Daily summary - 02.04.2021

End-of-Day report

Timeframe: Thursday 01-04-2021 18:00 - Friday 02-04-2021 18:00
Handler: Stephan Richter
Co-Handler: n/a

News

5 steps to respond to a data breach

This blog was written by an independent guest blogger. You've just been breached. What do you do next? Depending on personality, preparation, and ability under crisis, there are a variety of responses to choose from, some effective and some not. Hopefully, you're the rare breed who plans in advance how to respond. Even better if this planning includes how to prevent them. But to execute a logical, effective response, keep reading.

https://cybersecurity.att.com/blogs/security-essentials/5-steps-to-respond-to-a-data-breach


VMware fixes authentication bypass in data center security software

VMware has addressed a critical vulnerability in the VMware Carbon Black Cloud Workload appliance that could allow attackers to bypass authentication after exploiting vulnerable servers.

https://www.bleepingcomputer.com/news/security/vmware-fixes-authentication-bypass-in-data-center-security-software/


New "BazarCall" Malware Uses Call Centers to Trick its Victims into Infecting Themselves

Today's hackers have never been more old-fashioned - they are currently using a telephone call as a "brand new" technique to infect their victims' devices.

https://heimdalsecurity.com/blog/bazarcall-malware-uses-call-centers-to-trick-ist-victims/


Browser lockers: extortion disguised as a fine

In this article we discuss browser lockers that mimic law enforcement websites.

https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/


Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting

A probabilistic graphical modeling framework used by Microsoft 365 Defender research and intelligence teams for threat actor tracking enables us to quickly predict the likely threat group responsible for an attack, as well as the likely next attack stages.

https://www.microsoft.com/security/blog/2021/04/01/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting/


[SANS ISC] C2 Activity: Sandboxes or Real Victims?

I published the following diary on isc.sans.edu: "C2 Activity: Sandboxes or Real Victims?": In my last diary, I mentioned that I was able to access screenshots exfiltrated by the malware sample. During the first analysis, there were approximately 460 JPEG files available. I continued to keep an eye on the [...]

https://blog.rootshell.be/2021/04/02/sans-isc-c2-activity-sandboxes-or-real-victims/


A "txt file" can steal all your secrets

Recently, 360 Security Center's threat monitoring platform has detected an email phishing attack. This attack uses a secret-stealing Trojan called Poulight.

https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/


Unpatched RCE Flaws Affect Tens of Thousands of QNAP SOHO NAS Devices

A pair of unpatched vulnerabilities in QNAP small office/home office (SOHO) network attached storage (NAS) devices could allow attackers to execute code remotely, according to a warning from security researchers at SAM Seamless Network.

https://www.securityweek.com/unpatched-rce-flaws-affect-tens-thousands-qnap-soho-nas-devices


Nine Critical Flaws in FactoryTalk Product Pose Serious Risk to Industrial Firms

Industrial automation giant Rockwell Automation on Thursday informed customers that it has patched nine critical vulnerabilities in its FactoryTalk AssetCentre product.

https://www.securityweek.com/nine-critical-flaws-factorytalk-product-pose-serious-risk-industrial-firms


Financial Sector Remains Most Targeted by Threat Actors: IBM

Organizations in the financial and insurance sectors were the most targeted by threat actors in 2020, continuing a trend that was first observed roughly five years ago, IBM Security reports.

https://www.securityweek.com/financial-sector-remains-most-targeted-threat-actors-ibm


Hancitor's Use of Cobalt Strike and a Noisy Network Ping Tool

We review samples of recent Hancitor infections, share relatively new indicators and provide examples of an associated network ping tool.

https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/


The best laid plans or lack thereof: Security decision-making of different stakeholder groups. (arXiv:2104.00284v1 [cs.CR])

Cyber security requirements are influenced by the priorities and decisions of a range of stakeholders. Board members and CISOs determine strategic priorities. Managers have responsibility for resource allocation and project management. Legal professionals concern themselves with regulatory compliance. Little is understood about how the security decision-making approaches of these different stakeholders contrast, and if particular groups of stakeholders have a better appreciation of security [...]

http://arxiv.org/abs/2104.00284


FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities

The Federal Bureau of Investigation (FBI) and CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios

Vulnerabilities

Cisco Jabber for Windows DLL Preloading Vulnerability

Version: 1.2 Description: Added information about additional software fixes because of a regression that reintroduced this vulnerability in subsequent software versions.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-jabber-dll


F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)

# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)
# Exploit Author: Al1ex
# Vendor Homepage: https://www.f5.com/products/big-ip-services
# Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2
# CVE : CVE-2021-22986
https://github.com/Al1ex/CVE-2021-22986

https://www.exploit-db.com/exploits/49738


K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Indicators of compromise

Important: F5 last updated this section on March 26, 2021 at 5:45 PM Pacific time. The information in this section is based on evidence that F5 has collected and believes to be reliable indicators of compromise. It is important to note that exploited systems may show different indicators, and a skilled attacker may be able to remove traces of their work. It is impossible to prove a device is not compromised; if you have any uncertainty, consider the device to be compromised.

https://support.f5.com/csp/article/K03009991


Security updates for Friday

Security updates have been issued by Debian (busybox, ldb, openjpeg2, spamassassin, and underscore), Fedora (kernel, kernel-headers, and kernel-tools), Mageia (privoxy, python and python3, and rpm), openSUSE (ovmf, tar, and tomcat), SUSE (curl, firefox, OpenIPMI, and tomcat), and Ubuntu (openexr).

https://lwn.net/Articles/851511/


March 31, 2021 TNS-2021-05 [R1] Nessus 8.13.2 Fixes Multiple Third-party Vulnerabilities

http://www.tenable.com/security/tns-2021-05