Daily summary - 17.11.2021

End-of-Day report

Timeframe: Tuesday 16-11-2021 18:00 - Wednesday 17-11-2021 18:00
Handler: Wolfgang Menezes
Co-Handler: Thomas Pribitzer

News

These are the cryptomixers hackers use to clean their ransoms

Cryptomixers have always been at the epicenter of cybercrime activity, allowing hackers to "clean" cryptocurrency stolen from victims and making it hard for law enforcement to track them.

https://www.bleepingcomputer.com/news/security/these-are-the-cryptomixers-hackers-use-to-clean-their-ransoms/


6 Tips To Keep in Mind for Ransomware Defense

Ransomware is everywhere, including the nightly news. Most people know what it is, but how do ransomware attackers get in, and how can we defend against them?

https://www.darkreading.com/edge-articles/6-tips-to-keep-in-mind-for-ransomware-defense


GitHub: NPM packages could be overwritten arbitrarily

A bug in the NPM registry made it possible to overwrite packages. GitHub does not know for certain whether this was exploited.

https://www.golem.de/news/github-npm-pakete-konnten-beliebig-ueberschrieben-werden-2111-161138-rss.html


Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma

Thanks to the work of Google's TAG team, we were able to grab two versions of the backdoor used by the threat actors, which we will label UserAgent 2019 and UserAgent 2021.

https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/


Vulnerabilities in industrial IoT protocol allow third-party control

Implementations of a data exchange protocol for industrial controllers are vulnerable to manipulation that could lead to damage.

https://heise.de/-6268372


Ordering on fotoexperte24.de leads into a subscription trap!

On the website fotoexperte24.de, cheap passport photos for various ID documents can be ordered. In reality, however, it is a fake shop that delivers no photos. Instead, the dubious provider charges significantly more money to the credit card than was displayed during the ordering process.

https://www.watchlist-internet.at/news/bestellung-auf-fotoexperte24de-fuehrt-in-abo-falle/


Cobalt Strike: Decrypting Obfuscated Traffic - Part 4

Encrypted Cobalt Strike C2 traffic can be obfuscated with malleable C2 data transforms. We show how to deobfuscate such traffic.

https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/


ProxyNoShell: A Change in Tactics Exploiting ProxyShell Vulnerabilities

In several recent Incident Response engagements, Mandiant has observed threat actors exploiting the vulnerabilities in different ways than previously reported.

https://www.mandiant.com/resources/change-tactics-proxyshell-vulnerabilities

Vulnerabilities

IBM Security Bulletins

IBM has published 15 security bulletins. Of these, one is rated "Critical", six "High", and eight "Medium".

https://www.ibm.com/blogs/psirt/


Security updates for Wednesday

Security updates have been issued by CentOS (389-ds-base and libxml2), Debian (atftp, axis, and ntfs-3g), Fedora (digikam, freerdp, guacamole-server, and remmina), openSUSE (java-11-openjdk, kernel, samba, and tomcat), SUSE (firefox, java-11-openjdk, kernel, libarchive, samba, and tomcat), and Ubuntu (accountsservice, hivex, and openexr).

https://lwn.net/Articles/876327/


Netgear patches severe pre-auth RCE in 61 router and modem models

Networking equipment vendor Netgear has patched the fifth set of dangerous remote code execution bugs impacting its small office and small home (SOHO) routers this year.

https://therecord.media/netgear-deals-with-its-fifth-wave-of-severe-rce-bugs-this-year/


ZDI-21-1320: Trend Micro Antivirus for Mac Improper Access Control Privilege Escalation Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1320/


ZDI-21-1319: (0Day) Autodesk Design Review PNG File Parsing Use-After-Free Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1319/


ZDI-21-1317: (0Day) Autodesk Design Review PDF File Parsing Type Confusion Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1317/


ZDI-21-1316: (0Day) Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1316/


ZDI-21-1315: (0Day) Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1315/


Cisco Common Services Platform Collector Improper Logging Restriction Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-ILR-8qmW8y8X


Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-XSS-KjrNbM3p


Cisco Common Services Platform Collector SQL Injection Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-SQLI-unVPTn5


WooCommerce Extension - Reflected XSS Vulnerability

https://www.wordfence.com/blog/2021/11/woocommerce-extension-reflected-xss-vulnerability/


Synology-SA-21:29 Samba

https://www.synology.com/en-global/support/security/Synology_SA_21_29


FATEK Automation WinProladder

https://us-cert.cisa.gov/ics/advisories/icsa-21-320-01


Mitsubishi Electric GOT products

https://us-cert.cisa.gov/ics/advisories/icsa-21-320-02