[CERT-daily] Tageszusammenfassung - 29.03.2021

Mon Mar 29 18:19:06 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 26-03-2021 18:00 − Montag 29-03-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Git-Hosting: Angriff auf PHPs Code-Repository ∗∗∗
---------------------------------------------
Im Git-Repository von PHP wurden zwei Hintertüren eingefügt. Als Konsequenz will man den Code künftig nicht mehr selbst hosten.
---------------------------------------------
https://www.golem.de/news/git-hosting-angriff-auf-phps-code-repository-2103-155321-rss.html


∗∗∗ Spyware: Android-Malware gibt sich als Systemupdate aus ∗∗∗
---------------------------------------------
Über den Trojaner, der sich als Android-Update ausgibt, lassen sich die betroffenen Geräte komplett übernehmen.
---------------------------------------------
https://www.golem.de/news/spyware-android-malware-gibt-sich-als-systemupdate-aus-2103-155332-rss.html


∗∗∗ Here Are the Free Ransomware Decryption Tools You Need to Use [2021 Updated] ∗∗∗
---------------------------------------------
If your network gets infected with ransomware, follow the steps below to recover essential data: Step 1: Do not pay the ransom because there is no guarantee that the ransomware creators will give you access to your data. Step 2: Find any available backups you have, and consider keeping your data backups in secure, off-site locations. Step [...]
---------------------------------------------
https://heimdalsecurity.com/blog/ransomware-decryption-tools/


∗∗∗ Malware Analysis with elastic-agent and Microsoft Sandbox, (Fri, Mar 26th) ∗∗∗
---------------------------------------------
Microsoft describes the "Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. [...] Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension."[6]
---------------------------------------------
https://isc.sans.edu/diary/rss/27248


∗∗∗ [SANS ISC] Jumping into Shellcode ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Jumping into Shellcode“: Malware analysis is exciting because you never know what you will find. In previous diaries, I already explained why it’s important to have a look at groups of interesting Windows API call to detect some behaviors. The classic example is code [...]
---------------------------------------------
https://blog.rootshell.be/2021/03/29/sans-isc-jumping-into-shellcode/


∗∗∗ Analyzing And Micropatching With Tetrane REVEN (Part 1, CVE-2021-26897) ∗∗∗
---------------------------------------------
March 2021 Windows Updates included fixes for seven vulnerabilities in Windows DNS Server, two of which were marked by Microsoft as "Exploitation More Likely": CVE-2021-26877 and CVE-2021-26897. They were not known to be exploited and no details were publicly available until security researchers Eoin Carroll and Kevin McGrath published their analysis on McAfee Labs blog. Their article included enough information for us to reproduce both vulnerabilities, [...]
---------------------------------------------
https://blog.0patch.com/2021/03/analyzing-and-micropatching-with.html


∗∗∗ Hades Ransomware Hits Big Firms, but Operators Slow to Respond to Victims ∗∗∗
---------------------------------------------
Researchers from CrowdStrike, Accenture, and Awake Security have dissected some of the attacks involving the Hades ransomware and published information on both the malware itself and the tactics, techniques and procedures (TTPs) employed by its operators.
---------------------------------------------
https://www.securityweek.com/hades-ransomware-hits-big-firms-operators-slow-respond-victims


∗∗∗ Threat Assessment: Matrix Ransomware ∗∗∗
---------------------------------------------
We provide an overview of the Matrix ransomware family and offer indicators of compromise in this companion to the Unit 42 Ransomware Threat Report.
---------------------------------------------
https://unit42.paloaltonetworks.com/matrix-ransomware/


∗∗∗ Sodinokibi (aka REvil) Ransomware ∗∗∗
---------------------------------------------
Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind [...]
---------------------------------------------
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Exchange Server Post-Compromise Attack Activity Shared by Microsoft ∗∗∗
---------------------------------------------
In the context of ongoing Exchange Server attacks, Microsoft has shared information detailing post-compromise activity which has infected vulnerable targets with ransomware and a botnet. 
---------------------------------------------
https://heimdalsecurity.com/blog/exchange-server-post-compromise-attack-activity-shared-by-microsoft/


∗∗∗ Sicherheitslücke: npm-Paket Netmask ignoriert das Oktalsystem in IP-Adressen ∗∗∗
---------------------------------------------
Die verbreitete Library wertet Oktalzahlen nicht korrekt aus und interpretiert dadurch unter anderem private Adressen potenziell als öffentlich und umgekehrt.
---------------------------------------------
https://heise.de/-6000759


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (awstats, busybox, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gitlab, godot, groovy, libebml, mkinitcpio-busybox, openssl, python2, vivaldi, webkit2gtk, and wpewebkit), CentOS (firefox and thunderbird), Debian (pygments, spamassassin, thunderbird, and webkit2gtk), Fedora (CGAL, dotnet3.1, dotnet5.0, firefox, kernel, qt, and xen), Mageia (imagemagick, jackson-databind, openscad, redis, and unbound), openSUSE [...]
---------------------------------------------
https://lwn.net/Articles/851061/


∗∗∗ Newly-Discovered Vulnerabilities Could Allow for Bypass of Spectre Mitigations in Linux ∗∗∗
---------------------------------------------
Bugs could allow a malicious user to access data belonging to other users.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spectre-bypass-linux-vulnerabilities


∗∗∗ Philips Gemini PET/CT Family ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Storage of Sensitive Data in a Mechanism Without Access Control vulnerability in Philips Gemini PET/CT Family scanners.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-084-01


∗∗∗ Weintek EasyWeb cMT ∗∗∗
---------------------------------------------
This advisory contains mitigations for Code Injection, Improper Access Control, and Cross-site Scripting vulnerabilities in Weintek EasyWeb cMT human-machine interface (HMI) products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-082-01


∗∗∗ Apple Security Updates March 26 2021 - Possible in the Wild Exploitation ∗∗∗
---------------------------------------------
Apple has published security updates for iOS, iOS and iPadOS, and watchOS. The updates all address the same, single vulnerability, in WebKit. The vulnerability may have been exploited in the wild.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/f7a453892e4d0d7f1e0a77077eafc7c1


∗∗∗ CVE-2021-25646: Getting Code Execution on Apache Druid ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Pengsu Cheng and Prosenjit Sinha of the Trend Micro Research Team detail a recent code execution vulnerability in the Apache Druid database. The bug was originally discovered and reported by Litch1 from the Security Team of Alibaba Cloud. The following is a portion of their write-up covering CVE-2021-25646, with a few minimal modifications.
---------------------------------------------
https://www.thezdi.com/blog/2021/3/25/cve-2021-25646-getting-code-execution-on-apache-druid


∗∗∗ [webapps] WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/49718


∗∗∗ OpenSSL vulnerability CVE-2021-3449 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K83623027


∗∗∗ OpenSSL vulnerability CVE-2021-3450 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52171694

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily