Daily summary - 23.02.2021

End-of-Day report

Timeframe: Monday 22-02-2021 18:00 - Tuesday 23-02-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer

News

Warning: Fake e-mail from A1 about a reward for Mobilpoints leads into a subscription trap

"Since you started using our services, you have collected 29,039 Mobilpoints. As a reward, you will receive a smartphone." This offer is supposedly made by A1 by e-mail. But beware: this e-mail comes from criminals. Anyone who believes this supposed offer and pays the delivery fees falls into an expensive subscription trap!

https://www.watchlist-internet.at/news/achtung-gefaelschtes-e-mail-von-a1-ueber-eine-belohnung-fuer-mobilpoints-fuehrt-in-abo-falle/


Lessons Learned from SUNBURST for Threat Hunters

Practical advice from the DomainTools research team on how to approach adversary-based threat hunting, asset management, and incident response in the wake of the SUNBURST campaign.

https://www.domaintools.com/resources/blog/lessons-learned-from-sunburst-for-threat-hunters


Unprotecting Malicious Documents For Inspection, (Mon, Feb 22nd)

I wanted to take a look at Brad's malicious spreadsheet, using Excel inside a VM.

https://isc.sans.edu/diary/rss/27126


Qakbot in a response to Full Disclosure post, (Tue, Feb 23rd)

Given its history, the Full Disclosure mailing list[1] is probably one of the best-known places on the internet where information about newly discovered vulnerabilities may be published in a completely open way. If one wishes to inform the wider security community about a vulnerability one found in any piece of software, one only has to submit a post and, after it is evaluated by the moderators, the information will be published to the list.

https://isc.sans.edu/diary/rss/27130


Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs

Researchers have demonstrated a novel class of attacks that could allow a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents. Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique uses the "enormous flexibility provided by the PDF specification so that shadow documents remain [...]

https://thehackernews.com/2021/02/shadow-attacks-let-attackers-replace.html


New article: Decompiling Excel Formula (XF) 4.0 malware

In a new article, researcher Kurt Natvig takes a close look at XF 4.0 malware.

https://www.virusbulletin.com/blog/2021/02/new-article-decompiling-excel-formula-xf-40-malware/


Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion

Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the [...]

https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html


Checkout Skimmers Powered by Chip Cards

Easily the most sophisticated skimming devices made for hacking terminals at retail self-checkout lanes are a new breed of PIN pad overlay combined with a flexible, paper-thin device that fits inside the terminal's chip reader slot. What enables these skimmers to be so slim? They draw their power from the low-voltage current that gets triggered when a chip-based card is inserted. As a result, they do not require external batteries, and can remain in operation indefinitely.

https://krebsonsecurity.com/2021/02/checkout-skimmers-powered-by-chip-cards/


Clop targets execs, ransomware tactics get another new twist

Clop's targeting of executives' workstations is the latest in a string of recent innovations in ransomware.

https://blog.malwarebytes.com/malwarebytes-news/2021/02/clop-targets-execs-ransomware-tactics-get-another-new-twist/


UK Banks 2FA Being Bypassed

Akamai and Cyjax have published reports on a campaign that is bypassing 2FA in order to employ a multi-part phishing kit. Functionality of this kit does not behave as typically expected. This particular phishing kit uses a centralized control panel, a departure from typical phishing operations.

https://exchange.xforce.ibmcloud.com/collection/75c736c5e365bdd5636268f9815039da

Vulnerabilities

Browser updates: Firefox 86 and 78.8 ESR include important security updates

Mozilla's freshly released browser versions contain not only new features but also vulnerability fixes. Several of them pose a high security risk.

https://heise.de/-5063402


Security updates for Tuesday

Security updates have been issued by Arch Linux (connman, firejail, kernel, python-django, roundcubemail, and wpa_supplicant), Fedora (gdk-pixbuf2 and gdk-pixbuf2-xlib), openSUSE (python3 and tomcat), Scientific Linux (xterm), SUSE (postgresql12 and postgresql13), and Ubuntu (gdk-pixbuf, openldap, python-django, and qemu).

https://lwn.net/Articles/847150/


Synology Security Advisories

Synology-SA-21:09 WebDAV Server: A vulnerability allows remote authenticated users to delete arbitrary files via a susceptible version of WebDAV Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_09

Synology-SA-21:08 Docker: A vulnerability allows local users to read or write arbitrary files via a susceptible version of Docker.
https://www.synology.com/en-global/support/security/Synology_SA_21_08

Synology-SA-21:07 Synology Directory Server: A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Synology Directory Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_07

Synology-SA-21:06 CardDAV Server: A vulnerability allows remote authenticated users to execute arbitrary SQL commands via a susceptible version of CardDAV Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_06

Synology-SA-21:05 Audio Station: A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Audio Station.
https://www.synology.com/en-global/support/security/Synology_SA_21_05

Synology-SA-21:04 Video Station: A vulnerability allows remote authenticated users to access intranet resources via a susceptible version of Video Station.
https://www.synology.com/en-global/support/security/Synology_SA_21_04

Synology-SA-21:03 DSM: Multiple vulnerabilities allow remote attackers to obtain sensitive information or local users to execute arbitrary code via a susceptible version of DiskStation Manager (DSM).
https://www.synology.com/en-global/support/security/Synology_SA_21_03

https://www.synology.com/en-global/security/advisory


Security Vulnerabilities fixed in Thunderbird 78.8

https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/


Security Bulletin: IBM Kenexa LCMS Premier On Premise - IBM SDK, Java Technology Edition Quarterly CPU - Oct 2020 - Includes Oracle Oct 2020 CPU

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-on-premise-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020-includes-oracle-oct-2020-cpu/


Security Bulletin: Multiple CVEs - Vulnerabilities in IBM Java Runtime affect IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cves-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-designer-used-in-ibm-business-automation-workflow-and-ibm-business-process-manager-2/


Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-security-vulnerabilities-6/


Security Bulletin: IBM Kenexa LMS On Premise -IBM SDK, Java Technology Edition Quarterly CPU - Oct 2020 - Includes Oracle Oct 2020 CPU

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020-includes-oracle-oct-2020-cpu/