Daily NCSC-FI news followup 2021-01-19

DNSpooq – 7 vulnerabilities found in dnsmasq, an open-source DNS forwarding software in common use

www.jsof-tech.com/disclosures/dnspooq/ The DNSpooq vulnerabilities include DNS cache poisoning vulnerabilities as well as potential remote code execution, among others. The list of devices using dnsmasq is long and varied. According to our internet-based research, prominent users of dnsmasq seem to include Cisco routers, Android phones, Aruba devices, Technicolor and Red Hat, as well as Siemens, Ubiquiti Networks, Comcast and others listed on the JSOF page. Depending on how they use dnsmasq, devices may be more or less affected, or not affected at all.

PDF: www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf

TheHackerNews: thehackernews.com/2021/01/a-set-of-severe-flaws-affect-popular.html

ZDNet: www.zdnet.com/article/dnspooq-lets-attackers-poison-dns-cache-records/

BleepingComputer: www.bleepingcomputer.com/news/security/dnspooq-bugs-let-attackers-hijack-dns-on-millions-of-devices/

Raindrop: New Malware Discovered in SolarWinds Investigation

symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware Raindrop (Backdoor.Raindrop) is a loader that delivers a Cobalt Strike payload. Raindrop is very similar to the already documented Teardrop tool, but there are some key differences between the two. Raindrop is compiled as a DLL built from a modified version of the 7-Zip source code. The 7-Zip code itself is never executed; it is there to hide the malicious functionality the attackers added.

ThreatPost: threatpost.com/solarwinds-malware-arsenal-raindrop/163153/

BleepingComputer: www.bleepingcomputer.com/news/security/solarwinds-hackers-used-7-zip-code-to-hide-raindrop-cobalt-strike-loader/

FireEye releases tool for auditing networks for techniques used by SolarWinds hackers

www.zdnet.com/article/fireeye-releases-tool-for-auditing-networks-for-techniques-used-by-solarwinds-hackers/ Together with the report, FireEye researchers have also released a free tool on GitHub named Azure AD Investigator that they say can help companies determine if the SolarWinds hackers (also known as UNC2452) used any of these techniques inside their networks.

Report: www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html

GitHub: github.com/fireeye/Mandiant-Azure-AD-Investigator

Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments

blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-… While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.

Linux users should patch now to block new “FreakOut” malware which exploits new vulnerabilities

blog.checkpoint.com/2021/01/19/linux-users-should-patch-now-to-block-new-freakout-malware-which-exploits-new-vulnerabilities/ These ongoing attacks involve a new malware variant. The goal behind these attacks is to build an IRC botnet, which can then be used for malicious activities such as launching DDoS attacks against other organizations' networks, or for crypto-mining on infected machines, which can potentially bring down the entire infected system. The attack exploits vulnerabilities in TerraMaster TOS, Zend Framework and Liferay Portal.

ThreatPost: threatpost.com/linux-attack-freakout-malware/163137/

BleepingComputer: www.bleepingcomputer.com/news/security/freakout-malware-exploits-critical-bugs-to-infect-linux-hosts/

TiVi: www.tivi.fi/uutiset/tv/372649cd-e1a1-48ab-8d4b-03f75dd6117b
