End-of-Day report
Timeframe: Friday 02-10-2020 18:00 - Monday 05-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
MosaicRegressor: Lurking in the Shadows of UEFI
We found a compromised UEFI firmware image that contained a malicious implant. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild.
https://securelist.com/mosaicregressor/98849/
Egregor Ransomware Threatens "Mass-Media" Release of Corporate Data
The newly discovered ransomware is hitting companies worldwide, including the GEFCO global logistics company.
https://threatpost.com/egregor-ransomware-mass-media-corporate-data/159816/
Scanning for SOHO Routers, (Sat, Oct 3rd)
In the past 30 days there has been a lot of scanning activity looking for small office and home office (SOHO) routers, targeting Netgear devices.
https://isc.sans.edu/diary/rss/26638
Raccine tool aims to protect Windows shadow copies from ransomware
Ransomware encrypts files and deletes data that victims could use for recovery. The free tool Raccine aims to help.
https://heise.de/-4920206
Attacks Aimed at Disrupting the Trickbot Botnet
Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.
https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/
Black-T: New Cryptojacking Variant from TeamTnT
Code within the Black-T malware sample gives evidence of a shift in tactics, techniques and procedures for TeamTnT operations.
https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/
Shodan Verified Vulns 2020-10-05
As announced in our blog post from September, we want to provide a monthly overview of Shodan's "Verified Vulnerabilities" in Austria.
https://cert.at/de/aktuelles/2020/10/shodan-verified-vulns-2020-10-05
Vulnerabilities
Tenda Router Zero-Days Emerge in Spyware Botnet Campaign
A variant of the Mirai botnet, called Ttint, has added espionage capabilities to complement its denial-of-service functions.
https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/
Patch urgently: around a quarter of a million Exchange servers vulnerable
Criminals are exploiting a vulnerability in Microsoft Exchange to take over servers. A patch has been available since February.
https://heise.de/-4920095
Security Bulletin: IBM Cloud Pak for Integration Operators affected by multiple vulnerabilities
Operators for IBM Cloud Pak for Integration (CP4I) version 2020.2 are affected by vulnerabilities in Go prior to Go version 1.14.7.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-operators-affected-by-multiple-vulnerabilities/
Multiple critical vulnerabilities in RocketLinx Series
https://sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilities-in-rocketlinx-series/
WAGO: XSS vulnerability in Web-UI in WAGO 750-88X and WAGO 750-89X
https://cert.vde.com/de-de/advisories/vde-2020-029
WAGO: Vulnerability in web-based authentication in WAGO 750-8XX Version <= FW07
https://cert.vde.com/de-de/advisories/vde-2020-027
WAGO: Authentication Bypass Vulnerability in WAGO 750-36X and WAGO 750-8XX Versions <= FW03
https://cert.vde.com/de-de/advisories/vde-2020-028