[CERT-daily] Tageszusammenfassung - 26.03.2021

Fri Mar 26 18:20:44 CET 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 25-03-2021 18:00 − Freitag 26-03-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ FBI exposes weakness in Mamba ransomware, DiskCryptor ∗∗∗
---------------------------------------------
An alert from the U.S. Federal Bureau of Investigation about Mamba ransomware reveals a weak spot in the encryption process that could help targeted organizations recover from the attack without paying the ransom.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-exposes-weakness-in-mamba-ransomware-diskcryptor/


∗∗∗ Office macro execution evidence, (Fri, Mar 26th) ∗∗∗
---------------------------------------------
Microsoft Office Macros continue to be the security nightmare that they have been for the past 3 decades. System and security admins everywhere continue to try to protect their users from prevalent macro malware, but they find Microsoft's tooling often less than helpful.
---------------------------------------------
https://isc.sans.edu/diary/rss/27244


∗∗∗ New 5G Flaw Exposes Priority Networks to Location Tracking and Other Attacks ∗∗∗
---------------------------------------------
New research into 5G architecture has uncovered a security flaw in its network slicing and virtualized network functions that could be exploited to allow data access and denial of service attacks between different network slices on a mobile operators 5G network. AdaptiveMobile shared its findings with the GSM Association (GSMA) on February 4, 2021, following which the weaknesses were [...]
---------------------------------------------
https://thehackernews.com/2021/03/new-5g-flaw-exposes-priority-networks.html


∗∗∗ Perkiler malware turns to SMB brute force to spread ∗∗∗
---------------------------------------------
Perkiler is now using SMB brute force attacks to spread. Which is not a new concept, but why attack SMB instead of RDP?
---------------------------------------------
https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/


∗∗∗ Dumping LSASS in memory undetected using MirrorDump ∗∗∗
---------------------------------------------
As I am sure some of you are aware from the occasional ramblings and screenshots on twitter, I am a big fan of .NET based offensive tooling. Not because [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/dumping-lsass-in-memory-undetected-using-mirrordump/


∗∗∗ 20 Million Miners: Finding Malicious Cryptojacking Images in Docker Hub ∗∗∗
---------------------------------------------
Container images are a simple way to distribute software - including malicious cryptojacking images attackers use to distribute cryptominers.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-cryptojacking-images/


∗∗∗ Exchange Server attacks: Microsoft shares intelligence on post-compromise activities ∗∗∗
---------------------------------------------
If youre cleaning up a infected Exchange server, you need to look for traces of multiple threats, warns Microsoft.
---------------------------------------------
https://www.zdnet.com/article/exchange-server-attacks-microsoft-shares-intelligence-on-post-compromise-activities/


∗∗∗ Aktuelle Information zu den ProxyLogon Exchange Schwachstellen in Österreich ∗∗∗
---------------------------------------------
TL;DR   254 Exchange Server nach wie vor ungepatcht (Stand: 2021-03-26). Am 18. März waren es noch 839.
Von 23. März bis 26.März wurden insgesamt 437 Webshells in Österreich gefunden.
Die Patch-Rate hat etwas abgenommen. Wir sehen die übliche exponentielle Abnahme der verwundbaren Systeme.
Allerdings dürfte die ab 18. März durch Microsoft Defender automatisch durchgeführte Mitigation ihren Zweck erfüllt haben.
---------------------------------------------
https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-proxylogon-exchange-schwachstellen-in-osterreich


∗∗∗ PsExec Privilege Escalation in Windows Fixed ∗∗∗
---------------------------------------------
A component of Microsofts Sysinternals utility was found in January 2021 to be vulnerable to privilege escalation. According to the release notes from Microsoft: "This update to PsExec mitigates named pipe squatting attacks that can be leveraged by an attacker to intercept credentials or elevate to System privilege.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/e97cd1b85394822631fcc1589f7ff16d


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Microsoft releases Windows 10 SSU to fix security update issue ∗∗∗
---------------------------------------------
Microsoft has released the Windows 10 1909 KB5000850 cumulative update preview and a new KB5001205 Servicing Stack Update that resolves a Secure Boot vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-ssu-to-fix-security-update-issue/


∗∗∗ Another Critical RCE Flaw Discovered in SolarWinds Orion Platform ∗∗∗
---------------------------------------------
IT infrastructure management provider SolarWinds on Thursday released a new update to its Orion networking monitoring tool with fixes for four security vulnerabilities, counting two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution (RCE). Chief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via [...]
---------------------------------------------
https://thehackernews.com/2021/03/solarwinds-orion-vulnerability.html


∗∗∗ Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 ∗∗∗
---------------------------------------------
On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. This advisory will be updated as additional information becomes available.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd


∗∗∗ Sicherheitsupdates: Angreifer könnten Samba-LDAP-Server crashen ∗∗∗
---------------------------------------------
Mehrere Schwachstellen in Samba gefährden Systeme. Abgesicherte Versionen stehen zum Download bereit.
---------------------------------------------
https://heise.de/-5999401


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, jquery, openssl, and thunderbird), openSUSE (openssl-1_1 and tor), Oracle (firefox and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (libzypp, zypper and openssl-1_1), and Ubuntu (firefox, ldb, openssl, and ruby2.0).
---------------------------------------------
https://lwn.net/Articles/850703/


∗∗∗ Synology-SA-21:13 Samba AD DC ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers and remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_13


∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210324-01-dos-en


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-license-metric-tool-v9-3/


∗∗∗ Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-java-se-affects-rational-build-forge-4/


∗∗∗ Security Bulletin: Multiple vulnerabilities in node.js may affect configuration editor used in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-1971, CVE-2020-8265, CVE-2020-8287 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-node-js-may-affect-configuration-editor-used-in-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2020-1971-cve-2020-8265-c/


∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM License Metric Tool v9 (CVE-2020-14782). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-sdk-affects-ibm-license-metric-tool-v9-cve-2020-14782/


∗∗∗ Intel Ethernet Controller vulnerabilities CVE-2020-24497, CVE-2020-24498, CVE-2020-24500, CVE-2020-24501, and CVE-2020-24505 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K85738358

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily