[CERT-daily] Tageszusammenfassung - 09.04.2021

Daily end-of-shift report team at cert.at
Fri Apr 9 18:17:15 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 08-04-2021 18:00 − Freitag 09-04-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Facebook-Leak: So könnten die Daten abhanden gekommen sein ∗∗∗
---------------------------------------------
Facebook und Linkedin bestreiten, dass es einen Einbruch gab. Andererseits enthalten die Leaks etwa Telefonnumern, die nicht öffentlich einsehbar sein sollten.
---------------------------------------------
https://heise.de/-6009896


∗∗∗ Gehackt: Windows, Ubuntu, Exchange, Teams, Zoom, Chrome, Safari und Edge ∗∗∗
---------------------------------------------
Für Prämien von insgesamt über 1 Million US-Dollar demonstrierten Hacker beim Pwn2Own 2021 erneut Sicherheitslücken in wichtigen IT-Produkten.
---------------------------------------------
https://heise.de/-6010171


∗∗∗ Sony bestätigt PS5-Betrug durch Fake-Shop "playstation-sony.eu" ∗∗∗
---------------------------------------------
Der aufwendig gestaltete Online-Shop gehört nicht zum Sony-Konzern. Analysen deuten auf ein großes Betrugs-Netzwerk hin. Spuren führen in die Ukraine.
---------------------------------------------
https://heise.de/-6009907


∗∗∗ Cisco: Keine Patches mehr für angreifbare SoHo-Router ∗∗∗
---------------------------------------------
Weil die Produkte nicht mehr unterstützt werden, will Cisco keine Fixes bereit stellen. Die Kunden sollen neuere Modelle kaufen.
---------------------------------------------
https://heise.de/-6010387


∗∗∗ Trojan detected in APKPure Android app store client software ∗∗∗
---------------------------------------------
Doctor Web specialists have discovered a malicious functionality in APKPure - an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission. The APKPure is one of the oldest and the most popular third-party games and software catalogs for the Android OS.
---------------------------------------------
https://news.drweb.com/show/?i=14188&lng=en&c=9


∗∗∗ IcedID Banking Trojan Surges: The New Emotet? ∗∗∗
---------------------------------------------
A widespread email campaign using malicious Microsoft Excel attachments and Excel 4 macros is delivering IcedID at high volumes, suggesting its filling the Emotet void.
---------------------------------------------
https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/


∗∗∗ Threat matrix for storage services ∗∗∗
---------------------------------------------
Storage services are one of the most popular services in the cloud. In this blog, we outline potential risks that you should be aware of when deploying, configuring, or monitoring your storage environment.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/


∗∗∗ [SANS ISC] No Python Interpreter? This Simple RAT Installs Its Own Copy ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "No Python Interpreter? This Simple RAT Installs Its Own Copy": For a while, I’m keeping an eye on malicious Python code targeting Windows environments. If Python looks more and more popular, attackers are facing a major issue: Python is not installed by default on most Windows operating systems.
---------------------------------------------
https://blog.rootshell.be/2021/04/09/sans-isc-no-python-interpreter-this-simple-rat-installs-its-own-copy/


∗∗∗ Detecting Exposed Cobalt Strike DNS Redirectors ∗∗∗
---------------------------------------------
This research will focus on some of the active detections that can be used to fingerprint exposed Cobalt Strike servers that are using DNS as a communication channel. Although the research approach will be a bit different, the outcome will be similar to what JARM did for HTTP/HTTPs restricted to the scope of Cobalt Strike.
---------------------------------------------
https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors


∗∗∗ Sysrv Botnet Expands and Gains Persistence ∗∗∗
---------------------------------------------
On March 4, 2021, Juniper Threat Labs identified a surge of activity of the Sysrv botnet. The botnet spread itself into Windows and Linux systems by exploiting multiple vulnerabilities, which we will cover in this blog. The threat actor’s objective is to install a Monero cryptominer. The attack remains active. Here’s what we’ve seen so far.
---------------------------------------------
https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence


∗∗∗ Cryptomining containers caught coining cryptocurrency covertly ∗∗∗
---------------------------------------------
Research has uncovered 30 compromised images in 10 different Docker Hub accounts, representing over 20 million pulls.
---------------------------------------------
https://blog.malwarebytes.com/web-threats/2021/04/cryptomining-containers-caught-coining-cryptocurrency-covertly/


∗∗∗ A deep dive into Saint Bot, a new downloader ∗∗∗
---------------------------------------------
Saint Bot is a downloader that has been used to drop stealers. We take a deep look at it and its accompanying panel.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/


∗∗∗ Vorsicht vor Kreditbetrug auf Facebook! ∗∗∗
---------------------------------------------
Die Auswirkungen der Corona-Krise sorgen immer noch dafür, dass viele Menschen von Finanzhilfen abhängig sind. Kriminelle nutzen dies aus und bieten auf Facebook angebliche Kredite und Darlehen an. Durch Kommentare und Privatnachrichten versuchen die BetrügerInnen das Vertrauen der Opfer zu gewinnen. Die Kredite werden jedoch niemals ausgezahlt, stattdessen sollen die Opfer Vorschusszahlungen leisten.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-kreditbetrug-auf-facebook/


∗∗∗ Using Aviary to Analyze Post-Compromise Threat Activity in M365 Environments ∗∗∗
---------------------------------------------
Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary - a Splunk-based dashboard - facilitates analysis of Sparrow data [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/08/using-aviary-to-analyze-post-compromise-threat-activity



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Vulnerabilities Patched in WP Page Builder ∗∗∗
---------------------------------------------
On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-builder/


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lib3mf, php-pear, and python-django), Fedora (perl-Net-Netmask), openSUSE (flatpak, libostree, xdg-desktop-portal,, fwupd, fwupdate, and hostapd), Oracle (kernel, libldb, nettle, and squid), Red Hat (nettle), and SUSE (fwupdate, tpm2-tss-engine, and umoci).
---------------------------------------------
https://lwn.net/Articles/852110/


∗∗∗ FATEK Automation WinProladder ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Integer Underflow vulnerability in the FATEK Automation WinProladder programmable logic controller.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-098-01


∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0366


∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0364


∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0362

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list