Daily summary - 18.06.2021

End-of-Day report

Timeframe: Thursday 17-06-2021 18:00 - Friday 18-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl

News

Newly discovered Vigilante malware outs software pirates and blocks them

Most malware tries to steal stuff. Vigilante, by contrast, takes aim at piracy.

https://arstechnica.com/?p=1774437


Network Forensics on Azure VMs (Part #2), (Fri, Jun 18th)

In yesterday's diary, we took a look at two methods that allow capturing network connection information off a potentially compromised virtual machine in Azure. Today, we'll investigate the most recent addition to the VM monitoring arsenal, namely "Azure Monitor Insights".

https://isc.sans.edu/diary/rss/27538


Open redirects ... and why Phishers love them, (Fri, Jun 18th)

Working from home, did you get a meeting invite recently that pointed to https://meet.google.com? Well, that's indeed where Google's online meeting tool is located. But potentially the URL you got is not "only" leading you there.

https://isc.sans.edu/diary/rss/27542


Intentional Flaw in GPRS Encryption Algorithm GEA-1

General Packet Radio Service (GPRS) is a mobile data standard that was widely used in the early 2000s. The first encryption algorithm for that standard was GEA-1, a stream cipher built on three linear-feedback shift registers and a non-linear combining function. Although the algorithm has a 64-bit key, the effective key length is only 40 bits, due to "an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance."

https://www.schneier.com/blog/archives/2021/06/intentional-flaw-in-gprs-encryption-algorithm-gea-1.html


Malicious Redirects Through Bogus Plugin

Recently we have been seeing a rash of WordPress website compromises with attackers abusing the plugin upload functionality in the wp-admin dashboard to redirect visitors and website owners to malicious websites.

https://blog.sucuri.net/2021/06/malicious-redirects-through-bogus-plugin.html


Smoking Out a DARKSIDE Affiliate's Supply Chain Software Compromise

Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website.

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html


With this NSA guide, admins can secure IP telephony

The National Security Agency issues recommendations on how to make voice and video calls more secure.

https://heise.de/-6111092


Polazert Trojan using poisoned Google Search results to spread

The threat actors behind Trojan.Polazert are using keyword-stuffed PDF files to rank high in search results and attract new victims.

https://blog.malwarebytes.com/awareness/2021/06/polazert-trojan-using-poisoned-google-search-results-to-spread/


Service Vulnerabilities: Shared Hosting Symlink Security Issue Still Widely Exploited on Unpatched Servers

The Wordfence site cleaning team helps numerous customers recover from malware infections and site intrusions. While doing so, Wordfence Security Analysts perform a detailed forensic investigation in order to determine how the site was compromised by attackers. In a set of recent cases, we were able to identify a service vulnerability allowing malicious attackers to [...]

https://www.wordfence.com/blog/2021/06/service-vulnerabilities-shared-hosting-symlink-security-issue-still-widely-exploited-on-unpatched-servers/


Fraud with QR code scanners: here is what to watch out for!

Whether registering at a restaurant or at a vaccination or testing appointment: the corona crisis, at the latest, made the use of QR codes normal. Accordingly, numerous new QR code scanner apps are currently popping up in the app stores. But beware: fraudsters hide behind some of these free apps. Caution is also advised with reputable apps, since the advertisements they display can be fraudulent.

https://www.watchlist-internet.at/news/betrug-bei-qr-code-scannern-darauf-sollten-sie-achten-1/


A deep dive into the operations of the LockBit ransomware group

Most victims are enterprises and are expected to pay an average ransom of $85,000.

https://www.zdnet.com/article/a-deep-dive-into-the-operations-of-the-lockbit-ransomware-group/

Vulnerabilities

Security updates for Friday

Security updates have been issued by Arch Linux (aspnet-runtime, aspnet-runtime-3.1, chromium, drupal, intel-ucode, nginx, opera, python-django, radare2, thefuck, and vivaldi), Debian (jetty9), Fedora (dogtag-pki and pki-core), openSUSE (htmldoc and postgresql10), Oracle (dhcp), SUSE (apache2, caribou, jetty-minimal, libxml2, postgresql12, python-PyJWT, python-rsa, python-urllib3, thunderbird, tpm2.0-tools, xstream, and xterm), and Ubuntu (grub2-signed, grub2-unsigned and libxml2).

https://lwn.net/Articles/860260/


Hitachi Virtual File Platform vulnerable to OS command injection

https://jvn.jp/en/jp/JVN21298724/


Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282)

https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-qradar-siem-is-vulnerable-to-unsafe-deserialization-cve-2020-36282/


Security Bulletin: IBM Security Identity Manager Virtual Appliance deprecated Self Service UI contains Struts V1 (CVE-2016-1182)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-virtual-appliance-deprecated-self-service-ui-contains-struts-v1-cve-2016-1182/


Security Bulletin: A vulnerability has been identified in Apache Commons IO shipped with IBM Tivoli Netcool/OMNIbus Probe for Microsoft Exchange Web Services (CVE-2021-29425)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been-identified-in-apache-commons-io-shipped-with-ibm-tivoli-netcool-omnibus-probe-for-microsoft-exchange-web-services-cve-2021-29425/


Security Bulletin: Multiple vulnerabilities have been identified in Netty shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-netty-shipped-with-ibm-tivoli-netcool-omnibus-transport-module-common-integration-library-cve-2021-21290-cve-2021-21295-cve-2021/


Security Bulletin: IBM Security Identity Manager deprecated Self Service UI contains Struts V1 (CVE-2016-1182)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-deprecated-self-service-ui-contains-struts-v1-cve-2016-1182/


Security Bulletin: BIND for IBM i is affected by CVE-2021-25214 and CVE-2021-25215

https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affected-by-cve-2021-25214-and-cve-2021-25215/


Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vulnerable-to-command-injection-cve-2021-20527-2/


VMSA-2021-0011

https://www.vmware.com/security/advisories/VMSA-2021-0011.html


Google Chrome: Multiple vulnerabilities allow code execution

http://www.cert-bund.de/advisoryshort/CB-K21-0670


Schneider Electric EnerlinX Com-X 510

https://us-cert.cisa.gov/ics/advisories/icsa-21-168-01


Softing OPC-UA C++ SDK

https://us-cert.cisa.gov/ics/advisories/icsa-21-168-02


Advantech WebAccess/SCADA

https://us-cert.cisa.gov/ics/advisories/icsa-21-168-03


WAGO M&M Software fdtCONTAINER (Update C)

https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05


Rockwell Automation ISaGRAF5 Runtime (Update A)

https://us-cert.cisa.gov/ics/advisories/icsa-20-280-01