Daily summary - 04.10.2021

End-of-Day report

Timeframe: Friday 01-10-2021 18:00 - Monday 04-10-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter

News

Ransomware: Conti extortion group objects to leaks of its negotiation chats

The cybercriminals behind the Conti ransomware threaten every victim with publication of its data should details of the extortion surface online.

https://heise.de/-6206790


Android banking trojan Hydra targets Commerzbank customers

Online criminals are trying to defraud Commerzbank customers. For the attack to succeed, however, the victims have to play along.

https://heise.de/-6207752


SMS with link to photo album spreads malware

Numerous users report receiving SMS messages with a link to a photo album, supposedly containing private photos that were uploaded there. Warning: the link leads to malware!

https://www.watchlist-internet.at/news/sms-mit-link-zu-fotoalbum-verbreitet-schadsoftware/


Webinar: Internet crime - how to protect yourself!

Internet traps and scams are becoming ever more sophisticated, which makes the ability to recognise the hallmarks of a scam early on all the more important. In a webinar we give you an overview of current threats on the internet and show you how to protect yourself against them.

https://www.watchlist-internet.at/news/webinar-internetkriminalitaet-so-schuetzen-sie-sich/


Endpoint security is needed everywhere

Many endpoints may seem unimportant at first glance, but unprotected systems, with or without internet access, are a gateway for attackers. A comprehensive endpoint security concept is therefore very important for companies of every size.

https://www.zdnet.de/88397023/endpoint-security-ist-ueberall-gefragt/


New Atom Silo ransomware targets vulnerable Confluence servers

Atom Silo, a newly spotted ransomware group, is targeting a recently patched and actively exploited Confluence Server and Data Center vulnerability to deploy their ransomware payloads.

https://www.bleepingcomputer.com/news/security/new-atom-silo-ransomware-targets-vulnerable-confluence-servers/


Innovative Proxy Phantom ATO Fraud Ring Haunts eCommerce Accounts

The group uses millions of password combos at the rate of nearly 2,700 login attempts per second with new techniques that push the ATO envelope.

https://threatpost.com/proxy-phantom-fraud-ecommerce-accounts/175241/


PoC Exploit Released for macOS Gatekeeper Bypass

Rasmus Sten, a software engineer with F-Secure, has released proof-of-concept (PoC) exploit code for a macOS Gatekeeper bypass that Apple patched in April this year. The PoC exploit targets CVE-2021-1810, a vulnerability that can lead to the bypass of all three protections that Apple implemented against malicious file downloads, namely file quarantine, Gatekeeper, and notarization.

https://www.securityweek.com/poc-exploit-released-macos-gatekeeper-bypass


Boutique "Dark" Botnet Hunting for Crumbs

[...] But aside from these more visible botnets, there are smaller, "Boutique" botnets. They go after less common vulnerabilities and pick systems that the major botnets find not lucrative enough to go after. Usually, only a few vulnerable devices are exposed. Taking the animal analogy a bit too far: These are like crustaceans on the ocean floor living off what the predators above discard. One such botnet is "Dark Bot".

https://isc.sans.edu/diary/rss/27898


Expired Let's Encrypt Root Certificate Causes Problems for Many Companies

A root certificate used by Let's Encrypt expired on September 30 and, despite being notified a long time in advance, many companies experienced problems.

https://www.securityweek.com/expired-lets-encrypt-root-certificate-causes-problems-many-companies


BazarLoader and the Conti Leaks

In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor's main priority was to map the domain network, while [...]

https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/


Misconfigured Airflows Leak Thousands of Credentials from Popular Services

Apache Airflow is the #1 starred open-source workflows application on GitHub. Workflow management platforms are an indispensable tool for automating business and IT tasks. These platforms make it easier to create, schedule and monitor workflows. They are typically hosted on the cloud to provide increased accessibility and scalability. On the flip side, misconfigured instances that allow [...]

https://www.intezer.com/blog/cloud-security/misconfigured-airflows-leak-credentials/


Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester

In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share.

https://blog.nviso.eu/2021/10/04/phish-phished-phisher-a-quick-peek-inside-a-telegram-harvester/

Vulnerabilities

Security updates for Monday

Security updates have been issued by Debian (apache2, fig2dev, mediawiki, plib, and qemu), Fedora (chromium, curl, kernel, kernel-headers, kernel-tools, openssh, rust-addr2line, rust-backtrace, rust-cranelift-bforest, rust-cranelift-codegen, rust-cranelift-codegen-meta, rust-cranelift-codegen-shared, rust-cranelift-entity, rust-cranelift-frontend, rust-cranelift-native, rust-cranelift-wasm, rust-gimli, rust-object, rust-wasmparser, rust-wasmtime-cache, rust-wasmtime-environ, [...]

https://lwn.net/Articles/871841/


Shodan Verified Vulns 2021-10-01

As of 2021-10-01, the vulnerability landscape in Austria according to Shodan looked as follows: as in previous months, TLS/SSL vulnerabilities and flaws in Microsoft's Exchange Server dominate the picture. While servers vulnerable to the "ProxyLogon" exploit chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), published and patched in March, have by now become rather rare, those affected by the April and May [...]

https://cert.at/de/aktuelles/2021/10/shodan-verified-vulns-2021-10-01


Multiple vulnerabilities in Rexroth IndraMotion and IndraLogic series

BOSCH-SA-741752: The Rexroth IndraMotion MLC and IndraLogic XLC control system series are affected by multiple vulnerabilities in the web server which, in combination, ultimately enable an attacker to log in to the system.

https://psirt.bosch.com/security-advisories/bosch-sa-741752.html


IBM Security Bulletins

https://www.ibm.com/blogs/psirt/


Netty vulnerability CVE-2021-21295

https://support.f5.com/csp/article/K55834441


OpenSSL vulnerability CVE-2021-3712

https://support.f5.com/csp/article/K19559038


Red Hat Enterprise Linux Advanced Virtualization: multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K21-1026