End-of-Day report
Timeframe: Friday 08-01-2021 18:00 - Monday 11-01-2021 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Bitcoin surge plays into the hands of fraudulent platforms
The renewed surge of Bitcoin is generating great media interest and continuous coverage. Criminals are exploiting this attention as well: they advertise fraudulent investment platforms with fabricated news articles. Caution: anyone who invests in such platforms loses their money! Losses amounting to several hundred thousand euros are not uncommon.
https://www.watchlist-internet.at/news/bitcoin-hoehenflug-spielt-betruegerischen-plattformen-in-die-karten/
New version of Sysinternals released, Process Hollowing detection added in Sysmon, new registry access detection added to Procmon https://docs.microsoft.com/en-us/sysinternals/, (Mon, Jan 11th)
https://isc.sans.edu/diary/rss/26972
Using the NVD Database and API to Keep Up with Vulnerabilities and Patches - Tool Drop: CVEScan (Part 3 of 3), (Mon, Jan 11th)
Now with a firm approach to or putting an inventory and using the NVD API (https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Part+1+of+3/26958/ and https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Playing+with+Code+Part+2+of+3/26964/), for any client I typically create 4 inventories: [...]
https://isc.sans.edu/diary/rss/26974
Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques. This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
https://us-cert.cisa.gov/ncas/alerts/aa21-008a
How I stole the data in millions of people's Google accounts
As many of you may have suspected, this post is not entirely truthful. I have not released this fitness app onto the Play Store, nor have I collected millions of master tokens. ... But yes, these methods do work. I absolutely could release such an app, and so could anyone else (and maybe they have).
https://ethanblake4.medium.com/how-i-stole-the-data-in-millions-of-peoples-google-accounts-aa1b72dcc075
Free decrypter released for victims of Darkside ransomware
A new tool released today by Romanian security firm Bitdefender allows victims of the Darkside ransomware to recover their files without paying the ransom demand.
https://www.zdnet.com/article/free-decrypter-released-for-victims-of-darkside-ransomware/
Trickbot Still Alive and Well
In October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command infiltrating [...]
https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
Shodan Verified Vulns 2020-12-01
In December, too, we want to take a look at the vulnerabilities that Shodan sees in Austria. The following graphic is based on the data from 2020-12-01: the data once again show hardly any change compared to the previous months: the decline in SSL vulnerabilities essentially continues, even though, for the first time since we started collecting the data (i.e. since 2020-09), the changes are only in the double-digit range. An overview of the development so far is provided by the [...]
https://cert.at/de/aktuelles/2020/12/shodan-verified-vulns-2020-12
Vulnerabilities
Typeform fixes Zendesk Sell form data hijacking vulnerability
Online survey and form creator Typeform has quietly patched a data hijacking vulnerability in its Zendesk Sell integration. If exploited, the vulnerability could let attackers redirect form submissions containing potentially sensitive information to themselves.
https://www.bleepingcomputer.com/news/security/typeform-fixes-zendesk-sell-form-data-hijacking-vulnerability/
QNAP: Command Injection Vulnerability in QTS and QuTS hero
CVE identifier: CVE-2020-2508
Affected products: All QNAP NAS
Summary: A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application.
https://www.qnap.com/de-de/security-advisory/QSA-21-01
Security updates for Monday
Security updates have been issued by Arch Linux (chromium, firefox, and mbedtls), Debian (coturn), Fedora (firefox, flac, and nodejs), Gentoo (ark, chromium, dovecot, firefox, firejail, ipmitool, nodejs, and pillow), Mageia (alpine, c-client, binutils, busybox, cherokee, firefox, golang, guava, imagemagick, libass, openexr, squirrelmail, tomcat, and xrdp), openSUSE (chromium, cobbler, rpmlint, and tomcat), Oracle (kernel), Red Hat (firefox, libpq, and openssl), SUSE (python-defusedxml, [...]
https://lwn.net/Articles/842304/
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-1-8-affect-ibm-sterling-secure-proxy-3/
Security Bulletin: An Eclipse Jetty Vulnerability Affects IBM Sterling Secure External Authentication Server (CVE-2020-27216)
https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerability-affects-ibm-sterling-secure-external-authentication-server-cve-2020-27216/
Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Sterling Secure Proxy (CVE-2020-27216)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-jetty-affects-ibm-sterling-secure-proxy-cve-2020-27216/
Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling External Authentication Server
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-sterling-external-authentication-server-3/
Security Bulletin: IBM DataPower Gateway Java security update
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-java-security-update/
Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2020-4869)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-denial-of-service-vulnerability-cve-2020-4869/
Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Sterling Secure Proxy (CVE-2020-13920)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-activemq-affects-ibm-sterling-secure-proxy-cve-2020-13920/