End-of-Day report
Timeframe: Friday 15-10-2021 18:00 - Monday 18-10-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes
News
Fraud against companies: the threats businesses and their employees should know about!
Online fraud does not only affect private individuals; companies are also a popular target for cybercriminals. Attacks are not aimed solely at a company's technical infrastructure, however; they mainly target its employees. As part of the -CyberSec- project, Watchlist Internet therefore wants to devote more attention to the topic of fraud against companies, in order to strengthen businesses in the area of internet security.
https://www.watchlist-internet.at/news/unternehmensbetrug-diese-gefahren-sollten-unternehmen-und-ihre-mitarbeiterinnen-kennen/
REvil ransomware shuts down again after Tor sites were hijacked
The REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog.
https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/
Microsoft asks admins to patch PowerShell to fix WDAC bypass
Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials.
https://www.bleepingcomputer.com/news/microsoft/microsoft-asks-admins-to-patch-powershell-to-fix-wdac-bypass/
Warranty Repairs and Non-Removable Storage Risks, (Fri, Oct 15th)
I have been asked several times in recent months about addressing risks of warranty repair service of laptops/tablets. With each of these situations, the question boiled down to the same underlying issue: non-removable storage.
https://isc.sans.edu/diary/rss/27938
Malicious PowerShell Using Client Certificate Authentication, (Mon, Oct 18th)
Attackers have many ways to protect their C2 servers from unwanted connections. They can check some specific headers, the user-agent, the IP address location (GeoIP), etc. I spotted an interesting PowerShell sample that implements a client certificate authentication mechanism to access its C2 server.
https://isc.sans.edu/diary/rss/27944
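The diary above describes an implant that presents a client certificate before its C2 will talk to it. The following Go program is an added example, not the PowerShell sample from the diary and not ISC code: it generates a throwaway CA, a server certificate and one implant certificate in memory, starts a loopback TLS listener that requires a CA-signed client certificate, and then beacons to it once without and once with that certificate. The certificate names, the check-in line, the reply text and the loopback-only setup are assumptions made for the demonstration. It shows why an analyst or sandbox that replays the C2 URL without the certificate material carried by the script never receives a second stage.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues an in-memory Ed25519 certificate for cn: self-signed when parent is nil (the throwaway CA), otherwise signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a lab
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // loopback lab only
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// serveC2 starts a loopback TLS listener whose handshake only completes for clients presenting a certificate signed by the CA in pool.
func serveC2(srv tls.Certificate, pool *x509.CertPool) (addr string) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srv},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the gate
		ClientCAs:    pool,
	})
	must(err)
	go func() { // handles one connection at a time, enough for this lab
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			if _, err := bufio.NewReader(c).ReadString('\n'); err == nil { // first Read runs the handshake; it fails without a valid client certificate
				fmt.Fprint(c, "tasking: sleep 60\n") // assumed reply format
			}
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// beacon plays the implant, or an analyst replaying its URL: it presents clientCert when given, sends one check-in line and returns the reply.
func beacon(addr string, pool *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: pool}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err // a TLS 1.2 server rejects already here
	}
	defer conn.Close()
	if _, err := fmt.Fprint(conn, "checkin host=LAB-PC\n"); err != nil { // assumed check-in line
		return "", err
	}
	return bufio.NewReader(conn).ReadString('\n') // under TLS 1.3 the rejection surfaces here
}

// Demo builds the PKI, beacons without and then with the implant certificate, and reports whether the first was rejected and what the second received.
func Demo() (rejectedWithoutCert bool, reply string, err error) {
	_, caCert, caKey := newCert("lab-ca", true, nil, nil)
	srv, _, _ := newCert("c2", false, caCert, caKey)
	implant, _, _ := newCert("implant-0001", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	addr := serveC2(srv, pool)
	_, errNoCert := beacon(addr, pool, nil)
	reply, err = beacon(addr, pool, &implant)
	return errNoCert != nil, reply, err
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run`; it needs no network beyond loopback. The point for triage is that the certificate material embedded in such a script is as valuable an artifact as the C2 URL: without it the server cannot be queried, and a sandbox that strips or cannot use it will report a dead C2.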
Security Risks with Private 5G in Manufacturing Companies
Private 5G is said to bring about the "democratization of communications." This technology allows private companies and local governments to take the driving seat in operating the latest information communication systems.
https://www.trendmicro.com/en_us/research/21/j/security-risks-with-private-5g-in-manufacturing-companies-part-2.html
Ransomware in a global context
This report is the first step in what we hope will become an ongoing community effort to discover and share actionable information on malware trends. Over the last 16 years, we have processed more than 2 million files per day across 232 countries.
https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf
Case Study: From BazarLoader to Network Reconnaissance
BazarLoader Windows-based malware provides backdoor access that criminals can use to perform reconnaissance to map the victim's network.
https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/
This particularly dangerous phishing attack features a weaponized Excel file
Security researchers warn about a sneaky phishing campaign from one of the most creative cybercrime groups on the internet.
https://www.zdnet.com/article/this-particularly-dangerous-phishing-attack-features-a-weaponized-excel-file/
Virus Bulletin: Old malware never dies - it just gets more targeted
Putting a precision payload on top of more generic malware makes perfect sense for malware operators.
https://www.welivesecurity.com/2021/10/15/virus-bulletin-old-malware-never-dies-gets-more-targeted/
IcedID to XingLocker Ransomware in 24 hours
Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early [...]
https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
ASEC Weekly Malware Statistics (October 4th, 2021 - October 10th, 2021)
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 4th, 2021 (Monday) to October 10th, 2021 (Sunday). For the main category, info-stealer ranked top with 68.4%, followed by Downloader with 12.6%, RAT (Remote Administration Tool) malware with 8.6%, Backdoor Downloader with 6.3%, Ransomware with 3.7%, and Banking malware with 0.3%.
https://asec.ahnlab.com/en/27824/
Vulnerabilities
WordPress: popular plugin "WP Fastest Cache" urgently needs an update
Update now: the caching plugin WP Fastest Cache had vulnerabilities that, under certain conditions, made WordPress installations attackable.
https://heise.de/-6220994
2021-10 Security Bulletin: CTPView: HSTS not being enforced on CTPView server. (CVE-2021-0296)
The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS).
https://kb.juniper.net/InfoCenter/index/content&id=JSA11210
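The CTPView advisory above concerns a server that does not send an HSTS policy. As an added example, not Juniper's code and not a test run against CTPView, the Go program below evaluates a response's Strict-Transport-Security header the way a browser would (first header value only, directive names case-insensitive) and reports the usual weaknesses: header absent, max-age missing, non-numeric or zero, max-age under a year, includeSubDomains absent. The one-year floor, the finding texts and the sample header values in main are assumptions and constructed data.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// OneYear is the max-age floor (seconds) that preload lists and most scanners expect; an assumed policy threshold.
const OneYear = 31536000

// CheckHSTS evaluates the Strict-Transport-Security header and returns findings; an empty list means the policy is enforced and reasonably strong.
func CheckHSTS(h http.Header) []string {
	raw := h.Get("Strict-Transport-Security")
	if raw == "" {
		return []string{"no Strict-Transport-Security header: HSTS is not enforced"}
	}
	directives := map[string]string{}
	for _, part := range strings.Split(raw, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		name := strings.ToLower(strings.TrimSpace(kv[0]))
		if name == "" {
			continue
		}
		value := ""
		if len(kv) == 2 {
			value = strings.Trim(strings.TrimSpace(kv[1]), `"`)
		}
		directives[name] = value
	}
	maxAge, ok := directives["max-age"]
	if !ok {
		return []string{"max-age directive missing: browsers ignore the header entirely"}
	}
	var findings []string
	secs, err := strconv.ParseInt(maxAge, 10, 64)
	switch {
	case err != nil || secs < 0:
		findings = append(findings, "max-age is not a non-negative integer: browsers ignore the header")
	case secs == 0:
		findings = append(findings, "max-age=0 clears the policy instead of enforcing it")
	case secs < OneYear:
		findings = append(findings, fmt.Sprintf("max-age=%d is below the one-year floor (%d)", secs, OneYear))
	}
	if _, ok := directives["includesubdomains"]; !ok {
		findings = append(findings, "includeSubDomains missing: subdomains can still be reached over plain HTTP")
	}
	return findings
}

// CheckURL fetches url and runs CheckHSTS on the live response; browsers only honour HSTS received over TLS, so a plain-HTTP answer is reported as such.
func CheckURL(url string) ([]string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.TLS == nil {
		return []string{"response was not delivered over TLS: browsers ignore HSTS on plain HTTP"}, nil
	}
	return CheckHSTS(resp.Header), nil
}

func main() {
	// Constructed sample header values, not captured from any real server.
	samples := map[string]string{
		"missing header": "",
		"weak policy":    "max-age=300",
		"cleared policy": "max-age=0; includeSubDomains",
		"sound policy":   "max-age=31536000; includeSubDomains; preload",
	}
	for name, value := range samples {
		h := http.Header{}
		if value != "" {
			h.Set("Strict-Transport-Security", value)
		}
		fmt.Printf("%-15s %v\n", name+":", CheckHSTS(h))
	}
}
```

Point CheckURL at an HTTPS management interface to reproduce the class of finding in the bulletin; the remedy is always server-side, i.e. sending the header on every HTTPS response, which for a vendor appliance means applying the vendor's fix rather than a proxy workaround.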
2021-10 Security Bulletin: Junos OS: MX Series: Receipt of specific packet on MS-MPC/MS-MIC causes line card reset (CVE-2021-31351)
An Improper Check for Unusual or Exceptional Conditions in packet processing on the MS-MPC/MS-MIC utilized by Juniper Networks Junos OS allows a malicious attacker to send a specific packet, triggering the MS-MPC/MS-MIC to reset, causing a Denial of Service (DoS).
https://kb.juniper.net/InfoCenter/index/content&id=JSA11216
Security updates for Monday
Security updates have been issued by Debian (amd64-microcode, libreoffice, linux-4.19, and nghttp2), Fedora (chromium, libopenmpt, vim, and xen), openSUSE (firefox, kernel, krb5, libaom, and opera), Oracle (thunderbird), SUSE (firefox, firefox, rust-cbindgen, iproute2, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, and krb5), and Ubuntu (nginx).
https://lwn.net/Articles/873210/
128 Technology Session Smart Router vulnerable to authentication bypass
https://jvn.jp/en/jp/JVN85073657/
Eclipse Jetty vulnerability CVE-2021-28165
https://support.f5.com/csp/article/K15338344?utm_source=f5support&utm_medium=RSS
Node.js vulnerabilities CVE-2021-3672 and CVE-2021-22931
https://support.f5.com/csp/article/K53225395?utm_source=f5support&utm_medium=RSS
OTRS: Multiple vulnerabilities
https://www.cert-bund.de/advisoryshort/CB-K21-1077
Security Bulletin: IBM Cloud Pak for Integration is vulnerable to jzsip (CVE-2021-23413)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-jzsip-cve-2021-23413/
Security Bulletin: A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring-framework-affects-ibm-watson-machine-learning-accelerator-2/
Security Bulletin: Cross site scripting vulnerability affecting Case Builder in IBM Business Automation Workflow - CVE-2021-29878
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-affecting-case-builder-in-ibm-business-automation-workflow-cve-2021-29878/
Security Bulletin: Multiple Security Vulnerabilities Have been addressed in IBM Security Access Manager
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-addressed-in-ibm-security-access-manager/
Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Node.js vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-multiple-node-js-vulnerabilities/
Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-multiple-go-vulnerabilities/