Daily summary - 12.04.2021

End-of-Day report

Timeframe: Friday 09-04-2021 18:00 - Monday 12-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter

News

The Top 10 Secrets of Admin Users

Administrative rights can be some of the most powerful tools in the arsenal of any malicious agent. Look at any enterprise breach of the last few years and you will see admin accounts almost invariably play a central role.

https://www.beyondtrust.com/blog/entry/the-top-10-secrets-of-admin-users


Pulse Secure VPN users can't log in due to expired certificate

Users worldwide cannot connect to Pulse Secure VPN devices after a code signing certificate used to digitally sign and verify software components has expired.

https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-users-cant-login-due-to-expired-certificate/


Microsoft warns of banking Trojans

A new attack method used by banking Trojans is worrying Microsoft. IcedID, also known as BokBot, is a modular banking Trojan that targets users' financial data and can act as a dropper for other malware.

https://www.zdnet.de/88394286/microsoft-warnt-vor-banking-trojanern/


Messaging service: attackers can lock Whatsapp users out of the service

Through mass attempts to register a phone number with Whatsapp, that number could ultimately be excluded from the service.

https://www.golem.de/news/messenger-dienst-angreifer-koennen-whatsapp-nutzer-aus-dem-dienst-aussperren-2104-155648-rss.html


APKPure: malicious code discovered in the alternative Android store's app

Anyone who obtains Android applications via APKPure and uses the app of the same name to do so should update now: researchers found malicious code in the previous version.

https://heise.de/-6011340


Numerous problems on all4you-fashion.com

Watchlist Internet is increasingly dealing with problematic dropshipping offers. They target Austrian and German consumers but do not comply with legal requirements. For example, anyone ordering from all4you-fashion.com is expected to pay processing fees for withdrawal despite a "guaranteed 30-day right of return". Legally, however, such a withdrawal must be possible free of charge.

https://www.watchlist-internet.at/news/zahlreiche-probleme-auf-all4you-fashioncom/


Malware infects half a million Huawei smartphones via the official App Gallery

Joker malware was hidden in several programs - SMS fraud in ever new forms since 2017

https://www.derstandard.at/story/2000125753278/schadsoftware-infiziert-halbe-millionen-huawei-smartphones-ueber-offizielle-app-gallery


Building an IDS Sensor with Suricata & Zeek with Logs to ELK, (Sat, Apr 10th)

Over the past several years I have used multiple pre-built sensors using readily available ISO images (rockNSM, SO, OPNSense, etc.), but what I was really looking for was just a sensor to parse traffic (i.e. Zeek) and IDS alerts (Suricata) to ELK.

https://isc.sans.edu/diary/rss/27296


How ransomware gangs are connected, sharing resources and tactics

New research by Analyst1 sheds light on the cooperation between some of the ransomware gangs dominating the cybersecurity news.

https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/


Recording: Analyzing Android Malware - From triage to reverse-engineering

It's easy to get wrapped up worrying about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend against the truly prolific and widespread threats that target some of the devices [...]

https://blog.talosintelligence.com/2021/04/recording-analyzing-android-malware.html


Emotet Command and Control Case Study

We provide a step-by-step technical analysis of Emotet command and control, based on observations from before Emotet threat actors were disrupted.

https://unit42.paloaltonetworks.com/emotet-command-and-control/


Criminals spread malware using website contact forms with Google URLs

Crooks are using social engineering to exploit workers' efforts to do their jobs.

https://www.zdnet.com/article/criminals-spread-malware-using-website-contact-forms-with-google-urls/


Critical security alert: If you haven't patched this old VPN vulnerability, assume your network is compromised

Hundreds of organisations that haven't applied a Fortinet VPN security update released in 2019 should assume that cyber criminals are trying to take advantage, NCSC warns.

https://www.zdnet.com/article/critical-security-alert-if-you-havent-patched-this-two-year-old-vpn-vulnerability-assume-your-network-is-compromised/

Vulnerabilities

Tripwire Patch Priority Index for March 2021

Tripwire's March 2021 Patch Priority Index (PPI) brings together important vulnerabilities from SaltStack, VMware, BIG-IP and Microsoft. First on the patch priority list this month are patches for vulnerabilities in Microsoft Exchange (CVE-2021-27065, CVE-2021-26855), SaltStack (CVE-2021-25282, CVE-2021-25281), BIG-IP (CVE-2021-22986) and VMware vCenter (CVE-2021-21972). Exploits for these vulnerabilities have been recently added to the Metasploit Exploit [...]

https://www.tripwire.com/state-of-security/vert/tripwire-patch-priority-index-for-march-2021/


Security updates for Monday

Security updates have been issued by CentOS (kernel and libldb), Debian (mediawiki, qemu, ruby-kramdown, and xen), Fedora (grub2, libldb, libopenmpt, python-pikepdf, python39, samba, squid, and webkit2gtk3), openSUSE (bcc, ceph, gssproxy, hostapd, isync, kernel, openexr, openSUSE KMPs, and tpm2-tss-engine), SUSE (fwupdate and wpa_supplicant), and Ubuntu (spamassassin).

https://lwn.net/Articles/852339/