Deductive Labs

Deductive Labs provides information security services and delivers effective solutions to companies and organizations.

23/12/2021

Yet some more critical vulnerabilities in Apache, this time not log4j but the world known and most used HTTP server.

So before you IT admins go on Christmas holidays, make sure you patch your Apache httpd servers to 2.4.52 so you don't get pwned by the Christmas Grinch/hacker! 👍💪❤️

CVE-2021-44790: Possible buffer overflow when parsing a carefully crafted request in the mod_lua multipart parser of Apache HTTP Server 2.4.51 and earlier. Apache said that its HTTPD team hasn’t seen an exploit, but “it might be possible to craft one.”

CVE-2021-44224: Possible NULL dereference or Server Side Request Forgery (SSRF) in forward proxy configurations, likewise in Apache HTTP Server 2.4.51 and earlier.

https://threatpost.com/apache-httpd-server-bugs-rce-dos/177234/

https://nakedsecurity.sophos.com/2021/12/21/apaches-other-product-critical-bugs-in-httpd-web-server-patch-now/

https://httpd.apache.org/security/vulnerabilities_24.html

Don't freak: It's got nothing to do with Log4Shell, except it may be just as far-reaching as Log4j, given HTTPD's tendency to tiptoe into software projects.

14/12/2021

SentinelOne vs

Do you need the best EDR/XDR protection on the market? We can provide you with SentinelOne for your environment.

Let us take care of your cybersecurity so that you can focus on your business. And surfing the Internet. And clicking on links. And attachments. Securely. 🛡️

Watch SentinelOne protect against the Log4j2 vulnerability. In this Windows demo, we used a publicly available POC with a weaponized malicious PowerShell scr...

13/12/2021

The log4j vulnerability is being actively exploited! Patch immediately if you use log4j in your services/environments!

The National Cyber Security Centre develops and monitors the reliability and security of communication networks and services. We produce the situational picture of information security.

07/12/2021

There are still places available for the IT security seminar with Ålands Näringsliv.

"On 9 December 2021, 08:30-12:00, Ålands Näringsliv together with Deductive Labs is holding a morning seminar on IT security in Åland. The seminar covers IT security for companies and organisations in Åland today, current regulations and formal requirements, as well as several examples of how to work systematically and with good follow-up on IT security issues within the organisation."

Register via the link below:

Preliminary programme*:
08:30 Welcome / Ålands Näringsliv
08:40 Introduction to IT security / Deductive Labs: IT security in Åland, status, "what's on"? Legislation and formal requirements. What does the organisation itself need to review? Policies, antivirus and "we're working on ...

09/09/2021

GREAT NEWS TODAY:
The Finnish Shipowners’ Association and the National Emergency Supply Agency have published guidelines for shipping companies and vessels on best practices in cybersecurity.

>> https://shipowners.fi/en/new-maritime-cybersecurity-guidelines-for-shipping-companies-and-vessels/
>> https://www.huoltovarmuuskeskus.fi/en/publications

The project started in January 2021, and we at Deductive Labs were selected to carry out the study, prepare the material and write the final reports.
The output is a set of guidelines for shipping companies and vessels on best practices in cybersecurity, as well as a complete report.
We are really happy and thankful for the collaboration with the professionals from all organisations, participants, and the project and steering groups, and it feels great to finally see the final result.

Online reports are available from the websites of the Finnish Shipowners’ Association and the National Emergency Supply Agency. Paper versions will be available during autumn 2021.

27/08/2021

"The new ships are full of networked devices and it exposes them to cyber attacks - the brand new Aurora Botnia is a floating computer".

https://yle.fi/uutiset/3-12026736

Article on Yle about Wasaline's new vessel Aurora Botnia, with Kim Halavakoski giving his views on maritime cybersecurity. (Article in Finnish)


10/08/2021

Patch your Exchange servers!

SANS Internet Storm Center - A global cooperative cyber threat / internet security monitor and alert system, featuring daily handler diaries summarizing and analyzing new threats to networks and internet security events.

05/07/2021

You may have heard of the Kaseya supply chain attack that has infected over 1 million computers of companies using Kaseya.

The cybercriminals are now demanding $70 million in ransom for decryption of all affected victims.

One of the affected victims is Coop, a Swedish supermarket chain. Coop was forced to shut down its stores over the weekend because it could not process payments.

This is the unfortunate impact of a successful supply chain cyberattack that all companies need to be aware of and consider in their approach to cybersecurity and in outsourcing critical functions to third party suppliers.

Deductive Labs can help with identifying critical third parties, creating cybersecurity requirements for the delivery of their services, and monitoring and assessing their services on a continuous basis.

Contact us and help us secure your environment!

REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files.

08/06/2021

User accounts and passwords are one of the key(pun intended) parts that keeps your accounts and data safe.

Many just shrug it off by saying something like "Who would want my password?" or "I have nothing of value and I'm not interesting to cybercriminals".

But the fact is that your accounts and information are potentially valuable to cybercriminals. Your email could be used to gain access to various services, including financial, payment and health information.

So what do you need to do about it?
How do you manage your passwords?
Do you use strong passwords?
Do you use the same password on multiple services/accounts? Do you have MFA enabled?

Some quick solid tips for passwords:

- use strong passwords
- use unique passwords for each service. Don't re-use passwords
- use a password manager
- enable MFA for all accounts where possible
... and read the linked Naked Security blog post for some interesting facts about passwords seen in breaches and dumps.

Passwords – don’t just pay them lip service.

06/06/2021

Attackers used compromised password to breach Colonial Pipeline:

"Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network"

The user account had probably been hacked on another service where the user probably used the same password on internal and external services. A big bad *NO* in password best practices.

"The account’s password has since been discovered inside a batch of leaked passwords on the dark web. That means a Colonial employee may have used the same password on another account that was previously hacked"

This attack is called credential harvesting, where attackers take leaked credentials from hacked services and re-use them to gain access to other services the victim uses. Unfortunately this method works because many users use the same password for many services. When one of these services is breached, attackers gain access to all other services where the same password is used.

Recommendations:

- don't use the same password on different accounts and services
- use different password for work and private
- use MFA for all your accounts where possible
- use a password manager to securely store your passwords (Bitwarden, 1Password, etc.)
- regularly review user access and remove accounts that are not used
- check your logs for intrusions

The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack.

06/06/2021

Critical vulnerability in VMware is actively being exploited:

- VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21985)

How is your VMware environment doing? Have you applied the latest security patches? Is your VMware vCenter Server exposed to the Internet or other untrusted networks?

- restrict access to VMware vCenter Server ports (vSphere Client)
- install patches ASAP
- check logs for IOCs (see AttackerKB for details, IOCs, etc.: https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985)

As always, if you need help with log analysis or incident response, contact us via email at:

[email protected]

Be safe!

VMware vCenter Server updates address remote code execution and authentication vulnerabilities (CVE-2021-21985, CVE-2021-21986)

05/06/2021

The Finnish National Cyber Security Centre reports that malicious Android apps are currently being spread via text messages in Finland.

Be careful with SMS messages about parcels containing links from unknown senders. Delete the message and go via the official websites of the logistics companies (Posti, DHL, UPS, etc.) to check information about real deliveries you are actually expecting.


Address

Hamngatan 8
Mariehamn
