[CERT-daily] Tageszusammenfassung - 25.02.2021
Daily end-of-shift report
team at cert.at
Thu Feb 25 18:19:38 CET 2021
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 24-02-2021 18:00 − Donnerstag 25-02-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Attackers scan for vulnerable VMware servers after PoC exploit release ∗∗∗
---------------------------------------------
After security researchers have developed and published proof-of-concept (PoC) exploit code targeting a critical vCenter remote code execution (RCE) vulnerability, attackers are now actively scanning for vulnerable Internet-exposed VMware servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/attackers-scan-for-vulnerable-vmware-servers-after-poc-exploit-release/
∗∗∗ Lazarus targets defense industry with ThreatNeedle ∗∗∗
---------------------------------------------
In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.
---------------------------------------------
https://securelist.com/lazarus-threatneedle/100803/
∗∗∗ Forensicating Azure VMs, (Thu, Feb 25th) ∗∗∗
---------------------------------------------
With more and more workloads migrating to "the Cloud", we see post-breach forensic investigations also increasingly moving from on-premises to remote instances. If we are lucky and the installation is well engineered, we will encounter a "managed" virtual machine setup, where a forensic agent or EDR (endpoint detection & response) product is pre-installed on our affected VM. Alas, in my experience, this so far seems to be the exception rather than the norm.
---------------------------------------------
https://isc.sans.edu/diary/rss/27136
∗∗∗ Cisco schließt drei kritische, aus der Ferne ausnutzbare Sicherheitslücken ∗∗∗
---------------------------------------------
Jetzt updaten: Im ACI Multi-Site Orchestrator (MSO), in der Application Services Engine und in Nexus-Switches klaff(t)en Remote-Lücken mit "Critical"-Wertung.
---------------------------------------------
https://heise.de/-5065055
∗∗∗ Babuk Ransomware ∗∗∗
---------------------------------------------
Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises, with one already paying the criminals $85,000 after negotiations. As with other variants, this ransomware is deployed in the network of enterprises that the criminals carefully target and compromise.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/
∗∗∗ DarkWorld Ransomware ∗∗∗
---------------------------------------------
Recently, 360 Security Center detected a ransomware that disguised commonly used software and appeared on the network. The virus called itself DarkWorld in the [...]
---------------------------------------------
https://blog.360totalsecurity.com/en/darkworld-ransomware/
∗∗∗ Vorsicht: Beim Shoppen auf falinas.com, falinas.de und falinas.at schließen Sie ein Abo ab! ∗∗∗
---------------------------------------------
Derzeit erreichen uns zahlreiche Meldungen, die vor dem Online-Shop falinas.com warnen. Der Online-Shop ist auch unter falinas.de und falinas.at erreichbar. Die Masche ist auf allen Seiten die gleiche. Man kauft eine der vielen Marken-Beautyprodukte zu einem günstigen Preis. Erst später bemerken die KonsumentInnen, dass sie damit ein teures Abo abgeschlossen haben. Wir empfehlen: Lassen Sie lieber die Finger von falinas.com.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-beim-shoppen-auf-falinascom-falinasde-und-falinasat-schliessen-sie-ein-abo-ab/
∗∗∗ This chart shows the connections between cybercrime groups ∗∗∗
---------------------------------------------
CrowdStrike puts together a list of connections and how cybercrime groups cooperate with each other.
---------------------------------------------
https://www.zdnet.com/article/this-chart-shows-the-connections-between-cybercrime-groups/
∗∗∗ Google Mail Merge Impersonation ∗∗∗
---------------------------------------------
A recent phishing campaign detected by Abnormal Security attempts to steal Outlook credentials through a Google Mail merge lure.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/eaf477f5b5f77df91462fd850effcb01
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ansible-base, keycloak, mumble, and postgresql), Debian (firefox-esr and nodejs), Fedora (dotnet3.1, dotnet5.0, keylime, php-horde-Horde-Text-Filter, radare2, scap-security-guide, and wireshark), openSUSE (postgresql, postgresql13 and python-djangorestframework), Red Hat (Ansible, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (php7, postgresql-jdbc, python-cryptography, rpmlint, and webkit2gtk3), and Ubuntu (dnsmasq, [...]
---------------------------------------------
https://lwn.net/Articles/847390/
∗∗∗ Node.js vulnerability CVE-2020-8277 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K07944249
∗∗∗ Security Bulletin: Vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-linux-kernel-affect-ibm-spectrum-protect-plus/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway (CVE-2020-14803, CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-messagegateway-cve-2020-14803-cve-2020-27221/
∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclosed-vulnerability-affects-messagegateway-cve-2020-1971/
∗∗∗ Security Bulletin: Multiple IBM Java Runtime Vulnerabilities Affect IBM Sterling Connect:Direct Browser User Interface ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-java-runtime-vulnerabilities-affect-ibm-sterling-connectdirect-browser-user-interface/
∗∗∗ Security Bulletin: IBM FileNet Content Manager GraphQL Cross-site request forgery security vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-filenet-content-manager-graphql-cross-site-request-forgery-security-vulnerability/
∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-firmware-used-by-ibm-c-type-san-directors-and-switches-2/
∗∗∗ Security Bulletin: Static Credential Vulnerability in IBM Spectrum Protect Plus (CVE-2020-4854) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-static-credential-vulnerability-in-ibm-spectrum-protect-plus-cve-2020-4854-2/
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM MessageGateway (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-ibm-messagegateway-cve-2020-14781/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list