2019, ransomware attacks impacted at least 948 government agencies, educational entities, and healthcare providers. Analysis conducted by Recorded Future suggests that 81 successful ransomware attacks took place against US government bodies across the year, and these incidents would often have a knock-on effect of impacting high numbers of towns and cities in their local areas.

Finland prepares for growth in remote work due to the coronavirus: capacity cannot be increased without limit

www.tivi.fi/uutiset/tv/0c720acc-d867-4e45-a1de-89db080ed8e6 Valtori, which is responsible for the central government's basic IT, says it has prepared for a substantial increase in remote work.

Ugly numbers: online fraud reported by Finns keeps on increasing

www.is.fi/digitoday/art-2000006434458.html Although thousands more frauds are reported than before, still not all of them are reported to the police.

A white-hat hacker can be perceived as threatening: fear prevents companies from reacting to vulnerabilities

www.tivi.fi/uutiset/tv/9de19815-cd84-4170-b3e6-a7b9210d7795 According to security researcher Laura Kankaala, some companies still would rather not bring security holes to light.

Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan

blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/ We recently discovered a new campaign that we dubbed Operation Overtrap for the numerous ways it can infect or trap victims with its payload. The campaign mainly targets online users of various Japanese banks by stealing their banking credentials using a three-pronged attack.

Five ways to detect early signs of a breach using the network

blogs.cisco.com/security/five-ways-to-detect-early-signs-of-a-breach-using-the-network

Safeguarding Healthcare for the Future With Zero Trust Security

securityintelligence.com/posts/safeguarding-healthcare-for-the-future-with-zero-trust-security/

Securing the MSP: best practices for vetting cybersecurity vendors

blog.malwarebytes.com/business-2/2020/03/securing-the-msp-best-practices-for-vetting-cybersecurity-vendors/

Daily NCSC-FI news followup 2020-03-10

Microsoft Hijacks Necurs Botnet that Infected 9 Million PCs Worldwide

thehackernews.com/2020/03/necurs-botnet-takedown.html Microsoft today announced that it has successfully disrupted the botnet network of the Necurs malware, which has infected more than 9 million computers globally, and also hijacked the majority of its infrastructure.

Fingrid's partner fell victim to a data breach: the grids are still well protected

www.is.fi/digitoday/tietoturva/art-2000006434452.html The attack on Entso-E's IT systems does not pose a danger to Finland's electricity grids, Fingrid assures.

NSA Warns About Microsoft Exchange Flaw as Attacks Start

www.bleepingcomputer.com/news/security/nsa-warns-about-microsoft-exchange-flaw-as-attacks-start/ The U.S. National Security Agency (NSA) warned about a post-auth remote code execution vulnerability in all supported Microsoft Exchange Server servers via a tweet published on the agency’s Twitter account.

Intel CPUs vulnerable to new LVI attacks

www.zdnet.com/article/intel-cpus-vulnerable-to-new-lvi-attacks/ Researchers say Intel processors will need another round of silicon chip re-designs to protect against new attack.

Rocket Loader skimmer impersonates CloudFlare library in clever scheme

blog.malwarebytes.com/threat-analysis/2020/03/rocket-loader-skimmer-impersonates-cloudflare-library-in-clever-scheme/ In a recent blog post, we noted how criminals behind Magecart skimmers mimicked content delivery networks in order to hide their payload. This time, we are looking at a far more clever scheme. This latest skimmer is disguised as a JavaScript file that appears to be CloudFlare’s Rocket Loader, a library used to improve page load time. The attackers created an almost authentic replica by registering a specially crafted domain name.

Busting Ghostcat: An Analysis of the Apache Tomcat Vulnerability (CVE-2020-1938 and CNVD-2020-10487)

blog.trendmicro.com/trendlabs-security-intelligence/busting-ghostcat-an-analysis-of-the-apache-tomcat-vulnerability-cve-2020-1938-and-cnvd-2020-10487/ Discussions surrounding the Ghostcat vulnerability (CVE-2020-1938 and CNVD-2020-10487) found in Apache Tomcat puts it in the spotlight as researchers looked into its security impact, specifically its potential use for remote code execution (RCE).

Microsoft shares nightmare tale: 6 sets of hackers on a customer’s network

www.zdnet.com/article/microsoft-shares-nightmare-tale-6-sets-of-hackers-on-a-customers-network/ Microsoft’s first report from its Detection and Response Team (DART), which helps customers in deep cyber trouble, details the case of a large customer with six threat actors simultaneously on its network, including one state-sponsored hacker group that had been stealing data and email for 243 days. See also:

mssecurity.wpengine.com/wp-content/uploads/2020/03/then-there-were-six.pdf

FBI Arrests Alleged Owner of Deer.io, a Top Broker of Stolen Accounts

krebsonsecurity.com/2020/03/fbi-arrests-alleged-owner-of-deer-io-a-top-broker-of-stolen-accounts/ FBI officials last week arrested a Russian computer security researcher on suspicion of operating deer.io, a vast marketplace for buying and selling stolen account credentials for thousands of popular online services and stores.

Paradise Ransomware Distributed via Uncommon Spam Attachment

www.bleepingcomputer.com/news/security/paradise-ransomware-distributed-via-uncommon-spam-attachment/ Attackers have started to send Excel Web Query attachments in phishing campaigns to download and install the Paradise Ransomware on unsuspecting victims.

How poor IoT security is allowing this 12-year-old malware to make a comeback

www.zdnet.com/article/how-poor-iot-security-is-allowing-this-ten-year-old-malware-to-make-a-comeback/ Conficker peaked in 2009, but unsupported connected devices are allowing it to spread in 2020 – and the healthcare sector is where it’s infected the most targets.

WHO’S HACKING THE HACKERS: NO HONOR AMONG THIEVES

www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, a well known RAT. The campaign ultimately gives attackers total access to the target machine. The threat actors behind this campaign are posting malware embedded inside various hacking tools and cracks for those tools on several websites.

Daily NCSC-FI news followup 2020-03-09

A vulnerability in Microsoft Exchange servers is being actively exploited by multiple APT groups, researchers warn.

threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/ Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges. See also:

www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys

ENTSO-E: cyber intrusion on its office network

www.fingrid.fi/en/pages/news/news/2020/entso-e-cyber-intrusion-on-its-e-office-network/ The European Network of Transmission System Operators for Electricity (ENTSO-E) has informed that some of its IT systems had been subjected to a security attack. The attack was not directed against Fingrid or other transmission system operators, and it didn’t have any influence on Fingrid’s customers or other stakeholders.

Healthy suspicion is the best protection against fraud

www.poliisi.fi/tietoa_poliisista/tiedotteet/1/1/terve_epaluulo_suojaa_parhaiten_petosrikoksilta_88476?language=fi Criminals ruthlessly exploit people's natural belief in good and their hope of getting rich quickly. Healthy suspicion is therefore often the best protection against fraud.

New Variant of TrickBot Being Spread by Word Document

www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html Recently, FortiGuard Labs captured an MS Office Word sample in the wild that is spreading a new variant of TrickBot. I did an analysis on this sample file, and in this post I will explain how it works on the victim’s machine.

AMD Downplays CPU Threat Opening Chips to Data Leak Attacks

threatpost.com/amd-downplays-cpu-threat-opening-chips-to-data-leak-attacks/153516/ New side-channel attacks have been disclosed in AMD CPUs, however AMD said that they are not new.

Check Point chap: Small firms don’t invest in infosec then hope they won’t get hacked. Spoiler alert: They get hacked

www.theregister.co.uk/2020/03/09/check_point_interview/ One vendor’s security controls aren’t enough, says Dan Wiley

Twitter First: Trump Video Retweet Tagged as ‘Manipulated Media’

www.bleepingcomputer.com/news/security/twitter-first-trump-video-retweet-tagged-as-manipulated-media/ For the first time, Twitter has labeled a video as ‘Manipulated Media’ that attempts to portray Joe Biden as stating that Donald Trump should be re-elected.

Top Tips for Secure Remote Working

blog.checkpoint.com/2020/03/09/top-tips-for-secure-remote-working/ Practical tips to enable employees to work safely from home during the Coronavirus outbreak

International Women’s Day: awareness of stalkerware, monitoring, and spyware apps on the rise

blog.malwarebytes.com/stalkerware/2020/03/international-womens-day-awareness-of-stalkerware-monitoring-and-spyware-apps-on-the-rise/

Crescendo: Real Time Event Viewer for macOS

www.fireeye.com/blog/threat-research/2020/03/crescendo-real-time-event-viewer-for-macos.html

Daily NCSC-FI news followup 2020-03-08

Data-Stealing FormBook Malware Preys on Coronavirus Fears

www.bleepingcomputer.com/news/security/data-stealing-formbook-malware-preys-on-coronavirus-fears/ Another email campaign pretending to be Coronavirus (COVID-19) information from the World Health Organization (WHO) is distributing a malware downloader that installs the FormBook information-stealing Trojan.

Hackers can clone millions of Toyota, Hyundai, and Kia keys

arstechnica.com/cars/2020/03/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/ Encryption flaws in common anti-theft feature expose vehicles from major OEMs.

Ransomware Threatens to Reveal Company’s ‘Dirty’ Secrets

www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/ The operators of the Sodinokibi Ransomware are threatening to publicly share a company’s “dirty” financial secrets because they refused to pay the demanded ransom.

What to do when you get a suspicious message from a friend? Mikko Hyppönen has a brilliant tip

www.is.fi/digitoday/tietoturva/art-2000006430407.html Replying through a different channel can expose a scam message.

Enjoy your Steam: how criminals make money on gamers

www.kaspersky.com/blog/steam-scam/11317/ Much like the general population, cybercriminals have areas of expertise. Some grift people on social networks, others spread malware via e-mails, and then there are the ones who know how to turn gamers' items and accounts into money.

Ryuk Ransomware Behind Durham, North Carolina Cyberattack

www.bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/ The City of Durham, North Carolina has shut down its network after suffering a cyberattack by the Ryuk Ransomware this weekend.

Daily NCSC-FI news followup 2020-03-07

New AMD Side Channel Attacks Discovered, Impacts Zen Architecture

www.tomshardware.com/news/new-amd-side-channel-attacks-discovered-impacts-zen-architecture A new paper released by the Graz University of Technology details two new “Take A Way” attacks, Collide+Probe and Load+Reload, that can leak secret data from AMD processors by manipulating the L1D cache predictor. The researchers claim that the vulnerability impacts all AMD processors from 2011 to 2019, meaning that the Zen microarchitecture is also impacted.

This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years

thehackernews.com/2020/03/intel-csme-vulnerability.html All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology that is otherwise designed to shield sensitive data of users even when a system gets compromised. The vulnerability, tracked as CVE-2019-0090, resides in the hard-coded firmware running on the ROM ("read-only memory") of Intel's Converged Security and Management Engine (CSME), which can't be patched without replacing the silicon.

Zoho Releases Security Update on ManageEngine Desktop Central

www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central Zoho has released a security update on a vulnerability (CVE-2020-10189) affecting ManageEngine Desktop Central build 10.0.473 and below. A remote attacker could exploit this vulnerability to take control of an affected system. See also:

www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html

FBI Warns of BEC Attacks Abusing Microsoft Office 365, Google G Suite

www.bleepingcomputer.com/news/security/fbi-warns-of-bec-attacks-abusing-microsoft-office-365-google-g-suite/ The US Federal Bureau of Investigation (FBI) warned private industry partners of threat actors abusing Microsoft Office 365 and Google G Suite as part of Business Email Compromise (BEC) attacks. "Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite."

FYI: When Virgin Media said it leaked ‘limited contact info’, it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more

www.theregister.co.uk/2020/03/06/virgin_more_leak_details/

Chain Reactor: Simulate Adversary Behaviors on Linux

isc.sans.edu/forums/diary/Chain+Reactor+Simulate+Adversary+Behaviors+on+Linux/25872/

As the U.S. spied on the world, the CIA and NSA bickered

www.washingtonpost.com/national-security/as-the-us-spied-on-the-world-the-cia-and-nsa-bickered/2020/03/06/630a4e72-5365-11ea-b119-4faabac6674f_story.html U.S. spy agencies were on the verge of an espionage breakthrough, closing in on the clandestine purchase of a Swiss company that could give American intelligence the ability to crack much of the world's encrypted communications.

Daily NCSC-FI news followup 2020-03-06

Human-operated ransomware attacks: A preventable disaster

www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors. They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network. See also:

www.bleepingcomputer.com/news/security/microsoft-shares-tactics-used-in-human-operated-ransomware-attacks/

Zoho zero-day published on Twitter

www.zdnet.com/article/zoho-zero-day-published-on-twitter/ A security researcher published yesterday details on Twitter about a zero-day vulnerability in a Zoho enterprise product. The vulnerability impacts Zoho ManageEngine Desktop Central. According to the Zoho website, this is an endpoint management solution. Companies use the product to control their fleets of devices, such as Android smartphones, Linux servers, or Mac and Windows workstations.

Microsoft: 99.9% of compromised accounts did not use multi-factor authentication

www.zdnet.com/article/microsoft-99-9-of-compromised-accounts-did-not-use-multi-factor-authentication/ Only 11% of all enterprise accounts use an MFA solution overall.

One billion Android devices at risk of hacking

www.bbc.com/news/technology-51751950 More than a billion Android devices are at risk of being hacked because they are no longer protected by security updates, watchdog Which? has suggested. Google's own data suggests that 42.1% of Android users worldwide are on version 6.0 of its operating system or below. According to the Android security bulletin, there were no security patches issued for the Android system in 2019 for versions below 7.0.

Virgin Media Data Breach Exposes Info of 900,000 Customers

www.bleepingcomputer.com/news/security/virgin-media-data-breach-exposes-info-of-900-000-customers/ Virgin Media announced today that the personal information of roughly 900,000 of its customers was accessed without permission on at least one occasion because of a misconfigured and unsecured marketing database.

TrickBot Malware Targets Italy in Fake WHO Coronavirus Emails

www.bleepingcomputer.com/news/security/trickbot-malware-targets-italy-in-fake-who-coronavirus-emails/ A new spam campaign is underway that is preying on the fears of Coronavirus (COVID-19) to target people in Italy with the TrickBot information-stealing malware. See also:

www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams

Critical PPP Daemon Flaw Opens Most Linux Systems to Remote Hackers

thehackernews.com/2020/03/ppp-daemon-vulnerability.html The US-CERT today issued an advisory warning users of a new, dangerous 17-year-old remote code execution vulnerability affecting the PPP daemon (pppd) software, which comes installed on almost all Linux-based operating systems and also powers the firmware of many other networking devices.

Emotet Actively Using Upgraded WiFi Spreader to Infect Victims

www.bleepingcomputer.com/news/security/emotet-actively-using-upgraded-wifi-spreader-to-infect-victims/ Emotet's authors have upgraded the malware's Wi-Fi spreader by making it a fully-fledged module and adding new functionality, as shown by samples recently spotted in the wild. We previously reported that Emotet is now capable of spreading to new victims via nearby insecure wireless networks using a Wi-Fi worm module.

NordVPN quietly plugged vuln where an HTTP POST request without authentication would return detailed customer data

www.theregister.co.uk/2020/03/06/nordvpn_no_auth_needed_view_user_payments/ A vulnerability in NordVPN’s payments platform allowed anyone to view users’ payment information and email addresses, a startling HackerOne entry has revealed.

9 Strategies for Retaining Women in Cybersecurity and STEM in 2020

securityintelligence.com/articles/9-strategies-for-retaining-women-in-cybersecurity-and-stem-in-2020/

Daily NCSC-FI news followup 2020-03-05

Attackers Taking Advantage of the Coronavirus/COVID-19 Media Frenzy

www.fortinet.com/blog/threat-research/attackers-taking-advantage-of-the-coronavirus-covid-19-media-frenzy.html Over the past several weeks, FortiGuard Labs has been observing a significant increase in both legitimate and malicious activity surrounding the Coronavirus. Threat findings via OSINT channels have yielded multiple themes, such as those appearing to be reports from trusted sources, such as governmental agencies, news outlets, etc., but that were actually malicious. It is also important to note that we are likely only scratching the surface on observable attacks as this is a global outbreak, and most of our observations have been in English or languages . The issue has now become so problematic that the World Health Organization (WHO) recently issued a statement on their website titled "Beware of criminals pretending to be WHO". The UN also added an advisory on the 29th of February reminding citizens to be vigilant of such scams. Also:

blog.checkpoint.com/2020/03/05/update-coronavirus-themed-domains-50-more-likely-to-be-malicious-than-other-domains/

Enable that MF-ing MFA: 1.2 million Azure Active Directory accounts compromised every month, reckons Microsoft

www.theregister.co.uk/2020/03/05/microsoft_12_million_enterprise_accounts_are_compromised_every_month/ Microsoft reckons 0.5 per cent of Azure Active Directory accounts as used by Office 365 are compromised every month. "About a half of a per cent of the enterprise accounts on our system will be compromised every month, which is a really high number. If you have an organisation of 10,000 users, 50 will be compromised each month," said Weinert. The key point, though, is that if an account is compromised, said Weinert, "there's a 99.9 per cent chance that it did not have MFA [Multi Factor Authentication]". MFA is where at least one additional identifier is required when logging in, such as a code on an authenticator application or a text message to a mobile phone.

Cloud Snooper Attack Bypasses Firewall Security Measures

news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/ In the course of investigating a malware infection of cloud infrastructure servers hosted in the Amazon Web Services (AWS) cloud, SophosLabs discovered a sophisticated attack that employed a unique combination of techniques to evade detection and that permits the malware to communicate freely with its command and control (C2) servers through a firewall that should, under normal circumstances, . PDF:

news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf

Intel x86 Root of Trust: loss of trust

blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality. A vulnerability has been found in the ROM of the Intel Converged Security and Management Engine (CSME). This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company's platforms. The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.

Ryuk Revisited – Analysis of Recent Ryuk Attack

www.fortinet.com/blog/threat-research/ryuk-revisited-analysis-of-recent-ryuk-attack.html Ryuk is a well-known ransomware variant, and different versions have been reviewed in the past. However, due to its targeted and ever-evolving nature, it is interesting to see what the latest variants hold in store. In this blog post, we will analyze the tactics, techniques, and procedures (TTPs) used by this recently discovered Ryuk variant, review similarities to past variants, and highlight the methods it uses to maximize the damage it can cause to the networks of targeted organizations. Reviewing these TTPs will allow you to test the current security controls within your network to ensure you are able to

Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection

www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/ Legal services and e-discovery giant Epiq Global took their systems offline on Saturday after the Ryuk Ransomware was deployed and began encrypting devices on their network.

Ryuk ransomware hits Fortune 500 company EMCOR

www.zdnet.com/article/ryuk-ransomware-hits-fortune-500-company-emcor/#ftag=RSSbaffb68 EMCOR Group (NYSE: EME), a US-based Fortune 500 company specialized in engineering and industrial construction services, disclosed last month a ransomware incident that took down some of its IT systems. The incident took place on February 15 and was identified as an infection with the Ryuk ransomware strain.

Alleged Vault 7 leaker trial finale: Want to know the CIA’s password for its top-secret hacking tools? 123ABCdef

www.theregister.co.uk/2020/03/05/cia_leak_trial/ Tales of terrible security, poor compartmentalization, and more, emerge from the Schulte hearings

Mokes and Buerak distributed under the guise of security certificates

securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/ The technique of distributing malware under the guise of legitimate software updates is not new. As a rule, cybercriminals invite potential victims to install a new version of a browser or Adobe Flash Player. However, we recently discovered a new approach to this well-known method: visitors to infected sites were informed that some kind of security certificate had expired. Unsurprisingly, the . We detected the infection on variously themed websites, from a zoo to a store selling auto parts. The earliest infections found date back to January 16, 2020.

Attack Landscape H2 2019: An unprecedented year for cyber attacks

blog.f-secure.com/attack-landscape-h2-2019-an-unprecedented-year-cyber-attacks/ The last year of the decade set a new standard for cyber attacks. F-Secure's Attack Landscape H2 2019 notes that while the impact of sophisticated ransomware attacks continues to be devastating, most of the billions of attacks we see target devices that don't have keyboards.

Email domains without DMARC enforcement spoofed nearly 4X as often

www.helpnetsecurity.com/2020/03/05/dmarc-records/ As of January 2020, nearly 1 million (933,973) domains have published DMARC records, an increase of 70% compared to last year and more than 180% growth in the last two years. However, just 13% of all DMARC records are configured with enforcement policies, demonstrating that interest in DMARC is increasing but DMARC expertise is not keeping pace. Publishing a DMARC record is just the first step; enforcement must be reached before a domain is protected and trust can be restored to email. There's an additional downside to not getting to enforcement: our research demonstrates that domains without DMARC policies at enforcement are spoofed nearly four times more often compared to domains with DMARC at enforcement. This is because fraudsters give up trying to spoof a domain once they realize it doesn't work, and move on to easier targets.

Chinese hackers use decade-old Bisonal Trojan in cyberespionage campaigns

www.zdnet.com/article/chinese-hackers-use-decade-old-bisonal-trojan-to-strike-russian-targets/#ftag=RSSbaffb68 The RAT's core functions remain the same, but it is unusual that the malware has been rehashed over so many years. Also:

blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html

Guildma: The Devil drives electric

www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ The fourth installment of our occasional series demystifying Latin American banking trojans. In this blog post, we will examine Guildma (also known as Astaroth, a powerful demon), a highly prevalent Latin American banking trojan. This Brazil-targeting trojan, written in Delphi, boasts some innovative execution and attack techniques. We will describe the most recent version, highlighting the most notable changes made since the middle of 2019 when an avalanche of articles about Guildma was

Warning: An Android Security App With 1 Billion Downloads Is Recording Users Web Browsing

www.forbes.com/sites/thomasbrewster/2020/03/03/warning-an-android-security-app-with-1-billion-downloads-is-recording-users-web-browsing/ In February, Google threw 600 apps out of its Play store. Amongst those was an app called Clean Master, a security tool promising antivirus protection and private browsing. It had more than 1 billion installs before it was evicted and, despite Google's ban, is one of Android's most downloaded apps ever and is likely still running on millions of phones. Whilst Google hasn't commented on what it knew about the app, created by China's Cheetah Mobile, Forbes has learned a security company provided the tech giant with evidence the tool was collecting all manner of private Web use data. That includes which websites users visited from the in-app private browser, their search engine queries and their Wi-Fi access point names, right down to more detailed information like how they scrolled on visited Web pages, according to the security company's researcher, who also provided the information to Forbes.

Let's Encrypt Pushes Back Deadline to Revoke Some TLS Certificates

threatpost.com/lets-encrypt-pushes-back-deadline-to-revoke-some-tls-certificates/153456/ Let's Encrypt said it will give users of its Transport Layer Security (TLS) certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization (CAA) bug before it revokes them.

Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys

www.wired.com/story/hackers-can-clone-millions-of-toyota-hyundai-kia-keys/ Encryption flaws in a common anti-theft feature expose vehicles from major manufacturers.

PwndLocker Ransomware Gets Pwned: Decryption Now Available

www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/ Emsisoft has discovered a way to decrypt files encrypted by the new PwndLocker Ransomware so that victims can recover their files without paying a ransom.

Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks

blog.trendmicro.com/trendlabs-security-intelligence/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks/ The Android banking trojan Geost was first revealed in research by Sebastian García, Maria Jose Erquiaga and Anna Shirokova from the Stratosphere Laboratory. The trojan employed several layers of obfuscation, encryption, reflection, and injection of non-functional code segments that made it more difficult to reverse engineer.

Hackers Compromise T-Mobile Employees' Email Accounts and Steal Users' Data

thehackernews.com/2020/03/hackers-compromise-t-mobile-employees.html US-based telecom giant T-Mobile has suffered yet another data breach incident that recently exposed personal and account information of both its employees and customers to unknown hackers.

Daily NCSC-FI news followup 2020-03-04

Are our police forces equipped to deal with modern cybercrimes?

blog.malwarebytes.com/opinion/2020/03/are-our-police-forces-equipped-to-deal-with-modern-cybercrimes/ "You should have asked for the presence of a digital detective," Karen said when I told her what happened at the police station. I had accompanied a neighbor, a small business owner, who had been hit with ransomware and wanted to file a report. After listening to his story, the police officer at the desk asked if my neighbor had a description of the perpetrator. I may have groaned. To meet a growing demand for specialized experts, the police force will need a good deal of extra funds and staff. The cost of failing to adequately meet these demands may result in heavier losses than society can afford. At least every police station or sheriff's office should have one digital expert available to at least take in reports of cybercrimes. If this is not an achievable goal, set up an easy-to-use site to report cybercrimes online, where a special department of digital experts can do a triage, spot trends, and involve other departments where that is beneficial.

A white-hat hacker can be perceived as a threat: fear keeps companies from reacting to vulnerabilities

www.tivi.fi/uutiset/tv/6e55f75f-5be0-47e5-80f6-85f577c6efd9 According to security researcher Laura Kankaala, some companies still do not want security holes brought to light. Kankaala urges companies to communicate externally the channels through which vulnerabilities can be reported responsibly. Companies should also develop clear internal processes for how to act when a vulnerability is found. The processes should be put in order so that when a vulnerability is found, it gets fixed. Then there is no longer any reason to panic or to fear losing one's reputation, Kankaala says.

Oikotie warns: Beware of a fraudulent text message

www.is.fi/digitoday/tietoturva/art-2000006427623.html Scam text messages are being sent in Oikotie's name. Do not click the link in the message.

State Department pledges $8 million more in cybersecurity aid to Ukraine

www.cyberscoop.com/state-department-ukraine-cyber-aid-kyiv/ The State Department on Tuesday announced an additional $8 million in cybersecurity funding for Ukraine, whose electric utilities sector has at least twice been struck by Russia-linked hackers in recent years. One of those cyberattacks, in 2015, plunged a quarter of a million Ukrainians into darkness. Ukraine was one of several allies to join the U.S. in blaming the Russian government for cyberattacks on thousands of websites in the Eurasian country of Georgia last October. Moscow denied involvement in the attacks.

Cyber Threats 2019: A Year in Retrospect

www.pwc.co.uk/issues/cyber-security-data-privacy/insights/cyber-threats-2019-retrospect.html In 2019, the cyber threat landscape became increasingly complex due to the proliferation of financially motivated cyber activity, intelligence operations navigating the currents of powerful interests and international politics, and information operations attempting to manipulate the news agenda. PDF:

www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

Warning over ‘hidden apps’ as mobile malware attacks increase – and get sneakier

www.zdnet.com/article/warning-over-hidden-apps-as-mobile-malware-attacks-increase-and-get-sneakier/#ftag=RSSbaffb68 According to figures in the newly released McAfee Mobile Threat Report, the total number of detections for different types of mobile malware reached over 35 million during the final quarter of 2019, representing a jump of 10 million detections compared with 2018. PDF:

www.mcafee.com/content/dam/consumer/en-us/docs/2020-Mobile-Threat-Report.pdf

Academics find 30 file upload vulnerabilities in 23 web apps, CMSes, and forums

www.zdnet.com/article/academics-find-30-file-upload-vulnerabilities-in-23-web-apps-cmses-and-forums/#ftag=RSSbaffb68 Through the use of an automated testing toolkit, a team of South Korean academics has discovered 30 vulnerabilities in the file upload mechanisms used by 23 open-source web applications, forums, store builders, and content management systems (CMSes). When present in real-world web apps, these types of vulnerabilities allow hackers to exploit file upload forms and plant malicious files on a victim's servers. These files could be used to execute code on a website, weaken existing security settings, or function as backdoors, allowing hackers full control over a server.

Securing Content Management Systems

www.cyber.gov.au/publications/securing-content-management-systems The security of external-facing infrastructure is critical for organisations when considering the security of their network as a whole. Even if external-facing infrastructure does not host sensitive information, there is still a significant risk to the reputation of organisations if external-facing infrastructure is tampered with. Security vulnerabilities within content management systems (CMS) installed on web servers of organisations are often exploited by adversaries. Once a CMS has been compromised, the web server can be used as infrastructure to facilitate targeted intrusion attempts. This document outlines strategies for identifying and minimising the potential risk to web servers using CMS. The intended audience is individuals responsible for developing and securing websites or web applications using CMS.

Measuring Security Risk in a Medical IoT World

securityintelligence.com/posts/measuring-security-risk-in-a-medical-iot-world/ The medical internet of things (IoT) is no longer a futuristic concept. It is here today, and it includes devices you may have never considered a part of the patient care ecosystem, such as elevators, beds, exit signs and clocks. When hospitals classify vulnerabilities, they should match the vulnerabilities with information about actual workflows, service delivery of the devices and threats that could lead to a compromise. In other words, security teams should consider the potential clinical and organizational impacts.

Singapore to introduce security label for smart home devices

www.zdnet.com/article/singapore-to-introduce-security-label-for-smart-home-devices/#ftag=RSSbaffb68 Singapore says it will launch the Cybersecurity Labelling Scheme for home routers and smart home hubs, as part of efforts to increase consumer awareness on using secured products and urge manufacturers to deploy additional cybersecurity measures.

Critical Netgear Bug Impacts Flagship Nighthawk Router

threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/ Netgear is warning users of a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. The warnings, posted Tuesday, also include two high-severity bugs impacting Nighthawk routers, 21 medium-severity flaws and one rated low.

Ransomware Attackers Use Your Cloud Backups Against You

www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/ Backups are one of the most, if not the most, important defense against ransomware, but if not configured properly, attackers will use them against you. When Maze finds backups stored in the cloud, they attempt to obtain the cloud storage credentials and then use them to restore the victim's data to servers under the attacker's control. "Yes, we download them. It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to "data breach detection software". Clouds is about security, right?"

Microsoft OneNote Used To Sidestep Phishing Detection

threatpost.com/microsoft-onenote-sidestep-phishing-detection/153436/ A phishing campaign was recently discovered leveraging OneNote, Microsoft's digital notebook that automatically saves and syncs notes, to bypass detection tools and download malware onto victims' systems. The attacker was utilizing OneNote as a way to easily experiment with various lures that either delivered the credential-stealing Agent Tesla keylogger, linked to a phishing page, or both. The attack first started with an email to victims that contained a link to the OneNote document.

Verisign, Amazon patch zero-day vulnerability that utilized homoglyph characters

www.cyberscoop.com/homoglyph-zero-day-verisign-soluble/ Verisign has fixed an issue that could have allowed attackers to register bogus domains by using homoglyphs in place of more common characters, due to research from California-based security firm Soluble.

Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops

www.theregister.co.uk/2020/03/04/microsoft_subdomain_takeover/ Lax DNS leaves the door wide open for miscreants to impersonate the Windows giant on its own websites. In short, the Windows giant allowed hundreds of sub-domains, at least 670, on its big-name microsoft.com, skype.com, visualstudio.com, and windows.com properties to potentially fall into the hands of miscreants who could have commandeered them for phishing and malware distribution.

Scam call centre owner in custody after BBC investigation

www.bbc.com/news/technology-51740214