Daily Top 10 Countries – July 27, 2020
New unique DDoS malware hosts detected by country:
China: 363
Taiwan: 319
Vietnam: 279
Egypt: 198
Greece: 84
United States: 57
South Korea: 55
Hong Kong: 53
Brazil: 51
Malaysia: 48
Source: bad_packets
27th July
Alert: Potential legacy risk from malware targeting QNAP NAS devices
Campaigns
The NCSC and CISA have identified two campaigns of activity for QSnatch malware. The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This alert focuses on the second campaign as it is the most recent threat.It is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat remains to unpatched devices.
Although the identities and objectives of the malicious cyber actors using QSnatch are currently unknown, the malware is relatively sophisticated, and the cyber actors demonstrate an awareness of operational security.
Global distribution of infections
Analysis shows a significant number of infected devices. In mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 3,900 were in the UK and 7,600 were in the US.
Original advisory
Community topic: UK/US Governments Warn of QNAP NAS Malware
I just realised I posted the very same thing! 
old notice, but of severity that I felt it important to include; was previously mentioned in News thread
2020-06-11 - Anarcat
CVE-2020-13777 GnuTLS audit: be scared
… You are reading this correctly: supposedly encrypted TLS connections made with affected GnuTLS releases are vulnerable to passive cleartext recovery attack (and active for 1.3, but who uses that anyways).
2020-08-01 - Abrams, Lawrence - Bleeping Computer
Confirmed: Garmin received decryptor for WastedLocker ransomware
BleepingComputer can confirm that Garmin has received the decryption key to recover their files encrypted in the WastedLocker Ransomware attack.
Following article dated 2020-07-28, author Cimpanu, Catalin:
Context: Previously mentioned in News thread when only outage, and an attack was suspected.
Searchability: WastedLocker, EvilCorp
following article dated 2020-07-31, author Cimpanu, Catalin
mentioned in News thread, and in the ISC stormcast for 2020-08-10
| Date | Author | Article | |
|---|---|---|---|
| 2020-08-07 | Kevin Bock; iyouport; Anonymous; Merino, Louis-Henri; Fifield, David; Houmansadr, Amir; Levin, Dave |
Exposing and Circumventing China’s Censorship of ESNI | Great Firewall Report |
| 2020-08-08 | Cimpanu, Catalin | China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI | ZDNet |
| 2020-08-11 | China now blocking ESNI-enabled TLS 1.3 connections, say Great-Firewall-watchers | Register |
Portable Document Flaws 101 presentation by Jens Müller at Blackhat
There is now an associated GitHub repo; see the readme file for an overview comparison table:
“Microsoft will retire content that is Windows-signed for Secure Hash Algorithm 1 (SHA-1) from the Microsoft Download Center on August 3, 2020.”
older news (2020-07-29), but potentially has large effects; are these downloads entirely impossible to find now?
| Date | Author | Article | |
|---|---|---|---|
| 2020-07-28 | Namrata_Bachwani (Microsoft Tech Community) | SHA-1 Windows content to be retired August 3, 2020 | Microsoft |
| 2020-07-29 | Cimpanu, Catalin | Microsoft to remove all SHA-1 Windows downloads next week | ZDNet |
One of these was particularly useful, thanks.
Interesting info on the tor network being used to target Bitcoin users.
Glad to hear it.
Maybe if we get into a more consistent rhythm and format for posting, we should turn this into a meta/discussion thread, and fork off a more formal Ticker thread, which links here for posting formatting/rules. Maybe not yet though, this doesn’t see quite enough activity to warrant that yet.
For the time being I will still be a bit inconsistent when I post; I am still trying to sort out how best to format this sort of stuff.
We are obviously being less formal than the dump thread, where only links, onebox, or onebox-equivalent content is acceptable, but I very much like the idea of linking to more than only one source; however, once you have multiple sources, the redundant oneboxes become a hindrance to readability. The news-dump thread model is clearly best for single-source, one onebox per story posting.
I suppose the ideal would be to have the primary sources first, followed by all the secondaries, but the onebox of a secondary source does usually give an overview, that the primary source may be lacking.
As seen above I have tried a raw list of sources with a brief description, but that is far more time intensive, and I am not sure I could keep it up.
I should also note that the News-dump thread’s archiving policy is really bad for links, as it breaks either the links to the post, or the cached link-back from the news-dump post.
Yeah, as with the first post. This was a way for people to quickly drop in links to new security topics and emerging security issues without the need to spend time on it (as usually we got stuff to do at the time of finding a new piece of security info). So the idea being anything that gained further discussion can have a new topic created from it (of which there are a couple here).
Obviously its a slow thread (I even forget to update it sometimes as im often doing something about what I find and forget), so participation welcome. Id would be good to get a good source collection here of incoming up to date security info.
You can ‘disable’ one boxes by putting a space before the link (I might add that to the top post.)
Can’t look at the article because my German internet is currently not behaving.
Let me just say “Bild” is the least trustworthy of all newspapers in Germany.
Mentioned in 2020-08-21 ISC Stormcast. News thread crosslink
My understanding is that DW and ZDF are respectively the external and internal public broadcasters for Germany, together akin to a BBC (UK), PBS (US), ABC (AU), or TVNZ (NZ). I assumed DW reporting on it was a sufficient mark of credibility to post here.
That is correct.
Also: The BWFuhrparkService was really attacked, does not seem to be anything critial according to Tagesschau.de ← article in German only