End-of-Day report
Timeframe: Montag 31-05-2021 18:00 - Dienstag 01-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Firefox 89 und ESR 78.11: Neue Browser-Versionen, neue Sicherheits-Updates
Das Mozilla-Team hat den frisch erschienenen Firefox-Versionen neben neuen Features auch Schwachstellen-Patches spendiert.
https://heise.de/-6059513
Kroatien Urlaub geplant? Nehmen Sie sich vor kostenpflichtigen Registrierungsseiten wie enter-croatia.com in Acht!
Viele ÖsterreicherInnen freuen sich darauf, endlich wieder nach Kroatien zu fahren. Durch die COVID-19-Pandemie gelten jedoch strengere Einreisebestimmungen, wie die Empfehlung einer kostenlosen Online-Registrierung. Anbieter wie die Visa Gate GmbH nutzen die Unsicherheit vieler TouristInnen aus und stellen kostenpflichtige Registrierungsseiten ins Netz. Wir empfehlen Ihnen, die (freiwillige) Online-Registrierung nicht über enter-croatia.com vorzunehmen!
https://www.watchlist-internet.at/news/kroatien-urlaub-geplant-nehmen-sie-sich-vor-kostenpflichtigen-registrierungsseiten-wie-enter-croati/
Windows 10s package manager flooded with duplicate, malformed apps
Microsofts Windows 10 package manager Wingets GitHub has been flooded with duplicate apps and malformed manifest files raising concerns among developers with regards to the integrity of apps.
https://www.bleepingcomputer.com/news/security/windows-10s-package-manager-flooded-with-duplicate-malformed-apps/
Quick and dirty Python: nmap, (Mon, May 31st)
Continuing on from the "Quick and dirty Python: masscan" diary, which implemented a simple port scanner in Python using masscan to detect web instances on TCP ports 80 or 443. Masscan is perfectly good as a blunt instrument to quickly find open TCP ports across large address spaces, but for fine details it is better to use a scanner like nmap that, while much slower, is able to probe the port to get a better idea of what is running.
https://isc.sans.edu/diary/rss/27480
Guildma is now using Finger and Signed Binary Proxy Execution to evade defenses, (Mon, May 31st)
We recently identified a new Guildma/Astaroth campaign targeting South America, mainly Brazil, using a new variant of the malware. Guildma is known by its multiple-staged infection chain and evasion techniques to reach victim-s data and exfiltrate them. In a previous diary [1] at Morphus Labs, we analyzed a Guildma variant which employed an innovative strategy to stay active, using Facebook and YouTube to get a new list of its C2 servers.
https://isc.sans.edu/diary/rss/27482
Evadere Classifications
The term evasion is derived from the Latin word "evadere" which means - "To escape, to get away." The DOD defines evasion as - "The process whereby isolated personnel avoid capture with the goal of successfully returning to areas under friendly control." [...] This made me think - what does evasion or bypass truly mean? Are there different categories that these evasion techniques fit into? Lastly, if these techniques are to fit into categories - how can detection engineers leverage these for engagements?
https://posts.specterops.io/evadere-classifications-8851a429c94b
Revisiting the NSIS-based crypter
In this blog we look at the constantly evolving NSIS crypter which malware authors have been leveraging as a flexible tool to pack and encrypt their samples.
https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/
TeamTNT botnet makes 50,000 victims over the last three months
TeamTNT, a crypto-mining botnet specialized in infecting misconfigured Docker and Kubernetes platforms, has compromised more than 50,000 systems over the last three months, between March and May 2021, security firm Trend Micro said last week.
https://therecord.media/teamtnt-botnet-makes-50000-victims-over-the-last-three-months/
Vulnerabilities
Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021
On June 1, 2021, Lasso disclosed a security vulnerability in the Lasso Security Assertion Markup Language (SAML) Single Sign-On (SSO) library. This vulnerability could allow an authenticated attacker to impersonate another authorized user when interacting with an application. For a description of this vulnerability, see lasso.git NEWS. This advisory will be updated as additional information becomes available.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lasso-saml-jun2021-DOXNRLkD
Security updates for Tuesday
Security updates have been issued by Fedora (cflow, chromium, eterm, gnutls, and kernel), Mageia (kernel and kernel-linus), Oracle (glib2), Red Hat (glib2, kernel, kernel-rt, and kpatch-patch), SUSE (curl, djvulibre, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, nginx, python-httplib2, and slurm), and Ubuntu (gupnp, libwebp, postgresql-10, postgresql-12, postgresql-13, and python3.8).
https://lwn.net/Articles/857830/
Security Bulletin: A format string security vulnerability has been identified in IBM Spectrum Scale (CVE-2021-29740)
https://www.ibm.com/blogs/psirt/security-bulletin-a-format-string-security-vulnerability-has-been-identified-in-ibm-spectrum-scale-cve-2021-29740/
Multiple Critical Vulnerabilities in Korenix Technology, Westermo and Pepperl+Fuchs products
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/