Doing one of the best jobs impersonating a website ever seen, this new scam attempts to take those renewing or initially signing up through a believable process that most would fall for.
Most of the time, impersonation scams take you to a “website” that’s more than a single web page designed to look like the login page of the impersonated brand. But a new scam centered around registering for or renewing with TSA PreCheck takes the impersonation website to an entirely new level.
According to security researchers at Abnormal Security, this new scam starts out as wonky as most phishing scams with an email that doesn’t quite feel like it’s really from the TSA.
Log4j: Getting ready for the long haul
Friday (Dec. 10th), we moved our Infocon to “Yellow” for the first time in about two years. We saw an immediate need to get the word out as the log4shell vulnerability ( CVE-2021-44228) was actively exploited and affected various widely used products. Patches and workarounds were not readily available at the time. Our Infocon indicates “change,” not “steady-state.” By now, everybody in infosec knows about log4shell. This morning I noticed that even cnn.com had log4j/log4shell mentioned at the top of the page. Once CNN covers an infosec topic like this: It should be old news for anybody “in the field.”
We are now moving our “Infocon” back to “green.”
Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon. Treat it as such. Mick pointed that out in our live stream yesterday, and it is probably the most important thing you need to plan for now: How to live with log4shell long term.
continue reading: https://isc.sans.edu/diary/rss/28130
Collecting In the Dark: Tropic Trooper Targets Transportation and Government
Earth Centaur, previously known as Tropic Trooper, is a long-running cyberespionage threat group that has been active since 2011. In July 2020, we noticed interesting activity coming from the group, and we have been closely monitoring it since. The actors seem to be targeting organizations in the transportation industry and government agencies related to transport.
We observed that the group tried to access some internal documents (such as flight schedules and documents for financial plans) and personal information on the compromised hosts (such as search histories). Currently, we have not discovered substantial damage to these victims as caused by the threat group. However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data.
‘Seedworm’ Attackers Target Telcos in Asia, Middle East
Attackers targeting telcos across the Middle East and Asia for the past six months are linked to Iranian state-sponsored hackers, according to researchers. The cyberespionage campaigns leverage a potent cocktail of spear phishing, known malware and legitimate network utilities that are leveraged to steal data and potentially disrupt supply-chains.
Researchers outlined their findings on Tuesday in a report that says attacks are targeting a number of IT services organizations and a utility company. Although the initial attack vector is as yet unclear, threat actors appear to gain entry to networks using spear-phishing and then steal credentials to move laterally, according to the report published by Symantec Threat Hunter Team, a division of Broadcom.
Cuba Ransomware Analysis
Due to the recent warning published by the FBI about Cuba ransomware (original FBI warning no longer available online for unknown reasons), from Lab52 we decided to publish some information about this ransomware family. Despite the fact that the ransomware has been named Cuba, there is no clear evidence linking the country to the implementation or perpetration of this type of attacks.
Nonetheless, the geopolitical analysis has revealed a few details of strategic interest. Firstly, the fact that most of the countries attacked, according to a McAfee report, correspond to those located in Latin America, North America and Europe. Of these, the most targeted were: Spain, Colombia and Germany. However, when looking at the possible link between the countries attacked and the sectors compromised, it has not been possible to identify a clear interest in the attack, since although Colombia is a US ally in Latin America and a NATO observer state, and Spain is a member of the European Union and NATO with a good geostrategic position, none of them stand out among the critical sectors that have been attacked.
continue reading: https://lab52.io/blog/cuba-ransomware-analysis/
TinyNuke Banking Malware Targets French Entities
Proofpoint identified multiple recent campaigns leveraging invoice-themed lures to distribute the uncommonly observed TinyNuke malware. The activity marks a stark reappearance of this threat, which has not been seen with regularity since 2018. The campaigns target hundreds of customers in various industries including manufacturing, technology, construction, and business services. The campaigns use French language lures with invoice or other financial themes, and almost exclusively target French entities and companies with operations in France.
TinyNuke is a banking trojan that first appeared in Proofpoint data in 2017 targeting French companies. It is similar to the notorious banking trojan Zeus, which has many variants with identical functionality. TinyNuke can be used to steal credentials and other private information and can be used to enable follow-on malware attacks. The author initially released the code on GitHub in 2017, and although the original repo is no longer available, other open-source versions of the malware exist.
Zero-day critical vulnerability in Log4j2 exploited in the wild
On December 9, 2021, Apache disclosed CVE-2021-44228, a remote code execution vulnerability – assigned with a severity of 10 (the highest possible risk score). The source of the vulnerability is Log4j, a logging library commonly used by a wide range of applications, and specifically versions up to 2.14.1 (Note: this vulnerability is also known as Log4Shell).
Log4j is an open source library, part of the Apache Logging Services, written in Java. The original release of the Java Development Kit (JDK) did not include logging APIs, so Java logging libraries quickly gained popularity including Log4j. The Log4j library is widely used by other frameworks, such as Elasticsearch, Kafka and Flink, that are foundational for many popular web sites and services.
Virginia legislative agencies and commissions hit with ransomware attack
A ransomware attack has hit agencies and commissions within the Virginia legislature, according to a statement from the governor’s office to the Associated Press.
Alena Yarmosky, spokesperson for Virginia Governor Ralph Northam, said the governor has been briefed on the attack, which currently affects Virginia’s Division of Legislative Automated Systems, the General Assembly’s IT agency. Yarmosky did not respond to requests for comment about the specifics of the attack.
Read more Cyber Security News at https://que.com/tag/cybersecurity/