Tageszusammenfassung - 30.04.2021

End-of-Day report

Timeframe: Donnerstag 29-04-2021 18:00 - Freitag 30-04-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter


Qnap-NAS mit veralteter Firmware fallen AgeLocker-Ransomware zum Opfer

Erneut hat es ein Verschlüsselungstrojaner auf Netzwerkspeicher (NAS) von Qnap abgesehen.


Anlagebetrug: Alexander Van der Bellen wirbt nicht für Bitcoin-Investments!

Immer wieder berichten wir davon, dass Promis ungerechtfertigt genutzt werden, um unseriöse Trading-Plattformen zu bewerben. Aktuell haben es die Kriminellen auf den österreichischen Bundespräsidenten Alexander Van der Bellen abgesehen. Dieser soll erfundenen Berichten zu Folge unseriöse Plattformen wie -Bitcoin Era-, -Bitcoin Prime- oder -Crypto Revolt- nutzen, um zusätzliches Geld zu verdienen. Glauben Sie diesen Berichten nicht.


Codecov begins notifying affected customers, discloses IOCs

Codecov has now started notifying the maintainers of software repositories affected by the recent supply-chain attack. These notifications, delivered via both email and the Codecov application interface, state that the company believes the affected repositories were downloaded by threat actors.


DomainTools And Digital Archeology: A Look At RotaJakiro

Gain additional insight into the malware dubbed RotaJakiro by Netlab with analysis by Chad Anderson on additional infrastructure unearthed including IP addresses, C2 domains, and more.


Babuk Ransomware Gang Mulls Retirement

The RaaS operators have been posting, tweaking and taking down a goodbye note, saying that theyll be open-sourcing their data encryption malware for other crooks to use.


Security baseline for Microsoft 365 Apps for enterprise v2104 - FINAL

Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2104. Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate. If you have questions or issues, please let us know via the Security Baseline Community or this post.


Qiling: A true instrumentable binary emulation framework, (Fri, Apr 30th)

A while ago, during the FLARE On 7 challenge last autumn, I had my first experience with the Qiling framework. It helped me to solve the challenge CrackInstaller by Paul Tarter (@Hefrpidge). If you want to read more about this (very interesting) challenge: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/flareon7-challenge9-solution.pdf.


How to Find & Fix Mixed Content Issues with SSL / HTTPS

Note: We-ve updated this post to reflect the evolving security standards around mixed content, SSLs, and server access as a whole. With the web-s increased emphasis on security, all sites should operate on HTTPS. Installing an SSL allows you to make that transition with your website. But it can also have an unintended consequence for sites that have been operating on HTTP previously: Mixed content warnings. Today, let-s look at these common errors, what causes them, and how [...]


UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat

Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not been previously reported publicly.


IoT riddled with BadAlloc vulnerabilities

A set of memory allocation vulnerabilities, dubbed BadAlloc, has been found in a massive number of IoT and OT devices.



Sicherheitslücke verrät Standorte von Elektro-Zweirädern und Telefonnummern

Die API des Zweiradherstellers Supersoco hat eine schwere Sicherheitslücke, aber weder der Hersteller noch der D/AT-Importeur kümmern sich.


Security updates for Friday

Security updates have been issued by Arch Linux (bind, chromium, firefox, gitlab, libupnp, nimble, opera, thunderbird, virtualbox, and vivaldi), Debian (composer, edk2, and libhibernate3-java), Fedora (java-1.8.0-openjdk, jetty, and samba), openSUSE (nim), Oracle (bind and runc), Red Hat (bind), SUSE (cifs-utils, cups, ldb, samba, permissions, samba, and tomcat), and Ubuntu (samba).


Texas Instruments SimpleLink

This advisory contains mitigations for Stack-based Buffer Overflow and Integer Overflow or Wraparound vulnerabilities in Texas Instruments SimpleLink wireless microcontrollers.


Cassia Networks Access Controller

This advisory contains mitigations for a Path Traversal vulnerability in Cassia Networks Access Controller Bluetooth network management tool.


Johnson Controls Exacq Technologies exacqVision

This advisory contains mitigations for an Off-by-one Error vulnerability in the Ubunty operating system of Exacq Technologies exacqVision. Exacq Technologies is a subsidiary of Johnson Controls.


Multiple RTOS

CISA is aware of a public report, known as -BadAlloc- that details vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. This advisory contains mitigations for Integer Overflow or Wraparound vulnerabilities associated with this "BadAlloc" report.


ctrlX CORE - IDE App affected by OpenSSL and Python Vulnerabilities

BOSCH-SA-017743: Multiple vulnerabilities affecting OpenSSL Versions previous to 1.1.1k and Python 0 through 3.9.1, have been reported. Affected versions are included in the ctrlX CORE - IDE App. In order to successfully exploit these vulnerabilities, an attacker requires access to the network or system. Two vulnerabilities (CVE-2021-3177 and CVE-2021-27619) are notably critical, as they can be easily exploited. The exploitation of these vulnerabilities can lead to remote code execution


FTP Backdoor for Rexroth Fieldbus Couplers S20 and Inline

BOSCH-SA-428397: On some Fieldbus Couplers, there is a hidden, password-protected FTP area for the root directory.


Parallels Desktop RDPMC Hypercall Interface and Vulnerabilities

Parallels Desktop implements a hypercall interface using an RDPMC instruction (-Read Performance-Monitoring Counter-) for communication between guest and host. More interestingly, this interface is accessible even to an unprivileged guest user. Though the HYPER-CUBE: High-Dimensional Hypervisor Fuzzing [PDF] paper by Ruhr-University Bochum has a brief mention of this interface, we have not seen many details made public. This blog post gives a brief description of the interface and [...]


QNAP NAS: Mehrere Schwachstellen


Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator


Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a denial of service attack through a DNS lookup that returns a large number of responses (CVE-2020-8277)


Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a Server-Side Request Forgery vulnerability (CVE-2020-28168)


Security Bulletin: Images built from IBM App Connect Enterprise Certified Container images may be vulnerable to information exposure via CVE-2020-15095


Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service and HTTP request smuggling vulnerabilities


Security Bulletin: iOS Vulnerable Minimum OS Version Supported


Security Bulletin: z/TPF is affected by an OpenSSL vulnerability


Security Bulletin: IBM Informix Dynamic Server is vulnerable to a stack based buffer overflow, caused by improper bounds checking.


Security Bulletin: IBM App Connect Enterprise Certified Container flows may be vulnerable to spoofing attacks (CVE-2020-26291)


Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring components may be vulnerable to a denial of service attack (CVE-2020-28477)