End-of-Day report
Timeframe: Wednesday 27-01-2021 18:00 - Thursday 28-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
Emotet vs. Windows Attack Surface Reduction, (Thu, Jan 28th)
Emotet malware in the form of malicious Word documents continued to make the rounds over the past weeks, and the samples initially often had pretty poor anti-virus coverage (Virustotal).
https://isc.sans.edu/diary/rss/27036
Italy CERT Warns of a New Credential Stealing Android Malware
Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video.
https://thehackernews.com/2021/01/italy-cert-warns-of-new-credential.html
CISA Malware Analysis on Supernova
CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts.
https://us-cert.cisa.gov/ncas/current-activity/2021/01/27/cisa-malware-analysis-supernova
Pro-Ocean: Rocke Group's New Cryptojacking Malware
In 2019, Unit 42 researchers documented cloud-targeted malware used by the Rocke Group to conduct cryptojacking attacks to mine for Monero.
https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/
US and Bulgarian authorities disrupt NetWalker ransomware operation
Authorities seize dark web domains, charge a Canadian, and seize $454,000 in cryptocurrency.
https://www.zdnet.com/article/us-and-bulgarian-authorities-dirsupt-netwalker-ransomware-operation/
Stack Overflow: Here's what happened when we were hacked back in 2019
Company goes into detail on how a hacker used Stack Overflow's community knowledge-sharing to figure out how to hack it back in 2019.
https://www.zdnet.com/article/stack-overflow-heres-what-happened-when-we-were-hacked-back-in-2019/
Vulnerabilities
Google Chrome blocks 7 more ports to stop NAT Slipstreaming attacks
Google Chrome now blocks access to websites on an additional seven TCP ports to protect against the NAT Slipstreaming 2.0 vulnerability.
https://www.bleepingcomputer.com/news/security/google-chrome-blocks-7-more-ports-to-stop-nat-slipstreaming-attacks/
The Wordfence 2020 WordPress Threat Report
Over the course of 2020, and in the process of protecting over 4 million WordPress customers, the Wordfence Threat Intelligence team gathered a massive amount of raw data from attacks targeting WordPress [...]
https://www.wordfence.com/blog/2021/01/the-wordfence-2020-wordpress-threat-report/
Windows Installer Local Privilege Escalation 0day Gets a Micropatch
On December 26, security researcher Abdelhamid Naceri published a blog post with a number of 0days in various security products and a local privilege escalation 0day in Windows Installer.
https://blog.0patch.com/2021/01/windows-installer-local-privilege.html
Local Privilege Escalation 0day in PsExec Gets a Micropatch
Update 1/28/2021: Since our publication of the micropatch for PsExec version 2.2, PsExec has been updated to versions 2.30, 2.31 and finally 2.32, where it still resides today. David was able to update his PoC for each version, so the current version 2.32 is still vulnerable to the same attack.
https://blog.0patch.com/2021/01/local-privilege-escalation-0day-in.html
Security updates for Thursday
Security updates have been issued by Debian (ansible, firefox-esr, and slurm-llnl), Fedora (firefox, nss, php-pear, seamonkey, and thunderbird), Gentoo (phpmyadmin and telegram-desktop), openSUSE (chromium and python-autobahn), Oracle (firefox and sudo), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (ceph, kernel, linux, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-aws, linux-kvm, linux-oracle, linux-raspi2,[...]
https://lwn.net/Articles/844366/
SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro OfficeScan XG SP1
https://success.trendmicro.com/solution/000284205
SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service
https://success.trendmicro.com/solution/000284202
SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Worry-Free Business Security 10 SP1 and Worry-Free Business Security Services
https://success.trendmicro.com/solution/000284206
JasPer: Vulnerability allows execution of arbitrary code with the privileges of the service
http://www.cert-bund.de/advisoryshort/CB-K21-0100
Drupal: Multiple vulnerabilities allow bypassing security measures
http://www.cert-bund.de/advisoryshort/CB-K21-0099