Daily summary - 13.01.2021

End-of-Day report

Timeframe: Tuesday 12-01-2021 18:00 - Wednesday 13-01-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner

News

Hackers steal Mimecast certificate used to encrypt customers' M365 traffic

Compromise by "sophisticated threat actor" prompts company to issue new certificate.

https://arstechnica.com/?p=1734653


MegaCortex Ransomware: The Cyber-Threat Looming Over Corporate Networks

Cybercriminals only want one thing these days, and that thing is substantial payouts. This is why most hackers focus on big game hunting, directing the vast majority of their efforts towards company networks rather than individual home users.

https://heimdalsecurity.com/blog/megacortex-ransomware/


Hancitor activity resumes after a holiday break, (Wed, Jan 13th)

Campaigns spreading Hancitor malware were active from October through December 2020, but Hancitor went quiet after 2020-12-17. On Tuesday 2021-01-12, criminals started sending malicious spam (malspam) pushing Hancitor again.

https://isc.sans.edu/diary/rss/26980


Obfuscation Techniques in Ransomweb "Ransomware"

As vital assets for many business operations, websites and their hosting servers are often the target of ransomware attacks - and if they get taken offline, this can cause major issues for a business' data, revenue, and ultimately reputation.

https://blog.sucuri.net/2021/01/obfuscation-techniques-in-ransomweb-ransomware.html


A Rare Look Inside a Cryptojacking Campaign and its Profit

This post details an ongoing cryptojacking campaign targeting Linux machines, using exposed Docker API ports as an initial access vector to a victim's machine. The attacker then installs a Golang binary, which is undetected in VirusTotal at the time of this writing.

https://www.intezer.com/blog/research/a-rare-look-inside-a-cryptojacking-campaign-and-its-profit/


Ubiquiti breach, and other IoT security problems

Ubiquiti informed its customers about unauthorized access to its online customer portal. Here's what you need to know.

https://blog.malwarebytes.com/iot/2021/01/ubiquiti-breach-and-other-iot-security-problems/


Rogue Android RAT Can Take Control of Devices, Steal Data

A recently discovered Mobile Remote Access Trojan (MRAT) can take control of the infected Android devices and exfiltrate a trove of user data, Check Point security researchers warn.

https://www.securityweek.com/rogue-android-rat-can-take-control-devices-steal-data


Google reveals sophisticated Windows and Android hacking operation

The attackers used a combination of Android, Chrome, and Windows vulnerabilities, including both zero-day and n-day exploits.

https://www.zdnet.com/article/google-reveals-sophisticated-windows-android-hacking-operation/


Beware of fake invoices from Austria IT, Vicca Security & Online Service Support

We are currently receiving an increasing number of reports of fraudulent e-mails carrying fake invoices from "Austria IT", "Vicca Security" and "Online Service Support".

https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-rechnungen-von-austria-it-vicca-security-online-service-support/

Vulnerabilities

Microsoft January 2021 Patch Tuesday fixes 83 flaws, 1 zero-day

With the January 2021 Patch Tuesday security updates release, Microsoft has released fixes for 83 vulnerabilities, with ten classified as Critical and 73 as Important. There is also one zero-day and one previously disclosed vulnerability fixed as part of the January 2021 updates.

https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2021-patch-tuesday-fixes-83-flaws-1-zero-day/


Microsoft fixes Secure Boot bug allowing Windows rootkit installation

Microsoft has fixed a security feature bypass vulnerability in Secure Boot that allows attackers to compromise the operating system's boot process even when Secure Boot is enabled.

https://www.bleepingcomputer.com/news/security/microsoft-fixes-secure-boot-bug-allowing-windows-rootkit-installation/


Cisco Security Advisories 2021-01-13

0 Critical, 4 High, 19 Medium severity

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2021%2F01%2F13&firstPublishedEndDate=2021%2F01%2F13&limit=50


Security update: critical malicious-code vulnerability in Thunderbird

Mozilla has secured its mail client. Users should update quickly.

https://heise.de/-5022816


Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin

On November 19, 2020, our Threat Intelligence team responsibly disclosed two vulnerabilities in Orbit Fox by ThemeIsle, a WordPress plugin used by over 400,000 sites.

https://www.wordfence.com/blog/2021/01/multiple-vulnerabilities-patched-in-orbit-fox-by-themeisle-plugin/


Security updates for Wednesday

Security updates have been issued by Debian (coturn, imagemagick, and spice-vdagent), Fedora (roundcubemail and sympa), Gentoo (asterisk and virtualbox), Oracle (kernel and kernel-container), Red Hat (dotnet3.1, dotnet5.0, and thunderbird), SUSE (crmsh, firefox, hawk2, ImageMagick, kernel, libzypp, zypper, nodejs10, nodejs14, openstack-dashboard, release-notes-suse-openstack-cloud, and tcmu-runner), and Ubuntu (coturn).

https://lwn.net/Articles/842557/


The installer of SKYSEA Client View may insecurely load Dynamic Link Libraries

https://jvn.jp/en/jp/JVN69635538/


Security Bulletin: CVE-2020-1968 vulnerability in OpenSSL may affect IBM Workload Scheduler

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-1968-vulnerability-in-openssl-may-affect-ibm-workload-scheduler/


Local Privilege Escalation in VMware vRealize Automation (vRA) Guest Agent Service

https://medium.com/@bridge_004/local-privilege-escalation-in-vmware-vrealize-automation-vra-guest-agent-service-a83fbdce1129


SOOIL Dana Diabecare RS Products

https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01


Schneider Electric EcoStruxure Power Build-Rapsody

https://us-cert.cisa.gov/ics/advisories/icsa-21-012-01