
Supply chain attacks and Zero-days

The year 2021 has seen several high-profile vulnerabilities being actively exploited in big
and popular software, including Microsoft Exchange and SolarWinds Orion.
Experience shows that in some cases it is too late to patch even after a few days.
Many organizations work with the guideline of patching within 30 days if the vendor rates the
update as important. This is an attempt to verify that the patch does not cause any
adverse effects. The need for a vigilant Vulnerability Management process that continuously triages
published vulnerabilities is becoming clear.

Some of the issues published lately are supply chain attacks, where an attacker manipulates
products or product delivery mechanisms prior to receipt by the final consumer, or exploits
previously unknown vulnerabilities (so-called zero-days). Defending against these attacks is in
some cases not possible, or at least demands such a high level of security that it often is difficult
to stay productive and profitable. In some cases it seems like the best an organization
can do is to not be the weakest link and the easiest target.

It is important to prepare for an attack and have a plan for incident response. Perform exercises.
Deploy a security framework in order to engage in continuous improvement of the security


NSA publishes advisory on 25 vulnerabilities used by Chinese state-sponsored hackers

The National Security Agency in the United States recently released an advisory warning of the threat of Chinese state-sponsored attacks and detailed 25 vulnerabilities used. The advisory gives detailed information about the vulnerabilities, what they affect and how to remediate them. Most of them are remotely exploitable and can be used to gain initial access to a system before other vulnerabilities are used to go further into the network. Most of these vulnerabilities already have patches ready to be installed, so as always we really want to emphasize keeping systems up to date with the latest patches and software.

Top 5 Security News

“Known assailant” back with a vengeance

In this post there is specific focus on an infamous threat that resurfaced during the summer.

Following several news articles in Nordic media about phishing attacks towards public services in late August, in addition to sources indicating that the Emotet trojan resurfaced in mid-July, several sources online are now indicating a massive campaign not only in the Nordics but worldwide.

Emotet is an e-mail trojan that is often used as the entry point to target organizations. Its success has largely been brought on by the craftiness of mimicking valid e-mails and attachments, utilizing macros in Word and Excel files. In addition, its evolution of attack techniques adds to that success.
For example, there are indications that the latest strain is using stolen attachments to add credibility to the forged e-mails.

Emotet is often paving the way for at least two other known assailants, TrickBot and QakBot, to further spread laterally and steal credentials.

How to protect against Emotet (as well as trojans and malware in general):

  • Be extra suspicious and cautious towards e-mails and attachments, even from known sources
  • Report suspicious e-mails to your Security organization for investigation
  • Make sure you have an up to date security program, preferably with anti-exploit capabilities
  • Make sure your systems are patched and up to date with the latest security patches
  • Enforce proper network segmentation
  • Enable MFA (multi-factor authentication) on your e-mail service
  • Block networks that generally do not need access (TOR, VPN etc.)

If you get infected:

  • Report it to your security organization or SIRT immediately
  • It is strongly advised that you perform an audit of your network and e-mail accounts to make sure other devices are not compromised.

Further reading:

Check your Exchange for ongoing leaks

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

Currently the biggest exposure to threats in the cyber domain is presented via mail. Phishing attacks trick legitimate users out of their credentials, and the attacker then gains access to the mail account; some actors will sit on this access for months looking for ways to benefit from it. As a way of establishing persistence an attacker will often create rules in the mail system to have mail forwarded to an external account the attacker controls. This way, even if you change passwords, the attacker still receives copies of the mail.

These forwarding rules can serve as valuable indicators. And even if absence of evidence is not evidence of absence, it is worth looking for these rules at regular intervals. This is nothing new, but a reminder seemed in order given the current threat landscape. Here is an older blog post from Compass-Security explaining the issue.

There is also a project on GitHub to help facilitate testing and low-volume activity data acquisition from the Office 365 Management Activity API that might be interesting in this regard.
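The check described above, as an added example that is not code from the original post, from Compass-Security or from the GitHub project mentioned: it scans Exchange admin audit records, in the shape the Office 365 Management Activity API returns them (one JSON object per record, with `Operation`, `UserId` and a `Parameters` list of name/value pairs), for inbox rules and mailbox settings that forward mail to a domain the organization does not own. The sample records and the internal domain `example.com` are constructed for the example; the record layout and the cmdlet parameter names (`ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`, `ForwardingSmtpAddress`, `ForwardingAddress`, `DeleteMessage`) are assumptions based on the Exchange cmdlets, so verify them against your own tenant's logs before relying on the output.

```python
import json
import re

# Assumption: the organization owns only this domain; any other domain is external.
INTERNAL_DOMAINS = {"example.com"}

# Inbox-rule cmdlets and the parameters that send mail elsewhere (assumed names).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
RULE_FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Mailbox-level forwarding configured through Set-Mailbox (assumed names).
MAILBOX_FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample audit records, one JSON object per line. Not real tenant data.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2020-08-10T07:12:44","Operation":"New-InboxRule","UserId":"bob@example.com","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:collector@attacker-mail.invalid"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2020-08-10T08:01:03","Operation":"New-InboxRule","UserId":"carol@example.com","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"Team updates"},{"Name":"ForwardTo","Value":"smtp:team-lead@example.com"}]}
{"CreationTime":"2020-08-11T16:40:19","Operation":"Set-Mailbox","UserId":"admin@example.com","Workload":"Exchange","Parameters":[{"Name":"Identity","Value":"dave@example.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:dave.home@freemail.invalid"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2020-08-11T17:02:55","Operation":"MailboxLogin","UserId":"erin@example.com","Workload":"Exchange","Parameters":[]}
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def external_addresses(value):
    """Return the e-mail addresses in a parameter value whose domain is not ours.

    Values may carry an "smtp:" prefix or several addresses; the regex picks
    out each address regardless of the surrounding formatting.
    """
    found = []
    for addr in EMAIL_RE.findall(value or ""):
        domain = addr.rsplit("@", 1)[1].lower()
        if domain not in INTERNAL_DOMAINS:
            found.append(addr.lower())
    return found


def find_external_forwarding(audit_lines):
    """Return one finding per audit record that forwards mail outside the organization."""
    findings = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        op = rec.get("Operation")
        if op in RULE_OPERATIONS:
            watched = RULE_FORWARD_PARAMS
        elif op == "Set-Mailbox":
            watched = MAILBOX_FORWARD_PARAMS
        else:
            continue  # logins, reads etc. are not forwarding changes
        params = {p["Name"]: p.get("Value") for p in rec.get("Parameters", [])}
        targets = []
        for name in watched:
            targets.extend(external_addresses(params.get(name)))
        if not targets:
            continue
        # Mailbox-level forwarding applies to the Identity, not to the admin who set it.
        if op == "Set-Mailbox":
            mailbox = params.get("Identity", rec.get("UserId"))
        else:
            mailbox = rec.get("UserId")
        findings.append({
            "time": rec.get("CreationTime"),
            "operation": op,
            "mailbox": mailbox,
            "actor": rec.get("UserId"),
            "rule_name": params.get("Name"),
            "external_targets": sorted(set(targets)),
            # A forward combined with delete keeps the copies out of the owner's view.
            "hides_copies": params.get("DeleteMessage") == "True",
        })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Run against the sample, the two external forwards (Bob's rule with a one-character name and delete-after-forward, and the mailbox-level forward on Dave's account) are reported while Carol's internal forward is not. The `rule_name` and `hides_copies` fields are there because a short or punctuation-only rule name combined with `DeleteMessage` is the pattern the post describes: mail leaves the mailbox without the owner noticing. Feed the function the records from whatever export you use for the Management Activity API and review every hit with the mailbox owner.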

Top 5 Security News

RedCurl cybercrime group discovered

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

A new cybercrime group nicknamed RedCurl has been discovered after over two years of operation, attacking at least 14 organizations in over 26 attacks. They are known to attack companies in at least six countries, including Norway, with banks, insurance and financial companies among the industries they went after. The group was discovered by Group-IB, a global threat hunting and intelligence company headquartered in Singapore, which released a 57-page report on it.

The group's modus operandi did not rely on advanced tools but rather on handcrafted phishing emails, PowerShell and time to successfully carry out their attacks.

According to the Group-IB report, “The attackers posed as members of the HR team at the targeted organization and sent out emails to multiple employees at once, which made the employees less vigilant, especially considering that many of them worked in the same department“. They used the companies' logos and signature lines and spoofed the companies' own domains, making it very difficult to spot that the mails were not legitimate.

Top 5 Security News

Unique insights and large ransomware attacks

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

This week we get a unique insight into a threat actor's inner workings as IBM’s X-Force IRIS security team uncovers a 40GB cache of data belonging to a threat actor called “ITG18” (overlapping with another outfit alternatively known as Charming Kitten and Phosphorus), believed to be sponsored by Iran. Included in the extracted data are several hours of video “showing operators searching through and exfiltrating data from multiple compromised accounts”.

Top 5 Security News

Aerospace and military companies in the crosshairs

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

ESET researchers are warning about targeted phishing attacks against high-profile aerospace and military companies in Europe. The attacker approaches individual personnel about possible job vacancies, and some file sharing then commences under the pretense of informing about the vacancy; in reality the shared file is malware that gives the attacker a foothold on the victim's machine.

Be vigilant about files you get from strangers, and about people who make contact on social media and LinkedIn.

Top 5 Security News

Zoom continues to face security issues

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

Zoom has become very popular as people are working from home and unable to travel, but faced backlash after multiple security vulnerabilities were discovered earlier this year. Now Cisco Talos has discovered two more security vulnerabilities that could lead to remote code execution. One of the bugs was in Zoom's Giphy animated GIF code and could lead to path traversal and arbitrary file write; the other was in Zoom's message processing code, where a specially crafted message could lead to arbitrary code execution. Both vulnerabilities were disclosed to Zoom and a patch was released
before Talos publicly released the information. Just another reminder to keep software up to date.

Zoom also announced that it will no longer offer end-to-end encryption to its free users but will offer it as a premium feature for paid customers. The move has been criticized by security experts, especially in light of all the recent security vulnerabilities discovered in the platform. Eric Yuan, Zoom's CEO, claims that the move is to work together with the FBI and local law enforcement in case someone uses Zoom for a bad purpose.

Top 5 Security links:

NATO Condemns Cyber-Attacks

Fraudulent iOS VPN Apps Attempt to Scam Users

Hackers Compromise Cisco Servers Via SaltStack Flaws

Malware Campaign Hides in Resumes and Medical Leave Forms

Zero-day in Sign in with Apple


Zero click bugs in Apple operating systems

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

According to Google’s Project Zero there are vulnerabilities in the media handling of Apple's operating systems. The vulnerabilities could let an attacker gain access by sending a specially crafted image or video to a target, and no interaction from the user would be needed for them to be exploited.
The vulnerabilities were found by applying fuzzing techniques to previously found bugs, and the vulnerabilities found have now been fixed.

More on this topic:

Google discloses zero-click bugs impacting several Apple operating systems

Top 5 Security links

Zoom faces a privacy and security backlash

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

The use of the Zoom video conference application has exploded in popularity amid the ongoing coronavirus pandemic, but this has led to increased scrutiny from a security and privacy perspective, which has uncovered lots of privacy and security issues and even zero-day vulnerabilities.
As a result of this, Zoom now faces a privacy and security backlash.

More on this topic:

Wired article on Zoom

Even Doc Searls has written a series of four posts about Zoom and privacy.

Top 5 Security links

In COVID-19 Scam Scramble, Cybercrooks Recycle Phishing Kits

Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers

Online Credit Card Skimmers Are Thriving During the Pandemic

‘Zombie’ Windows win32k bug reanimated by researcher

Privacy vs. Surveillance in the Age of COVID-19