Daily summary - 03.03.2021

End-of-Day report

Timeframe: Tuesday 02-03-2021 18:00 - Wednesday 03-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner

News

Qakbot infection with Cobalt Strike, (Wed, Mar 3rd)

On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity.

https://isc.sans.edu/diary/rss/27158


Qualys hit with ransomware: Customer invoices leaked on extortionists Tor blog

Ace infosec biz aware and investigating, we're told. Infosec outfit Qualys, its cloud-based vuln detection tech, and its SSL server test webpage have seemingly fallen victim to a ransomware attack.

https://go.theregister.com/feed/www.theregister.com/2021/03/03/qualys_ransomware_clop_gang/


-Urlaubsguru ReiseWelt- advertises fake travel offers on Facebook and Instagram

12 nights in the Maldives or two weeks in Thailand? And at an unbeatable price, with the assurance that you can cancel free of charge up to 48 hours before the trip? Sounds too good to be true? In this case, it is. On Facebook and Instagram, the fraudulent provider -Urlaubsguru ReiseWelt- advertises unbelievable offers. But instead of the promised dream trip, your money is simply stolen.

https://www.watchlist-internet.at/news/urlaubsguru-reisewelt-bewirbt-fake-reiseangebote-auf-facebook-und-instagram/


Threat Actor Group Cloud Atlas Tracked by DomainTools Researchers

Researchers from DomainTools continue to see an APT group known as Cloud Atlas (also known as Inception) run campaigns which primarily focus on targeting countries formerly part of the Soviet Union with an emphasis on energy and political themes.

https://exchange.xforce.ibmcloud.com/collection/ca6c08f0161ffd21cad662b80fa63cef

Vulnerabilities

Android Patch Day: critical remote security vulnerability removed from the operating system

For the March Patch Day, Google has, among other things, removed several critical security vulnerabilities from Android. Pixel devices receive numerous additional patches.

https://heise.de/-5070821


Medium Severity Vulnerability Patched in User Profile Picture Plugin

On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites. The vulnerability made it possible for authenticated users with the upload_files capability to obtain sensitive user information.

https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/


Security updates for Wednesday

Security updates have been issued by CentOS (bind), Debian (adminer, grub2, spip, and wpa), Mageia (openjpeg2, wpa_supplicant, and xterm), openSUSE (avahi, bind, firefox, ImageMagick, java-1_8_0-openjdk, nodejs10, and webkit2gtk3), Red Hat (container-tools:1.0, container-tools:2.0, grub2, and virt:rhel and virt-devel:rhel), SUSE (bind, gnome-autoar, grub2, and nodejs8), and Ubuntu (python2.7 and wpa).

https://lwn.net/Articles/848089/


Critical security vulnerabilities in Microsoft Exchange Server - patches available

Microsoft has released several patches for Microsoft Exchange outside its usual update cycle. According to Microsoft and the IT security firm Volexity, some of the vulnerabilities fixed by these patches are already being actively exploited.

https://cert.at/de/warnungen/2021/3/kritische-sicherheitslucken-in-microsoft-exchange-server-patches-verfugbar


Side Channel Key Extraction Vulnerability in Bosch IP Cameras and Encoders

BOSCH-SA-762869-BT: A recently discovered side channel attack for the NXP P5x security microcontrollers was made public. It allows attackers to extract an ECDSA private key after extensive physical access to the chip.

https://psirt.bosch.com/security-advisories/bosch-sa-762869-bt.html


Cisco Security Advisories - March 3rd, 2021

Cisco has published thirteen Security Advisories. Of the advisories, one is rated as High and twelve are rated as Medium. For all advisories listed below, it is noted that Cisco's Product Security Incident Response Team (PSIRT) is "not aware of any public announcements or malicious use of the vulnerabilities" [...]

https://exchange.xforce.ibmcloud.com/collection/a3892fab975bdb6f39d025581dba227c


SECURITY BULLETIN: Trend Micro Scan Engine Memory Exhaustion Denial-of-Service Vulnerability

https://success.trendmicro.com/solution/000285675


Security Bulletin: IBM Security Verify Bridge uses a hard-coded key to encrypt the client secret (CVE-2021-20442)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-bridge-uses-a-hard-coded-key-to-encrypt-the-client-secret-cve-2021-20442/


Security Bulletin: IBM Security Verify Information Queue uses a Node.js proxy library that has a known vulnerability (183561)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-information-queue-uses-a-node-js-proxy-library-that-has-a-known-vulnerability-183561/


Security Bulletin: iOS Vulnerable Minimum OS Version Supported

https://www.ibm.com/blogs/psirt/security-bulletin-ios-vulnerable-minimum-os-version-supported/


Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-cross-site-scripting-vulnerability-2/


Security Bulletin: IBM Security Verify Bridge uses relatively weak cryptographic algorithms in two of its functions (CVE-2021-20441)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-bridge-uses-relatively-weak-cryptographic-algorithms-in-two-of-its-functions-cve-2021-20441/


Security Bulletin: Android Mobile SDK compile builder includes vulnerable components

https://www.ibm.com/blogs/psirt/security-bulletin-android-mobile-sdk-compile-builder-includes-vulnerable-components/


VMSA-2021-0003

https://www.vmware.com/security/advisories/VMSA-2021-0003.html


Linux nfsd kernel vulnerability CVE-2020-24394

https://support.f5.com/csp/article/K04553557?utm_source=f5support&utm_medium=RSS


Hitachi ABB Power Grids Ellipse EAM

https://us-cert.cisa.gov/ics/advisories/icsa-21-061-01


Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers

https://us-cert.cisa.gov/ics/advisories/icsa-21-061-02


MB connect line mbCONNECT24, mymbCONNECT24

https://us-cert.cisa.gov/ics/advisories/icsa-21-061-03