End-of-Day report
Timeframe: Friday 29-01-2021 18:00 - Monday 01-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
News
Taking a Shot at Reverse Shell Attacks, CNC Phone Home and Data Exfil from Servers, (Mon, Feb 1st)
Over the last number of weeks (after the Solarwinds Orion news) there's been a lot of discussion on how to detect if a server-based application is compromised. The discussions have ranged from buying new sophisticated tools, auditing the development pipeline, to diffing patches. But really, for me it's as simple as saying "should my application server really be able to connect to any internet host on any protocol".
https://isc.sans.edu/diary/rss/27054
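The point made in the diary excerpt above, that an application server's outbound traffic should be limited to what the application actually needs, becomes a concrete control once new outbound connections are logged and compared against an allow-list. The following is an added example written for this report, not code from the ISC diary: it audits constructed flow records from two hypothetical application servers (app01, app02) against a hypothetical egress policy, reports every connection outside the policy, and calls out destinations that are contacted repeatedly as beacon-like. Host names, addresses, ports, the policy and the record layout are all assumptions made for the example.

```python
"""Egress audit for application servers: every new outbound connection that is
not covered by the server's allow-list is reported, and destinations that are
contacted repeatedly are called out as beacon-like.  Added example for this
report, not code from the ISC diary; the log format, host names, addresses and
policy below are constructed for illustration."""
import ipaddress
from collections import Counter
from typing import NamedTuple

# Constructed sample records, one NEW outbound connection per line:
# "timestamp host src_ip dst_ip dst_port proto", as a host firewall or flow
# exporter might log them.  Addresses are RFC1918 and documentation ranges.
SAMPLE_LOG = """\
2021-02-01T17:55:01Z app01 10.0.1.11 10.0.2.20 5432 tcp
2021-02-01T17:55:03Z app01 10.0.1.11 10.0.0.53 53 udp
2021-02-01T17:55:10Z app01 10.0.1.11 10.0.3.5 3128 tcp
2021-02-01T17:56:00Z app02 10.0.1.12 203.0.113.77 4444 tcp
2021-02-01T17:57:00Z app02 10.0.1.12 203.0.113.77 4444 tcp
2021-02-01T17:58:00Z app02 10.0.1.12 203.0.113.77 4444 tcp
2021-02-01T17:58:30Z app01 10.0.1.11 198.51.100.9 443 tcp
"""

# Constructed egress policy for the application tier: (network, port, proto).
# Anything not listed is a violation regardless of port or destination; the
# servers reach the internet only through the proxy on 10.0.3.5:3128, so a
# direct connection to a public host on 443 is just as much a finding as 4444.
APP_EGRESS_ALLOW = (
    (ipaddress.ip_network("10.0.2.0/24"), 5432, "tcp"),  # database tier
    (ipaddress.ip_network("10.0.0.53/32"), 53, "udp"),   # internal resolver
    (ipaddress.ip_network("10.0.3.5/32"), 3128, "tcp"),  # outbound web proxy
)


class Flow(NamedTuple):
    ts: str
    host: str
    src: str
    dst: str
    port: int
    proto: str


def parse_flows(text):
    """Parse the constructed six-field records; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, host, src, dst, port, proto = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            flows.append(Flow(ts, host, src, dst, int(port), proto.lower()))
        except ValueError:
            continue
    return flows


def is_allowed(flow, policy):
    """True if some policy entry matches destination network, port and proto."""
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net and flow.port == port and flow.proto == proto
               for net, port, proto in policy)


def audit(text, policy, beacon_threshold=3):
    """Return (violations, beacons).  violations is the list of flows outside
    the policy; beacons maps (host, dst, port) to the number of violating
    connections for destinations contacted at least beacon_threshold times."""
    violations = [f for f in parse_flows(text) if not is_allowed(f, policy)]
    counts = Counter((f.host, f.dst, f.port) for f in violations)
    beacons = {k: n for k, n in counts.items() if n >= beacon_threshold}
    return violations, beacons


if __name__ == "__main__":
    found, beacons = audit(SAMPLE_LOG, APP_EGRESS_ALLOW)
    for f in found:
        print(f"DENY-LOG {f.ts} {f.host} -> {f.dst}:{f.port}/{f.proto}")
    for (host, dst, port), n in beacons.items():
        print(f"BEACON?  {host} contacted {dst}:{port} {n} times")
```

On the sample input the three app02 connections to 203.0.113.77:4444 and the direct app01 connection to 198.51.100.9:443 are reported, and the app02 destination is flagged as beacon-like. The same policy, expressed as default-deny egress rules on the host or the segment firewall, is what stops the connection in the first place; the audit is for finding what would have been blocked, or what already got out.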
Fonix ransomware operators give up and publish master key
Victims of the Fonix ransomware see light at the end of the tunnel.
https://heise.de/-5041914
SonicWall zero-day exploited in the wild
Security firm NCC Group said it detected "indiscriminate" exploitation of a mysterious SonicWall zero-day.
https://www.zdnet.com/article/sonicwall-zero-day-exploited-in-the-wild/
Shodan Verified Vulns 2021-02-01
Another month has passed, and so it is time again to take a look at Shodan's data on Verified Vulnerabilities in Austria.
https://cert.at/de/aktuelles/2021/2/shodan-verified-vulns-2021-02-01
Trickbot makes a comeback
The joy over the takedown of Emotet has barely faded when another malware network called Trickbot makes a comeback after several months of silence.
https://www.zdnet.de/88393163/trickbot-feiert-comeback/
Vulnerabilities
Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021
A vulnerability in the command line parameter parsing code of Sudo could allow an authenticated, local attacker to execute commands or binaries with root privileges. [...] Cisco is investigating its product line to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM
WordPress plug-in Popup Builder: attackers could send newsletters
There is an important security update for the WordPress plug-in Popup Builder.
https://heise.de/-5041788
Security updates for Monday
Security updates have been issued by Arch Linux (home-assistant, libgcrypt, libvirt, and mutt), Debian (ffmpeg, kernel, libonig, libsdl2, mariadb-10.1, and thunderbird), Fedora (chromium, firefox, jasper, libebml, mingw-python3, netpbm, opensmtpd, thunderbird, and xen), Gentoo (firefox and thunderbird), Mageia (db53, dnsmasq, kernel, kernel-linus, and php-pear), openSUSE (go1.14, go1.15, messagelib, nodejs8, segv_handler, and thunderbird), Oracle (firefox, kernel, and thunderbird), Red Hat (flatpak), SUSE (firefox, rubygem-nokogiri) and Ubuntu (mysql-5.7, mysql-8.0, python-django).
https://lwn.net/Articles/844749/
Sudo vulnerability CVE-2021-3156
https://support.f5.com/csp/article/K86488846?utm_source=f5support&utm_medium=RSS
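The Cisco advisory above and this F5 article both concern CVE-2021-3156, the sudo vulnerability in command-line argument parsing. The following is an added triage helper written for this report, not code from either advisory: it parses `sudo --version` output against the upstream affected ranges and interprets the result of the public, non-exploiting check `sudoedit -s /`, which a vulnerable build answers with an error of the form `sudoedit: /: not a regular file` and a fixed build with its usage line. The affected ranges (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1, fixed in 1.9.5p2) and the expected outputs are taken from the public sudo advisory for this CVE, not from this report, and are assumptions of the example. Distribution packages that backport the fix keep the old version number, so the version comparison is only a hint and the behavioural check is the signal to trust.

```python
"""Triage helper for the sudo vulnerability tracked as CVE-2021-3156.  Added
example for this report; it is not code from the Cisco or F5 advisories.  The
affected version ranges and the expected outputs of `sudoedit -s /` are taken
from the public advisory for the fix and are assumptions from this report's
point of view."""
import re
import shutil
import subprocess

# Upstream affected ranges, inclusive, as (major, minor, patch, p-level):
# legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1; 1.9.5p2 ships the fix.
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Extract the first sudo version from text, e.g. 'Sudo version 1.8.31p2'
    -> (1, 8, 31, 2); a missing p-level counts as 0.  None if no version."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_affected(text):
    """True/False for a recognisable version, None if none is found.  Only a
    hint: distributions that backport the fix keep the old version number."""
    v = parse_version(text)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_output(output):
    """Interpret what `sudoedit -s /` printed when run by an unprivileged user.
    A vulnerable build accepts the -s flag for sudoedit and goes on to complain
    about the target ('not a regular file'); a fixed build rejects the flag
    combination up front and prints its usage line."""
    text = output.strip()
    if "not a regular file" in text:
        return "vulnerable"
    if text.startswith("usage:"):
        return "patched"
    return "unknown"


def check_local_system():
    """Run both checks on this host; returns (version_hint, behavioural_result).
    Neither command needs privileges and neither exploits anything."""
    if shutil.which("sudo") is None or shutil.which("sudoedit") is None:
        return None, "unknown"
    ver = subprocess.run(["sudo", "--version"], capture_output=True, text=True)
    probe = subprocess.run(["sudoedit", "-s", "/"], capture_output=True, text=True)
    return (version_affected(ver.stdout),
            classify_sudoedit_output(probe.stderr + probe.stdout))


if __name__ == "__main__":
    hint, result = check_local_system()
    print(f"version suggests affected: {hint}; sudoedit -s / says: {result}")
```

Run it as an ordinary user on each host; a result of "vulnerable" means the package needs the vendor fix regardless of what the version string says, and "unknown" means the output did not match either expected form and should be read by hand.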
Critical vulnerability in Apple iOS WebKit browser components can impact users of the BIG-IP APM F5 Access client
https://support.f5.com/csp/article/K58149033?utm_source=f5support&utm_medium=RSS