Daily summary - 02.11.2020

End-of-Day report

Timeframe: Friday 30-10-2020 18:00 - Monday 02-11-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter

News

Security vulnerability: zero-day in the Windows kernel disclosed

Google disclosed the vulnerability after only 7 days because it was already being actively exploited. No patches are available.

https://www.golem.de/news/sicherheitsluecke-zero-day-im-windows-kernel-veroeffentlicht-2011-151854-rss.html


More File Selection Gaffes, (Sat, Oct 31st)

A reader submitted a file that turned out to be a mass mailer project file used by malicious actors.

https://isc.sans.edu/diary/rss/26722


CSS-JS Steganography in Fake Flash Player Update Malware

This summer, MalwareBytes researcher Jérôme Segura wrote an article about how criminals use image files (.ico) to hide JavaScript credit card stealers on compromised e-commerce sites. In a tweet, Affable Kraut also reported another similar obfuscation technique using .ico files to conceal JavaScript skimmers. Just something I've noticed more recently with digital skimmers/#magecart.

https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html


How to Protect Yourself From Pwned and Password Reuse Attacks

Many businesses are currently looking at how to bolster security across their organization as the pandemic and remote work situation continues to progress towards the end of the year. As organizations continue to implement security measures to protect business-critical data, there is an extremely important area of security that often gets overlooked - passwords.

https://thehackernews.com/2020/11/how-to-protect-yourself-from-pwned-and.html


NAT Slipstreaming

NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.

https://samy.pl/slipstream/


Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment

UPDATE (Oct. 30, 2020): We have updated the report to include additional protection and containment strategies based on front-line visibility and response efforts in combating ransomware. While the full scope of recommendations included within the initial report remain unchanged, the following strategies have been added into the report: [...]

https://www.fireeye.com/blog/threat-research/2019/09/ransomware-protection-and-containment-strategies.html


Cisco Talos Advisory on Adversaries Targeting the Healthcare and Public Health Sector

Cisco Talos has become aware that an adversary is leveraging Trickbot banking trojan and Ryuk ransomware to target U.S. hospitals and healthcare providers at an increasing rate. Security journalists reported on October 28, 2020 that the adversary was preparing to encrypt systems at "potentially hundreds" of medical centers and hospitals, based on a tip from a researcher who had been monitoring communications for the threat actor.

https://blog.talosintelligence.com/2020/10/healthcare-advisory.html


RiskIQ Has Released Its Corpus of Infrastructure and IOCs Related to Ryuk Ransomware

Ryuk Ransomware has flooded US hospitals, threatening to shut down their operations when they're needed most. Ryuk now accounts for a third of all ransomware attacks in 2020, with its operators finding success while many healthcare organizations are most vulnerable. However, the cybersecurity community is coming together to combat this rash of attacks, combining resources to provide network defenders with alerts and intelligence to protect our healthcare institutions.

https://www.riskiq.com/blog/external-threat-management/ryuk-ransoware-indicators/

Vulnerabilities

Security updates for Monday

Security updates have been issued by Debian (cimg, junit4, kernel, openldap, qtsvg-opensource-src, spice, spice-gtk, tzdata, and wireshark), Fedora (firefox, java-1.8.0-openjdk, java-11-openjdk, and thunderbird), openSUSE (apache2, binutils, libvirt, lout, pacemaker, pagure, phpMyAdmin, samba, sane-backends, singularity, spice, spice-gtk, thunderbird, nspr, tomcat, virt-bootstrap, and xen), SUSE (graphviz, liblouis, and samba), and Ubuntu (samba).

https://lwn.net/Articles/835838/


Oracle Security Alert for CVE-2020-14750 - 01 November 2020

https://www.oracle.com/security-alerts/alert-cve-2020-14750.html


Hormann BiSecur Gateway and Home Server multiple vulnerabilities

https://sec-consult.com/./en/blog/advisories/hormann-bisecur-gateway-and-home-server-multiple-vulnerabilities/


WordPress: Multiple vulnerabilities

http://www.cert-bund.de/advisoryshort/CB-K20-1058