Daily summary - 29.10.2021

End-of-Day report

Timeframe: Thursday 28-10-2021 18:00 - Friday 29-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter

News

How ransomware paralysed a city administration for days

Neustadt am Rübenberge was the target of a large IT attack. The case shows how severe the impact can be and what lessons institutions should draw from it.

https://heise.de/-6236592


Fraudulent emails and SMS messages circulating in the name of Volksbank!

Fraudsters are currently increasingly posing as Volksbank in order to obtain the online banking credentials of potential victims by email or SMS. The criminals claim that an app has to be installed or that access to this app has been blocked. Beware: this is phishing and smishing!

https://www.watchlist-internet.at/news/betruegerische-mails-und-sms-im-namen-der-volksbank-im-umlauf/


SEO Poisoning Used to Distribute Ransomware

This tactic - used to distribute REvil ransomware and the SolarMarker backdoor - is part of a broader increase in such attacks in recent months, researchers say.

https://www.darkreading.com/attacks-breaches/seo-poisoning-used-to-distribute-ransomware


Google Chrome is Abused to Deliver Malware as 'Legit' Win 10 App

Malware delivered via a compromised website on Chrome browsers can bypass User Account Controls to infect systems and steal sensitive data, such as credentials and cryptocurrency.

https://threatpost.com/chrome-deliver-malware-as-legit-win-10-app/175884/


Pink, a botnet that competed with the vendor to control the massive infected devices

Most of the following article was completed around early 2020, at that time the vendor was trying different ways to recover the massive amount of infected devices, we shared our findings with the vendor, as well as to CNCERT, and decided to not publish the blog while the vendors working [...]

https://blog.netlab.360.com/pink-en/


This New Android Malware Can Gain Root Access to Your Smartphones

An unidentified threat actor has been linked to a new Android malware strain that features the ability to root smartphones and take complete control over infected smartphones while simultaneously taking steps to evade detection. The malware has been named "AbstractEmu" owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis.

https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.html


Update your OptinMonster WordPress plugin immediately

We look at a recent WordPress plugin compromise, explain what it is, and also what you have to do to ensure your blog and visitors are safe.

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-your-optinmonster-wordpress-plugin-immediately/


Network Scanning Traffic Observed in Public Clouds

Cybercriminals can use scanning results to identify potential victims. We share our observations of network scanning traffic in public clouds.

https://unit42.paloaltonetworks.com/cloud-network-scanning-traffic/


NSA-CISA Series on Securing 5G Cloud Infrastructures

The National Security Agency (NSA) and CISA have published the first of a four-part series, Security Guidance for 5G Cloud Infrastructures. Security Guidance for 5G Cloud Infrastructures - Part I: Prevent and Detect Lateral Movement provides recommendations for mitigating lateral movement attempts by threat actors who have gained initial access to cloud infrastructures.

https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/nsa-cisa-series-securing-5g-cloud-infrastructures

Vulnerabilities

All Windows versions impacted by new LPE zero-day vulnerability

A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions.

https://www.bleepingcomputer.com/news/security/all-windows-versions-impacted-by-new-lpe-zero-day-vulnerability/


Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X

CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities.

https://jvn.jp/en/jp/JVN69304877/


Shrootless: Microsoft finds Apple macOS vulnerability

Shrootless is a vulnerability found in macOS that can bypass the System Integrity Protection by abusing inherited permissions.

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/shrootless-microsoft-finds-apple-vulnerability-in-macos/


XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites

On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site Scripting (XSS) vulnerability we found in NextScripts: Social Networks Auto-Poster, a WordPress plugin with over 100,000 installations.

https://www.wordfence.com/blog/2021/10/xss-vulnerability-in-nextscripts-social-networks-auto-poster-plugin-impacts-100000-sites/


Security updates for Friday

Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9).

https://lwn.net/Articles/874354/


Sensormatic Electronics victor

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Sensormatic Electronics victor video management systems.

https://us-cert.cisa.gov/ics/advisories/icsa-21-301-01


Delta Electronics DOPSoft (Update A)

This updated advisory is a follow-up to the original advisory titled ICSA-21-238-04 Delta Electronics DOPSoft that was published August 26, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in Delta Electronics DOPSoft HMI editing software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-238-04


GoCD Authentication Vulnerability

GoCD has released a security update to address a critical authentication vulnerability in GoCD versions 20.6.0 through 21.2.0. GoCD is an open-source Continuous Integration and Continuous Delivery system. A remote attacker could exploit this vulnerability to obtain sensitive information.

https://us-cert.cisa.gov/ncas/current-activity/2021/10/29/gocd-authentication-vulnerability


IBM Security Bulletins

https://www.ibm.com/blogs/psirt/


Advisory: RCE Vulnerability in Automation Studio

https://www.br-automation.com/downloads_br_productcatalogue/assets/1634138454867-en-original-1.0.pdf


Advisory: ZipSlip Vulnerability in Automation Studio Project Import

https://www.br-automation.com/downloads_br_productcatalogue/assets/1634138454862-en-original-1.0.pdf


Advisory: DLL Hijacking Vulnerability in Automation Studio

https://www.br-automation.com/downloads_br_productcatalogue/assets/1634138454857-en-original-1.0.pdf


ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS)

https://jvn.jp/en/jp/JVN60553023/


ZDI-21-1273: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1273/


ZDI-21-1272: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1272/


ZDI-21-1271: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1271/


ZDI-21-1270: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1270/


ZDI-21-1275: NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1275/


ZDI-21-1274: NETGEAR Multiple Routers httpd Stack-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1274/