End-of-Day report
Timeframe: Friday 16-04-2021 18:00 - Monday 19-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Codecov: Compromised developer tool Bash Uploader abused for data theft
Unknown attackers manipulated the Bash Uploader code. The incident, which went unnoticed for two months, potentially also affects some well-known companies.
https://heise.de/-6019302
Ryuk ransomware operation updates hacking techniques
Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-operation-updates-hacking-techniques/
NitroRansomware Distributed as A Fake Free Nitro Gift Code Generator
BleepingComputer owner Lawrence Abrams reported infections of new singular ransomware dubbed NitroRansomware which demands a Discord Nitro gift code to the victims to decrypt their files.
https://heimdalsecurity.com/blog/nitroransomware-distributed-as-a-fake-free-nitro-gift-code-generator/
BazarLoader Malware Abuses Slack, BaseCamp Clouds
Two cyberattack campaigns are making the rounds using unique social-engineering techniques.
https://threatpost.com/bazarloader-malware-slack-basecamp/165455/
Serious Security: Rowhammer is back, but now it's called SMASH
Simply put: reading from RAM in your program could write to RAM in someone else's.
https://nakedsecurity.sophos.com/2021/04/19/serious-security-rowhammer-is-back-but-now-its-called-smash/
Querying Spamhaus for IP reputation, (Fri, Apr 16th)
Way back in 2018 I posted a diary describing how I have been using the Neutrino API to do IP reputation checks. In the subsequent 2+ years that python script has evolved some which hopefully I can go over at some point in the future, but for now I would like to show you the most recent capability I added into that script.
https://isc.sans.edu/diary/rss/27320
Decoding Cobalt Strike Traffic, (Sun, Apr 18th)
In diary entry "Example of Cleartext Cobalt Strike Traffic (Thanks Brad)" I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted since the malicious actors used a trial version of Cobalt Strike.
https://isc.sans.edu/diary/rss/27322
Hunting phishing websites with favicon hashes, (Mon, Apr 19th)
HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense - since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way.
https://isc.sans.edu/diary/rss/27326
Malware Spreads Via Xcode Projects Now Targeting Apple's M1-based Macs
A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon being built, were configured to execute the payload.
https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.html
Malvertisers hacked 120 ad servers to load malicious ads
A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads that redirected website visitors to sites promoting scams and malware.
https://therecord.media/malvertisers-hacked-120-ad-servers-to-load-malicious-ads/
Fuzzing and PR-ing: How We Found Bugs in a Popular Third-Party EtherNet/IP Protocol Stack
The Claroty Research Team today announces that it has added the necessary infrastructure to incorporate the popular AFL fuzzer into the OpENer EtherNet/IP stack.
https://claroty.com/2021/04/15/blog-research-fuzzing-and-pring/
Vulnerabilities
Critical code-execution vulnerabilities in Qnap NAS systems closed
Flaws in various components make Qnap network-attached storage (NAS) devices vulnerable. Security updates are available.
https://heise.de/-6019234
VMSA-2021-0006
A privilege escalation vulnerability in VMware NSX-T was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
https://www.vmware.com/security/advisories/VMSA-2021-0006.html
Security updates for Monday
Security updates have been issued by CentOS (nettle, squid, and thunderbird), Debian (libebml, python-bleach, and python2.7), Fedora (batik, gnuchess, kernel-headers, kernel-tools, ruby, singularity, and xorg-x11-server), Mageia (clamav, kernel, kernel-linus, and python3), openSUSE (chromium, fluidsynth, opensc, python-bleach, and wpa_supplicant), Oracle (gnutls and nettle), Red Hat (dpdk, gnutls and nettle, mariadb:10.3 and mariadb-devel:10.3, and redhat-ds:11), and SUSE (kernel, qemu, and [...]
https://lwn.net/Articles/853420/
iApps vulnerability CVE-2020-17507
https://support.f5.com/csp/article/K11542555
libcroco vulnerability CVE-2020-12825
https://support.f5.com/csp/article/K01074825
Dell integrated Dell Remote Access Controller: Multiple vulnerabilities
https://www.cert-bund.de/advisoryshort/CB-K21-0397
Security Bulletin: Vulnerability with Apache Tika in Apache Solr affects IBM Operations Analytics - Log Analysis Analysis (CVE-2018-8017)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-with-apache-tika-in-apache-solr-affects-ibm-operations-analytics-log-analysis-analysis-cve-2018-8017/
Security Bulletin: Multiple vulnerabilities in Apache Tika affects Apache Solr shipped with IBM Operations Analytics - Log Analysis
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-tika-affects-apache-solr-shipped-with-ibm-operations-analytics-log-analysis/
Security Bulletin: Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics - Log Analysis
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-fasterxml-jackson-databind-affect-apache-solr-shipped-with-ibm-operations-analytics-log-analysis/
Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerable-to-a-buffer-overflow-cve-2020-5025-6/
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-3/
Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential code injection vulnerability (CVE-2020-5268)
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-for-corporate-payment-services-is-affected-by-a-potential-code-injection-vulnerability-cve-2020-5268/
Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities-11/
Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by Vulnerabilities in Node.js
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-cloud-pak-for-data-is-impacted-by-vulnerabilities-in-node-js/
Security Bulletin: Vulnerability in Apache PDFBox affects Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2018-8036)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-pdfbox-affects-apache-solr-shipped-with-ibm-operations-analytics-log-analysis-cve-2018-8036/
Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-affecting-tivoli-netcool-omnibus-multiple-cves-3/
Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vulnerable-to-command-injection-cve-2021-20527/