Daily summary - 13.08.2021

End-of-Day report

Timeframe: Thursday 12-08-2021 18:00 - Friday 13-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer

News

Attackers combine ProxyShell vulnerabilities and attack Microsoft Exchange

Following targeted scans, the first attacks on Exchange servers are now under way. In Germany there are thousands of vulnerable systems. Patches are available.

https://heise.de/-6164957


Dubious shops copy the websites of popular shoe brands!

Anyone who wants to buy Dr. Martens or Skechers shoes in an online shop should first verify that the shop is legitimate. Watchlist Internet is currently receiving an increasing number of reports of counterfeit-brand shops offering brand-name shoes at unbelievably low prices. If the legal notice (Impressum) is missing and the shoes are offered at unbelievable prices, it is better to refrain from buying.

https://www.watchlist-internet.at/news/unserioese-shops-kopieren-webseiten-von-beliebten-schuhmarken/


SynAck ransomware releases decryption keys after El_Cometa rebrand

The SynAck ransomware gang released the master decryption keys for their operation after rebranding as the new El_Cometa group.

https://www.bleepingcomputer.com/news/security/synack-ransomware-releases-decryption-keys-after-el-cometa-rebrand/


WordPress Sites Abused in Aggah Spear-Phishing Campaign

The Pakistan-linked threat group's campaign uses compromised WordPress sites to deliver the Warzone RAT to manufacturing companies in Taiwan and South Korea.

https://threatpost.com/aggah-wordpress-spearphishing/168657/


Example of Danabot distributed through malspam, (Fri, Aug 13th)

Danabot is an information stealer known for targeting banking data on infected Windows hosts. According to Proofpoint, Danabot version 4 started appearing in the wild in October 2020. We recently discovered a Danabot sample during an infection kicked off by an email attachment sent on Thursday 2021-08-12. Today's diary reviews this Danabot infection.

https://isc.sans.edu/diary/rss/27744


Using AI to Scale Spear Phishing

The problem with spear phishing is that it takes time and creativity to create individualized, enticing phishing emails. Researchers are using GPT-3 to attempt to solve that problem: the researchers used OpenAI's GPT-3 platform in conjunction with other AI-as-a-service products focused on personality analysis to generate phishing emails tailored to their colleagues' backgrounds and traits.

https://www.schneier.com/blog/archives/2021/08/using-ai-to-scale-spear-phishing.html


Phishing campaign goes old school, dusts off Morse code

Sometimes new technology just doesn't get the job done.

https://blog.malwarebytes.com/reports/2021/08/phishing-campaign-goes-old-school-dusts-off-morse-code/


Examining threats to device security in the hybrid workplace

As employees split their time between office and off-site work, there is a greater potential for company devices and data to fall into the wrong hands.

https://www.welivesecurity.com/2021/08/12/examining-threats-device-security-hybrid-workplace/


Hackers tried to exploit two zero-days in Trend Micro's Apex One EDR platform

Cyber-security firm Trend Micro said hackers tried to exploit two zero-day vulnerabilities in its Apex One EDR platform in an attempt to go after its customers in attacks that took place earlier this year.

https://therecord.media/hackers-tried-to-exploit-two-zero-days-in-trend-micros-apex-one-edr-platform/

Vulnerabilities

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing.

https://www.drupal.org/sa-core-2021-005


Security updates for Friday

Security updates have been issued by Debian (commons-io, curl, and firefox-esr), Fedora (perl-Encode), openSUSE (golang-github-prometheus-prometheus, grafana, and python-reportlab), Oracle (.NET Core 2.1, 389-ds:1.4, cloud-init, go-toolset:ol8, nodejs:12, nodejs:14, and rust-toolset:ol8), SUSE (aspell, firefox, kernel, and rpm), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, postgresql-10, postgresql-12, and postgresql-13).

https://lwn.net/Articles/866185/


Cognex In-Sight OPC Server

This advisory contains mitigations for a Deserialization of Untrusted Data vulnerability in Cognex In-Sight OPC Server industrial software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-224-01


Horner Automation Cscape

This advisory contains mitigations for Out-of-bounds Write, Access of Uninitialized Pointer, and Out-of-bounds Read vulnerabilities in Horner Automation Cscape control system application programming software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-224-02


Sensormatic Electronics C-CURE 9000 (Update A)

This updated advisory is a follow-up to the original advisory titled ICSA-21-182-02 Sensormatic Electronics C-CURE 9000, which was published July 1, 2021, on the ICS webpage at us-cert.cisa.gov. This advisory contains mitigations for an Improper Input Validation vulnerability in Sensormatic Electronics C-CURE 9000 industrial software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02


Security Bulletin: De-serialization Vulnerability Affects IBM Partner Engagement Manager (CVE-2021-29781)

https://www.ibm.com/blogs/psirt/security-bulletin-de-serialization-vulnerability-affects-ibm-partner-engagement-manager-cve-2021-29781-2/


Security Bulletin: IBM QRadar SIEM is vulnerable to possible information disclosure in a multi-domain deployment. (CVE-2021-29880)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-possible-information-disclosure-in-a-multi-domain-deployment-cve-2021-29880/


Security Bulletin: Vulnerability in self-service console affects IBM Cloud Pak System (CVE-2021-20478)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-self-service-console-affects-ibm-cloud-pak-system-cve-2021-20478-3/