End-of-Day report
Timeframe: Friday 26-02-2021 18:00 - Monday 01-03-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Ryuk ransomware now self-spreads to other Windows LAN devices
A new Ryuk ransomware variant with worm-like capabilities that allow it to spread to other devices on victims' local networks has been discovered by the French national cyber-security agency while investigating an attack in early 2021.
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spreads-to-other-windows-lan-devices/
Mobile malware evolution 2020
In 2020, Kaspersky mobile products and technologies detected 156,710 new mobile banking Trojans and 20,708 new mobile ransomware Trojans.
https://securelist.com/mobile-malware-evolution-2020/101029/
Maldocs: Protection Passwords (Sun, Feb 28th)
In diary entry "Unprotecting Malicious Documents For Inspection" I explain how to deal with protected malicious Excel documents by removing the protection passwords.
https://isc.sans.edu/diary/rss/27146
Top 5 simplest and most effective measures to prevent hacker attacks
No matter what kind of attacker one is dealing with, the steps from the initial compromise up to full "Domain Dominance" follow the same patterns.
https://sec-consult.com/de/blog/detail/top-5-der-simpelsten-und-effektivsten-massnahmen-um-hackerangriffen-vorzubeugen/
Acute wave of attacks on Fritzbox users, act now!
Mysterious access attempts from the IP address 185.232.52.55 are currently unsettling numerous Fritzbox users. Protect your router against the wave of attacks.
https://heise.de/-5068111
New ICS Threat Activity Group: KAMACITE
The new KAMACITE activity group represents a long-running set of related behaviors targeting electric utilities, oil and gas operations, and various manufacturing since at least 2014.
https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-kamacite/
Free cybersecurity tool aims to help smaller businesses stay safer online
NCSC tool aims to help small businesses develop a strategy to protect themselves from cyber crime.
https://www.zdnet.com/article/free-cybersecurity-tool-aims-to-help-smaller-businesses-stay-safer-online/
Laravel Apps Leaking Secrets
An attacker logged in through RDP a few days ago to run an "smtp cracker" that scans a list of IP addresses or URLs looking for misconfigured Laravel systems.
https://thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/
Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures
New versions of the MINEBRIDGE RAT were discovered and analyzed by Zscaler researchers. Their findings on the TTPs, attribution, C2 infrastructure, and attack flow are published in a recent blog.
https://exchange.xforce.ibmcloud.com/collection/256c2e722c138ff5a1a711314fc88f17
Vulnerabilities
Authentication bypass vulnerability in Genua GenuGate High Resistance Firewall
The Genua GenuGate High Resistance Firewall is affected by a critical authentication bypass vulnerability. By manipulating certain HTTP POST parameters during login, an unauthenticated attacker can log in as any user in the admin web interface, Sidechannel Web and Userweb interface, and thereby obtain the highest privileges (root).
https://sec-consult.com/de/vulnerability-lab/advisory/authentication-bypass-genua-genugate/
Google shares PoC exploit for critical Windows 10 Graphics RCE bug
Project Zero, Google's 0-day bug-hunting team, shared technical details and proof-of-concept (PoC) exploit code for a critical remote code execution (RCE) bug affecting a Windows graphics component.
https://www.bleepingcomputer.com/news/security/google-shares-poc-exploit-for-critical-windows-10-graphics-rce-bug/
D-LinkGATE Remote Code Execution
CVE numbers: CVE-2021-27249, CVE-2021-27250. Product: DAP-2020 (since the vulnerability affects a core component, further models might also be affected). Vulnerabilities: Blind RCE; Blind RCE to full RCE escalation; Log Injection; Arbitrary File Read; Arbitrary File Upload; LPE [...]
https://suid.ch/research/DAP-2020_Preauth_RCE_Chain.html
Security updates for Monday
Security updates have been issued by CentOS (firefox, ImageMagick, libexif, thunderbird, and xorg-x11-server), Debian (docker.io, python-aiohttp, and thunderbird), Fedora (chromium, firefox, kernel, and rygel), Mageia (nodejs, pix, and subversion), openSUSE (glibc, gnuplot, nodejs12, nodejs14, pcp, python-cryptography, qemu, and salt), Red Hat (bind and podman), and SUSE (csync2, glibc, java-1_8_0-ibm, nodejs12, nodejs14, python-Jinja2, and rpmlint).
https://lwn.net/Articles/847778/
Minion privilege escalation exploit patched in SaltStack Salt project
The bug permitted attackers to perform privilege escalation attacks in the automation software.
https://www.zdnet.com/article/minion-hijacking-flaw-patched-in-saltstack-salt-project/
IBM Security Bulletins
https://www.ibm.com/blogs/psirt/