This post collects cyber security news for October 2020.
I post links to security vulnerability news with short descriptions in the comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links in the comments.
249 Comments
Tomi Engdahl says:
The Vastaamo data breach is a major disaster of the digital world,
but where are the church services and the crisis hotline?
https://www.hs.fi/kotimaa/art-2000006698776.html
The leak of the patient data of hundreds, even thousands, of people hits
a particularly vulnerable group. Few are helping, because few
understand the seriousness of the situation. Mental injuries and a digital environment
are no excuse for failing to organize the help the victims need,
writes foreign correspondent Laura Halminen, who specializes in information security.
Interior Minister Ohisalo: The victims of the Vastaamo data breach need
help urgently
https://www.is.fi/digitoday/tietoturva/art-2000006698870.html
INTERIOR MINISTER Maria Ohisalo says the victims of the Psychotherapy Center Vastaamo
data breach need help urgently. She commented on the situation
on Twitter on Saturday evening. – The victims of the Vastaamo data breach
urgently need help and support. I have discussed the matter with the ministers
of the Ministry of Social Affairs and Health (STM), and the authorities are now looking into
broader possibilities for offering rapid support, Ohisalo tweeted.
Tomi Engdahl says:
F-Secure’s Hyppönen on the blackmail of Vastaamo’s customers:
An exceptional case even by international standards
https://yle.fi/uutiset/3-11612224
Mikko Hyppönen, Chief Research Officer at the security company F-Secure, says that
the extortion messages received by Vastaamo’s customers are exceptional
even by international standards. – I am not aware of a single case anywhere
in the world where patient data has been exploited this brazenly,
Hyppönen tells Yle.
Tomi Engdahl says:
Editorial: The ruthless Vastaamo data breach is an attack on the Finnish information society – the age of blue-eyed innocence is over https://www.is.fi/paakirjoitus/art-2000006699383.html
Tomi Engdahl says:
The hacker or hackers may have struck sensitive customer data twice in 2018 and 2019. Unscrupulous crime is systematic, carefully planned, and unique on a global scale when it comes to stealing an individual’s health information. The hacker demanded ransom money from the center as bitcoins. When it was not agreed, ransom demands and outright blackmail were directed at individual customers on Saturday. Indeed, many have received a blackmail letter: if money does not drop, the information will go online.
Source:
Editorial: The ruthless Vastaamo data breach is an attack on the Finnish information society – the age of blue-eyed innocence is over https://www.is.fi/paakirjoitus/art-2000006699383.html
Tomi Engdahl says:
F-Secure’s Hyppönen on Vastaamo’s hacking: “Most likely, an attacker has used automated tools to look for vulnerable services”
Hyppönen believes that Vastaamo was the target of a data breach by accident.
Mikko Hyppönen, Research Director of the security company F-Secure, considers the hacking of the Psychotherapy Center Vastaamo to be exceptional.
“Until now, professional criminals have sought to break into financial institutions, above all, or have tried to fish for credit card numbers. This is the first time subject to medical records. In the past, they have not interested criminals,” says Hyppönen.
He said criminals have decided that sensitive health information may be of interest. Health information is available in a great many systems. It is possible that some systems are vulnerable.
Hyppönen believes that Vastaamo was the target of a data breach by accident.
“Most likely, the attacker has used automated tools to look for vulnerable services. For example, a machine can tap thousands of login attempts per minute. Sooner or later, weakly protected services will be found,” says Hyppönen.
F-Secure’s Hyppönen on the Vastaamo data breach: “Most likely the attacker has used automated tools to look for vulnerable services”
https://www.tivi.fi/uutiset/f-securen-hypponen-vastaamon-tietomurrosta-todennakoisimmin-hyokkaaja-on-automaattityokaluilla-etsinyt-haavoittuvia-palveluita/5e1f0b1f-b981-47f7-a622-a596366b208e
Tomi Engdahl says:
Link Previews in Chat Apps Pose Privacy, Security Issues: Researchers
https://www.securityweek.com/link-previews-chat-apps-pose-privacy-security-issues-researchers
An analysis of the manner in which popular chat applications handle link previews has revealed several privacy and security issues, including some that still need addressing, security researchers warn.
Link previews provide users with information on what a link received in chat would lead them to, regardless of whether it is a file or a web page.
However, link previews can be abused for nefarious purposes, and security researchers Talal Haj Bakry and Tommy Mysk claim to have identified several cases in which popular chat apps for iOS and Android fail to provide their users with the necessary protections against such abuses.
Tomi Engdahl says:
IT Services Giant Sopra Steria Hit by Ransomware
https://www.securityweek.com/it-services-giant-sopra-steria-hit-ransomware
Tomi Engdahl says:
US Insists on Need to Ban TikTok
https://www.securityweek.com/us-insists-need-ban-tiktok
US President Donald Trump’s administration has insisted on the need to ban TikTok due to national security concerns in a new court filing ahead of a plan to make the video app unavailable on November 12.
Tomi Engdahl says:
Palo Alto Networks Threatens Legal Action Over Product Comparison
https://www.securityweek.com/palo-alto-networks-threatens-legal-action-over-product-comparison
Palo Alto Networks has threatened legal action against cloud visibility solutions provider Orca Security after the latter published a video comparing products from the two companies.
The issue was made public last week in a blog post written by Avi Shua, co-founder and CEO of Orca Security. The video made by Orca in August, which is still available on YouTube, is described as a “detailed competitive comparison” between Orca Security’s platform and Palo Alto Networks’ Prisma Cloud product.
Tomi Engdahl says:
Major data breach at a security company uncovered in Sweden
DN: Major data breach at a Swedish security company; among other things, bank vault drawings have been leaked online
https://www.hs.fi/ulkomaat/art-2000006700788.html
According to the newspaper, the entire 19-gigabyte data set has been leaked online.
A SWEDISH, internationally operating security company has suffered a major data breach in which, for example, bank vault drawings and descriptions of alarm systems have been leaked online, reports the newspaper Dagens Nyheter (DN).
The Gunnebo Group, headquartered in Gothenburg, was the target of a cyberattack in August. The company announced this at the time in a press release.
According to the company, it was an “organized IT attack” on its servers.
The company said it had reported the incident to the Swedish Security Service Säpo, because it suspected an attempt at industrial espionage. The company’s press release does not say that the attack succeeded in breaking into the servers and stealing data.
NOW, however, DN reports that a very large amount of data was taken in the August breach. According to the newspaper, the entire 19-gigabyte data set has since been published on the open internet.
The newspaper says it has seen an extortion message that describes the theft of the data and threatens to publish it unless Gunnebo contacts the criminals. According to DN, the extortionists said they had, for example, financial information, data about customers and staff, software source code and passwords.
GUNNEBO sells security-related products, services and solutions. The company specializes mainly in physical security, such as access control, cash handling systems and safes.
Tomi Engdahl says:
Enel Group hit by ransomware again, Netwalker demands $14 million
https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/
Multinational energy company Enel Group has been hit by a ransomware
attack for the second time this year. This time by Netwalker, who is
asking a $14 million ransom for the decryption key and to not release
several terabytes of stolen data. Enel is one of the largest players
in the European energy sector, with more than 61 million customers in
40 countries. As of August 10, it ranks 87 in Fortune Global 500, with
a revenue of almost $90 billion in 2019.
Tomi Engdahl says:
Steelcase furniture giant hit by Ryuk ransomware attack
https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/
Office furniture giant Steelcase has suffered a ransomware attack that
forced them to shut down their network to contain the attack’s spread.
Steelcase is the largest office furniture manufacturer globally, with
13,000 employees and $3.7 billion in 2020.
Tomi Engdahl says:
Insikt Group Discovers Global Credential Harvesting Campaign Using
FiercePhish Open Source Framework
https://www.recordedfuture.com/fiercephish-credential-harvesting-campaign/
Recorded Future’s Insikt Group discovered a wide-reaching phishing
campaign utilizing the FiercePhish open source offensive phishing
framework.
Tomi Engdahl says:
https://www.securityweek.com/trump-campaign-website-broken-hackers
Tomi Engdahl says:
21 Malicious Apps Downloaded 8 Million Times From Google Play
https://www.securityweek.com/21-malicious-apps-downloaded-8-million-times-google-play
Tomi Engdahl says:
New Windows 10 Remote Hacking Threat Confirmed—Homeland Security Says Update Now
https://www.forbes.com/sites/daveywinder/2020/10/18/new-windows-10-remote-hacking-threat-confirmed-homeland-security-says-update-now/
Tomi Engdahl says:
3 TB of Private Webcam/Home Security Video Leaked on Porn Sites
https://yro.slashdot.org/story/20/10/18/1850229/3-tb-of-private-webcamhome-security-video-leaked-on-porn-sites?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
A hacking group that has yet to identify itself found and stole more than 3 TB of private video from around the world — mainly collected from Singapore — and shared it on porn sites, according to reports from local media like The New Paper. While some of the footage was indeed pornographic in nature, other videos are more mundane.
More than 50,000 private IP-based cameras were accessed by hackers to amass the collection. Some were explicitly tagged with locations in Singapore, The New Paper reports, while others revealed their location as Singapore based on context clues such as book titles and home layout. Many show people (sometimes with their faces censored) in “various stages of undress or compromising positions….”
https://www.inputmag.com/culture/hackers-leaked-tons-of-webcam-home-security-footage-on-porn-sites
Singapore home cams hacked and stolen footage sold on pornographic sites
Group behind hacking claims it has shared 3TB worth of clips with subscribers who paid $200 for its service
https://www.tnp.sg/news/singapore/hackers-hawk-explicit-videos-taken-spore-home-cams
Tomi Engdahl says:
Three npm Packages Opened Remote-Access Shells on Linux and Windows Systems
https://it.slashdot.org/story/20/10/18/2321208/three-npm-packages-opened-remote-access-shells-on-linux-and-windows-systems?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Three npm packages found opening shells on Linux, Windows systems
NPM staff: Any computer that has this package installed or running should be considered fully compromised.
https://www.zdnet.com/article/three-npm-packages-found-opening-shells-on-linux-windows-systems/
Three JavaScript packages have been removed from the npm portal on Thursday for containing malicious code.
According to advisories from the npm security team, the three JavaScript libraries opened shells on the computers of developers who imported the packages into their projects.
Tomi Engdahl says:
FBI warns ransomware assault threatens US healthcare system
https://apnews.com/article/politics-crime-elections-presidential-elections-548634f03e71a830811d291401651610
Federal agencies warned that cybercriminals are unleashing a wave of data-scrambling extortion attempts against the U.S. healthcare system designed to lock up hospital information systems, which could hurt patient care just as nationwide cases of COVID-19 are spiking.
The cyberattacks involve ransomware, which scrambles data into gibberish that can only be unlocked with software keys provided once targets pay up. Independent security experts say it has already hobbled at least five U.S. hospitals this week, and could potentially impact hundreds more.
The offensive by a Russian-speaking criminal gang coincides with the U.S. presidential election, although there is no immediate indication they were motivated by anything but profit. “We are experiencing the most significant cyber security threat we’ve ever seen in the United States,” Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant, said in a statement.
Tomi Engdahl says:
In a first, researchers extract secret key used to encrypt Intel CPU code
Hackers can now reverse engineer updates or write their own custom firmware.
https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/
Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured.
The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update may allow hackers to reverse engineer it and learn precisely how to exploit the hole it’s patching. The key may also allow parties other than Intel—say a malicious hacker or a hobbyist—to update chips with their own microcode, although that customized version wouldn’t survive a reboot.
“At the moment, it is quite difficult to assess the security impact,” independent researcher Maxim Goryachy said in a direct message. “But in any case, this is the first time in the history of Intel processors when you can execute your microcode inside and analyze the updates.”
Tomi Engdahl says:
Alert (AA20-302A)
Ransomware Activity Targeting the Healthcare and Public Health Sector
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
Tomi Engdahl says:
I think we have to assume that commercial (especially non- open source) products are NSA compromised
The NSA is Refusing to Disclose its Policy on Backdooring Commercial Products
https://www.schneier.com/blog/archives/2020/10/the-nsa-is-refusing-to-disclose-its-policy-on-backdooring-commercial-products.html
Senator Ron Wyden asked, and the NSA didn’t answer:
Tomi Engdahl says:
Scammers are spoofing bank phone numbers to rob victims
https://blog.malwarebytes.com/social-engineering/2020/10/scammers-are-spoofing-bank-phone-numbers-to-rob-victims/
It can be a very convincing trick: “You can check the number in your
display online sir. You’ll see I’m really calling from your bank.”
That is, of course, if you are unaware that phone numbers can be
spoofed.
Tomi Engdahl says:
TrickBot Linux Variants Active in the Wild Despite Recent Takedown
https://thehackernews.com/2020/10/trickbot-linux-variants-active-in-wild.html
Efforts to disrupt TrickBot may have shut down most of its critical
infrastructure, but the operators behind the notorious malware aren’t
sitting idle. According to new findings shared by cybersecurity firm
Netscout, TrickBot’s authors have moved portions of their code to
Linux in an attempt to widen the scope of victims that could be
targeted. Also: https://www.netscout.com/blog/asert/dropping-anchor
Tomi Engdahl says:
Turla uses HyperStack, Carbon, and Kazuar to compromise government
entity
https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
Accenture Cyber Threat Intelligence researchers identified a Turla
compromise of a European government organization. During this
compromise Turla utilized a combination of remote procedure call
(RPC)-based backdoors, such as HyperStack and remote administration
trojans (RATs), such as Kazuar and Carbon, which ACTI researchers
analyzed between June and October 2020. The RATs transmit the command
execution results and exfiltrate data from the victim’s network while
the RPC-based backdoors use the RPC protocol to perform lateral
movement and issue and receive commands on other machines in the local
network. These tools often include several layers of obfuscation and
defense evasion techniques.
Tomi Engdahl says:
Cyberattacks target international conference attendees
https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
Today, we’re sharing that we have detected and worked to stop a series
of cyberattacks from the threat actor Phosphorous masquerading as
conference organizers to target more than 100 high-profile
individuals. Phosphorus, an Iranian actor, has targeted with this
scheme potential attendees of the upcoming Munich Security Conference
and the Think 20 (T20) Summit in Saudi Arabia. The Munich Security
Conference is the most important gathering on the topic of security
for heads of state and other world leaders, and it has been held
annually for nearly 60 years. Likewise, T20 is a highly visible event
that shapes policy ideas for the G20 nations and informs their
critical discussions.
Tomi Engdahl says:
Fake COVID-19 survey hides ransomware in Canadian university attack
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/
On October 19, we identified a new phishing document targeting staff
at the University of British Columbia (UBC) with a fake COVID-19
survey. However, this attack and motives are different than the ones
previously documented. The survey is a malicious Word document whose
purpose is to download ransomware and extort victims to recover their
encrypted files.
Tomi Engdahl says:
Trump’s official campaign website vandalized by hackers who ‘had
enough of the President’s fake news’
https://www.theregister.com/2020/10/28/trump_website_hacked/
Well, that narrows down the list of suspects to just a few billion
people
Tomi Engdahl says:
EXCLUSIVE: Medical Records of 3.5 Million U.S. Patients Can be Accessed and Manipulated by Anyone
https://www.securityweek.com/exclusive-medical-records-35-million-us-patients-can-be-accessed-and-manipulated-anyone
More Than 2 Petabytes of Unprotected Medical Data Found on Picture Archiving and Communication System (PACS) Servers
The results of 13 million medical examinations relating to around 3.5 million U.S. patients are unprotected and available to anyone on the internet, SecurityWeek has learned. This is despite the third week of this year’s National Cybersecurity Awareness Month (week beginning 19 October 2020) majoring on ‘Securing Internet-Connected Devices in Healthcare’.
The details were disclosed to SecurityWeek by Dirk Schrader, global vice president at New Net Technologies (NNT — a security and compliance software firm headquartered in Naples, Florida). He demonstrated that the records can be accessed via an app that can be downloaded from the internet by anyone. The records found are in files that are still actively updated, and provide three separate threats: personal identity theft (including the more valuable medical identity theft), personal extortion, and healthcare company breaches.
Schrader examined a range of radiology systems that include an image archive system — PACS, or picture archiving and communication system. These contain not only imagery but metadata about individual patients. The metadata includes the name, date of birth, date and reason for the medical examination, and more. Within a hospital, the imaging systems (X-rays, MRIs etc) are also stored in the PACS. The treating physician needs ready access to the images to confirm the current treatment. Schrader simply used Shodan to locate systems using the DICOM medical protocol. Individual unprotected PACS systems within the return of 3,000 servers were located manually. One, for example, contained the results of over 800,000 medical examinations, probably relating to about 250,000 different patients.
Tomi Engdahl says:
Christopher Bing / Reuters:
Cybersecurity experts say FBI is investigating Ryuk ransomware attacks on more than two dozen US hospitals, and officials warned hospitals to back up systems — WASHINGTON (Reuters) – The FBI is investigating the recent targeting with ransomware of more than two dozen hospitals across …
Building wave of ransomware attacks strike U.S. hospitals
https://www.reuters.com/article/us-usa-healthcare-cyber-idUSKBN27D35U
Eastern European criminals are targeting dozens of U.S. hospitals with ransomware, and federal officials on Wednesday urged healthcare facilities to beef up preparations rapidly in case they are next.
Tomi Engdahl says:
Probably woulda escaped notice except they went pretty big.
Phishing Attack of Wisconsin GOP Leads to Theft of Millions Intended for Trump’s Reelection Campaign
https://www.newsweek.com/phishing-attack-wisconsin-gop-leads-theft-millions-intended-trumps-reelection-campaign-1543272
FBI investigation is underway after the Republican Party of Wisconsin (RPW) reported that $2.3 million had been stolen from an account that was meant to help reelect President Donald Trump.
Andrew Hitt, the RPW chairman said that hackers entered the system in “a sophisticated phishing attack,” in a statement given to Newsweek. “These criminals exhibited a level of familiarity with state party operations at the end of the campaign to commit this crime.”
Tomi Engdahl says:
Ransomware Activity Targeting the Healthcare and Public Health Sector
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
Tomi Engdahl says:
FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against
U.S. Hospitals
https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/
On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a
reliable source that an aggressive Russian cybercriminal gang known
for deploying ransomware was preparing to disrupt information
technology systems at hundreds of hospitals, clinics and medical care
facilities across the United States. Today, officials from the FBI and
the U.S. Department of Homeland Security hastily assembled a
conference call with healthcare industry executives warning about an
“imminent cybercrime threat to U.S. hospitals and healthcare
providers.” Also:
https://www.wired.com/story/ransomware-hospitals-ryuk-trickbot/
Tomi Engdahl says:
Emotet campaign used parked domains to deliver malware payloads
https://www.bleepingcomputer.com/news/security/emotet-campaign-used-parked-domains-to-deliver-malware-payloads/
Researchers tracking malicious use of parked domains have spotted the
Emotet botnet using such domains to deliver malware payloads as part
of a large scale phishing campaign. Out of 6 million newly parked
domains detected as parked between March and September 2020 by Palo
Alto Networks, roughly 1% started being used as part of malware or
phishing campaigns. “Often, the parking services and the advertisement
networks do not have the means or willingness to filter abusive
advertisers (i.e. attackers),” Palo Alto Networks said. “Therefore, users
are exposed to various threats, such as malware distribution,
potentially unwanted program (PUP) distribution, and phishing scams.”
Also: Domain Parking: A Gateway to Attackers Spreading Emotet and
Impersonating McAfee -
https://unit42.paloaltonetworks.com/domain-parking/
Buer Loader “malware-as-a-service” joins Emotet for ransomware
delivery
https://nakedsecurity.sophos.com/2020/10/29/buer-loader-malware-as-a-service-joins-emotet-for-ransomware-delivery/
One example of an up-and-coming malware delivery network is Buer
Loader, profiled this week in a detailed report from SophosLabs.
Briefly summarised, Buer is a way to create a self-managed zombie
network of your own, for example to launch remote attacks with your
latest ransomware which you could, of course, buy in from someone else
in the cybercrime ecosystem. Also: Hacks for sale: inside the Buer
Loader malware-as-a-service -
https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/
Tomi Engdahl says:
DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread
https://blog.talosintelligence.com/2020/10/donot-firestarter.html
The newly discovered Firestarter malware uses Google Firebase Cloud
Messaging to notify its authors of the final payload location. Even if
the command and control (C2) is taken down, the DoNot team can still
redirect the malware to another C2 using Google infrastructure. The
approach in the final payload upload denotes a highly personalized
targeting policy.
Tomi Engdahl says:
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
Throughout 2020, ransomware activity has become increasingly prolific,
relying on an ecosystem of distinct but co-enabling operations to gain
access to targets of interest before conducting extortion. Mandiant
Threat Intelligence has tracked several loader and backdoor campaigns
that lead to the post-compromise deployment of ransomware, sometimes
within 24 hours of initial compromise. Effective and fast detection of
these campaigns is key to mitigating this threat. The malware families
enabling these attacks previously reported by Mandiant to intelligence
subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and
WINEKEY/CORKBOT. Other security researchers have tracked these malware
families under the names BazarLoader and BazarBackdoor or Team9.
Tomi Engdahl says:
Maze ransomware is shutting down its cybercrime operation
https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/
The Maze cybercrime gang is shutting down its operations after rising
to become one of the most prominent players performing ransomware
attacks. When BleepingComputer reached out to Maze to confirm if they
were shutting down, we were told, “You should wait for the press
release.” BleepingComputer has learned that many Maze affiliates have
switched over to a new ransomware operation called Egregor.
Tomi Engdahl says:
Health sector mobilizes defenses following Ryuk ransomware warning
https://www.cyberscoop.com/health-care-ransomware-ryuk-hospitals/
Tomi Engdahl says:
European ransomware group strikes US hospital networks, analysts warn
https://www.cyberscoop.com/ransomware-hospitals-ryuk-fireeye/
An Eastern European cybercriminal group has conducted ransomware attacks at multiple U.S. hospitals in recent days in some of the most disruptive cyber-activity in the sector during the coronavirus pandemic, cybersecurity company FireEye said Wednesday.
The group, which FireEye calls UNC1878, has been deploying Ryuk ransomware and taking multiple hospital IT networks offline, said Charles Carmakal, senior vice president of Mandiant, FireEye’s incident response arm.
“UNC1878 is one of most brazen, heartless and disruptive threat actors I’ve observed over my career,” Carmakal said. The group’s activity “is deliberately targeting and disrupting U.S. hospitals, forcing them to divert patients to other healthcare providers,” he said.
The company did not detail any specific attacks, or the timing of the activity it says it observed.
Tomi Engdahl says:
Why the extortion of Vastaamo matters far beyond Finland — and how cyber pros are responding
https://www.cyberscoop.com/finland-vastaamo-hack-response/
Tomi Engdahl says:
Microsoft said on Wednesday that it detected and worked to stop a series of cyberattacks from the threat actor Phosphorous masquerading as conference organizers to target more than 100 high-profile individuals.
Iran-linked actor targeted international security conference, Microsoft says
https://cybernews.com/news/microsoft-detects-cyberattacks-from-iran-linked-actor/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=microsoft_cyberattacks&fbclid=IwAR1i5kAs7lOTAUOxPZw8oNVYQAlelMpvaeCvhyv1rj3JGqHpJf3zTxJ3wFI
Tomi Engdahl says:
Google reveals a new Windows zero-day bug it says is under active attack
https://techcrunch.com/2020/10/30/google-microsoft-windows-bug-attack/?tpcc=ECFB2020&fbclid=IwAR1aUOaNGGnKLhDwgzuzrJs5a5NjCjD9QuBJIvcuV74c5ZrdhtqONBz-fUc
Tomi Engdahl says:
New Attack Exfiltrates Sensitive Data From Voice Assistants Using “Inaudible” Telephone Calls
https://www.hackster.io/news/new-attack-exfiltrates-sensitive-data-from-voice-assistants-using-inaudible-telephone-calls-38c750dd5ae4
By encoding data as DTMF tones and then modulating them to inaudible frequencies, an Alexa becomes an unwitting carrier for stolen data.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hpe-fixes-maximum-severity-remote-auth-bypass-bug-in-ssmc-console/
Tomi Engdahl says:
Vandana Verma: why do we need psychologists in the infosecurity?
https://cybernews.com/editorial/vandana-verma-why-do-we-need-psychologists-in-the-infosecurity/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=vandana_verma&fbclid=IwAR2T6btdBFPMghjKR3Nm0B6Ip601_ogTRGro_ELdl0-vs4Hkr7Ala3klAq0
Vandana Verma, an IBM security architect, believes in diversity in the infosecurity field. By diversity, she means including not only more women but also people of different races, ages, or educational backgrounds, as well as people with disabilities.
“Growing up, I didn’t know that cybersecurity was a career,” Vandana Verma once said. Now, she is an IBM security engineer, founder of InfosecGirls, the only woman on The OWASP Foundation Global Board, and a keynote speaker at various conferences.
Tomi Engdahl says:
Over 100,000 machines remain vulnerable to SMBGhost exploitation
https://www.welivesecurity.com/2020/10/29/over-100000-machines-remain-vulnerable-smbghost-exploitation/
The patch for the critical flaw that allows malware to spread across machines without any user interaction was released months ago
Although Microsoft issued a patch for the critical SMBGhost vulnerability in the Server Message Block (SMB) protocol back in March, over 100,000 machines remain susceptible to attacks exploiting the flaw. This wormable Remote Code Execution (RCE) vulnerability could allow black hats to spread malware across machines without any need for user interaction.
The severity of the bug affecting Windows 10 and Windows Server (versions 1903 and 1909) should have convinced everybody to patch their machines immediately. However, according to Jan Kopriva, who disclosed his findings on the SANS ISC Infosec Forums, that doesn’t seem to be the case.
Tomi Engdahl says:
Google’s Project Zero discloses Windows 0day that’s been under active exploit
Security flaw lets attackers escape sandboxes designed to contain malicious code.
https://arstechnica.com/information-technology/2020/10/googles-project-zero-discloses-windows-0day-thats-been-under-active-exploit/
Tomi Engdahl says:
https://news.sophos.com/en-us/2020/10/13/top-reason-to-apply-october-2020s-microsoft-patches-ping-of-death-redux/