OSINT News - January 18, by Bart Otten


New Findings From Our Investigation of SUNBURST

https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/ 

New Findings From Our Investigation of SUNBURST - Orange Matter

Since the cyberattack on our customers and SolarWinds, we have been working around the clock to support our customers. As we shared in our recent update, we are partnering with multiple industry-leading cybersecurity experts to strengthen our systems, further enhance our product development processes, and adapt the ways that we deliver powerful, affordable, and secure solutions to our customers.

orangematter.solarwinds.com

 

---

SUNSPOT: An Implant in the Build Process

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis 

SUNSPOT Malware: A Technical Analysis | CrowdStrike

The malware then grants itself debugging privileges by modifying its security token to add SeDebugPrivilege. This step is a prerequisite for the remainder of SUNSPOT’s execution, which involves reading other processes’ memory.

www.crowdstrike.com
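The SeDebugPrivilege step above is the one moment where SUNSPOT is visible in ordinary Windows auditing: enabling a privilege on a token writes Security event 4703 ("A user right was adjusted") when the Detailed Tracking > Token Right Adjusted audit subcategory is on. The following is an added example written for this roundup, not CrowdStrike's code and not SUNSPOT telemetry: it parses 4703 records in the XML shape the Security log exports, flags any process outside an assumed allow-list that enables SeDebugPrivilege, and ignores other privileges and other event IDs. The sample events, host names and the allow-list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def _event(event_id, computer, user, process, enabled, disabled="-"):
    # Builds one constructed record in the Windows event XML layout.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="ProcessName">{process}</Data>
    <Data Name="EnabledPrivilegeList">{enabled}</Data>
    <Data Name="DisabledPrivilegeList">{disabled}</Data>
  </EventData>
</Event>"""


# Constructed sample: not real SUNSPOT telemetry.
SAMPLE_EVENTS = [
    # unknown binary on a build server enabling SeDebugPrivilege: the pattern to catch
    _event(4703, "build01.corp.example", "svc_build",
           r"C:\Windows\Temp\taskhostsvc.exe", "SeDebugPrivilege"),
    # antivirus engine doing the same thing: expected, allow-listed below
    _event(4703, "build01.corp.example", "SYSTEM",
           r"C:\Program Files\Windows Defender\MsMpEng.exe", "SeDebugPrivilege"),
    # backup agent enabling other privileges (Windows joins several with newline + tabs)
    _event(4703, "build01.corp.example", "svc_backup",
           r"C:\Program Files\Backup\agent.exe", "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"),
    # a different event id entirely: ignored by the detector
    _event(4672, "build01.corp.example", "svc_build", "-", "-"),
]

# Assumed allow-list of executables expected to hold SeDebugPrivilege; tune per estate.
ALLOWED_DEBUGGERS = {"msmpeng.exe", "mssense.exe", "devenv.exe", "windbg.exe", "procexp64.exe"}


def parse_event(xml_text):
    # Flattens <System> fields and every <Data Name=...> element into one dict.
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext(f"{NS}System/{NS}EventID"))
    computer = root.findtext(f"{NS}System/{NS}Computer")
    data = {d.get("Name"): (d.text or "").strip() for d in root.iter(f"{NS}Data")}
    return {"event_id": event_id, "computer": computer, **data}


def privileges(field):
    # EnabledPrivilegeList holds whitespace-separated names; "-" means none.
    return {p for p in field.split() if p != "-"}


def find_sedebug_enables(xml_events, allowed=ALLOWED_DEBUGGERS):
    # Returns one finding per 4703 where a non-allow-listed process enabled SeDebugPrivilege.
    findings = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev["event_id"] != 4703:
            continue
        if "SeDebugPrivilege" not in privileges(ev.get("EnabledPrivilegeList", "")):
            continue
        exe = ev.get("ProcessName", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in allowed:
            continue
        findings.append({"computer": ev["computer"],
                         "user": ev.get("SubjectUserName"),
                         "process": ev.get("ProcessName")})
    return findings


if __name__ == "__main__":
    for f in find_sedebug_enables(SAMPLE_EVENTS):
        print(f"SeDebugPrivilege enabled by {f['process']} as {f['user']} on {f['computer']}")
```

4703 is noisy on developer workstations, so the allow-list matters; on a build server the population of processes that legitimately need SeDebugPrivilege should be tiny, which is what makes this worth alerting on there.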

 

---

Alert (AA21-008A) Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments

https://us-cert.cisa.gov/ncas/alerts/aa21-008a 

Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments | CISA

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See ATT&CK for Enterprise for all referenced threat actor tactics and techniques. This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.

us-cert.cisa.gov
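AA21-008A is about finding the identity-layer moves that followed the SolarWinds intrusion: federation trust changes that enable forged SAML tokens, and new credentials added to applications or service principals for durable token access. As an added example for this roundup (not CISA's Sparrow tool and not the advisory's own code), the script below triages constructed Microsoft 365 Unified Audit Log records for those operations, tags each with the ATT&CK technique it maps to, downgrades changes made by an approved actor inside a declared change window, and escalates when one actor from one IP chains two distinct techniques. The records, accounts, IPs, the technique mapping and the change window are assumptions for illustration.

```python
from datetime import datetime

# Constructed sample in the field layout of Unified Audit Log records; not real incident data.
SAMPLE_RECORDS = [
    {"CreationTime": "2021-01-12T03:14:07", "Workload": "AzureActiveDirectory",
     "Operation": "Set federation settings on domain.", "UserId": "globaladmin@corp.example",
     "ObjectId": "corp.example", "ClientIP": "203.0.113.50"},
    {"CreationTime": "2021-01-12T03:20:41", "Workload": "AzureActiveDirectory",
     "Operation": "Add service principal credentials.", "UserId": "globaladmin@corp.example",
     "ObjectId": "ServicePrincipal_finance-api", "ClientIP": "203.0.113.50"},
    {"CreationTime": "2021-01-13T10:02:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add service principal credentials.", "UserId": "pipeline-admin@corp.example",
     "ObjectId": "ServicePrincipal_ci-runner", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2021-01-13T11:45:12", "Workload": "Exchange",
     "Operation": "MailItemsAccessed", "UserId": "alice@corp.example",
     "ObjectId": "", "ClientIP": "198.51.100.9"},
]

# Assumed mapping of high-signal Azure AD audit operations to ATT&CK techniques.
HIGH_SIGNAL = {
    "set federation settings on domain.": ("T1484.002", "federation trust changed: enabler for forged SAML tokens"),
    "set domain authentication.": ("T1484.002", "domain switched between managed and federated"),
    "add service principal credentials.": ("T1098.001", "new key or secret on an app: durable token access"),
    "add member to role.": ("T1098.003", "privileged role granted"),
}


def _ts(s):
    return datetime.fromisoformat(s)


def triage(records, approved_actors=(), window=None):
    # window is an (ISO start, ISO end) pair; matches by approved actors inside it rate 'info'.
    approved = {a.lower() for a in approved_actors}
    lo, hi = (_ts(window[0]), _ts(window[1])) if window else (None, None)
    findings = []
    for r in records:
        key = r.get("Operation", "").strip().lower()
        if key not in HIGH_SIGNAL:
            continue
        technique, why = HIGH_SIGNAL[key]
        when = _ts(r["CreationTime"])
        expected = r["UserId"].lower() in approved and lo is not None and lo <= when <= hi
        findings.append({"time": r["CreationTime"], "actor": r["UserId"], "ip": r.get("ClientIP"),
                         "operation": r["Operation"], "target": r.get("ObjectId"),
                         "technique": technique, "why": why,
                         "severity": "info" if expected else "high"})
    return findings


def chains(findings, max_gap_hours=24):
    # Same actor and source IP hitting two distinct techniques within the gap: escalate.
    by_actor = {}
    for f in findings:
        if f["severity"] == "info":
            continue
        by_actor.setdefault((f["actor"], f["ip"]), []).append(f)
    out = []
    for (actor, ip), fs in by_actor.items():
        fs.sort(key=lambda f: f["time"])
        techs = {f["technique"] for f in fs}
        span = _ts(fs[-1]["time"]) - _ts(fs[0]["time"])
        if len(techs) >= 2 and span.total_seconds() <= max_gap_hours * 3600:
            out.append({"actor": actor, "ip": ip, "techniques": sorted(techs), "events": len(fs)})
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS, approved_actors=["pipeline-admin@corp.example"],
                   window=("2021-01-13T09:00:00", "2021-01-13T12:00:00"))
    for f in found:
        print(f"[{f['severity']}] {f['time']} {f['actor']} {f['operation']} -> {f['technique']}: {f['why']}")
    for c in chains(found):
        print(f"[critical] {c['actor']} from {c['ip']} chained {c['techniques']}")
```

A change window and an approved-actor list are the minimum needed to keep this from paging on every CI key rotation; the federation-settings operations should never be downgraded by a window alone, because an attacker with Global Administrator can schedule them too.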

 

Cyberattack on EMA - update 4

https://www.ema.europa.eu/en/news/cyberattack-ema-update-4 

Cyberattack on EMA - update 4 | European Medicines Agency

The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet.

www.ema.europa.eu

 

Winnti APT continues to target game developers in Russia and abroad

https://securityaffairs.co/wordpress/113458/apt/winnti-attacks-russia-hk.html 

Winnti continues to target game developers in Russia and out of China--Security Affairs

A Chinese threat actor targeted organizations in Russia and Hong Kong with a previously undocumented backdoor, experts warn. Cybersecurity researchers from Positive Technologies have uncovered a series of attacks conducted by a Chinese threat actor that aimed at organizations in Russia and Hong Kong. Experts attribute the attacks to the China-linked Winnti APT group (aka APT41) […]

securityaffairs.co

 

---

NSA Recommends How Enterprises Can Securely Adopt Encrypted DNS

https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2471956/nsa-recommends-how-enterprises-can-securely-adopt-encrypted-dns/ 

NSA Recommends How Enterprises Can Securely Adopt Encrypted DNS > National Security Agency Central Security Service > Article View

FORT MEADE, Md., Jan. 14, 2021 — The National Security Agency released a cybersecurity product, “Adopting Encrypted DNS in Enterprise Environments,” Thursday explaining the benefits and risks of adopting the encrypted domain name system (DNS) protocol, DNS over HTTPS (DoH), in enterprise environments. The release provides solutions for secure implementation based on enterprise network needs.

www.nsa.gov
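The risk NSA's release is addressing is that DoH moves the query name inside a TLS session to a resolver the enterprise may not control, so the existing DNS monitoring and filtering stop seeing it. The release's core recommendation is that all DNS traffic, encrypted or not, go only to the enterprise's designated resolver. As an added example for this roundup (not NSA's text and not code from the release), the script below shows what a DoH request actually carries in both RFC 8484 forms (GET with a base64url `dns=` parameter and POST with `application/dns-message`), recovers the question name from it as a TLS-terminating enterprise proxy could, and applies the simple policy of allowing only the enterprise resolver. The resolver host names and the sample requests are constructed.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

ENTERPRISE_DOH_HOSTS = {"doh.corp.example"}  # assumed enterprise resolver


def build_dns_query(qname, qtype=1, txid=0):
    # Minimal DNS wire-format query: header, one question, RD set.
    # RFC 8484 suggests ID 0 so GET requests are cacheable.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url, message):
    # GET form: base64url without padding in the dns= query parameter.
    token = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"


def parse_question(message):
    # Returns (qname, qtype) from the first question of a DNS message.
    if len(message) < 12:
        raise ValueError("short DNS message")
    _txid, _flags, qdcount = struct.unpack("!HHH", message[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    offset, labels = 12, []
    while True:
        n = message[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        labels.append(message[offset:offset + n].decode("ascii"))
        offset += n
    qtype, qclass = struct.unpack("!HH", message[offset:offset + 4])
    if qclass != 1:
        raise ValueError("non-IN class")
    return ".".join(labels), qtype


def extract_doh_query(method, url, headers, body=b""):
    # Recognises both RFC 8484 request forms; returns (qname, qtype) or None if not DoH.
    h = {k.lower(): v for k, v in headers.items()}
    if method == "POST" and h.get("content-type") == "application/dns-message":
        return parse_question(body)
    if method == "GET":
        qs = parse_qs(urlsplit(url).query)
        if "dns" in qs:
            raw = qs["dns"][0]
            raw += "=" * (-len(raw) % 4)  # restore stripped padding
            return parse_question(base64.urlsafe_b64decode(raw))
    return None


def policy_decision(method, url, headers, body=b"", allowed=ENTERPRISE_DOH_HOSTS):
    # Only the enterprise resolver may receive DoH; everything else identified as DoH is blocked.
    q = extract_doh_query(method, url, headers, body)
    if q is None:
        return "not-doh", None
    host = urlsplit(url).hostname
    return ("allow" if host in allowed else "block"), q


if __name__ == "__main__":
    msg = build_dns_query("login.corp.example")
    url = doh_get_url("https://dns.example.net/dns-query", msg)
    print(url)
    print(policy_decision("GET", url, {"Accept": "application/dns-message"}))
    print(policy_decision("POST", "https://doh.corp.example/dns-query",
                          {"Content-Type": "application/dns-message"}, msg))
```

The point the parser makes is that the query name is only recoverable where TLS is terminated; without a proxy at that point, the practical control is to block outbound connections to known DoH resolver endpoints and leave clients no resolver but the enterprise one.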

 

---

Operation Spalax, an ongoing malware campaign targeting Colombian entities

https://securityaffairs.co/wordpress/113429/hacking/operation-spalax-malware.html 

Operation Spalax, an ongoing campaign targeting Colombian entities--Security Affairs

Malware researchers from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian entities exclusively. The attacks aimed at government institutions and private companies, most of them in the energy ...

securityaffairs.co

 

---

Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds

https://securityaffairs.co/wordpress/113404/cyber-crime/criminal-scheme-classiscam.html 

Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds - Security Affairs

Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has discovered that Russian-speaking scammers started targeting users of European marketplaces and classifieds. The scheme, dubbed Classiscam by Group-IB, is an automated scam ...

securityaffairs.co

 

---

[PDF] Cracking a soft cell is harder than you think

https://github.com/yt0ng/cracking_softcell/blob/main/Cracking_SOFTCLL_TLP_WHITE.pdf 

---

Higaisa or Winnti? APT41 backdoors, old and new

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ 

Higaisa or Winnti? APT41 backdoors, old and new

The PT Expert Security Center regularly spots emerging threats to information security, including both previously known and newly discovered malware. During such monitoring in May 2020, we detected several samples of new malware that at first glance would seem to belong to the Higaisa group.

www.ptsecurity.com

 

---

Rogue Android RAT emerges from the darkweb

https://securityaffairs.co/wordpress/113369/malware/rogue-android-rat-darkweb.html 

Rogue Android RAT emerges from the darkweb--Security Affairs

Rogue is a new mobile RAT discovered by researchers from Check Point while investigating the activity of the darknet threat actors known as Triangulum and HeXaGoN Dev. Both actors are Android malware authors that […]

securityaffairs.co

 

---

Sophisticated hacking campaign uses Windows and Android zero-days

https://securityaffairs.co/wordpress/113342/hacking/project-zero-watering-hole-attack.html 

Sophisticated hacking campaign uses Windows and Android zero-days--Security Affairs

The Google Project Zero team has recently launched an initiative aimed at devising new techniques to detect 0-day exploits employed in attacks in the wild. While partnering with the Google Threat Analysis Group (TAG), the experts discovered a watering hole […]

securityaffairs.co

 

---

Russian hacker Andrei Tyurin sentenced to 12 years in prison

https://securityaffairs.co/wordpress/113279/cyber-crime/russian-hacker-andrei-tyurin-prison.html 

Russian hacker Andrei Tyurin sentenced to 12 years in prison--Security Affairs

This week a U.S. court sentenced Andrei Tyurin (37) to 12 years in prison for carrying out an international hacking campaign that targeted several financial institutions, brokerage firms, financial news publishers, […]

securityaffairs.co

 

---

Experts gained access to the Git Repositories of the United Nations

https://securityaffairs.co/wordpress/113268/data-breach/united-nations-ep-data-breach.html 

Experts gained access to the Git Repositories of the United Nations--Security Affairs

Researchers gained access to Git repositories belonging to the United Nations, exposing staff records and credentials.

 

The research group Sakura Samurai was able to access the repositories of the United Nations as part of the Vulnerability Disclosure Program and a Hall of Fame operated by the organization. The group, composed of Jackson Henry, […]

securityaffairs.co

 

---

Police took down DarkMarket, the world’s largest darknet marketplace

https://securityaffairs.co/wordpress/113332/deep-web/dark-web-darkmarket-seized.html 

Police took down DarkMarket, the world's largest darknet marketplace--Security Affairs

DarkMarket, the world’s largest black marketplace on the dark web, has been taken offline as a result of an international operation conducted by law enforcement from Germany, Australia, Denmark, Moldova, Ukraine, the United Kingdom […]

securityaffairs.co

 

---

Police Robots Are Not a Selfie Opportunity, They’re a Privacy Disaster Waiting to Happen

https://www.eff.org/deeplinks/2021/01/police-robots-are-not-selfie-opportunity-theyre-privacy-disaster-waiting-happen 

Police Robots Are Not a Selfie Opportunity, They’re a Privacy Disaster Waiting to Happen | Electronic Frontier Foundation - eff.org

The arrival of government-operated autonomous police robots does not look like predictions in science fiction movies. An army of robots with gun arms is not kicking down your door to arrest you. Instead, a robot snitch that looks like a rolling trash can is programmed to decide whether a person...

www.eff.org

 

Intel adds hardware-based ransomware detection to 11th gen CPUs

https://www.bleepingcomputer.com/news/security/ 

News in the Security category - BleepingComputer

Microsoft has addressed a zero-day vulnerability in the Microsoft Defender antivirus, exploited in the wild by threat actors before the patch was released. With the January 2021 Patch Tuesday ...

www.bleepingcomputer.com

 

---

Combating Scraping by Malicious Browser Extensions

https://about.fb.com/news/2021/01/combating-scraping-by-malicious-browser-extensions/ 

Combating Scraping by Malicious Browser Extensions - About Facebook


 

---

Home Office urged to explain 150,000 arrest records wiped in tech blunder

https://www.thetimes.co.uk/edition/news/150-000-arrest-records-wiped-in-tech-blunder-krhlf302h 

Home Office urged to explain 150,000 arrest records wiped in tech blunder | News | The Times

Priti Patel has been urged to explain an “extraordinarily serious security breach” after The Times revealed a technology blunder wiped more than 150,000 fingerprint, DNA and arrest history ...

www.thetimes.co.uk

 

---

Cybercriminals demanding $500,000 after hacking Delaware County computer network: Sources

https://6abc.com/delaware-county-pa-hack-delco-pennsylvania-fbi/8257339/ 

Cybercriminals demanding $500,000 after hacking Delaware County, Pennsylvania computer network: Sources - 6abc Philadelphia

Cybercriminals have attacked the Delaware County, Pennsylvania government network and taken it hostage. The criminals are demanding $500,000 to free it up.

6abc.com

 

---

Reserve Bank response to illegal breach of data system

https://www.rbnz.govt.nz/news/2021/01/reserve-bank-response-to-illegal-breach-of-data-system 

Reserve Bank response to illegal breach of data system - Reserve Bank of New Zealand


www.rbnz.govt.nz

 

 

---

CAPCOM: 390,000 people impacted in the recent ransomware Attack

https://securityaffairs.co/wordpress/113418/data-breach/capcom-breach-390k-people-impacted.html 

CAPCOM: 390K people impacted in the recent ransomware attack--Security Affairs

Capcom revealed that the recent ransomware attack has potentially impacted 390,000 people, an increase of approximately 40,000 people from the previous report.

 

In November, Japanese game developer Capcom admitted to having suffered a cyberattack that is impacting business operations. The company has developed multiple multi-million-selling game franchises, including Street Fighter, Mega Man ...

securityaffairs.co

 

---

Ubiquiti discloses a data breach

https://securityaffairs.co/wordpress/113296/data-breach/ubiquiti-discloses-data-breach.html 

Ubiquiti discloses a data breach--Security Affairs

American technology vendor Ubiquiti Networks suffered a data breach and is sending out notification emails to its customers asking them to change their passwords and enable 2FA for their accounts. The company discovered unauthorized access to some of […]

securityaffairs.co

 

---

Expert discovered a DoS vulnerability in F5 BIG-IP systems

https://securityaffairs.co/wordpress/113440/security/f5-big-ip-dos.html 

Expert discovered a DoS vulnerability in F5 BIG-IP systems--Security Affairs

The security expert Nikita Abramov from Positive Technologies discovered a DoS vulnerability, tracked as CVE-2020-27716, that affects certain versions of F5 BIG-IP Access Policy Manager (APM). The F5 BIG-IP Access Policy Manager is a secure, flexible, […]

securityaffairs.co

 

---

Microsoft Patch Tuesday for January 2021 fixes 83 flaws, including an actively exploited issue

https://securityaffairs.co/wordpress/113362/security/microsoft-patch-tuesday-for-january-2021-fixes-83-flaws-including-an-actively-exploited-issue.html 

Microsoft Patch Tuesday for January 2021 fixes 83 flaws, including an actively exploited issue--Security Affairs

Microsoft Patch Tuesday security updates for January 2021 fix 83 security vulnerabilities in multiple products, including Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Office and Microsoft Office Services and Web Apps, Visual Studio, Microsoft ...

securityaffairs.co

 

---

High-Severity Cisco Flaw Found in CMX Software For Retailers

https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/

High-Severity Cisco Flaw Found in CMX Software For Retailers | Threatpost

Cisco fixed high-severity flaws tied to 67 CVEs overall, including ones found in its AnyConnect Secure Mobility Client and in its RV110W, RV130, RV130W, and RV215W small business routers.

threatpost.com

 
