Daily summary - 02.07.2021

End-of-Day report

Timeframe: Thursday 01-07-2021 18:00 - Friday 02-07-2021 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Wiped network drives: Western Digital plans to help with recovery

Data on attacked HDDs of the WD My Book Live series should be recoverable. Western Digital intends to offer corresponding services in the future.

https://heise.de/-6127479


Scorecards 2.0: Uncovering security risks in open-source software

The automated security tool Scorecards lays its cards on the table - how secure is open-source software?

https://heise.de/-6127588


Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)

[Note: This blog post is expected to be updated as new micropatches are issued and new information becomes available.] June 2021 Windows Updates brought a fix for a vulnerability CVE-2021-1675 originally titled "Windows Print Spooler Local Code Execution Vulnerability". As usual, Microsoft's advisory provided very little information about the vulnerability, and very few probably noticed that about two weeks later, the advisory was updated to [...]

https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html


Babuk ransomware is back, uses new version on corporate networks

After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks.

https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/


Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software

In yet another instance of software supply chain attack, unidentified hackers breached the website of MonPass, one of Mongolia's major certificate authorities, to backdoor its installer software with Cobalt Strike binaries. The trojanized client was available for download between February 8, 2021, and March 3, 2021, said Czech cybersecurity software company Avast in a report published Thursday.

https://thehackernews.com/2021/07/mongolian-certificate-authority-hacked.html


New Mirai-Inspired Botnet Could Be Using Your KGUARD DVRs in Cyber Attacks

Cybersecurity researchers on Thursday revealed details about a new Mirai-inspired botnet called "mirai_ptea" that leverages an undisclosed vulnerability in digital video recorders (DVR) provided by KGUARD to propagate and carry out distributed denial-of-service (DDoS) attacks. Chinese security firm Netlab 360 pinned the first probe against the flaw on March 23, 2021, before it detected active [...]

https://thehackernews.com/2021/07/new-mirai-inspired-botnet-could-be.html


2020 Report: ICS Endpoints as Starting Points for Threats

The use of Industrial Control Systems (ICS) makes operations more efficient for various industries. These systems are powered by the interconnection between IT (information technology) and OT (operational technology), which help boost efficiency and speed. Unfortunately, this very interconnection also inadvertently makes ICS susceptible to cyberthreats. Securing these systems is vital, and one of its components that must be protected from threats are endpoints.

https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/2020-report-ics-endpoints-as-starting-points-for-threats


STIR/SHAKEN: North America signs phone numbers in the fight against spam

North America's network operators now sign and verify telephone numbers under the STIR/SHAKEN system. This makes calls with spoofed caller IDs harder.

https://heise.de/-6127147


TrickBot and Zeus

TrickBot is an established and widespread multi-purpose trojan. Active since 2016 and modular in nature, it can accomplish a variety of goals ranging from credential theft to lateral movement. Many of the malware's capabilities come as self-contained modules, which the malware is instructed to download from the C2. Initially, TrickBot's main focus was bank fraud, but this later shifted toward corporate targeted ransomware attacks, eventually resulting in the [...]

https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/


Top 5 Scam Techniques: What You Need to Know

Scammers are increasingly resourceful when coming up with scam techniques. But they often rely on long-standing persuasion techniques for the scam to work. So, you may hear about a new scam that uses a novel narrative, but there is a good chance that the scam relies on proven scam techniques once the narrative is stripped [...]

https://www.tripwire.com/state-of-security/security-data-protection/top-scam-techniques-what-you-need-to-know/


Ransomware. In the air?

Introduction As an exercise, we were asked to look at the potential vectors for ransomware to affect flight despatch and operations. In most cases, flight systems simply weren't significantly exposed, [...]

https://www.pentestpartners.com/security-blog/ransomware-in-the-air/


Mysterious Node.js malware puzzles security researchers

Almost four months after it was first spotted in the wild, the infosec community is still scratching its head in regards to the purpose of a new malware strain named Lu0bot.

https://therecord.media/mysterious-node-js-malware-puzzles-security-researchers/


TrickBot: New attacks see the botnet deploy new banking module, new ransomware

Over the course of the past few weeks, new activity has been observed from TrickBot, one of today's largest malware botnets, with reports that its operators have helped create a new ransomware strain called Diavol and that the TrickBot gang is returning to its roots as a banking trojan with a new and updated banking module.

https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/


The Brothers Grim

The reversing tale of GrimAgent malware used by Ryuk

https://blog.group-ib.com/grimagent

Vulnerabilities

WAGO: Multiple Vulnerabilities in I/O-Check Service

Multiple vulnerabilities in the WAGO I/O-Check Service were reported. By exploiting the described vulnerabilities, the attacker potentially is able to manipulate or disrupt the device.

https://cert.vde.com/de-de/advisories/vde-2020-036


Update PowerShell versions 7.0 and 7.1 to protect against a vulnerability

If you manage your Azure resources from PowerShell version 7.0 or 7.1, we've released new versions of PowerShell to address a .NET Core remote code execution vulnerability in versions 7.0 and 7.1. We recommend that you install the updated versions as soon as possible. Windows PowerShell 5.1 isn't affected by this issue.

https://azure.microsoft.com/en-us/updates/update-powershell-versions-70-and-71-to-protect-against-a-vulnerability/


Act now! Attackers are exploiting the PrintNightmare printer flaw in Windows

All Windows systems are threatened by the PrintNightmare vulnerability. Attacks are currently taking place. Here is the workaround to secure your systems.

https://heise.de/-6127265


Security updates for Friday

Security updates have been issued by Fedora (ansible and seamonkey), openSUSE (go1.15 and opera), Oracle (kernel and microcode_ctl), and Red Hat (go-toolset-1.15 and go-toolset-1.15-golang).

https://lwn.net/Articles/861679/


Johnson Controls Facility Explorer

This advisory contains mitigations for an Improper Privilege Management vulnerability in Johnson Controls Facility Explorer industrial Ethernet controllers.

https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01


Sensormatic Electronics C-CURE 9000

This advisory contains mitigations for an Improper Input Validation vulnerability in Sensormatic Electronics C-CURE 9000 industrial software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02


Delta Electronics DOPSoft

This advisory contains mitigations for Out-of-bounds Read vulnerabilities in Delta Electronics DOPSoft software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-182-03


Mitsubishi Electric Air Conditioning System

This advisory contains mitigations for an Incorrect Implementation of Authentication Algorithm vulnerability in Mitsubishi Electric air conditioning systems.

https://us-cert.cisa.gov/ics/advisories/icsa-21-182-04


Mitsubishi Electric Air Conditioning Systems

This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning Systems.

https://us-cert.cisa.gov/ics/advisories/icsa-21-182-05


All Bachmann M1 System Processor Modules

This updated advisory is a follow-up to the advisory titled ICSA-21-026-01P All Bachmann M1 System Processor Modules, posted to the HSIN ICS library on January 26, 2021. This advisory is now being released to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Use of Password Hash with Insufficient Computational Effort vulnerability in Bachmann M1 system processor modules.

https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01-0


Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020

https://www.drupal.org/sa-contrib-2021-020


WEIDMUELLER: Multiple vulnerabilities in Industrial WLAN devices (UPDATE A)

https://cert.vde.com/de-de/advisories/vde-2021-026


Node.js: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K21-0714


Red Hat Developer Tools: Vulnerability enables denial of service

https://www.cert-bund.de/advisoryshort/CB-K21-0715