Daily summary - 26.02.2021

End-of-Day report

Timeframe: Thursday 25-02-2021 18:00 - Friday 26-02-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer

News

So where did those Satori attacks come from? (Thu, Feb 25th)

Last week I posted about a new Satori variant scanning on TCP port 26 that I was picking up in my honeypots. Things have slowed down a bit, but levels are still above where they had been since mid-July 2020 on port 26.

https://isc.sans.edu/diary/rss/27140


SQL Triggers in Website Backdoors

Over the past year, there's been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin-level user into the infected database whenever the trigger condition is met. What makes this especially problematic for website owners is that most malware cleanup guides focus on the website files and data within specific database tables - for example, wp_users, wp_options, and wp_posts.

https://blog.sucuri.net/2021/02/sql-triggers-in-website-backdoors.html


ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information.

https://thehackernews.com/2021/02/alert-malicious-amazon-alexa-skills-can.html


So Unchill: Melting UNC2198 ICEDID to Ransomware Operations

Since its discovery in 2017 as a banking trojan, ICEDID evolved into a pernicious point of entry for financially motivated actors to conduct intrusion operations. In earlier years, ICEDID was deployed to primarily target banking credentials.

https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html


SilentFade virus strikes, Cyberstalking and Ransom user

Recently, 360 Security Center monitored that the SilentFade virus was bundled with pirated software to spread. The infected users were mainly distributed in Malaysia, India, [...]

https://blog.360totalsecurity.com/en/silentfade-virus-strikes-cyberstalking-and-ransom-user/


Microsoft Releases Open Source Resources for Solorigate Threat Hunting

Microsoft on Thursday announced the open source availability of CodeQL queries that it used during its investigation into the SolarWinds attack.

https://www.securityweek.com/microsoft-releases-open-source-resources-solorigate-threat-hunting


Chain-letter alert: Fake Amazon prize draw doing the rounds on WhatsApp!

A link is currently being sent around on WhatsApp promising a prize on the occasion of Amazon's supposed 30th anniversary. We took a closer look at the message and the link. Our conclusion: it is a classic chain letter. You receive no prize; instead you are made to download a dangerous app.

https://www.watchlist-internet.at/news/kettenbrief-alarm-angebliches-amazon-gewinnspiel-macht-auf-whatsapp-die-runde/


Go malware is now common, having been adopted by both APTs and e-crime groups

There's been a 2,000% increase of new malware written in Go over the past few years.

https://www.zdnet.com/article/go-malware-is-now-common-having-been-adopted-by-both-apts-and-e-crime-groups/


New Phishing Attack Using Malformed URL Prefixes

GreatHorn reports on a phishing technique that leverages malformed URL prefixes to bypass security scanners. Many security scanners use pattern recognition to identify URLs, thus expecting the presence of "http://" to identify them. However, the URL specification technically does not require the "//" in order to visit a URL.

https://exchange.xforce.ibmcloud.com/collection/c52464bd46eb48e4c5741df9e1b0302a

Vulnerabilities

Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue

In early November, a developer contributing to Google's open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser's Blink rendering engine: it can be used to break a memory defense known as address space layout randomization (ASLR).

https://go.theregister.com/feed/www.theregister.com/2021/02/26/chrome_aslr_bypass/


Security Advisory for Multiple Vulnerabilities on Some Routers, Satellites, and Extenders

NETGEAR has released fixes for multiple security vulnerabilities on the following product models:

BR200, running firmware versions prior to 5.10.0.5
BR500, running firmware versions prior to 5.10.0.5
D7800, running firmware versions prior to 1.0.1.60
EX6100v2, running firmware versions prior to 1.0.1.98
EX6150v2, running firmware versions prior to 1.0.1.98
EX6250, running firmware versions prior to 1.0.0.134
EX6400, running firmware versions prior to 1.0.2.158
EX6400v2, running firmware versions prior to 1.0.0.134
EX6410, running firmware versions prior to 1.0.0.134
EX6420, running firmware versions prior to 1.0.0.134
EX7300, running firmware versions prior to 1.0.2.158
EX7300v2, running firmware versions prior to 1.0.0.134
EX7320, running firmware versions prior to 1.0.0.134
EX7700, running firmware versions prior to 1.0.0.216
EX8000, running firmware versions prior to 1.0.1.232
LBR20, running firmware versions prior to 2.6.3.50
R7800, running firmware versions prior to 1.0.2.80
R8900, running firmware versions prior to 1.0.5.28
R9000, running firmware versions prior to 1.0.5.28
RBK12, running firmware versions prior to 2.7.2.104
RBK13, running firmware versions prior to 2.7.2.104
RBK14, running firmware versions prior to 2.7.2.104
RBK15, running firmware versions prior to 2.7.2.104
RBK20, running firmware versions prior to 2.6.2.104
RBK23, running firmware versions prior to 2.7.2.104
RBK40, running firmware versions prior to 2.6.2.104
RBK43, running firmware versions prior to 2.6.2.104
RBK43S, running firmware versions prior to 2.6.2.104
RBK44, running firmware versions prior to 2.6.2.104
RBK50, running firmware versions prior to 2.7.2.104
RBK53, running firmware versions prior to 2.7.2.104
RBR10, running firmware versions prior to 2.6.2.104
RBR20, running firmware versions prior to 2.6.2.104
RBR40, running firmware versions prior to 2.6.2.104
RBR50, running firmware versions prior to 2.7.2.104
RBS10, running firmware versions prior to 2.6.2.104
RBS20, running firmware versions prior to 2.6.2.104
RBS40, running firmware versions prior to 2.6.2.104
RBS50, running firmware versions prior to 2.7.2.104
RBS50Y, running firmware versions prior to 2.6.2.104
XR450, running firmware versions prior to 2.3.2.114
XR500, running firmware versions prior to 2.3.2.114
XR700, running firmware versions prior to 1.0.1.38

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Satellites-and-Extenders


Security updates for Friday

Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).

https://lwn.net/Articles/847581/


PerFact OpenVPN-Client

This advisory contains mitigations for an External Control of System or Configuration Setting vulnerability in the PerFact OpenVPN-Client.

https://us-cert.cisa.gov/ics/advisories/icsa-21-056-01


Fatek FvDesigner

This advisory contains mitigations for Use After Free, Access of Uninitialized Pointer, Stack-based Buffer Overflow, Out-of-Bounds Write, and Out-of-Bounds Read vulnerabilities in Fatek FvDesigner software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-056-02


Rockwell Automation Logix Controllers

This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers.

https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03


ProSoft Technology ICX35

This advisory contains mitigations for a Permissions, Privileges, and Access Controls vulnerability in ProSoft Technology ICX35 industrial cellular gateways.

https://us-cert.cisa.gov/ics/advisories/icsa-21-056-04


GeNUA GeNUGate: Unspecified vulnerability

http://www.cert-bund.de/advisoryshort/CB-K21-0217


Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-26950) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 - 2020.2.0

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-26950-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if12-icam2019-3-0-2020-2-0/


Security Bulletin: IBM Cloud Private is vulnerable to a Node.js lodash vulnerability (CVEID: 183560)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-a-node-js-lodash-vulnerability-cveid-183560-2/


Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - Java SE (CVE-2020-14779, CVE-2020-14792, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-using-components-with-known-vulnerabilities-java-se-cve-2020-14779-cve-2020-14792-cve-2020-14796-cve-2020-14797-cve-2020-14798/


Security Bulletin: A Security Vulnerability affects IBM Cloud Private - OpenSSL (CVE-2019-1551)

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-affects-ibm-cloud-private-openssl-cve-2019-1551-2/


Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2020

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020/


Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-15683) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 - 2020.2.0

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-15683-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if12-icam2019-3-0-2020-2-0/


Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-15677) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 - 2020.2.0

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-15677-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if12-icam2019-3-0-2020-2-0/


Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC.

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-go-affect-ibm-cloud-pak-for-multicloud-management-hybrid-grc-2/


Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-26951) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 - 2020.2.0

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-26951-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if11-icam2019-3-0-2020-2-0/


Security Bulletin: IBM Resilient SOAR is using opensaml-2.6.4.jar that could be vulnerable to bypass security restrictions (CVE-2015-1796)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-using-opensaml-2-6-4-jar-that-could-be-vulnerable-to-bypass-security-restrictions-cve-2015-1796/