End-of-Day report
Timeframe: Thursday 25-03-2021 18:00 - Friday 26-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
FBI exposes weakness in Mamba ransomware, DiskCryptor
An alert from the U.S. Federal Bureau of Investigation about Mamba ransomware reveals a weak spot in the encryption process that could help targeted organizations recover from the attack without paying the ransom.
https://www.bleepingcomputer.com/news/security/fbi-exposes-weakness-in-mamba-ransomware-diskcryptor/
Office macro execution evidence, (Fri, Mar 26th)
Microsoft Office Macros continue to be the security nightmare that they have been for the past 3 decades. System and security admins everywhere continue to try to protect their users from prevalent macro malware, but they find Microsoft's tooling often less than helpful.
https://isc.sans.edu/diary/rss/27244
New 5G Flaw Exposes Priority Networks to Location Tracking and Other Attacks
New research into 5G architecture has uncovered a security flaw in its network slicing and virtualized network functions that could be exploited to allow data access and denial of service attacks between different network slices on a mobile operator's 5G network. AdaptiveMobile shared its findings with the GSM Association (GSMA) on February 4, 2021, following which the weaknesses were [...]
https://thehackernews.com/2021/03/new-5g-flaw-exposes-priority-networks.html
Perkiler malware turns to SMB brute force to spread
Perkiler is now using SMB brute force attacks to spread. That is not a new concept, but why attack SMB instead of RDP?
https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/
Dumping LSASS in memory undetected using MirrorDump
As I am sure some of you are aware from the occasional ramblings and screenshots on twitter, I am a big fan of .NET based offensive tooling. Not because [...]
https://www.pentestpartners.com/security-blog/dumping-lsass-in-memory-undetected-using-mirrordump/
20 Million Miners: Finding Malicious Cryptojacking Images in Docker Hub
Container images are a simple way to distribute software - including malicious cryptojacking images attackers use to distribute cryptominers.
https://unit42.paloaltonetworks.com/malicious-cryptojacking-images/
Exchange Server attacks: Microsoft shares intelligence on post-compromise activities
If you're cleaning up an infected Exchange server, you need to look for traces of multiple threats, warns Microsoft.
https://www.zdnet.com/article/exchange-server-attacks-microsoft-shares-intelligence-on-post-compromise-activities/
Current information on the ProxyLogon Exchange vulnerabilities in Austria
TL;DR: 254 Exchange servers are still unpatched (as of 2021-03-26). On 18 March there were still 839.
From 23 March to 26 March a total of 437 webshells were found in Austria.
The patch rate has slowed somewhat. We are seeing the usual exponential decline in the number of vulnerable systems.
However, the mitigation applied automatically by Microsoft Defender since 18 March appears to have served its purpose.
https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-proxylogon-exchange-schwachstellen-in-osterreich
PsExec Privilege Escalation in Windows Fixed
A component of Microsoft's Sysinternals utility suite was found in January 2021 to be vulnerable to privilege escalation. According to the release notes from Microsoft: "This update to PsExec mitigates named pipe squatting attacks that can be leveraged by an attacker to intercept credentials or elevate to System privilege."
https://exchange.xforce.ibmcloud.com/collection/e97cd1b85394822631fcc1589f7ff16d
Vulnerabilities
Microsoft releases Windows 10 SSU to fix security update issue
Microsoft has released the Windows 10 1909 KB5000850 cumulative update preview and a new KB5001205 Servicing Stack Update that resolves a Secure Boot vulnerability.
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-ssu-to-fix-security-update-issue/
Another Critical RCE Flaw Discovered in SolarWinds Orion Platform
IT infrastructure management provider SolarWinds on Thursday released a new update to its Orion network monitoring tool with fixes for four security vulnerabilities, including two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution (RCE). Chief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via [...]
https://thehackernews.com/2021/03/solarwinds-orion-vulnerability.html
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021
On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. This advisory will be updated as additional information becomes available.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd
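To make the first of the two OpenSSL issues concrete, here is an added example that is neither OpenSSL's code nor part of the Cisco advisory. It models the X.509 path-validation rule the advisory says can be bypassed: every certificate that issues another certificate must assert basicConstraints CA:TRUE (and keyCertSign), and a CA's pathLenConstraint bounds how many intermediates may sit below it. A naive verifier that only checks issuer/subject linkage accepts a certificate signed by a leaf; the strict verifier rejects it. The Cert records, chains and trust store are constructed toy data; no real signatures are checked, the issuer field stands in for a valid signature from the named issuer.

```python
"""Toy model of X.509 path validation (constructed example, not OpenSSL code).

Shows why a verifier must check basicConstraints on every issuing certificate:
without that check a valid end-entity certificate can "act as a CA" and sign
a certificate for any name, which is the class of failure the advisory above
describes. Signatures are not modelled; `issuer` stands in for a valid
signature by the certificate with that subject.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str                     # subject of the cert whose key signed this one
    is_ca: bool                     # basicConstraints: CA
    key_cert_sign: bool = False     # keyUsage: keyCertSign
    path_len: Optional[int] = None  # basicConstraints: pathLenConstraint


def _linked_to_anchor(chain: List[Cert], trusted: Dict[str, Cert]) -> bool:
    """Chain is ordered leaf first; each cert must name the next as issuer and
    the last cert must be a configured trust anchor."""
    if not chain or chain[-1].subject not in trusted:
        return False
    return all(c.issuer == nxt.subject for c, nxt in zip(chain, chain[1:]))


def naive_verify(chain: List[Cert], trusted: Dict[str, Cert]) -> bool:
    """Only checks linkage and the trust anchor. This is what a verifier
    effectively does when the CA-flag check is skipped or overridden: any
    certificate whose key can produce a signature becomes an issuer."""
    return _linked_to_anchor(chain, trusted)


def strict_verify(chain: List[Cert], trusted: Dict[str, Cert]) -> bool:
    """RFC 5280 section 6.1 style checks on top of linkage:
    - every certificate above the leaf must be a CA permitted to sign certs;
    - the number of intermediates below a CA must not exceed its
      pathLenConstraint (idx == number of intermediate certs below chain[1+idx])."""
    if not _linked_to_anchor(chain, trusted):
        return False
    for idx, issuer in enumerate(chain[1:]):
        if not (issuer.is_ca and issuer.key_cert_sign):
            return False          # a leaf (or non-signing CA) tried to issue
        if issuer.path_len is not None and idx > issuer.path_len:
            return False          # too many intermediates below this CA
    return True


# --- constructed sample PKI ---------------------------------------------------
ROOT = Cert("Root CA", "Root CA", is_ca=True, key_cert_sign=True, path_len=1)
INTER = Cert("Intermediate CA", "Root CA", is_ca=True, key_cert_sign=True, path_len=0)
SERVER = Cert("www.example.com", "Intermediate CA", is_ca=False)          # legitimate leaf
ROGUE = Cert("victim.example", "www.example.com", is_ca=False)            # signed with the leaf's key
EXTRA_CA = Cert("Extra CA", "Intermediate CA", is_ca=True, key_cert_sign=True)
DEEP_LEAF = Cert("deep.example", "Extra CA", is_ca=False)

TRUSTED = {ROOT.subject: ROOT}

GOOD_CHAIN = [SERVER, INTER, ROOT]
ROGUE_CHAIN = [ROGUE, SERVER, INTER, ROOT]        # leaf acting as a CA
TOO_DEEP_CHAIN = [DEEP_LEAF, EXTRA_CA, INTER, ROOT]  # violates INTER's pathLen=0


def demo() -> Dict[str, bool]:
    """Returns the verdict of each verifier on each constructed chain."""
    return {
        "naive/good": naive_verify(GOOD_CHAIN, TRUSTED),
        "naive/rogue": naive_verify(ROGUE_CHAIN, TRUSTED),
        "strict/good": strict_verify(GOOD_CHAIN, TRUSTED),
        "strict/rogue": strict_verify(ROGUE_CHAIN, TRUSTED),
        "strict/too_deep": strict_verify(TOO_DEEP_CHAIN, TRUSTED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {'accepted' if verdict else 'rejected'}")
```

The practical check for the real library is the version: the advisory's fixed release is the one to compare against with `openssl version`, and the CA-flag enforcement only matters for chains where an intermediate or leaf is under attacker control, which is exactly the case a strict verifier must handle.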
Security updates: attackers could crash Samba LDAP servers
Multiple vulnerabilities in Samba put systems at risk. Patched versions are available for download.
https://heise.de/-5999401
Security updates for Friday
Security updates have been issued by Debian (firefox-esr, jquery, openssl, and thunderbird), openSUSE (openssl-1_1 and tor), Oracle (firefox and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (libzypp, zypper and openssl-1_1), and Ubuntu (firefox, ldb, openssl, and ruby2.0).
https://lwn.net/Articles/850703/
Synology-SA-21:13 Samba AD DC
Multiple vulnerabilities allow remote attackers and remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_13
Security Advisory - Denial of Service Vulnerability in Huawei Product
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210324-01-dos-en
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9.
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-license-metric-tool-v9-3/
Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-java-se-affects-rational-build-forge-4/
Security Bulletin: Multiple vulnerabilities in node.js may affect configuration editor used in IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-1971, CVE-2020-8265, CVE-2020-8287
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-node-js-may-affect-configuration-editor-used-in-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2020-1971-cve-2020-8265-c/
Security Bulletin: A vulnerability in IBM Java SDK affects IBM License Metric Tool v9 (CVE-2020-14782).
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-sdk-affects-ibm-license-metric-tool-v9-cve-2020-14782/
Intel Ethernet Controller vulnerabilities CVE-2020-24497, CVE-2020-24498, CVE-2020-24500, CVE-2020-24501, and CVE-2020-24505
https://support.f5.com/csp/article/K85738358