Tageszusammenfassung - 31.05.2021

End-of-Day report

Timeframe: Freitag 28-05-2021 18:00 - Montag 31-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter

News

Sicherheitsupdate: Root-Lücke in Sonicwalls Network Security Manager

Angreifer könnten durch eine Schwachstelle in der Firewall-Verwaltungssoftware Network Security Manager schlüpfen.

https://heise.de/-6057794


Client Puzzle Protocols (CPPs) als Gegenmaßnahmen gegen automatisierte Gefahren für Webapplikationen

Client Puzzle Protocols (CPPs) können effektive Maßnahmen gegen Denial-of-Service-Attacken sein. Sie müssen aber auf ihre Effektivität überprüft werden.

https://www.syss.de/pentest-blog/fachartikel-von-it-security-consultant-vladimir-bostanov


Threat spotlight: Conti, the ransomware used in the HSE healthcare attack

[...] In this blog, we-ll home in on Conti, the strain identified by some as the successor, cousin or relative of Ryuk ransomware, due to similarities in code use and distribution tactics.

https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-conti-the-ransomware-used-in-the-hse-healthcare-attack/


PoC published for new Microsoft PatchGuard (KPP) bypass

A security researcher has discovered a bug in PatchGuard--a crucial Windows security feature--that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel.

https://therecord.media/poc-published-for-new-microsoft-patchguard-kpp-bypass/


WooCommerce Credit Card Skimmer Hides in Plain Sight

Recently, a client-s customers were receiving a warning from their anti-virus software when they navigated to the checkout page of the client-s ecommerce website. Antivirus software such as Kaspersky and ESET would issue a warning but only once a product had been added to the cart and a customer was about to enter their payment information. This is, of course, a tell-tale sign that there is something seriously wrong with the website and likely a case of credit card exfiltration.

https://blog.sucuri.net/2021/05/woocommerce-credit-card-skimmer.html


On the Taxonomy and Evolution of Ransomware

Not all ransomware is the same! Oliver Tavakoli, CTO at Vectra AI, discusses the different species of this growing scourge.

https://threatpost.com/taxonomy-evolution-ransomware/166462/


Spear-phishing Email Targeting Outlook Mail Clients , (Sat, May 29th)

In February I posted about spam pretending to be an Outlook Version update [1] and now for the past several weeks I have been receiving spear-phishing emails that pretend to be coming from Microsoft Outlook to "Sign in to verify" my account, new terms of services, new version, etc. There also have been some reports this week about large ongoing spear-phishing campaign [2][3] worth reading. Here are some samples which always include a sense of urgency to login as soon as possible: [...]

https://isc.sans.edu/diary/rss/27472


Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th)

New versions of Sysinternals' tools Procmon, Sysmon, TcpView and Process Explorer were released.

https://isc.sans.edu/diary/rss/27476


Video: Cobalt Strike & DNS - Part 1, (Sun, May 30th)

One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.

https://isc.sans.edu/diary/rss/27478


IT threat evolution Q1 2021

SolarWinds attacks, MS Exchange vulnerabilities, fake adblocker distributing miner, malware for Apple Silicon platform and other threats in Q1 2021.

https://securelist.com/it-threat-evolution-q1-2021/102382/


IT threat evolution Q1 2021. Mobile statistics

In the first quarter of 2021 we detected 1.45M mobile installation packages, of which 25K packages were related to mobile banking Trojans and 3.6K packages were mobile ransomware Trojans.

https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/


IT threat evolution Q1 2021. Non-mobile statistics

In Q1 2021, we blocked more than 2 billion attacks launched from online resources across the globe, detected 77.4M unique malicious and potentially unwanted objects, and recognized 614M unique URLs as malicious.

https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/102425/

Vulnerabilities

Security updates for Monday

Security updates have been issued by Debian (hyperkitty, libxml2, nginx, openjdk-11-jre-dcevm, rxvt-unicode, samba, and webkit2gtk), Fedora (exiv2, java-1.8.0-openjdk-aarch32, mingw-python-pillow, opendmarc, php-symfony3, php-symfony4, python-pillow, runc, rust-cranelift-codegen-shared, rust-cranelift-entity, and rxvt-unicode), openSUSE (curl, hivex, libu2f-host, libX11, libxls, singularity, and upx), Oracle (dotnet3.1 and dotnet5.0), Red Hat (docker, glib2, and runc), and Ubuntu (lz4).

https://lwn.net/Articles/857737/


Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java- Technology Edition

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-ibm-sdk-java-technology-edition-3/


Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-addressed-multiple-vulnerabilities-3/


Security Bulletin: Multiple Security Vulnerabilities have been resolved in IBM Application Gateway (CVE-2021-20576, CVE-2021-20575, CVE-2021-29665)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-resolved-in-ibm-application-gateway-cve-2021-20576-cve-2021-20575-cve-2021-29665/