Tageszusammenfassung - 19.04.2021

End-of-Day report

Timeframe: Freitag 16-04-2021 18:00 - Montag 19-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter


Codecov: Gehacktes Entwickler-Tool Bash Uploader zum Datendiebstahl missbraucht

Unbekannte manipulierten den Bash Uploader-Code. Der Vorfall, der zwei Monate lang unbemerkt blieb, betrifft potenziell auch einige bekannte Firmen.


Ryuk ransomware operation updates hacking techniques

Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.


NitroRansomware Distributed as A Fake Free Nitro Gift Code Generator

BleepingComputer owner Lawrence Abrams reported infections of new singular ransomware dubbed NitroRansomware which demands a Discord Nitro gift code to the victims to decrypt their files.


BazarLoader Malware Abuses Slack, BaseCamp Clouds

Two cyberattack campaigns are making the rounds using unique social-engineering techniques.


Serious Security: Rowhammer is back, but now it-s called SMASH

Simply put: reading from RAM in your program could write to RAM in someone elses


Querying Spamhaus for IP reputation, (Fri, Apr 16th)

Way back in 2018 I posted a diary describing how I have been using the Neutrino API to do IP reputation checks. In the subsequent 2+ years that python script has evolved some which hopefully I can go over at some point in the future, but for now I would like to show you the most recent capability I added into that script.


Decoding Cobalt Strike Traffic, (Sun, Apr 18th)

In diary entry "Example of Cleartext Cobalt Strike Traffic (Thanks Brad)" I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted since the malicious actors used a trial version of Cobalt Strike.


Hunting phishing websites with favicon hashes, (Mon, Apr 19th)

HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense - since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way.


Malware Spreads Via Xcode Projects Now Targeting Apples M1-based Macs

A Mac malware campaign targeting Xcode developers has been retooled to add support for Apples new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon the building, were configured to execute the payload.


Malvertisers hacked 120 ad servers to load malicious ads

A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads that redirected website visitors to sites promoting scams and malware.


Fuzzing and PR-ing: How We Found Bugs in a Popular Third-Party EtherNet/IP Protocol Stack

The Claroty Research Team today announces that it has added the necessary infrastructure to incorporate the popular AFL fuzzer into the OpENer EtherNet/IP stack.



Kritische Schadcode-Lücken in NAS-Systemen von Qnap geschlossen

Fehler in verschiedenen Komponenten machen Netzwerkspeicher (NAS) von Qnap verwundbar. Sicherheitsupdates sind verfügbar.



A privilege escalation vulnerability in VMware NSX-T was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware product.


Security updates for Monday

Security updates have been issued by CentOS (nettle, squid, and thunderbird), Debian (libebml, python-bleach, and python2.7), Fedora (batik, gnuchess, kernel-headers, kernel-tools, ruby, singularity, and xorg-x11-server), Mageia (clamav, kernel, kernel-linus, and python3), openSUSE (chromium, fluidsynth, opensc, python-bleach, and wpa_supplicant), Oracle (gnutls and nettle), Red Hat (dpdk, gnutls and nettle, mariadb:10.3 and mariadb-devel:10.3, and redhat-ds:11), and SUSE (kernel, qemu, and [...]


iApps vulnerability CVE-2020-17507


libcroco vulnerability CVE-2020-12825


Dell integrated Dell Remote Access Controller: Mehrere Schwachstellen


Security Bulletin: Vulnerability with Apache Tika in Apache Solr affects IBM Operations Analytics - Log Analysis Analysis (CVE-2018-8017)


Security Bulletin: Multiple vulnerabilities in Apache Tika affects Apache Solr shipped with IBM Operations Analytics - Log Analysis


Security Bulletin: Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics - Log Analysis


Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025)


Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities


Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential code injection vulnerability (CVE-2020-5268)


Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities


Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by Vulnerabilities in Node.js


Security Bulletin: Vulnerability in Apache PDFBox affects Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2018-8036)


Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs)


Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527)