Daily summary - 07.01.2021

End-of-Day report

Timeframe: Tuesday 05-01-2021 18:00 - Thursday 07-01-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

l+f: Security nightmare SMB in the browser

Security purists have long warned about techniques such as WebAssembly and WebSockets. Now a hacker shows what can be done with them.

https://heise.de/-5005070


PayPal users are the target of a new SMS phishing campaign

The scam begins with an SMS warning users of suspicious activity on their accounts.

https://www.welivesecurity.com/deutsch/2021/01/06/paypal-nutzer-sind-ziel-einer-neuen-sms-phishing-kampagne/


Phishing messages circulating on Facebook!

Criminals are currently sending messages via Facebook Messenger. These contain a link that claims to lead to Facebook's Ads Manager. In reality, however, it is an imitation, fraudulent page. The criminals hope that you will enter your data, giving them access to your Facebook account and your credit card details!

https://www.watchlist-internet.at/news/phishing-nachrichten-auf-facebook-im-umlauf/


Malware using new Ezuri memory loader

Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments.

https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader


Babuk Locker is the first new enterprise ransomware of 2021

It's a new year, and with it comes a new ransomware called Babuk Locker that targets corporate victims in human-operated attacks.

https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/


FBI warns of Egregor ransomware extorting businesses worldwide

The US Federal Bureau of Investigation (FBI) has sent a security alert warning private sector companies that the Egregor ransomware operation is actively targeting and extorting businesses worldwide.

https://www.bleepingcomputer.com/news/security/fbi-warns-of-egregor-ransomware-extorting-businesses-worldwide/


Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident

DomainTools researchers recently learned of a ransomware campaign targeting multiple entities. The incident highlighted several methods of network and malware analysis that can be used to gain a greater understanding of individual campaigns.

https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident


NSA Urges SysAdmins to Replace Obsolete TLS Protocols

The NSA released new guidance providing system administrators with the tools to update outdated TLS protocols.

https://threatpost.com/nsa-urges-sysadmins-to-replace-obsolete-tls-protocols/162814/


Bogus CSS Injection Leads to Stolen Credit Card Details

A client recently reported their customers were receiving antivirus warnings when trying to access and purchase products from a Magento ecommerce website. This is almost always a telltale sign that something is amiss, and so I began my investigation. Malware in Database Tables: As is pretty common with Magento credit card swiper investigations, my initial scans came up clean. Attackers are writing new pieces of malware like it's going out of style, so there are very frequently new [...]

https://blog.sucuri.net/2021/01/bogus-css-injection-leads-to-stolen-credit-card-details.html


A Deep Dive into Lokibot Infection Chain

Lokibot is one of the most well-known information stealers on the malware landscape. In this post, we'll provide a technical breakdown of one of the latest Lokibot campaigns. Talos also has a new script to unpack the dropper's third stage.

https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html


TA551: Email Attack Campaign Switches from Valak to IcedID

We continue to monitor the email attack campaign TA551, AKA Shathak, which has recently pushed IcedID, a family of information-stealing malware.

https://unit42.paloaltonetworks.com/ta551-shathak-icedid/


Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020

Security firm Recorded Future said it tracked more than 10,000 malware command and control servers last year, used across more than 80 malware families.

https://www.zdnet.com/article/cobalt-strike-and-metasploit-accounted-for-a-quarter-of-all-malware-c-c-servers-in-2020/


A DoppelPaymer Ransomware Overview

Believed to be based on the BitPaymer ransomware, the DoppelPaymer ransomware emerged in 2019. Since then it has been used in a number of high-profile attacks. Trend Micro Research has published an overview of the DoppelPaymer ransomware.

https://exchange.xforce.ibmcloud.com/collection/7c157bb8989d76730fed733016c2004d

Vulnerabilities

Dangerous security vulnerabilities in the office application TextMaker

Attackers could target TextMaker users. The risk level is rated as high.

https://heise.de/-5005181


Vulnerability Spotlight: Multiple vulnerabilities in Genivia gSOAP

Cisco Talos recently discovered multiple vulnerabilities in various Genivia gSOAP toolkit plugins. These vulnerabilities could allow an attacker to carry out a variety of malicious activities, including causing a denial of service on the victim machine or gaining the ability to execute arbitrary code. The gSOAP toolkit is a C/C++ library for developing XML-based web services.

https://blog.talosintelligence.com/2021/01/vuln-spotlight-genivia-gsoap-.html


Security updates for Wednesday

Security updates have been issued by Debian (cairo, dovecot, and minidlna), Oracle (ImageMagick), Scientific Linux (ImageMagick), SUSE (clamav, dovecot23, java-1_8_0-ibm, and tomcat), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, [...]

https://lwn.net/Articles/841873/


Security updates for Thursday

Security updates have been issued by Debian (golang-websocket, nodejs, and pacemaker), Fedora (mingw-binutils and rubygem-em-http-request), and Ubuntu (linux-oem-5.6 and p11-kit).

https://lwn.net/Articles/841977/


Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks

Several potentially serious vulnerabilities discovered in Fortinet's FortiWeb web application firewall (WAF) could expose corporate networks to attacks, according to the researcher who found them.

https://www.securityweek.com/vulnerabilities-fortinet-waf-can-expose-corporate-networks-attacks


ICS-CERT Security Advisories - January 5th, 2021

ICS-CERT has released six security advisories addressing vulnerabilities in ICS-related devices and software.

https://exchange.xforce.ibmcloud.com/collection/f9e8dce556fb93fa97530e3e1dd5704c


Security Bulletin: Spectrum Discover has addressed multiple security vulnerabilities (CVE-2020-13401, CVE-2019-20372)

https://www.ibm.com/blogs/psirt/security-bulletin-spectrum-discover-has-addressed-multiple-security-vulnerabilities-cve-2020-13401-cve-2019-20372/


Security Bulletin: Stored Cross-Site Scripting Vulnerability Affects IBM Emptoris Sourcing (CVE-2020-4895)

https://www.ibm.com/blogs/psirt/security-bulletin-stored-cross-site-scripting-vulnerability-affects-ibm-emptoris-sourcing-cve-2020-4895/


Security Bulletin: IBM Event Streams is affected by multiple Go vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affected-by-multiple-go-vulnerabilities/


Security Bulletin: Upgrade to IBP v2.5.1 to address recent concerns/issues with Golang versions other than 1.14.12

https://www.ibm.com/blogs/psirt/security-bulletin-upgrade-to-ibp-v2-5-1-to-address-recent-concerns-issues-with-golang-versions-other-than-1-14-12/


Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM SDK, Java Technology Edition

https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-management-system-monitor-is-affected-by-a-vulnerability-in-ibm-sdk-java-technology-edition-3/


Security Bulletin: Communication between burst buffer processes not properly secured

https://www.ibm.com/blogs/psirt/security-bulletin-communication-between-burst-buffer-processes-not-properly-secured/


Security Bulletin: Lucky 13 Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2020-4898)

https://www.ibm.com/blogs/psirt/security-bulletin-lucky-13-vulnerability-affects-ibm-emptoris-strategic-supply-management-platform-cve-2020-4898/


Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2020 - Includes Oracle Oct 2020 CPU minus CVE-2020-14782 affects Liberty for Java for IBM Cloud

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020-includes-oracle-oct-2020-cpu-minus-cve-2020-14782-affects-liberty-for-java-for-ibm-cloud/


Security Bulletin: Information Disclosure Vulnerability Affects IBM Emptoris Spend Analysis (CVE-2020-4897)

https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-affects-ibm-emptoris-spend-analysis-cve-2020-4897/


Security Bulletin: IBM Cloud Pak for Integration is affected by multiple Node.js vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-affected-by-multiple-node-js-vulnerabilities-2/