End-of-Day report
Timeframe: Freitag 26-03-2021 18:00 - Montag 29-03-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Git-Hosting: Angriff auf PHPs Code-Repository
Im Git-Repository von PHP wurden zwei Hintertüren eingefügt. Als Konsequenz will man den Code künftig nicht mehr selbst hosten.
https://www.golem.de/news/git-hosting-angriff-auf-phps-code-repository-2103-155321-rss.html
Spyware: Android-Malware gibt sich als Systemupdate aus
Über den Trojaner, der sich als Android-Update ausgibt, lassen sich die betroffenen Geräte komplett übernehmen.
https://www.golem.de/news/spyware-android-malware-gibt-sich-als-systemupdate-aus-2103-155332-rss.html
Here Are the Free Ransomware Decryption Tools You Need to Use [2021 Updated]
If your network gets infected with ransomware, follow the steps below to recover essential data: Step 1: Do not pay the ransom because there is no guarantee that the ransomware creators will give you access to your data. Step 2: Find any available backups you have, and consider keeping your data backups in secure, off-site locations. Step [...]
https://heimdalsecurity.com/blog/ransomware-decryption-tools/
Malware Analysis with elastic-agent and Microsoft Sandbox, (Fri, Mar 26th)
Microsoft describes the "Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. [...] Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension."[6]
https://isc.sans.edu/diary/rss/27248
[SANS ISC] Jumping into Shellcode
I published the following diary on isc.sans.edu: -Jumping into Shellcode-: Malware analysis is exciting because you never know what you will find. In previous diaries, I already explained why it-s important to have a look at groups of interesting Windows API call to detect some behaviors. The classic example is code [...]
https://blog.rootshell.be/2021/03/29/sans-isc-jumping-into-shellcode/
Analyzing And Micropatching With Tetrane REVEN (Part 1, CVE-2021-26897)
March 2021 Windows Updates included fixes for seven vulnerabilities in Windows DNS Server, two of which were marked by Microsoft as "Exploitation More Likely": CVE-2021-26877 and CVE-2021-26897. They were not known to be exploited and no details were publicly available until security researchers Eoin Carroll and Kevin McGrath published their analysis on McAfee Labs blog. Their article included enough information for us to reproduce both vulnerabilities, [...]
https://blog.0patch.com/2021/03/analyzing-and-micropatching-with.html
Hades Ransomware Hits Big Firms, but Operators Slow to Respond to Victims
Researchers from CrowdStrike, Accenture, and Awake Security have dissected some of the attacks involving the Hades ransomware and published information on both the malware itself and the tactics, techniques and procedures (TTPs) employed by its operators.
https://www.securityweek.com/hades-ransomware-hits-big-firms-operators-slow-respond-victims
Threat Assessment: Matrix Ransomware
We provide an overview of the Matrix ransomware family and offer indicators of compromise in this companion to the Unit 42 Ransomware Threat Report.
https://unit42.paloaltonetworks.com/matrix-ransomware/
Sodinokibi (aka REvil) Ransomware
Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind [...]
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
Vulnerabilities
Exchange Server Post-Compromise Attack Activity Shared by Microsoft
In the context of ongoing Exchange Server attacks, Microsoft has shared information detailing post-compromise activity which has infected vulnerable targets with ransomware and a botnet.
https://heimdalsecurity.com/blog/exchange-server-post-compromise-attack-activity-shared-by-microsoft/
Sicherheitslücke: npm-Paket Netmask ignoriert das Oktalsystem in IP-Adressen
Die verbreitete Library wertet Oktalzahlen nicht korrekt aus und interpretiert dadurch unter anderem private Adressen potenziell als öffentlich und umgekehrt.
https://heise.de/-6000759
Security updates for Monday
Security updates have been issued by Arch Linux (awstats, busybox, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gitlab, godot, groovy, libebml, mkinitcpio-busybox, openssl, python2, vivaldi, webkit2gtk, and wpewebkit), CentOS (firefox and thunderbird), Debian (pygments, spamassassin, thunderbird, and webkit2gtk), Fedora (CGAL, dotnet3.1, dotnet5.0, firefox, kernel, qt, and xen), Mageia (imagemagick, jackson-databind, openscad, redis, and unbound), openSUSE [...]
https://lwn.net/Articles/851061/
Newly-Discovered Vulnerabilities Could Allow for Bypass of Spectre Mitigations in Linux
Bugs could allow a malicious user to access data belonging to other users.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spectre-bypass-linux-vulnerabilities
Philips Gemini PET/CT Family
This advisory contains mitigations for a Storage of Sensitive Data in a Mechanism Without Access Control vulnerability in Philips Gemini PET/CT Family scanners.
https://us-cert.cisa.gov/ics/advisories/icsma-21-084-01
Weintek EasyWeb cMT
This advisory contains mitigations for Code Injection, Improper Access Control, and Cross-site Scripting vulnerabilities in Weintek EasyWeb cMT human-machine interface (HMI) products.
https://us-cert.cisa.gov/ics/advisories/icsa-21-082-01
Apple Security Updates March 26 2021 - Possible in the Wild Exploitation
Apple has published security updates for iOS, iOS and iPadOS, and watchOS. The updates all address the same, single vulnerability, in WebKit. The vulnerability may have been exploited in the wild.
https://exchange.xforce.ibmcloud.com/collection/f7a453892e4d0d7f1e0a77077eafc7c1
CVE-2021-25646: Getting Code Execution on Apache Druid
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Pengsu Cheng and Prosenjit Sinha of the Trend Micro Research Team detail a recent code execution vulnerability in the Apache Druid database. The bug was originally discovered and reported by Litch1 from the Security Team of Alibaba Cloud. The following is a portion of their write-up covering CVE-2021-25646, with a few minimal modifications.
https://www.thezdi.com/blog/2021/3/25/cve-2021-25646-getting-code-execution-on-apache-druid
[webapps] WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated)
https://www.exploit-db.com/exploits/49718
OpenSSL vulnerability CVE-2021-3449
https://support.f5.com/csp/article/K83623027
OpenSSL vulnerability CVE-2021-3450
https://support.f5.com/csp/article/K52171694