Daily NCSC-FI news followup 2021-01-19

DNSpooq – 7 vulnerabilities found in dnsmasq, an open-source DNS forwarding software in common use

www.jsof-tech.com/disclosures/dnspooq/ The Dnspooq vulnerabilities include DNS cache poisoning vulnerabilities as well as a potential Remote code execution and others. The list of devices using dnsmasq is long and varied. According to our internet-based research, prominent users of dnsmasq seem to include Cisco routers, Android phones, Aruba devices, Technicolor, and Red-Hat, as well as Siemens, Ubiquiti networks, Comcast, and others listed below. Depending on how they use dnsmasq, devices may be more or less affected, or not affected at all. PDF:

www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf. TheHackerNews:

thehackernews.com/2021/01/a-set-of-severe-flaws-affect-popular.html. ZDnet:

www.zdnet.com/article/dnspooq-lets-attackers-poison-dns-cache-records/. BleepingComputer:

www.bleepingcomputer.com/news/security/dnspooq-bugs-let-attackers-hijack-dns-on-millions-of-devices/

Raindrop: New Malware Discovered in SolarWinds Investigation

symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware Raindrop (Backdoor.Raindrop) is a loader which delivers a payload of Cobalt Strike. Raindrop is very similar to the already documented Teardrop tool, but there are some key differences between the two. Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip source code. The 7-Zip code is not utilized and is designed to hide malicious functionality added by the attackers. ThreaPost:

threatpost.com/solarwinds-malware-arsenal-raindrop/163153/. BleepingComputer:

www.bleepingcomputer.com/news/security/solarwinds-hackers-used-7-zip-code-to-hide-raindrop-cobalt-strike-loader/

FireEye releases tool for auditing networks for techniques used by SolarWinds hackers

www.zdnet.com/article/fireeye-releases-tool-for-auditing-networks-for-techniques-used-by-solarwinds-hackers/ Together with the report, FireEye researchers have also released a free tool on GitHub named Azure AD Investigator that they say can help companies determine if the SolarWinds hackers (also known as UNC2452) used any of these techniques inside their networks. Report:

www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html. GitHub: github.com/fireeye/Mandiant-Azure-AD-Investigator

Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments

blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-… While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments

Linux users should patch now to block new “FreakOut” malware which exploits new vulnerabilities

blog.checkpoint.com/2021/01/19/linux-users-should-patch-now-to-block-new-freakout-malware-which-exploits-new-vulnerabilities/ These ongoing attacks involve a new malware variant. The goal behind these attacks is to create an IRC botnet, which can then be used for malicious activities, such as launching DDoS attacks on other organizations’ networks, or for crypto-mining activity on infected machines, which can potentially shut down entire systems infected. The attack exploits TerraMaster TOS, Zend Framework and Liferay Portal. ThreatPost:

threatpost.com/linux-attack-freakout-malware/163137/. BleepingComputer:

www.bleepingcomputer.com/news/security/freakout-malware-exploits-critical-bugs-to-infect-linux-hosts/. TiVi:

www.tivi.fi/uutiset/tv/372649cd-e1a1-48ab-8d4b-03f75dd6117b

You might be interested in …

Daily NCSC-FI news followup 2020-08-22

Grandoreiro banking trojan impersonates Spains tax agency www.welivesecurity.com/2020/08/21/grandoreiro-banking-trojan-impersonates-spain-tax-agency/ Although its been some weeks since the height of the income tax season in many countries around the globe, the year 2020 has been looking less than normal even for cybercriminal activity. For several months, various threat actors have been attempting to impersonate governmental organizations, such as […]

Read More

Daily NCSC-FI news followup 2019-10-18

KRP epäilee: Rikosliiga hankki suomalaisia henkilötunnuksia ja pankkitilejä kuin liukuhihnalta kansainvälisessä petossarjassa yle.fi/uutiset/3-11026054 KRP:n mukaan asianomistajille aiheutuneet vahingot ovat olleet tutkittavassa kokonaisuudessa yhteensä noin 725 000 euroa. APT trends report Q3 2019 securelist.com/apt-trends-report-q3-2019/94530/ UK government has revealed it is working with chip-maker Arm on a £36m initiative to make more secure processors. www.infosecurity-magazine.com/news/uk-government-announces/ See also […]

Read More

Daily NCSC-FI news followup 2019-11-30

How is NordVPN unblocking Disney+? It might be through YOUR own computer. Even if youve never used Disney+ or NordVPN. medium.com/@derek./how-is-nordvpn-unblocking-disney-6c51045dbc30 New Chrome Password Stealer Sends Stolen Data to a MongoDB Database www.bleepingcomputer.com/news/security/new-chrome-password-stealer-sends-stolen-data-to-a-mongodb-database/ A new trojan has been discovered that attempts to steal passwords stored in the Google Chrome browser. While this is nothing unique, […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.