End-of-Day report
Timeframe: Wednesday 24-02-2021 18:00 - Thursday 25-02-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
Attackers scan for vulnerable VMware servers after PoC exploit release
After security researchers developed and published proof-of-concept (PoC) exploit code targeting a critical vCenter remote code execution (RCE) vulnerability, attackers are now actively scanning for vulnerable Internet-exposed VMware servers.
https://www.bleepingcomputer.com/news/security/attackers-scan-for-vulnerable-vmware-servers-after-poc-exploit-release/
Lazarus targets defense industry with ThreatNeedle
In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group's other campaigns.
https://securelist.com/lazarus-threatneedle/100803/
Forensicating Azure VMs, (Thu, Feb 25th)
With more and more workloads migrating to "the Cloud", we see post-breach forensic investigations also increasingly moving from on-premises to remote instances. If we are lucky and the installation is well engineered, we will encounter a "managed" virtual machine setup, where a forensic agent or EDR (endpoint detection & response) product is pre-installed on our affected VM. Alas, in my experience, this so far seems to be the exception rather than the norm.
https://isc.sans.edu/diary/rss/27136
Cisco closes three critical, remotely exploitable security vulnerabilities
Update now: the ACI Multi-Site Orchestrator (MSO), the Application Services Engine and Nexus switches contain(ed) remotely exploitable vulnerabilities rated "Critical".
https://heise.de/-5065055
Babuk Ransomware
Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises, with one already paying the criminals $85,000 after negotiations. As with other variants, this ransomware is deployed in the network of enterprises that the criminals carefully target and compromise.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/
DarkWorld Ransomware
Recently, 360 Security Center detected a ransomware that disguised commonly used software and appeared on the network. The virus called itself DarkWorld in the [...]
https://blog.360totalsecurity.com/en/darkworld-ransomware/
Caution: shopping at falinas.com, falinas.de and falinas.at signs you up for a subscription!
We are currently receiving numerous reports warning about the online shop falinas.com. The shop is also reachable at falinas.de and falinas.at, and the scheme is the same on all of them: you buy one of the many brand-name beauty products at a low price, and only later do consumers notice that they have thereby taken out an expensive subscription. Our recommendation: stay away from falinas.com.
https://www.watchlist-internet.at/news/vorsicht-beim-shoppen-auf-falinascom-falinasde-und-falinasat-schliessen-sie-ein-abo-ab/
This chart shows the connections between cybercrime groups
CrowdStrike has put together a chart of the connections between cybercrime groups and how they cooperate with each other.
https://www.zdnet.com/article/this-chart-shows-the-connections-between-cybercrime-groups/
Google Mail Merge Impersonation
A recent phishing campaign detected by Abnormal Security attempts to steal Outlook credentials through a Google Mail merge lure.
https://exchange.xforce.ibmcloud.com/collection/eaf477f5b5f77df91462fd850effcb01
Vulnerabilities
Security updates for Thursday
Security updates have been issued by Arch Linux (ansible-base, keycloak, mumble, and postgresql), Debian (firefox-esr and nodejs), Fedora (dotnet3.1, dotnet5.0, keylime, php-horde-Horde-Text-Filter, radare2, scap-security-guide, and wireshark), openSUSE (postgresql, postgresql13 and python-djangorestframework), Red Hat (Ansible, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (php7, postgresql-jdbc, python-cryptography, rpmlint, and webkit2gtk3), and Ubuntu (dnsmasq, [...]
https://lwn.net/Articles/847390/
Node.js vulnerability CVE-2020-8277
https://support.f5.com/csp/article/K07944249
Security Bulletin: Vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-linux-kernel-affect-ibm-spectrum-protect-plus/
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway (CVE-2020-14803, CVE-2020-27221)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-messagegateway-cve-2020-14803-cve-2020-27221/
Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-2020-1971)
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclosed-vulnerability-affects-messagegateway-cve-2020-1971/
Security Bulletin: Multiple IBM Java Runtime Vulnerabilities Affect IBM Sterling Connect:Direct Browser User Interface
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-java-runtime-vulnerabilities-affect-ibm-sterling-connectdirect-browser-user-interface/
Security Bulletin: IBM FileNet Content Manager GraphQL Cross-site request forgery security vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-filenet-content-manager-graphql-cross-site-request-forgery-security-vulnerability/
Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-firmware-used-by-ibm-c-type-san-directors-and-switches-2/
Security Bulletin: Static Credential Vulnerability in IBM Spectrum Protect Plus (CVE-2020-4854)
https://www.ibm.com/blogs/psirt/security-bulletin-static-credential-vulnerability-in-ibm-spectrum-protect-plus-cve-2020-4854-2/
Security Bulletin: A vulnerability in IBM Java Runtime affects IBM MessageGateway (CVE-2020-14781)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-ibm-messagegateway-cve-2020-14781/