Daily summary - 26.03.2021

End-of-Day report

Timeframe: Thursday 25-03-2021 18:00 - Friday 26-03-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

FBI exposes weakness in Mamba ransomware, DiskCryptor

An alert from the U.S. Federal Bureau of Investigation about Mamba ransomware reveals a weak spot in the encryption process that could help targeted organizations recover from the attack without paying the ransom.

https://www.bleepingcomputer.com/news/security/fbi-exposes-weakness-in-mamba-ransomware-diskcryptor/


Office macro execution evidence, (Fri, Mar 26th)

Microsoft Office Macros continue to be the security nightmare that they have been for the past 3 decades. System and security admins everywhere continue to try to protect their users from prevalent macro malware, but they find Microsoft's tooling often less than helpful.

https://isc.sans.edu/diary/rss/27244


New 5G Flaw Exposes Priority Networks to Location Tracking and Other Attacks

New research into 5G architecture has uncovered a security flaw in its network slicing and virtualized network functions that could be exploited to allow data access and denial of service attacks between different network slices on a mobile operator's 5G network. AdaptiveMobile shared its findings with the GSM Association (GSMA) on February 4, 2021, following which the weaknesses were [...]

https://thehackernews.com/2021/03/new-5g-flaw-exposes-priority-networks.html


Perkiler malware turns to SMB brute force to spread

Perkiler is now using SMB brute force attacks to spread. This is not a new concept, but why attack SMB instead of RDP?

https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/


Dumping LSASS in memory undetected using MirrorDump

As I am sure some of you are aware from the occasional ramblings and screenshots on twitter, I am a big fan of .NET based offensive tooling. Not because [...]

https://www.pentestpartners.com/security-blog/dumping-lsass-in-memory-undetected-using-mirrordump/


20 Million Miners: Finding Malicious Cryptojacking Images in Docker Hub

Container images are a simple way to distribute software - including malicious cryptojacking images attackers use to distribute cryptominers.

https://unit42.paloaltonetworks.com/malicious-cryptojacking-images/


Exchange Server attacks: Microsoft shares intelligence on post-compromise activities

If you're cleaning up an infected Exchange server, you need to look for traces of multiple threats, warns Microsoft.

https://www.zdnet.com/article/exchange-server-attacks-microsoft-shares-intelligence-on-post-compromise-activities/


Current information on the ProxyLogon Exchange vulnerabilities in Austria

TL;DR 254 Exchange servers are still unpatched (as of 2021-03-26). On 18 March there were still 839. From 23 March to 26 March a total of 437 webshells were found in Austria. The patch rate has decreased somewhat. We are seeing the usual exponential decline in vulnerable systems. However, the mitigation applied automatically by Microsoft Defender since 18 March appears to have served its purpose.

https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-proxylogon-exchange-schwachstellen-in-osterreich


PsExec Privilege Escalation in Windows Fixed

A component of Microsoft's Sysinternals utilities was found in January 2021 to be vulnerable to privilege escalation. According to the release notes from Microsoft: "This update to PsExec mitigates named pipe squatting attacks that can be leveraged by an attacker to intercept credentials or elevate to System privilege."

https://exchange.xforce.ibmcloud.com/collection/e97cd1b85394822631fcc1589f7ff16d

Vulnerabilities

Microsoft releases Windows 10 SSU to fix security update issue

Microsoft has released the Windows 10 1909 KB5000850 cumulative update preview and a new KB5001205 Servicing Stack Update that resolves a Secure Boot vulnerability.

https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-ssu-to-fix-security-update-issue/


Another Critical RCE Flaw Discovered in SolarWinds Orion Platform

IT infrastructure management provider SolarWinds on Thursday released a new update to its Orion networking monitoring tool with fixes for four security vulnerabilities, counting two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution (RCE). Chief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via [...]

https://thehackernews.com/2021/03/solarwinds-orion-vulnerability.html


Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021

On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. This advisory will be updated as additional information becomes available.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd


Security updates: Attackers could crash Samba LDAP servers

Multiple vulnerabilities in Samba put systems at risk. Patched versions are available for download.

https://heise.de/-5999401


Security updates for Friday

Security updates have been issued by Debian (firefox-esr, jquery, openssl, and thunderbird), openSUSE (openssl-1_1 and tor), Oracle (firefox and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (libzypp, zypper and openssl-1_1), and Ubuntu (firefox, ldb, openssl, and ruby2.0).

https://lwn.net/Articles/850703/


Synology-SA-21:13 Samba AD DC

Multiple vulnerabilities allow remote attackers and remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server.

https://www.synology.com/en-global/support/security/Synology_SA_21_13


Security Advisory - Denial of Service Vulnerability in Huawei Product

http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210324-01-dos-en


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9.

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-license-metric-tool-v9-3/


Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-java-se-affects-rational-build-forge-4/


Security Bulletin: Multiple vulnerabilities in node.js may affect configuration editor used in IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-1971, CVE-2020-8265, CVE-2020-8287

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-node-js-may-affect-configuration-editor-used-in-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2020-1971-cve-2020-8265-c/


Security Bulletin: A vulnerability in IBM Java SDK affects IBM License Metric Tool v9 (CVE-2020-14782).

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-sdk-affects-ibm-license-metric-tool-v9-cve-2020-14782/


Intel Ethernet Controller vulnerabilities CVE-2020-24497, CVE-2020-24498, CVE-2020-24500, CVE-2020-24501, and CVE-2020-24505

https://support.f5.com/csp/article/K85738358