[CERT-daily] Tageszusammenfassung - 30.09.2021
Daily end-of-shift report
team at cert.at
Thu Sep 30 18:25:06 CEST 2021
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 29-09-2021 18:00 − Donnerstag 30-09-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ RansomEXX ransomware Linux encryptor may damage victims files ∗∗∗
---------------------------------------------
Cybersecurity firm Profero has discovered that the RansomExx gang does not correctly lock Linux files during encryption, leading to potentially corrupted files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-linux-encryptor-may-damage-victims-files/
∗∗∗ Stop That Phish! ∗∗∗
---------------------------------------------
Although ransomware holds a significant mindshare in security, phishing continues to be an effective and efficient tool for threat actors. In this blog, Tim Helming walks through various anti-phishing tools and methods available to defenders.
---------------------------------------------
https://www.domaintools.com/resources/blog/stop-that-phish
∗∗∗ An overview of malware hashing algorithms ∗∗∗
---------------------------------------------
VirusTotals "Basic Properties" tab alone lists eight different hashes and supports even more to use them for queries and hunt signatures. Hashes are important for malware analysis, as well as identification, description and detection. But why do so many of them exist and when should you use which hash function?
---------------------------------------------
https://www.gdatasoftware.com/blog/2021/09/an-overview-of-malware-hashing-algorithms
∗∗∗ TLS-Zertifikate: Altes Lets-Encrypt-Root läuft ab ∗∗∗
---------------------------------------------
Bei Fehlkonfigurationen und alten Geräten können Zertifikatsfehler mit Lets Encrypt auftreten.
---------------------------------------------
https://www.golem.de/news/tls-zertifikate-altes-let-s-encrypt-root-laeuft-ab-2109-159989-rss.html
∗∗∗ GhostEmperor: From ProxyLogon to kernel mode ∗∗∗
---------------------------------------------
While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.
---------------------------------------------
https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/
∗∗∗ What is Cryptocurrency Mining Malware? ∗∗∗
---------------------------------------------
Cryptocurrency mining malware is typically a stealthy malware that farms the resources on a system (computers, smartphones, and other electronic devices connected to the internet) to generate revenue for the cyber criminals controlling it. Instead of using video game consoles or graphics card farms, these particular cryptominers are using the computers and servers of the people around them for their processing power - without permission.
---------------------------------------------
https://blog.sucuri.net/2021/09/what-is-cryptocurrency-mining-malware-2.html
∗∗∗ Apple-Pay-Funktion erlaubt angeblich Geldklau von gesperrten iPhones ∗∗∗
---------------------------------------------
Sicherheitsexperten haben die Express-ÖPNV-Funktion auf Herz und Nieren getestet und kommen zu dem Schluss, dass unerwünschte Visa-Zahlungen möglich sind.
---------------------------------------------
https://heise.de/-6204960
∗∗∗ Bericht: Android-Trojaner GriftHorse kassiert bei über 10 Millionen Opfern ab ∗∗∗
---------------------------------------------
Online-Kriminelle sollen mit Trojaner-Apps Abos abschließen und darüber hunderte Millionen Euro erbeutet haben, warnen Sicherheitsforscher.
---------------------------------------------
https://heise.de/-6205272
∗∗∗ A wolf in sheeps clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus ∗∗∗
---------------------------------------------
By Vitor Ventura and Arnaud Zobec. Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware.
---------------------------------------------
https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html
∗∗∗ Telemetry Report Shows Patch Status of High-Profile Vulnerabilities ∗∗∗
---------------------------------------------
A record number of new security vulnerabilities (18,352) were reported in 2020. This year, the number is likely to be higher (13,002 by September 1). The problem with a zero-day vulnerability is that it remains a zero-day until it is patched by both the vendor and the user.
---------------------------------------------
https://www.securityweek.com/telemetry-report-shows-patch-status-high-profile-vulnerabilities
∗∗∗ The Ransomware Threat in 2021 ∗∗∗
---------------------------------------------
New research from Symantec finds that organizations face an unprecedented level of danger from targeted ransomware attacks as the number of adversaries multiply alongside an increased sophistication in tactics.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-targeted-2021
∗∗∗ Facebook open-sources internal tool used to detect security bugs in Android apps ∗∗∗
---------------------------------------------
Facebook has open-sourced Mariana Trench, one of its internal security tools, used by its security teams for finding and fixing bugs in Android and Java applications.
---------------------------------------------
https://therecord.media/facebook-open-sources-internal-tool-used-to-detect-security-bugs-in-android-apps/
∗∗∗ Ransomware attack disrupts hundreds of bookstores across France, Belgium, and the Netherlands ∗∗∗
---------------------------------------------
Hundreds of bookstores across France, Belgium, and the Netherlands have had their operations disrupted this week after a ransomware attack crippled the IT systems of TiteLive, a French company that operates a SaaS platform for book sales and inventory management.
---------------------------------------------
https://therecord.media/ransomware-attack-disrupts-hundreds-of-bookstores-across-france-belgium-and-the-netherlands/
∗∗∗ After the storm - how to move on with NTLM ∗∗∗
---------------------------------------------
I remember that, about 15 years ago, we already flagged the absence of SMB signing as a vulnerability in reports. Though at that time, we circled more around the theoretical risk of someone tampering SMB traffic due to the lack of integrity protection. None of us really had an idea how to make use of that vulnerability. The later obviously changed.
---------------------------------------------
https://cyberstoph.org/posts/2021/09/after-the-storm-how-to-move-on-with-ntlm/
=====================
= Vulnerabilities =
=====================
∗∗∗ Linkit - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-042 ∗∗∗
---------------------------------------------
Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field. It does not sufficiently sanitize user input. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit an entity bundle.
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-042
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libxstream-java, uwsgi, and weechat), Fedora (libspf2, libvirt, mingw-python3, mono-tools, python-flask-restx, and sharpziplib), Mageia (gstreamer, libgcrypt, libgd, mosquitto, php, python-pillow, qtwebengine5, and webkit2), openSUSE (postgresql12 and postgresql13), SUSE (haproxy, postgresql12, postgresql13, and rabbitmq-server), and Ubuntu (commons-io and linux-oem-5.13).
---------------------------------------------
https://lwn.net/Articles/871424/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM hat 12 Security Bulletins veröffentlicht.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Boston Scientific Zoom Latitude ∗∗∗
---------------------------------------------
This advisory contains mitigations for Use of Password Hash with Insufficient Computational Effort, Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques, Improper Access Control, Missing Support for Integrity Check, and Reliance on Component That is Not Updateable vulnerabilities in the Boston Scientific Zoom Latitude programmer/recorder/monitor (PRM) 3120 model.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210929-01-auth-en
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list