End-of-Day report
Timeframe: Wednesday 23-12-2020 18:00 - Monday 28-12-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
2020 in review: the topics that kept us busy this year!
The coronavirus crisis kept the whole world on edge in 2020, and it did not pass Watchlist Internet by either. Criminals exploited the global health crisis for a range of scams, from fake shops that added respiratory masks to their product range, through fraudulent job offers, to phishing messages. The growing trend of dubious advertising is also tied to various scams. Fake shops are [...]
https://www.watchlist-internet.at/news/jahresrueckblick-2020-diese-themen-beschaeftigten-uns-heuer/
Amazon gift card carrying the Dridex banking trojan
A supposed Amazon gift card brings an unwelcome extra: inattentive consumers are robbed by the Dridex banking trojan.
https://www.zdnet.de/88391026/amazon-geschenkkarte-mit-banking-trojaner-dridex/
Attackers abuse Citrix appliances for DDoS attacks
Threat actors have found a way to use Citrix ADC network appliances to amplify junk web traffic and launch distributed denial-of-service (DDoS) attacks.
https://www.zdnet.de/88391041/hacker-missbrauchen-citrix-geraete-fuer-ddos-attacken/
Reconciling DevOps and security
DevOps teams often see security as a brake on innovation. We offer some tips on how to combine effective developer work with security.
https://www.zdnet.de/88391052/devops-und-security-im-einklang/
CrowdStrike releases free Azure security tool after failed hack
Leading cybersecurity firm CrowdStrike was notified by Microsoft that threat actors had attempted to read the company's emails through compromised Microsoft Azure credentials.
https://www.bleepingcomputer.com/news/security/crowdstrike-releases-free-azure-security-tool-after-failed-hack/
GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic
A new strain of malware uses Word files with macros to download a PowerShell script from GitHub. That PowerShell script then downloads a legitimate image file from the image-hosting service Imgur and decodes a Cobalt Strike script from it.
https://www.bleepingcomputer.com/news/security/github-hosted-malware-calculates-cobalt-strike-payload-from-imgur-pic/
Multi-platform card skimmer found on Shopify, BigCommerce stores
A recently discovered multi-platform credit card skimmer can harvest payment info on compromised stores powered by Shopify, BigCommerce, Zen Cart, and WooCommerce.
https://www.bleepingcomputer.com/news/security/multi-platform-card-skimmer-found-on-shopify-bigcommerce-stores/
Third-Party APIs: How to Prevent Enumeration Attacks
Jason Kent, hacker-in-residence at Cequence, walks through online-retail card fraud and what to do about it.
https://threatpost.com/third-party-apis-enumeration-attacks/162589/
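As an added illustration of the enumeration problem the Threatpost piece addresses (this is not code from the article), the block below aggregates payment-authorization attempts per client over a sliding window and flags the pattern a card-enumeration (BIN attack) run leaves behind: many distinct card tokens, small fixed amounts, and a high decline ratio. The log shape, the client key, the thresholds and all sample events are constructed assumptions.

```python
"""Card-enumeration detection over payment-API logs.

Added example for the Threatpost entry above; it is not from the article.
Log shape, client key and thresholds are constructed/assumed. Attackers
testing stolen or generated card numbers send many small authorizations,
most of which are declined; each request looks valid on its own, so the
signal only appears when attempts are aggregated per client.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # sliding window per client (assumed)
MIN_DISTINCT_CARDS = 8             # distinct card tokens seen in the window
MIN_DECLINE_RATIO = 0.75           # share of declined attempts in the window


@dataclass
class Verdict:
    client: str
    attempts: int
    distinct_cards: int
    decline_ratio: float
    max_amount: float


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _event(ts, client, card, amount, result):
    return {"ts": _ts(ts), "client": client, "card": card,
            "amount": amount, "result": result}


# Constructed sample log. "card" is an opaque token from the payment
# provider, never the PAN itself: logs must not become the next breach.
SAMPLE_EVENTS = [
    _event("2020-12-24T10:00:00Z", "10.0.0.5", "tok_a1", 59.90, "approved"),
    _event("2020-12-24T10:02:10Z", "10.0.0.5", "tok_a1", 120.00, "declined"),
    _event("2020-12-24T10:02:40Z", "10.0.0.5", "tok_a2", 120.00, "approved"),
] + [
    # 203.0.113.9 tries 12 different card tokens at 1.00 within 12 seconds;
    # only the fifth is accepted, the rest are declined.
    _event(f"2020-12-24T10:00:{i:02d}Z", "203.0.113.9", f"tok_e{i:02d}",
           1.00, "approved" if i == 5 else "declined")
    for i in range(1, 13)
]


def detect_enumeration(events, window=WINDOW, min_cards=MIN_DISTINCT_CARDS,
                       min_decline=MIN_DECLINE_RATIO):
    """Return {client: Verdict} for clients whose recent window looks like
    card enumeration. Events are processed in time order; the verdict kept
    per client reflects the last window that tripped the thresholds."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["client"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # expire old attempts
            q.popleft()
        cards = {e["card"] for e in q}
        declines = sum(1 for e in q if e["result"] != "approved")
        ratio = declines / len(q)
        if len(cards) >= min_cards and ratio >= min_decline:
            flagged[ev["client"]] = Verdict(
                client=ev["client"], attempts=len(q), distinct_cards=len(cards),
                decline_ratio=round(ratio, 3),
                max_amount=max(e["amount"] for e in q))
    return flagged


if __name__ == "__main__":
    for v in detect_enumeration(SAMPLE_EVENTS).values():
        print(f"{v.client}: {v.distinct_cards} cards, {v.attempts} attempts, "
              f"{v.decline_ratio:.0%} declined, max amount {v.max_amount:.2f}")
```

The legitimate customer (one retry on a declined card, then a second card) never trips the thresholds; the enumerating client is flagged from its eighth distinct token onward. The response to a verdict matters as much as the detection: throttle or step-up (CAPTCHA, 3-D Secure) the offending client rather than silently dropping requests, and return a uniform decline to the caller, since distinct reasons such as "invalid number" versus "wrong CVV" are exactly the oracle an enumeration attack needs.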
Analysis Dridex Dropper, IoC extraction (guest diary), (Wed, Dec 23rd)
A couple of weeks ago, I assisted Xavier when he taught FOR610 in (virtual) Frankfurt. Last week, one of our students (Nicklas Keijser) sent us this analysis that we decided to share as a guest diary.
https://isc.sans.edu/diary/rss/26920
CISA Releases Free Detection Tool for Azure/M365 Environment
CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.
https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-free-detection-tool-azurem365-environment
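To make the CISA entry concrete, the following added example (not CISA's tool, which is published as Sparrow, and not its code) triages Azure AD / M365 audit records for the handful of operations that sit at the heart of the identity- and authentication-based attacks the advisory refers to: changes to domain federation/authentication, and new credentials or permissions on applications and service principals. The records are constructed in the shape of the AuditData JSON that `Search-UnifiedAuditLog` returns; the watched operation names are the Azure AD audit strings for those events, but you should confirm the exact spelling against your own export (dash characters and trailing whitespace differ), which is why the matcher normalises them.

```python
"""Triage of Azure AD / M365 audit records for identity-abuse operations.

Added example for the CISA entry above; not CISA's tool and not its code.
Records are constructed to mirror the AuditData JSON fields of a Unified
Audit Log export (CreationTime, Operation, UserId, ClientIP, Workload,
Target). Operation names below are normalised before matching because
the exported strings vary in dash characters and trailing whitespace.
"""
import json
from collections import defaultdict

# Operations that rarely happen legitimately and are central to forged-token
# and app-credential abuse. Keys are lower-case and dash/whitespace-normalised.
WATCHED_OPERATIONS = {
    "set domain authentication.": "domain authentication changed (possible rogue federation)",
    "set federation settings on domain.": "federation settings changed (token-signing cert?)",
    "add service principal credentials.": "new credential on a service principal",
    "update application - certificates and secrets management":
        "new secret/certificate on an application",
    "consent to application.": "application granted permissions",
    "add app role assignment to service principal.":
        "app role (e.g. mailbox read) assigned to a service principal",
}


def normalize_op(op: str) -> str:
    """Map en/em dashes to '-', collapse whitespace, lower-case."""
    return " ".join(op.replace("\u2013", "-").replace("\u2014", "-").split()).lower()


# Constructed sample export: one benign sign-in, a burst of three identity
# changes by one admin from one IP, and an unrelated Exchange operation.
SAMPLE_AUDIT = "\n".join([
    json.dumps({"CreationTime": "2020-12-22T03:12:41", "Operation": "UserLoggedIn",
                "UserId": "alice@contoso.example", "ClientIP": "198.51.100.20",
                "Workload": "AzureActiveDirectory"}),
    json.dumps({"CreationTime": "2020-12-22T03:15:02",
                "Operation": "Set domain authentication.",
                "UserId": "svc-admin@contoso.example", "ClientIP": "203.0.113.77",
                "Workload": "AzureActiveDirectory", "Target": [{"ID": "contoso.example"}]}),
    json.dumps({"CreationTime": "2020-12-22T03:16:30",
                "Operation": "Update application \u2013 Certificates and secrets management ",
                "UserId": "svc-admin@contoso.example", "ClientIP": "203.0.113.77",
                "Workload": "AzureActiveDirectory", "Target": [{"ID": "Mail Archiver"}]}),
    json.dumps({"CreationTime": "2020-12-22T03:17:05",
                "Operation": "Add service principal credentials.",
                "UserId": "svc-admin@contoso.example", "ClientIP": "203.0.113.77",
                "Workload": "AzureActiveDirectory", "Target": [{"ID": "Mail Archiver"}]}),
    json.dumps({"CreationTime": "2020-12-22T09:00:00", "Operation": "New-InboxRule",
                "UserId": "bob@contoso.example", "ClientIP": "198.51.100.21",
                "Workload": "Exchange"}),
])


def triage(audit_lines: str):
    """Return one finding per watched operation found in the JSON-lines export."""
    findings = []
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key = normalize_op(rec.get("Operation", ""))
        if key in WATCHED_OPERATIONS:
            targets = ", ".join(t.get("ID", "?") for t in rec.get("Target", [])) or "-"
            findings.append({
                "time": rec["CreationTime"], "actor": rec.get("UserId", "?"),
                "ip": rec.get("ClientIP", "?"), "operation": rec["Operation"].strip(),
                "target": targets, "why": WATCHED_OPERATIONS[key]})
    return findings


def by_actor(findings):
    """Group findings by (actor, source IP) so a burst from one account stands out."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f["actor"], f["ip"])].append(f)
    return dict(grouped)


if __name__ == "__main__":
    for (actor, ip), items in by_actor(triage(SAMPLE_AUDIT)).items():
        print(f"{actor} from {ip}: {len(items)} watched operations")
        for f in items:
            print(f"  {f['time']}  {f['operation']}  [{f['target']}]  {f['why']}")
```

A single hit can be a planned change (a federation rollout, a scheduled secret rotation); what warrants incident response is the sequence the constructed sample shows: a domain authentication change followed within minutes by new credentials on an application and its service principal, all from the same account and IP. Run this against the full retention window you have, since the audit log is often the only record of the initial change.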
The History of DNS Vulnerabilities and the Cloud
We review the history of DNS vulnerabilities, particularly DNS cache poisoning, examining both past vulnerabilities and more advanced attacks.
https://unit42.paloaltonetworks.com/dns-vulnerabilities/
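The cache-poisoning history the Unit 42 article reviews comes down to one question: which responses may a resolver trust and cache? The added example below (not code from the article) shows the resolver-side checks in simplified form: a response is accepted only if it matches an outstanding query on transaction ID, destination port, source address and question, and only records within the answering server's bailiwick are cached. The `PendingQuery`/`Response`/`RR` structures and the two scenarios are constructed stand-ins for parsed DNS messages.

```python
"""Resolver-side sanity checks on a DNS response.

Added example for the Unit 42 entry above, not code from the article. The
data structures are simplified stand-ins for parsed DNS messages
(constructed); a real resolver applies the same checks to the wire format.
Poisoning works by getting a resolver to accept a forged response, so the
resolver must (1) accept only a response matching an outstanding query on
transaction ID, destination port, source address and question, and (2) cache
only records the answering server is authoritative for (the bailiwick rule).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str


@dataclass
class PendingQuery:
    txid: int          # 16-bit transaction ID we sent
    src_port: int      # randomised ephemeral source port we sent from
    server_ip: str     # authoritative server we asked
    qname: str
    qtype: str
    bailiwick: str     # zone that server is authoritative for


@dataclass
class Response:
    txid: int
    dst_port: int      # port the response arrived on
    src_ip: str
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def validate_response(q: PendingQuery, r: Response) -> Tuple[List[RR], List[str]]:
    """Return (records safe to cache, reasons). An identity mismatch rejects
    the whole response; an out-of-bailiwick record is dropped individually."""
    reasons = []
    if r.txid != q.txid:
        reasons.append("transaction ID mismatch")
    if r.dst_port != q.src_port:
        reasons.append("port mismatch")
    if r.src_ip != q.server_ip:
        reasons.append("response from unexpected server")
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        reasons.append("question section mismatch")
    if reasons:
        return [], reasons
    accepted = []
    for section, rrs in (("answer", r.answer), ("authority", r.authority),
                         ("additional", r.additional)):
        for rr in rrs:
            if in_bailiwick(rr.name, q.bailiwick):
                accepted.append(rr)
            else:
                reasons.append(f"dropped out-of-bailiwick {section} record for {rr.name}")
    return accepted, reasons


# Constructed scenario: we asked example.com's server for a random name.
QUERY = PendingQuery(txid=0x1f2e, src_port=51337, server_ip="192.0.2.53",
                     qname="a7x9q.example.com.", qtype="A", bailiwick="example.com.")

# Forged reply (spoofed source) that guessed the wrong transaction ID: rejected.
BLIND_GUESS = Response(txid=0x1f2f, dst_port=51337, src_ip="192.0.2.53",
                       qname="a7x9q.example.com.", qtype="A",
                       answer=[RR("a7x9q.example.com.", "A", "198.51.100.7")])

# Reply with a matching identity that smuggles a record for another zone in the
# additional section (the classic pre-Kaminsky trick) next to legitimate glue.
SMUGGLED_GLUE = Response(txid=0x1f2e, dst_port=51337, src_ip="192.0.2.53",
                         qname="a7x9q.example.com.", qtype="A",
                         authority=[RR("example.com.", "NS", "ns1.example.com.")],
                         additional=[RR("ns1.example.com.", "A", "192.0.2.53"),
                                     RR("www.bank.example.", "A", "198.51.100.7")])

if __name__ == "__main__":
    for label, resp in (("blind guess", BLIND_GUESS), ("smuggled glue", SMUGGLED_GLUE)):
        ok, why = validate_response(QUERY, resp)
        print(label, "->", [f"{r.name} {r.rtype} {r.data}" for r in ok], why)
```

Two caveats a practitioner should keep in mind. The bailiwick rule stops the smuggled `www.bank.example.` record, but it does nothing against a Kaminsky-style forgery whose NS and glue records are all inside `example.com.`: there the only protection is the entropy the attacker has to guess, the 16-bit transaction ID plus the randomised source port (and, ultimately, DNSSEC validation). Second, that port entropy is exactly what CVE-2020-25705 (SAD DNS, listed under Vulnerabilities below via the F5 article) attacks: an ICMP rate-limit side channel lets an off-path attacker infer the open source port, reducing the guess to the transaction ID alone.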
Vulnerabilities
Project Zero: poorly patched Windows flaw still exploitable
An actively exploited security vulnerability in Windows remains unfixed despite Google's advisories and an insufficient patch.
https://www.golem.de/news/project-zero-schlecht-gepatchte-windows-luecke-weiter-ausnutzbar-2012-153063-rss.html
Security updates for Thursday
Security updates have been issued by Debian (spip and sympa), Gentoo (c-ares, cherokee, curl, dbus, firefox, gdk-pixbuf, haproxy, libass, nss, openssl, pdns, pdns-recursor, php, samba, tomcat, and webkit-gtk), and SUSE (java-1_8_0-ibm, openexr, and python3).
https://lwn.net/Articles/841225/
Security updates for Friday
Security updates have been issued by Fedora (xen) and SUSE (flac and openexr).
https://lwn.net/Articles/841243/
Security updates for Monday
Security updates have been issued by Debian (horizon, kitty, python-apt, and roundcube), Fedora (libmaxminddb, mediawiki, mingw-binutils, and thunderbird), Mageia (erlang-rebar3), openSUSE (blosc, ceph, firefox, flac, kdeconnect-kde, openexr, ovmf, PackageKit, python3, thunderbird, and xen), and SUSE (thunderbird).
https://lwn.net/Articles/841378/
VU#429301: Veritas Backup Exec is vulnerable to privilege escalation due to OPENSSLDIR location
https://kb.cert.org/vuls/id/429301
VU#843464: SolarWinds Orion API authentication bypass allows remote command execution
https://kb.cert.org/vuls/id/843464
Security Bulletin: IBM MQ is affected by a vulnerability in Eclipse Jetty (CVE-2019-17638)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-vulnerability-in-eclipse-jetty-cve-2019-17638/
Security Bulletin: tzdata has been updated to tzdata-2020d to address Fiji and Palestine time zone changes
https://www.ibm.com/blogs/psirt/security-bulletin-tzdata-has-been-updated-to-tzdata-2020d-to-address-fiji-and-palestine-time-zone-changes/
Security Bulletin: Publicly disclosed vulnerability from Samba affects IBM Netezza Host Management
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-from-samba-affects-ibm-netezza-host-management/
Linux kernel and TMM vulnerability CVE-2020-25705
https://support.f5.com/csp/article/K09604370
Linux kernel vulnerability CVE-2018-10675
https://support.f5.com/csp/article/K40540405