Daily summary - 28.01.2021

End-of-Day report

Timeframe: Wednesday 27-01-2021 18:00 - Thursday 28-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer

News

Emotet vs. Windows Attack Surface Reduction, (Thu, Jan 28th)

Emotet malware in the form of malicious Word documents continued to make the rounds over the past weeks, and the samples initially often had pretty poor anti-virus coverage (Virustotal).

https://isc.sans.edu/diary/rss/27036


Italy CERT Warns of a New Credential Stealing Android Malware

Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video.

https://thehackernews.com/2021/01/italy-cert-warns-of-new-credential.html


CISA Malware Analysis on Supernova

CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts.

https://us-cert.cisa.gov/ncas/current-activity/2021/01/27/cisa-malware-analysis-supernova


Pro-Ocean: Rocke Group's New Cryptojacking Malware

In 2019, Unit 42 researchers documented cloud-targeted malware used by the Rocke Group to conduct cryptojacking attacks to mine for Monero.

https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/


US and Bulgarian authorities disrupt NetWalker ransomware operation

Authorities seize dark web domains, charge a Canadian, and seize $454,000 in cryptocurrency.

https://www.zdnet.com/article/us-and-bulgarian-authorities-dirsupt-netwalker-ransomware-operation/


Stack Overflow: Here's what happened when we were hacked back in 2019

Company goes into detail on how a hacker used Overflow's community knowledge-sharing to figure out how to hack it back in 2019.

https://www.zdnet.com/article/stack-overflow-heres-what-happened-when-we-were-hacked-back-in-2019/

Vulnerabilities

Google Chrome blocks 7 more ports to stop NAT Slipstreaming attacks

Google Chrome now blocks access to websites on an additional seven TCP ports to protect against the NAT Slipstreaming 2.0 vulnerability.

https://www.bleepingcomputer.com/news/security/google-chrome-blocks-7-more-ports-to-stop-nat-slipstreaming-attacks/


The Wordfence 2020 WordPress Threat Report

Over the course of 2020, and in the process of protecting over 4 million WordPress customers, the Wordfence Threat Intelligence team gathered a massive amount of raw data from attacks targeting WordPress [...]

https://www.wordfence.com/blog/2021/01/the-wordfence-2020-wordpress-threat-report/


Windows Installer Local Privilege Escalation 0day Gets a Micropatch

On December 26, security researcher Abdelhamid Naceri published a blog post with a number of 0days in various security products and a local privilege escalation 0day in Windows Installer.

https://blog.0patch.com/2021/01/windows-installer-local-privilege.html


Local Privilege Escalation 0day in PsExec Gets a Micropatch

Update 1/28/2021: Since our publication of the micropatch for PsExec version 2.2, PsExec has been updated to versions 2.30, 2.31 and finally 2.32, where it still resides today. David was able to update his POC for each version, so the current version 2.32 is still vulnerable to the same attack.

https://blog.0patch.com/2021/01/local-privilege-escalation-0day-in.html


Security updates for Thursday

Security updates have been issued by Debian (ansible, firefox-esr, and slurm-llnl), Fedora (firefox, nss, php-pear, seamonkey, and thunderbird), Gentoo (phpmyadmin and telegram-desktop), openSUSE (chromium and python-autobahn), Oracle (firefox and sudo), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (ceph, kernel, linux, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-aws, linux-kvm, linux-oracle, linux-raspi2,[...]

https://lwn.net/Articles/844366/


SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro OfficeScan XG SP1

https://success.trendmicro.com/solution/000284205


SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service

https://success.trendmicro.com/solution/000284202


SECURITY BULLETIN: January 2021 Security Bulletin for Trend Micro Worry-Free Business Security 10 SP1 and Worry-Free Business Security Services

https://success.trendmicro.com/solution/000284206


JasPer: Vulnerability allows execution of arbitrary code with the privileges of the service

http://www.cert-bund.de/advisoryshort/CB-K21-0100


Drupal: Multiple vulnerabilities allow bypassing of security measures

http://www.cert-bund.de/advisoryshort/CB-K21-0099