NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-11

Five young men suspected of data breaches into companies' online services; according to the police, several million individual breaches were uncovered The police pre-trial investigation lasted almost three years. The investigation covered as many as 10 million individual acts.

NCC Group admits its training data was leaked online after folders full of Crest pentest certification exam notes posted to Github Exclusive British infosec biz NCC Group has admitted to The Register that its internal training data was leaked on GitHub after folders purporting to help people pass the Crest pentest certification exams appeared online.

Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days Microsoft says attackers have used a Windows zero-day to spoof file signatures and another RCE in the Internet Explorer scripting engine to execute code on users’ devices. The first of the two zero-days patched this month is a bug in the Windows operating system. Tracked as CVE-2020-1464, Microsoft says that an attacker can exploit this bug and have Windows incorrectly validate file signatures. As for the second zero-day, this one is tracked as CVE-2020-1380, and resides in the scripting engine that ships with Internet Explorer.

Critical Intel Flaw Afflicts Several Motherboards, Server Systems, Compute Modules A critical privilege-escalation flaw affects several popular Intel motherboards, server systems and compute modules. Intel is warning of a rare critical-severity vulnerability affecting several of its motherboards, server systems and compute modules. The flaw could allow an unauthenticated, remote attacker to achieve escalated privileges. The recently patched flaw (CVE-2020-8708) ranks 9.6 out of 10 on the CVSS scale, making it critical. Dmytro Oleksiuk, who discovered the flaw, told Threatpost that it exists in the firmware of Emulex Pilot 3. This baseboard-management controller is a service processor that monitors the physical state of a computer, network server or other hardware devices via specialized sensors.

Samsung Quietly Fixes Critical Galaxy Flaws Allowing Spying, Data Wiping Four critical-severity flaws were recently disclosed in the Find My Mobile feature of Samsung Galaxy smartphones, which if exploited could allow attackers to force a factory reset on the phones or spy on users.

Google Chrome Bug Could Let Hackers Bypass CSP Protection; Update Web Browsers If you haven’t recently updated your Chrome, Opera, or Edge web browser to the latest available version, it would be an excellent idea to do so as quickly as possible.

Researcher Publishes Patch Bypass for vBulletin 0-Day A security researcher has published proof-of-concept code to outsmart a patch issued last year for a zero-day vulnerability discovered in vBulletin, a popular software for building online community forums. Calling the patch for the flaw a “fail” and “inadequate in blocking exploitation,” Austin-based security researcher Amir Etemadieh published details and examples of exploit code for the patch bypass on three developer platforms (Bash, Python and Ruby) in a post published Sunday night.

Critical Adobe Acrobat and Reader Bugs Allow RCE Adobe patched critical and important-severity flaws tied to 26 CVEs in Acrobat and Reader. Adobe has plugged 11 critical security holes in Acrobat and Reader, which if exploited could allow attackers to remotely execute code or sidestep security features in the app.

Ransomware: These warning signs could mean you are already under attack File-encrypting ransomware attacks can take months of planning by gangs. Here’s what to look out for. There are as many as 100 claims to insurers over ransomware attacks every day, according to one estimate. And as the average ransomware attack can take anywhere from 60 to 120 days to move from the initial security breach to the delivery of the actual ransomware, that means hundreds of companies could have hackers hiding in their networks at any time, getting ready to trigger their network-encrypting malware.

A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks At one point, the group ran almost a quarter of all Tor exit nodes. Group still controls 10% of all Tor exit nodes today.

Homeland Security details new tools for extracting device data at US borders The agency says it can now obtain details including your phone’s location history, social media information, and photos and videos.

2019 Center for Internet Security Year in Review 2019 was a fast-paced and highly productive year for the Center for Internet Security, Inc. (CIS). We continued to experience remarkable growth in our products and services, furthering our mission as an independent, global leader in cybersecurity for the benefit of both public and private sector organizations.

Belarus Has Shut Down the Internet Amid a Controversial Election Human rights organizations have blamed the Belarusian government for widespread outages. Internet connectivity and cellular service in Belarus have been down since Sunday evening, after sporadic outages early that morning and throughout the day. The connectivity blackout, which also includes landline phones, appears to be a government-imposed outage that comes amid widespread protests and increasing social unrest over Belarus’ presidential election Sunday.

Citrix provides security update on Citrix Endpoint Management Today we posted a Security Bulletin covering a set of vulnerabilities in certain on-premises instances of Citrix Endpoint Management (CEM), often referred to as XenMobile Server.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-10

Does your Android phone have malware? These symptoms bode ill Malware threatens Android users even in the official Google Play store. The damage it causes can show up on your phone bill, for example, but malware can often be recognised before that by watching how the phone behaves.

FBI says an Iranian hacking group is attacking F5 networking devices Sources: Attacks linked to a hacker group known as Fox Kitten (or Parisite), considered Iran’s “spear tip” when it comes to cyber-attacks. A group of elite hackers associated with the Iranian government has been detected attacking the US private and government sector, according to a security alert sent by the FBI last week.

SBA phishing scams: from malware to advanced social engineering A number of threat actors continue to take advantage of the ongoing coronavirus pandemic through phishing scams and other campaigns distributing malware.

DDoS Attacks Cresting Amid Pandemic Attacks were way up year-over-year in the second quarter as people continue to work from home. The number of distributed denial-of-service (DDoS) attacks spiked in the second quarter of 2020, researchers said. According to the latest Kaspersky quarterly DDoS attacks report, DDoS events were three times more frequent in comparison to the second quarter last year (up 217 percent), and were up 30 percent from the number of DDoS attacks observed in the first quarter of 2020.

Finnish security startup profitable in just two years Cryptography is a precise business: “It takes courage for a large company to order critical functions from a smaller player”… The Otaniemi-based security growth company Xiphera believes that hardware-based cryptography would often be a safer solution for encrypting data than conventional software-based encryption. The need is most pronounced in critical uses such as industrial automation and critical infrastructure. In these settings hardware encryption has indeed begun to become more common in recent years, says Xiphera’s CEO and co-founder Matti Tommiska. Xiphera does not, however, produce physical devices itself; it designs cryptographic functionality for physically programmable FPGA chips. Besides industrial automation, example applications of FPGA-based hardware security include the Internet of Things, remote control, distributed computing and high-security communications.

Bulletin (SB20-223) – Vulnerability Summary for the Week of August 3, 2020 The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Office Drama on macOS – infecting macOS via macro-laden documents and 0days

NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-09

Scanning Activity Include Netcat Listener This activity started on the 5 July 2020 and has been active to this day only scanning against TCP port 81. The GET command is always the same except for the Netcat IP which has changed a few times since it started. If you have a webserver or a honeypot listening on TCP 81, this activity might be contained in your logs. I have included the URL to the IPDetails reported to ISC that shows similar activity from the same source IP address listed in this diary.

Notorious spy advises: this is how your phone won’t reveal your location The US intelligence agency National Security Agency (NSA) published guidance for mobile users on hiding their location from outsiders. Bleeping Computer reported on the matter. Although the NSA’s activities around the world have at times been questionable, its guidance for US Department of Defense employees (pdf) is excellent reading for anyone who wants to keep their location to themselves. IS Digitoday added some clarifications to these instructions. If you follow them, be prepared for several important location-dependent apps, such as maps, fitness trackers or weather forecasts, to possibly stop working.

Cyber exercises improved Keva’s readiness to face real-world threat situations Is your organisation interested in starting cyber exercises but not yet sure where to begin? The National Cyber Security Centre regularly supports organisations in their exercises. We have asked a few organisations that have held exercises to write about their experiences. The first to describe its cyber exercise is Keva, the public sector pension provider.

Don’t let your patching process take a summer holiday Patching critical vulnerabilities is important, also in summertime. Are your processes in order and deputising arrangements thought through while employees are on holiday? Updates keep arriving at a steady pace during the holiday season too, and vulnerabilities are exploited in a rapid cycle after they are published. So don’t leave a holiday gap in your patching calendar!

5G Just Got Weird – Industry group 3GPP takes 5G in new directions in latest set of standards Release 16 is where things are getting weird for 5G. While earlier releases focused on the core of 5G as a generation of cellular service, Release 16 lays the groundwork for new services that have never been addressed by cellular before. At least, not in such a rigorous, comprehensive way. One of the flashiest things in Release 16 is V2X, short for “Vehicle to Everything.” In other words, using 5G for cars to communicate with each other and everything else around them. Hanbyul Seo, an engineer at LG Electronics, says V2X technologies have previously been standardized in IEEE 802.11p and 3GPP LTE V2X, but that the intention in these cases was to enable basic safety services. Seo is one of the rapporteurs for 3GPP’s item on V2X, meaning he was responsible for reporting on the item’s progress to 3GPP. Release 16 also includes information on location services. In past generations of cellular, three cell towers were required to triangulate where a phone was by measuring the round-trip distance of a signal from each tower. But 5G networks will be able to use the round-trip time from a single tower to locate a device. That’s because massive MIMO and beamforming allow 5G towers to send precise signals directly to devices, and so the network can measure the direction and angle of a beam, along with its distance from the tower, to locate it. Then there are private networks. When we think of cellular networks, we tend to think of wide networks that cover lots of ground so that you can always be sure you have a signal. But 5G incorporates millimeter waves, which are higher frequency radio waves (30 to 300 GHz) that don’t travel nearly as far as traditional cell signals. Millimeter waves mean it will be possible to build a network just for an office building, factory, or stadium. At those scales, 5G could function essentially like Wi-Fi networks.
Release 16 has introduced a lot of new areas for 5G service, but very few of these areas are finished. “The Release 17 scope was decided last December,” says Tseng. “We’ve got a pretty good idea of what’s in there.” In general, that means building on a lot of the blocks established in Release 16. For example, Release 17 will include more mechanisms by which devices, not just cars, can sidelink.

China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI The block was put in place at the end of July and is enforced via China’s Great Firewall. The Chinese government has deployed an update to its national censorship tool, known as the Great Firewall (GFW), to block encrypted HTTPS connections that are being set up using modern, interception-proof protocols and technologies. The ban has been in place for at least a week, since the end of July, according to a joint report published this week by three organizations tracking Chinese censorship — iYouPort, the University of Maryland, and the Great Firewall Report.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-08

Small and medium-sized businesses: Big targets for ransomware attacks Why are SMBs a target for ransomware-wielding gangs and what can they do to protect themselves against cyber-extortion? While large enterprises may present themselves as more lucrative prey, SMBs are an attractive target due to their lack of resources to defend against such attacks.

Iranians, Russians receive text messages seeking U.S. election hacking info Written in Farsi, the Iran text messages say: “The United States pays up to $10 million for any information on foreign interference in American elections.” They carry a link to the U.S. Rewards for Justice Program, which offers cash bounties in return for information on threats to American national security.

Capital One to pay $80 million fine after data breach Capital One Financial Corp (COF.N) will pay an $80 million penalty to a U.S. bank regulator after the bank suffered a massive data breach one year ago. The fine, announced Thursday by the Office of the Comptroller of the Currency, punishes the bank for failing to adequately identify and manage risk as it moved significant portions of its technological operations to the cloud.

Blackbaud data breach: What you should know Blackbaud, a cloud software company, disclosed that they had been the victim of an attempted ransomware attack. Between their cybersecurity team, a forensics expert and law enforcement it was successfully thwarted. Unfortunately, the perpetrator, before being locked out, copied a subset of data which they then offered to delete for an undisclosed sum of money. Blackbaud paid the ransom-to-delete and received confirmation the data had been destroyed. They claim to have taken this action because “protecting our customers’ data is our top priority”.

Threat Roundup for July 31 to August 7 Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 31 and Aug. 7. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

Dutch Hackers Found a Simple Way to Mess With Traffic Lights By reverse engineering apps intended for cyclists, security researchers found they could cause delays in at least 10 cities from anywhere in the world.

Beyond KrØØk: Even more WiFi chips vulnerable to eavesdropping At Black Hat USA 2020, ESET researchers delved into details about the KrØØk vulnerability in Wi-Fi chips and revealed that similar bugs affect more chip brands than previously thought. KrØØk (formally CVE-2019-15126) is a vulnerability in Broadcom and Cypress Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. Specifically, the bug has led to wireless network data being encrypted with a WPA2 pairwise session key that is all zeros instead of the proper session key that had previously been established in the 4-way handshake. This undesirable state occurs on vulnerable Broadcom and Cypress chips following a Wi-Fi disassociation.

DEF CON: New tool brings back ‘domain fronting’ as ‘domain hiding’ After Amazon and Google stopped supporting the censorship-evading domain fronting technique on their clouds in 2018, the new Noctilucent toolkit aims to bring it back in a new form as “domain hiding.” At the DEF CON 28 security conference this week, a security researcher has released a new tool that can help the makers of sensitive applications evade censorship and bypass firewalls to keep services up inside problematic areas of the globe. Domain fronting is a technique that was made popular by mobile app developers in the 2010s and has been used to allow apps to bypass censorship attempts in oppressive countries.

Researchers found another way to hack Android cellphones via Bluetooth Attackers looking to steal sensitive information like contacts, call history, and SMS verification codes from Android devices only need to target Bluetooth protocols, according to new DBAPPSecurity research presented at the 2020 Black Hat conference Wednesday. These exploits, one of which takes advantage of a zero-day vulnerability, could also allow hackers to send fake text messages if manipulated properly, researchers found. The other attack allows researchers to take advantage of an authentication bypass vulnerability, dubbed “BlueRepli.” Would-be attackers can bypass authentication by imitating a device that has previously been connected with a target. Victims do not need to give permission to a device for the exploit to work.

Hacking the PLC via Its Engineering Software Researcher will demonstrate at DEF CON an emerging threat to industrial control networks. Attackers don’t need to directly hack into a programmable logic controller (PLC) to wreak havoc on an industrial process: they can target its configuration files and pivot from there.

Still using an old Windows? The FBI’s warning applies in Finland too The US federal police, the FBI, issued a warning (pdf) about the Windows 7 operating system, which was released in 2009. It stopped receiving security fixes last January, unless they are separately paid for. The FBI’s warning is aimed at businesses, but the message is clear for all Windows 7 users: the operating system should be abandoned as soon as possible. The FBI says it has observed that criminals target computers whose operating system has reached the end of its life. Over time Windows 7 will become ever more vulnerable to attacks as new vulnerabilities that will never be fixed are discovered in it.

Nearly 50% of all smartphones affected by Qualcomm Snapdragon bugs Several security vulnerabilities found in the Digital Signal Processor (DSP) of Qualcomm’s Snapdragon chip could allow attackers to take control of almost 40% of all smartphones, spy on their users, and create un-removable malware capable of evading detection.

Why You Should Stop Sending SMS Messages, Even On Apple iMessage SMS is at the other end of the security spectrum, built on an archaic architecture that sits inside the many cellular networks around the world. When you send an SMS, while it might be secure between your phone and your network, once there it can be easily intercepted and collected. Last year I reported on hackers compromising global telcos to collect SMS traffic between targeted senders and recipients. As FireEye warned at the time, “users and organizations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain.”

Whoops, our bad, we just may have ‘accidentally’ left Google Home devices recording your every word, sound, sorry Your Google Home speaker may have been quietly recording sounds around your house without your permission or authorization, it was revealed this week.

The Quest to Liberate $300,000 of Bitcoin From an Old Zip File The story of a guy who wouldn’t let a few quintillion possible decryption keys stand between him and his cryptocurrency.

Evasive Credit Card Skimmers Using Homograph Domains and Infected Favicon Cybersecurity researchers today highlighted an evasive phishing technique that attackers are exploiting in the wild to target visitors of several sites with a quirk in domain names, and leverage modified favicons to inject e-skimmers and steal payment card information covertly.

WastedLocker’s techniques point to a familiar heritage WastedLocker evades detection by performing most operations in memory, and shares several characteristics with a better-known ransomware family.

Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts A series of ongoing business email compromise (BEC) campaigns that use spear-phishing schemes on Office 365 accounts has been seen targeting business executives of over 1,000 companies across the world since March 2020. The recent campaigns target senior positions in the United States and Canada.

Fake e-mail scanner A detailed look at a phishing site masquerading as an e-mail scanner and its attempts to snag victims. This scam message employs the time-honored trick of victim intimidation. You can see it right in the header, which reads “Virus Alert” followed by three exclamation points. However trifling punctuation may seem, it’s the first thing that should tip off the recipient that something may be wrong. Unnecessary punctuation in a work e-mail is a sign of drama or unprofessionalism. Either way, it’s inappropriate in a notification supposedly intended to convey information about a threat.

Security News This Week: The NSA’s Tips to Keep Your Phone From Tracking You Plus: A Canon ransomware hack, a nasty Twitter bug, and more of the week’s top security news.

How COVID-19 Has Changed Business Cybersecurity Priorities Forever And hackers all over the world knew it. Almost immediately, Google reported a significant increase in malicious activity, and Microsoft noted trends that appeared to back that up. The good news is that the wave of cyberattacks unleashed by the pandemic peaked in April and has since died down. Fortunately, that’s allowing IT professionals and network administrators everywhere to take a deep breath and take stock of the new security environment they’re now operating in.

GEC Special Report: Russia’s Pillars of Disinformation and Propaganda The Department’s Global Engagement Center (GEC) is leading and coordinating efforts of the U.S. Federal Government to recognize, understand, expose, and counter foreign propaganda and disinformation. In line with its congressional mandate, the GEC is releasing a special report that provides an overview of Russia’s disinformation and propaganda ecosystem. The report outlines the five pillars of Russia’s disinformation and propaganda ecosystem and how these pillars work together to create a media multiplier effect. In particular, it details how the tactics of one pillar, proxy sources, interact with one another to elevate malicious content and create an illusion of credibility.

We’ve got you covered: experts produce first-ever technical advice on cyber insurance New guidance highlights the 7 cyber security questions organisations should be asking if they are considering purchasing cyber insurance.

Australia to spend $1.2 billion on cyber security for private sector after rise in attacks Australia will spend A$1.66 billion ($1.19 billion) over the next 10 years to strengthen the cyber defences of companies and households after a rise in cyber attacks, Prime Minister Scott Morrison said on Thursday. Cyber attacks on businesses and households are costing about A$29 billion ($20.83 billion) or 1.5% of Australia’s gross domestic product (GDP), Morrison told reporters in Canberra.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-07

The Secret Life of an Initial Access Broker Recently, ZDNet exclusively reported a leak posted on a cybercrime community containing details and credentials of over 900 enterprise Pulse Secure servers exploited by threat actors. Since this leak represents an ever-growing ransomware risk, KELA delved into both the leak’s content and the actors who were involved in its inception and circulation. This short research targets a specific tier of cybercriminal actors: Initial Access Brokers. These are mid-tier actors who specialize in obtaining initial network access from a variety of sources, curating and grooming it into a wider network compromise and then selling it off to ransomware affiliates. With the affiliate ransomware network becoming more and more popular and affecting huge enterprises as well as smaller ones, initial access brokers are rapidly becoming an important part of the affiliate ransomware supply chain. The list leak mentioned above seems to have been circulating between several initial access brokers in cybercrime forums, and was exposed by a LockBit affiliate who regarded the actors as unprofessional. This event showcases the breadth of information that’s exchanged on cybercrime communities and, in KELA’s eyes, emphasizes the need for scalable and targeted monitoring of underground communities.

Australia’s Cyber Security Strategy 2020 On 6 August 2020, the Australian Government released Australia’s Cyber Security Strategy 2020 (3MB PDF). The Australian Cyber Security Strategy 2020 will invest $1.67 billion over 10 years to achieve our vision of creating a more secure online world for Australians, their businesses and the essential services upon which we all depend.

Intel NDA blueprints: 20GB of source code, schematics, specs, docs spill onto web from partners-only vault Updated Switzerland-based IT consultant Tillie Kottmann on Thursday published a trove of confidential Intel technical material, code, and documents related to various processors and chipsets. “They were given to me by an anonymous source who breached them earlier this year, more details about this will be published soon,” Kottmann wrote on Twitter, suggesting someone had broken into Intel’s systems and siphoned off the material. More leaks of secret Intel documents are promised.

The Current State of Exploit Development, Part 1 Memory corruption exploits have historically been one of the strongest accessories in a good red teamer’s toolkit. They present an easy win for offensive security engineers, as well as adversaries, by allowing the attacker to execute payloads without relying on any user interaction.

Exhausted, energised and overwhelmed – but in a good way! The Cyber Accelerator Programme, now in its 4th year, was created to grow the UK’s emerging cyber security industry, and provides support to innovative start-up companies aiming to bring ‘better, faster and cheaper’ cyber security products and services to market. The Accelerator does this by offering technical leadership, guidance and mentoring to successful applicants.

Weekly Threat Report 7th August 2020 The NCSC’s weekly threat report is drawn from recent open source reporting.

July’s Most Wanted Malware: Emotet Strikes Again After Five-Month Absence Check Point Research finds a sharp increase in the Emotet botnet spreading spam campaigns after a period of inactivity, aiming to steal banking credentials and spread inside targeted networks.

Bulgarian police arrest hacker Instakilla Hacker accused of hacking and extorting companies, selling stolen data online.

Chinese Hackers Have Pillaged Taiwan’s Semiconductor Industry A campaign called Operation Skeleton Key has stolen source code, software development kits, chip designs, and more.

Black Hat 2020: Mercedes-Benz E-Series Rife with 19 Bugs Researchers went into detail about the discovery and disclosure of 19 security flaws they found in Mercedes-Benz vehicles, which have all been fixed.

Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks The new research explains microarchitectural attacks were actually caused by speculative dereferencing of user-space registers in the kernel, which not just impacts the most recent Intel CPUs with the latest hardware mitigations, but also several modern processors from ARM, IBM, and AMD previously believed to be unaffected.

Have I Been Pwned to go open source – 10bn credentials, not so much, says creator Hunt Credential breach website Have I Been Pwned (HIBP) will be going open source, site creator and maintainer Troy Hunt has told the world.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-06

Australia’s 2020 Cyber Security Strategy The Morrison Government’s 2020 Cyber Security Strategy outlines how we will keep Australian families and businesses secure online, protect and strengthen the security and resilience of Australia’s critical infrastructure and ensure law enforcement agencies have the powers and technical capabilities to detect, target, investigate and disrupt cybercrime, including on the dark web. The 2020 Cyber Security Strategy is the largest ever Australian Government financial commitment to cyber security and builds on the strong foundations established by its predecessor (3MB PDF).

Achilles: Small chip, big peril. Over 400 vulnerabilities on Qualcomm’s Snapdragon chip threaten mobile phones’ usability worldwide With over 3 billion users globally, smartphones are an integral, almost inseparable part of our day-to-day lives. As the mobile market continues to grow, vendors race to provide new features, new capabilities and better technological innovations in their latest devices. To support this relentless drive for innovation, vendors often rely on third parties to provide the required hardware and software for phones. One of the most common third-party solutions is the Digital Signal Processor unit, commonly known as the DSP chip.

Fake e-mail scanner A detailed look at a phishing site masquerading as an e-mail scanner and its attempts to snag victims. In recent years, news about e-mail-based infections of corporate networks has been fairly regular (and generally connected with ransomware). So, it’s no surprise that scammers periodically use the topic to try to extract credentials for corporate mail accounts by persuading company employees to run a scan of their mailbox.

Porn blast disrupts bail hearing of alleged Twitter hacker One of the alleged Twitter hackers faced a bail hearing in a Florida court yesterday. ICYMI, the Twitter hack we’re referring to involved the takeover of 45 prominent Twitter accounts, including those of Joe Biden, Elon Musk, Apple Computer, Barack Obama, Kim Kardashian and a laundry list of others with huge numbers of followers.

Incident Response Analyst Report 2019 As an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries’ cyber-incident tactics and techniques used in the wild. In this report, we share our team’s conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.

Shellshock In-Depth: Why This Old Vulnerability Won't Go Away. Shellshock is a bug in the Bash command-line shell that has existed for some 30 years and was discovered and recognised as a significant threat in 2014. Today, Shellshock still remains a threat to enterprises. The threat is certainly less severe than in the year of discovery. However, in a year in which security priorities have been recalibrated to keep up with a chaotic landscape, it's a good time to look back at this threat and the underlying factors that keep these attacks alive today.

Bypassing MassLogger Anti-Analysis: a Man-in-the-Middle Approach. The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the lack of novel functionalities and features, this sample employs a sophisticated technique that replaces the Microsoft Intermediate Language (MSIL) at run time to hinder static analysis. At the time of this writing, there is only one publication discussing the MassLogger obfuscation technique in some detail.

A Fork of the FTCode Powershell Ransomware. Yesterday, I found a new malicious Powershell script that deserved to be analyzed due to the way it was dropped on the victim's computer. As usual, the malware was delivered through a malicious Word document with a VBA macro. A first observation reveals that it's a fileless macro. The malicious Base64 code is stored in multiple environment variables that are concatenated and then executed through an IEX command.

Inter skimming kit used in homoglyph attacks. As we continue to track web threats and credit card skimming in particular, we often rediscover techniques we've encountered elsewhere before. In this post, we share a recent find that involves what is known as a homoglyph attack. This technique has been exploited for some time already, especially in phishing scams with IDN homograph attacks.
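
As an added illustration of the homograph technique behind this item (example code written for this page, not from the Malwarebytes post), the following Python flags mixed-script labels and look-alikes of a constructed watchlist of brand domains. The watchlist, the confusables subset and the sample hostnames are assumptions made for the example; the Cyrillic-a paypal look-alike and its punycode form are built inline.

```python
"""Flag IDN/homoglyph look-alikes of watched domains (added example)."""
import unicodedata

# Brand domains to protect; constructed watchlist for this example.
WATCHLIST = {"paypal.com", "apple.com", "google.com"}

# Small subset of Unicode confusables (Cyrillic/Greek/Latin letters that
# render like ASCII ones). Not exhaustive; Unicode TR39 has the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04bb": "h", "\u0501": "d",
    "\u03bf": "o", "\u03b1": "a", "\u0131": "i", "\u01c0": "l",
}


def to_unicode(host: str) -> str:
    """Accept an A-label ("xn--...") or a U-label host; return the U-label form."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII, so it is the U-label


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one DNS label, e.g. {"LATIN", "CYRILLIC"}."""
    scripts = set()
    for ch in unicodedata.normalize("NFKC", label):  # fold fullwidth forms etc.
        if not ch.isalpha():
            continue  # digits and hyphens carry no script
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def skeleton(host: str) -> str:
    """Map confusable letters to their ASCII look-alike so variants compare equal."""
    folded = unicodedata.normalize("NFKC", host).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyze(host: str) -> dict:
    """Report mixed-script labels and whether HOST is a look-alike of a watched domain."""
    uni = to_unicode(host.strip().rstrip(".")).lower()
    labels = uni.split(".")
    mixed = [lab for lab in labels if len(label_scripts(lab)) > 1]
    skel = skeleton(uni)
    return {
        "host": host,
        "unicode": uni,
        "non_ascii": not uni.isascii(),
        "mixed_script_labels": mixed,
        "skeleton": skel,
        "lookalike_of": skel if (skel in WATCHLIST and skel != uni) else None,
    }


if __name__ == "__main__":
    # Constructed samples: Cyrillic "a" in paypal, its punycode form, fullwidth letters.
    for h in ["paypal.com", "p\u0430ypal.com",
              "p\u0430ypal.com".encode("idna").decode("ascii"),
              "\uff50\uff41\uff59\uff50\uff41\uff4c.com"]:
        print(analyze(h))
```

analyze() accepts either the punycode A-label a proxy log shows or the Unicode form a browser renders. In practice the watchlist is your own brands and partners, and the confusables table should come from the full Unicode TR39 data rather than this subset; a single-script Cyrillic look-alike will not trigger the mixed-script check and is caught only by the skeleton comparison.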

High-Severity Cisco DoS Flaw Plagues Small-Business Switches. Cisco is warning of a high-severity flaw that could allow remote, unauthenticated attackers to cripple several of its popular small-business switches with denial of service (DoS) attacks. The vulnerability stems from the IPv6 packet processing engine in the switches. IPv6 (also known as Internet Protocol version 6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification system for computers on networks and routes traffic across the Internet.

Intel investigating breach after 20GB of internal documents leak online. US chipmaker Intel is investigating a security breach after earlier today 20 GB of internal documents, with some marked "confidential" or "restricted secret," were uploaded online on file-sharing site MEGA. The data was published by Till Kottmann, a Swiss software engineer, who said he received the files from an anonymous hacker who claimed to have breached Intel earlier this year.

The USA has painted a big target on the forehead of anyone meddling in the presidential election: a reward of up to 10 million dollars. The United States is prepared to pay up to 10 million dollars for a tip that leads to the capture of a foreign election meddler. According to ZDNet, the reward covers attacks on election systems, voting equipment, officials, candidates and campaign workers alike. The reward is, however, limited to perpetrators who act in cooperation with foreign states. There is thus no interest in catching individual troublemakers.

Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims A group of thieves thought to be responsible for collecting millions in fraudulent small business loans and unemployment insurance benefits from COVID-19 economic relief efforts gathered personal data on people and businesses they were impersonating by leveraging several compromised accounts at a little-known U.S. consumer data broker, KrebsOnSecurity has learned.

Insecure satellite Internet is threatening ship and plane safety. More than a decade has passed since researchers demonstrated serious privacy and security holes in satellite-based Internet services. The weaknesses allowed attackers to snoop on and sometimes tamper with data received by millions of users thousands of miles away. You might expect that in 2020, as satellite Internet has grown more popular, providers would have fixed those shortcomings, but you'd be wrong.

Black Hat 2020: Linux Spyware Stack Ties Together 5 Chinese APTs The groups, all tied to the Winnti supply-chain specialist gang, were seen using the same Linux rootkit and backdoor combo. A stack of Linux backdoor malware used for espionage, compiled dynamically and customizable to specific targets, is being used as a shared resource by five different Chinese-language APT groups, according to researchers.

Canon confirms ransomware attack in internal memo. Update 08/06/20: BleepingComputer has obtained a screenshot of an internal message sent by Canon to employees that discloses the ransomware attack. This message further states that they have hired an outside cybersecurity company to aid in their recovery.

Smart locks opened with nothing more than a MAC address. A smart lock sold by major US retailers could be opened with no more than a MAC address, researchers say. Smart locks have slowly been adopted as an intelligent, Internet of Things (IoT) alternative to traditional lock-and-key methods of securing a property.

Cyber insurance guidance. This guidance is for organisations of all sizes who are considering purchasing cyber insurance. It is not intended to be a comprehensive cyber insurance buyer's guide, but instead focuses on the cyber security aspects of cyber insurance. If you are considering cyber insurance, these questions can be used to frame your discussions. This guidance focuses on standalone cyber insurance policies, but many of these questions may be relevant to cyber insurance where it is included in other policies.

USA decides to cleanse local networks of anything Chinese under new five-point national data security plan. US secretary of state Mike Pompeo has announced a Clean Network plan he says offers "a comprehensive approach to guarding our citizens' privacy and our companies' most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party (CCP)."

New Windows Print Spooler Zero-Day Flaws Harken Back to Stuxnet. Researchers find new flaws in the ubiquitous decades-old printer software in Windows, including one that bypasses a recent Microsoft patch. Ten years after the game-changing Stuxnet attack was first discovered, a Windows printer program it exploited has been found to contain additional dangerous zero-day flaws that could allow an attacker to gain a foothold in the network as a privileged user.

Processing Data to Protect Data: Resolving the Breach Detection Paradox. Most privacy laws contain two obligations: that processing of personal data must be minimised, and that security breaches must be detected and mitigated as quickly as possible. These two requirements appear to conflict, since detecting breaches requires additional processing of logfiles and other personal data to determine what went wrong. Fortunately Europe's General Data Protection Regulation (GDPR), considered the strictest such law, recognises this paradox and suggests how both requirements can be satisfied. This paper assesses security breach detection in the light of the principles of purpose limitation and necessity, finding that properly-conducted breach detection should satisfy both principles,

NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-05

Defending the Oil and Gas Industry Against Cyber Threats The oil and gas industry is one of the most powerful financial sectors in the world, critical to global and national economies. Therefore, this industry is a valuable target for adversaries seeking to exploit Industrial Control Systems (ICS) vulnerabilities. As the recent increase in attacks against ICS demonstrates, adversaries with a specific interest in oil and gas companies remain active and are evolving their behaviors. Protection against cyber attacks is essential to the worldwide economy.

Repurposing Neural Networks to Generate Synthetic Media for Information Operations. FireEye's Data Science and Information Operations Analysis teams released this blog post to coincide with our Black Hat USA 2020 Briefing, which details how open source, pre-trained neural networks can be leveraged to generate synthetic media for malicious purposes. To summarize our presentation, we first demonstrate three successive proof of concepts for how machine learning models can be fine-tuned in order to generate customizable synthetic media in the text, image, and audio domains.

Toolmarks and Intrusion Intelligence Very often, DFIR and intel analysts alike don’t appear to consider such things as toolmarks associated with TTPs, nor intrusion intelligence. However, considering such things can lead to greater edge sharpness with respect to attribution, as well as to the intrusion itself. What I’m suggesting in this post is fully exploiting the data that most DFIR analysts already collect and therefore have available. I’m not suggesting that additional tools be purchased; rather, what I’m illustrating is the value of going just below the surface of much of what’s shared, and adding a bit of context regarding the how and when of various actions taken by threat actors.

Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts Apple earlier this year fixed a security vulnerability in iOS and macOS that could have potentially allowed an attacker to gain unauthorized access to a user’s iCloud account. Uncovered in February by Thijs Alkemade, a security specialist at IT security firm Computest, the flaw resided in Apple’s implementation of TouchID (or FaceID) biometric feature that authenticated users to log in to websites on Safari, specifically those that use Apple ID logins.

Traffic Analysis Quiz: What’s the Malware From This Infection? Today’s diary is a traffic analysis quiz where you try to identify the malware based on a pcap of traffic from an infected Windows host. Download the pcap from this page, which also has the alerts. Don’t open or review the alerts yet, because they give away the answer.

Microsoft Teams Updater Living off the Land. During the global COVID-19 pandemic there has been an increasing use of video conferencing solutions, and Trustwave SpiderLabs is exercising extra vigilance in monitoring video conferencing traffic. During our threat hunt, we have observed lots of Microsoft Teams updater traffic. Due to the noisy nature of the traffic, there is a possibility that malicious traffic hiding there will evade the analyst's view or even be added to a list of allowed, and therefore unmonitored, applications.

High-Severity Android RCE Flaw Fixed in August Security Update. Google has released patches addressing a high-severity issue in its Framework component, which if exploited could enable remote code execution (RCE) on Android mobile devices. Overall, 54 high-severity flaws were patched as part of Google's August security updates for the Android operating system, released on Monday. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high and critical-severity vulnerabilities tied to 31 CVEs.

Researcher Demonstrates 4 New Variants of HTTP Request Smuggling Attack. New research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers. Amit Klein, VP of Security Research at SafeBreach, who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP request smuggling even 15 years after they were first documented.
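
The classic CL.TE desync that all smuggling variants build on, as an added example (not part of the article or of Klein's research): two framing routines carve the same byte stream the way a front-end that trusts Content-Length and a back-end that trusts Transfer-Encoding would, using a constructed attacker request followed by a constructed victim request on a shared back-end connection. Hostnames and paths are placeholders. The four new variants are not reproduced here; the point is that any pair of parsers that disagree on where one request ends produces the same prefix-injection effect.

```python
"""CL.TE request smuggling: two framings of one byte stream (added example)."""


def parse_head(head: bytes):
    """Split a request head into (request line, {lowercased header: value})."""
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line, headers


def read_chunked(data: bytes):
    """Decode a chunked body; return (body, bytes left over after the last chunk)."""
    body = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip(), 16)  # ignore chunk extensions
        if size == 0:
            while True:  # skip optional trailer headers up to the empty line
                line, _, data = data.partition(b"\r\n")
                if line == b"":
                    break
            return body, data
        body += data[:size]
        data = data[size + 2:]  # chunk data plus its trailing CRLF


def frame_requests(stream: bytes, honor_te: bool):
    """Carve requests out of STREAM the way a parser that prefers Transfer-Encoding
    (honor_te=True) or Content-Length (honor_te=False) would."""
    requests = []
    while b"\r\n\r\n" in stream:
        head, _, rest = stream.partition(b"\r\n\r\n")
        request_line, headers = parse_head(head)
        if honor_te and headers.get("transfer-encoding", "").lower() == "chunked":
            body, rest = read_chunked(rest)
        else:
            length = int(headers.get("content-length", "0"))
            body, rest = rest[:length], rest[length:]
        requests.append((request_line, headers, body))
        stream = rest
    return requests


def has_conflicting_framing(headers: dict) -> bool:
    """RFC 7230 section 3.3.3: a message carrying both headers is a smuggling risk; reject it."""
    return "transfer-encoding" in headers and "content-length" in headers


# Constructed attacker request: the chunked body ends immediately ("0"), and the
# bytes after it are a prefix the back-end will glue onto the next request.
PREFIX = b"GET /admin HTTP/1.1\r\nX-Ignore: "
SMUGGLE_BODY = b"0\r\n\r\n" + PREFIX
ATTACK = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n" % len(SMUGGLE_BODY)
          + SMUGGLE_BODY)
# A legitimate request from another user that shares the back-end connection.
VICTIM = b"GET /legit HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = ATTACK + VICTIM


if __name__ == "__main__":
    for who, te in (("front-end (Content-Length)", False), ("back-end (chunked)", True)):
        print(who, [r[0] for r in frame_requests(STREAM, te)])
```

The front-end sees two well-formed requests; the back-end sees the attacker's POST with an empty body and then a request for /admin whose X-Ignore header has swallowed the victim's request line. has_conflicting_framing() is the mitigation side: a proxy that refuses, or normalises to a single framing, any request carrying both headers removes the ambiguity, and the check has to run on the raw header bytes before any rewriting.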

How the NSA Says You Can Limit Location Data Exposure Location data can be one of the most valuable pieces of information for an attacker, and also arguably one of the hardest to protect. Smartphones are constantly providing such data through apps, the phone’s operating system itself, or in virtue of just using telecommunications networks or being near other devices. With that in mind, the National Security Agency (NSA) on Tuesday published its own guidelines for limiting the exposure of location data. The guidelines are geared more for government officials, but the advice itself can be useful for those hoping to stop sending so much location data to tech companies, ad firms, or apps that may then expose it later.

Hacker leaks passwords for 900+ enterprise VPN servers A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.

Canon hit by Maze Ransomware attack, 10TB data allegedly stolen. Canon has suffered a ransomware attack that impacts numerous services, including Canon's email, Microsoft Teams, USA website, and other internal applications. BleepingComputer has been tracking a suspicious outage on Canon's cloud photo and video storage service resulting in the loss of data for users of their free 10GB storage feature. The site suffered an outage on July 30th, 2020, and over six days, the site would show status updates until it went back in service yesterday, August 4th.

Threat Hunting Techniques: A Quick Guide Threat hunting is an essential part of security operations center services and should be incorporated at an early stage. Threat hunting is the art of finding the unknowns in the environment, going beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR) and others. There are multiple methods to perform hunting, and your team can select the one that fits best based on what you want to accomplish.

FBI issues warning over Windows 7 end-of-life The Federal Bureau of Investigation has sent a private industry notification (PIN) on Monday to partners in the US private sector about the dangers of continuing to use Windows 7 after the operating system reached its official end-of-life (EOL) earlier this year. “The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status,” the agency said.

Less Than Half of Security Pros Can Identify Their Organization’s Level of Risk Just 51% work with the business side of the house on risk reduction objectives, new study shows. Security leaders still struggle to communicate their organization’s cyber risk to business executives and the board. New research by Forrester and Tenable found that just four out of 10 security leaders can answer with a high level of confidence the question: “How secure, or at risk, are we?”

Misconfigured servers contributed to more than 200 cloud breaches Misconfigured storage services in 93 percent of cloud deployments have contributed to more than 200 breaches over the past two years, exposing more than 30 billion records, according to a report from Accurics, which predicted that cloud breaches are likely to increase in both velocity and scale. The researchers found that 91 percent of the cloud deployments analyzed had at least one major exposure that left a security group wide open while in 50 percent unprotected credentials were stored in container configuration files, significant because 84 percent of organizations use containers.

Twitter for Android vulnerability gave access to direct messages. Twitter today announced that it fixed a security vulnerability in the Twitter for Android app that could have allowed attackers to gain access to users' private Twitter data including direct messages. "We recently discovered and fixed a vulnerability in Twitter for Android related to an underlying Android OS security issue affecting OS versions 8 and 9," Twitter explained.

The Official Facebook Chat Plugin Created Vector for Social Engineering Attacks. On June 26, 2020, our Threat Intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites. We initially reached out to Facebook on June 26, 2020 and included the full disclosure details at the time of reaching out. They initially responded on June 30, 2020, and after much back and forth, Facebook released a patch on July 28, 2020.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-04

Google and Amazon overtake Apple as most imitated brands for phishing in Q2 2020. When the career criminal Willie Sutton was asked by a reporter why he robbed so many banks, he reportedly answered: "Because that's where the money is." The same logic applies to the question, "Why are there so many phishing attacks?" Simply because they work, again and again. It's estimated that phishing is the starting point of over 90% of all attempted cyber-attacks, and Verizon's 2019 Data Breach Investigations Report showed that nearly one-third (32%) of actual data breaches involved phishing activity. What's more, phishing was present in 78% of cyber-espionage incidents and the installation and use of backdoors to networks.

Code-Signing: How Malware Gets a Free Pass. In an ideal world, something that is signed cannot be altered. A signature implies that the signed item is trustworthy and unaltered. When it comes to signed files, things look a bit different: a signature does not always mean that everything is in order. Digitally signing software, also referred to as code signing, is intended to certify the software's authenticity. It is a method that provides a sense of assurance to users that the software they are using is untampered with and true to its original design. In January 2019, Virustotal[1], together with Microsoft, disclosed a vulnerability involving digitally signed Microsoft Installer files (.MSI). Researchers had found that the validity of a digitally signed MSI file remains intact even after additional content is appended to the end of the file.

Robocall Legal Advocate Leaks Customer Data A California company that helps telemarketing firms avoid getting sued for violating a federal law that seeks to curb robocalls has leaked the phone numbers, email addresses and passwords of all its customers, as well as the mobile phone numbers and other data on people who have hired lawyers to go after telemarketers.

Do You Have Enough Cloud Security? Use CIS Controls to Assess Yourself. Clients often ask me, "How do I know if I have enough security in the cloud?" This is a great question because it shows a willingness to learn. The truth is that there is no right answer. However, a simple place to begin is the basics. You should be sure you're covering the basics well and tracking them closely. This is why I am a huge fan of standards. While they are not the be-all and end-all for security, they give you an excellent place to start.

6 Ransomware Trends You Should Watch for in 2020 A ransomware infection can have a significant financial impact on an organization. American digital security and data backup firm Datto found that ransomware is costing businesses more than $75 billion a year. Part of that financial impact results from downtime costs. Govtech also revealed that businesses lost an average of $8,500 per hour as the result of ransomware-related downtime, while Coveware placed the total amount of downtime damages at $65,645 per crypto-malware incident.

How much is your personal data worth on the dark web? It's no news that the dark web is rife with offers of stolen data that ranges from pilfered credit card information and hijacked payment services accounts to hacked social media accounts. Anyone interested can also hire a ne'er-do-well to launch a distributed denial of service (DDoS) attack, buy malware, or purchase forged documents and commit identity theft. But have you ever wondered how much your personal information goes for on the dark web? Researchers at Privacy Affairs have sifted through the listings in the internet's seedy underbelly and created an overview of the average price tags attached to your stolen personal data.

Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards Security researchers are a vital component of the cybersecurity ecosystem that safeguards every facet of digital life and commerce. The researchers who devote time to uncovering and reporting security issues before adversaries can exploit them have earned our collective respect and gratitude. The security landscape is constantly changing with emerging technology and new threats. By discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure (CVD), security researchers have continued to help us secure millions of customers.

Internet Choke Points: Concentration of Authoritative Name Servers A utopian vision of the Internet often describes it as a distributed partnership of equals giving everybody the ability to publish and discover information worldwide. This open, democratic Internet is often little more than an imaginary legacy construct that may have existed at some time in the distant past, if ever. Reality: Today, the Internet is governed by a few large entities. Diverse interconnectivity and content distribution were also supposed to make the Internet more robust. But as it has been shown over and over again, a simple misconfiguration at a single significant player will cause large parts of the network to disappear.

Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH). An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks. Speaking in a webinar last week, Vincente Diaz, a malware analyst for antivirus maker Kaspersky, said the change happened in May this year when Oilrig added a new tool to its hacking arsenal. According to Diaz, Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into hacked networks.
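
An added example, not the Kaspersky material and not DNSExfiltrator's own encoding: it shows how a DNS tunnel packs data into query names, how the receiving side reassembles it, and the two places a defender can look, namely query-name shape in resolver logs and TLS SNI for known DoH endpoints, since queries sent over DoH never reach the internal resolver's logs. The attacker domain, the secret payload, the benign queries and the TLS log lines are all constructed for the example; the DoH host list is a small watchlist of public resolvers, not a complete one.

```python
"""DNS-tunnel encoding, reassembly and log-side detection (added example)."""
import base64
import math
from collections import defaultdict

MAX_LABEL = 50  # DNS labels are capped at 63 octets; leave headroom
# Public DoH endpoints a client would talk to over TLS (watchlist, not exhaustive).
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
                   "mozilla.cloudflare-dns.com", "dns.quad9.net"}


def exfil_queries(data: bytes, domain: str) -> list:
    """Attacker side: base32-chunk DATA into <chunk>.<seq>.<domain> query names.
    Illustrative scheme only, not DNSExfiltrator's actual wire format."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    chunks = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    return [f"{chunk}.{seq}.{domain}" for seq, chunk in enumerate(chunks)]


def decode_exfil(names: list) -> bytes:
    """Receiving side: order chunks by their sequence label and re-pad for base32."""
    parts = sorted((int(n.split(".")[1]), n.split(".")[0]) for n in names)
    text = "".join(chunk for _, chunk in parts).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data sits far above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_tunnels(names, min_len=30, min_entropy=3.0, min_unique=10) -> dict:
    """Group query names by registered domain (last two labels; a public suffix list
    would be more accurate) and flag domains whose subdomains look like encoded data."""
    stats = defaultdict(lambda: {"unique": set(), "max_len": 0, "max_entropy": 0.0})
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare registered domain: nothing to hide data in
        st = stats[".".join(labels[-2:])]
        st["unique"].add(name)
        st["max_len"] = max(st["max_len"], len(labels[0]))
        st["max_entropy"] = max(st["max_entropy"], shannon_entropy(labels[0]))
    flagged = {}
    for domain, st in stats.items():
        if st["max_len"] >= min_len and st["max_entropy"] >= min_entropy:
            flagged[domain] = "long high-entropy label"
        elif len(st["unique"]) >= min_unique:
            flagged[domain] = "many unique subdomains"
    return flagged


def doh_clients(tls_log) -> dict:
    """DoH bypasses the resolver log, so map clients to known DoH servers via TLS SNI."""
    return {client: sni for client, sni in tls_log if sni.lower() in KNOWN_DOH_HOSTS}


# Constructed sample telemetry, not real logs.
BENIGN_QUERIES = ["www.example.com", "mail.example.com", "cdn.example.com",
                  "login.microsoftonline.com", "d1a2b3c4d5e6f7.cloudfront.net"]
TLS_LOG = [("10.0.0.7", "dns.google"), ("10.0.0.5", "www.example.com")]
SECRET = b"Confidential: Q3 merger plan, board only. Do not forward."

if __name__ == "__main__":
    queries = exfil_queries(SECRET, "attacker-domain.test")
    print(queries)
    print(decode_exfil(queries) == SECRET)
    print(detect_tunnels(BENIGN_QUERIES + queries), doh_clients(TLS_LOG))
```

The thresholds are starting points: CDN and anti-malware telemetry domains also produce long, high-entropy labels, so baseline per domain before alerting. The SNI check only catches DoH servers you already know about; since DoH is plain HTTPS, an attacker can also stand up their own endpoint, so pair the check with egress controls that only allow port 443 to approved resolvers.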

The same headache has plagued information security for 30 years: not an unknown threat. Ransomware has plagued the internet for three decades, so it is certainly not yesterday's threat. Despite this, people at companies of all sizes always seem equally surprised that intruders have managed to get into their systems and networks. In the end the victims are left with only two options: either rebuild their critical IT systems from scratch or pay the crooks a ransom to decrypt the data.

WastedLocker's techniques point to a familiar heritage. WastedLocker evades detection by performing most operations in memory, and shares several characteristics with a more well known ransomware family. It's a lot easier to change a ransomware's appearance (or obfuscate its code) than to change its underlying goals or behavior. After all, ransomware must necessarily reveal its intent when it strikes. But there are behavioral traits that ransomware routinely exhibits that security software can use to decide whether the program is malicious. Some traits, such as the successive encryption of documents, are hard for attackers to change.

Windows 10: HOSTS file blocking telemetry is now flagged as a risk. Starting at the end of July, Microsoft began detecting HOSTS files that block Windows 10 telemetry servers as a 'Severe' security risk. The HOSTS file is a text file located at C:\Windows\system32\drivers\etc\HOSTS and can only be edited by a program with Administrator privileges. This file is used to resolve hostnames to IP addresses without using the Domain Name System (DNS).

Leaky AWS S3 buckets are so common, they're being found by the thousands now, with lots of buried secrets. Misconfigured AWS S3 storage buckets exposing massive amounts of data to the internet are like an unexploded bomb just waiting to go off, say experts. The team at Truffle Security said its automated search tools were able to stumble across some 4,000 open Amazon-hosted S3 buckets that included data companies would not want public: things like login credentials, security keys, and API keys.
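
An added example (not from the Accurics or Truffle Security research) that turns the findings in this item and in the Accurics report above, public storage, wide-open security groups and credentials in container configuration, into offline checks. It works over the JSON shapes returned by the S3 GetBucketAcl and GetBucketPolicy calls and by EC2 DescribeSecurityGroups, plus a docker-compose file. All samples are constructed; the access key and secret are Amazon's published documentation placeholders, the sensitive-port list and regexes are deliberately small.

```python
"""Offline checks for public buckets, open security groups and embedded secrets (added example)."""
import re

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account
}
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?[^\s'\"]{6,}"),
}


def public_acl_grants(acl: dict) -> list:
    """(permission, group) for every grant to AllUsers/AuthenticatedUsers (GetBucketAcl shape)."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grant.get("Permission"), grantee["URI"].rsplit("/", 1)[-1]))
    return hits


def public_policy_statements(policy: dict) -> list:
    """(Sid, actions) for unconditional Allow statements with a wildcard principal."""
    hits = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict)
                                        and principal.get("AWS") in ("*", ["*"]))
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            actions = st.get("Action", [])
            hits.append((st.get("Sid", "<no sid>"), actions if isinstance(actions, list) else [actions]))
    return hits


def open_ingress(group: dict) -> list:
    """(group id, description) for rules exposing sensitive ports (or everything) to the world."""
    hits = []
    for rule in group.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        if rule.get("IpProtocol") == "-1":
            hits.append((group["GroupId"], "all protocols and ports"))
            continue
        low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        exposed = [name for port, name in SENSITIVE_PORTS.items() if low <= port <= high]
        if exposed:
            hits.append((group["GroupId"], f"{low}-{high}: {','.join(exposed)}"))
    return hits


def find_secrets(text: str) -> list:
    """(line number, pattern name) for credential-looking lines in a config file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


# Constructed samples in the shapes returned by the S3/EC2 APIs and a docker-compose
# file. The access key and secret are AWS's documentation placeholders, not live keys.
SAMPLE_ACL = {"Owner": {"ID": "abc"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "abc"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "CIOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]}
SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}
SAMPLE_COMPOSE = """\
services:
  api:
    image: example/api:1.0
    environment:
      - AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
      - AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      - POSTGRES_PASSWORD=hunter22
"""

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL), public_policy_statements(SAMPLE_POLICY))
    print(open_ingress(SAMPLE_SG), find_secrets(SAMPLE_COMPOSE))
```

Feed the functions the output of aws s3api get-bucket-acl, aws s3api get-bucket-policy (whose Policy field is a JSON string that needs json.loads first) and aws ec2 describe-security-groups. Port 443 open to the world is deliberately not flagged, since that is usually intended; the point is the management and database ports. Enabling S3 Block Public Access at the account level is the control that makes the first two checks moot.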

Vulnerable perimeter devices: a huge attack surface With the increase of critical gateway devices deployed to support off-premise work, companies across the world have to adapt to a new threat landscape where perimeter and remote access devices are now in the first line. Companies lack visibility into the growing network of internet-connected services and devices that support the new work paradigm; and the avalanche of vulnerabilities reported for edge devices make tackling the new security challenge even more difficult.

INTERPOL report shows alarming rate of cyberattacks during COVID-19. An INTERPOL assessment of the impact of COVID-19 on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure. With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.

Ransomware gang publishes tens of GBs of internal data from LG and Xerox The operators of the Maze ransomware have published today tens of GB of internal data from the networks of enterprise business giants LG and Xerox following two failed extortion attempts. The hackers leaked 50.2 GB they claim to have stolen from LG’s internal network, and 25.8 GB of Xerox data. While LG issued a generic statement to ZDNet in June, neither company wanted to talk about the incident in great depth today.

Hackers Could Use IoT Botnets to Manipulate Energy Markets. On a Friday morning in the fall of 2016, the Mirai botnet wreaked havoc on internet infrastructure, causing major website outages across the United States. It was a wakeup call, revealing the true damage that zombie armies of malware-infected gadgets could cause. Now, researchers at the Georgia Institute of Technology are thinking even farther afield about the unlikely targets that botnets could someday disrupt, such as energy markets.

FBI Warns on New E-Commerce Fraud A wave of new, fraudulent websites has popped up to take advantage of the rise in online shopping during the coronavirus pandemic. The FBI is warning of a new wave of fraudulent shopping websites, often advertised on social media platforms, that take orders for a wide range of products and then never deliver.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-03

EU imposes the first ever sanctions against cyber-attacks. The Council today decided to impose restrictive measures against six individuals and three entities responsible for or involved in various cyber-attacks. These include the attempted cyber-attack against the OPCW (Organisation for the Prohibition of Chemical Weapons) and those publicly known as 'WannaCry', 'NotPetya', and 'Operation Cloud Hopper'.

Launching a new version of Logging Made Easy (LME). The NCSC has launched version 0.3 of LME to make logging even easier with some enhanced features. We launched Logging Made Easy (LME) officially in April 2019, enabling hundreds of you to install a basic logging capability on your IT estate, detecting and protecting against cyber attack. Now, we're launching LME version 0.3. This release makes logging even easier, adding some enhanced features to the open source project.

Microsoft Joins Open Source Security Foundation. Microsoft has invested in the security of open source software for many years and today I'm excited to share that Microsoft is joining industry partners to create the Open Source Security Foundation (OpenSSF), a new cross-industry collaboration hosted at the Linux Foundation. The OpenSSF brings together work from the Linux Foundation-initiated Core Infrastructure Initiative (CII), the GitHub-initiated Open Source Security Coalition (OSSC), and other open source security efforts to improve the security of open source software by building a broader community, targeted initiatives, and best practices.

Build a Roadmap for Cyber Resilience. The current information security landscape is rapidly evolving. According to the latest research from IBM Security and the Ponemon Institute's 2020 Cyber Resilient Organization Report, 67% of organizations reported that the volume of attacks had significantly increased over the past 12 months. It's not just the number of attacks that grew; 64% of organizations also saw an increase in the severity of the attacks. Roughly 53% of responding organizations experienced a data breach involving more than 1,000 records within the last two years.

Powershell Bot with Multiple C2 Protocols. I spotted another interesting Powershell script. It's a bot and is delivered through a VBA macro that spawns an instance of msbuild.exe. This Windows tool is often used to compile/execute malicious code on the fly (I already wrote a diary about this technique). I don't have the original document but, based on a technique used in the macro, it is part of a Word document. It calls Document_ContentControlOnEnter.

Meetup Critical Flaws Allow Group Takeover, Payment Theft. A popular online social service, Meetup, has fixed several critical flaws in its website. If exploited, the flaws could have enabled attackers to hijack any Meetup group, access the group's member details and even redirect Meetup payments to an attacker-owned PayPal account. Meetup is a service with a user base of over 35 million users, used to organize online groups with events for people with similar interests. These events are either free, or participants can register for a fee using PayPal.

BlackBerry releases new security tool for reverse-engineering PE files. Today, at the Black Hat USA 2020 security conference, BlackBerry released a new tool for the cyber-security community. Named PE Tree, this is a new Python-based app for Linux, Mac, and Windows that can be used to reverse-engineer and analyze the internal structure of Portable Executable (PE) files, a common file format that malware authors have used to hide malicious payloads.
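
An added example of the kind of structural walk a tool like PE Tree automates (written for this page, not BlackBerry's code): a parser for the DOS header, COFF header and section table that applies the first checks an analyst reaches for, namely writable-and-executable sections, per-section entropy and overlay data past the last section. The input is a hand-built, non-loadable PE image constructed inline so that the example runs offline; its NOP-filled .text, byte-uniform W+X .data section and appended trailer are assumptions chosen to trigger each check.

```python
"""Minimal PE header/section parser with first-pass triage checks (added example)."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means uniform, typical of packed or encrypted data."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table; collect findings."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    sec_off = opt_off + opt_size                  # section table follows the optional header
    sections, findings, end_of_data = [], [], 0
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags) = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        raw = data[raw_ptr:raw_ptr + raw_size]
        wx = bool(flags & IMAGE_SCN_MEM_WRITE) and bool(flags & IMAGE_SCN_MEM_EXECUTE)
        ent = entropy(raw)
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_ptr": raw_ptr,
                         "raw_size": raw_size, "entropy": ent, "wx": wx})
        end_of_data = max(end_of_data, raw_ptr + raw_size)
        if wx:
            findings.append(f"{name}: writable and executable")
        if ent > 7.0:
            findings.append(f"{name}: high entropy ({ent:.2f}), possibly packed")
        if raw_size == 0 and vsize > 0:
            findings.append(f"{name}: no raw data but {vsize:#x} bytes virtual (unpacked at runtime?)")
    overlay = len(data) - end_of_data if len(data) > end_of_data else 0
    if overlay:
        findings.append(f"{overlay} bytes of overlay after the last section")
    return {"machine": machine, "timestamp": timestamp, "pe32plus": magic == 0x20B,
            "characteristics": characteristics, "sections": sections,
            "overlay_size": overlay, "findings": findings}


def build_sample_pe() -> bytes:
    """Hand-built, non-loadable PE image constructed for this example: a NOP-filled
    .text section, a W+X .data section of byte-uniform data, and appended trailer bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x0102)  # i386, 2 sections, 96-byte opt hdr
    opt = struct.pack("<H", 0x10B) + bytes(94)                     # PE32 magic, rest zeroed
    text_raw = b"\x90" * 0x200
    data_raw = bytes(range(256)) * 2
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sec
    headers += bytes(0x200 - len(headers))                          # pad headers to first section
    return headers + text_raw + data_raw + b"APPENDED-PAYLOAD"


if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:8} va={s['va']:#07x} raw={s['raw_size']:#06x} "
              f"entropy={s['entropy']:.2f} wx={s['wx']}")
    print(*report["findings"], sep="\n")
```

The same walk extends naturally to the data directories (imports, resources, the Authenticode certificate table) that PE Tree also renders; the overlay check in particular is worth keeping, since bytes past the last section are where droppers commonly stash a second-stage payload.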

Netwalker ransomware earned $25 million in just five months. The Netwalker ransomware operation has generated a total of $25 million in ransom payments since March 1st according to a new report by McAfee. Netwalker is a Ransomware-as-a-Service (RaaS) operation that began operating in late 2019, where affiliates are enlisted to distribute the ransomware and infect victims in return for a 60-70% cut of ransom payments. Known as a human-operated, or enterprise-targeting, ransomware, Netwalker affiliates will hack into an organization's network and quietly gain control.

Netgear Won't Patch 45 Router Models Vulnerable to Serious Flaw. Almost two months after a high-severity flaw was disclosed, and seven months after it was first reported, Netgear has yet to issue fixes for 45 of its router models. The remote code execution vulnerability in question, which was disclosed June 15, allows network-adjacent attackers to bypass authentication on vulnerable Netgear routers.

CISA, DOD, FBI expose new Chinese malware strain named Taidoor Three agencies of the US government have published today a joint alert on Taidoor, a new strain of malware that has been used during recent security breaches by Chinese government hackers. The alert has been authored by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), the Department of Defense’s Cyber Command (CyberCom), and the Federal Bureau of Investigation (FBI). Also:

‘We stopped ransomware’ boasts Blackbaud CEO. And by ‘stopped’ he means ‘got insurance to pay off crooks’ “We discovered and stopped a sophisticated attempted ransomware attack,” Blackbaud CEO Michael Gianoni has told financial analysts, failing to mention that the company simply paid off criminal extortionists to end the attack. Speaking on the US cloud CRM provider’s Q2 FY2020 earnings call late on Friday, Gianoni said: “Like a lot of companies, we get millions of intrusion attempts a month and unfortunately one got into a subset of our customers and a subset of our backup environment.”

Ransomware: Your biggest security headache refuses to go away Ransomware has been around for more than three decades, so it’s hardly an unexpected threat. And yet, organisations large and small are still being taken completely by surprise by the file-encrypting malware, leaving them to decide between rebuilding many of their computer systems from scratch to rid themselves of the ransomware or paying up to the crooks in the hope that they will hand over the encryption keys.

Ransomware is, according to authorities, one of the worst threats to the US elections: “Attempts almost daily” According to US federal authorities, the worst threats to voting in the November presidential election include well-timed malware attacks that could paralyze voting. In a ransomware attack, the hacker can, among other things, block access to the data on the target's hard drive by encrypting it. The decryption key is typically obtained from the hacker only after a payment, delivered in Bitcoin, that can be worth millions.

The Biggest Challenges and Best Practices to Mitigate Risks in Maritime Cybersecurity Ships are increasingly using systems that rely on digitalization, integration, and automation, which call for cyber risk management on board. As technology continues to develop, the convergence of information technology (IT) and operational technology (OT) onboard ships and their connection to the Internet creates an increased attack surface that needs to be addressed.

Falsification and eavesdropping of contents across multiple websites via Web Rehosting services Researchers at NTT Secure Platform Laboratories and Waseda University have identified multiple security issues that lead to content being tampered with and eavesdropped on via a class of service called Web Rehosting. These issues have been published at NDSS 2020. “Web Rehosting” is the name of a group of web services proposed in this study, which retrieve content from a user-specified website and host it again on their own server. If a web rehosting service does not take measures against the attacks listed in this advisory, there is a risk that some of the browser resources of its users may be manipulated by an attacker, resulting in a security and privacy violation.

Newsletter plugin bugs let hackers inject backdoors on 300K sites Owners of WordPress sites who use the Newsletter plugin are advised to update their installations to block attacks that could use a now-fixed vulnerability allowing hackers to inject backdoors, create rogue admins, and potentially take over their websites. The vulnerability was found in the Newsletter WordPress plugin, which provides the tools needed to create responsive newsletter and email marketing campaigns on WordPress blogs using a visual composer.

NCSC-FI News followup

Daily NCSC-FI news followup 2020-08-02

Telstra DNS falls over after denial of service attack Customers with Telstra’s default DNS settings found themselves seemingly unable to access the internet on Sunday morning, as the telco was facing a denial of service attack. The attack kicked off some time before 10:30am on the Australian east coast. “Some of our Domain Name Servers (DNS) used to route your traffic online are experiencing a cyber attack, known as a Denial of Service (DoS),” Telstra said on Twitter just before noon.

Maritime cyberattacks are exploding out of control, and antivirus does not help; extortion leverage could include dumping cargo oil into the sea Maritime operational systems have quickly become a fashionable target for cybercriminals. Some companies in the sector lull themselves into a false sense of security instead of learning to protect even the right targets. Since 2017, the number of security incidents at ports and shipping companies has climbed a staggering 900 percent. By the end of the year records will be broken again, warns Naval Dome, an Israeli company specializing in maritime security.

Havenly discloses data breach after 1.3M accounts leaked online Havenly, a US-based interior design web site, has disclosed a data breach after a hacker posted a database containing 1.3 million user records for free on a hacker forum. Havenly is an online interior design and home decoration site where users can get help designing a room in their house from certified designers. Last week, BleepingComputer reported that the ShinyHunters hacking group had leaked the databases for 18 companies on a hacker forum for free. These databases contained a combined total of 386 million user records.

Incognito Mode May Not Work the Way You Think It Does NO MATTER WHICH browser you prefer (Chrome, Firefox, Edge, Safari, Opera, or any of the others), it will almost certainly offer an incognito or private mode, one which ostensibly keeps your web browsing secret. (Google Chrome still shows a hat-and-glasses icon when you go incognito, as if you’re now in disguise.) Incognito or private mode does indeed keep certain aspects of your browsing private, but it’s important to be aware of what it hides and erases from your computer or phone, and what it doesn’t.

Microsoft has the highest rate of zero-days detected in the wild, but not all is as it seems When zero-day vulnerabilities are discovered, direct disclosure to vendors usually results in rapid patch development. However, not every hacker wears a white hat, and in some cases security flaws may be actively exploited for criminal or financial gain. Alternatively, as in the case of the US National Security Agency’s EternalBlue exploit, these high-value, unpatched vulnerabilities may be reserved for government surveillance and other covert purposes.