Daily summary - 29.11.2021

End-of-Day report

Timeframe: Friday 26-11-2021 18:00 - Monday 29-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner

News

TrickBot phishing checks screen resolution to evade researchers

The TrickBot malware operators have been using a new method to check the screen resolution of a victim system to evade detection of security software and analysis by researchers.

https://www.bleepingcomputer.com/news/security/trickbot-phishing-checks-screen-resolution-to-evade-researchers/


IT security: ETSI publishes first standard for secure smartphones

A new standard from the European standards institute ETSI is intended to help manufacturers worldwide improve the IT security of consumer mobile phones.

https://heise.de/-6278376


Google analysis: cloud services vulnerable because of weak passwords

The company investigated break-ins into cloud instances, names the causes and provides the resulting recommendations for action.

https://heise.de/-6277514


Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day)

In June 2021, security researcher Abdelhamid Naceri published a blog post about an "unpatched information disclosure" vulnerability in Windows. The post details the mechanics of the issue and its exploitation, allowing a non-admin Windows user to read arbitrary files even if they do not have permissions to do so.

https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html


Ghidra 101: Binary Patching

There are several circumstances where it can be helpful to make a modification to code or data within a compiled program. Sometimes, it is necessary to fix a vulnerability or compatibility issue without functional source code or compilers. This can happen when source code gets lost, systems go out of support, or software firms go out of business. In case you should find yourself in this situation, keep calm and read on to learn how to do this within Ghidra.

https://www.tripwire.com/state-of-security/security-data-protection/ghidra-101-binary-patching/


AVM warns of phishing emails with a FRITZ!Box answering machine message

AVM, the Berlin-based manufacturer of the FRITZ!Box, is currently warning of a wave of phishing emails whose attachment allegedly contains a voice message from the FRITZ!Box answering machine. Anyone who tries to listen to this attachment by double-clicking it under Windows installs malware instead.

https://www.borncity.com/blog/2021/11/28/avm-warnt-vor-phishing-mails-mit-fritzbox-anrufbeantworternachricht/


Cobalt Strike: Decrypting DNS Traffic - Part 5

Cobalt Strike beacons can communicate over DNS. We show how to decode and decrypt DNS traffic in this blog post.

https://blog.nviso.eu/2021/11/29/cobalt-strike-decrypting-dns-traffic-part-5/

Vulnerabilities

Backdoor.Win32.Coredoor.10.a / Authentication Bypass RCE

Description: The malware listens on TCP port 21000. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.

https://cxsecurity.com/issue/WLB-2021110120


FortiClientWindows & FortiClient EMS - Privilege escalation via DLL Hijacking

An unsafe search path vulnerability in FortiClient and FortiClient EMS may allow an attacker to perform a DLL Hijack attack on affected devices via a malicious OpenSSL engine library in the search path.

https://www.fortiguard.com/psirt/FG-IR-21-088


Security updates for Monday

Security updates have been issued by Debian (bluez, icu, libntlm, libvorbis, libvpx, opensc, roundcube, and tar), Fedora (kernel, kernel-headers, kernel-tools, puppet, slurm, stargz-snapshotter, and suricata), openSUSE (netcdf), Oracle (bluez, kernel, kernel-container, krb5, mailman:2.1, openssh, python3, and rpm), Red Hat (samba), and SUSE (xen).

https://lwn.net/Articles/877105/


Insulet OmniPod Insulin Management System vulnerability

https://omnipod.lyrebirds.dk/


Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-java-affects-ibm-cloud-pak-system-cve-2020-27221-2/