Daily summary - 11.11.2021

End-of-Day report

Timeframe: Wednesday 10-11-2021 18:00 - Thursday 11-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes

News

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!

The crooks have shown that they're willing to learn and adapt their attacks, so we need to make sure we learn and adapt, too.

https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/


Understanding .htaccess Malware

The .htaccess file is notorious for being targeted by attackers. Whether it's using the file to hide malware, redirect search engines to other sites with blackhat SEO tactics, hide backdoors, inject content, or modify php.ini values, the possibilities are endless. Many site owners are unaware of this file, because its name starts with a "." which makes it a hidden file. .htaccess malware can be hard to pinpoint and clean on a server [...]

https://blog.sucuri.net/2021/11/understanding-htaccess-malware.html
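The directive patterns the Sucuri post lists (php.ini overrides, handlers that execute non-PHP files, search-engine-conditional redirects, injected error pages) can be checked for mechanically. The scanner below is an added example written for this summary, not code from the Sucuri post; the sample .htaccess content, the host name pharma.example and the rule names are constructed for illustration.

```python
"""Flag .htaccess directives commonly abused by .htaccess malware:
php.ini overrides that pull in foreign code, PHP handlers bound to
non-PHP extensions, redirects conditioned on search-engine user agents
or referers, and ErrorDocuments that point to a remote URL."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    text: str


# php_value/php_flag keys that let an attacker load or locate code implicitly.
PHP_INI_KEYS = {"auto_prepend_file", "auto_append_file", "include_path"}

PHP_VALUE_RE = re.compile(r"^php_(?:value|flag)\s+(\S+)\s+(.*)$", re.I)
HANDLER_RE = re.compile(r"^(?:AddHandler|AddType|SetHandler)\s+(\S+)\s*(.*)$", re.I)
REWRITE_COND_RE = re.compile(r"^RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}\s+(\S+)", re.I)
REWRITE_RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)", re.I)
ERROR_DOC_RE = re.compile(r"^ErrorDocument\s+\d+\s+(.*)$", re.I)
SEARCH_ENGINE_RE = re.compile(r"google|bing|yahoo|yandex|baidu|duckduck", re.I)
EXTERNAL_URL_RE = re.compile(r"^https?://", re.I)


def scan_htaccess(text: str) -> list[Finding]:
    findings: list[Finding] = []
    # A RewriteCond only governs the next RewriteRule, so remember whether the
    # pending condition set keys on a search-engine user agent or referer.
    engine_cond_pending = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        m = PHP_VALUE_RE.match(line)
        if m:
            if m.group(1).lower() in PHP_INI_KEYS:
                findings.append(Finding(line_no, "php-ini-override", line))
            continue

        m = HANDLER_RE.match(line)
        if m:
            handler, exts = m.group(1).lower(), m.group(2).lower().split()
            if "php" in handler:
                # SetHandler carries no extension list: everything in scope runs as PHP.
                # AddHandler/AddType on .jpg, .ico, .txt etc. is the classic backdoor trick.
                if not exts or any(not e.startswith(".ph") for e in exts):
                    findings.append(Finding(line_no, "php-handler-on-non-php", line))
            continue

        m = REWRITE_COND_RE.match(line)
        if m:
            if SEARCH_ENGINE_RE.search(m.group(2)):
                engine_cond_pending = True
            continue

        m = REWRITE_RULE_RE.match(line)
        if m:
            if engine_cond_pending and EXTERNAL_URL_RE.match(m.group(2)):
                findings.append(Finding(line_no, "search-engine-redirect", line))
            engine_cond_pending = False  # the rule consumes its conditions
            continue

        m = ERROR_DOC_RE.match(line)
        if m and EXTERNAL_URL_RE.match(m.group(1)):
            findings.append(Finding(line_no, "errordocument-remote", line))
    return findings


# Constructed sample: stock WordPress rewrite rules followed by attacker-added lines.
SAMPLE_HTACCESS = """\
# constructed sample, not a real site
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
AddHandler application/x-httpd-php .php
php_value auto_prepend_file /tmp/.cache/prepend.php
AddHandler application/x-httpd-php .jpg .ico
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://pharma.example/$1 [R=302,L]
ErrorDocument 404 http://pharma.example/404.php
"""

if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS):
        print(f"line {f.line_no}: {f.rule}: {f.text}")
```

The scanner deliberately does not flag a plain `RewriteRule` to an external URL (site moves are legitimate) or `AddHandler ... .php`; only the combination of a search-engine condition with an external target, or a PHP handler on a non-PHP extension, is reported. Run it over every .htaccess under the document root (`find /var/www -name .htaccess`), including ones in upload directories, which are the usual hiding place.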


A Detailed Analysis of Lazarus' RAT Called FALLCHILL

FALLCHILL is a RAT that has been used by Lazarus Group since 2016. It implements a custom algorithm that is used to decode multiple DLL names and export functions, which will be imported at runtime.

https://lifars.com/knowledge-center/a-detailed-analysis-of-lazarus-rat-called-fallchill/


The Newest Malicious Actor: "Squirrelwaffle" Malicious Doc.

Authored by Kiran Raj. Due to their widespread use, Office documents are commonly used by malicious actors as a way [...]

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/


ClusterFuzzLite: Continuous fuzzing for all

Posted by Jonathan Metzman, Google Open Source Security Team. In recent years, continuous fuzzing has become an essential part of the software development lifecycle. By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip through the most thorough manual checks and provides coverage that would take staggering human effort to replicate. NIST's guidelines for software verification, recently released in response to the White House Executive Order on [...]

http://security.googleblog.com/2021/11/clusterfuzzlite-continuous-fuzzing-for.html


Retailers beware: fraudsters place fake orders in the name of ATOS

Criminals are currently posing as the company ATOS and expressing interest in a large order by e-mail. For the affected retailers this may sound like quick and easy business, but in fact the legitimate company ATOS has nothing to do with this order. Instead, you would be shipping your products to criminals, and you will not receive any money for them.

https://www.watchlist-internet.at/news/haendlerinnen-aufgepasst-betruegerinnen-geben-fake-bestellungen-im-namen-von-atos-auf/


Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications

[...] In simple terms, capability abstraction provides a way to describe how a given attack technique interacts with the internal components of a targeted system. The abstraction map that this process produces helps us to understand the common denominator between distinct implementations of the same technique.

https://posts.specterops.io/capability-abstraction-case-study-detecting-malicious-boot-configuration-modifications-1852e2098a65


A Peek into Top-Level Domains and Cybercrime

We analyze which top-level domains (TLDs) have the highest rate of malicious domains and why, and suggest strategies for blocking malicious domains.

https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/


BazarBackdoor now abuses Windows 10 apps feature in "call me back" attack

AppInstaller.exe has been twisted in a new form of phishing attack.

https://www.zdnet.com/article/bazarloader-now-abuses-windows-10-apps-feature-in-call-me-back-attack/


October 2021's Most Wanted Malware: Trickbot Takes Top Spot for Fifth Time

Check Point Research reveals that Trickbot is the most prevalent malware and a new vulnerability in Apache is one of the most exploited vulnerabilities worldwide.

https://blog.checkpoint.com/2021/11/11/october-2021s-most-wanted-malware-trickbot-takes-top-spot-for-fifth-time/

Vulnerabilities

ZDI-21-1303: NETGEAR R6400v2 UPnP uuid Stack-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 routers. Authentication is not required to exploit this vulnerability.

http://www.zerodayinitiative.com/advisories/ZDI-21-1303/


WordPress plugin WP Reset Pro fixes critical security vulnerability

WP Reset Pro contained a vulnerability that allowed logged-in users to delete entire WordPress sites even without the corresponding permissions.

https://heise.de/-6264564


Security update: critical root vulnerability threatens Palo Alto firewalls

If certain settings are enabled and preconditions are met, attackers could attack Palo Alto firewalls.

https://heise.de/-6264656


Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin

On October 4, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for the Starter Templates plugin, which is installed on over 1 million WordPress websites. The full name of the WordPress plugin is "Starter Templates - Elementor, Gutenberg & Beaver Builder Templates" [...]

https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vulnerability-in-starter-templates-plugin/


Security updates for Thursday

Security updates have been issued by Debian (icinga2, libxstream-java, ruby-kaminari, and salt), Fedora (awscli, cacti, cacti-spine, python-boto3, python-botocore, radeontop, and rust), Mageia (firefox, libesmtp, libzapojit, sssd, and thunderbird), openSUSE (samba and samba and ldb), SUSE (firefox, pcre, qemu, samba, and samba and ldb), and Ubuntu (firejail, linux-bluefield, linux-gke-5.4, linux-oracle, linux-oracle-5.4, linux-oem-5.10, linux-oem-5.14, and python-py).

https://lwn.net/Articles/875813/


iCloud for Windows 13

https://support.apple.com/kb/HT212953


Security Bulletin: Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sterling-connectdirect-browser-user-interface-3/


Security Bulletin: IBM Security SiteProtector System is affected by Cross-Site Scripting (CVE-2020-4140)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotector-system-is-affected-by-cross-site-scripting-cve-2020-4140/


Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-connectdirect-web-services-3/


Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-oracle-mysql-4/


Security Bulletin: IBM Security SiteProtector System is affected by vulnerability CVE-2020-4146

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotector-system-is-affected-by-vulnerability-cve-2020-4146/


VMSA-2021-0026

https://www.vmware.com/security/advisories/VMSA-2021-0026.html


NGINX Ingress Controller vulnerability CVE-2021-23055

https://support.f5.com/csp/article/K01051452?utm_source=f5support&utm_medium=RSS


Micropatching Incompletely Patched Local Privilege Escalation in User Profile Service (CVE-2021-34484)

https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html


Stack Buffer Overflow Vulnerability in Multimedia Console

https://www.qnap.com/en-us/security-advisory/QSA-21-45


Reflected XSS Vulnerability in QmailAgent

https://www.qnap.com/en-us/security-advisory/QSA-21-47


TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders

https://www.circl.lu/pub/tr-64