[CERT-daily] Tageszusammenfassung - 07.01.2021

Thu Jan 7 18:20:55 CET 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 05-01-2021 18:00 − Donnerstag 07-01-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ l+f: Security-Albtraum SMB im Browser ∗∗∗
---------------------------------------------
Security-Puristen warnten schon lange vor Techniken wie Webassembly und Websockets. Jetzt zeigt ein Hacker, was damit alles geht.
---------------------------------------------
https://heise.de/-5005070


∗∗∗ PayPal‑Nutzer sind Ziel einer neuen SMS‑Phishing‑Kampagne ∗∗∗
---------------------------------------------
Der Betrug beginnt mit einer SMS, die Nutzer vor verdächtigen Aktivitäten auf ihren Konten warnt.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2021/01/06/paypal-nutzer-sind-ziel-einer-neuen-sms-phishing-kampagne/


∗∗∗ Phishing-Nachrichten auf Facebook im Umlauf! ∗∗∗
---------------------------------------------
Derzeit verschicken Kriminelle Nachrichten über den Facebook-Messenger. Darin befindet sich ein Link, der vorgibt zum Werbemanager von Facebook weiterzuleiten. Tatsächlich handelt es sich jedoch, um eine nachgeahmte und betrügerische Seite. Die Kriminellen hoffen darauf, dass Sie Ihre Daten eingeben und so Zugang zu Ihrem Facebook-Konto und zu Ihren Kreditkartendaten erhalten!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-nachrichten-auf-facebook-im-umlauf/


∗∗∗ Malware using new Ezuri memory loader ∗∗∗
---------------------------------------------
Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments.
---------------------------------------------
https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader


∗∗∗ Babuk Locker is the first new enterprise ransomware of 2021 ∗∗∗
---------------------------------------------
Its a new year, and with it comes a new ransomware called Babuk Locker that targets corporate victims in human-operated attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/


∗∗∗ FBI warns of Egregor ransomware extorting businesses worldwide ∗∗∗
---------------------------------------------
The US Federal Bureau of Investigation (FBI) has sent a security alert warning private sector companies that the Egregor ransomware operation is actively targeting and extorting businesses worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-egregor-ransomware-extorting-businesses-worldwide/


∗∗∗ Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident ∗∗∗
---------------------------------------------
DomainTools researchers recently learned of a ransomware campaign targeting multiple entities. The incident highlighted several methods of network and malware analysis that can be used to gain a greater understanding of individual campaigns.
---------------------------------------------
https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident


∗∗∗ NSA Urges SysAdmins to Replace Obsolete TLS Protocols ∗∗∗
---------------------------------------------
The NSA released new guidance providing system administrators with the tools to update outdated TLS protocols.
---------------------------------------------
https://threatpost.com/nsa-urges-sysadmins-to-replace-obsolete-tls-protocols/162814/


∗∗∗ Bogus CSS Injection Leads to Stolen Credit Card Details ∗∗∗
---------------------------------------------
A client recently reported their customers were receiving antivirus warnings when trying to access and purchase products from a Magento ecommerce website. This is almost always a telltale sign that something is amiss, and so I began my investigation. Malware in Database Tables As is pretty common with Magento credit card swiper investigations, my initial scans came up clean. Attackers are writing new pieces of malware like it’s going out of style, so there are very frequently new [...]
---------------------------------------------
https://blog.sucuri.net/2021/01/bogus-css-injection-leads-to-stolen-credit-card-details.html


∗∗∗ A Deep Dive into Lokibot Infection Chain ∗∗∗
---------------------------------------------
Lokibot is one of the most well-known information stealers on the malware landscape. In this post, well provide a technical breakdown of one of the latest Lokibot campaigns. Talos also has a new script to unpack the droppers third stage.
---------------------------------------------
https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html


∗∗∗ TA551: Email Attack Campaign Switches from Valak to IcedID ∗∗∗
---------------------------------------------
We continue to monitor the email attack campaign TA551, AKA Shathak, which has recently pushed IcedID, a family of information-stealing malware.
---------------------------------------------
https://unit42.paloaltonetworks.com/ta551-shathak-icedid/


∗∗∗ Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020 ∗∗∗
---------------------------------------------
Security firm Recorded Future said it tracked more than 10,000 malware command and control servers last year, used across more than 80 malware families.
---------------------------------------------
https://www.zdnet.com/article/cobalt-strike-and-metasploit-accounted-for-a-quarter-of-all-malware-c-c-servers-in-2020/


∗∗∗ A DoppelPaymer Ransomware Overview ∗∗∗
---------------------------------------------
Believed to be based on the BitPaymer ransomware, the DoppelPaymer ransomware emerged in 2019. Since then it has been used in number of high profile attacks. Trend Micro Research has published an overview of the DoppelPaymer ransomware.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/7c157bb8989d76730fed733016c2004d


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Gefährliche Sicherheitslücken in Office-Anwendung TextMaker ∗∗∗
---------------------------------------------
Angreifer könnten TextMaker-Nutzer attackieren. Die Gefahrenstufe gilt als hoch.
---------------------------------------------
https://heise.de/-5005181


∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Genivia gSOAP ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in various Genivia gSOAP toolkit plugins. These vulnerabilities could allow an attacker to carry out a variety of malicious activities, including causing a denial of service on the victim machine or gaining the ability to execute arbitrary code. The gSOAP toolkit is a C/C++ library for developing XML-based web services.
---------------------------------------------
https://blog.talosintelligence.com/2021/01/vuln-spotlight-genivia-gsoap-.html


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cairo, dovecot, and minidlna), Oracle (ImageMagick), Scientific Linux (ImageMagick), SUSE (clamav, dovecot23, java-1_8_0-ibm, and tomcat), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, [...]
---------------------------------------------
https://lwn.net/Articles/841873/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-websocket, nodejs, and pacemaker), Fedora (mingw-binutils and rubygem-em-http-request), and Ubuntu (linux-oem-5.6 and p11-kit).
---------------------------------------------
https://lwn.net/Articles/841977/


∗∗∗ Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks ∗∗∗
---------------------------------------------
Several potentially serious vulnerabilities discovered in Fortinet’s FortiWeb web application firewall (WAF) could expose corporate networks to attacks, according to the researcher who found them.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-fortinet-waf-can-expose-corporate-networks-attacks


∗∗∗ ICS-CERT Security Advisories - January 5th, 2021 ∗∗∗
---------------------------------------------
ICS-CERT has released six security advisories addressing vulnerabilities in ICS-related devices and software.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/f9e8dce556fb93fa97530e3e1dd5704c


∗∗∗ Security Bulletin: Spectrum Discover has addressed multiple security vulnerabilities (CVE-2020-13401, CVE-2019-20372) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-spectrum-discover-has-addressed-multiple-security-vulnerabilities-cve-2020-13401-cve-2019-20372/


∗∗∗ Security Bulletin: Stored Cross-Site Scripting Vulnerability Affects IBM Emptoris Sourcing (CVE-2020-4895) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-stored-cross-site-scripting-vulnerability-affects-ibm-emptoris-sourcing-cve-2020-4895/


∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple Go vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affected-by-multiple-go-vulnerabilities/


∗∗∗ Security Bulletin: Upgrade to IBP v2.5.1 to address recent concerns/issues with Golang versions other than 1.14.12 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-upgrade-to-ibp-v2-5-1-to-address-recent-concerns-issues-with-golang-versions-other-than-1-14-12/


∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-management-system-monitor-is-affected-by-a-vulnerability-in-ibm-sdk-java-technology-edition-3/


∗∗∗ Security Bulletin: Communication between burst buffer processes not properly secured ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-communication-between-burst-buffer-processes-not-properly-secured/


∗∗∗ Security Bulletin: Lucky 13 Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2020-4898) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-lucky-13-vulnerability-affects-ibm-emptoris-strategic-supply-management-platform-cve-2020-4898/


∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU minus CVE-2020-14782 affects Liberty for Java for IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020-includes-oracle-oct-2020-cpu-minus-cve-2020-14782-affects-liberty-for-java-for-ibm-cloud/


∗∗∗ Security Bulletin: Information Disclosure Vulnerability Affects IBM Emptoris Spend Analysis (CVE-2020-4897) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-affects-ibm-emptoris-spend-analysis-cve-2020-4897/


∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is affected by multiple Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-affected-by-multiple-node-js-vulnerabilities-2/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily