End-of-Day report
Timeframe: Thursday 25-02-2021 18:00 - Friday 26-02-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
So where did those Satori attacks come from?, (Thu, Feb 25th)
Last week I posted about a new Satori variant scanning on TCP port 26 that I was picking up in my honeypots. Things have slowed down a bit, but levels are still above where they had been since mid-July 2020 on port 26.
https://isc.sans.edu/diary/rss/27140
SQL Triggers in Website Backdoors
Over the past year, there's been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin-level user into the infected database whenever the trigger condition is met. What makes this especially problematic for website owners is that most malware cleanup guides focus on the website files and data within specific database tables - for example, wp_users, wp_options, and wp_posts.
https://blog.sucuri.net/2021/02/sql-triggers-in-website-backdoors.html
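A defender-side check for the trigger technique described above, as an added example that is not from the Sucuri post; it assumes MySQL/MariaDB and WordPress's default wp_ table prefix:

```sql
-- Added example (not from the Sucuri post): enumerate triggers in the current
-- WordPress database and flag any whose body touches the user tables, since a
-- backdoor trigger re-creates an admin user whenever its condition fires.
-- Assumes MySQL/MariaDB and the default "wp_" table prefix.
SELECT TRIGGER_NAME,
       EVENT_MANIPULATION,     -- INSERT / UPDATE / DELETE that fires the trigger
       EVENT_OBJECT_TABLE,     -- table the trigger is attached to
       ACTION_TIMING,          -- BEFORE / AFTER
       ACTION_STATEMENT        -- trigger body, to be reviewed by hand
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = DATABASE()
  AND (ACTION_STATEMENT LIKE '%wp_users%'
       OR ACTION_STATEMENT LIKE '%wp_usermeta%'
       OR ACTION_STATEMENT LIKE '%wp_capabilities%');

-- WordPress core itself creates no triggers, so simply listing every trigger
-- in the schema is a cheap first check: anything returned deserves review.
SHOW TRIGGERS;
```

Run the query as the site's database user; a trigger that only fires on a rarely used table is easy to miss in a file-level cleanup, which is the gap the post describes.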
ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process
Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information.
https://thehackernews.com/2021/02/alert-malicious-amazon-alexa-skills-can.html
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Since its discovery in 2017 as a banking trojan, ICEDID evolved into a pernicious point of entry for financially motivated actors to conduct intrusion operations. In earlier years, ICEDID was deployed to primarily target banking credentials.
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html
SilentFade virus strikes, Cyberstalking and Ransom user
Recently, 360 Security Center monitored that the SilentFade virus was bundled with pirated software to spread. The infected users were mainly distributed in Malaysia, India, [...]
https://blog.360totalsecurity.com/en/silentfade-virus-strikes-cyberstalking-and-ransom-user/
Microsoft Releases Open Source Resources for Solorigate Threat Hunting
Microsoft on Thursday announced the open source availability of CodeQL queries that it used during its investigation into the SolarWinds attack.
https://www.securityweek.com/microsoft-releases-open-source-resources-solorigate-threat-hunting
Chain letter alert: Fake Amazon prize draw is circulating on WhatsApp!
A link is currently being sent around on WhatsApp promising a prize on the occasion of Amazon's supposed 30th anniversary. We took a closer look at the message and the link. Our conclusion: it is a classic chain letter. You will not receive any prize; instead you are required to download a dangerous app.
https://www.watchlist-internet.at/news/kettenbrief-alarm-angebliches-amazon-gewinnspiel-macht-auf-whatsapp-die-runde/
Go malware is now common, having been adopted by both APTs and e-crime groups
There's been a 2,000% increase of new malware written in Go over the past few years.
https://www.zdnet.com/article/go-malware-is-now-common-having-been-adopted-by-both-apts-and-e-crime-groups/
New Phishing Attack Using Malformed URL Prefixes
GreatHorn reports on a phishing technique that leverages malformed URL prefixes to bypass security scanners. Many security scanners use pattern recognition to identify URLs, thus expecting the presence of "http://" to identify them. However, the URL specification technically does not require the "//" in order to visit a URL.
https://exchange.xforce.ibmcloud.com/collection/c52464bd46eb48e4c5741df9e1b0302a
Vulnerabilities
Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue
In early November, a developer contributing to Google's open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser's Blink rendering engine: it can be used to break a memory defense known as address space layout randomization (ASLR).
https://go.theregister.com/feed/www.theregister.com/2021/02/26/chrome_aslr_bypass/
Security Advisory for Multiple Vulnerabilities on Some Routers, Satellites, and Extenders
NETGEAR has released fixes for multiple security vulnerabilities on the following product models:
BR200, running firmware versions prior to 5.10.0.5
BR500, running firmware versions prior to 5.10.0.5
D7800, running firmware versions prior to 1.0.1.60
EX6100v2, running firmware versions prior to 1.0.1.98
EX6150v2, running firmware versions prior to 1.0.1.98
EX6250, running firmware versions prior to 1.0.0.134
EX6400, running firmware versions prior to 1.0.2.158
EX6400v2, running firmware versions prior to 1.0.0.134
EX6410, running firmware versions prior to 1.0.0.134
EX6420, running firmware versions prior to 1.0.0.134
EX7300, running firmware versions prior to 1.0.2.158
EX7300v2, running firmware versions prior to 1.0.0.134
EX7320, running firmware versions prior to 1.0.0.134
EX7700, running firmware versions prior to 1.0.0.216
EX8000, running firmware versions prior to 1.0.1.232
LBR20, running firmware versions prior to 2.6.3.50
R7800, running firmware versions prior to 1.0.2.80
R8900, running firmware versions prior to 1.0.5.28
R9000, running firmware versions prior to 1.0.5.28
RBK12, running firmware versions prior to 2.7.2.104
RBK13, running firmware versions prior to 2.7.2.104
RBK14, running firmware versions prior to 2.7.2.104
RBK15, running firmware versions prior to 2.7.2.104
RBK20, running firmware versions prior to 2.6.2.104
RBK23, running firmware versions prior to 2.7.2.104
RBK40, running firmware versions prior to 2.6.2.104
RBK43, running firmware versions prior to 2.6.2.104
RBK43S, running firmware versions prior to 2.6.2.104
RBK44, running firmware versions prior to 2.6.2.104
RBK50, running firmware versions prior to 2.7.2.104
RBK53, running firmware versions prior to 2.7.2.104
RBR10, running firmware versions prior to 2.6.2.104
RBR20, running firmware versions prior to 2.6.2.104
RBR40, running firmware versions prior to 2.6.2.104
RBR50, running firmware versions prior to 2.7.2.104
RBS10, running firmware versions prior to 2.6.2.104
RBS20, running firmware versions prior to 2.6.2.104
RBS40, running firmware versions prior to 2.6.2.104
RBS50, running firmware versions prior to 2.7.2.104
RBS50Y, running firmware versions prior to 2.6.2.104
XR450, running firmware versions prior to 2.3.2.114
XR500, running firmware versions prior to 2.3.2.114
XR700, running firmware versions prior to 1.0.1.38
NETGEAR strongly recommends that you download the latest firmware as soon as possible.
https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Satellites-and-Extenders
Security updates for Friday
Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).
https://lwn.net/Articles/847581/
PerFact OpenVPN-Client
This advisory contains mitigations for an External Control of System or Configuration Setting vulnerability in the PerFact OpenVPN-Client.
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-01
Fatek FvDesigner
This advisory contains mitigations for Use After Free, Access of Uninitialized Pointer, Stack-based Buffer Overflow, Out-of-Bounds Write, and Out-of-Bounds Read vulnerabilities in Fatek FvDesigner software.
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-02
Rockwell Automation Logix Controllers
This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers.
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03
ProSoft Technology ICX35
This advisory contains mitigations for a Permissions, Privileges, and Access Controls vulnerability in ProSoft Technology ICX35 industrial cellular gateways.
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-04
GeNUA GeNUGate: Unspecified vulnerability
http://www.cert-bund.de/advisoryshort/CB-K21-0217
Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-26950) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 - 2020.2.0
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-26950-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if12-icam2019-3-0-2020-2-0/
Security Bulletin: IBM Cloud Private is vulnerable to a Node.js lodash vulnerability (CVEID: 183560)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-a-node-js-lodash-vulnerability-cveid-183560-2/
Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - Java SE (CVE-2020-14779, CVE-2020-14792, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-using-components-with-known-vulnerabilities-java-se-cve-2020-14779-cve-2020-14792-cve-2020-14796-cve-2020-14797-cve-2020-14798/
Security Bulletin: A Security Vulnerability affects IBM Cloud Private - OpenSSL (CVE-2019-1551)
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-affects-ibm-cloud-private-openssl-cve-2019-1551-2/
Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2020
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020/
Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-15683) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 - 2020.2.0
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-15683-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if12-icam2019-3-0-2020-2-0/
Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-15677) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 - 2020.2.0
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-15677-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if12-icam2019-3-0-2020-2-0/
Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC.
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-go-affect-ibm-cloud-pak-for-multicloud-management-hybrid-grc-2/
Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-26951) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 - 2020.2.0
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-26951-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if11-icam2019-3-0-2020-2-0/
Security Bulletin: IBM Resilient SOAR is using opensaml-2.6.4.jar that could be vulnerable to bypass security restrictions (CVE-2015-1796)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-using-opensaml-2-6-4-jar-that-could-be-vulnerable-to-bypass-security-restrictions-cve-2015-1796/