Daily summary - 30.06.2021

End-of-Day report

Timeframe: Tuesday 29-06-2021 18:00 - Wednesday 30-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer

News

Lorenz ransomware decryptor recovers victims' files for free

Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware, allowing victims to recover some of their files for free without paying a ransom.

https://www.bleepingcomputer.com/news/security/lorenz-ransomware-decryptor-recovers-victims-files-for-free/


An EPYC escape: Case-study of a KVM breakout

In this blog post I describe a vulnerability in KVM's AMD-specific code and discuss how this bug can be turned into a full virtual machine escape.

https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html


MITRE ATT&CK® mappings released for built-in Azure security controls

Microsoft is pleased to announce the publication of the Security Stack Mappings for Azure project in partnership with the Center for Threat-Informed Defense.

https://www.microsoft.com/security/blog/2021/06/29/mitre-attck-mappings-released-for-built-in-azure-security-controls/


June 2021 Forensic Contest: Answers and Analysis, (Wed, Jun 30th)

Thanks to everyone who participated in our June 2021 forensic contest originally posted two weeks ago.

https://isc.sans.edu/diary/rss/27582


Babuk ransomware builder leaked following muddled "retirement"

Heads are being scratched after the Babuk ransomware builder appears on VirusTotal, adding to the gang's reputation for confusion.

https://blog.malwarebytes.com/reports/2021/06/babuk-ransomware-builder-leaked-following-muddled-retirement/


Dubious online shops sell "mystery boxes" of products from undeliverable Amazon parcels

A gaming laptop or a PlayStation for 16 euros? Numerous online shops are currently selling a "mystery box" that supposedly makes this possible. According to the sellers, the box contains undeliverable Amazon products such as laptops, computers, cameras or expensive headphones.

https://www.watchlist-internet.at/news/unserioese-online-shops-verkaufen-mystery-box-mit-produkten-aus-unzustellbaren-amazon-paketen/


FIRST Challenge 2021 Writeup

Due to the COVID-19 pandemic the FIRST conference 2021 moved online, and so did the annual CTF organized by the FIRST Security Lounge SIG. Thomas Pribitzer, Dimitri Robl, and Sebastian Waldbauer from CERT.at participated as a team, finishing 9th out of 42 teams.

https://cert.at/en/blog/2021/6/first-challenge-2021-writeup


Gozi malware gang member arrested in Colombia

Authorities in Colombia have arrested this week a Romanian national named Mihai Ionut Paunescu, one of the three suspects charged in 2013 for creating and operating the infamous Gozi banking trojan.

https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/


REvil Twins

Deep Dive Into Prolific RaaS Affiliates' TTPs

https://blog.group-ib.com/revil_raas

Vulnerabilities

DHCP Flood: Google Cloud VMs can be taken over via DHCP

Attackers could obtain root privileges in other people's Google Cloud VMs. Practical attacks are unlikely, and there are no updates.

https://www.golem.de/news/dhcp-flood-googles-cloud-vms-lassen-sich-per-dhcp-uebernehmen-2106-157764-rss.html


CVE-2021-1675: Incomplete Patch and Leaked RCE Exploit, (Wed, Jun 30th)

On June 21st, Microsoft modified the description of the vulnerability upgrading it to a remote code execution vulnerability. Earlier this week, an RCE exploit was posted to GitHub.

https://isc.sans.edu/diary/rss/27588


Security updates for Wednesday

Security updates have been issued by Debian (fluidsynth), Fedora (libgcrypt and tpm2-tools), Mageia (nettle, nginx, openvpn, and re2c), openSUSE (kernel, roundcubemail, and tor), Oracle (edk2, lz4, and rpm), Red Hat (389-ds:1.4, edk2, fwupd, kernel, kernel-rt, libxml2, lz4, python38:3.8 and python38-devel:3.8, rpm, ruby:2.5, ruby:2.6, and ruby:2.7), and SUSE (kernel and lua53).

https://lwn.net/Articles/861420/


Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2021-3449, CVE-2021-3450)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-rational-clearquest-cve-2021-3449-cve-2021-3450/


Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform Foundation.

https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclosed-vulnerability-affects-ibm-mobilefirst-platform-foundation/


Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-authenticated-user-to-overwrite-arbitrary-files-due-to-improper-group-permissions-cve-2020-4945/


Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-addressed-multiple-vulnerabilities-4/


Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-rational-clearquest/


Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase (CVE-2020-27221, CVE-2020-14782, CVE-2020-2773, CVE-2020-14781)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-java-runtime-affect-ibm-rational-clearcase-cve-2020-27221-cve-2020-14782-cve-2020-2773-cve-2020-14781/


Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-rational-clearcase-cve-2020-1971-cve-2021-23839-cve-2021-23840-cve-2021-23841-cve-2021-23839-cve-2021-23840-cve-2021-23841/


Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-java-runtime-affect-ibm-rational-clearquest-2/


Security Bulletin: Apache Commons Codec Vulnerability affects IBM Rational ClearQuest (177835)

https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-codec-vulnerability-affects-ibm-rational-clearquest-177835/


Drupal 8 end-of-life on November 2, 2021 (four months from now) - PSA-2021-2021-06-29

https://www.drupal.org/psa-2021-2021-06-29


Exacq Technologies exacqVision Web Service

https://us-cert.cisa.gov/ics/advisories/icsa-21-180-01


Exacq Technologies exacqVision Enterprise Manager

https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02


Panasonic FPWIN Pro

https://us-cert.cisa.gov/ics/advisories/icsa-21-180-03


JTEKT TOYOPUC PLC

https://us-cert.cisa.gov/ics/advisories/icsa-21-180-04


AVEVA System Platform

https://us-cert.cisa.gov/ics/advisories/icsa-21-180-05


Claroty Secure Remote Access Site

https://us-cert.cisa.gov/ics/advisories/icsa-21-180-06