[CERT-daily] Tageszusammenfassung - 09.11.2020

Daily end-of-shift report team at cert.at
Mon Nov 9 18:23:50 CET 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 06-11-2020 18:00 − Montag 09-11-2020 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Hacker haben mehrfach Sourcecode aus SonarQube-Instanzen abgegriffen ∗∗∗
---------------------------------------------
Das FBI warnte bereits im Oktober vor einem Angriff auf Installationen unter anderem von US-Regierungsbehörden, aber auch privater Firmen.
---------------------------------------------
https://heise.de/-4951630


∗∗∗ Lets Encrypt: Alte Android-Geräte bekommen Probleme mit Millionen Seiten ∗∗∗
---------------------------------------------
Der Zertifikatswechsel bei Lets Encrypt sorgt für Probleme bei einem Drittel aller Android-Geräte. Die Lösung dafür ist der Firefox.
---------------------------------------------
https://www.golem.de/news/let-s-encrypt-alte-android-geraete-bekommen-probleme-mit-millionen-seiten-2011-151987-rss.html


∗∗∗ New Pay2Key ransomware encrypts networks within one hour ∗∗∗
---------------------------------------------
A new ransomware called Pay2Key has been targeting organizations from Israel and Brazil, encrypting their networks within an hour in targeted attacks still under investigation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pay2key-ransomware-encrypts-networks-within-one-hour/


∗∗∗ How Ryuk Ransomware operators made $34 million from one victim ∗∗∗
---------------------------------------------
One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operators-made-34-million-from-one-victim/


∗∗∗ Gitpaste-12 Worm Targets Linux Servers, IoT Devices ∗∗∗
---------------------------------------------
The newly discovered malware uses GitHub and Pastebin to house component code, and harbors 12 different initial attack vectors.
---------------------------------------------
https://threatpost.com/gitpaste-12-worm-linux-servers-iot-devices/161016/


∗∗∗ Adventures in Anti-Gravity ∗∗∗
---------------------------------------------
Here we deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces).
---------------------------------------------
https://objective-see.com/blog/blog_0x5B.html


∗∗∗ Cryptojacking Targeting WebLogic TCP/7001, (Sat, Nov 7th) ∗∗∗
---------------------------------------------
This past week got some interesting logs targeting TCP/7001 (WebLogic CVE-2020-14882 - see previous diary[1][2]) looking to download and launch a shell script to install various cryptominer on the target. The shell script target SELINUX compatible hosts likely CentOS/RedHat, Ubuntu, etc to install various cryptominer applications.
---------------------------------------------
https://isc.sans.edu/diary/rss/26768


∗∗∗ How Attackers Brush Up Their Malicious Scripts, (Mon, Nov 9th) ∗∗∗
---------------------------------------------
On Friday, I received a bunch of alerts from one of my YARA hunting rules. Several samples were submitted from the same account (through the VT API), from the same country (US), and in a very short period of time. All the submitted files were OLE2 files containing a malicious macro. All of them had a low VT score so it deserved some investigations. I downloaded the samples and had a look at them.
---------------------------------------------
https://isc.sans.edu/diary/rss/26770


∗∗∗ When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777 ∗∗∗
---------------------------------------------
Vatet, PyXie and Defray777 are all associated with a financially motivated threat group. We aim to get these malware families on the radar.
---------------------------------------------
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/


∗∗∗ xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control ∗∗∗
---------------------------------------------
We observed evidence that the xHunt campaign used two backdoors on a compromised Microsoft Exchange Server at an organization in Kuwait.
---------------------------------------------
https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco stopft schwerwiegende Lücke in Webex Meetings für Windows ∗∗∗
---------------------------------------------
Die Schwachstelle kommt bei internen Tests ans Licht. Ein lokaler Angreifer kann Schadcode ausführen. Weitere Schwachstellen stecken im Web Network Recording Player und Webex Player.
---------------------------------------------
https://www.zdnet.de/88389577/cisco-stopft-schwerwiegende-luecke-in-webex-meetings-fuer-windows/


∗∗∗ WordPress Sites Open to Code Injection Attacks via Welcart e-Commerce Bug ∗∗∗
---------------------------------------------
The shopping cart application contains a PHP object-injection bug.
---------------------------------------------
https://threatpost.com/wordpress_open_to_attacks_welcart_bug/161037/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, kernel, libX11, qemu-kvm, thunderbird, and xorg-x11-server), Debian (guacamole-server, krb5, libexif, poppler, raptor2, and sympa), Fedora (blueman, chromium, freetype, galera, krb5, libtpms, mariadb, mariadb-connector-c, pngcheck, and salt), Mageia (blueman, docker, fontforge, junit, libproxy, libuv, mariadb, suricata, and webmin), openSUSE (apache-commons-httpclient, bluez, gnome-settings-daemon, gnome-shell, [...]
---------------------------------------------
https://lwn.net/Articles/836676/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list