Posts

“Known assailant” back with a vengeance

This post focuses on an infamous threat that resurfaced during the summer.

Following several reports in Nordic media of phishing attacks against public services in late August, and sources indicating that the Emotet trojan resurfaced in mid-July, several online sources are now reporting a massive campaign not only in the Nordics but worldwide.

Emotet is an e-mail trojan that is often used as the entry point into targeted organizations. Its success has largely been brought on by the craftiness with which it mimics valid e-mails and attachments, utilizing macros in Word and Excel files. In addition, the continuing evolution of its attack techniques adds to that success.
For example, there are indications that the latest strain uses stolen attachments to add credibility to the forged e-mails.

Emotet often paves the way for at least two other known assailants, TrickBot and QakBot, which then spread laterally and steal credentials.

How to protect against Emotet (as well as trojans and malware in general):

  • Be extra suspicious and cautious towards e-mails and attachments, even from known sources
  • Report suspicious e-mails to your Security organization for investigation
  • Make sure you have an up to date security program, preferably with anti-exploit capabilities
  • Make sure your systems are patched and up to date with the latest security patches
  • Enforce proper network segmentation
  • Enable MFA (multi-factor authentication) on your e-mail service
  • Block networks that generally do not need access (Tor, VPN, etc.)

If you get infected:

  • Report it to your security organization or SIRT immediately
  • It is strongly advised that you perform an audit of your network and e-mail accounts to make sure other devices are not compromised.

Further reading:

Check your Exchange for ongoing leaks

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

Currently, the biggest exposure to threats in the cyber domain comes via e-mail. Phishing attacks trick legitimate users out of their credentials, which are then used to gain access to the mail account, and some actors will sit on this access for months looking for ways to benefit from it. As a way of establishing persistence, an attacker will often create rules in the mail system that forward mail to an external account the attacker controls. This way, even if you change passwords, the attacker still receives copies of the mail.

These forwarding rules can serve as valuable indicators. And even if absence of evidence is not evidence of absence, it is worth looking for these rules at regular intervals. This is nothing new, but a reminder seemed in order given the current threat landscape. Here is an older blog post from Compass Security explaining the issue.

There is also a project on GitHub to help facilitate testing and low-volume activity data acquisition from the Office 365 Management Activity API, which might be interesting in this regard.
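As an added example (not code from the original post or from the GitHub project it mentions), the Python below runs the check described above over constructed audit records shaped like Exchange Online mailbox audit events from the Office 365 Management Activity API; the internal domain list, the sample records and their field layout are assumptions.

```python
import json
import re

# Assumption: the organization's own mail domains (placeholder values).
INTERNAL_DOMAINS = {"example.com"}
# Exchange operations that can create or change forwarding, and the parameters carrying the target.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records shaped like Exchange audit events from the Management Activity API.
SAMPLE_RECORDS = json.loads("""[
 {"CreationTime": "2020-09-01T07:12:00", "Operation": "New-InboxRule", "UserId": "alice@example.com",
  "Parameters": [{"Name": "ForwardTo", "Value": "\\"Bob\\" [SMTP:bob@example.com]"}]},
 {"CreationTime": "2020-09-02T23:41:00", "Operation": "New-InboxRule", "UserId": "alice@example.com",
  "Parameters": [{"Name": "ForwardTo", "Value": "\\"x\\" [SMTP:drop@attacker.example]"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"CreationTime": "2020-09-03T10:05:00", "Operation": "Set-Mailbox", "UserId": "carol@example.com",
  "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@mailbox.example"}]},
 {"CreationTime": "2020-09-03T11:00:00", "Operation": "MailItemsAccessed", "UserId": "dave@example.com",
  "Parameters": []}
]""")

def external_targets(params):
    """Return forwarding addresses outside INTERNAL_DOMAINS found in a Parameters list."""
    hits = []
    for p in params:
        if p.get("Name") in FORWARD_PARAMS:
            for addr in EMAIL_RE.findall(str(p.get("Value", ""))):
                if addr.lower().rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
                    hits.append(addr.lower())
    return hits

def find_external_forwarding(records):
    """Flag rule or mailbox changes that send copies of mail outside the organization."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = rec.get("Parameters", [])
        targets = external_targets(params)
        if targets:
            # A rule that also deletes the original is a common way to keep the leak unnoticed.
            hides = any(p.get("Name") == "DeleteMessage" and str(p.get("Value")).lower() == "true"
                        for p in params)
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"], "operation": rec["Operation"],
                             "targets": targets, "hides_original": hides})
    return findings
```

Running `find_external_forwarding(SAMPLE_RECORDS)` flags only the two changes that forward outside the organization; the internal forward and the unrelated operation are ignored.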

Top 5 Security News

RedCurl cybercrime group discovered

A new cybercrime group nicknamed RedCurl has been discovered after over two years of operation, attacking at least 14 organizations in over 26 attacks. They are known to attack companies in at least six countries, including Norway, with banks, insurance and financial companies among the industries they went after. The group was discovered by Group-IB, a global threat hunting and intelligence company headquartered in Singapore, which released a 57-page report on it.

The group's modus operandi did not involve advanced tools; instead it relied on handcrafted phishing e-mails, PowerShell and time to successfully carry out its attacks.

According to the Group-IB report, “The attackers posed as members of the HR team at the targeted organization and sent out emails to multiple employees at once, which made the employees less vigilant, especially considering that many of them worked in the same department”. The attackers also used the companies' logos and signature lines and spoofed the companies' own domains, making it very difficult to spot that the e-mails were not legitimate.

Top 5 Security News

Unique insights and large ransomware attacks

This week we get a unique insight into a threat actor's inner workings as IBM's X-Force IRIS security team uncovered a 40GB cache of data belonging to a threat actor called “ITG18” (overlapping with another outfit alternatively known as Charming Kitten and Phosphorus) believed to be sponsored by Iran. Included in the extracted data are several hours of video “showing operators searching through and exfiltrating data from multiple compromised accounts”.
Read more …

Top 5 Security News

Aerospace and military companies in the crosshairs

ESET researchers are warning about targeted phishing attacks against high-profile aerospace and military companies in Europe. The attacker approaches individual personnel about possible job vacancies; file sharing then commences under the pretense of providing information about the vacancy, but the shared files are in reality malware that gives the attacker a foothold on the victim's machine.

Be vigilant about files you get from strangers, and about people who make contact on social media and LinkedIn.

Top 5 Security News

Thunderbolt interface puts millions of PCs in danger

It wasn’t really news that Thunderbolt technology (over USB-C) has been vulnerable for years, but now we have a demo from a researcher showing how a Thunderbolt flaw allows access to a PC’s data in minutes.

More on this:

https://thunderspy.io/

https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/

Top 5 Security links:

A bit of history or the 15 biggest data breaches of the 21st century

WordPress Page Builder Plugin Bugs Threaten 1 Million Sites with Full Takeover

Top 10 Routinely Exploited Vulnerabilities

Never, never pay to cybercriminals

The Confessions of the Hacker Who Saved the Internet

Zero click bugs in Apple operating systems

According to Google’s Project Zero, there are vulnerabilities in the media handling of Apple's operating systems. The vulnerabilities could let an attacker gain access by sending a specially crafted image or video to a target; no interaction from the user would be needed for exploitation.
The vulnerabilities were found using fuzzing techniques based on previously found bugs, and they have now been fixed.

More on this topic:

Google discloses zero-click bugs impacting several Apple operating systems

Top 5 Security links

Covid-19 forces changes

Helpdesksecurity writes “A time of chaos is a time for opportunity for unscrupulous individuals and groups, and COVID-19 is seemingly an unmissable boon for cyber crooks.

We’ve already covered a variety of COVID-19-themed scams, phishing attempts, hoaxes and malware delivery campaigns, but new and inventive approaches are popping up daily.”

Top 5 Security links

Nation state actors play the long game

“Qihoo 360, one of the most prominent cybersecurity firms, today published a new report accusing the U.S. Central Intelligence Agency (CIA) to be behind an 11-year-long hacking campaign against several Chinese industries and government agencies.”

“According to Qihoo 360, the hacking tools developed by the CIA, such as Fluxwire and Grasshopper, were used by the APT-C-39 group against Chinese targets years before the Vault 7 leak.”

Read more

Top 5 Security News

Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!
Let’s Encrypt is Revoking Three Million Certificates on March 4
670+ Subdomains of Microsoft are Vulnerable to Takeover
Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains
CPR evasion encyclopedia: The Check Point evasion repository

Ransomware

Threat Hunting or Efficiency: Pick Your EDR Path?

Cybersecurity teams face a lot of conflicting objectives—both within their teams and from upper management. But a May 2019 commissioned study conducted by Forrester Consulting on behalf of McAfee really puts a fine point on it: When decision makers were asked which endpoint security goals and initiatives they’re prioritizing for the coming year, the top two responses were “improve security detection capabilities” (87%) and “increase efficiency in the SOC” (76%).

Read more

Top 5 Security News

5 scams to watch out for this shopping season

Dexphot Malware Hijacked 80K+ Devices to Mine Cryptocurrency

It’s Way Too Easy to Get a .gov Domain Name

A Cause You Care About Needs Your Cybersecurity Help

Google caught a state hacker crew uploading badness to the Play Store