Daily summary - 21.01.2021

End-of-Day report

Timeframe: Wednesday 20-01-2021 18:00 - Thursday 21-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner

News

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop

One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. How exactly does the jump from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP, Raindrop, and others) happen? What code gets triggered, and what indicators should defenders look for?

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/


Powershell Dropping a REvil Ransomware, (Thu, Jan 21st)

I spotted a piece of Powershell code that deserved some investigation because it makes use of RunSpaces. The file (SHA256: e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59!

https://isc.sans.edu/diary/rss/27012
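A small triage helper, added here as an example and not taken from the ISC diary: it hashes a PowerShell file, compares the SHA-256 against the indicator listed in the entry above, and flags the Runspace API surface (RunspaceFactory, PowerShell.Create, AddScript) that scripts of this kind use to run code outside the calling pipeline. The regular expressions and the thresholds for "suspicious" are assumptions for illustration; the two sample scripts are constructed, not samples from the diary.

```python
"""Triage helper for PowerShell files: IOC hash match plus Runspace-usage heuristics.

Added example, not code from the ISC diary. Patterns and scoring are assumptions;
the sample scripts below are constructed for the demonstration.
"""
import hashlib
import re
import sys
from dataclasses import dataclass, field

# SHA-256 listed in the diary entry above.
KNOWN_BAD_SHA256 = {
    "e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf",
}

# Heuristic indicators (assumed): ordinary .NET/PowerShell identifiers used to
# create a separate runspace and push a script block into it.
RUNSPACE_PATTERNS = {
    "runspace_factory": re.compile(r"RunspaceFactory\]::Create(Runspace|RunspacePool)", re.I),
    "powershell_create": re.compile(r"\[(System\.Management\.Automation\.)?PowerShell\]::Create\(", re.I),
    "add_script": re.compile(r"\.AddScript\(", re.I),
    "begin_invoke": re.compile(r"\.BeginInvoke\(", re.I),
    "from_base64": re.compile(r"\[Convert\]::FromBase64String\(", re.I),
}


@dataclass
class Verdict:
    sha256: str
    known_ioc: bool
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Hash match is definitive; otherwise require a runspace/PowerShell object
        # *and* a script being loaded into it, to avoid flagging casual Invoke() use.
        if self.known_ioc:
            return True
        hits = set(self.indicators)
        creates_runspace = bool(hits & {"runspace_factory", "powershell_create"})
        return creates_runspace and "add_script" in hits


def triage(data: bytes) -> Verdict:
    """Hash the file bytes and collect Runspace indicators from its text."""
    digest = hashlib.sha256(data).hexdigest()
    text = data.decode("utf-8", errors="ignore")
    hits = [name for name, pat in RUNSPACE_PATTERNS.items() if pat.search(text)]
    return Verdict(sha256=digest, known_ioc=digest in KNOWN_BAD_SHA256, indicators=hits)


# Constructed sample: runs a script block in a fresh runspace (benign payload).
SAMPLE_RUNSPACE_SCRIPT = r"""
$rs = [RunspaceFactory]::CreateRunspace()
$rs.Open()
$ps = [PowerShell]::Create()
$ps.Runspace = $rs
$null = $ps.AddScript('Write-Output "hello"')
$handle = $ps.BeginInvoke()
"""

# Constructed sample: plain administration one-liner, no runspace API.
SAMPLE_BENIGN_SCRIPT = r"""
Get-Process | Where-Object CPU -gt 10 | Sort-Object CPU -Descending
"""


def triage_samples() -> dict:
    """Run both constructed samples; used for a quick self-check."""
    return {
        "runspace": triage(SAMPLE_RUNSPACE_SCRIPT.encode()),
        "benign": triage(SAMPLE_BENIGN_SCRIPT.encode()),
    }


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for name, v in triage_samples().items():
            print(f"{name}: suspicious={v.suspicious} ioc={v.known_ioc} {v.indicators}")
    for p in paths:
        with open(p, "rb") as fh:
            v = triage(fh.read())
        print(f"{p}: sha256={v.sha256} suspicious={v.suspicious} ioc={v.known_ioc} {v.indicators}")
```

Run it with one or more `.ps1` paths to triage real files, or with no arguments to see the two constructed samples scored. The hash check is exact; the pattern check is a heuristic and will also match legitimate tooling that uses runspaces (parallel job helpers, for instance), so treat a hit as a reason to look, not a conviction.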


Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw

A Russian researcher has made public on GitHub a functional exploit targeting a critical vulnerability that SAP patched in its Solution Manager product in March 2020.

https://www.securityweek.com/scanning-activity-detected-after-release-exploit-critical-sap-solman-flaw

Vulnerabilities

Security updates for Thursday

Security updates have been issued by Debian (mutt), Fedora (libntlm, mingw-python-pillow, python-pillow, and sudo), Mageia (kernel), SUSE (gdk-pixbuf, perl-Convert-ASN1, samba, and yast2-multipath), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.4, linux-hwe-5.8, linux-oracle).

https://lwn.net/Articles/843413/


Security Bulletin: Vulnerabilities in IBM WebSphere Liberty affect IBM Watson Machine Learning Accelerator

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-websphere-liberty-affects-ibm-waston-machine-learning-accelerator/


Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-security-vulnerabilities-4/


Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are affected by vulnerabilities in Apache Xerces-C 3.0.0 to 3.2.2 XML parser (CVE-2018-1311)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-ibm-integration-bus-are-affected-by-vulnerabilities-in-apache-xerces-c-3-0-0-to-3-2-2-xml-parser-cve-2018-1311/


Security Bulletin: Vulnerabilities in IBM WebSphere Liberty affect IBM Watson Machine Learning Accelerator (second bulletin)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-websphere-liberty-affects-ibm-waston-machine-learning-accelerator-2/


Security Bulletin: Vulnerability in gencore affects AIX (CVE-2020-4887)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-gencore-affects-aix-cve-2020-4887/


Security Bulletin: Vulnerability in Apache Ant affects IBM Spectrum Symphony

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-ant-affects-ibm-spectrum-symphony/


Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10693)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2020-10693/


Security Bulletin: Vulnerability in Google Guava affects WebSphere Service Registry and Repository (CVE-2018-10237)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-google-guava-affects-websphere-service-registry-and-repository-cve-2018-10237/


Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4969)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2020-4969/


Security Bulletin: Rational Test Control Panel affected by Spring Framework vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-rational-test-control-panel-affected-by-spring-framework-vulnerability/


Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4958)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2020-4958/


Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4966)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2020-4966/


XSA-360

https://xenbits.xen.org/xsa/advisory-360.html


Drupal: Vulnerability allows execution of arbitrary code with the privileges of the service

http://www.cert-bund.de/advisoryshort/CB-K21-0081