Daily summary - 08.11.2021

End-of-Day report

Timeframe: Friday 05-11-2021 18:00 - Monday 08-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes

News

Unknown attackers infiltrate the npm package manager and lace tools with malicious code

The operators of the npm package manager warn that unauthorised parties have trojanised the packages coa and rc.

https://heise.de/-6260153


Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer

A malicious campaign against ManageEngine ADSelfService Plus used Godzilla webshells, the NGLite backdoor and KdcSponge, a credential stealer.

https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/


Pwn2Own: Printer plays AC/DC, Samsung Galaxy S21 hacked twice

Trend Micro's ZDI has awarded $1,081,250 for 61 zero-days exploited at Pwn2Own Austin 2021, with competitors successfully pwning the Samsung Galaxy S21 again and hacking an HP LaserJet printer to play AC/DC's Thunderstruck on the contest's third day.

https://www.bleepingcomputer.com/news/security/pwn2own-printer-plays-ac-dc-samsung-galaxy-s21-hacked-twice/


Sitecore XP RCE flaw patched last month now actively exploited

The Australian Cyber Security Centre (ACSC) is alerting web admins of the active exploitation of CVE-2021-42237, a remote code execution flaw in the Sitecore Experience Platform (Sitecore XP).

https://www.bleepingcomputer.com/news/security/sitecore-xp-rce-flaw-patched-last-month-now-actively-exploited/


Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory, (Sun, Nov 7th)

I made a video showing the steps to take to decrypt Cobalt Strike traffic that I covered in my diary entry "Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory".

https://isc.sans.edu/diary/rss/28008
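Added example (not code from the ISC diary or from Didier Stevens' tools): once the 16-byte raw key has been recovered from beacon process memory, the AES and HMAC keys follow from it and a captured task or callback blob can be verified and decrypted. The Go program below assumes the publicly documented Cobalt Strike 4 beacon scheme: AES-128-CBC with the fixed IV "abcdefghijklmnop", AES key and HMAC key taken from the two halves of SHA-256 over the raw key, a 16-byte truncated HMAC-SHA256 tag appended to the ciphertext, and a plaintext header of a 4-byte big-endian counter (timestamp for tasks) followed by a 4-byte length. The raw key, the payload and the zero padding are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Fixed IV used by Cobalt Strike 4 beacons for task/callback encryption
// (as documented in public beacon analyses; assumption for this example).
var csIV = []byte("abcdefghijklmnop")

// DeriveKeys turns the 16-byte raw key recovered from beacon memory into the
// AES-128 key (first half of SHA-256) and the HMAC key (second half).
func DeriveKeys(rawKey []byte) (aesKey, hmacKey []byte) {
	sum := sha256.Sum256(rawKey)
	return sum[:16], sum[16:]
}

// DecryptBeaconBlob checks the trailing 16-byte HMAC-SHA256 tag over the
// ciphertext and, only if it matches, AES-CBC-decrypts the body. The returned
// plaintext still carries the 8-byte header and any padding.
func DecryptBeaconBlob(blob, aesKey, hmacKey []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || (len(blob)-16)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or ciphertext not block aligned")
	}
	body, tag := blob[:len(blob)-16], blob[len(blob)-16:]
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:16], tag) {
		return nil, errors.New("HMAC mismatch: wrong key or tampered blob")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, csIV).CryptBlocks(plain, body)
	return plain, nil
}

// ParsePlaintext splits a decrypted buffer into its 4-byte big-endian counter
// (timestamp for tasks, callback counter for responses) and the
// length-delimited payload, dropping whatever padding follows the payload.
func ParsePlaintext(plain []byte) (counter uint32, payload []byte, err error) {
	if len(plain) < 8 {
		return 0, nil, errors.New("plaintext shorter than header")
	}
	counter = binary.BigEndian.Uint32(plain[0:4])
	n := binary.BigEndian.Uint32(plain[4:8])
	if uint64(n) > uint64(len(plain)-8) {
		return 0, nil, errors.New("length field exceeds buffer")
	}
	return counter, plain[8 : 8+n], nil
}

// EncryptBeaconBlob builds a blob in the same layout so the example can run
// offline against constructed input; the zero padding is an assumption and is
// irrelevant to the parser, which trusts the length field.
func EncryptBeaconBlob(counter uint32, payload, aesKey, hmacKey []byte) []byte {
	plain := make([]byte, 8, 8+len(payload)+aes.BlockSize)
	binary.BigEndian.PutUint32(plain[0:4], counter)
	binary.BigEndian.PutUint32(plain[4:8], uint32(len(payload)))
	plain = append(plain, payload...)
	if rem := len(plain) % aes.BlockSize; rem != 0 {
		plain = append(plain, make([]byte, aes.BlockSize-rem)...)
	}
	block, _ := aes.NewCipher(aesKey)
	body := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, csIV).CryptBlocks(body, plain)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(body)
	return append(body, mac.Sum(nil)[:16]...)
}

func main() {
	rawKey := []byte("0123456789abcdef") // constructed stand-in for the key found in memory
	aesKey, hmacKey := DeriveKeys(rawKey)
	blob := EncryptBeaconBlob(3, []byte("whoami\nlab\\analyst"), aesKey, hmacKey)

	plain, err := DecryptBeaconBlob(blob, aesKey, hmacKey)
	if err != nil {
		panic(err)
	}
	counter, payload, _ := ParsePlaintext(plain)
	fmt.Printf("counter=%d payload=%q\n", counter, payload)

	// A wrong raw key is caught by the HMAC check before any decryption happens.
	wrongAES, wrongHMAC := DeriveKeys([]byte("ffffffffffffffff"))
	if _, err := DecryptBeaconBlob(blob, wrongAES, wrongHMAC); err != nil {
		fmt.Println("wrong key:", err)
	}
}
```

In practice the blob handed to DecryptBeaconBlob is the body of the beacon's HTTP POST (or the task bytes in the server's response) with the leading 4-byte length prefix stripped; a failing HMAC check is the quickest signal that the key pulled from memory belongs to a different beacon instance than the capture.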


ICS Threat Hunting: "They're Shootin' at the Lights!" - PART 2

[...] In this PART 2 of the blog series we will: Identify several critical and targeted ICS assets to protect, Identify related data sources for those assets, Focus on aspects of threat intel to use for a hunt, Build a threat hunt package template to prepare for executing the actual hunt

https://www.sans.org/blog/ics-threat-hunting-they-are-shootin-at-the-lights-part-2/


TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access

NCC Group's global Cyber Incident Response Team have observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the [...]

https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/


DDoS Attack Trends for Q3 2021

The third quarter of 2021 was a busy quarter for DDoS attackers. Cloudflare observed and mitigated record-setting HTTP DDoS attacks, terabit-strong network-layer attacks, one of the largest botnets ever deployed (Meris), and more recently, ransom DDoS attacks on voice over IP (VoIP) service providers and their network infrastructure around the world.

https://blog.cloudflare.com/ddos-attack-trends-for-2021-q3/


ASEC Weekly Malware Statistics (October 25th, 2021 - October 31st, 2021)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 25th, 2021 (Monday) to October 31st, 2021 (Sunday). For the main category, info-stealer ranked top with 48.3%, followed by RAT (Remote Administration Tool) malware with 24.5%, Downloader with 18.3%, Backdoor malware with 4.6%, Ransomware with 4.1%, and Banking malware with 0.2%.

https://asec.ahnlab.com/en/28464/

Vulnerabilities

Security updates for Monday

Security updates have been issued by Debian (containerd, redis, and sqlalchemy), Fedora (kernel, radeontop, rpki-client, and webkit2gtk3), openSUSE (java-1_8_0-openj9, libvirt, mailman, transfig, and webkit2gtk3), Oracle (thunderbird), SUSE (libvirt), and Ubuntu (icu).

https://lwn.net/Articles/875420/


Security Bulletin: Multiple Security Vulnerabilities fixed in OpenSSL as shipped with IBM Security Verify products (CVE-2021-3711, CVE-2021-3712)

https://www.ibm.com/blogs/psirt/security-bulletinmultiple-security-vulnerabilities-fixed-in-openssl-as-shipped-with-ibm-security-verify-products-cve-2021-3711-cve-2021-3712/


Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting in Guardium STAP vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-cross-site-scripting-in-guardium-stap-vulnerability/


Security Bulletin: XSS vulnerability in Dojo affects IBM Tivoli Business Service Manager (CVE-2018-15494)

https://www.ibm.com/blogs/psirt/security-bulletin-xss-vulerability-in-dojo-affects-ibm-tivoli-business-service-manager-cve-2018-15494/


Security Bulletin: IBM MQ Appliance vulnerable to a denial of service attack (CVE-2021-29843)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-vulnerable-to-a-denial-of-service-attack-cve-2021-29843/


Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-oracle-mysql-vulnerability-5/


Security Bulletin: Multiple Apache Commons FileUpload vulnerabilities affect IBM Tivoli Business Service Manager (CVE-2014-0034, CVE-2014-0050, CVE-2013-2186, CVE-2016-3092)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-commons-fileupload-vulnerabilities-affects-ibm-tivoli-business-service-manager-cve-2014-0034-cve-2014-0050-cve-2013-2186-cve-2016-3092/