Daily summary - 09.11.2020

End-of-Day report

Timeframe: Friday 06-11-2020 18:00 - Monday 09-11-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Hackers have repeatedly siphoned source code from SonarQube instances

The FBI had already warned in October about attacks on installations belonging to US government agencies as well as private companies.

https://heise.de/-4951630


Let's Encrypt: Old Android devices will have problems with millions of sites

The certificate switch at Let's Encrypt causes problems for a third of all Android devices. The solution is Firefox.

https://www.golem.de/news/let-s-encrypt-alte-android-geraete-bekommen-probleme-mit-millionen-seiten-2011-151987-rss.html


New Pay2Key ransomware encrypts networks within one hour

A new ransomware called Pay2Key has been targeting organizations from Israel and Brazil, encrypting their networks within an hour in targeted attacks still under investigation.

https://www.bleepingcomputer.com/news/security/new-pay2key-ransomware-encrypts-networks-within-one-hour/


How Ryuk Ransomware operators made $34 million from one victim

One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.

https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operators-made-34-million-from-one-victim/


Gitpaste-12 Worm Targets Linux Servers, IoT Devices

The newly discovered malware uses GitHub and Pastebin to house component code, and harbors 12 different initial attack vectors.

https://threatpost.com/gitpaste-12-worm-linux-servers-iot-devices/161016/


Adventures in Anti-Gravity

Here we deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces).

https://objective-see.com/blog/blog_0x5B.html


Cryptojacking Targeting WebLogic TCP/7001, (Sat, Nov 7th)

This past week I got some interesting logs targeting TCP/7001 (WebLogic CVE-2020-14882 - see previous diary[1][2]) looking to download and launch a shell script to install various cryptominers on the target. The shell script targets SELinux-compatible hosts, likely CentOS/RedHat, Ubuntu, etc., to install various cryptominer applications.

https://isc.sans.edu/diary/rss/26768


How Attackers Brush Up Their Malicious Scripts, (Mon, Nov 9th)

On Friday, I received a bunch of alerts from one of my YARA hunting rules. Several samples were submitted from the same account (through the VT API), from the same country (US), and in a very short period of time. All the submitted files were OLE2 files containing a malicious macro. All of them had a low VT score, so it deserved some investigation. I downloaded the samples and had a look at them.

https://isc.sans.edu/diary/rss/26770


When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777

Vatet, PyXie and Defray777 are all associated with a financially motivated threat group. We aim to get these malware families on the radar.

https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/


xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control

We observed evidence that the xHunt campaign used two backdoors on a compromised Microsoft Exchange Server at an organization in Kuwait.

https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/

Vulnerabilities

Cisco patches severe vulnerability in Webex Meetings for Windows

The vulnerability came to light during internal testing. A local attacker can execute malicious code. Further vulnerabilities are present in the Web Network Recording Player and Webex Player.

https://www.zdnet.de/88389577/cisco-stopft-schwerwiegende-luecke-in-webex-meetings-fuer-windows/


WordPress Sites Open to Code Injection Attacks via Welcart e-Commerce Bug

The shopping cart application contains a PHP object-injection bug.

https://threatpost.com/wordpress_open_to_attacks_welcart_bug/161037/


Security updates for Monday

Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, kernel, libX11, qemu-kvm, thunderbird, and xorg-x11-server), Debian (guacamole-server, krb5, libexif, poppler, raptor2, and sympa), Fedora (blueman, chromium, freetype, galera, krb5, libtpms, mariadb, mariadb-connector-c, pngcheck, and salt), Mageia (blueman, docker, fontforge, junit, libproxy, libuv, mariadb, suricata, and webmin), openSUSE (apache-commons-httpclient, bluez, gnome-settings-daemon, gnome-shell, [...]

https://lwn.net/Articles/836676/