End-of-Day report
Timeframe: Tuesday 23-06-2020 18:00 - Wednesday 24-06-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
IT security: Around 80,000 printers are openly reachable on the internet
The security organisation Shadowserver has carried out a global IPP scan and found many printers that openly share information.
https://www.golem.de/news/it-sicherheit-etwa-80-000-drucker-sind-im-internet-offen-ansteuerbar-2006-149276-rss.html
What is DNS Poisoning and How to Protect Your Enterprise Against it
Modern enterprise cybersecurity has evolved - that's a true statement. If we were to travel back in time - say, 10 or 20 years ago - we would have discovered, much to our stupefaction, that cybersecurity was nothing more than an auxiliary attribution, bestowed upon the (un)fortunate soul who had the (dubious) privilege of fulfilling [...]
https://heimdalsecurity.com/blog/what-is-dns-poisoning/
Magnitude exploit kit - evolution
Exploit kits still play a role in today's threat landscape and continue to evolve. For this blogpost I studied and analyzed the evolution of one of the most sophisticated exploit kits out there - Magnitude EK - for a whole year.
https://securelist.com/magnitude-exploit-kit-evolution/97436/
Sodinokibi Ransomware Now Scans Networks For PoS Systems
Attackers are compromising large companies with the Cobalt Strike malware, and then deploying the Sodinokibi ransomware.
https://threatpost.com/sodinokibi-ransomware-now-scans-networks-for-pos-systems/156855/
Hakbit Ransomware Attack Uses GuLoader, Malicious Microsoft Excel Attachments
Recent spearphishing emails spread the Hakbit ransomware using malicious Microsoft Excel attachments and the GuLoader dropper.
https://threatpost.com/hackbit-ransomware-attack-uses-guloader-malicious-microsoft-excel-attachments/156826/
Using Shell Links as zero-touch downloaders and to initiate network connections, (Wed, Jun 24th)
Probably anyone who has used any modern version of Windows is aware of their file-based shortcuts, also known as LNKs or Shell Link files. Although they were intended as a simple feature to make Windows a bit more user-friendly, over the years a significant number[1] of vulnerabilities were identified in the handling of LNKs. Many of these vulnerabilities lead to remote code execution, and one (CVE-2010-2568) was even used in the creation of the Stuxnet worm.
https://isc.sans.edu/diary/rss/26276
Three words you do not want to hear regarding a secure browser called SafePay... Remote. Code. Execution
How Bitdefender's security software was caught napping by ad-block bod. Folks running Bitdefender's Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug.
https://go.theregister.com/feed/www.theregister.com/2020/06/24/bitdefender_safepay_rce/
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
WastedLocker is a new ransomware locker we've detected being used since May 2020. We believe it has been in development for a number of months prior to this and was started in conjunction with a number of other changes we have seen originate from the Evil Corp group in 2020. Evil Corp were previously associated with the Dridex malware and BitPaymer ransomware, the latter of which came to prominence in the first half of 2017. Recently Evil Corp has changed a number of TTPs related to their operations, further described in this article.
https://blog.fox-it.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
Fake PayLife emails in circulation
Under various pretexts, fraudsters are currently trying to obtain login and credit card data from PayLife customers. Anyone who does not comply with the requests in these emails is threatened with a block on their card or other restrictions. Do not follow the link in these emails and do not download any "card security app"!
https://www.watchlist-internet.at/news/gefaelschte-paylife-mails-im-umlauf/
Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
A new hybrid malware capable of cryptojacking and launching DDoS was discovered in the wild, which we've named "Lucifer."
https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/
This sneaky malware goes to unusual lengths to cover its tracks
Glupteba creates a backdoor into infected Windows systems - and researchers think it'll be offered to cyber criminals as an easy means of distributing other malware.
https://www.zdnet.com/article/this-sneaky-malware-goes-to-unusual-lengths-to-cover-its-tracks/
Vulnerabilities
Critical security vulnerability threatens Magento shops
Attackers could attack online shops based on Magento and, in the worst case, take them over completely.
https://heise.de/-4793608
Critical vulnerability: Helpdesk app on Qnap NAS invites attackers in
Qnap has released an important update for the Helpdesk support app.
https://heise.de/-4794415
Security updates for Wednesday
Security updates have been issued by CentOS (kernel, ntp, and unbound), Fedora (php-horde-horde and tcpreplay), openSUSE (chromium, java-1_8_0-openj9, mozilla-nspr, mozilla-nss, and opera), Oracle (gnutls, grafana, thunderbird, and unbound), Red Hat (candlepin and satellite, docker, microcode_ctl, openstack-keystone, openstack-manila and openstack-manila, and qemu-kvm-rhev), Scientific Linux (kernel and ntp), Slackware (ntp), SUSE (curl, libreoffice, libssh2_org, and php5), and Ubuntu (curl).
https://lwn.net/Articles/824378/
VMware products: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K20-0622
Security Bulletin: IBM Security Guardium is affected by Use of Hard-Coded Credentials vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-use-of-hard-coded-credentials-vulnerabilities-2/
Security Bulletin: Multiple vulnerabilities have been identified in IBM Tivoli Netcool/OMNIbus Probe for Network Node Manager i (CVE-2009-3555)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-ibm-tivoli-netcool-omnibus-probe-for-network-node-manager-i-cve-2009-3555/
Security Bulletin: IBM Security Guardium is affected by OS Command Injection vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-os-command-injection-vulnerabilities-4/
Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities-3/
Security Bulletin: Speech to Text, Text to Speech ICP WebSphere Application Server Liberty Fix
https://www.ibm.com/blogs/psirt/security-bulletin-speech-to-text-text-to-speech-icp-websphere-application-server-liberty-fix/