Daily summary - 26.08.2020

End-of-Day report

Timeframe: Tuesday 25-08-2020 18:00 - Wednesday 26-08-2020 18:00 Handler: Stephan Richter Co-Handler: n/a

News

New SunCrypt Ransomware sheds light on Maze's ransomware cartel

A new ransomware named SunCrypt has joined the Maze cartel, and with their membership, we get insight into how these groups are working together.

https://www.bleepingcomputer.com/news/security/new-suncrypt-ransomware-sheds-light-on-mazes-ransomware-cartel/


Reverse Engineering and observing an IoT botnet

IoT devices are everywhere around us and some of them are not up to date with today's security standards. A single light bulb exposed to the internet can offer an attacker a variety of possibilities to attack companies or households. The possibilities are endless.

https://www.gdatasoftware.com/blog/2020/08/36243-reverse-engineering-and-observing-an-iot-botnet


[SANS ISC] Malicious Excel Sheet with a NULL VT Score

I published the following diary on isc.sans.edu: "Malicious Excel Sheet with a NULL VT Score": Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that just has a very nice score of 0/57 on VT.

https://blog.rootshell.be/2020/08/26/sans-isc-malicious-excel-sheet-with-a-null-vt-score/


Emulation of Malicious Shellcode With Speakeasy

In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are not malware analysts to acquire triage reports in an automated way, as well as enabling reverse engineers to write custom plugins to triage difficult malware families.

http://www.fireeye.com/blog/threat-research/2020/08/emulation-of-malicious-shellcode-with-speakeasy.html


Most organizations have no Active Directory cyber disaster recovery plan

Although 97% of organizations said that Active Directory (AD) is mission-critical, more than half never actually tested their AD cyber disaster recovery process or do not have a plan in place at all, a Semperis survey of over 350 identity-centric security leaders reveals. "The expanded work-from-home environment makes organizational identity a priority and also increases the attack surface relative to Active Directory," said Charles Kolodgy, Principal at Security Mindsets.

https://www.helpnetsecurity.com/2020/08/26/active-directory-cyber-disaster-recovery-plan/


Caution when buying a car privately: freight forwarder alo-car.com is fake!

When searching for cheap used cars, motorhomes or motorcycles, classified-ad platforms are often the best option. But be careful if the other party claims to be abroad and wants to handle the purchase through a freight forwarder. In many cases these are invented forwarding companies and criminals who are only after your money.

https://www.watchlist-internet.at/news/vorsicht-beim-privaten-autokauf-spedition-alo-carcom-ist-fake/


Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites

More and more ransomware gangs are now operating sites where they leak sensitive data from victims who refuse to pay the ransom demand.

https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/


Mercenaries launch APT attacks

According to findings by Bitdefender, a hacker group that hires itself out as a mercenary to various clients has carried out cyber-espionage attacks via Advanced Persistent Threat (APT) techniques with zero-day attacks on Autodesk 3ds Max in order to steal intellectual property.

https://www.zdnet.de/88382317/soeldner-starten-apt-attacken/

Vulnerabilities

Magento Multiversion (1.x/2.x) Backdoor

The Magento 1 EOL date has already passed; however, it's evident that a large number of websites will continue to use it for the foreseeable future. Unfortunately, attackers are also aware that many websites are struggling with their Magento migrations, and post-compromise tools have been created to support deployment on both Magento 1.x and 2.x versions, making it easier for them to exploit a larger number of sites.

https://blog.sucuri.net/2020/08/magento-multiversion-1-x-2-x-backdoor.html


Extensive file permissions on service executable in Eikon Thomson Reuters (CVE-2019-10679)

SEC Consult found a vulnerability that allows unprivileged users to escalate their privileges to SYSTEM in Eikon of Thomson Reuters. This is possible due to extensive file permissions that allow standard users to modify executable files.

https://sec-consult.com/en/blog/advisories/extensive-file-permissions-on-service-executable-in-eikon-thomson-reuters-cve-2019-10679/


Huawei Security Advisories

Huawei has published 20 new or updated Security Advisories.

https://www.huawei.com/en/psirt/all-bulletins


WordPress: Security vulnerabilities in the Autoptimize plugin, installed millions of times

Users of the Autoptimize plugin should promptly update it to 2.7.7. Demo code is expected to be published soon for one of the two closed vulnerabilities.

https://heise.de/-4879463


Security updates for Wednesday

Security updates have been issued by Debian (firefox-esr, ghostscript, php7.0, and proftpd-dfsg), Fedora (mod_http2 and thunderbird), Red Hat (chromium-browser and firefox), and SUSE (apache2, grub2, samba, and xorg-x11-server).

https://lwn.net/Articles/829609/


F5 BIG-IP: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K20-0843


Security Bulletin: August 2020 : CVE-2020-2654 in IBM Java Runtime affect CICS Transaction Gateway

https://www.ibm.com/blogs/psirt/security-bulletin-august-2020-cve-2020-2654-in-ibm-java-runtime-affect-cics-transaction-gateway/


Security Bulletin: Kerberos vulnerability in IBM Java Runtime affects Collaboration and Deployment Services

https://www.ibm.com/blogs/psirt/security-bulletin-kerberos-vulnerability-in-ibm-java-runtime-affects-collaboration-and-deployment-services/


Security Bulletin: BEAST security vulnerability in IBM Tivoli Netcool Performance Manager for Wireline (CVE-2011-3389)

https://www.ibm.com/blogs/psirt/security-bulletin-beast-security-vulnerability-in-ibm-tivoli-netcool-performance-manager-for-wireline-cve-2011-3389/


Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-batik-affects-websphere-application-server-cve-2019-17566/