Daily Summary - 06.05.2021

End-of-Day report

Timeframe: Wednesday 05-05-2021 18:00 - Thursday 06-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter

News

RotaJakiro, the Linux version of the OceanLotus

On Apr 28, we published our RotaJakiro backdoor blog; at that time, we didn't have the answer for a very important question: what is this backdoor exactly for? We asked the community for clues, and two days ago we got a hint. PE (Thanks!) wrote the following comment on

https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/


Alternative Ways To Perform Basic Tasks, (Thu, May 6th)

I like to spot techniques used by malware developers to perform basic tasks. We know the lolbins[1] that are pre-installed tools used to perform malicious activities. Many lolbins are used, for example, to download some content from the Internet. Some tools are so powerful that they can also be used to perform unexpected tasks.

https://isc.sans.edu/diary/rss/27392


Strong, Secure Passwords Are Key to Helping Reduce Risk to Your Organization

Blog post on how to create strong, secure passwords to reduce risk to your organization.

https://www.sans.org/blog/strong-secure-passwords-are-key-to-helping-reduce-risk-to-your-organization


BSI publishes whitepaper on the current state of the auditability of AI systems

Based on an international expert workshop held by the BSI, the Association of TÜVs, and Fraunhofer HHI, a whitepaper has been written on the current state, open questions, and important future activities regarding the auditability of AI systems.

https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/Whitepaper_Pruefbarkeit_KI-Systeme_060521.html


TrickBot: Get to Know the Malware That Refuses to Be Killed

Versatile, easy to use, and widely available, TrickBot has become a favorite tool of threat actors of all skill levels and a formidable threat that security teams in all organizations should be familiar with. Over the last five years, TrickBot has earned a reputation as a remarkably adaptive modular malware, with its operators regularly updating its software to be more effective and potent against a wide range of targets worldwide.

https://www.riskiq.com/blog/external-threat-management/trickbot/


Ryuk ransomware finds foothold in bio research institute through student who wouldn't pay for software

The incident started with a student who didn't want to pay for a license and ended with the loss of research.

https://www.zdnet.com/article/ryuk-ransomware-finds-foothold-in-bio-research-institute-through-a-student-who-wouldnt-pay-for-software/


CISA Releases Analysis Reports on New FiveHands Ransomware

CISA is aware of a recent, successful cyberattack against an organization using a new ransomware variant known as FiveHands. CISA has released AR21-126A: FiveHands Ransomware and MAR-10324784-1.v1: FiveHands Ransomware to provide analysis of the threat actor's tactics, techniques, and procedures as well as indicators of compromise (IOCs).

https://us-cert.cisa.gov/ncas/current-activity/2021/05/06/cisa-releases-analysis-reports-new-fivehands-ransomware

Vulnerabilities

Cisco SD-WAN: Attackers could create admin accounts

Important security updates are available for several Cisco products.

https://heise.de/-6038258


Security updates for Thursday

Security updates have been issued by Debian (python-django), Fedora (java-latest-openjdk, libopenmpt, python-yara, skopeo, thunderbird, and yara), openSUSE (ceph and openexr), Red Hat (postgresql), SUSE (libxml2), and Ubuntu (exim4 and gnome-autoar).

https://lwn.net/Articles/855613/


Android users' privacy at risk as Check Point Research identifies vulnerability on Qualcomm's mobile station modems

Check Point Research (CPR) found a security vulnerability in Qualcomm's mobile station modem (MSM), the chip responsible for cellular communication in nearly 40% of the world's phones. If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them [...]

https://blog.checkpoint.com/2021/05/06/android-users-privacy-at-risk-as-check-point-research-identifies-vulnerability-on-qualcomms-mobile-station-modems/


Security Advisory - Insufficient Input Validation Vulnerability in FusionCompute Product

https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210506-01-inputvalidate-en


Ruby on Rails: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K21-0480


Foxit Reader & PhantomPDF: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K21-0481


VMware vRealize Operations: Vulnerability allows code execution

https://www.cert-bund.de/advisoryshort/CB-K21-0489


ZDI-21-523: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-21-523/


ZDI-21-522: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-21-522/


ZDI-21-521: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-21-521/


ZDI-21-520: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-21-520/


Security Bulletin: Vulnerability in Fabric OS used by IBM b-type SAN directors and switches.

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fabric-os-used-by-ibm-b-type-san-directors-and-switches-3/


Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-8287)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-app-connect-enterprise-v11-are-affected-by-vulnerabilities-in-node-js-cve-2020-8287/


Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-8265)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-app-connect-enterprise-v11-are-affected-by-vulnerabilities-in-node-js-cve-2020-8265/


Security Bulletin: Vulnerabilities in IBM Java affect IBM Rational Asset Analyzer.

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-in-ibm-java-affects-ibm-rational-asset-analyzer/


Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-28500)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-app-connect-enterprise-v11-are-affected-by-vulnerabilities-in-node-js-cve-2020-28500/


Security Bulletin: Vulnerabilities in IBM Java affecting IBM Rational Asset Analyzer.

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-affecting-ibm-rational-asset-analyzer-2/


Security Bulletin: Vulnerability identified in IBM DB2 that is shipped as a component and pattern type (pType) with Cloud Pak System and Cloud Pak System Software Suite. Cloud Pak System addresses it with a new DB2 pType

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-identified-in-ibm-db2-that-is-shipped-as-component-and-pattern-type-or-ptype-with-cloud-pak-system-and-cloud-pak-system-software-suite-cloud-pak-system-address/


Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-affected-by-multiple-vulnerabilities-4/