Tageszusammenfassung - 22.10.2021

End-of-Day report

Timeframe: Donnerstag 21-10-2021 18:00 - Freitag 22-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner


Evil Corp demands $40 million in new Macaw ransomware attacks

Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.


Hacking gang creates fake firm to hire pentesters for ransomware attacks

The FIN7 hacking group is attempting to join the highly profitable ransomware space by creating fake cybersecurity companies that conduct network attacks under the guise of pentesting.


Using Kerberos for Authentication Relay Attacks

This blog post is a summary of some research I've been doing into relaying Kerberos authentication in Windows domain environments. To keep this blog shorter I am going to assume you have a working knowledge of Windows network authentication, and specifically Kerberos and NTLM. For a quick primer on Kerberos see this page which is part of Microsoft's Kerberos extension documentation or you can always read RFC4120.


Windows Exploitation Tricks: Relaying DCOM Authentication

In my previous blog post I discussed the possibility of relaying Kerberos authentication from a DCOM connection. I was originally going to provide a more in-depth explanation of how that works, but as it's quite involved I thought it was worthy of its own blog post. This is primarily a technique to get relay authentication from another user on the same machine and forward that to a network service such as LDAP. You could use this to escalate privileges on a host using a technique similar to a blog post from Shenanigans Labs but removing the requirement for the WebDAV service. Let's get straight to it.


GPS Daemon (GPSD) Rollover Bug

Critical Infrastructure (CI) owners and operators and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices should be aware of a GPS Daemon (GPSD) bug in GPSD versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021). On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1,024 weeks-to March 2002-which may cause systems and services to become unavailable or unresponsive. CISA urges affected CI owners and operators to ensure systems-that use GPSD to obtain timing information from GPS devices-are using GPSD version 3.23 (released August 8, 2021) or newer.


CVE-2021-28632 & CVE-2021-39840: Bypassing Locks in Adobe Reader

Over the past few months, Adobe has patched several remote code execution bugs in Adobe Acrobat and Reader that were reported by researcher Mark Vincent Yason (@MarkYason) through our program. Two of these bugs, in particular, CVE-2021-28632 and CVE-2021-39840, are related Use-After-Free bugs even though they were patched months apart. Mark has graciously provided this detailed write-up of these vulnerabilities and their root cause.


ASEC Weekly Malware Statistics (October 11th, 2021 - October 17th, 2021)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 11th, 2021 (Monday) to October 17th, 2021 (Sunday). For the main category, info-stealer ranked top with 58.2%, followed by Downloader with 24.6%, RAT (Remote Administration Tool) malware with 7.4%, Backdoor malware with 4.7%, Ransomware with 4.1%, and Banking malware with 0.9%.



Cisco SD-WAN Security Bug Allows Root Code Execution

The high-severity bug, tracked as CVE-2021-1529, is an OS command-injection flaw.


Security updates for Friday

Security updates have been issued by Arch Linux (apache, chromium, nodejs, nodejs-lts-erbium, nodejs-lts-fermium, and virtualbox), Fedora (vsftpd and watchdog), Oracle (java-1.8.0-openjdk, java-11-openjdk, and redis:6), and Ubuntu (libcaca, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-azure-5.8, and mailman).


Pulse Secure Pulse Connect Secure: Schwachstelle ermöglicht Denial of Service


QNAP NAS: Schwachstelle ermöglicht Codeausführung


Security Bulletin: PostgreSQL Vulnerability Affects IBM Connect:Direct Web Service (CVE-2021-32028)


Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995)


Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway


Security Bulletin: Cross-Site scripting vulnerability affect IBM Business Automation Workflow - CVE-2021-29835