Daily summary - 28.10.2019

End-of-Day report

Timeframe: Friday 25-10-2019 18:00 - Monday 28-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter

News

Network traffic analysis for IR: Analyzing fileless malware

Fileless malware is malware authors' response to traditional malware identification and analysis techniques. Many antiviruses operate by using signature-based analysis to identify malicious files on a computer. By ensuring that a malicious file is never saved on the filesystem, malware authors can make their attacks much more difficult to detect and [...]

https://resources.infosecinstitute.com/network-traffic-analysis-for-ir-analyzing-fileless-malware/


Steam-powered scammers

One of the most popular platforms among users (and hence cybercriminals) is Steam, and we've been observing money-making schemes to defraud its users for quite some time. Since June, however, such attacks have become more frequent and, compared to previous attempts, far more sophisticated.

https://securelist.com/steam-powered-scammers/94553/


Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise

Experts on demand is now generally available and gives customers direct access to real-life Microsoft threat analysts to help with their security investigations.

https://www.microsoft.com/security/blog/2019/10/28/experts-on-demand-your-direct-line-to-microsoft-security-insight-guidance-and-expertise/


Using scdbg to Find Shellcode, (Sun, Oct 27th)

I've written a couple of diary entries about scdbg, a Windows 32-bit shellcode emulator.

https://isc.sans.edu/diary/rss/25460


VB2019 paper: Inside Magecart: the history behind the covert card-skimming assault on the e-commerce industry

Today we publish the VB2019 paper by RiskIQ researcher Yonathan Klijnsma, who looked at the Magecart web-skimming attacks.

https://www.virusbulletin.com:443/blog/2019/10/vb2019-paper-inside-magecart-history-behind-covert-card-skimming-assault-e-commerce-industry/


Ouroboros Ransomware decryption tool

Ouroboros ransomware has been around for more than a year in various forms, operated by different cybercrime groups. Ouroboros, known to spread via Remote Desktop Protocol brute-force attacks and deceptive downloads, has claimed a significant number of victims worldwide. We're now happy to announce the availability of a new decryptor that can restore files with the .Lazarus and .Lazarus+ extensions to their original, unencrypted form.

https://labs.bitdefender.com/2019/10/ouroboros-ransomware-decryption-tool/


New Ransomware CCryptor struck, which can encrypt 362 file types

Recently, 360 Security Center captured a new type of ransomware, CCryptor. The attacker spread the virus by delivering phishing emails, and the CVE-2017-11882 vulnerability was [...]

https://blog.360totalsecurity.com/en/new-ransomware-ccryptor-struck-which-can-encrypt-362-file-types/

Vulnerabilities

Updates for PHP7: NGINX servers with PHP-FPM were remotely attackable

Operators of an NGINX web server with PHP-FPM should update promptly: current PHP versions close a vulnerability for which exploit code exists.

https://heise.de/-4570800


Security updates for Monday

Security updates have been issued by Arch Linux (chromium, firefox, php, and thunderbird), Debian (file, golang-1.11, libarchive, libxslt, mosquitto, php5, and proftpd-dfsg), Fedora (apache-commons-compress, chromium, java-1.8.0-openjdk, java-11-openjdk, jss, kernel, kernel-headers, kernel-tools, libpcap, mod_auth_openidc, tcpdump, and xpdf), openSUSE (kernel, openconnect, procps, python, sysstat, and zziplib), and SUSE (binutils, docker-runc, ImageMagick, nfs-utils, and xen).

https://lwn.net/Articles/803318/