CERT-SE's weekly newsletter, week 26

WEEKLY NEWSLETTER

Many reports worth reading in this newsletter, including a thematic deep dive on ransomware from the National Cyber Security Centre (NCSC-SE). There are also write-ups from both Cyber Europe, where CERT-SE staff took part in the exercise, and Midnight Sun CTF. CERT-SE wishes you a pleasant weekend!

News this week

MSB took part in Europe's largest cyber security exercise (20 jun)
https://www.msb.se/sv/aktuellt/nyheter/2024/juni/msb-deltog-i-europas-storsta-cybersakerhetsovning

NCSC statement following reports of a Synnovis data breach (21 jun)
https://www.ncsc.gov.uk/news/ncsc-statement-following-reports-of-a-synnovis-data-breach

30M Potentially Affected in Tickettek Australia Cloud Breach (24 jun)
https://www.darkreading.com/cloud-security/30m-affected-tickettek-australia-cloud-breach

Car dealership outages drag on after CDK cyberattacks (24 jun)
https://techcrunch.com/2024/06/24/car-dealership-outages-drag-on-after-cdk-cyberattack

Levi’s caught with pants down: Hackers expose 72,000 customer account details (24 jun)
https://www.scmagazine.com/news/levis-gets-stripped-of-72000-customer-account-details

‘Mirai-like’ botnet observed attacking EOL Zyxel NAS devices (24 jun)
https://www.theregister.com/2024/06/24/mirailike_botnet_zyxel_nas

CISA confirms hackers may have accessed data from chemical facilities during January incident (24 jun)
https://therecord.media/cisa-confirms-hackers-chemical-facilities

LockBit lied: Stolen data is from a bank, not US Federal Reserve (26 jun)
https://www.bleepingcomputer.com/news/security/lockbit-lied-stolen-data-is-from-a-bank-not-us-federal-reserve

Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack (26 jun)
https://thehackernews.com/2024/06/over-110000-websites-affected-by.html

Exploring Memory Safety in Critical Open Source Projects (26 jun)
https://www.cisa.gov/resources-tools/resources/exploring-memory-safety-critical-open-source-projects

Your Phone’s 5G Connection is Vulnerable to Bypass, DoS Attacks (27 jun)
https://www.darkreading.com/mobile-security/your-phone-s-5g-connection-is-exposed-to-bypass-dos-attacks

‘Poseidon’ Mac stealer distributed via Google ads (27 jun)
https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads

The Importance of Cyber Threat Intelligence: Insights from Recent Nobelium Attacks, SANS Institute (28 jun)
https://www.sans.org/blog/the-importance-of-cyber-threat-intelligence-insights-from-recent-nobelium-attacks

TeamViewer IT security update (28 jun)
https://www.teamviewer.com/en/resources/trust-center/statement

Reports and analyses

Cyber criminals also use AI to work more efficiently (21 jun)
https://computersweden.se/article/2149610/aven-cyberkriminella-anvander-ai-for-effektivisering.html
Cybercriminals and AI: Not Just Better Phishing (12 jun)
https://intel471.com/blog/cybercriminals-and-ai-not-just-better-phishing

NCSC thematic deep dive: Ransomware attacks (23 jun)
https://www.ncsc.se/aktuellt/utpressningsangrepp

New SnailLoad Attack Relies on Network Latency Variations to Infer User Activity (24 jun)
https://www.securityweek.com/new-snailload-attack-relies-on-network-latency-variations-to-infer-user-activity
SnailLoad: Remote Network Latency Measurements Leak User Activity
https://snailload.com

Social Engineering Tactics Targeting Healthcare & Public Health Entities and Providers (24 jun)
https://www.ic3.gov/Media/News/2024/240624.pdf

New Medusa malware variants target Android users in seven countries (25 jun)
https://www.bleepingcomputer.com/news/security/new-medusa-malware-variants-target-android-users-in-seven-countries
Medusa Reborn: A New Compact Variant Discovered (20 jun)
https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered

The Growing Threat of Malware Concealed Behind Cloud Services (25 jun)
https://www.fortinet.com/blog/threat-research/growing-threat-of-malware-concealed-behind-cloud-services

Multiple vulnerabilities in TP-Link Omada system could lead to root access (26 jun)
https://blog.talosintelligence.com/multiple-vulnerabilities-in-tp-link-omada-system

Attackers Exploiting Public Cobalt Strike Profiles (26 jun)
https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles

Snowflake isn’t an outlier, it’s the canary in the coal mine (27 jun)
https://blog.talosintelligence.com/infostealer-landscape-facilitates-breaches

Information security and miscellaneous

New cyber-security taskforce begins meeting to share intelligence on threats to Jersey (25 jun)
https://jerseyeveningpost.com/news/2024/06/25/new-cyber-security-taskforce-begins-meeting-to-share-intelligence-on-threats-to-jersey

Meta’s Virtual Reality Headset Vulnerable to Ransomware Attacks: Researcher (25 jun)
https://www.securityweek.com/metas-virtual-reality-headset-vulnerable-to-ransomware-attacks-researcher

World-class conference and hacking competition (26 jun)
https://www.aktuellsakerhet.se/konferens-och-hackingtavling-i-varldsklass

Försäkringskassan: How the fraudsters can trick you (26 jun)
https://sverigesradio.se/artikel/forsakringskassan-tipsar-sa-luras-bedragarna

Microsoft founder Paul Allen’s tech museum closes, sells off collection (26 jun)
https://www.theregister.com/2024/06/26/paul_allen_museum_closes

CERT-SE this week

Critical vulnerabilities in GitLab (28 jun)
https://www.cert.se/2024/06/kritiska-sarbarheter-i-gitlab.html

Critical vulnerability in FileCatalyst Workflow (27 jun)
https://www.cert.se/2024/06/kritisk-sarbarhet-i-filecatalyst-workflow.html

Critical vulnerability in MOVEit Transfer (26 jun)
https://www.cert.se/2024/06/kritisk-sarbarhet-i-moveit-transfer.html

Publication from NCSC on ransomware (25 jun)
https://www.cert.se/2024/06/publikation-fran-ncsc-om-ransomware.html

CERT-SE took part in Cyber Europe (24 jun)
https://www.cert.se/2024/06/cert-se-deltog-vid-cyber-europe.html

CERT-SE's weekly newsletter, week 25

WEEKLY NEWSLETTER

Registration for Cybersäkerhetskonferensen (the Cyber Security Conference) is now open. The conference will focus on the NIS2 Directive and other legislation in the cyber area. See https://www.msb.se/sv/aktuellt/kalender/2024/oktober/cybersakerhetskonferensen-2024/

The last day to apply for the position as project manager at CERT-SE is approaching; take a look at https://msb.varbi.com/se/what:job/jobID:732300/type:job/where:4/apply:1

CERT-SE wishes you a happy Midsummer!

News this week

Exclusive: ICC probes cyberattacks in Ukraine as possible war crimes, sources say (14 jun)
https://www.reuters.com/world/europe/icc-probes-cyberattacks-ukraine-possible-war-crimes-sources-2024-06-14/

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested (15 jun)
https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/

London Ransomware Attack Led to 1500 Cancelled Appointments and Operations (17 jun)
https://www.infosecurity-magazine.com/news/london-ransomware1500-cancelled/

Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake (17 jun)
https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/

Medibank’s lack of multi-factor authentication allowed hackers to infiltrate systems, regulator alleges (17 jun)
https://www.theguardian.com/australia-news/article/2024/jun/17/medibank-hack-data-breach-federal-court-case

All households in Scottish region to get alert about hackers publishing stolen medical data (17 jun)
https://therecord.media/all-scottish-households-nhs-hack-alert

Fake Google Chrome errors trick you into running malicious PowerShell scripts (17 jun)
https://www.bleepingcomputer.com/news/security/fake-google-chrome-errors-trick-you-into-running-malicious-powershell-scripts/

Malicious activities linked to the Nobelium intrusion set (19 jun)
https://cert.ssi.gouv.fr/cti/CERTFR-2024-CTI-006/

Reports and analyses

From Clipboard to Compromise: A PowerShell Self-Pwn (17 jun)
https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn

KraftCERT/InfraCERT Threat Assessment 2024 (17 jun)
https://www.kraftcert.no/filer/KraftCERT-ThreatAssessment2024.pdf

USB sticks and QR codes: low-tech methods remain major threats (18 jun)
https://computersweden.se/article/2139528/usb-minnen-och-qr-koder-low-tech-metoder-fortsatt-stora-hot.html

Cloaked and Covert: Uncovering UNC3886 Espionage Operations (18 jun)
https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations

LockBit resurgence sees ransomware attacks reach record high in May (20 jun)
https://siliconangle.com/2024/06/20/lockbit-resurgence-sees-ransomware-attacks-reach-record-high-may/

Information security and miscellaneous

The Minister for Public Administration has received a proposal for a digital identity wallet (17 jun)
https://regeringen.se/pressmeddelanden/2024/06/civilministern-har-tagit-emot-forslag-om-en-digital-identitetsplanbok/

After the cyber attack on Tietoevry: those affected want compensation (17 jun)
https://computersweden.se/article/2149327/efter-cyberattacken-mot-tietoevry-drabbade-vill-ha-skadestand.html

The AI assistant for the public sector is now being fed with data: "fully functional prototype" (17 jun)
https://computersweden.se/article/2147759/nu-matas-ai-assistenten-for-offentlig-sektor-med-data-fullt-fungerande-prototyp.html

Cybersäkerhetskonferensen 2024 (the Cyber Security Conference 2024) (17 jun)
https://www.msb.se/sv/aktuellt/kalender/2024/oktober/cybersakerhetskonferensen-2024/

A new National Cyber Security Centre: Part 2 (18 jun)
https://www.regeringen.se/rattsliga-dokument/departementsserien-och-promemorior/2024/06/ett-nytt-nationellt-cybersakerhetcenter—del-2/

Modern Approaches to Network Access Security (18 jun)
https://www.cisa.gov/resources-tools/resources/modern-approaches-network-access-security

CERT-SE this week

Critical vulnerabilities affect VMware vCenter Server (18 jun)
https://www.cert.se/2024/06/kritiska-sarbarheter-paverkar-vmware-vcenter-server.html

CERT-SE's weekly newsletter, week 24

WEEKLY NEWSLETTER

With convincingly crafted messages sent from seemingly legitimate senders, phishing remains one of the most effective methods for fraud and data breaches.

Please read and share our latest article on the topic, published in response to an ongoing phishing campaign targeting Swedish municipalities and schools: https://www.cert.se/2024/06/pagaende-natfiskekampanj-riktad-mot-kommuner-och-skolor.html

CERT-SE wishes you a pleasant weekend!

News this week

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope (6 jun)
https://arstechnica.com/security/2024/06/fbi-urges-lockbit-victims-to-step-forward-after-seizing-7000-decryption-keys
FBI Cyber Assistant Director Bryan Vorndran’s Remarks at the 2024 Boston Conference on Cyber Security (5 jun)
https://www.fbi.gov/news/speeches/fbi-cyber-assistant-director-bryan-vorndran-s-remarks-at-the-2024-boston-conference-on-cyber-security

How easily your child's smartwatch can be hacked (8 jun)
https://www.svt.se/nyheter/inrikes/sa-latt-hackas-ditt-barns-smarta-klocka

Cylance confirms data breach linked to ‘third-party’ platform (10 jun)
https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform

O-type blood donors needed after London cyber-attack (10 jun)
https://www.bbc.com/news/articles/c2eeg9gygyno

Two cuffed over suspected smishing campaign using ‘text message blaster’ (10 jun)
https://www.theregister.com/2024/06/10/two_arrested_in_uk_over

Region Dalarna in heightened readiness (stabsläge) due to disruptions in its medical records system and intranet (11 jun)
https://www.regiondalarna.se/press/nyheter-och-pressmeddelanden/region-dalarna-i-stabslage-pa-grund-av-storningar-i-journalsystem-och-intranatet

Pure Storage confirms data breach after Snowflake account hack (11 jun)
https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack
Security Bulletin for Unauthorized Access to Telemetry Information (14 jun)
https://support.purestorage.com/bundle/m_security_bulletins/page/Employee_Handbooks/Technical_Services/PSIRT/topics/concept/c_support_escalation_how_to_escalate_a_case.html

The IT attack: thousands of hospital files still on the darknet (12 jun)
https://sverigesradio.se/artikel/it-attacken-tusentals-sjukhusfiler-fortfarande-pa-darknet
The hospital's CEO breaks the silence: this is what was stolen in the IT attack (12 jun)
https://sverigesradio.se/artikel/sjukhusets-vd-journaluppgifter-lackte-vid-it-attacken

New phishing toolkit uses PWAs to steal login credentials (12 jun)
https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-uses-pwas-to-steal-login-credentials

Phone Scammers Impersonating CISA Employees (12 jun)
https://www.cisa.gov/news-events/alerts/2024/06/12/phone-scammers-impersonating-cisa-employees

Ransomware Group Exploits Critical PHP Flaw (12 jun)
https://www.darkreading.com/vulnerabilities-threats/tellyouthepass-ransomware-exploits-critical-php-flaw

Ascension hacked after employee downloaded malicious file (13 jun)
https://www.infosecurity-magazine.com/news/ascension-attack-employee/

City governments in Michigan, New York face shutdowns after ransomware attacks (13 jun)
https://therecord.media/traverse-city-michigan-newburgh-new-york-ransomware

Phishing campaign impacting organisations and New Zealanders (14 jun)
https://www.cert.govt.nz/individuals/alerts/phishing-campaign-impacting-new-zealand-organisations

MSB warns schools and municipalities about new phishing campaign (14 jun)
https://computersweden.se/article/2147697/msb-varnar-skolor-och-kommuner-for-ny-natfiskekampanj.html

Reports and analyses

Dissecting SSLoad Malware: A Comprehensive Technical Analysis (10 jun)
https://intezer.com/blog/research/ssload-technical-malware-analysis

May 2024’s Most Wanted Malware: Phorpiex Botnet Unleashes Phishing Frenzy While LockBit3 Dominates Once Again (10 jun)
https://blog.checkpoint.com/research/may-2024s-most-wanted-malware-phorpiex-botnet-unleashes-phishing-frenzy-while-lockbit3-dominates-once-again

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment (10 jun)
https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment

A Brief History of SmokeLoader, Part 1 (11 jun)
https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-1

Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day (12 jun)
https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day

Dipping into Danger: The WARMCOOKIE backdoor (12 jun)
https://www.elastic.co/security-labs/dipping-into-danger

WithSecure Reveals Mass Exploitation of Edge Software and Infrastructure Appliances (12 jun)
https://www.infosecurity-magazine.com/news/withsecure-exploitation-edge/
https://labs.withsecure.com/publications/mass-exploitation-the-vulnerable-edge-of-enterprise-security

Facebook, Meta, Apple, Amazon Most Impersonated in Phishing Scams (12 jun)
https://hackread.com/facebook-meta-apple-amazon-impersonate-phishing-scams/

Information security and miscellaneous

Sweden's geological information is now being released as open data (10 jun)
https://computersweden.se/article/2140077/nu-slapps-sveriges-geologiska-information-som-oppna-data.html

New internet routing security rules proposed by FCC (10 jun)
https://www.scmagazine.com/brief/new-internet-routing-security-rules-proposed-by-fcc

The Berzelius supercomputer is being upgraded to double its capacity (11 jun)
https://news.cision.com/se/linkopings-universitet/r/superdatorn-berzelius-uppgraderas-till-dubbla-kapaciteten,c3998165

New CRA law friendlier to open source (11 jun)
https://etn.se/index.php/teknik/71169-ny-cra-lag-vanligare-mot-oppen-kallkod.html

The mystery of an alleged data broker’s data breach (11 jun)
https://techcrunch.com/2024/06/11/the-mystery-of-an-alleged-data-brokers-data-breach

White House report dishes deets on all 11 major government breaches from 2023 (12 jun)
https://www.theregister.com/2024/06/12/white_house_report/

Sky-high bill for IT outages at the largest companies (12 jun)
https://computersweden.se/article/2143164/skyhog-nota-for-it-avbrott-for-de-storsta-foretagen.html

Rockwell’s ICS Directive Comes as Critical Infrastructure Risk Peaks (13 jun)
https://www.darkreading.com/ics-ot-security/rockwell-ics-directive-critical-infrastructure-risk-peaks

Prevalence and Impact of Password Exposure Vulnerabilities in ICS/OT (13 jun)
https://www.securityweek.com/prevalence-and-impact-of-password-exposure-vulnerabilities-in-ics-ot/

CERT-SE this week

Microsoft's monthly security updates for June 2024 (12 jun)
https://www.cert.se/2024/06/microsofts-manatliga-sakerhetsuppdateringar-for-juni-2024.html

Adobe's monthly security updates for June 2024 (13 jun)
https://www.cert.se/2024/06/adobes-manatliga-sakerhetsuppdateringar-for-juni-2024.html

Ongoing phishing campaign targeting municipalities and schools (13 jun)
https://www.cert.se/2024/06/pagaende-natfiskekampanj-riktad-mot-kommuner-och-skolor.html

CERT-SE's weekly newsletter, week 23

WEEKLY NEWSLETTER

A summary of the week's news, between the National Day celebrations and polling day for the 2024 EU election. As usual, both national and international events as well as a number of analyses worth reading. Among other news, we note that NCSC-SE has published a save the date for its annual conference, on 19 November 2024.

Have a nice weekend!

News this week

Spanish police investigate whether hackers stole millions of drivers’ data (31 May)
https://www.reuters.com/technology/cybersecurity/spanish-police-investigate-whether-hackers-stole-millions-drivers-data-2024-05-31/

Ticketmaster hit by data hack that may affect 560m customers (1 jun)
https://www.theguardian.com/technology/article/2024/jun/01/live-nation-investigating-data-breach-of-its-us-ticketmaster-unit

Germany’s Christian Democratic party hit by ‘serious’ cyberattack (1 jun)
https://www.reuters.com/technology/cybersecurity/germanys-christian-democratic-party-hit-by-serious-cyberattack-2024-06-01/

Identities of Cybercriminals Linked to Malware Loaders Revealed (3 jun)
https://www.securityweek.com/identities-of-cybercriminals-linked-to-malware-loaders-revealed/

Denmark's national cyber security centre (CFCS) raises the threat level for destructive cyber attacks (4 jun)
https://www.cfcs.dk/da/nyheder/2024/center-for-cybersikkerhed-haver-trusselsniveauet-for-destruktive-cyberangreb/

Major cyberattack sees NHS London hospitals declare critical incident with operations cancelled (4 jun)
https://www.bbc.com/news/articles/c288n8rkpvno

Cyber attack on Trafikverket: website down (4 jun)
https://www.svt.se/nyheter/inrikes/cyberattack-mot-trafikverket-hemsidan-nere

361 million account credentials leaked on Telegram: Are yours among them? (4 jun)
https://www.helpnetsecurity.com/2024/06/04/check-account-credentials-compromised/

CISA Warns of Attacks Exploiting Old Oracle WebLogic Vulnerability (4 jun)
https://www.securityweek.com/cisa-warns-of-attacks-exploiting-old-oracle-weblogic-vulnerability/

Cyberattack disrupts operations of supermarkets across Russia (4 jun)
https://therecord.media/cyberattack-disrupts-supermarket-operations-russia

Four arrested for allegedly attempting to sabotage Interpol criminal search system (5 jun)
https://therecord.media/interpol-red-alert-system-corruption-moldova-arrests

TikTok warns of exploit aimed at ‘high-profile accounts’ (4 jun)
https://therecord.media/tiktok-exploit-high-profile-accounts

Hacker attack on Sweden's courts: websites experiencing problems (5 jun)
https://sverigesradio.se/artikel/hackerattack-mot-sveriges-domstolar-sajter-har-problem

Reports and analyses

Ransomware Rebounds: Extortion Threat Surges in 2023, Attackers Rely on Publicly Available and Legitimate Tools (3 jun)
https://cloud.google.com/blog/topics/threat-intelligence/ransomware-attacks-surge-rely-on-public-legitimate-tools

A SANS’s 2024 Threat-Hunting Survey Review (4 jun)
https://www.trendmicro.com/en_no/research/24/f/sans-2024-threat-hunting-survey-review.html
https://www.sans.org/white-papers/sans-2024-threat-hunting-survey-hunting-normal-within-chaos/

#Infosec2024: Conflicts Drive DDoS Attack Surge in EMEA (4 jun)
https://www.infosecurity-magazine.com/news/conflicts-drive-ddos-attacks-emea/

TargetCompany’s Linux Variant Targets ESXi Environments (5 jun)
https://www.trendmicro.com/en_us/research/24/f/targetcompany-s-linux-variant-targets-esxi-environments.html

RansomHub: New Ransomware has Origins in Older Knight (5 jun)
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers (6 jun)
https://www.trendmicro.com/en_us/research/24/f/commando-cat-a-novel-cryptojacking-attack-.html

Information security and miscellaneous

Farmers' concern: cyber attacks could knock out agriculture (31 May)
https://www.svt.se/nyheter/lokalt/orebro/bondernas-oro-cyberattacker-kan-sla-ut-jordbruket

Hurdling Over Hazards: Multifaceted Threats to the Paris Olympics (4 jun)
https://www.recordedfuture.com/hurdling-over-hazards-multifaceted-threats-to-the-2024-paris-olympics

NIST is finally getting help with the National Vulnerability Database backlog (4 jun)
https://www.csoonline.com/article/2138449/nist-is-finally-getting-help-with-the-national-vulnerability-database-backlog.html

Save the date: the NCSC conference 2024
https://www.ncsc.se/aktuellt/ncsc-konferensen-2024/

Poland to invest $760 million in cyberdefense as Russian pressure mounts (5 jun)
https://therecord.media/poland-cyberdefense-spending-russian-attacks

IBM blog: 5 takeaways from the White House cybersecurity workforce discussion (5 jun)
https://securityintelligence.com/news/5-takeaways-white-house-cybersecurity-workforce-oncd/

FBI Cyber Lead Urges Potential LockBit Victims to Contact Internet Crime Complaint Center (5 jun)
https://www.fbi.gov/news/stories/fbi-cyber-lead-urges-potential-lockbit-victims-to-contact-internet-crime-complaint-center

How to watch the European election like a Pro (6 jun)
https://www.politico.eu/article/european-parliament-election-pro/

CERT-SE this week

Zero-day vulnerability in VPN products from Check Point (updated 3 jun)
https://www.cert.se/2024/05/nolldagssarbarhet-i-vpn-produkter-fran-check-point.html