Daily summary - 20.08.2021

End-of-Day report

Timeframe: Thursday 19-08-2021 18:00 - Friday 20-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

Securing Machine (Non-Human) Identities

We spend considerable time and focus on securing identities used by individuals and groups within our environment. While these are essential activities, we sometimes lose sight of a whole other set of identities, often highly privileged, that are just beneath the surface.

https://www.beyondtrust.com/blog/entry/securing-machine-non-human-identities


You can post LinkedIn jobs as almost ANY employer - so can attackers

Anyone can create a job listing on the leading recruitment platform LinkedIn on behalf of any employer, with no verification needed. And worse, the employer cannot easily take these down.

https://www.bleepingcomputer.com/news/security/you-can-post-linkedin-jobs-as-almost-any-employer-so-can-attackers/


Pegasus iPhone hacks used as lure in extortion scheme

A new extortion scam is underway that attempts to capitalize on the recent Pegasus iOS spyware attacks to scare people into paying a blackmail demand.

https://www.bleepingcomputer.com/news/security/pegasus-iphone-hacks-used-as-lure-in-extortion-scheme/


Waiting for the C2 to Show Up, (Fri, Aug 20th)

Keep this in mind: "Patience is key". Sometimes when you are working on a malware sample, you depend on online resources. I'm working on a classic case: a Powershell script decodes then injects a shellcode into a process.

https://isc.sans.edu/diary/rss/27772


Project Zero: Understanding Network Access in Windows AppContainers

Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise.

https://googleprojectzero.blogspot.com/2021/08/understanding-network-access-windows-app.html


Dangerous liaisons - love scammers break more than hearts

With these schemes, online fraudsters try to extract money from people looking for a partner on dating platforms.

https://www.welivesecurity.com/deutsch/2021/08/19/gefaehrliche-liebschaften-love-scammer-brechen-nicht-nur-herzen/


How to install Frida into an Android application

On a recent job I was testing a rather interesting piece of technology that had several server side checks but they wanted to add some additional security on the client side.

https://www.pentestpartners.com/security-blog/how-to-install-frida-into-an-android-application/


Businesses beware: ignore faxes from "Branchen-Stadtplan"!

Business owners are currently receiving a fax from "Branchen-Stadtplan. Handel - Gewerbe - Industrie - Vereine & Co.". The businesses are asked to check or complete their company data and return the fax signed.

https://www.watchlist-internet.at/news/unternehmen-aufgepasst-ignorieren-sie-fax-von-branchen-stadtplan/


RansomClave project uses Intel SGX enclaves for ransomware attacks

Academics have developed a proof-of-concept ransomware strain that uses highly secure Intel SGX enclaves to hide and keep encryption keys safe from the prying eyes of security tools.

https://therecord.media/ransomclave-project-uses-intel-sgx-enclaves-for-ransomware-attacks/


Cloudflare says it mitigated a record-breaking 17.2M rps DDoS attack

Internet infrastructure company Cloudflare disclosed today that it mitigated the largest volumetric distributed denial of service (DDoS) attack that was recorded to date.

https://therecord.media/cloudflare-says-it-mitigated-a-record-breaking-17-2m-rps-ddos-attack/


Mozi botnet gains the ability to tamper with its victims' traffic

A new version of Mozi, a botnet that targets routers and IoT devices, is now capable of tampering with the web traffic of infected systems via techniques such as DNS spoofing and HTTP session hijacking, a capability that could be abused to redirect users to malicious sites.

https://therecord.media/mozi-botnet-gains-the-ability-to-tamper-with-its-victims-traffic/

Vulnerabilities

New unofficial Windows patch fixes more PetitPotam attack vectors

A second unofficial patch for the Windows PetitPotam NTLM relay attack has been released to fix further issues not addressed by Microsoft's official security update.

https://www.bleepingcomputer.com/news/security/new-unofficial-windows-patch-fixes-more-petitpotam-attack-vectors/


Security updates for Friday

Security updates have been issued by Fedora (libtpms and mingw-exiv2), openSUSE (389-ds, aspell, c-ares, fetchmail, firefox, go1.15, go1.16, haproxy, java-1_8_0-openjdk, krb5, libass, libmspack, libsndfile, openexr, php7, qemu, and tor), Oracle (compat-exiv2-023 and compat-exiv2-026), and SUSE (389-ds, aspell, djvulibre, fetchmail, firefox, go1.15, go1.16, java-1_8_0-openjdk, krb5, libass, libmspack, nodejs8, openexr, postgresql10, qemu, and spice-vdagent).

https://lwn.net/Articles/866906/


AVEVA SuiteLink Server

This advisory contains mitigations for Heap-based Buffer Overflow, Null Pointer Dereference, and Improper Handling of Exceptional Conditions vulnerabilities in AVEVA SuiteLink Server system management software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-231-01


Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11, v12 (CVE-2020-27221)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-bus-and-ibm-app-connect-enterpise-v11-v12-cve-2020-27221/


Synology-SA-21:23 ISC BIND

https://www.synology.com/en-global/support/security/Synology_SA_21_23


MISP: vulnerability allows SQL injection

http://www.cert-bund.de/advisoryshort/CB-K21-0894


Multiple vulnerabilities in NetModule Router Software (NRSW)

https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstellen-in-netmodule-router-software-nrsw/