End-of-Day report
Timeframe: Thursday 29-04-2021 18:00 - Friday 30-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Qnap NAS devices with outdated firmware fall victim to AgeLocker ransomware
Once again, an encryption trojan has targeted network-attached storage (NAS) devices from Qnap.
https://heise.de/-6032831
Investment fraud: Alexander Van der Bellen does not advertise Bitcoin investments!
We regularly report on celebrities being used without their consent to advertise dubious trading platforms. Currently the criminals are targeting the Austrian Federal President Alexander Van der Bellen. According to fabricated reports, he supposedly uses dubious platforms such as "Bitcoin Era", "Bitcoin Prime" or "Crypto Revolt" to earn additional money. Do not believe these reports.
https://www.watchlist-internet.at/news/anlagebetrug-alexander-van-der-bellen-wirbt-nicht-fuer-bitcoin-investments/
Codecov begins notifying affected customers, discloses IOCs
Codecov has now started notifying the maintainers of software repositories affected by the recent supply-chain attack. These notifications, delivered via both email and the Codecov application interface, state that the company believes the affected repositories were downloaded by threat actors.
https://www.bleepingcomputer.com/news/security/codecov-begins-notifying-affected-customers-discloses-iocs/
DomainTools And Digital Archeology: A Look At RotaJakiro
Gain additional insight into the malware dubbed RotaJakiro by Netlab with analysis by Chad Anderson on additional infrastructure unearthed including IP addresses, C2 domains, and more.
https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro
Babuk Ransomware Gang Mulls Retirement
The RaaS operators have been posting, tweaking and taking down a goodbye note, saying that they'll be open-sourcing their data encryption malware for other crooks to use.
https://threatpost.com/babuk-ransomware-gang-mulls-retirement/165742/
Security baseline for Microsoft 365 Apps for enterprise v2104 - FINAL
Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2104. Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate. If you have questions or issues, please let us know via the Security Baseline Community or this post.
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2104/ba-p/2307695
Qiling: A true instrumentable binary emulation framework, (Fri, Apr 30th)
A while ago, during the FLARE On 7 challenge last autumn, I had my first experience with the Qiling framework. It helped me to solve the challenge CrackInstaller by Paul Tarter (@Hefrpidge). If you want to read more about this (very interesting) challenge: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/flareon7-challenge9-solution.pdf.
https://isc.sans.edu/diary/rss/27372
How to Find & Fix Mixed Content Issues with SSL / HTTPS
Note: We've updated this post to reflect the evolving security standards around mixed content, SSLs, and server access as a whole. With the web's increased emphasis on security, all sites should operate on HTTPS. Installing an SSL certificate allows you to make that transition with your website. But it can also have an unintended consequence for sites that have been operating on HTTP previously: mixed content warnings. Today, let's look at these common errors, what causes them, and how [...]
https://blog.sucuri.net/2021/04/how-to-find-fix-mixed-content-issues-with-ssl-https.html
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not been previously reported publicly.
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
IoT riddled with BadAlloc vulnerabilities
A set of memory allocation vulnerabilities, dubbed BadAlloc, has been found in a massive number of IoT and OT devices.
https://blog.malwarebytes.com/reports/2021/04/iot-riddled-with-badalloc-vulnerabilities/
Vulnerabilities
Security vulnerability reveals locations of electric two-wheelers and phone numbers
The API of the two-wheeler manufacturer Supersoco has a serious security vulnerability, but neither the manufacturer nor the German/Austrian (D/AT) importer is taking care of it.
https://heise.de/-6032820
Security updates for Friday
Security updates have been issued by Arch Linux (bind, chromium, firefox, gitlab, libupnp, nimble, opera, thunderbird, virtualbox, and vivaldi), Debian (composer, edk2, and libhibernate3-java), Fedora (java-1.8.0-openjdk, jetty, and samba), openSUSE (nim), Oracle (bind and runc), Red Hat (bind), SUSE (cifs-utils, cups, ldb, samba, permissions, samba, and tomcat), and Ubuntu (samba).
https://lwn.net/Articles/855029/
Texas Instruments SimpleLink
This advisory contains mitigations for Stack-based Buffer Overflow and Integer Overflow or Wraparound vulnerabilities in Texas Instruments SimpleLink wireless microcontrollers.
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-01
Cassia Networks Access Controller
This advisory contains mitigations for a Path Traversal vulnerability in Cassia Networks Access Controller Bluetooth network management tool.
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-02
Johnson Controls Exacq Technologies exacqVision
This advisory contains mitigations for an Off-by-one Error vulnerability in the Ubuntu operating system of Exacq Technologies exacqVision. Exacq Technologies is a subsidiary of Johnson Controls.
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-03
Multiple RTOS
CISA is aware of a public report, known as "BadAlloc", that details vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. This advisory contains mitigations for Integer Overflow or Wraparound vulnerabilities associated with this "BadAlloc" report.
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04
ctrlX CORE - IDE App affected by OpenSSL and Python Vulnerabilities
BOSCH-SA-017743: Multiple vulnerabilities affecting OpenSSL versions prior to 1.1.1k and Python 0 through 3.9.1 have been reported. Affected versions are included in the ctrlX CORE - IDE App. In order to successfully exploit these vulnerabilities, an attacker requires access to the network or system. Two vulnerabilities (CVE-2021-3177 and CVE-2021-27619) are notably critical, as they can be easily exploited. The exploitation of these vulnerabilities can lead to remote code execution.
https://psirt.bosch.com/security-advisories/bosch-sa-017743.html
FTP Backdoor for Rexroth Fieldbus Couplers S20 and Inline
BOSCH-SA-428397: On some Fieldbus Couplers, there is a hidden, password-protected FTP area for the root directory.
https://psirt.bosch.com/security-advisories/bosch-sa-428397.html
Parallels Desktop RDPMC Hypercall Interface and Vulnerabilities
Parallels Desktop implements a hypercall interface using an RDPMC instruction ("Read Performance-Monitoring Counter") for communication between guest and host. More interestingly, this interface is accessible even to an unprivileged guest user. Though the HYPER-CUBE: High-Dimensional Hypervisor Fuzzing [PDF] paper by Ruhr-University Bochum has a brief mention of this interface, we have not seen many details made public. This blog post gives a brief description of the interface and [...]
https://www.thezdi.com/blog/2021/4/26/parallels-desktop-rdpmc-hypercall-interface-and-vulnerabilities
QNAP NAS: Multiple vulnerabilities
https://www.cert-bund.de/advisoryshort/CB-K21-0462
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-rational-directory-server-tivoli-rational-directory-administrator-7/
Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a denial of service attack through a DNS lookup that returns a large number of responses (CVE-2020-8277)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-may-be-vulnerable-to-a-denial-of-service-attack-through-a-dns-lookup-that-returns-a-large-number-of-responses-cve-2020-8277/
Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a Server-Side Request Forgery vulnerability (CVE-2020-28168)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-may-be-vulnerable-to-a-server-side-request-forgery-vulnerability-cve-2020-28168/
Security Bulletin: Images built from IBM App Connect Enterprise Certified Container images may be vulnerable to information exposure via CVE-2020-15095
https://www.ibm.com/blogs/psirt/security-bulletin-images-built-from-ibm-app-connect-enterprise-certified-container-images-may-be-vulnerable-to-information-exposure-via-cve-2020-15095/
Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service and HTTP request smuggling vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-may-be-vulnerable-to-multiple-denial-of-service-and-http-request-smuggling-vulnerabilities/
Security Bulletin: iOS Vulnerable Minimum OS Version Supported
https://www.ibm.com/blogs/psirt/security-bulletin-ios-vulnerable-minimum-os-version-supported-2/
Security Bulletin: z/TPF is affected by an OpenSSL vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-an-openssl-vulnerability-2/
Security Bulletin: IBM Informix Dynamic Server is vulnerable to a stack based buffer overflow, caused by improper bounds checking.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-server-is-vulnerable-to-a-stack-based-buffer-overflow-caused-by-improper-bounds-checking/
Security Bulletin: IBM App Connect Enterprise Certified Container flows may be vulnerable to spoofing attacks (CVE-2020-26291)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-flows-may-be-vulnerable-to-spoofing-attacks-cve-2020-26291/
Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring components may be vulnerable to a denial of service attack (CVE-2020-28477)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-designer-authoring-components-may-be-vulnerable-to-a-denial-of-service-attack-cve-2020-28477/