End-of-Day report
Timeframe: Friday 23-04-2021 18:00 - Monday 26-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Qnap: NAS ransomware extorts 230,000 euros within a few days
Exploiting a trivial security vulnerability, the Qlocker ransomware was able to extort thousands of euros from Qnap NAS owners within a few days.
https://www.golem.de/news/qnap-nas-ransomware-erpresst-in-wenigen-tagen-230-000-euro-2104-156014-rss.html
Passwordstate: Click Studios' password manager hacked
Attackers succeeded in compromising an upgrade function of Click Studios. Passwordstate users are advised to reset their passwords.
https://heise.de/-6027188
"Goodbye Emotet": malware uninstalls itself
The "king of malware" quietly made its exit.
https://heise.de/-6028392
Unsecured Kubernetes Instances Could Be Vulnerable to Exploitation
We discuss how malware and malicious activities can occur in unsecured Kubernetes instances and how better configuration can help.
https://unit42.paloaltonetworks.com/unsecured-kubernetes-instances/
This password-stealing Android malware is spreading quickly: Here's what to watch out for
FluBot is designed to steal personal information including bank details - and infected users are being exploited to spread the malware to their contacts.
https://www.zdnet.com/article/this-password-stealing-android-malware-is-spreading-quickly-heres-watch-to-watch-out-for/
Hacking campaign targets FileZen file-sharing network appliances
Threat actors are using two vulnerabilities in a popular file-sharing server to breach corporate and government systems and steal sensitive data as part of a global hacking campaign that has already hit a major target in the Japanese Prime Minister's Cabinet Office.
https://therecord.media/hacking-campaign-targets-filezen-file-sharing-network-appliances/
Fake Microsoft DirectX 12 site pushes crypto-stealing malware
Cybercriminals have created a fake Microsoft DirectX 12 download page to distribute malware that steals your cryptocurrency wallets and passwords.
https://www.bleepingcomputer.com/news/security/fake-microsoft-directx-12-site-pushes-crypto-stealing-malware/
Base64 Hashes Used in Web Scanning, (Sat, Apr 24th)
I have honeypot activity logs going back to May 2018 and I was curious what type of username:password combination was stored in the web traffic logs following either the Proxy-Authorization: Basic or Authorization: Basic in each log. This graph illustrates an increase in web scanning activity for username:password over the past 3 years.
https://isc.sans.edu/diary/rss/27346
Vulnerabilities
Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux
A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a [...]
https://thehackernews.com/2021/04/critical-rce-bug-found-in-homebrew.html
SSD Advisory - Hongdian H8922 Multiple Vulnerabilities
The H8922-4G industrial router is based on 3G/4G wireless networks and adopts a high-performance 32-bit embedded operating system with a full industrial design. It supports wired and wireless network backup, and its high reliability and convenient networking make it suitable for large-scale distributed industrial applications such as smart lockers, charging piles, bank ATMs, tower monitoring, electricity, water conservancy and environmental protection. Several vulnerabilities in the H8922 device allow remote attackers to make the device execute arbitrary commands with root privileges, because user-provided data is not properly filtered, and a backdoor account allows access via port 5188/tcp.
https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
[PDF] Beckhoff Security Advisory 2021-001: DoS-Vulnerability for TwinCAT OPC UA Server and IPC Diagnostics UA Server
Some TwinCAT OPC UA Server and IPC Diagnostics UA Server versions from Beckhoff Automation GmbH & Co. KG are vulnerable to denial-of-service attacks. The attacker needs to send several specifically crafted requests to the running OPC UA server. After some of these requests the OPC UA server is no longer responsive to any client. This does not affect the real-time functionality of IPCs.
https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2021-001.pdf
Another security vulnerability in coronavirus rapid tests
Due to a security vulnerability in rapid-test software, unauthorized persons were able to access sensitive information. The vulnerability has since been closed.
https://heise.de/-6027394
Security updates for Monday
Security updates have been issued by Debian (drupal7, gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, gst-plugins-ugly1.0, jackson-databind, libspring-java, opendmarc, openjdk-11, and pjproject), Fedora (buildah, containers-common, crun, firefox, java-11-openjdk, nextcloud-client, openvpn, podman, python3-docs, python3.9, runc, and xorg-x11-server), Mageia (connman, krb5-appl, and virtualbox), openSUSE (apache-commons-io, ImageMagick, jhead, libdwarf, nim, [...]
https://lwn.net/Articles/854504/
MB connect line: multiple products partially affected by DNSspooq
Multiple flaws have been found in dnsmasq before version 2.83 [...]
https://cert.vde.com/de-de/advisories/vde-2021-012
IBM Security Bulletins
https://www.ibm.com/blogs/psirt/
Red Hat Enterprise Linux: Multiple vulnerabilities allow code execution
https://www.cert-bund.de/advisoryshort/CB-K21-0436
Webmin: Multiple vulnerabilities
https://www.cert-bund.de/advisoryshort/CB-K21-0438