Daily summary - 06.11.2020

End-of-Day report

Timeframe: Thursday 05-11-2020 18:00 - Friday 06-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter

News

Reverse shell botnet Gitpaste-12 spreads via GitHub and Pastebin

A newly discovered worm and botnet named Gitpaste-12 lives on GitHub and also uses Pastebin to host malicious code. The advanced malware comes equipped with reverse shell and crypto mining capabilities.

https://www.bleepingcomputer.com/news/security/reverse-shell-botnet-gitpaste-12-spreads-via-github-and-pastebin/


Security vulnerability: admin password for emergency-services system exposed unprotected on the internet

Emergency patients are registered at hospitals via the Ivena software. An admin password has now been publicly viewable on the vendor's website.

https://www.golem.de/news/sicherheitsluecke-admin-passwort-fuer-rettungsdienst-system-ungeschuetzt-im-netz-2011-151946-rss.html


RansomEXX Trojan attacks Linux systems

We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.

https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/


ALFA TEaM Shell ~ v4.1-Tesla: A Feature Update Analysis

We've seen a wider variety of PHP web shells being used by attackers this year - including a number of shells that have been significantly updated in an attempt to 'improve' them. Depending on the scope of changes and feature enhancements that are added to an existing web shell's source code, these updates can be tedious and time consuming for bad actors. For this reason, it's common to see code for web shells reused among different, unaffiliated attackers.

https://blog.sucuri.net/2020/11/alfa-team-shell-v4-1-tesla-a-feature-update-analysis.html


Rediscovering Limitations of Stateful Firewalls: "NAT Slipstreaming" - Implications, Detections and Mitigations

A recent {rediscovered} technique (NAT Slipstreaming) to allow an attacker to remotely access any TCP/UDP service bound to a victim's machine, thus bypassing the victim's Network Address Translation (NAT)/firewall implementation, was detailed by Samy Kamkar [1]. Samy had also shared a similar technique termed 'NAT Pinning' back in 2010 [2]. The similarities in both techniques were convincing victims to access a specially crafted site implementing said techniques, resulting in [...]

https://isc.sans.edu/forums/diary/Rediscovering+Limitations+of+Stateful+Firewalls+NAT+Slipstreaming+Implications+Detections+and+Mitigations/26766/


Business VOIP phone systems are being hacked for profit worldwide. Is yours secure?

Security researchers have uncovered an organised gang of cybercriminals who are compromising the VOIP phone systems of over 1000 organisations worldwide. Check Point has identified a malicious campaign that has targeted a critical vulnerability in the Sangoma PBX open-source GUI, used to manage installations of Asterisk - the world's most popular VOIP phone system for businesses.

https://businessinsights.bitdefender.com/business-voip-phone-systems-are-being-hacked-for-profit-worldwide.-is-yours-secure


IntelMQ offers tutorial lessons and a new documentation page

The IntelMQ tutorial guiding through various features and tools of IntelMQ is available in the IntelMQ Tutorial GitHub repository. Lesson one introduces the architecture, concepts and terminology of the project. Lessons two and three delve hands-on into working with IntelMQ. Starting with installation and basic usage & configuration, they go on to tackle progressively more advanced topics like using advanced features or changing the message queue software to be used.

https://cert.at/en/blog/2020/11/intelmq-tutorial-and-new-documentation-page


Ryuk Speed Run, 2 Hours to Ransom

Since the end of September Ryuk has been screaming back into the news. We've already covered 2 cases in that timeframe. We've seen major healthcare providers, managed service providers, [...]

https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

Vulnerabilities

Vulnerabilities in iOS are being actively exploited - no update for iOS 13

Apple users should update their operating system promptly; critical vulnerabilities are apparently being used for attacks. Not all system versions receive updates.

https://heise.de/-4950496


Security updates for Friday

Security updates have been issued by Debian (sddm and wordpress), Fedora (blueman, chromium, pngcheck, and salt), openSUSE (chromium, salt, tiff, tigervnc, tmux, tomcat, transfig, and xen), Oracle (freetype, kernel, libX11, thunderbird, and xorg-x11-server), SUSE (bluez, ImageMagick, java-1_8_0-openjdk, rmt-server, salt, and u-boot), and Ubuntu (dom4j, firefox, netqmail, phpldapadmin, and tmux).

https://lwn.net/Articles/836467/


Security Advisory - Netlogon Elevation of Privilege Vulnerability

https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201105-01-netlogon-en


Digium Certified Asterisk: Multiple vulnerabilities allow denial of service

https://www.cert-bund.de/advisoryshort/CB-K20-1084