[CERT-daily] Tageszusammenfassung - 02.04.2021

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 01-04-2021 18:00 − Freitag 02-04-2021 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ 5 steps to respond to a data breach ∗∗∗
---------------------------------------------
This blog was written by an independent guest blogger. You’ve just been breached. What do you do next? Depending on personality, preparation, and ability under crisis, there are a variety of responses to choose from, some effective and some not. Hopefully, you’re the rare breed who plans in advance how to respond. Even better if this planning includes how to prevent them. But to execute a logical, effective response, keep reading.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/5-steps-to-respond-to-a-data-breach


∗∗∗ VMware fixes authentication bypass in data center security software ∗∗∗
---------------------------------------------
VMware has addressed a critical vulnerability in the VMware Carbon Black Cloud Workload appliance that could allow attackers to bypass authentication after exploiting vulnerable servers. 
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-fixes-authentication-bypass-in-data-center-security-software/


∗∗∗ New ‘BazarCall’ Malware Uses Call Centers to Trick its Victims into Infecting Themselves ∗∗∗
---------------------------------------------
Today’s hackers have never been more old-fashioned – they are currently using a telephone call as a “brand new “technique to infect their victim’s devices.
---------------------------------------------
https://heimdalsecurity.com/blog/bazarcall-malware-uses-call-centers-to-trick-ist-victims/


∗∗∗ Browser lockers: extortion disguised as a fine ∗∗∗
---------------------------------------------
In this article we discuss browser lockers that mimic law enforcement websites.
---------------------------------------------
https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/


∗∗∗ Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting ∗∗∗
---------------------------------------------
A probabilistic graphical modeling framework used by Microsoft 365 Defender research and intelligence teams for threat actor tracking enables us to quickly predict the likely threat group responsible for an attack, as well as the likely next attack stages.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/04/01/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting/


∗∗∗ [SANS ISC] C2 Activity: Sandboxes or Real Victims? ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “C2 Activity: Sandboxes or Real Victims?“: In my last diary, I mentioned that I was able to access screenshots exfiltrated by the malware sample. During the first analysis, there were approximately 460 JPEG files available. I continued to keep an eye on the [...]
---------------------------------------------
https://blog.rootshell.be/2021/04/02/sans-isc-c2-activity-sandboxes-or-real-victims/


∗∗∗ A “txt file” can steal all your secrets ∗∗∗
---------------------------------------------
Recently, 360 Security Center’s threat monitoring platform has detected an email phishing attack. This attack uses a secret-stealing Trojan called Poulight.
---------------------------------------------
https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/


∗∗∗ Unpatched RCE Flaws Affect Tens of Thousands of QNAP SOHO NAS Devices ∗∗∗
---------------------------------------------
A pair of unpatched vulnerabilities in QNAP small office/home office (SOHO) network attached storage (NAS) devices could allow attackers to execute code remotely, according to a warning from security researchers at SAM Seamless Network.
---------------------------------------------
https://www.securityweek.com/unpatched-rce-flaws-affect-tens-thousands-qnap-soho-nas-devices


∗∗∗ Nine Critical Flaws in FactoryTalk Product Pose Serious Risk to Industrial Firms ∗∗∗
---------------------------------------------
Industrial automation giant Rockwell Automation on Thursday informed customers that it has patched nine critical vulnerabilities in its FactoryTalk AssetCentre product.
---------------------------------------------
https://www.securityweek.com/nine-critical-flaws-factorytalk-product-pose-serious-risk-industrial-firms


∗∗∗ Financial Sector Remains Most Targeted by Threat Actors: IBM ∗∗∗
---------------------------------------------
Organizations in the financial and insurance sectors were the most targeted by threat actors in 2020, continuing a trend that was first observed roughly five years ago, IBM Security reports.
---------------------------------------------
https://www.securityweek.com/financial-sector-remains-most-targeted-threat-actors-ibm


∗∗∗ Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool ∗∗∗
---------------------------------------------
We review samples of recent Hancitor infections, share relatively new indicators and provide examples of an associated network ping tool.
---------------------------------------------
https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/


∗∗∗ The best laid plans or lack thereof: Security decision-making of different stakeholder groups. (arXiv:2104.00284v1 [cs.CR]) ∗∗∗
---------------------------------------------
Cyber security requirements are influenced by the priorities and decisions of a range of stakeholders. Board members and CISOs determine strategic priorities. Managers have responsibility for resource allocation and project management. Legal professionals concern themselves with regulatory compliance. Little is understood about how the security decision-making approaches of these different stakeholders contrast, and if particular groups of stakeholders have a better appreciation of security [...]
---------------------------------------------
http://arxiv.org/abs/2104.00284


∗∗∗ FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) and CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco Jabber for Windows DLL Preloading Vulnerability ∗∗∗
---------------------------------------------
Version: 1.2 
Description: Added information about additional software fixes because of a regression that reintroduced this vulnerability in subsequent software versions.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-jabber-dll


∗∗∗ F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) ∗∗∗
---------------------------------------------
# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) 
# Exploit Author: Al1ex 
# Vendor Homepage: https://www.f5.com/products/big-ip-services 
# Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2 
# CVE : CVE-2021-22986 
https://github.com/Al1ex/CVE-2021-22986
---------------------------------------------
https://www.exploit-db.com/exploits/49738


∗∗∗ K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 ∗∗∗
---------------------------------------------
Indicators of compromise 
Important: F5 last updated this section on March 26, 2021 at 5:45 PM Pacific time. 
The information in this section is based on evidence that F5 has collected and believes to be reliable indicators of compromise. It is important to note that exploited systems may show different indicators, and a skilled attacker may be able to remove traces of their work. It is impossible to prove a device is not compromised; if you have any uncertainty, consider the device to be compromised.
---------------------------------------------
https://support.f5.com/csp/article/K03009991


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (busybox, ldb, openjpeg2, spamassassin, and underscore), Fedora (kernel, kernel-headers, and kernel-tools), Mageia (privoxy, python and python3, and rpm), openSUSE (ovmf, tar, and tomcat), SUSE (curl, firefox, OpenIPMI, and tomcat), and Ubuntu (openexr).
---------------------------------------------
https://lwn.net/Articles/851511/


∗∗∗ March 31, 2021   TNS-2021-05   [R1] Nessus 8.13.2 Fixes Multiple Third-party Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2021-05

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily