[CERT-daily] Tageszusammenfassung - 01.03.2021

Daily end-of-shift report team at cert.at
Mon Mar 1 18:20:43 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 26-02-2021 18:00 − Montag 01-03-2021 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Ryuk ransomware now self-spreads to other Windows LAN devices ∗∗∗
---------------------------------------------
A new Ryuk ransomware variant with worm-like capabilities that allow it to spread to other devices on victims local networks has been discovered by the French national cyber-security agency while investigating an attack in early 2021.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spreads-to-other-windows-lan-devices/


∗∗∗ Mobile malware evolution 2020 ∗∗∗
---------------------------------------------
In 2020, Kaspersky mobile products and technologies detected 156,710 new mobile banking Trojans and 20,708 new mobile ransomware Trojans.
---------------------------------------------
https://securelist.com/mobile-malware-evolution-2020/101029/


∗∗∗ Maldocs: Protection Passwords, (Sun, Feb 28th) ∗∗∗
---------------------------------------------
In diary entry "Unprotecting Malicious Documents For Inspection" I explain how to deal with protected malicious Excel documents by removing the protection passwords.
---------------------------------------------
https://isc.sans.edu/diary/rss/27146


∗∗∗ Top 5 der simpelsten und effektivsten Maßnahmen, um Hackerangriffen vorzubeugen ∗∗∗
---------------------------------------------
Ganz egal mit welcher Art von Angreifer man es zu tun hat, die Schritte von der initialen Kompromittierung bis hin zur vollständigen "Domain Dominance" folgen gleichen Mustern.
---------------------------------------------
https://sec-consult.com/de/blog/detail/top-5-der-simpelsten-und-effektivsten-massnahmen-um-hackerangriffen-vorzubeugen/


∗∗∗ Akute Angriffswelle auf Fritzbox-Nutzer, jetzt handeln! ∗∗∗
---------------------------------------------
Mysteriöse Zugriffsversuche von der IP-Adresse 185.232.52.55 verunsichern derzeit zahlreiche Fritzbox-Nutzer. Schützen Sie Ihren Router vor der Angriffswelle.
---------------------------------------------
https://heise.de/-5068111


∗∗∗ New ICS Threat Activity Group: KAMACITE ∗∗∗
---------------------------------------------
The new KAMACITE activity group represents a long-running set of related behaviors targeting electric utilities, oil and gas operations, and various manufacturing since at least 2014.
---------------------------------------------
https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-kamacite/


∗∗∗ Free cybersecurity tool aims to help smaller businesses stay safer online ∗∗∗
---------------------------------------------
NCSC tool aims to help small businesses develop a strategy to protect themselves from cyber crime.
---------------------------------------------
https://www.zdnet.com/article/free-cybersecurity-tool-aims-to-help-smaller-businesses-stay-safer-online/


∗∗∗ Laravel Apps Leaking Secrets ∗∗∗
---------------------------------------------
An attacker logged in through RDP a few days ago to run a “smtp cracker” that scans a list of IP addresses or URLs looking for misconfigured Laravel systems.
---------------------------------------------
https://thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/


∗∗∗ Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures ∗∗∗
---------------------------------------------
New versions of the MINEBRIDGE RAT were discovered and analyzed by Zscaler researchers. Their findings on the TTPs, attribution, C2 infrastructure, and attack flow are published in a recent blog.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/256c2e722c138ff5a1a711314fc88f17



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Authentication Bypass Schwachstelle in Genua GenuGate High Resistance Firewall ∗∗∗
---------------------------------------------
Die Genua GenuGate High Resistance Firewall ist von einer kritischen Authentication Bypass Schwachstelle betroffen. Ein unauthentifizierter Angreifer kann sich durch Manipulation bestimmter HTTP POST Parameter beim Login als beliebiger Benutzer im Admin-Webinterface, Sidechannel Web und Userweb Interface, anmelden und somit die höchsten Rechte (root) erlangen.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/authentication-bypass-genua-genugate/


∗∗∗ Google shares PoC exploit for critical Windows 10 Graphics RCE bug ∗∗∗
---------------------------------------------
Project Zero, Googles 0day bug-hunting team, shared technical details and proof-of-concept (PoC) exploit code for a critical remote code execution (RCE) bug affecting a Windows graphics component.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-shares-poc-exploit-for-critical-windows-10-graphics-rce-bug/


∗∗∗ D-LinkGATE Remote Code Execution ∗∗∗
---------------------------------------------
CVE-Nummern: CVE-2021-27249, CVE-2021-27250 Product: DAP-2020 (Since the vulnerability affects a core component further models might be subject to this vulnerability) Vulnerabilities: - Blind RCE - Blind RCE to full RCE escalation - Log Injection - Arbitrary File Read - Arbitrary File upload - LPE [...]
---------------------------------------------
https://suid.ch/research/DAP-2020_Preauth_RCE_Chain.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, ImageMagick, libexif, thunderbird, and xorg-x11-server), Debian (docker.io, python-aiohttp, and thunderbird), Fedora (chromium, firefox, kernel, and rygel), Mageia (nodejs, pix, and subversion), openSUSE (glibc, gnuplot, nodejs12, nodejs14, pcp, python-cryptography, qemu, and salt), Red Hat (bind and podman), and SUSE (csync2, glibc, java-1_8_0-ibm, nodejs12, nodejs14, python-Jinja2, and rpmlint).
---------------------------------------------
https://lwn.net/Articles/847778/


∗∗∗ Minion privilege escalation exploit patched in SaltStack Salt project ∗∗∗
---------------------------------------------
The bug permitted attackers to perform privilege escalation attacks in the automation software.
---------------------------------------------
https://www.zdnet.com/article/minion-hijacking-flaw-patched-in-saltstack-salt-project/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list