Daily NCSC-FI news followup 2021-01-19

DNSpooq – 7 vulnerabilities found in dnsmasq, an open-source DNS forwarding software in common use

www.jsof-tech.com/disclosures/dnspooq/

The Dnspooq vulnerabilities include DNS cache poisoning vulnerabilities as well as a potential remote code execution vulnerability, and others. The list of devices using dnsmasq is long and varied. According to our internet-based research, prominent users of dnsmasq seem to include Cisco routers, Android phones, Aruba devices, Technicolor, and Red Hat, as well as Siemens, Ubiquiti Networks, Comcast, and others listed below. Depending on how they use dnsmasq, devices may be more or less affected, or not affected at all.

PDF: www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf
TheHackerNews: thehackernews.com/2021/01/a-set-of-severe-flaws-affect-popular.html
ZDNet: www.zdnet.com/article/dnspooq-lets-attackers-poison-dns-cache-records/
BleepingComputer: www.bleepingcomputer.com/news/security/dnspooq-bugs-let-attackers-hijack-dns-on-millions-of-devices/

Raindrop: New Malware Discovered in SolarWinds Investigation

symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware

Raindrop (Backdoor.Raindrop) is a loader which delivers a payload of Cobalt Strike. Raindrop is very similar to the already documented Teardrop tool, but there are some key differences between the two. Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip source code. The 7-Zip code is not utilized and is designed to hide the malicious functionality added by the attackers.

ThreatPost: threatpost.com/solarwinds-malware-arsenal-raindrop/163153/
BleepingComputer: www.bleepingcomputer.com/news/security/solarwinds-hackers-used-7-zip-code-to-hide-raindrop-cobalt-strike-loader/

FireEye releases tool for auditing networks for techniques used by SolarWinds hackers

www.zdnet.com/article/fireeye-releases-tool-for-auditing-networks-for-techniques-used-by-solarwinds-hackers/

Together with the report, FireEye researchers have also released a free tool on GitHub named Azure AD Investigator that they say can help companies determine if the SolarWinds hackers (also known as UNC2452) used any of these techniques inside their networks.

Report: www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html
GitHub: github.com/fireeye/Mandiant-Azure-AD-Investigator

Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments

blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-…

While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.

Linux users should patch now to block new “FreakOut” malware which exploits new vulnerabilities

blog.checkpoint.com/2021/01/19/linux-users-should-patch-now-to-block-new-freakout-malware-which-exploits-new-vulnerabilities/

These ongoing attacks involve a new malware variant. The goal behind these attacks is to create an IRC botnet, which can then be used for malicious activities, such as launching DDoS attacks on other organizations' networks, or for crypto-mining activity on infected machines, which can potentially shut down entire infected systems. The attack exploits vulnerabilities in TerraMaster TOS, Zend Framework and Liferay Portal.

ThreatPost: threatpost.com/linux-attack-freakout-malware/163137/
BleepingComputer: www.bleepingcomputer.com/news/security/freakout-malware-exploits-critical-bugs-to-infect-linux-hosts/
TiVi: www.tivi.fi/uutiset/tv/372649cd-e1a1-48ab-8d4b-03f75dd6117b
