[CERT-daily] Tageszusammenfassung - 07.04.2021

Wed Apr 7 18:14:55 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 06-04-2021 18:00 − Mittwoch 07-04-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Windows XP makes ransomware gangs work harder for their money ∗∗∗
---------------------------------------------
A recently created ransomware decryptor illustrates how threat actors have to support Windows XP, even when Microsoft dropped supporting it seven years ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-xp-makes-ransomware-gangs-work-harder-for-their-money/


∗∗∗ Top Cybercriminal Gangs Are Using EtterSilent Maldoc Builder ∗∗∗
---------------------------------------------
A malicious document builder named EtterSilent is becoming popular amongst cybercriminals as the developers keep improving it in order to avoid being detected by security solutions.
---------------------------------------------
https://heimdalsecurity.com/blog/top-cybercriminal-gangs-are-using-ettersilent-maldoc-builder/


∗∗∗ Malspam with Lokibot vs. Outlook and RFCs, (Tue, Apr 6th) ∗∗∗
---------------------------------------------
Couple of weeks ago, my phishing/spam trap caught an interesting e-mail carrying what turned out to be a sample of the Lokibot Infostealer.
---------------------------------------------
https://isc.sans.edu/diary/rss/27282


∗∗∗ WiFi IDS and Private MAC Addresses, (Wed, Apr 7th) ∗∗∗
---------------------------------------------
Nzyme does focus on WiFi-specific attacks, so it does not care about payload but inspects the 802.11 headers that escape traditional, wired IDSs.
---------------------------------------------
https://isc.sans.edu/diary/rss/27288


∗∗∗ New article: Dissecting the design and vulnerabilities in AZORult C&C panels ∗∗∗
---------------------------------------------
In a new article, Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his teams findings related to the C&C design and some security issues they identified.
---------------------------------------------
https://www.virusbulletin.com/blog/2021/04/new-article-dissecting-design-and-vulnerabilities-azorult-cc-panels/


∗∗∗ Aurora campaign: Attacking Azerbaijan using multiple RATs ∗∗∗
---------------------------------------------
We identified a new Python-based RAT targeting Azerbaijan from the same threat actor we profiled a month ago.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2021/04/aurora-campaign-attacking-azerbaijan-using-multiple-rats/


∗∗∗ Fake Trezor app steals more that $1 million worth of crypto coins ∗∗∗
---------------------------------------------
Several users of Trezor, a small hardware device that acts as a cryptocurrency wallet, have lost fortunes after being duped by a phishing app.
---------------------------------------------
https://blog.malwarebytes.com/social-engineering/2021/04/fake-trezor-app-steals-more-that-1-million-worth-of-crypto-coins/


∗∗∗ White Hats Earn $440,000 for Hacking Microsoft Products on First Day of Pwn2Own 2021 ∗∗∗
---------------------------------------------
On the first day of the Pwn2Own 2021 hacking competition, participants earned more than half a million dollars, including $440,000 for demonstrating exploits against Microsoft products.
---------------------------------------------
https://www.securityweek.com/white-hats-earn-440000-hacking-microsoft-products-first-day-pwn2own-2021


∗∗∗ New wormable Android malware poses as Netflix to hijack WhatsApp sessions ∗∗∗
---------------------------------------------
Users are lured in with the promise of a free premium subscription.
---------------------------------------------
https://www.zdnet.com/article/new-android-malware-poses-as-netflix-to-hijack-whatsapp-sessions/


∗∗∗ Flexible taxonomies and new software for the tag2domain project ∗∗∗
---------------------------------------------
Domain Names are the center piece of locating services on the internet and they can be used for a variety of purposes and services. Understanding the type of services a Domain Name offers is one of the key aspects of Internet Security.
---------------------------------------------
https://cert.at/en/blog/2021/4/flexible-taxonomies-and-new-software-for-the-tag2domain-project


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Notenmanipulation möglich: Große Schwachstelle in Lern-Software Moodle ∗∗∗
---------------------------------------------
Die freie Lernplattform Moodle wies über Jahre eine Sicherheitslücke auf, mit der Schüler unter anderem ihre Noten manipulieren konnten.
---------------------------------------------
https://www.golem.de/news/notenmanipulation-moeglich-grosse-schwachstelle-in-lern-software-moodle-2104-155544-rss.html


∗∗∗ Upload beliebiger Dateien und Umgehung von .htaccess Regeln in Monospace Directus Headless CMS ∗∗∗
---------------------------------------------
Monospace Directus CMS Docker Images, welche Apache als Webserver mit lokalem Storage nutzen, sind von einer Schwachstelle betroffen, über die jeder authentifizierte Nutzer beliebige Dateien und Ordner hochladen kann. In unveränderter Standard-Konfiguration ist Directus somit anfällig für Remote Code Execution und Veränderung von Webserver .htaccess Regeln.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/


∗∗∗ SAP-Produkte: CISA warnt vor Gefahren durch verschleppte Sicherheitsupdates ∗∗∗
---------------------------------------------
Die CISA und Forscher von Onapsis warnen vor Angriffsmöglichkeiten auf SAP-Produkte über sechs ältere Schwachstellen. Updates sind teils schon lange verfügbar.
---------------------------------------------
https://heise.de/-6007209


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by openSUSE (chromium), Oracle (flatpak and kernel), Red Hat (virt:8.3 and virt-devel:8.3), and SUSE (gssproxy and xen).
---------------------------------------------
https://lwn.net/Articles/851868/


∗∗∗ Hitachi ABB Power Grids Multiple Products ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in some Hitachi ABB Power Grids products using IED 61850 interfaces.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-096-01


∗∗∗ Security Advisory - Pointer Double Free Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210407-01-doublefree-en

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily