[CERT-daily] Daily summary - 02.02.2021

Daily end-of-shift report team at cert.at
Tue Feb 2 18:11:08 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 01-02-2021 18:00 − Tuesday 02-02-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ New Linux malware steals SSH credentials from supercomputers ∗∗∗
---------------------------------------------
A new backdoor has been targeting supercomputers across the world, often stealing the credentials for secure network connections by using a trojanized version of the OpenSSH software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-steals-ssh-credentials-from-supercomputers/


∗∗∗ Malicious script steals credit card info stolen by other hackers ∗∗∗
---------------------------------------------
A threat actor has infected an e-commerce store with a custom credit card skimmer designed to siphon data stolen by a previously deployed Magento card stealer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-script-steals-credit-card-info-stolen-by-other-hackers/


∗∗∗ New Threat: Matryosh Botnet Is Spreading ∗∗∗
---------------------------------------------
On January 25, 2021, 360 netlab BotMon system labeled a suspicious ELF file as Mirai, but the network traffic did not match Mirai's characteristics.
---------------------------------------------
https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/


∗∗∗ New Example of XSL Script Processing aka "Mitre T1220", (Tue, Feb 2nd) ∗∗∗
---------------------------------------------
Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign.
---------------------------------------------
https://isc.sans.edu/diary/rss/27056


∗∗∗ Agent Tesla Malware Spotted Using New Delivery & Evasion Techniques ∗∗∗
---------------------------------------------
Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims.
---------------------------------------------
https://thehackernews.com/2021/02/agent-tesla-malware-spotted-using-new.html


∗∗∗ Operation Dream Job by Lazarus ∗∗∗
---------------------------------------------
Lazarus (also known as Hidden Cobra) is known to use various kinds of malware in its attack operations, and we have introduced some of them in our past articles. In this article, we present two more; Torisma and LCPDot.
---------------------------------------------
https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html


∗∗∗ New Trickbot module uses Masscan for local network reconnaissance ∗∗∗
---------------------------------------------
The new Trickbot module is used to scan local networks for other nearby systems with open ports that could be hacked for quick lateral movement inside a company.
---------------------------------------------
https://www.zdnet.com/article/new-trickbot-module-uses-masscan-for-local-network-reconnaissance/


∗∗∗ Microsoft tracked a system sending a million malware emails a month. Here's what it discovered ∗∗∗
---------------------------------------------
Emerging attacker email infrastructure now sends over a million malware-laden emails each month.
---------------------------------------------
https://www.zdnet.com/article/microsoft-tracked-a-system-sending-a-million-malware-emails-a-month-heres-what-it-discovered/


∗∗∗ Operation NightScout: Supply‑chain attack targets online gaming in Asia ∗∗∗
---------------------------------------------
ESET researchers uncover a supply-chain attack used in a cyberespionage operation targeting online‑gaming communities in Asia.
---------------------------------------------
https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/


∗∗∗ Prize draw in the name of Hofer leads to subscription trap ∗∗∗
---------------------------------------------
Caution: criminals are posing as Hofer and sending e-mails about a supposed prize.
---------------------------------------------
https://www.watchlist-internet.at/news/gewinnspiel-im-namen-von-hofer-fuehrt-in-abo-falle/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ VU#125331: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs ∗∗∗
---------------------------------------------
Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/125331


∗∗∗ DSA-4843 linux - security update ∗∗∗
---------------------------------------------
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
---------------------------------------------
https://www.debian.org/security/2021/dsa-4843


∗∗∗ Apple Releases Security Updates ∗∗∗
---------------------------------------------
Apple has released security updates to address vulnerabilities in macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/apple-releases-security-updates


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, libdatetime-timezone-perl, python-django, thunderbird, and tzdata), Fedora (kf5-messagelib and qt5-qtwebengine), Mageia (kernel-linus), openSUSE (firefox, jackson-databind, and messagelib), Oracle (flatpak), Red Hat (glibc, kernel, kernel-alt, kernel-rt, linux-firmware, net-snmp, perl, qemu-kvm, and qemu-kvm-ma), SUSE (firefox, java-11-openjdk, openvswitch, terraform, and thunderbird), and Ubuntu (fastd, firefox, python-django, and qemu).
---------------------------------------------
https://lwn.net/Articles/844865/


∗∗∗ Ransomware gangs are abusing VMware ESXi exploits to encrypt virtual hard disks ∗∗∗
---------------------------------------------
Two VMware ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, reported as abused in the wild.
---------------------------------------------
https://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-exploits-to-encrypt-virtual-hard-disks/


∗∗∗ Google Android: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0115

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



