Daily summary - 19.01.2021

End-of-Day report

Timeframe: Monday 18-01-2021 18:00 - Tuesday 19-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner

News

Linux Devices Under Attack by New FreakOut Malware

The FreakOut malware is adding infected Linux devices to a botnet, in order to launch DDoS and cryptomining attacks.

https://threatpost.com/linux-attack-freakout-malware/163137/


Researchers Discover Raindrop - 4th Malware Linked to the SolarWinds Attack

Cybersecurity researchers have unearthed a fourth new malware strain, designed to spread the malware onto other computers in victims' networks, which was deployed as part of the SolarWinds supply chain attack disclosed late last year. Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as Sunspot, Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks.

https://thehackernews.com/2021/01/researchers-discover-raindrop-4th.html


Set a new password now! OpenWrt forum hacked

Attackers were able to access user data of the OpenWrt forum, where users of the alternative operating system for routers and other devices exchange information.

https://heise.de/-5028697


Three Word Passwords

The National Cyber Security Centre (NCSC) has advocated the use of three random words for several years to create strong passwords, and that advice has been repeated recently by the National Crime Agency and multiple police forces in the UK. But just how strong are these passwords?

https://www.pentestpartners.com/security-blog/three-word-passwords/
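The question above can be answered with a short calculation. The following is an added worked example, not code from the NCSC or from the Pentest Partners post: it contrasts what a naive length-based meter assumes (every character independent) with the keyspace an attacker who knows the "three random words" scheme and the dictionary actually has to search. The dictionary sizes (7776, the Diceware list size, and 100,000 as a large everyday vocabulary), the average word length and the guess rates are assumptions for illustration.

```python
import math

# Added worked example (not from the NCSC or Pentest Partners). Dictionary
# sizes, word length and guess rates below are assumptions for illustration.

def keyspace(dictionary_size, words=3):
    """Number of distinct passphrases when `words` words are drawn uniformly,
    with replacement, from a dictionary of `dictionary_size` words, and the
    attacker knows both the scheme and the dictionary."""
    return dictionary_size ** words

def scheme_bits(dictionary_size, words=3):
    """Entropy in bits of the scheme-aware keyspace."""
    return words * math.log2(dictionary_size)

def charset_bits(length, charset_size):
    """What a naive length-based meter assumes: every position independent
    and uniform over `charset_size` symbols (e.g. 26 for lowercase)."""
    return length * math.log2(charset_size)

def seconds_to_exhaust(space, guesses_per_second):
    """Time to try the whole keyspace at a given guess rate."""
    return space / guesses_per_second

def compare(dictionary_size, avg_word_len=6, words=3,
            rates=(10.0, 1e4, 1e10)):
    """Return one row per guess rate with naive bits, scheme-aware bits and
    exhaustive search time. The three assumed rates stand for a throttled
    online login, an unthrottled online service and an offline attack on a
    fast unsalted hash."""
    space = keyspace(dictionary_size, words)
    rows = []
    for r in rates:
        rows.append({
            "rate": r,
            "naive_bits": round(charset_bits(avg_word_len * words, 26), 1),
            "scheme_bits": round(scheme_bits(dictionary_size, words), 1),
            "exhaust_seconds": seconds_to_exhaust(space, r),
        })
    return rows

if __name__ == "__main__":
    for n in (7776, 100_000):
        for row in compare(n):
            print(n, row)
```

For three six-letter words the naive estimate is about 85 bits, while the scheme-aware keyspace of a 7776-word list is under 39 bits: an offline attacker guessing at 10^10 hashes per second exhausts it in under a minute, whereas a throttled online login (10 guesses per second) still takes centuries. The strength of the scheme therefore depends on the dictionary size and on whether the hash ever leaks, not on the character count.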


All That for a Coinminer?

A threat actor recently brute-forced a local administrator password using RDP and then dumped credentials using Mimikatz. They not only dumped LogonPasswords but also exported all Kerberos tickets ...

https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/
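The initial access described above leaves a characteristic trace in the Windows Security log: a burst of failed logons (Event ID 4625) from one source address, followed by a successful RDP logon (Event ID 4624, LogonType 10) from the same address. The following detection logic is an added example, not code from The DFIR Report; it runs over a constructed, flattened log export whose field names (EventID, LogonType, IpAddress, TargetUserName) are an assumption you would adapt to your SIEM's schema. It counts failures with LogonType 3 as well as 10, because with Network Level Authentication enabled a failed RDP attempt is commonly logged as a type 3 (network) logon on the target.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added detection example (not from The DFIR Report). The line format is an
# assumed flattened export of Windows Security events with the fields
# EventID, LogonType, IpAddress and TargetUserName.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)

def parse_events(log_text):
    """Yield events as dicts, skipping lines that do not match the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "ip": m["ip"],
            "user": m["user"],
        }

def detect_rdp_bruteforce(log_text, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logons (4625) inside `window`
    and record whether a later RDP logon (4624, LogonType 10) from the same
    IP succeeded. Failures count LogonType 10 and 3: with Network Level
    Authentication a failed RDP attempt is commonly logged as type 3."""
    events = sorted(parse_events(log_text), key=lambda e: e["ts"])
    recent = defaultdict(list)     # ip -> timestamps of failures in window
    findings = {}
    for e in events:
        if e["eid"] == 4625 and e["lt"] in (3, 10):
            q = recent[e["ip"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.pop(0)           # expire failures older than the window
            if e["ip"] in findings:
                findings[e["ip"]]["failures"] += 1
            elif len(q) >= threshold:
                findings[e["ip"]] = {"failures": len(q), "first": q[0],
                                     "last": e["ts"], "success": None}
        elif e["eid"] == 4624 and e["lt"] == 10 and e["ip"] in findings:
            findings[e["ip"]]["success"] = e["user"]
            findings[e["ip"]]["last"] = e["ts"]
    return findings

def constructed_sample():
    """Constructed sample log (not real telemetry): 12 password guesses
    against the local Administrator from 203.0.113.45 within 80 seconds,
    then a successful RDP logon, plus two stray failures from 198.51.100.7."""
    base = datetime(2021, 1, 16, 2, 10, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(12):
        t = (base + timedelta(seconds=7 * i)).strftime(fmt)
        lines.append(f"{t} EventID=4625 LogonType=3 IpAddress=203.0.113.45 "
                     f"TargetUserName=Administrator")
    lines.append(f"{(base + timedelta(seconds=95)).strftime(fmt)} EventID=4624 "
                 f"LogonType=10 IpAddress=203.0.113.45 TargetUserName=Administrator")
    for i in (30, 400):            # far apart: stays below the threshold
        t = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{t} EventID=4625 LogonType=3 IpAddress=198.51.100.7 "
                     f"TargetUserName=jdoe")
    return "\n".join(lines)

if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(constructed_sample()).items():
        print(ip, finding)
```

The threshold and window are tuning knobs, not fixed values; a slow, distributed spray will stay under them, so pair this rule with a per-account view. The later steps of the intrusion (Mimikatz reading LSASS, Kerberos ticket export) need separate detections and are not covered here.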

Vulnerabilities

DNSpooq: Multiple vulnerabilities in Dnsmasq

The IT security company JSOF reports multiple vulnerabilities in the DNS server software Dnsmasq, which it has named DNSpooq. They fall into two initially quite different classes of problem: buffer overflows in the processing of DNSSEC records, and insufficient protection against DNS spoofing attacks. ... Dnsmasq has closed the corresponding holes in version 2.83. In many cases, however, installing updates is likely to be difficult: Dnsmasq is very commonly used in embedded devices and also on Android phones, i.e. exactly the devices that often receive no regular security updates. The DNSpooq website lists a whole range of affected vendors along with their security advisories, but the list is probably incomplete.

https://www.golem.de/news/dnspooq-mehrere-sicherheitsluecken-in-dnsmasq-2101-153513-rss.html
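Two facts from the article drive triage: 2.83 is the fixed upstream version, and the overflow class lives in DNSSEC record handling. The helper below is an added example, not code from JSOF or the Dnsmasq project; it reads either the output of `dnsmasq --version` (which prints a "Compile time options" line containing `DNSSEC` or `no-DNSSEC`) or the TXT answer dnsmasq returns for a `version.bind` query in the CHAOS class (a string of the form `dnsmasq-2.80`). The sample strings are constructed.

```python
import re

# Added triage helper (not from JSOF or the Dnsmasq project). Reads
# `dnsmasq --version` output or a version.bind TXT answer ("dnsmasq-2.80").

FIXED_UPSTREAM = (2, 83)   # per the article: 2.83 closes the DNSpooq issues
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)")

def parse_dnsmasq_version(text):
    """Return (major, minor) from the first x.y number in `text`, or None."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def dnssec_compiled(text):
    """True/False if the 'Compile time options' line lists DNSSEC /
    no-DNSSEC, None if that line is absent (e.g. a version.bind answer).
    The DNSpooq overflows are in DNSSEC record handling, so a build without
    DNSSEC is not exposed to that class, but still to the spoofing issues.
    Compiled in is not the same as enabled in the running config."""
    for line in text.splitlines():
        if line.startswith("Compile time options:"):
            opts = line.split(":", 1)[1].split()
            if "no-DNSSEC" in opts:
                return False
            if "DNSSEC" in opts:
                return True
    return None

def triage(text):
    """Classify a dnsmasq instance from its version text. A version below
    2.83 means 'not fixed upstream', not necessarily vulnerable:
    distributions commonly backport fixes without changing the upstream
    version number, so confirm via the package changelog or vendor advisory
    before concluding."""
    v = parse_dnsmasq_version(text)
    if v is None:
        return {"version": None, "upstream_fixed": None, "dnssec": None}
    return {"version": v, "upstream_fixed": v >= FIXED_UPSTREAM,
            "dnssec": dnssec_compiled(text)}

if __name__ == "__main__":
    # Constructed sample outputs in the two formats the helper accepts
    local = ("Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley\n"
             "Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 "
             "no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify")
    print(triage(local))
    print(triage("dnsmasq-2.83"))
```

A result of `upstream_fixed: False` on a distribution package is a prompt to read the vendor advisory (several distributions shipped dnsmasq updates on the same day, as listed below), not a confirmed finding; on embedded devices, where no backport is likely, it is a stronger signal.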


Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerabilities

Multiple vulnerabilities in the Universal Plug and Play (UPnP) service and the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow a remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has not released software updates that address these vulnerabilities. There are no workarounds.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U


Security updates for Tuesday

Security updates have been issued by Debian (gst-plugins-bad1.0), Fedora (flatpak), Red Hat (dnsmasq, kernel, kpatch-patch, libpq, linux-firmware, postgresql:10, postgresql:9.6, and thunderbird), SUSE (dnsmasq), and Ubuntu (dnsmasq, htmldoc, log4net, and pillow).

https://lwn.net/Articles/843142/


Atlassian Confluence: Vulnerability allows denial of service

A remote, authenticated attacker can exploit a vulnerability in Atlassian Confluence to carry out a denial of service attack.

http://www.cert-bund.de/advisoryshort/CB-K21-0052


Philips Interventional Workstations

https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01


Reolink P2P Cameras

https://us-cert.cisa.gov/ics/advisories/icsa-21-019-02