Cyber Security News October 2020

This posting is here to collect cyber security news October 2020.

I post links to security vulnerability news with short descriptions to comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.

cybergedeon_flame_color

249 Comments

  1. Tomi Engdahl says:

    Vastaamon tietomurto on sähköisen maailman suuronnettomuustilanne,
    mutta missä ovat jumalanpalvelukset ja kriisipäivystys?
    https://www.hs.fi/kotimaa/art-2000006698776.html
    Satojen, jopa tuhansien ihmisten potilastietojen vuotaminen osuu
    erityisen herkkään kohderyhmään. Vain harva auttaa koska vain harva
    ymmärtää tilanteen vakavuutta. Mielen vauriot ja sähköinen ympäristö
    eivät kelpaa tekosyyksi jättää uhrien tarvitsemaa apua järjestämättä,
    kirjoittaa tietoturvaan perehtynyt ulkomaantoimittaja Laura Halminen.

    Sisäministeri Ohisalo: Vastaamon tietomurron uhrit tarvitsevat
    pikaisesti apua
    https://www.is.fi/digitoday/tietoturva/art-2000006698870.html
    SISÄMINISTERI Maria Ohisalon mukaan Psykoterapiakeskus Vastaamon
    tietomurron uhrit tarvitsevat pikaisesti apua. Hän otti tilanteeseen
    kantaa Twitterissä lauantaina illalla. – Vastaamon tietomurron uhrit
    tarvitsevat kiireesti apua ja tukea. Olen keskustellut asiasta STM:n
    ministerien kanssa ja viranomaiset selvittävät nyt pikaisen tuen
    tarjoamisen laajempia mahdollisuuksia, Ohisalo twiittasi.

    Reply
  2. Tomi Engdahl says:

    F-Securen Hyppönen Vastaamon asiakkaiden kiristämisestä:
    Kansainvälisestikin poikkeuksellinen tapaus
    https://yle.fi/uutiset/3-11612224
    Tietoturvayhtiö F-Securen tutkimusjohtaja Mikko Hyppönen sanoo, että
    Vastaamon asiakkaiden saamat kiristysviestit ovat kansainvälisestikin
    poikkeuksellisia. – Minulla ei ole tiedossa yhtään tapausta mistään
    päin maailmaa, että näin törkeästi olisi käytetty hyväksi
    potilastietoja, Hyppönen sanoo Ylelle.

    Reply
  3. Tomi Engdahl says:

    Pääkirjoitus: Häikäilemätön Vastaamo-tietomurto on hyökkäys suomalaista tietoyhteiskuntaa vastaan – sinisilmäisen viattomuuden aika on ohi https://www.is.fi/paakirjoitus/art-2000006699383.html

    Reply
  4. Tomi Engdahl says:

    The hacker or hackers may have struck sensitive customer data twice in 2018 and 2019. Unscrupulous crime is systematic, carefully planned, and unique on a global scale when it comes to stealing an individual’s health information. The hacker demanded ransom money from the center as bitcoins. When it was not agreed, ransom demands and outright blackmail were directed at individual customers on Saturday. Indeed, many have received a blackmail letter: if money does not drop, the information will go online.

    Source:
    Pääkirjoitus: Häikäilemätön Vastaamo-tietomurto on hyökkäys suomalaista tietoyhteiskuntaa vastaan – sinisilmäisen viattomuuden aika on ohi https://www.is.fi/paakirjoitus/art-2000006699383.html

    Reply
  5. Tomi Engdahl says:

    F-Secure’s Hyppönen from Vastamo’s hacking: “Most likely, an attacker has used automated tools to look for vulnerable services”

    Hyppönen believes that Vastamo was the target of a data breach by accident.

    Mikko Hyppönen, Research Director of the security company F-Secure, considers the hacking of the Psychotherapy Center Vastamo to be exceptional.

    “Until now, professional criminals have sought to break into financial institutions, above all, or have tried to fish for credit card numbers. This is the first time subject to medical records. In the past, they have not interested criminals, ”says Hyppönen.

    He said criminals have decided that sensitive health information may be of interest. Health information is available in a great many systems. It is possible that some systems are vulnerable.

    Hyppönen believes that Vastamo was the target of a data breach by accident.

    “Most likely, the attacker has used automated tools to look for vulnerable services. For example, a machine can tap thousands of login attempts per minute. Sooner or later, weakly protected services will be found, ”says Hyppönen.

    F-Securen Hyppönen Vastaamon tietomurrosta: ”Todennäköisimmin hyökkääjä on automaattityökaluilla etsinyt haavoittuvia palveluita”
    https://www.tivi.fi/uutiset/f-securen-hypponen-vastaamon-tietomurrosta-todennakoisimmin-hyokkaaja-on-automaattityokaluilla-etsinyt-haavoittuvia-palveluita/5e1f0b1f-b981-47f7-a622-a596366b208e

    Reply
  6. Tomi Engdahl says:

    Link Previews in Chat Apps Pose Privacy, Security Issues: Researchers
    https://www.securityweek.com/link-previews-chat-apps-pose-privacy-security-issues-researchers

    An analysis of the manner in which popular chat applications handle link previews has revealed several privacy and security issues, including some that still need addressing, security researchers warn.

    Link previews provide users with information on what a link received in chat would lead them to, regardless of whether it is a file or a web page.

    However, link previews can be abused for nefarious purposes, and security researchers Talal Haj Bakry and Tommy Mysk claim to have identified several cases in which popular chat apps for iOS and Android fail to provide their users with the necessary protections against such abuses.

    Reply
  7. Tomi Engdahl says:

    US Insists on Need to Ban TikTok
    https://www.securityweek.com/us-insists-need-ban-tiktok

    US President Donald Trump’s administration has insisted on the need to ban TikTok due to national security concerns in a new court filing ahead of a plan to make the video app unavailable on November 12.

    Reply
  8. Tomi Engdahl says:

    Palo Alto Networks Threatens Legal Action Over Product Comparison
    https://www.securityweek.com/palo-alto-networks-threatens-legal-action-over-product-comparison

    Palo Alto Networks has threatened legal action against cloud visibility solutions provider Orca Security after the latter published a video comparing products from the two companies.

    The issue was made public last week in a blog post written by Avi Shua, co-founder and CEO of Orca Security. The video made by Orca in August, which is still available on YouTube, is described as a “detailed competitive comparison” between Orca Security’s platform and Palo Alto Networks’ Prisma Cloud product.

    Reply
  9. Tomi Engdahl says:

    Ruotsissa paljastunut iso tietomurto turvallisuusalan yritykseen

    DN: Suuri tietomurto ruotsalaiseen turvallisuusalan yritykseen, verkkoon on vuodettu muun muassa pankki­holvien piirustuksia
    https://www.hs.fi/ulkomaat/art-2000006700788.html

    Koko 19 gigatavun aineisto on lehden mukaan vuodettu nettiin.

    RUOTSALAISEEN, kansainvälisesti toimivaan turvallisuusalan yhtiöön on tehty mittava tietomurto, jossa verkkoon on vuodettu esimerkiksi pankkiholvien piirustuksia ja hälytysjärjestelmien kuvauksia, kertoo sanomalehti Dagens Nyheter (DN).

    Göteborgissa pääkonttoriaan pitävä Gunnebo-konserni joutui verkkohyökkäyksen kohteeksi elokuussa. Yhtiö kertoi asiasta tuolloin tiedotteessa

    Yhtiön mukaan kyse oli ”järjestäytyneestä it-hyökkäyksestä” sen palvelimiin.

    Yhtiö kertoi raportoineensa tapauksesta Ruotsin turvallisuuspoliisille Säpolle, koska yhtiö epäili teollisuusvakoilun yritystä. Yhtiön tiedotteessa ei kerrota, että hyökkäyksessä olisi onnistuttu murtautumaan palvelimille ja varastettu tietoja.

    NYT DN kuitenkin kertoo, että elokuisessa tietomurrossa onnistuttiin viemään erittäin suuri määrä tietoa. Koko 19 gigatavun aineisto on lehden mukaan sittemmin julkaistu avoimessa tietoverkossa.

    Lehti kertoo nähneensä kiristysviestin, jossa kerrotaan tietojen varastamisesta ja uhataan julkaista tiedot, jos Gunnebo ei ota rikollisiin yhteyttä. DN:n mukaan kiristäjät kertoivat, että heillä on hallussaan esimerkiksi taloustietoja, asiakkaita ja henkilökuntaa koskevia tietoja, ohjelmistojen lähdekoodeja ja salasanoja.

    GUNNEBO myy turvallisuuteen liittyviä tuotteita, palveluja ja ratkaisuja. Yhtiö on erikoistunut lähinnä fyysiseen turvallisuuteen kuten kulunvalvontaan, käteisen käsittelyjärjestelmiin ja kassakaappeihin.

    Reply
  10. Tomi Engdahl says:

    Enel Group hit by ransomware again, Netwalker demands $14 million
    https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/
    Multinational energy company Enel Group has been hit by a ransomware
    attack for the second time this year. This time by Netwalker, who is
    asking a $14 million ransom for the decryption key and to not release
    several terabytes of stolen data. Enel is one of the largest players
    in the European energy sector, with more than 61 million customers in
    40 countries. As of August 10, it ranks 87 in Fortune Global 500, with
    a revenue of almost $90 billion in 2019.

    Reply
  11. Tomi Engdahl says:

    Steelcase furniture giant hit by Ryuk ransomware attack
    https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/
    Office furniture giant Steelcase has suffered a ransomware attack that
    forced them to shut down their network to contain the attack’s spread.
    Steelcase is the largest office furniture manufacturer globally, with
    13, 000 employees and $3.7 billion in 2020.

    Reply
  12. Tomi Engdahl says:

    Insikt Group Discovers Global Credential Harvesting Campaign Using
    FiercePhish Open Source Framework
    https://www.recordedfuture.com/fiercephish-credential-harvesting-campaign/
    Recorded Future’s Insikt Group discovered a wide-reaching phishing
    campaign utilizing the FiercePhish open source offensive phishing
    framework.

    Reply
  13. Tomi Engdahl says:

    3 TB of Private Webcam/Home Security Video Leaked on Porn Sites
    https://yro.slashdot.org/story/20/10/18/1850229/3-tb-of-private-webcamhome-security-video-leaked-on-porn-sites?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    A hacking group that has yet to identify itself found and stole more than 3 TB of private video from around the world — mainly collected from Singapore — and shared it on porn sites, according to reports from local media like The New Paper. While some of the footage was indeed pornographic in nature, other videos are more mundane.

    More than 50,000 private IP-based cameras were accessed by hackers to amass the collection. Some were explicitly tagged with locations in Singapore, The New Paper reports, while others revealed their location as Singapore based on context clues such as book titles and home layout. Many show people (sometimes with their faces censored) in “various stages of undress or compromising positions….”

    https://www.inputmag.com/culture/hackers-leaked-tons-of-webcam-home-security-footage-on-porn-sites

    Singapore home cams hacked and stolen footage sold on pornographic sites
    Group behind hacking claims it has shared 3TB worth of clips with subscribers who paid $200 for its service
    https://www.tnp.sg/news/singapore/hackers-hawk-explicit-videos-taken-spore-home-cams

    Reply
  14. Tomi Engdahl says:

    Three npm Packages Opened Remote-Access Shells on Linux and Windows Systems
    https://it.slashdot.org/story/20/10/18/2321208/three-npm-packages-opened-remote-access-shells-on-linux-and-windows-systems?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Three npm packages found opening shells on Linux, Windows systems
    NPM staff: Any computer that has this package installed or running should be considered fully compromised.
    https://www.zdnet.com/article/three-npm-packages-found-opening-shells-on-linux-windows-systems/

    Three JavaScript packages have been removed from the npm portal on Thursday for containing malicious code.

    According to advisories from the npm security team, the three JavaScript libraries opened shells on the computers of developers who imported the packages into their projects.

    Reply
  15. Tomi Engdahl says:

    FBI warns ransomware assault threatens US healthcare system
    https://apnews.com/article/politics-crime-elections-presidential-elections-548634f03e71a830811d291401651610

    Federal agencies warned that cybercriminals are unleashing a wave of data-scrambling extortion attempts against the U.S. healthcare system designed to lock up hospital information systems, which could hurt patient care just as nationwide cases of COVID-19 are spiking.

    The cyberattacks involve ransomware, which scrambles data into gibberish that can only be unlocked with software keys provided once targets pay up. Independent security experts say it has already hobbled at least five U.S. hospitals this week, and could potentially impact hundreds more.

    The offensive by a Russian-speaking criminal gang coincides with the U.S. presidential election, although there is no immediate indication they were motivated by anything but profit. “We are experiencing the most significant cyber security threat we’ve ever seen in the United States,” Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant, said in a statement.

    Reply
  16. Tomi Engdahl says:

    In a first, researchers extract secret key used to encrypt Intel CPU code
    Hackers can now reverse engineer updates or write their own custom firmware.
    https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/

    Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured.

    The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update may allow hackers to reverse engineer it and learn precisely how to exploit the hole it’s patching. The key may also allow parties other than Intel—say a malicious hacker or a hobbyist—to update chips with their own microcode, although that customized version wouldn’t survive a reboot.

    “At the moment, it is quite difficult to assess the security impact,” independent researcher Maxim Goryachy said in a direct message. “But in any case, this is the first time in the history of Intel processors when you can execute your microcode inside and analyze the updates.”

    Reply
  17. Tomi Engdahl says:

    Alert (AA20-302A)
    Ransomware Activity Targeting the Healthcare and Public Health Sector
    https://us-cert.cisa.gov/ncas/alerts/aa20-302a

    Reply
  18. Tomi Engdahl says:

    I think we have to assume that commercial (especially non- open source) products are NSA compromised

    The NSA is Refusing to Disclose its Policy on Backdooring Commercial Products
    https://www.schneier.com/blog/archives/2020/10/the-nsa-is-refusing-to-disclose-its-policy-on-backdooring-commercial-products.html

    Senator Ron Wyden asked, and the NSA didn’t answer:

    Reply
  19. Tomi Engdahl says:

    Scammers are spoofing bank phone numbers to rob victims
    https://blog.malwarebytes.com/social-engineering/2020/10/scammers-are-spoofing-bank-phone-numbers-to-rob-victims/
    It can be a very convincing trick “You can check the number in your
    display online sir. You’ll see I’m really calling from your bank.”
    That is, of course, if you are unaware that phone numbers can be
    spoofed.

    Reply
  20. Tomi Engdahl says:

    TrickBot Linux Variants Active in the Wild Despite Recent Takedown
    https://thehackernews.com/2020/10/trickbot-linux-variants-active-in-wild.html
    Efforts to disrupt TrickBot may have shut down most of its critical
    infrastructure, but the operators behind the notorious malware aren’t
    sitting idle. According to new findings shared by cybersecurity firm
    Netscout, TrickBot’s authors have moved portions of their code to
    Linux in an attempt to widen the scope of victims that could be
    targeted. also: https://www.netscout.com/blog/asert/dropping-anchor

    Reply
  21. Tomi Engdahl says:

    Turla uses HyperStack, Carbon, and Kazuar to compromise government
    entity
    https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
    Accenture Cyber Threat Intelligence researchers identified a Turla
    compromise of a European government organization. During this
    compromise Turla utilized a combination of remote procedure call
    (RPC)-based backdoors, such as HyperStack and remote administration
    trojans (RATs), such as Kazuar and Carbon, which ACTI researchers
    analyzed between June and October 2020. The RATs transmit the command
    execution results and exfiltrate data from the victim’s network while
    the RPC-based backdoors use the RPC protocol to perform lateral
    movement and issue and receive commands on other machines in the local
    network. These tools often include several layers of obfuscation and
    defense evasion techniques.

    Reply
  22. Tomi Engdahl says:

    Cyberattacks target international conference attendees
    https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
    Today, we’re sharing that we have detected and worked to stop a series
    of cyberattacks from the threat actor Phosphorous masquerading as
    conference organizers to target more than 100 high-profile
    individuals. Phosphorus, an Iranian actor, has targeted with this
    scheme potential attendees of the upcoming Munich Security Conference
    and the Think 20 (T20) Summit in Saudi Arabia. The Munich Security
    Conference is the most important gathering on the topic of security
    for heads of state and other world leaders, and it has been held
    annually for nearly 60 years. Likewise, T20 is a highly visible event
    that shapes policy ideas for the G20 nations and informs their
    critical discussions.

    Reply
  23. Tomi Engdahl says:

    Fake COVID-19 survey hides ransomware in Canadian university attack
    https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/
    On October 19, we identified a new phishing document targeting staff
    at the University of British Columbia (UBC) with a fake COVID-19
    survey. However, this attack and motives are different than the ones
    previously documented. The survey is a malicious Word document whose
    purpose is to download ransomware and extort victims to recover their
    encrypted files.

    Reply
  24. Tomi Engdahl says:

    Trump’s official campaign website vandalized by hackers who ‘had
    enough of the President’s fake news’
    https://www.theregister.com/2020/10/28/trump_website_hacked/
    Well, that narrows down the list of suspects to just a few billion
    people

    Reply
  25. Tomi Engdahl says:

    EXCLUSIVE: Medical Records of 3.5 Million U.S. Patients Can be Accessed and Manipulated by Anyone
    https://www.securityweek.com/exclusive-medical-records-35-million-us-patients-can-be-accessed-and-manipulated-anyone

    More Than 2 Petabytes of Unprotected Medical Data Found on Picture Archiving and Communication System (PACS) Servers

    The results of 13 million medical examinations relating to around 3.5 million U.S. patients are unprotected and available to anyone on the internet, SecurityWeek has learned. This is despite the third week of this year’s National Cybersecurity Awareness Month (week beginning 19 October 2020) majoring on ‘Securing Internet-Connected Devices in Healthcare’.

    The details were disclosed to SecurityWeek by Dirk Schrader, global vice president at New Net Technologies (NNT — a security and compliance software firm headquartered in Naples, Florida). He demonstrated that the records can be accessed via an app that can be downloaded from the internet by anyone. The records found are in files that are still actively updated, and provide three separate threats: personal identity theft (including the more valuable medical identity theft), personal extortion, and healthcare company breaches.

    Schrader examined a range of radiology systems that include an image archive system — PACS, or picture archiving and communication system. These contain not only imagery but metadata about individual patients. The metadata includes the name, data of birth, date and reason for the medical examination, and more. Within a hospital, the imaging systems (X-rays, MRIs etc) are also stored in the PACS. The treating physician needs ready access to the images to confirm the current treatment. Schrader simply used Shodan to locate systems using the DICOM medical protocol. Individual unprotected PACS systems within the return of 3,000 servers were located manually. One, for example, contained the results of over 800,000 medical examinations, probably relating to about 250,000 different patients.

    Reply
  26. Tomi Engdahl says:

    Christopher Bing / Reuters:
    Cybersecurity experts say FBI is investigating Ryuk ransomware attacks on more than two dozen US hospitals, and officials warned hospitals to back up systems — WASHINGTON (Reuters) – The FBI is investigating the recent targeting with ransomware of more than two dozen hospitals across …
    Building wave of ransomware attacks strike U.S. hospitals
    https://www.reuters.com/article/us-usa-healthcare-cyber-idUSKBN27D35U

    Eastern European criminals are targeting dozens of U.S. hospitals with ransomware, and federal officials on Wednesday urged healthcare facilities to beef up preparations rapidly in case they are next.

    Reply
  27. Tomi Engdahl says:

    Probably woulda escaped notice except they went pretty big.

    Phishing Attack of Wisconsin GOP Leads to Theft of Millions Intended for Trump’s Reelection Campaign
    https://www.newsweek.com/phishing-attack-wisconsin-gop-leads-theft-millions-intended-trumps-reelection-campaign-1543272

    FBI investigation is underway after the Republican Party of Wisconsin (RPW) reported that $2.3 million had been stolen from an account that was meant to help reelect President Donald Trump.

    Andrew Hitt, the RPW chairman said that hackers entered the system in “a sophisticated phishing attack,” in a statement given to Newsweek. “These criminals exhibited a level of familiarity with state party operations at the end of the campaign to commit this crime.”

    Reply
  28. Tomi Engdahl says:

    Ransomware Activity Targeting the Healthcare and Public Health Sector
    https://us-cert.cisa.gov/ncas/alerts/aa20-302a

    Reply
  29. Tomi Engdahl says:

    FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against
    U.S. Hospitals
    https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/
    On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a
    reliable source that an aggressive Russian cybercriminal. gang known
    for deploying ransomware was preparing to disrupt information
    technology systems at hundreds of hospitals, clinics and medical care
    facilities across the United States. Today, officials from the FBI and
    the U.S. Department of Homeland Security hastily assembled a
    conference call with healthcare industry executives warning about an
    “imminent cybercrime threat to U.S. hospitals and healthcare
    providers.”. also:
    https://www.wired.com/story/ransomware-hospitals-ryuk-trickbot/

    Reply
  30. Tomi Engdahl says:

    Emotet campaign used parked domains to deliver malware payloads
    https://www.bleepingcomputer.com/news/security/emotet-campaign-used-parked-domains-to-deliver-malware-payloads/
    Researchers tracking malicious use of parked domains have spotted the
    Emotet botnet using such domains to deliver malware payloads as part
    of a large scale phishing campaign. Out of 6 million newly parked
    domains detected as parked between March and September 2020 by Palo
    Alto Networks, roughly 1% started being used as part of malware or
    phishing campaigns. “Often, the parking services and the advertisement
    networks do not have the means or willingness to filter abusive
    advertisers (i.e. attackers), ” Palo Alto Networks. “Therefore, users
    are exposed to various threats, such as malware distribution,
    potentially unwanted program (PUP) distribution, and phishing scams.”.
    also: Domain Parking: A Gateway to Attackers Spreading Emotet and
    Impersonating McAfee -
    https://unit42.paloaltonetworks.com/domain-parking/

    Buer Loader “malware-as-a-service” joins Emotet for ransomware
    delivery
    https://nakedsecurity.sophos.com/2020/10/29/buer-loader-malware-as-a-service-joins-emotet-for-ransomware-delivery/
    One example of an up-and-coming malware delivery network is Buer
    Loader, profiled this week in a detailed report from SophosLabs.
    Briefly summarised, Buer is a way to create a self-managed zombie
    network of your own, for example to launch remote attacks with your
    latest ransomware which you could, of course, buy in from someone else
    in the cybercrime ecosystem. also: Hacks for sale: inside the Buer
    Loader malware-as-a-service -
    https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/

    Reply
  31. Tomi Engdahl says:

    DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread
    https://blog.talosintelligence.com/2020/10/donot-firestarter.html
    The newly discovered Firestarter malware uses Google Firebase Cloud
    Messaging to notify its authors of the final payload location. Even if
    the command and control (C2) is taken down, the DoNot team can still
    redirect the malware to another C2 using Google infrastructure. The
    approach in the final payload upload denotes a highly personalized
    targeting policy.

    Reply
  32. Tomi Engdahl says:

    Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
    https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
    Throughout 2020, ransomware activity has become increasingly prolific,
    relying on an ecosystem of distinct but co-enabling operations to gain
    access to targets of interest before conducting extortion. Mandiant
    Threat Intelligence has tracked several loader and backdoor campaigns
    that lead to the post-compromise deployment of ransomware, sometimes
    within 24 hours of initial compromise. Effective and fast detection of
    these campaigns is key to mitigating this threat. The malware families
    enabling these attacks previously reported by Mandiant to intelligence
    subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and
    WINEKEY/CORKBOT. Other security researchers have tracked these malware
    families under the names BazarLoader and BazarBackdoor or Team9.

    Reply
  33. Tomi Engdahl says:

    Maze ransomware is shutting down its cybercrime operation
    https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/
    The Maze cybercrime gang is shutting down its operations after rising
    to become one of the most prominent players performing ransomware
    attacks. When BleepingComputer reached out to Maze to confirm if they
    were shutting down, we were told, “You should wait for the press
    release.”. BleepingComputer has learned that many Maze affiliates have
    switched over to a newew ransomware operation called Egregor.

    Reply
  34. Tomi Engdahl says:

    Health sector mobilizes defenses following Ryuk ransomware warning
    https://www.cyberscoop.com/health-care-ransomware-ryuk-hospitals/

    Reply
  35. Tomi Engdahl says:

    European ransomware group strikes US hospital networks, analysts warn
    https://www.cyberscoop.com/ransomware-hospitals-ryuk-fireeye/

    An Eastern European cybercriminal group has conducted ransomware attacks at multiple U.S. hospitals in recent days in some of the most disruptive cyber-activity in the sector during the coronavirus pandemic, cybersecurity company FireEye said Wednesday.

    The group, which FireEye calls UNC1878, has been deploying Ryuk ransomware and taking multiple hospital IT networks offline, said Charles Carmakal, senior vice president of Mandiant, FireEye’s incident response arm.

    “UNC1878 is one of most brazen, heartless and disruptive threat actors I’ve observed over my career,” Carmakal said. The group’s activity “is deliberately targeting and disrupting U.S. hospitals, forcing them to divert patients to other healthcare providers,” he said.

    The company did not detail any specific attacks, or the timing of the activity it says it observed.

    Reply
  36. Tomi Engdahl says:

    Why the extortion of Vastaamo matters far beyond Finland — and how cyber pros are responding
    https://www.cyberscoop.com/finland-vastaamo-hack-response/

    Reply
  37. Tomi Engdahl says:

    Microsoft said on Wednesday that it detected and worked to stop a series of cyberattacks from the threat actor Phosphorous masquerading as conference organizers to target more than 100 high-profile individuals.

    Iran-linked actor targeted international security conference, Microsoft says
    https://cybernews.com/news/microsoft-detects-cyberattacks-from-iran-linked-actor/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=microsoft_cyberattacks&fbclid=IwAR1i5kAs7lOTAUOxPZw8oNVYQAlelMpvaeCvhyv1rj3JGqHpJf3zTxJ3wFI

    Reply
  38. Tomi Engdahl says:

    New Attack Exfiltrates Sensitive Data From Voice Assistants Using “Inaudible” Telephone Calls
    https://www.hackster.io/news/new-attack-exfiltrates-sensitive-data-from-voice-assistants-using-inaudible-telephone-calls-38c750dd5ae4

    By encoding data as DTMF tones and then modulating them to inaudible frequencies, an Alexa becomes an unwitting carrier for stolen data.

    Reply
  39. Tomi Engdahl says:

    Vandana Verma: why do we need psychologists in the infosecurity?
    https://cybernews.com/editorial/vandana-verma-why-do-we-need-psychologists-in-the-infosecurity/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=vandana_verma&fbclid=IwAR2T6btdBFPMghjKR3Nm0B6Ip601_ogTRGro_ELdl0-vs4Hkr7Ala3klAq0

    Vandana Verma, an IBM security architect, believes in diversity in the infosecurity field. By diversity, she means including not only more women but also people of different races, ages, or educational backgrounds, as well as people with disabilities.

    “Growing up, I didn’t know that cybersecurity was a career,” Vandana Verma once said. Now, she is an IBM security engineer, founder of InfosecGirls, the only woman on The OWASP Foundation Global Board, and a keynote speaker at various conferences.

    Reply
  40. Tomi Engdahl says:

    Over 100,000 machines remain vulnerable to SMBGhost exploitation
    https://www.welivesecurity.com/2020/10/29/over-100000-machines-remain-vulnerable-smbghost-exploitation/

    The patch for the critical flaw that allows malware to spread across machines without any user interaction was released months ago

    Although Microsoft issued a patch for the critical SMBGhost vulnerability in the Server Message Block (SMB) protocol back in March, over 100,000 machines remain susceptible to attacks exploiting the flaw. This wormable Remote Code Execution (RCE) vulnerability could allow black hats to spread malware across machines without any need for user interaction.

    The severity of the bug affecting Windows 10 and Windows Server (versions 1903 and 1909) should have convinced everybody to patch their machines immediately. However, according to Jan Kopriva, who disclosed his findings on the SANS ISC Infosec Forums, that doesn’t seem to be the case.

    Reply
  41. Tomi Engdahl says:

    Google’s Project Zero discloses Windows 0day that’s been under active exploit
    Security flaw lets attackers escape sandboxes designed to contain malicious code.
    https://arstechnica.com/information-technology/2020/10/googles-project-zero-discloses-windows-0day-thats-been-under-active-exploit/

    Reply
  42. rọ túi lọc says:

    The article is very good, the content and accompanying images are also of good quality, I read and feel very helpful, I hope that I can read more articles in the future, respect you and thank you. .

    Reply

Leave a Reply to rọ túi lọc Cancel reply

Your email address will not be published. Required fields are marked *

*

*