NCSC-FI News followup

Daily NCSC-FI news followup 2019-11-20

A Notorious Iranian Hacking Crew Is Targeting Industrial Control Systems The recent shift away from IT networks raises the possibility that Iran's APT33 is exploring physically disruptive cyberattacks on critical infrastructure.

Ransomware Gangs Adopt APT Tactics in Targeted Attacks Ransomware operators are moving away from mass volume attacks and partnering with specialists who use APT techniques to provide stealthy infiltration and network-wide encryption capabilities. In a new report by cybersecurity and intelligence firm AdvIntel, we explore how ransomware operators are partnering with actors who utilize APT methods to gain access to networks and perform network-wide ransomware attacks or supply-chain attacks.

Ransomware Surge & Living-Off-the-Land Tactics Remain Big Threats Group-IB’s and Rapid7’s separate analysis of attack activity in recent months shows threat actors are making life harder for enterprise organizations in a variety of ways.

A malware spike caught our attention and helped find over 100,000 QSnatch-infected devices worldwide How does a single Autoreporter observation lead to the trail of internationally significant malware? We have already described how QSnatch operates and how infected devices are cleaned. Now we describe how we found it. QSnatch has drawn attention from Europe all the way to Asia. Globally, at least 100,000 malware infections have been observed.

This is how people's addresses and ages leaked from Gigantti's website; the register's administrator was sacked Gigantti says in its press release that its loyalty programme data was not compromised in the data leak detected over the weekend. Gigantti states in its release that the searches made on the website targeted the contact and consumer marketing register of its partner Bisnode, where the data protection problem occurred.

New Phoenix Keylogger tries to stop over 80 security products to avoid detection A new keylogger called Phoenix that started selling on hacking forums over the summer has now been linked to more than 10,000 infections, researchers from Cybereason said today in a report.

NSA Publishes Advisory Addressing Encrypted Traffic Inspection Risks The National Security Agency (NSA) published an advisory that addresses the risks behind Transport Layer Security Inspection (TLSI) and provides mitigation measures for weakened security in organizations that use TLSI products.

D-Link Adds More Buggy Router Models to Won't Fix List D-Link has warned that more of its routers are vulnerable to critical flaws that allow remote hackers to take control of hardware and steal data. The routers won't be fixed, said D-Link, explaining that the hardware has reached its end-of-life and will no longer receive security updates. D-Link identified the additional affected models as: DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L and DIR-862.

Thousands of Enterprises At Risk Due to Oracle EBS Critical Flaws Two critical security vulnerabilities discovered in Oracle’s E-Business Suite (EBS) could allow potential attackers to take full control over a company’s entire enterprise resource planning (ERP) solution. Onapsis reported the issues to the Oracle Security Response Team in December 2018 and helped fix the vulnerabilities, with patches released as part of Oracle’s April 2019 Critical Patch Update Advisory. At the moment, Onapsis’ research team estimates that approximately 50% of all Oracle EBS customers have not yet deployed the patches.

Mac Backdoor Linked to Lazarus Targets Korean Users Criminal interest in MacOS continues to grow, with malware authors churning out more threats that target users of the popular OS. Case in point: A new variant of a Mac backdoor (detected by Trend Micro as Backdoor.MacOS.NUKESPED.A) attributed to the cybercriminal group Lazarus, which was observed targeting Korean users with a macro-embedded Microsoft Excel spreadsheet.

Bug bounties: Mozilla just doubled its payouts as it tries to attract software vulnerability hunters Mozilla has doubled the payout across its bug bounty program and added new sites and services to the list in an attempt to attract more attention from the bug-hunting community. The browser-maker said it has doubled all web payouts for critical, core and other Mozilla sites as part of its web and services bug bounty program page. Mozilla has also tripled payouts to $15,000 for remote code execution payouts on critical sites and is adding new sites to the program.

Exploit kits: fall 2019 review Despite a slim browser market share, Internet Explorer is still being exploited in fall 2019 in a number of drive-by download campaigns. Perhaps even more surprising, we're seeing new exploit kits emerge. Based on our telemetry, these drive-bys are happening worldwide (with the exception of a few that are geo-targeted) and are fueled by malvertising most often found on adult websites.

Attackers increasingly embrace small-scale DDoS attacks to evade detection The growth in both large- and small-scale DDoS attacks continues its upward trajectory, according to a report released by Neustar. The report reveals that the total number of DDoS attacks was up 241% in the third quarter of 2019, compared to the same period last year. The report also confirmed the continued increase in small-scale attacks and the use of multiple threat vectors, as new vectors continue to expand the attack surface that organizations must defend.

New Roboto botnet emerges targeting Linux servers running Webmin The botnet’s main function is the ability to conduct DDoS attacks, a feature it has not used yet.

How to Recover from a DDoS Attack They say nothing lasts forever and neither do DDoS attacks. Recovering from a DDoS attack is no simple matter, but once an attack is over, it is time to assess the impact, evaluate your defenses, and better prepare for the next incident.

Active C2 Discovery Using Protocol Emulation Part1 (HYDSEVEN NetWire) Malware C2 addresses can be an important IOC to detect known threats. In order to obtain C2 information, we first need malware samples which are then analyzed dynamically or statically. However, the analysis task is often not straightforward. Increasingly, anti-analysis methods are implemented in malware, or C2 information is extracted from secondary or tertiary websites. VMware Carbon Black Threat Analysis Unit (TAU) analyzed HYDSEVEN NetWire samples, then implemented a scanner to discover active C2 servers on the Internet by emulating the customized C2 protocol. In this blog post, the latest protocol and scanner implementation are detailed for researchers and practitioners.

Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020 Nothing is more difficult than making predictions. Rather than trying to gaze into a crystal ball, we will be making educated guesses based on what has happened during the last 12 months, to see where we can see trends that might be exploited in the near future. This is what we think might happen in the coming months, based on the knowledge of experts in this field and our observation of APT attacks, since APT threat actors have historically been the center of innovation.

Cryptominers, ransomware among top malware in IR engagements in Q4 The discoveries outlined in this blog were observed during CTIR engagements between May and July, which corresponds to Cisco's fourth quarter in fiscal year 2019. These reports, which we intend to publish quarterly, are intended to provide executives and network defenders with regular updates and analysis on the threat landscape.

Why Organizations are Failing to Deal With Rising Bot Attacks The need for bot management is fueled by the rise in automated attacks. In the early days, the use of bots was limited to small scraping attempts or spamming. Today, things are vastly different. Bots are being used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information and more.

Want to build a successful SOC? Here's what you need to know There is no arguing the fact that networks are continually growing in complexity and the cyberattack surface is constantly expanding. A critical step in building a stronger security posture and more robust data protection strategy is a 24×7 facility whose mission is to monitor, detect, investigate and resolve active threats. When the inevitable attack happens, timely identification, reaction and collaboration are everything, and a business with a successful SOC will be far quicker and more coordinated in its response than one without.

1.19 billion confidential medical images available on the internet 1.19 billion confidential medical images are now freely available on the internet, according to Greenbone's research into the security of Picture Archiving and Communication Systems (PACS) servers used by health providers across the world to store images of X-rays as well as CT, MRI and other medical scans.

High-Severity Windows UAC Flaw Enables Privilege Escalation Researchers disclosed details of a high-severity Microsoft Windows vulnerability that could give attackers elevated privileges, ultimately allowing them to install programs, and view, change or delete data. This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows, researchers with Zero Day Initiative (ZDI) said in a detailed analysis of the vulnerability published Tuesday. An attacker must first obtain the ability to access an interactive desktop as a low-privileged user on the target system in order to exploit this vulnerability.

Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin Admins and owners of WordPress websites are urged to immediately apply the Jetpack 7.9.1 critical security update to prevent potential attacks that could abuse a vulnerability that has existed since Jetpack 5.1. Jetpack is an extremely popular WordPress plugin that provides free security, performance, and site management features including site backups, secure logins, malware scanning, and brute-force attack protection. The plugin has over 5 million active installations, and it was developed and is currently maintained by Automattic, the company behind WordPress.


Daily NCSC-FI news followup 2019-11-19

Why Were the Russians So Set Against This Hacker Being Extradited? The Russian government has for the past four years been fighting to keep 29-year-old alleged cybercriminal Alexei Burkov from being extradited by Israel to the United States. When Israeli authorities turned down requests to send him back to Russia, supposedly to face separate hacking charges there, the Russians then imprisoned an Israeli woman for seven years on trumped-up drug charges in a bid to trade prisoners. That effort failed as well, and Burkov had his first appearance in a U.S. court last week. What follows are some clues that might explain why the Russians are so eager to reclaim this young man.

Collective Intelligence Podcast, Underground Markets Underground markets continue to thrive across the internet. This is in spite of successful law enforcement action against a number of entities peddling anything from malware to drugs, as well as other markets' self-imposed shutdowns due to economic pressures within the underground. In this episode of the Collective Intelligence Podcast, Max and Ian discuss what they characterize as a tumultuous environment, and how buyers, sellers, and researchers react when these markets change.

The U.N. passed a resolution that gives Russia greater influence over internet norms A cybercrime-focused resolution backed by Russia was passed Monday in the United Nations in New York, despite calls from the U.S. that the measure would further hamper efforts to root out crime on the internet. The resolution, which passed 88-58 with 34 abstentions, aims to establish a group to examine cybercrime and set up a convention to prevent it. However, human rights groups have argued that the resolution is actually an effort by the Kremlin to expand its model of state-backed internet control.

Louisiana Government Suffers Outage Due to Ransomware Attack The state government of Louisiana was hit by a ransomware attack today that impacted numerous state services including the Office of Motor Vehicles, the Department of Health, and the Department of Transportation and Development.

Down the Malware Rabbit Hole: Part II In our last post in this series, we took a look at a code snippet that had been encoded in a very specific way and hidden 91 layers deep. Today, we'll reveal how attackers achieve this level of encoding and investigate one of the many possible tools they can use to conceal malware on compromised websites.

Games entrepreneur Peter Vesterbacka curses the slowness of permit authorities; millions in revenue from foreign students at risk A handful of foreign students, mainly from India, have been able to start a cybersecurity engineering programme in Salo, Southwest Finland. More would be coming, but arranging the permits has proven slower than expected. Peter Vesterbacka, part-owner of and adviser to the education export company Edunation, criticises the Finnish system in harsh terms. "It is quite shocking that one has to wait seven months to be allowed to study in Finland. We have hundreds of students queued up who have paid ten thousand to come and study in Finland. In the worst case, schools have had to refund money."

Macy’s Customer Payment Info Stolen in Magecart Data Breach Macy’s has announced that they have suffered a data breach due to their web site being hacked with malicious scripts that steal customers’ payment information. This type of compromise is called a MageCart attack and consists of hackers compromising a web site so that they can inject malicious JavaScript scripts into various sections of the web site. These scripts then steal payment information that is submitted by a customer. According to a ‘Notice of Data Breach’ issued by Macy’s, their web site was hacked on October 7th, 2019 and a malicious script was added to the ‘Checkout’ and ‘My Wallet’ pages. If any payment information was submitted on these pages while they were compromised, the credit card details and customer information were sent to a remote site under the attacker’s control.

Australia releases draft IoT cybersecurity code of practice The Australian government has released a draft code of practice for securing the Internet of Things (IoT), with a public consultation running until 1 March 2020. The voluntary Code of Practice: Securing the Internet of Things for Consumers, published on Tuesday, is intended to provide industry with best-practice advice.

Buran Ransomware Infects PCs via Microsoft Excel Web Queries A new spam campaign has been spotted distributing the Buran Ransomware through IQY file attachments. When opened, these Microsoft Excel Web Query attachments will execute a remote command that installs the ransomware onto a victim’s computer.

Databases for actual control system cyber incidents exist and they are important for many reasons

The unpredictability of the digital discussion environment is also visible in police work The development and spread of smart devices have made it easier for people to organise around issues, but at the same time the range of side effects disrupting public discussion has grown. Such phenomena include the targeting of individuals, deliberate disruption of discussions, harsh language, trolling and disinformation.

Shade Ransomware Is the Most Actively Distributed Malware via Email During the first half of 2019, the Shade Ransomware (also known as Troldesh) was the most actively distributed malware via malicious email phishing campaigns according to Singapore-based Group-IB security outfit.

Hacking and cyber espionage: The countries that are going to emerge as major threats in the 2020s Nation-state backed cyber groups have been responsible for major incidents over the last decade. And now more countries want the same power.

Until recently, weaknesses in Android camera apps from Google and Samsung made it possible for rogue apps to record video and audio and take images and then upload them to an attacker-controlled server without any permissions to do so. Camera apps from other manufacturers may still be susceptible.

Fake Windows Update Spam Leads to Cyborg Ransomware and Its Builder Recently, fake Microsoft Windows Update emails were spammed with the following subject lines: “Install Latest Microsoft Windows Update now!”, “Critical Microsoft Windows Update!”. The email, claiming to be from Microsoft, contains just one sentence in its email body which starts with two capital letters. It directs the recipient's attention to the attachment as the latest critical update.

Cheap Chinese JAWS of DVR Exploitability on Port 60001 Looking at some local IP addresses in our database during class this week, I came across a host scanning exclusively for port 60001. Interestingly, we did see a marked increase in scans for this port in recent weeks.

Ransomware Bites 400 Veterinary Hospitals National Veterinary Associates (NVA), a California company that owns more than 700 animal care facilities around the globe, is still working to recover from a ransomware attack late last month that affected more than half of those properties, separating many veterinary practices from their patient records, payment systems and practice management software. NVA says it expects to have all facilities

Cybercriminals are Targeting your Entire Digital Footprint The third quarter of 2019 saw a number of new cyberthreat trends emerge or expand, and organizations need to be aware of these trends if they wish to stay ahead of cybercriminal strategies. One of the most effective attack strategies does not require cybercriminals to build new malware, but simply to change their tactics.

Mispadu: Advertisement for a discounted Unhappy Meal In this installment of our blog series, we will focus on Mispadu, an ambitious Latin American banking trojan that utilizes McDonald's malvertising and extends its attack surface to web browsers. We believe this malware family is targeting the general public. Its main goals are monetary and credential theft. In Brazil, we have seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.

Official Monero website compromised with malware that steals funds Official Linux CLI binary for the Monero cryptocurrency compromised with malware that steals users’ funds.

Data Theft at Cayman National in the Isle of Man Cayman National Bank (Isle of Man) Limited, together with its sister company Cayman National Trust Company (Isle of Man) Limited, confirms that it has experienced a data hack. Responsibility for the data theft was claimed by a criminal hacking group on Sunday 17 November 2019.


Daily NCSC-FI news followup 2019-11-18

How the Iranian Government Shut Off the Internet Amid widespread demonstrations over rising gasoline prices, Iranians began experiencing internet slowdowns over the last few days that became a near-total internet and mobile data blackout on Saturday. The government is apparently seeking to silence protestors and quell unrest. So how does a country like Iran switch off the internet for a population of more than 80 million? It’s not an easy thing to do.

Disney+ fans without answers after thousands hacked Thousands of Disney customers say they have been hacked after signing up to its online streaming service.

Pipka Card Skimmer Removes Itself After Infecting eCommerce Sites A new JavaScript payment card skimmer, dubbed Pipka, has been identified on at least seventeen merchant websites attempting to target site visitors' payment data. Unlike other skimmers, Pipka removes itself from the HTML code of compromised websites after exfiltrating payment card data, a detection evasion technique never seen before with JavaScript web skimmers.

Interpol: Strong encryption helps online predators. Build backdoors Three people “briefed on the matter” told financial newswire Reuters yesterday that the agency would be issuing a statement this week condemning the use of strong encryption because it helps child predators. While the statement may well read like the rantings of a demented senior citizen in some long-forgotten care home, it builds on similar statements from Western governments, police and spy agencies, as well as new international treaties. So-called “think of the children” rhetoric is a tried and trusted strategy for police workers who are determined to get their way with politicians.

The Iran Cables In an unprecedented leak from one of the world's most secretive regimes, an anonymous source provided 700 pages of Iranian intelligence reports to The Intercept, saying they wanted to “let the world know what Iran is doing in my country Iraq.”

Record number of foreign participants at the Junction hackathon in Otaniemi; main prize goes to an app promoting children's cybersecurity Over the weekend, participants built a total of 350 new technology projects, from which an app promoting children's cybersecurity was chosen as the winner. Through storytelling, the app lets children create and remember their own password.

Pemex ransomware attack: Mexico Oil, Gas Recovery Update. How the Mexican state oil and gas conglomerate is striving to bring systems back online.

Someone is using the ‘Cozy Bear’ moniker to scare DDoS victims into bitcoin payments Multiple companies have reported to the security vendor Akamai that they were hit with a distributed denial-of-service attack, which degrades victims' web services by overwhelming them with fake traffic. After a brief DDoS hit, victims say they receive an extortion note from a group claiming to be Cozy Bear, a state-sponsored Russian hacking group. The scheme works like this: attackers launch the DDoS attack from a botnet, in which each IP in the botnet sends a fraction of the overall traffic to the target. The victim has a deadline, typically six days, to pay two bitcoin. If they don't pay by the time the deadline expires, the fee increases by one bitcoin per day, and the DDoS resumes.

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies It's a reward for hacktivists and criminals who break into capitalist institutions, offered by one of the most infamous hackers of all time.

The Importance of the Network in Detecting Incidents in Critical Infrastructure In order to have assurance of business operations, it is critical to have visibility and awareness into what is occurring on the network at any given time. In the security world we can infer much from network telemetry, from malware behaviour and reconnaissance, to data exfiltration. It is even possible to infer to some extent what is contained in encrypted traffic.

Fortinet, Siemens pair up to better secure operational technology Fortinet and Siemens unveiled a partnership designed to better secure operational technology networks in markets such as utilities, transportation and oil and gas. Under the alliance, Siemens will integrate its industrial and operational technologies and control systems with Fortinet’s cybersecurity platform and Fortinet Security Fabric. The aim is to better secure edge computing and Internet of things devices.

Windows security warning: Ransomware is growing fastest, and just got harder to tackle Tech security company Bitdefender analysed Windows security threats including ransomware, coin miners, fileless malware, PUAs (‘potentially unwanted applications’ that can compromise privacy or security), exploits (attacks based on unpatched or previously-unknown vulnerabilities) and banking Trojans. Bitdefender found that of all these threats, ransomware reports saw the biggest year-on-year increase — 74.2%. Ransomware also ranked first in terms of the total number of reports.

Linux, Windows Users Targeted With New ACBackdoor Malware Researchers have discovered a new multi-platform backdoor that infects Windows and Linux systems, allowing the attackers to run malicious code and binaries on the compromised machines. The malware, dubbed ACBackdoor, is developed by a threat group with experience in developing malicious tools for the Linux platform, based on the higher complexity of the Linux variant, as Intezer security researcher Ignacio Sanmillan found. “ACBackdoor provides arbitrary execution of shell commands, arbitrary binary execution, persistence, and update capabilities,” the Intezer researcher found.

Experts found undocumented access feature in Siemens SIMATIC PLCs Researchers discovered a vulnerability in Siemens SIMATIC S7-1200 programmable logic controller (PLC) that could allow attackers to execute arbitrary code on vulnerable devices.


Daily NCSC-FI news followup 2019-11-17

Indian officials acknowledged on October 30th that a cyberattack occurred at the country's Kudankulam nuclear power plant. While reactor operations at Kudankulam were reportedly unaffected, this incident should serve as yet another wake-up call that the nuclear power industry needs to take cybersecurity more seriously. The problem of cybersecurity is not new to the nuclear power industry, and it does not require solutions radically different from those already in place in fields such as finance and commercial aviation. But last week's example of a well-established nuclear power program responding to a breach with denial, obfuscation, and shopworn talk of so-called air-gaps demonstrates how dangerously little progress the industry has made to date.

Chrome, Edge, Safari hacked at elite Chinese hacking contest China’s top hackers have gathered this weekend in the city of Chengdu to compete in the Tianfu Cup, the country’s top hacking competition. Over the course of two days — November 16 and 17 — Chinese security researchers will test zero-days against some of the world’s most popular applications. The goal is to exploit and take over an app using never-before-seen vulnerabilities. If attacks succeed, researchers earn points towards an overall classification, cash prizes, but also the reputation that comes with winning a reputable hacking competition.

Essay: Who decides when AI kills? The debate on the military use of AI has focused on the wrong threats. It is not about killer robots but about the erosion of trust, writes Kari Huhta, a journalist specialising in security policy. Note: the article is behind a paywall.

The security hole on Gigantti's website was open for a month; personal data could be retrieved from the site On the registration page for the Gigantti Club loyalty programme, it was possible to look up people's personal data from a database using a phone number. The database in question is the contact and consumer marketing register of the marketing and credit information company Bisnode. Gigantti's marketing director Sami Särkelä told HS on Sunday that the registration page form had been in use for about a month. "Unfortunately, we learned yesterday, Saturday, that an error in the customer data form's code had allowed data to be displayed in a way that is not in line with data protection," Särkelä said by email. According to him, the system has now been shut down and the code is currently being fixed.


Daily NCSC-FI news followup 2019-11-16

Holiday Shoppers Beware: 100K Malicious Sites Found Posing as Well-Known Retailers As the holiday season looms, cybercrooks are going after shoppers with more than 100,000 lookalike domains mimicking legitimate retailers. To that point, Venafi researchers uncovered the copycat phishing sites, which use trusted, valid TLS certificates (60 percent of them are free certificates from Let's Encrypt). These make phishing websites appear valid, the better to convince consumers to enter sensitive account and payment data into online forms. This year's explosion of copycat sites more than doubles the number seen last year, Venafi said; and, it means that the total number of look-alike domains is more than 400 percent greater than the number of authentic retail domains.

Android malware disguises as ad blocker, but then pesters users with ads Security researchers have discovered a new Android malware strain that’s currently being distributed as an ad blocker for Android users, but, ironically, once installed, it pesters victims with ads through multiple methods every couple of minutes. Its distribution vector is via third-party app stores, where it’s available for download as an ad-blocking app named Ads Blocker, said Nathan Collier, Senior Malware Intelligence Analyst.

Microsoft Office 365 Admins Targeted by Ongoing Phishing Campaign A new phishing campaign is actively targeting Microsoft Office 365 administrators with the end goal of compromising their entire domain and using newly created accounts on the domain to deliver future phishing emails.

New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware On Your Devices The Hacker News has learned that WhatsApp has recently patched yet another critical vulnerability that could have allowed attackers to remotely compromise targeted devices and potentially steal secured chat messages and files stored on them. The vulnerability, tracked as CVE-2019-11931, is a stack-based buffer overflow issue that resided in the way vulnerable WhatsApp versions parse the elementary stream metadata of an MP4 file, resulting in denial-of-service or remote code execution attacks. To remotely exploit the vulnerability, all an attacker needs is the phone number of targeted users and to send them a maliciously crafted MP4 file over WhatsApp, which eventually can be used to install a malicious backdoor or spyware on compromised devices silently.

Internet users were baffled: anyone's public contact details can be viewed on Gigantti's website If your phone number and address details are public, anyone can find them out through Gigantti's registration form. The company's marketing director explains to Iltalehti what it is about. According to Gigantti's marketing director Sami Särkelä, the registration form on Gigantti's website retrieves, based on a phone number, publicly available contact details of the kind used by directory services, for example. He stresses that Gigantti's customer register data is confidential and users cannot access it.

NetSupport RAT installed via fake update notices Recently, the Zscaler ThreatLabZ team came across two campaigns designed to trick users into downloading a Remote Access Trojan (RAT) via a fake Flash Player update and a font update. The two malware campaigns we examine in this blog deliver a payload designed to steal sensitive information.


Daily NCSC-FI news followup 2019-11-15

Clampdown on US border device searches not such a big deal Alasaad v. Mcaleenan acknowledges the intrusiveness of digital searches, but it’s only about “contraband” and falls short of requiring a warrant. It’s time for SCOTUS and Congress to dig deeper, say experts.

New Emotet Report Details Threats From One of the World's Most Successful Malware Operations Emotet is still highly active, and its daily activity is noted not only by the organizations affected by this pervasive threat, but by researchers and first responders worldwide trying to understand the latest additions and attack methodologies the Emotet authors have added to their war chest. This latest playbook focuses on a specific Emotet attack campaign that FortiGuard Labs has observed as recently as a few weeks ago. While this playbook is not meant to be an exhaustive analysis of Emotet, as that would be impossible due to time constraints, it does serve as a small glimpse into an otherwise impressive campaign of criminal behavior.

What is application security? A process and tools for securing software According to Veracode's State of Software Security Vol. 10 report, 83% of the 85,000 applications it tested had at least one security flaw. Many had many more: the research found a total of 10 million flaws, and 20% of all apps had at least one high-severity flaw. Not all of those flaws present a significant security risk, but the sheer number is troubling.

‘State of the Firewall’ Report: Automation Key to Preventing Costly Misconfigurations Now, more than ever, it is important to automate firewall processes to prevent misconfigurations and data breaches. Gartner has warned that “50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet, up from 25% at YE18.”. This is a human problem, not a firewall problem. Gartner also posits that “99% of firewall breaches will be caused by misconfigurations, not firewall flaws.”. Report at

Fraud rates increasing as criminals become more sophisticated Fraud rates have been skyrocketing, with 90 voice channel attacks occurring every minute in the U.S., Pindrop reveals.. Voice fraud continues to serve as a major threat, with rates climbing more than 350 percent from 2014 to 2018.

Facebook Nixes Billions of Fake Accounts Facebook on Wednesday said it has taken down some 5.4 billion fake accounts this year in a sign of the persistent battle on social media against manipulation and misinformation.

IT professionals deem hybrid cloud as most secure Enterprises plan to aggressively shift investment to hybrid cloud architectures, with respondents reporting steady and substantial hybrid deployment plans over the next five years, according to a Nutanix survey.

How the most damaging ransomware evades IT security We decided to take a closer look at the behaviour of ransomware once it is inside a victim system, and how the various tools and techniques observed are used by the most prevalent ransomware families, from WannaCry, Matrix and GandCrab to Ryuk, SamSam, MegaCortex, and more. This article is a summary of a report we're releasing today, How Ransomware Attacks: What defenders should know about the . report:

Looking to the future: Check Point's cyber security forecast for 2020

To improve incident response, you need to consider 3rd party solutions Organizations reported an average 32% reduction in threat responder workload when they deployed a managed SIEM solution, according to CenturyLink and IDG.

Under The Hood: Cybercriminals Exploit Automotive Industry's Software Features Car manufacturers offer more software features to consumers than ever before. Cloud connectivity and wireless technologies are standard features today, and drivers expect everything to work in a safe, reliable, and smart way.. But these advanced software features tend to have lax security protocols, opening the door for threat actors to hack into any car's network and paving the way for them to access the manufacturer's corporate systems.. report:

Lizard Squad Threatens UK's Labour Leader with Cyberattacks Against His Family Lizard Squad, the well-known hacktivist cybergang, is pledging to mount personal cyberattacks on Britain's Labour Party leader, Jeremy Corbyn.. Lizard Squad, which specializes in mounting DDoS attacks against high-profile targets, took responsibility for the attack. It tweeted out that "no terrorist-supporting government should be allowed to rule a country", in a reference to leader Jeremy Corbyn's views on Northern Ireland; politics-watchers say that Ulster is at the heart of the country's inability to get a Brexit deal done.

Custom dropper hide and seek Cisco Talos has monitored the adversaries behind a wave of ongoing campaigns dropping well-known information stealers such as Agent Tesla, Loki-bot and others since at least January 2019. The adversaries are using custom droppers, which inject the final malware into common processes on the victim machine.. The injection techniques we're seeing in the wild are well-known and have been used for many years, but with the adversaries customizing them, traditional anti-virus systems are having a hard time detecting the embedded malware. In this post, we'll walk through one of these campaigns in detail and how the different stages of the dropper hide the malware. Any internet user is a potential target of

New NextCry Ransomware Encrypts Data on NextCloud Linux Servers A new ransomware has been found in the wild that is currently undetected by antivirus engines on public scanning platforms. Its name is NextCry, as it was discovered on a Linux machine running Nextcloud server.. On October 24, Nextcloud released an urgent alert about a remote code execution vulnerability that impacts the default Nextcloud NGINX configuration. Tracked as CVE-2019-11043, the flaw is in the PHP-FPM (FastCGI Process Manager) component, included by some hosting providers like Nextcloud in their default setup. A public exploit exists and has been leveraged to compromise servers.. Nextcloud's recommendation for administrators is to upgrade their PHP packages and NGINX configuration file to the latest version.

DDoS-for-Hire Services Owner Sentenced to 13 Months in Prison Sergiy P. Usatyuk, the owner and admin of several DDoS-for-hire services also known as booters or stressers, was sentenced to 13 months in prison, to be followed by three years of supervised release.

Daily NCSC-FI news followup 2019-11-14

Qualcomm Chip Flaws Let Hackers Steal Private Data From Android Devices According to a report cybersecurity firm CheckPoint shared with The Hacker News, the flaws could allow attackers to steal sensitive data stored in a secure area that is otherwise supposed to be the most protected part of a mobile device.. Report at

Strange AnteFrigus Ransomware Only Targets Specific Drives A new and strange ransomware called AnteFrigus is now being distributed through malvertising that redirects users to the RIG exploit kit. Unlike other ransomware, AnteFrigus does not target the C: drive, but only other drives commonly associated with removable devices and mapped network drives.. It turns out that this ransomware only targets the D:, E:, F:, G:, H:, and I: drives. It does not encrypt any files located on the C: drive or unmapped network shares.

Iranian hacking group built its own VPN network One of Iran's elite state-sponsored hacking groups has built and has been operating its own private network of VPN nodes, which they've been using to connect to hacking infrastructure, perform reconnaissance on future targets, and even for casual web browsing, according to research published today by cyber-security firm Trend Micro.. Report at

Breach affecting 1 million was caught only after hacker maxed out target's storage The US Federal Trade Commission has sued an IT provider for failing to detect 20 hacking intrusions over a 22-month period, allowing the hacker to access the data of 1 million consumers. The provider only discovered the breach when the hacker maxed out the provider's storage system.. The FTC said in a statement that as part of a proposed settlement, InfoTrax will be barred from collecting, selling, sharing, or storing personal information unless the company implements a security program that corrects the failures identified in the complaint. InfoTrax will also be required to obtain third-party assessments of its security every two years.

Self-Cleaning Payment Card-Skimmer Infects E-Commerce Sites Visa's researchers discovered Pipka, as they are calling the malware, on a North American e-commerce site that had been previously infected with Inter, another JavaScript malware for skimming payment-card data from merchant sites. Since that initial discovery, Visa has identified at least 16 other e-commerce sites that Pipka has infected.. Report at

Exclusive: U.S. manufacturing group hacked by China as trade talks intensified – sources The National Association of Manufacturers (NAM) was hacked over the summer and hired a cybersecurity firm, which concluded the attack came from China, the two sources said.

India, Russia step up cyber security cooperation after attack on Kudankulam Deputy Chief of Mission of the Russian Embassy Roman Babushkin has said Nuclear Power Corporation of India Limited has informed Russian authorities that the plant is safe and additional steps have been taken to enhance its security further. “The Russian authorities are working with Indian agencies to stop any further attacks,” he said.

General election 2019: Labour Party hit by second cyber-attack Labour is reportedly suffering a second cyber-attack after saying it successfully thwarted one on Monday.

Labs report finds cyberthreats against healthcare increasing while security circles the drain The healthcare industry is a target for cybercriminals for several reasons, including its large databases of patients' personally identifiable information, lack of a sophisticated security model, and high number of endpoints and other devices connected to the network.. Report at

Infosec boffins pour cold water on claims Home Office Brexit app can be easily hacked The Financial Times today splashed with the headline “Home Office app for EU citizens easy to hack” based on a report by Norwegian security firm Promon. The company’s researchers found the app contains loopholes allowing them to access any information that was entered into it, including the facial scans and images of passport pages.. “I’ve already seen it retweeted by many who have taken the headline at face value, and that is unnecessary scaremongering. As far as I am aware, the app isn’t particularly vulnerable. If you practice good security hygiene on your device, you should be fine using the app.”. [said Professor Alan Woodward, of the Department of Computer Science at the University of Surrey]

Canada Spy Agencies Split Over Proposed Huawei 5G Ban: Media The Globe and Mail, citing an unnamed source, said the spy agency CSIS and the electronic eavesdropping agency CSE disagree on how to proceed.. The CSE reportedly supports an outright ban while the CSIS believes the risks can be mitigated with robust testing and monitoring of equipment.

TA2101 plays government imposter to distribute malware to German, Italian, and US organizations Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware.. The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails.. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).

Clever WebEx Spam Uses Cisco Redirect to Deliver RAT Malware A clever spam campaign is underway that pretends to be a WebEx meeting invite and uses a Cisco open redirect that pushes a Remote Access Trojan to the recipient. Using open redirects adds legitimacy to spam URLs and increases the chances that victims will click on a URL.

Online scams are on the rise despite warnings: read the police's real examples of romance scammers Detective Chief Inspector Jari Riiali of the Southwest Finland police says that the number of online scams keeps growing. Although people are warned about online scammers, the lesson does not sink in.

Cyber Threat Report for 2018/19 released The NCSC recorded 339 incidents in the 12 months to 30 June 2019, compared with 347 incidents in the previous year.. The NCSC was able to identify indicators linking state-sponsored cyber actors to 38 percent of total incidents recorded in 2018-19. While this is similar to the previous year (39%), NCSC analysis of these incidents shows they had a greater impact. In previous years more state-sponsored incidents were detected at an early phase, before the actors were able to cause harm.

Just-Released Checkra1n iPhone Jailbreak Stirs Security Concerns That said, for an adversary to jailbreak a target's phone without their knowledge is an unwieldy process. The prerequisites for a third-party jailbreak are access to an unlocked iPhone and tethering the device to a macOS computer running the exploit code.

Attention is All They Need: Combatting Social Media Information Operations With Neural Language Models In this blog post, we will illustrate an example of how the FireEye Data Science (FDS) team works together with FireEye's Information Operations Analysis team to better understand and detect social media information operations using neural language models.

Symantec Fixes Privilege Escalation Flaw in Endpoint Protection [Safebreach researcher Peleg] Hadar says that CVE-2019-12758 is caused by the security solution's attempt to load a DLL from its current working directory (CWD) instead of the DLL's actual location, and by not validating whether the DLL is signed with a digital certificate.. Since August, Hadar has also found other similar issues impacting Trend Micro's Password Manager, Check Point Software's Endpoint Security Initial Client, the free version of Bitdefender Antivirus, Avira's Antivirus 2019 software, Avast Software's AVG Antivirus and Avast Antivirus, and several McAfee Antivirus software solutions.

Hunting for LoLBins Attackers' trends tend to come and go. But one popular technique we're seeing at this time is the use of living-off-the-land binaries, or "LoLBins". LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.. In this post, we will take a look at the use of LoLBins through the lens of Cisco's product telemetry. We'll also walk through the most frequently abused Windows system binaries and measure their usage by analyzing data from Cisco AMP for Endpoints.

Daily NCSC-FI news followup 2019-11-13

While CISOs Fret, Business Leaders Tout Security Robustness Nominet recently surveyed nearly 300 senior security and IT practitioners, including CISOs, CIOs, and CTOs from the US and UK. The survey sought to assess the level of confidence among executives about their organizations' cybersecurity posture and readiness to deal with threats.. Seventy percent of the respondents said their organizations use their cybersecurity posture as a selling point to customers and business partners, even though CISOs and others responsible for cybersecurity were far less confident in the security stack.

Shock! US border cops need 'reasonable suspicion' of a crime before searching your phone, laptop Massachusetts district court judge Denise Casper declared that the practice breaks the Fourth Amendment on unreasonable search, and that border agents need to have a reasonable suspicion of illegal activity before they can search electronic devices.. It's not clear whether the ruling will apply to all visitors to the United States or just citizens and permanent residents, but Schwartz argues that the logic should be that all visitors are given equal protections.

An important Finnish identification service malfunctioned; the cause was not a denial-of-service attack There were problems on Wednesday morning. The service was not completely down, but its operation was disrupted.

Russian bloke charged in US with running $20 million stolen card-as-a-service online souk Prosecutors say that Burkov was the mastermind behind two sites dedicated to buying and selling the details of stolen payment cards. One site, known as Cardplanet, was public and it is estimated that the cards traded on the site were used by criminals to rack up fraudulent charges in excess of $20m. That site operated from 2009 through most of 2013.

Hackers Breach ZoneAlarm's Forum Site, Outdated vBulletin to Blame ZoneAlarm, an internet security software company owned by Israeli cybersecurity firm Check Point Technologies, has suffered a data breach exposing data of its discussion forum users, the company confirmed to The Hacker News.. Moreover, the company has also clarified that the security incident only affects users registered with the "" domain, which has a small number of subscribers, nearly 4,500.. Upon reaching out to the company, a spokesperson confirmed to The Hacker News that attackers exploited a known critical RCE vulnerability (CVE-2019-16759) in the vBulletin forum software to compromise ZoneAlarm's website and gain unauthorized access.

Two New Carding Bots Threaten E-Commerce Sites One of the new carding bots, named the canary bot, specifically exploits top e-commerce platforms. The other bot, dubbed the shortcut bot, bypasses the e-commerce website entirely and instead exploits the card payment vendor APIs used by a website or mobile app.. Describing an attack by the canary bot, researchers wrote: "In this attack, the bots create a shopping cart, add products to the cart, set shipping information, and finally execute the carding attack; all of the steps except for the carding attack exhibit normal user behavior through a website.". As can be expected from its name, the shortcut bot takes a more direct approach, skipping adding products to the cart and completing the billing process in an attempt to avoid detection.

Cheat or death? The secret world of malware-like cheats in video games Video game cheats are nothing new, but now, among the great variety of performance-enhancing cheats, we are seeing cheats that demonstrate malware-like behavior, using evasion features and techniques that rival those of advanced persistent threats.. Video of related Bluehat talk at

Cyber Command flags North Korean-linked hackers behind ongoing financial heists The Department of Defense has once again called out North Korean hackers by exposing malware samples researchers say are linked to regime-backed financial heists, including past attacks on the interbank messaging system known as the Society for Worldwide Interbank Financial Telecommunication (SWIFT), CyberScoop has learned.. These malware samples are currently used for fund generation and malicious cyber activities including remote access, beaconing, and malware command by malicious cyber actors, [US Cyber Command] said in a tweet. [originally in news followup on 2019-07-11 from US-CERT]

GSM Traffic and Encryption: A5/1 Stream Cipher This write-up documents some of my follow-up research with regard to analyzing the GSM traffic packets I captured using Software Defined Radio. My attempt was to better understand the GSM mobile network protocols and procedures, with an emphasis on the authentication and ciphering algorithms being deployed.

Leashing Cerberus Cerberus is an Android banking trojan first reported on by ThreatFabric in June 2019 that may have been active since at least 2017. The malware is for sale on a Russian hacking forum called xss[.]is, where the actors behind its development are selling licenses for the service from $4000 – $12000. This new malware-as-a-service may have filled the void for actors who require Android malware rental services like Anubis and Red Alert, which have ceased to exist. ThreatFabric analysts point out that the malware activates when victims move around, triggering the accelerometer inside the device.. Cerberus lies dormant until the pedometer (measuring step count) reaches a certain number of steps. It also alters the lure depending on the Android package name, capturing banking details or mail credentials. Cerberus does not share code with Anubis or other Android banking trojans and appears to have been newly written.

Daily NCSC-FI news followup 2019-11-12

BlueKeep freakout had little to no impact on patching, say experts According to SANS, those reports did not do much to get people motivated. The security institute says that the rate of BlueKeep-vulnerable boxes it tracks on Shodan has been on a pretty steady downward slope since May, and the media’s rush to sound alarms over active attacks did not change that.

Ransomware attack at Mexico's Pemex halts work, threatens to cripple computers MEXICO CITY (Reuters) – A ransomware attack hit computer servers and halted administrative work on Monday at Mexican state oil firm Pemex, according to employees and internal emails, in hackers' latest bid to wring ransom from a major company.. An internal email seen by Reuters said Pemex was targeted by Ryuk, a strain of ransomware that experts say typically targets companies with annual revenue between $500 million and $1 billion.. Pemex said in a statement late on Monday that attempted cyber attacks the day before were neutralized in a timely manner and affected less than 5% of its computers.

Researchers Find New Approach to Attacking Cloud Infrastructure Cloud APIs' accessibility over the Internet opens a new window for adversaries to gain highly privileged access to cloud assets.. At this year's Black Hat Europe, Gofman and Shani plan to demonstrate an alternative new approach to attacking cloud infrastructure in a talk titled "Inside Out The Cloud Has Never Been So Close." Their methodology involves using a graph to show permission relationships between different entities, revealing risky choke points that need to be addressed and eliminated. The outcome of this graph, they say, can be used by red and blue teams to gain a deeper understanding of permission relationships in cloud environments. After explaining the connections, they'll show how attackers can abuse features to gain privileges.

Google brings its secret health data stockpiling systems to the US Updated Google is at it again: storing and analyzing the health data of millions of patients without seeking their consent – and claiming it doesn't need their consent either.. Following a controversial data-sharing project within the National Health Service (NHS) in the UK, the search engine giant has partnered with the second-largest health system in the United States, St Louis-based Ascension, to collect and analyze the health records of millions of patients.. Also

TrickBot Malware Uses Fake Sexual Harassment Complaints as Bait Fake sexual harassment complaints appearing to come from the U.S. Equal Employment Opportunity Commission are the latest baits used by attackers to disseminate TrickBot banking Trojan payloads onto computers of unsuspecting employees of large companies.. Original at

Can regulations improve cybersecurity? In APAC, opinions vary An ESET-commissioned survey among enterprises also shows that while respondents in most countries agree on the need to bolster cyber-defenses, some are reluctant to adopt cybersecurity solutions.

Popular Android phones can be tricked into snooping on their owners Baseband firmware accepts special commands, known as AT commands, which control the device's cellular functions. These commands can be used to tell the modem which phone number to call. But the researchers found that these commands can be manipulated. The researchers developed a tool, dubbed ATFuzzer, which tries to find potentially problematic AT commands.. Paper at

Eksote has reviewed the security hole; the data leak concerns over 700 clients The South Karelia Social and Health Care District (Eksote) has reviewed the documents compromised through a security hole. Through the data leak it was possible to obtain personal data relating to the administrative processes of more than 700 clients. Eksote has filed a request for investigation with the police concerning the data leak in the M-Files document management system.

Also BBC: General election 2019: 'Cyber-attack' on Labour Party digital platforms. Also: An initial investigation indicated the attack was not particularly sophisticated, the official said. It was really very everyday, nothing more than what you would expect to see on a regular basis.

Payment security backslides for second straight year, says Verizon Verizon's 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7% globally, down from 52.5% in 2018. PCI DSS was launched by Visa in 2004 and organizations were supposed to be in compliance within 5 years. Compliance improved gradually from 2010 to 2016 and then started to decline. The lack of payment compliance raises a lot of security issues.

YouTube BitCoin Videos Pushing Predator Info-Stealing Trojan A new scam is underway on YouTube that uses videos to promote a tool that can allegedly generate the private key for a bitcoin address. The attackers claim this key would allow you to gain access to the bitcoins stored in the bitcoin address, when in reality the victims will be infected with a password- and data-stealing Trojan.

Specially Crafted ZIP Files Used to Bypass Secure Email Gateways Attackers are always looking for new tricks to distribute malware without it being detected by antivirus scanners and secure email gateways. This was illustrated in a new phishing campaign that utilized a specially crafted ZIP file designed to bypass secure email gateways to distribute the NanoCore RAT.. When examining the file, the Trustwave researchers discovered that the ZIP archive contained two distinct archive structures, each marked by its own EOCD record.

Ransomware forces New Mexico school district to scrub 30,000 devices A New Mexico school district that had its systems infected by ransomware last month is now having to scrub the hard drives of about 30,000 devices, district officials announced Thursday.

Blueprint For Securing Industrial Control Systems In order to secure Critical Infrastructure environments, it is vital to keep a holistic view and look at every part of the network, both the IT and OT parts, and to investigate the systems and processes in each zone, analyze the attack vectors and risk, and provide recommended security controls.. Applying security to ICS should dissect the 6 different Purdue layers and how they map to different areas in the network. The idea is to explain the communication flows between the different levels in the Purdue model and how they should be secured.

Tampere's IT systems went down again: a fault of the same type as last week's The City of Tampere's data communications were also widely disrupted last Wednesday. At that time, the disruptions were attributed to network updates made to the systems.

[T]he Global Commission on the Stability of Cyberspace (GCSC) was convened to make recommendations for advancing cyberstability.. […] the Commission crafted eight norms designed to better ensure the stability of cyberspace and address technical concerns or gaps in previously declared norms. [T]he Commission makes six recommendations which focus on strengthening the multistakeholder model, promoting norms adoption and implementation, and ensuring that those who violate norms are held accountable.. For the members and supporters of the GCSC, however, as well as all those who support its goals, the hard work required to implement these principles, norms, and recommendations is just beginning. Begin it must, as the benefits of cyberspace will be lost if its stability is not ensured.

Don't trust the Trusted Platform Module: it may leak your VPN server's private key (depending on your configuration) In a paper [PDF] published on Tuesday, "TPM-FAIL: TPM meets Timing and Lattice Attacks," researchers Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger describe how they successfully conducted black-box timing analysis of TPM 2.0 devices to recover 256-bit private keys for ECDSA (Elliptic Curve Digital Signature Algorithm) and ECSchnorr signatures that are supposed to remain . Website at, paper at

PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers We have found a new and undetected ransomware threat that is being used for targeted attacks against production servers of enterprises. Using code reuse analysis, we discovered this threat is closely related to the more_eggs backdoor malware, which is sold on the dark web by a veteran MaaS provider and has been used by the Cobalt Gang, FIN6, and other threat groups.. We have named this ransomware PureLocker because it's written in the PureBasic programming language.. It's worth noting that the ransom note does not ask for the payment type or for the monetary amount inside of the note itself, instead instructing the victim to contact the attacker via email. The attackers use the anonymous and encrypted Proton email service.

Page Cache Attacks paper, new version at CCS 19 We systematically analyze the side channel by demonstrating different hardware-agnostic local attacks, including a sandbox-bypassing high-speed covert channel, an ASLR break on Windows 10, and various information leakages that can be used for targeted extortion, spam campaigns, and more directly for UI redressing attacks.. We also show that, as with hardware cache attacks, we can attack the generation of temporary passwords on vulnerable cryptographic implementations. Our hardware-agnostic attacks can be mitigated with our proposed security patches, but the basic side channel remains exploitable via timing measurements.

TAA and other RIDL issues On Nov 12, 2019, we (VUSec) disclosed TSX Asynchronous Abort (TAA), a new speculation-based vulnerability in Intel CPUs, as well as other MDS-related issues, as described in our new RIDL addendum. In reality, this is no new vulnerability. We disclosed TAA (and other issues) as part of our original RIDL submission to Intel in Sep 2018. Unfortunately, the Intel PSIRT team missed our submitted proof-of-concept exploits (PoCs), and as a result, the original MDS mitigations released in May 2019 only partially addressed RIDL. You can read the full story below.. Addendum at

Update: New Variant of ZombieLoad enables attacks on MDS-resistant CPUs On November 14th, 2019, we present a new variant of ZombieLoad that enables the attack on CPUs that include hardware mitigations against MDS in silicon. With Variant 2 (TAA), data can still be leaked on microarchitectures like Cascade Lake where other MDS attacks like RIDL or Fallout are not possible. Furthermore, we show that the software-based mitigations in combination with microcode updates presented as countermeasures against MDS attacks are not sufficient.. Updated paper at diff to previous at Also

2019.2 IPU TSX Asynchronous Abort Advisory A potential security vulnerability in TSX Asynchronous Abort (TAA) for some Intel® Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.. Intel would like to thank the following individuals for finding and reporting the vulnerability to us via coordinated disclosure.. Intel thanks VU Amsterdam and CISPA for coordinating disclosure of TAA after the initial publication of their RIDL paper.. Intel thanks TU Graz and KU Leuven for coordinating disclosure of TAA after the initial publication of their ZombieLoad paper.

MOTHER OF ALL DRIVERS: NEW VULNERABILITIES FOUND IN WINDOWS DRIVERS As part of our previous research, released in August 2019, Eclypsium researchers detailed how simple design flaws in widely distributed drivers can be abused by attackers to gain control over Windows-based systems, including the underlying system and component firmware of the device. We originally named 17 vendors affected by these vulnerable drivers.. Now, as part of our ongoing analysis, we have discovered additional vulnerable drivers that are some of the most feature-rich we have seen to date, and which directly affect Intel-based devices. In this update, we detail the latest findings on these drivers and share ongoing industry response to our previous disclosures.. Also

Manual code review finds 35 vulnerabilities in 8 enclave SDKs A team of British and Belgian academics looked at eight open-source enclave SDKs and found 35 vulnerabilities that can be exploited to run malicious code inside a computer’s most secure area. The research team’s work involved auditing all eight projects by performing manual code reviews of possibly vulnerable SDK functions that could be exploited for attacks. In total, researchers said their manual code audit found 35 vulnerabilities across all eight SDKs, of which five received a CVE identifier. Paper at Source code at

Facebook bug shows camera activated in background during app use “We recently discovered our iOS app incorrectly launched in landscape,” Rosen said. “In fixing that last week in v246 we inadvertently introduced a bug where the app partially navigates to the camera screen when a photo is tapped. We have no evidence of photos/videos uploaded due to this.”

Telegram MTProxy Servers Used to DDoS Iranian Cloud Provider As Telegram continues to be banned in Iran, users in this country route their messenger communication through MTProxy servers, which make the traffic look random through encryption. This makes restricting it difficult, allowing servers to fulfill their anti-censorship purpose. The company notes that these distributed attacks are different from what was seen before. They targeted Arvan Cloud edge servers, had no domain defined in the requests, traffic was recorded at layer two (data link) and did not use a common protocol.

As 5G Rolls Out, Troubling New Security Flaws Emerge At the Association for Computing Machinery’s Conference on Computer and Communications Security in London today, researchers are presenting new findings that the 5G specification still has vulnerabilities. And with 5G increasingly becoming a reality, time is running out to catch these flaws. Paper at

Plugging the Data Leak in Manufacturing Increasingly, manufacturers are deploying IoT technology to better facilitate automation and help increase productivity. Car manufacturers, railways and even companies in the food and beverage space are using families of networked sensors, actuators and other devices to collect production data and feed it to the cloud to gather further insight into their systems' efficiency. However, IIoT-generated data (calibrations, measurements and other parameters) still needs to be stored, managed and shared securely to provide a company with maximum impact. Failing to do so could have a drastic outcome and result in service disruptions, the loss of intellectual property and data leaks.

NCSC-FI News followup

Daily NCSC-FI news followup 2019-11-11

Threat Alert: TCP Reflection Attacks Independent research into the behavior of a multitude of systems and devices on the internet exposed more than 4.8 million devices vulnerable to an average amplification factor of 112x, and thousands of hosts that could be abused for amplification up to a factor of almost 80,000x or, respectively, to reflect more than 5,000 packets within 60 seconds, causing a serious impact on a victim's network.

Defence Minister Kaikkonen warns against cyber-alarmism DEFENCE MINISTER Antti Kaikkonen (Centre Party) urges avoiding cyber-alarmism, that is, the constant painting of threat scenarios in public. According to him, there is little experience of cyberattacks that have significantly weakened the security of states. Also: “In the coming years, the Finnish Defence Forces will invest money and personnel in countering the new security threats brought by cyber warfare.”

Apple Mail Stores Encrypted Emails in Plain Text Database, fix included! The main thing I discovered was that the snippets.db database file in the Suggestions folder stored my emails. And on top of that, I found that it stored my S/MIME encrypted emails completely UNENCRYPTED. Even with Siri disabled on the Mac, it

If it sounds too good to be true, it most likely is: Nobody can decrypt the Dharma ransomware Australian biz Fast Data Recovery boasted that it is capable of decrypting Dharma, which data recovery biz Coveware’s chief exec Bill Siegel described as implying “they have tools and computing power beyond that of the NSA”.

DDoS attacks in Q3 2019 This past quarter we observed a new DDoS attack that confirmed our earlier hypothesis regarding attacks through the Memcached protocol. As we surmised, the attackers attempted to use another, rather exotic protocol to amplify DDoS attacks. Experts at Akamai Technologies recently registered an attack on one of their clients that was carried out by spoofing the return IP address through the WS-Discovery multicast protocol. Also

Vulnerable Versions of Adminer as a Universal Infection Vector This past week, we've been monitoring a new wave of website infections mostly impacting WordPress and Magento websites. We found that hackers have been injecting scripts from scripts.trasnaltemyrecords[.]com into multiple files and database tables.

He Thought His Phone Was Secure; Then He Lost $24 Million to Hackers Security researchers agree that for most people, adding text-message authentication is a big step up from only using a password, but that can leave you open to a relatively new [?] attack called SIM swapping

Retailer Leaked Hundreds of Internal Passwords on Pastebin According to Hold Security founder Alex Holden, this enormous password file was actually posted to Pastebin on two separate occasions last month, the first being on Oct. 4, and the second Oct. 22. That finding was corroborated by, a company that aggregates information from leaked databases online.

A wide-scale power or telecom outage would bring Finland to its knees Under European Union legislation, Finland too must, as early as December 2022, be able to maintain the critical telecommunications connections needed for power restoration for 24 hours, even if electricity distribution is not working. This requirement is definitely also in Finland's own interest.