End-of-Day report
Timeframe: Wednesday 11-11-2020 18:00 - Thursday 12-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Source code of the exploit toolkit Cobalt Strike allegedly leaked
A repository named CobaltStrike has been on GitHub for almost two weeks. It allegedly contains the code of Cobalt Strike 4.0. The author has also removed the license check, which points to a cracked version.
https://www.zdnet.de/88389725/angeblich-quellcode-des-exploit-toolkits-cobalt-strike-durchgesickert/
Hungry for data: ModPipe backdoor threatens POS software in the hospitality industry
The backdoor's authors evidently have in-depth knowledge of the software and decrypt database passwords from Windows registry values.
https://www.welivesecurity.com/deutsch/2020/11/12/hungrig-nach-daten-modpipe-backdoor-bedroht-pos-software-im-gastgewerbe/
Extrapolating Adversary Intent Through Infrastructure
Hear from Senior Security Researcher Joe Slowik to discover the significance behind domain name patterns and learn how defenders can use these thematic insights to further their security operations.
https://www.domaintools.com/resources/blog/extrapolating-adversary-intent-through-infrastructure
2 More Google Chrome Zero-Days Under Active Exploitation
Browser users are once again being asked to patch severe vulnerabilities that can lead to remote code execution.
https://threatpost.com/2-zero-day-bugs-google-chrome/161160/
Preventing Exposed Azure Blob Storage, (Thu, Nov 12th)
In the previous diary, I explained the three public access levels of Azure Blob Storage, and how to investigate the setup for any issues. Until a couple of months ago, there was no reliable way to prevent the problem from occurring in the first place, but thankfully, Microsoft has finally seen the light.
https://isc.sans.edu/diary/rss/26786
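The exposure the diary describes comes down to two settings: the per-container public access level (Private, Blob or Container) and the storage-account-level allowBlobPublicAccess switch, which, when set to false, blocks anonymous blob access regardless of how individual containers are configured. The following audit helper is an added example, not code from the ISC diary or from Microsoft. It reads a constructed inventory whose field names (allowBlobPublicAccess, publicAccess, containers) are assumptions modelled on the ARM resource properties for a storage account and its containers, and reports which containers are effectively reachable anonymously.

```python
"""Audit Azure Blob containers for anonymous exposure.

Added example, not code from the SANS ISC diary.  It combines the per-container
public access level (Private / Blob / Container) with the storage-account-level
allowBlobPublicAccess switch, which blocks anonymous access for every container
in the account when it is False.  The inventory below is constructed inline to
resemble ARM resource properties; the field names are assumptions, not a live
API response.
"""
from typing import Dict, List, Tuple

# Container-level public access levels as the Storage API names them.
PRIVATE = "none"          # no anonymous access
BLOB = "blob"             # anonymous read of blobs whose URL is known; no listing
CONTAINER = "container"   # anonymous listing of the container plus read of all blobs


def effective_exposure(account: Dict, container: Dict) -> str:
    """Return the effective anonymous exposure of a single container.

    The account-level switch wins: with allowBlobPublicAccess=False a container
    marked Blob or Container is still unreachable anonymously.  An unset value
    is treated as "allowed", which is what it meant for accounts created in
    2020 and is the conservative choice for an audit.
    """
    if account.get("allowBlobPublicAccess") is False:
        return "private"
    level = (container.get("publicAccess") or PRIVATE).lower()
    if level == CONTAINER:
        return "exposed-listing"   # anyone can enumerate and download every blob
    if level == BLOB:
        return "exposed-blob"      # anyone holding a blob URL can download it
    return "private"


def find_exposed(accounts: List[Dict]) -> List[Tuple[str, str, str]]:
    """Flatten an inventory of accounts into (account, container, exposure)
    triples for every container that is anonymously reachable."""
    findings = []
    for acct in accounts:
        for cont in acct.get("containers", []):
            exposure = effective_exposure(acct, cont)
            if exposure != "private":
                findings.append((acct["name"], cont["name"], exposure))
    return findings


# Constructed sample inventory (fictitious account and container names).
SAMPLE_ACCOUNTS = [
    {
        "name": "legacystorage01",
        "allowBlobPublicAccess": None,          # unset: anonymous access allowed
        "containers": [
            {"name": "backups", "publicAccess": "Container"},
            {"name": "webassets", "publicAccess": "Blob"},
            {"name": "internal", "publicAccess": None},
        ],
    },
    {
        "name": "hardenedstorage02",
        "allowBlobPublicAccess": False,         # account-level block in place
        "containers": [
            # Misconfigured at container level, but the account switch blocks it.
            {"name": "backups", "publicAccess": "Container"},
        ],
    },
]

if __name__ == "__main__":
    for acct, cont, exposure in find_exposed(SAMPLE_ACCOUNTS):
        print(f"{acct}/{cont}: {exposure}")
```

Only the two containers on the account without the switch are reported; the equally misconfigured container on the hardened account is not, which is exactly the preventive effect the diary refers to. In the Azure CLI the corresponding remediation is `az storage account update --name <account> --resource-group <rg> --allow-blob-public-access false`.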
Attacking SCADA Part II: Vulnerabilities in Schneider Electric EcoStruxure Machine Expert and M221 PLC
We present two vulnerabilities in EcoStruxure Machine Expert v1.0 and Schneider Electric M221 (Firmware 1.10.2.2) Programmable Logic Controller (PLC). All three vulnerabilities were disclosed to Schneider Electric and the details were released on 10 November 2020.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacking-scada-part-ii-vulnerabilities-in-schneider-electric-ecostruxure-machine-expert-and-m221-plc/
Exploring the Exploitability of "Bad Neighbor": The Recent ICMPv6 Vulnerability (CVE-2020-16898)
We wanted to find out whether something else could be done with this vulnerability, aside from triggering the buffer overflow and causing a blue screen (BSOD)
https://blog.zecops.com/vulnerabilities/exploring-the-exploitability-of-bad-neighbor-the-recent-icmpv6-vulnerability-cve-2020-16898/
CRAT wants to plunder your endpoints
Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT. Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint. One of the plugins is a ransomware known as "Hansom."
https://blog.talosintelligence.com/2020/11/crat-and-plugins.html
Avionics Safety and Secured Connectivity: A Look at DO-326A/ED-202A, DO-355 and DO-356
One of the major improvements that the avionics industry is undergoing is an Internet of Things (IoT) upgrade. And this is inevitably affecting how airlines approach aircraft safety. From the beginning, safety has been paramount to the aviation industry. But while it is a welcome innovation, the incorporation of IoT devices in aircraft comes with [...]
https://www.tripwire.com/state-of-security/regulatory-compliance/avionics-safety-secured-connectivity-do-326a-ed-202a-do-355-do-356/
Comodo open-sources its EDR solution
OpenEDR, announced in September, is available on GitHub starting this week.
https://www.zdnet.com/article/comodo-open-sources-its-edr-solution/
Why you should keep your Netflix password to yourself
Sharing is caring - except when it isn't. Here's why you shouldn't share your password for online media services with other people.
https://www.welivesecurity.com/2020/11/11/why-you-should-keep-netflix-password-yourself/
Cryptominers Exploiting Weblogic RCE CVE-2020-14882
Intro Towards the end of October, we started seeing attackers take advantage of a Weblogic RCE vulnerability (CVE-2020-14882). Recently, SANS ISC talked about this vulnerability being exploited in the wild, [...]
https://thedfirreport.com/2020/11/12/cryptominers-exploiting-weblogic-rce-cve-2020-14882/
Vulnerabilities
Security updates for Thursday
Security updates have been issued by Debian (codemirror-js, firefox-esr, and pacemaker), Fedora (firefox, java-latest-openjdk, and xen), openSUSE (sddm), Oracle (bind, curl, fence-agents, kernel, librepo, libvirt, python3, qt and qt5-qtbase, and tomcat), SUSE (firefox), and Ubuntu (intel-microcode, openldap, and raptor2).
https://lwn.net/Articles/836994/
Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs
Schneider Electric this week released advisories for vulnerabilities impacting various products, including flaws that can be exploited to take control of Modicon M221 programmable logic controllers (PLCs).
https://www.securityweek.com/encryption-vulnerabilities-allow-hackers-take-control-schneider-electric-plcs
Security Advisory - Denial of Service Vulnerability in Some Huawei Products
https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201111-02-dos-en
Security Bulletin: IBM API Connect V5 is vulnerable to denial of service (CVE-2019-11479)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-is-vulnerable-to-denial-of-service-cve-2019-11479/
Security Bulletin: Vulnerability in HTTPD affects IBM Integrated Analytics System
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-httpd-affects-ibm-integrated-analytics-system/