End-of-Day report
Timeframe: Monday 01-02-2021 18:00 - Tuesday 02-02-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
New Linux malware steals SSH credentials from supercomputers
A new backdoor has been targeting supercomputers across the world, often stealing the credentials for secure network connections by using a trojanized version of the OpenSSH software.
https://www.bleepingcomputer.com/news/security/new-linux-malware-steals-ssh-credentials-from-supercomputers/
Malicious script steals credit card info stolen by other hackers
A threat actor has infected an e-commerce store with a custom credit card skimmer designed to siphon data stolen by a previously deployed Magento card stealer.
https://www.bleepingcomputer.com/news/security/malicious-script-steals-credit-card-info-stolen-by-other-hackers/
New Threat: Matryosh Botnet Is Spreading
On January 25, 2021, the 360 netlab BotMon system labeled a suspicious ELF file as Mirai, but its network traffic did not match Mirai's characteristics.
https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/
New Example of XSL Script Processing aka "Mitre T1220", (Tue, Feb 2nd)
Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign.
https://isc.sans.edu/diary/rss/27056
Agent Tesla Malware Spotted Using New Delivery & Evasion Techniques
Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims.
https://thehackernews.com/2021/02/agent-tesla-malware-spotted-using-new.html
Operation Dream Job by Lazarus
Lazarus (also known as Hidden Cobra) is known to use various kinds of malware in its attack operations, and we have introduced some of them in our past articles. In this article, we present two more: Torisma and LCPDot.
https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
New Trickbot module uses Masscan for local network reconnaissance
The new Trickbot module is used to scan local networks for other nearby systems with open ports that could be hacked for quick lateral movement inside a company.
https://www.zdnet.com/article/new-trickbot-module-uses-masscan-for-local-network-reconnaissance/
Microsoft tracked a system sending a million malware emails a month. Here's what it discovered
Emerging attacker email infrastructure now sends over a million malware-laden emails each month.
https://www.zdnet.com/article/microsoft-tracked-a-system-sending-a-million-malware-emails-a-month-heres-what-it-discovered/
Operation NightScout: Supply-chain attack targets online gaming in Asia
ESET researchers uncover a supply-chain attack used in a cyberespionage operation targeting online-gaming communities in Asia.
https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/
Prize draw in Hofer's name leads to a subscription trap
Caution: criminals pose as Hofer and notify recipients by e-mail of an alleged prize.
https://www.watchlist-internet.at/news/gewinnspiel-im-namen-von-hofer-fuehrt-in-abo-falle/
Vulnerabilities
VU#125331: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs
Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
https://kb.cert.org/vuls/id/125331
DSA-4843 linux - security update
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
https://www.debian.org/security/2021/dsa-4843
Apple Releases Security Updates
Apple has released security updates to address vulnerabilities in macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6.
https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/apple-releases-security-updates
Security updates for Tuesday
Security updates have been issued by Debian (firefox-esr, libdatetime-timezone-perl, python-django, thunderbird, and tzdata), Fedora (kf5-messagelib and qt5-qtwebengine), Mageia (kernel-linus), openSUSE (firefox, jackson-databind, and messagelib), Oracle (flatpak), Red Hat (glibc, kernel, kernel-alt, kernel-rt, linux-firmware, net-snmp, perl, qemu-kvm, and qemu-kvm-ma), SUSE (firefox, java-11-openjdk, openvswitch, terraform, and thunderbird), and Ubuntu (fastd, firefox, python-django, and qemu).
https://lwn.net/Articles/844865/
Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks
Two VMware ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, have been reported as abused in the wild.
https://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-exploits-to-encrypt-virtual-hard-disks/
Google Android: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K21-0115