[CERT-daily] Tageszusammenfassung - 12.04.2021

Daily end-of-shift report team at cert.at
Mon Apr 12 18:39:54 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 09-04-2021 18:00 − Montag 12-04-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ The Top 10 Secrets of Admin Users ∗∗∗
---------------------------------------------
Administrative rights can be some of the most powerful tools in the arsenal of any malicious agent. Look at any enterprise breach of the last few years and you will see admin accounts almost invariably play a central role.
---------------------------------------------
https://www.beyondtrust.com/blog/entry/the-top-10-secrets-of-admin-users


∗∗∗ Pulse Secure VPN users cant login due to expired certificate ∗∗∗
---------------------------------------------
Users worldwide cannot connect to Pulse Secure VPN devices after a code signing certificate used to digitally sign and verify software components has expired.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-users-cant-login-due-to-expired-certificate/


∗∗∗ Microsoft warnt vor Banking-Trojanern ∗∗∗
---------------------------------------------
Eine neue Angriffsmethode von Banking-Trojanern beunruhigt Microsoft. IcedID, auch bekannt als BokBot, ist ein modularer Banking-Trojaner, der es auf die Finanzdaten der Anwender abgesehen hat und als Dropper für andere Malware fungieren kann.
---------------------------------------------
https://www.zdnet.de/88394286/microsoft-warnt-vor-banking-trojanern/


∗∗∗ Messenger-Dienst: Angreifer können Whatsapp-Nutzer aus dem Dienst aussperren ∗∗∗
---------------------------------------------
Durch den massenhaften Versuch, eine Telefonnummer bei Whatsapp zu registrieren, könnte diese letztlich von dem Dienst ausgeschlossen werden.
---------------------------------------------
https://www.golem.de/news/messenger-dienst-angreifer-koennen-whatsapp-nutzer-aus-dem-dienst-aussperren-2104-155648-rss.html


∗∗∗ APKPure: Schadcode in App des alternativen Android-Stores entdeckt ∗∗∗
---------------------------------------------
Wer Android-Anwendungen über APKPure bezieht und dazu die gleichnamige App verwendet, sollte jetzt updaten: Forscher fanden Schadcode in der vorherigen Version.
---------------------------------------------
https://heise.de/-6011340


∗∗∗ Zahlreiche Probleme auf all4you-fashion.com ∗∗∗
---------------------------------------------
Immer häufiger beschäftigen die Watchlist Internet problematische Dropshipping-Angebote. Sie richten sich an österreichische und deutsche KonsumentInnen, halten dabei aber rechtliche Vorgaben nicht ein. Wer beispielsweise auf all4you-fashion.com bestellt, soll trotz „garantierten 30-tägigen Rückgaberechts“ Bearbeitungsgebühren für den Rücktritt bezahlen. Rechtlich muss ein solcher Widerruf aber kostenlos möglich sein.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-probleme-auf-all4you-fashioncom/


∗∗∗ Schadsoftware infiziert halbe Million Huawei-Smartphones über offizielle App Gallery ∗∗∗
---------------------------------------------
Joker Malware war in mehreren Programmen versteckt - SMS-Betrug seit 2017 in immer neuen Formen
---------------------------------------------
https://www.derstandard.at/story/2000125753278/schadsoftware-infiziert-halbe-millionen-huawei-smartphones-ueber-offizielle-app-gallery


∗∗∗ Building an IDS Sensor with Suricata & Zeek with Logs to ELK, (Sat, Apr 10th) ∗∗∗
---------------------------------------------
Over the past several years I have used multiple pre-built sensors using readily available ISO images (rockNSM, SO, OPNSense, etc) but what I was really looking for was just a sensor to parse traffic (i.e Zeek) and IDS alerts (Suricata) to ELK.
---------------------------------------------
https://isc.sans.edu/diary/rss/27296


∗∗∗ How ransomware gangs are connected, sharing resources and tactics ∗∗∗
---------------------------------------------
New research by Analyst1 sheds light on the cooperation between some of the ransomware gangs dominating the cybersecurity news.
---------------------------------------------
https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/


∗∗∗ Recording: Analyzing Android Malware — >From triage to reverse-engineering ∗∗∗
---------------------------------------------
Its easy to get wrapped up worry about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend the truly prolific and widespread threats that target some of the devices [...]
---------------------------------------------
https://blog.talosintelligence.com/2021/04/recording-analyzing-android-malware.html


∗∗∗ Emotet Command and Control Case Study ∗∗∗
---------------------------------------------
We provide a step-by-step technical analysis of Emotet command and control, based on observations from before Emotet threat actors were disrupted.
---------------------------------------------
https://unit42.paloaltonetworks.com/emotet-command-and-control/


∗∗∗ Criminals spread malware using website contact forms with Google URLs ∗∗∗
---------------------------------------------
Crooks are using social engineering to exploit workers efforts to do their jobs.
---------------------------------------------
https://www.zdnet.com/article/criminals-spread-malware-using-website-contact-forms-with-google-urls/


∗∗∗ Critical security alert: If you havent patched this old VPN vulnerability, assume your network is compromised ∗∗∗
---------------------------------------------
Hundreds of organisations that havent applied a Fortinet VPN security update released in 2019 should assume that cyber criminals are trying to take advantage, NCSC warns.
---------------------------------------------
https://www.zdnet.com/article/critical-security-alert-if-you-havent-patched-this-two-year-old-vpn-vulnerability-assume-your-network-is-compromised/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Tripwire Patch Priority Index for March 2021 ∗∗∗
---------------------------------------------
Tripwire’s March 2021 Patch Priority Index (PPI) brings together important vulnerabilities from SaltStack, VWware, BIG-IP and Microsoft. First on the patch priority list this month are patches for vulnerabilities in Microsoft Exchange (CVE-2021-27065, CVE-2021-26855), SaltStack (CVE-2021-25282, CVE-2021-25281), BIG-IP (CVE-2021-22986) and VMware vCenter (CVE-2021-21972). Exploits for these vulnerabilities have been recently added to the Metasploit Exploit [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/vert/tripwire-patch-priority-index-for-march-2021/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel and libldb), Debian (mediawiki, qemu, ruby-kramdown, and xen), Fedora (grub2, libldb, libopenmpt, python-pikepdf, python39, samba, squid, and webkit2gtk3), openSUSE (bcc, ceph, gssproxy, hostapd, isync, kernel, openexr, openSUSE KMPs, and tpm2-tss-engine), SUSE (fwupdate and wpa_supplicant), and Ubuntu (spamassassin).
---------------------------------------------
https://lwn.net/Articles/852339/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list