Categories
NCSC-FI News followup

Daily NCSC-FI news followup 2019-06-08

Critical Flaws in Amcrest HDSeries Camera Allow Complete Takeover

threatpost.com/amcrest-critical-security-issues/145507/
Two critical severity bugs have been publicly disclosed that impact Amcrest HDSeries model IPM-721S cameras. Both vulnerabilities open the consumer-grade ($50) Wi-Fi cameras to complete takeover by remote, unauthenticated attackers. Mandar Satam, senior security researcher at Synopsys, found the six security flaws in the IPM-721S camera back in 2017, and the disclosure process began. A spokesperson for Texas-based Amcrest said firmware updates that address the flaws have been available for months; users were alerted to the need to install a mandatory firmware update when logging into their camera, according to Amcrest.

For two hours, a large chunk of European mobile traffic was rerouted through China

www.zdnet.com/article/for-two-hours-a-large-chunk-of-european-mobile-traffic-was-rerouted-through-china/
For more than two hours on Thursday, June 6, a large chunk of European mobile traffic was rerouted through the infrastructure of China Telecom, China’s third-largest telco and internet service provider (ISP). The incident occurred because of a BGP route leak at Swiss data center colocation company Safe Host, which accidentally leaked over 70,000 routes from its internal routing table to the Chinese ISP.

Have you unknowingly caused an information security risk? Cyber attacks are an everyday occurrence

www.tivi.fi/uutiset/tv/e5ce2c9b-558a-418e-ae99-2fc0e115342d
Employees who unintentionally cause risks have risen into the ranks of companies' biggest security threats. The seriousness of the matter is underscored by the fact that cyber attacks are becoming more common in any case. The number of cyber attacks on companies is growing at its inexorable pace, even though organizations fail to report a large share of the attacks, according to a survey published on Monday by the IT security association ISACA.

The Catch-22 That Broke the Internet

www.wired.com/story/google-cloud-outage-catch-22/
FIVE DAYS AGO, the internet had a conniption. In broad patches around the globe, YouTube sputtered. Shopify stores shut down. Snapchat blinked out. And millions of people couldn't access their Gmail accounts. The disruptions all stemmed from Google Cloud, which suffered a prolonged outage, which also prevented Google engineers from pushing a fix. And so, for an entire afternoon and into the night, the internet was stuck in a crippling ouroboros: Google coul

Dark Web Becomes a Haven for Targeted Hits

www.darkreading.com/vulnerabilities—threats/dark-web-becomes-a-haven-for-targeted-hits/d/d-id/1334914
Malicious services offered on the Dark Web are more like precision arms than blunt instruments, and they’re taking aim at the biggest of businesses. New research, conducted by Dr. Mike McGuire of the University of Surrey, shows four in 10 Dark Web vendors are selling targeted hacking services aimed at FTSE 100 and Fortune 500 businesses. Among the information and services McGuire found on the Dark Web, access to corporate networks is sold openly, with 60% of v

securelist.com/platinum-is-back/91135/
In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels. The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communica

Diebold Nixdorf warns customers of RCE bug in older ATMs

www.zdnet.com/article/diebold-nixdorf-warns-customers-of-rce-bug-in-older-atms/
Diebold Nixdorf, one of the world’s largest ATM vendors, will notify customers starting next week about ways to secure older Opteva-branded ATMs against a remote code execution (RCE) vulnerability that was publicly disclosed this week. Details about this vulnerability have been published on Medium on Monday, June 4, by a group of Vietnamese security researchers named NightSt0rm.


Daily NCSC-FI news followup 2019-06-07

A Deep Dive into the Emotet Malware

www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html
Emotet is a trojan that is primarily spread through spam emails. During its lifecycle, it has gone through a few iterations. Early versions were delivered as a malicious JavaScript file. Later versions evolved to use macro-enabled Office documents to retrieve a malicious payload from a C2 server. FortiGuard Labs has been tracking Emotet since it was first discovered, and in this blog, I will provide a deep analysis of a new Emotet sample found in early May. This detailed analysis includes how to unpack the persistent payload, how Emotet malware communicates with its C2 servers, how to identify the hard-coded C2 server list and RSA key in the executable, as well as how it encrypts the data it gathers

Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA

www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data
In the second part of our Strange Bits series we are taking a closer look at Sodinokibi spam e-mails, CinaRAT and a malware that tries to imitate G DATA. Sodinokibi ransomware was known so far for being installed via an Oracle WebLogic exploit (see Talos' article). A new campaign uses spam emails with an attached MS Office Word document to download Sodinokibi to the target system. JamesWT found the first sample, Sculabs another one[1]. The email pretends to be a warning letter from the fee collection center of the public-law broadcasting institutions in the Federal Republic of Germany and demands a 213.50 EUR payment.

CIA sextortion an old scam with a new twist

www.kaspersky.com/blog/cia-sextortion/27146/
What would you think if you received an e-mail with "Central Intelligence Agency Case #45361978" in the subject line? Would you decide that someone, somewhere had seriously screwed up and accidentally sent you a top-secret file? Or that you're being recruited for the secret services (well, you never know)? Alas, in either case you would almost certainly be mistaken: the e-mails in question are just another extortion trick.

New Brute-Force Botnet Targeting Over 1.5 Million RDP Servers Worldwide

thehackernews.com/2019/06/windows-rdp-brute-force.html
Security researchers have discovered an ongoing sophisticated botnet campaign that is currently brute-forcing more than 1.5 million publicly accessible Windows RDP servers on the Internet. Dubbed GoldBrute, the botnet scheme has been designed in a way to escalate gradually by adding every new cracked system to its network, forcing them to further find new available RDP servers and then brute force them. Also:

isc.sans.edu/forums/diary/GoldBrute+Botnet+Brute+Forcing+15+Million+RDP+Servers/25002/

Also:

threatpost.com/forget-bluekeep-beware-goldbrute/145482/

SandboxEscaper Debuts ByeBear Windows Patch Bypass

threatpost.com/sandboxescaper-byebear-windows-bypass/145470/
Guerrilla developer SandboxEscaper has disclosed a second bypass exploit for a patch that fixes a Windows local privilege-escalation (LPE) flaw, again without notifying Microsoft. The exploit, dubbed ByeBear, enables attackers to get past the patch to attack a permissions-overwrite, privilege-escalation flaw (CVE-2019-0841), which exists because Windows AppX Deployment Service (AppXSVC) improperly handles hard links. It allows a local attacker to run processes in an elevated context, allowing them to then install programs, and view, change or delete data, according to Microsoft. Also:

thehackernews.com/2019/06/windows-eop-exploit.html

Also:

www.bleepingcomputer.com/news/security/new-windows-10-zero-day-bug-emerges-from-bypassing-patched-flaw/

Ancient ICEFOG APT malware spotted again in new wave of attacks

www.zdnet.com/article/ancient-icefog-apt-malware-spotted-again-in-new-wave-of-attacks/
Malware developed by Chinese state-sponsored hackers that was once thought to have disappeared has been recently spotted in new attacks, in an updated and more dangerous form. Spotted by FireEye senior researcher Chi-en (Ashley) Shen, the malware is named ICEFOG (also known as Fucobha). It was initially used by a Chinese APT (advanced persistent threat, a technical term for state-sponsored hacking units), also named ICEFOG, whose operations were first detailed in a Kaspersky report in September 2013.

Data breach in Marimekko's online store: data entered by over 1,500 users was collected without authorization

www.hs.fi/kotimaa/art-2000006133616.html
Data breach in Marimekko's online store: data entered by over 1,500 users was collected without authorization. The intruder may have obtained data entered by users who shopped on the site during the breach, such as delivery and billing addresses and the online store's login credentials, Kari Härkönen, head of digital business at Marimekko, says by email.

PHA Family Highlights: Triada

security.googleblog.com/2019/06/pha-family-highlights-triada.html
We continue our PHA family highlights series with the Triada family, which was first discovered early in 2016. The main purpose of Triada apps was to install spam apps on a device that displays ads. The creators of Triada collected revenue from the ads displayed by the spam apps. The methods Triada used were complex and unusual for these types of apps. Triada apps started as rooting trojans, but as Google Play Protect strengthened defenses against rooting expl. Also:

www.tivi.fi/uutiset/tv/b27c5cea-155a-4812-be53-de78d1a70e46

Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves

www.theregister.co.uk/2019/06/07/komodo_npm_wallets/
Blockchain biz Komodo this week said it had used a vulnerability discovered by JavaScript package biz NPM to take control of some older Agama cryptocurrency wallets to prevent hackers from doing the same. The digital currency startup said it had socked away 8 million KMD (Komodo) and 96 BTC (Bitcoin) tokens worth almost $13m from the wallets, and stashed them in two digital wallets under its control, where the assets await reclamation by their owners.

Massive Changes to Tech and Platforms, But Cybercrime? Not So Much

www.darkreading.com/threat-intelligence/massive-changes-to-tech-and-platforms-but-cybercrime-not-so-much/d/d-id/1334911
The still-relevant recommendation is to invest more in law enforcement, concludes an economic study of cybercrime. In 2012, a group of cybersecurity researchers and social scientists studied the impact of cybercrime and its cost to society, concluding that the money spent anticipating an attack is less effective than money spent responding to an attack. This week, many of the same researchers released an updated paper at the Workshop on the Economics of Information Security (WIES) conference, in Cambridge, Mass., that looks at direct and indirect damages due to cybercrime,

The Endless Scourge of Malicious Email

blogs.cisco.com/security/threat-report-email-attacks
There is no question that unwanted email is a source of annoyance. It is also the biggest source of cyber threats. In fact, just last month, spam accounted for 85 percent of all email sent. Plus, according to Verizon's 2018 Data Breach Investigations Report, email is the number one vector for both malware distribution (92.4 percent) and phishing (96 percent). Attackers know that, unfortunately, this channel just works. Because email forces the user to stop and at least scan every message they receive, it presents the perfect opportunity to serve up malicious links and file attachments that people in a hurry sometimes mistakenly click on. Phishing and social engineering have gotten so sophisticated that it can be hard for even cyber-savvy users to discern the legitimate from the malicious.

Hackers selling services to target FTSE companies

www.itproportal.com/news/hackers-selling-services-to-target-ftse-companies/
The number of hacking tools that can be used against FTSE 100 and Fortune 500 companies is on the rise on the dark net, new research has warned. A report from Bromium found four in ten vendors on the dark net are selling targeted hacking services, which it claims translates to a 20 per cent rise compared to the same period three years ago. The price varies significantly, from $150 to $10,000, and mostly depends on the target company, and the plan to which

Cathay Pacific’s unpatched decade-old vulnerability led to 2018 breach

www.zdnet.com/article/cathay-pacifics-unpatched-decade-old-vulnerability-led-to-2018-breach/
The Hong Kong Privacy Commissioner for Personal Data Stephen Kai-yi Wong released a report [PDF] on Thursday detailing his findings relating to the Cathay Pacific breach disclosed in October that affected 9.4 million people. In his report, Wong spelled out how a pair of groups had targeted the airline, with the first dropping a keylogger onto a reporting system in October 2014 that harvested credentials and allowed them to move laterally through the network and gather other credentials before ceasing on March 22, 2018. The report said Cathay is not aware of how this group entered the system.

AMCA Healthcare Hack Widens Again, Reaching 20.1M Victims

threatpost.com/amca-healthcare-hack-widens-opko/145453/
The hack of the American Medical Collection Agency (AMCA), a third-party bill collection vendor, continues to expand, now impacting 20.1 million patients across three laboratory services providers. In the wake of revelations that the personal data of 12 million patients from Quest Diagnostics had been potentially compromised by an infiltration of AMCA systems, another 7.7 million patients from LabCorp were shown on Wednesday to be impacted. And 400,000 victims from OPKO Health have now been added to the tally as of Thursday.

New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices

unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/
Palo Alto Networks Unit 42 has been tracking the evolution of the Mirai malware, known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016 when it took down several notable targets. As part of this ongoing research, we've recently discovered a new variant of Mirai that has eight new exploits against a wide range of embedded devices. These newly targeted devices range from wireless presentation systems to set-top boxes, SD-WANs, and even smart home controllers.


Daily NCSC-FI news followup 2019-06-06

Microsoft and Oracle link up their clouds

techcrunch.com/2019/06/05/microsoft-and-oracle-link-up-their-clouds/
Microsoft and Oracle announced a new alliance today that will see the two companies directly connect their clouds over a direct network connection so that their users can then move workloads and data seamlessly between the two. This alliance goes a bit beyond just basic direct connectivity and also includes identity interoperability.

New exim4 RCE vulnerability impacts nearly half of the internet’s email servers

www.zdnet.com/article/new-rce-vulnerability-impacts-nearly-half-of-the-internets-email-servers/
The Exim vulnerability lets attackers run commands as root on remote email servers. According to a June 2019 survey of all mail servers visible on the Internet, 57% (507,389) of all email servers run Exim, although different reports would put the number of Exim installations at ten times that number, at 5.4 million. "To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes)," researchers said.

Your AWS S3 Bucket Safety Checklist

blog.paloaltonetworks.com/2019/06/cloud-your-aws-s3-bucket-safety-checklist/
With each new open S3 bucket, a public cloud storage resource available in Amazon Web Services Simple Storage Service, come millions more customer and employee records that have been left open to the world, and potentially breached

Apple deprecates SHA-1 certificates in iOS 13 and macOS Catalina

www.zdnet.com/article/apple-deprecates-sha-1-certificates-in-ios-13-and-macos-catalina/
Apple joins Google, Firefox, and Microsoft in banning SHA-1-signed TLS certs. More than two years after Google, Firefox, and Microsoft took steps to deprecate TLS/SSL certificates signed with the SHA-1 algorithm, Apple has finally announced a similar measure this week.

Police: A word of warning about scammers

www.poliisi.fi/tietoa_poliisista/tiedotteet/1/1/varoituksen_sana_huijareista_81104?language=fi
The police have again become aware of some so-called "CEO frauds". The idea in these is that an email is sent, in the name of the company's director, to the people handling the company's payment transactions, asking them to carry out a bank transfer. Usually the transfer goes abroad.

Scattered Canary Evolves From One-Man Operation to BEC Giant

www.bleepingcomputer.com/news/security/scattered-canary-evolves-from-one-man-operation-to-bec-giant/
A Nigerian cybercriminal group dubbed Scattered Canary has evolved from a one-man operation running Craigslist and romance scams to a large-scale criminal business operating multiple types of fraud concomitantly and coordinating at least 35 threat actors. Since 2008, when the group founder named "Alpha" ran basic scams, Scattered Canary has evolved into an organization with credential phishing operations leading to business email compromise (BEC) scams and credit card fraud, as detailed by the Agari Cyber Intelligence Division (ACID).

Vietnam Rises as Cyberthreat

www.darkreading.com/attacks-breaches/vietnam-rises-as-cyberthreat-/d/d-id/1334890
The country's rapid economic growth and other factors are driving an increase in cybercrime and cyber espionage activity. Vietnam has rarely been associated with cybercrime activity in the same way other Asian nations, such as China, North Korea, and Iran, have in recent years. But that could change soon. According to a new report from Intsights, cybercrime and cyber espionage activity in Vietnam is growing. At least one previously known advanced persistent threat (APT) group, APT32/OceanLotus, appears to be working in support of the government's strategic interests.

Huge scope of Australia’s new national security laws reveals itself

www.zdnet.com/article/huge-scope-of-australias-new-national-security-laws-reveals-itself/
"I'm still staggered by the power of this warrant. It allows the AFP to 'add, copy, delete or alter' material in the ABC's computers," tweeted John Lyons, executive editor of news and head of investigative journalism at the Australian Broadcasting Corporation (ABC). The AFP said the warrant was "in relation to allegations of publishing classified material", namely the reported "hundreds of pages" of classified documents which led to the ABC's report from mid-2017 titled The Afghan Files.

Cisco Fixes High Severity Flaws in Industrial, Enterprise Tools

www.bleepingcomputer.com/news/security/cisco-fixes-high-severity-flaws-in-industrial-enterprise-tools/
Cisco patched two high severity improper input validation vulnerabilities found in the update feature of the Cisco Industrial Network Director (IND) software and the authentication service of Cisco Unified Presence (Cisco Unified CM IM&P Service, Cisco VCS, and Cisco Expressway Series). Cisco IND is a solution designed to provide full visibility and control of industrial automation networks, as detailed on its spec sheet, while Cisco Unified Presence is an enterprise platform for exchanging presence and instant messaging info in and across organizations.

Only 5.5% of all vulnerabilities are ever exploited in the wild

www.zdnet.com/article/only-5-5-of-all-vulnerabilities-are-ever-exploited-in-the-wild/#ftag=RSSbaffb68
Most vulnerabilities that are exploited in the wild have a CVSS severity score of 9 or 10. The research, considered the most extensive of its type to date, found that only 4,183 security flaws out of the 76,000 vulnerabilities discovered between 2009 and 2018 had been exploited in the wild.

Baltimore's bill for ransomware: Over $18 million, so far

arstechnica.com/information-technology/2019/06/baltimores-bill-for-ransomware-over-18-million-so-far/
Mayor says Baltimore is "open for business," but the city has lost millions from slowed payments. The city's director of finance has estimated the incident will cost Baltimore $10 million, not including $8 million lost because of deferred or lost revenue while the city was unable to process payments.

Two-thirds of iOS apps disable ATS (App Transport Security), an iOS security feature

www.zdnet.com/article/two-thirds-of-ios-apps-disable-ats-an-ios-security-feature/
Three and a half years after its launch, ATS is still not widely adopted. Cyber-security firm Wandera said it scanned over 30,000 iOS applications and found that 67.7% of the apps were disabling a default iOS security feature called ATS (App Transport Security) on purpose.

Europol's top hacking ring takedowns

www.zdnet.com/pictures/europols-most-wanted-top-hacking-ring-takedowns-in-pictures/
European law enforcement has smashed everything from Dark Web marketplaces to ATM skimmer rings.

US State Department proposes new $20.8 million cybersecurity bureau

www.cyberscoop.com/state-department-proposes-new-20-8-million-cybersecurity-bureau/
The State Department's new plan, obtained by CyberScoop, would create the Bureau of Cyberspace Security and Emerging Technologies (CSET) to lead U.S. government diplomatic efforts to secure cyberspace and its technologies, reduce the likelihood of cyber conflict, and prevail in strategic cyber competition. The new bureau, with a proposed staff of 80 and a projected budget of $20.8 million, would be led by a Senate-confirmed coordinator and ambassador-at-large with the equivalent status of an assistant secretary of State, who would report to the Undersecretary of State for Arms Control and International Security.

Fake Cryptocurrency Trading Site Pushes Crypto Stealing Malware

www.bleepingcomputer.com/news/security/fake-cryptocurrency-trading-site-pushes-crypto-stealing-malware/
Malware distributors have set up a site that impersonates the legitimate Cryptohopper cryptocurrency trading platform in order to distribute malware payloads such as information-stealing Trojans, miners, and clipboard hijackers. Cryptohopper is a trading platform where users can build models that will be used for automated trading of cryptocurrency on various markets.

CERT CANADA: Active Spam Campaigns Leveraging EMOTET Malware

cyber.gc.ca/en/alerts/active-spam-campaigns-leveraging-emotet-malware
The Cyber Centre is aware of an ongoing email phishing campaign affecting Canadians and Canadian Industry that is leveraging the EMOTET malware. EMOTET is an advanced botnet that has infected hundreds of thousands of systems worldwide. Once a system is infected by EMOTET, additional malware may be implanted on the system, or data may be exfiltrated.

DNS Rebinding Attacks Could Hit Billions of IoT Devices

www.infosecurity-magazine.com/news/dns-rebinding-iot-threat-1-1/
DNS rebinding attacks are a real threat that could hit the billions of internet of things (IoT) devices in people's homes, according to Craig Young, principal security researcher at Tripwire. This is partly because IoT often uses HTTP, which is vulnerable to DNS rebinding. In the future, the consequences could be significant: rebinding also opens new doors for botnets, according to Young.

UK’s NCSC: “We Can Build Safe 5G Networks Irrespective of Supplier”

www.infosecurity-magazine.com/news/infosec19-we-can-build-safe-5g-1/
Governments and industry need to focus on fixes, not fear, and work out how to build safer 5G networks rather than obsessing about national security concerns leveled at suppliers, according to the National Cyber Security Centre (NCSC).

Huawei has signed a contract to develop Russian 5G networks for mobile provider MTS over the next two years.

www.theregister.co.uk/2019/06/06/russia_signs_huawei_deal/
The deal was signed on the sidelines of a Kremlin meeting between Russian and Chinese leaders Vladimir Putin and Xi Jinping. Details of the 5G deal have not been released but, given the backdrop, it is a boost to Huawei and its symbolism is clear. MTS is the largest Russian mobile provider with over 30 per cent market share. It is either number one or two in Armenia, Belarus and Ukraine. It also has sizeable fixed-line internet and cloud services businesses.

Germany: Backdoor found in four smartphone models; 20,000 users infected

www.zdnet.com/article/germany-backdoor-found-in-four-smartphone-models-20000-users-infected/#ftag=RSSbaffb68
German cyber-security agency warns against buying or using four low-end smartphone models. The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has issued security alerts today warning about dangerous backdoor malware found embedded in the firmware of at least four smartphone models sold in the country. Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus (malware present in the firmware, but inactive). All four are low-end Android smartphones.


About the NCSC-FI daily news summary

The National Cyber Security Centre of Finland provides a number of awesome services. One of those services is a news follow-up, in which the duty officers wade through the masses of infosec news appearing every day and hand-pick the most important and significant items.

These are combined into an email digest that is sent to subscribers every night. You can subscribe to the email list here.

I’ve set my site up so that it receives this newsletter and posts it as an article every night, so that the news items are easily available right here.

Enjoy!


Daily NCSC-FI news followup 2019-06-05

The EU Found Out That Its Embassy In Moscow Had Been Hacked But Kept It A Secret

www.buzzfeednews.com/article/albertonardelli/eu-embassy-moscow-hack-russia
A sophisticated cyber espionage event began in February 2017. Russian entities are believed to be behind the hack, a source told BuzzFeed News.

The Most Expensive Lesson Of My Life: Details of SIM port hack

medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124
I lost north of $100,000 last Wednesday. It evaporated over a 24-hour time span in a SIM port attack that drained my Coinbase account.

Twitterbots: Anatomy of a Propaganda Campaign

www.symantec.com/blogs/threat-intelligence/twitterbots-propaganda-disinformation
Internet Research Agency archive reveals a vast, coordinated campaign that was incredibly successful at pushing out and amplifying its messages. The operation was carefully planned, with accounts often registered months before they were used and well in advance of the 2016 U.S. presidential election. The average time between account creation and first tweet was 177 days. In October 2018, Twitter released a massive dataset of content posted on its service by the Internet Research Agency (IRA), a Russian company responsible for the largest propaganda campaign directed against the U.S.

UK Hasn't Made Sufficient Progress for National Security Strategy

www.infosecurity-magazine.com/news/uk-hasnt-made-progress-security/
The National Cyber Security Centre (NCSC) has dealt with over 1,100 cybersecurity incidents since it was established in October 2016. CSC chair Meg Hillier says that the UK will need to protect itself against risks created by more and more services going online, but there is concern that consumers do not know how well they are protected: "We welcome the National Cyber Security Strategy but are concerned that the program designed to deliver it is insufficien

440 Million Android Users Plagued By Extremely Obnoxious Pop-Ups

threatpost.com/android-completely-obnoxious-pop-ups/145390/
The mobile ad plugin, found in hundreds of Google Play apps, uses well-honed techniques from malware development to hide itself. Over 440 million Android phones have been exposed to an obnoxious advertising plugin hidden within hundreds of popular applications available via Google Play, which ultimately can render phones almost unusable.

Infosecurity Europe: Easing the Clash Between IT and OT

threatpost.com/infosecurity-europe-easing-the-clash-between-it-and-ot/145334/
Experts at Infosecurity Europe shed light on how IT and operational technology teams can better collaborate as industrial IoT takes hold.

Crime doesn't pay? Crime doesn't do secure coding, either: Akamai bug-hunters find hijack hole in bank phishing kit

www.theregister.co.uk/2019/06/05/akamai_phishing_kit_vuln/
Phishing kits used by miscreants to build webpages that steal victims' personal information and money by masquerading as legit websites harbor vulnerabilities that can be exploited by other miscreants to pilfer freshly stolen data.

Apple bans ads, third-party tracking in apps meant for kids

nakedsecurity.sophos.com/2019/06/05/apple-bans-ads-third-party-tracking-in-apps-meant-for-kids/
On Monday, Apple updated the Kids category in its App Store developer guidelines to include a new ban on third-party advertising or analytics (which are ostensibly used for tracking) in content aimed at younger audiences. Previously, the guidelines only restricted behavioral advertising tracking, e.g., advertisers weren't allowed to serve ads based on kids' activity, plus ads had to be appropriate for young audiences.


Daily NCSC-FI news followup 2019-06-04

Headhunting Firm Leaks Millions of Resumes, Client Private Data

www.bleepingcomputer.com/news/security/headhunting-firm-leaks-millions-of-resumes-client-private-data/
A misconfigured and publicly accessible ElasticSearch cluster owned by FMC Consulting, a Chinese headhunting company, leaked millions of resumes and company records, as well as customers' and employees' PII data. The database containing hundreds of thousands of customer records, internal emails, as well as employees' daily tasks and the calls they made while contacting clients was left unprotected, exposing all the data to anyone who knew where and how to look for it. The database contained, among other data: 20,539,522 resumes; 9,082 company contracts; 884,178 mail logs with complete email body

Threat actors cobble together open-source pieces into monstrous Frankenstein campaign

blog.talosintelligence.com/2019/06/frankenstein-campaign.html
Cisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the Frankenstein campaign. We assess that the attackers carried out these operations between January and April 2019 in an effort to install malware on users' machines via malicious documents. We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein (the name refers to the actors' ability to piece together several unrelated components) leveraged four different open-source techniques to build the tools used during the campaign. The actors' preference for open-source solutions appears to be part of a broader trend in which adversaries are increasingly using publicly available tools. A campaign that leverages custom tools is more easily attributed to the tools' developers. This growing trend highlights that highly trained operators are increasingly using unsophisticated tools to accomplish their goals.

Zebrocy APT Group Expands Malware Arsenal with New Backdoor Family
www.darkreading.com/attacks-breaches/zebrocy-apt-group-expands-malware-arsenal-with-new-backdoor-family/d/d-id/1334863
Zebrocy, a Russian-speaking advanced persistent threat (APT) actor
associated with numerous attacks on government, military, and foreign
affairs-related targets since at least 2015, is back at it again.
Researchers from Kaspersky Lab say they have observed the group using
a new downloader to deploy a recently developed backdoor family on
organizations in multiple countries, including Germany, the United
Kingdom, Iran, Ukraine, and Afghanistan. Kaspersky Lab itself
considers the team using Zebrocy a separate subgroup that shares its
lineage with Sofacy/Fancy Bear and with the BlackEnergy/Sandworm APT
group believed to be behind a series of disruptive attacks on
Ukraine's power grid in 2015. See also:
securelist.com/zebrocys-multilanguage-malware-salad/90680/

Remote Desktop Zero-Day Bug Allows Attackers to Hijack Sessions
www.bleepingcomputer.com/news/security/remote-desktop-zero-day-bug-allows-attackers-to-hijack-sessions/
A new zero-day vulnerability has been disclosed that could allow
attackers to hijack existing Remote Desktop Services sessions in order
to gain access to a computer. The flaw can be exploited to bypass the
lock screen of a Windows machine, even when two-factor authentication
(2FA) mechanisms such as Duo Security MFA are used. Other login
banners an organization may set up are also bypassed. The exploit
does require physical access to the machine from which the RDP session
is initiated.

The Cost of Cybercrime
www.schneier.com/blog/archives/2019/06/the_cost_of_cyb_1.html
In 2012 we presented the first systematic study of the costs of
cybercrime. In this paper, we report what has changed in the seven
years since. The period has seen major platform evolution, with the
mobile phone replacing the PC and laptop as the consumer terminal of
choice, with Android replacing Windows, and with many services moving
to the cloud. The use of social networks has become extremely
widespread. The executive summary is that about half of all pro. The
big money is still in tax fraud, welfare fraud, VAT fraud, and so on.
We spend more money on cyber defense than we do on the actual losses.
Criminals largely act with impunity. They don't believe they will get
caught, and mostly that's correct. Bottom line: the technology has
changed a lot since 2012, but the economic considerations remain
unchanged.

Hackers slurp 19 years of Australian student data in uni’s second
breach within a year
www.theregister.co.uk/2019/06/04/hackers_slurp_19_years_of_aussie_student_data/
We believe there was unauthorised access to significant amounts of
personal staff, student and visitor data extending back 19 years.
Depending on the information you have provided to the University, this
may include names, addresses, dates of birth, phone numbers, personal
email addresses and emergency contact details, tax file numbers,
payroll information, bank account details, and passport details.
Student academic records were also accessed.

Windows 10 Apps Hit by Malicious Ads that Blockers Won’t Stop
www.bleepingcomputer.com/news/security/windows-10-apps-hit-by-malicious-ads-that-blockers-wont-stop/
Windows 10 users in Germany are reporting that, while using their
computers, their default browser suddenly opens to malicious and scam
advertisements. These advertisements are being served by malvertising
campaigns on the Microsoft Advertising network and are displayed in
ad-supported apps. Because the ads are displayed by ad-supported apps,
any ad blockers installed in your browser will not prevent the pages
from loading: the scripts that an ad blocker would normally block are
executed inside the app, and Windows 10 simply launches a web page in
your browser.

Report: No Eternal Blue Exploit Found in Baltimore City Ransomware
krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/
According to Joe Stewart, a seasoned malware analyst now consulting
with security firm Armor, the malicious software used in the Baltimore
attack does not contain any Eternal Blue exploit code. Stewart said he
obtained a sample of the malware that he was able to confirm was
connected to the Baltimore incident.

Experts Urge Defense-in-Depth Approach to Security Training
www.infosecurity-magazine.com/news/infosec19-experts-defense-security-1/
It's very important to do as an organization, but running a phishing
awareness campaign alone doesn't protect you. Security training could
also include elements such as password management; safe internet
usage, data handling and downloads; and compliance requirements, for
example. Staff training should be combined with sandboxing, threat
intelligence and other security controls for true defense-in-depth,
argued Kershaw.

Categories
Cyber security

Digihuijatut @ YLE Areena

YLE Areena has published a Finnish TV show that details cases of digital fraud. The TV show is called “Digihuijatut”, and it covers fraud cases from romance scams to identity theft. Each episode is based around interviews conducted with victims of digital fraud.

I was interviewed as a cyber security expert on several of the episodes.

You can watch all of the episodes here.

Categories
Cyber security Opinion Social media

Podcast appearance | We need to talk about infosec

A podcast episode where I spoke with Laura about online honesty and scamming people has been released. You can listen to it on SoundCloud here:

https://soundcloud.com/weneedtotalkaboutinfosec/online-honesty
Categories
Cyber security Law enforcement Opinion Social media

Disobey 2019: Social Cyberattacks (video)

I presented on the psychology of social cyberattacks at Disobey in January 2019.

Here is the video of that presentation: https://youtu.be/3mgntbZzFaw

(Embedding the video causes the page to cut it in half and I can’t be arsed to mess with CSS to make it work so you can just follow the link.)

Categories
All posts Cyber security Law enforcement Opinion

Podcast appearance | Jargonmankeli ep. #11

I was recently interviewed on Alma Talent’s podcast about cybercrime. The interview is in Finnish.

You can find the Jargonmankeli podcast on any decent podcast platform (here's the iTunes link).

Here’s the SoundCloud link if the embed doesn’t work.