Daily summary - 06.04.2021

End-of-Day report

Timeframe: Friday 02-04-2021 18:00 - Tuesday 06-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter

News

Malicious cheats for Call of Duty: Warzone are circulating online

The cheat is fake, but the malware it installs is the real thing.

https://arstechnica.com/?p=1754269


Phone number, e-mail: Am I in the Facebook leak?

On various websites, users can check whether they are among the 533 million people affected by the Facebook data leak.

https://www.golem.de/news/telefonnummer-e-mail-bin-ich-im-facebook-leak-2104-155500-rss.html


Crypto mining: Coinhive scripts warn about themselves

Security researcher Troy Hunt has acquired the domains of the Coinhive cryptominer. He uses them to draw attention to security problems.

https://www.golem.de/news/kryptomining-coinhive-skripte-warnen-vor-sich-selbst-2104-155517-rss.html


The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/


From PowerShell to Payload: An Analysis of Weaponized Malware

John Hammond, security researcher with Huntress, takes a deep-dive into a stager's technical and coding aspects.

https://threatpost.com/powershell-payload-analysis-malware/165188/


YARA and CyberChef: ZIP, (Sun, Apr 4th)

When processing the result of "unzip" in CyberChef, for example with YARA rules, all files contained inside the ZIP file are concatenated together.

https://isc.sans.edu/diary/rss/27276


Gigaset: Malware infection of the manufacturer's Android devices raises questions

Owners of Gigaset Android smartphones have been struggling with malware for several days. There are indications that a compromised update server is the source.

https://heise.de/-6006464


Man in the Terminal

By using path hijacking and modification on Unix-like machines, we can achieve pseudo-keylogging functionality by prioritizing malicious middleware binaries to record and transfer standard input/output streams.

https://posts.specterops.io/man-in-the-terminal-65476e6165b9


2020 Phishing Trends With PDF Files

We analyzed recent phishing trends with PDF files and noted a dramatic increase in the practice, as well as five approaches popular with attackers.

https://unit42.paloaltonetworks.com/phishing-trends-with-pdf-files/


SAP issues advisory on the exploit of old vulnerabilities to target enterprise applications

New research also reveals that SAP vulnerabilities, on average, are weaponized in less than 72 hours.

https://www.zdnet.com/article/sap-issues-advisory-on-vulnerable-applications-being-widely-targeted-by-hackers/

Vulnerabilities

Vulnerability Spotlight: Out-of-bounds write vulnerabilities in Accusoft ImageGear

Cisco Talos recently discovered multiple out-of-bounds write vulnerabilities in Accusoft ImageGear that an adversary could exploit to corrupt memory on the targeted machine. The ImageGear library is a [...]

https://blog.talosintelligence.com/2021/03/vuln-spotlight-accusoft-image-gear-march-2021.html


Security updates for Monday

Security updates have been issued by Debian (libxstream-java, php-nette, and smarty3), Fedora (curl, openssl, spamassassin, and webkit2gtk3), Mageia (ant, batik, kernel, kernel-linus, nodejs-chownr, nodejs-yargs-parser, python-bottle, and ruby-em-http-request), openSUSE (curl and OpenIPMI), and Red Hat (openssl).

https://lwn.net/Articles/851640/


Security updates for Tuesday

Security updates have been issued by Debian (chromium, netty, python-bleach, and python3.5), Fedora (libmediainfo, libzen, and mediainfo), Mageia (openssl), openSUSE (chromium), Red Hat (389-ds:1.4, flatpak, kernel, kernel-rt, kpatch-patch, libldb, and virt:rhel and virt-devel:rhel), and Ubuntu (python-django and ruby-rack).

https://lwn.net/Articles/851772/


Android Patchday April

A remote, anonymous attacker can exploit multiple vulnerabilities in Google Android to execute arbitrary code with administrator privileges, escalate privileges, or disclose information.

https://www.cert-bund.de/advisoryshort/CB-K21-0344


QTS 4.3.6.1620 Build 20210322

Security Updates: Fixed a command injection vulnerability (CVE-2020-2509). Fixed a vulnerability in Apache HTTP server (CVE-2020-9490).

https://www.qnap.com/en/release-notes/qts/4.3.6.1620/20210322


Shodan Verified Vulns 2021-04-01

March flew by thanks (?) to the Exchange vulnerabilities, so we once again take a look at the vulnerabilities Shodan sees in Austria. As of 2021-04-01 the picture was as follows: It has happened! In one stroke the TLS vulnerabilities have (almost) been toppled from the throne; the Microsoft Exchange vulnerabilities are reaching for the top spot.

https://cert.at/de/aktuelles/2021/4/shodan-verified-vulns-2021-04-01


April 5, 2021 TNS-2021-07 [R1] Nessus 8.14.0 Fixes One Vulnerability

https://www.tenable.com/security/tns-2021-07


Grafana vulnerability CVE-2019-15043

https://support.f5.com/csp/article/K00843201