Malware Devil

Friday, April 30, 2021

Task Force delivers strategic plan to address global ransomware problem

The Ransomware Task Force (RTF), a think tank composed of more than 60 volunteer experts who represent organizations encompassing industries and governments, has recently pushed out a comprehensive and strategic plan for tackling the increasing threat and evolution of ransomware.

The report, entitled “Combating Ransomware – A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force”, which you can read here [PDF] advocates for “a unified, aggressive, comprehensive, public-private anti-ransomware campaign.”

The purpose of creating the document seems to be threefold: first, to educate its target readers, in this case policy makers and industry leaders, about the dangers of ransomware; second, to call for unification among organizations to collectively beat the ransomware enterprise; and third, to guide organizations and governments on action items (48 in total) they can pursue to disrupt the ransomware-as-a-service (RaaS) model and substantially lessen the impact of current and future attacks.

“This is great news and sorely needed,” says Jerome Segura, Director of Threat Intelligence at Malwarebytes, in an email. “One key aspect is, of course, international cooperation (or the lack thereof) which has proven to be a key reason why many criminals from Eastern Europe can continue their business without real fear of prosecution.”

Ransomware: a threat to national security

Ransomware attacks had been popping up left and right, even before the COVID-19 pandemic threw a wrench into the cybersecurity efforts of many already challenged companies and industries. Ransom demands inflated steeply through the pandemic, and the money raised appears to be reflected in increasing innovation and sophistication.

The report quantifies the impact of ransomware attacks with some startling statistics. According to the RTF, the average ransom payment in 2020 was $312,493, an increase of 171% over the previous year. Perhaps even more costly and damaging, it puts the average time it takes to fully recover from a ransomware attack at just over nine months.

Ransomware statistics collated by the task force (Source: The RTF Report 2020)

Note that these are average numbers, which means that there are cases when organizations have dealt with much longer downtimes and paid far higher ransoms (demands go into the tens of millions) to get their businesses back up and running as quickly as possible.

Gone are the days when threat actors behind ransomware campaigns targeted organizations they thought had the means to readily cough up money to meet their demands. These past few years, ransomware gangs have become more opportunistic, perhaps comforted by the wide availability of ransom insurance. They have deliberately targeted networks and breached systems of vital infrastructure, such as hospitals, schools, local governments, and nuclear plants, knowing full well that they may be putting lives at risk.

Organizations that refuse to pay the ransom then have to deal with the data leaks that will inevitably follow; the delays caused by identifying and fixing the problems that allowed the ransomware gang into their systems; and the cost of crisis management efforts and of generally getting back on track as quickly as possible, while also improving their overall cybersecurity posture. On the other hand, organizations that do pay the ransom also get to spend millions of dollars on top of the ransom payment, and still aren’t guaranteed to get their data back, or a speedy recovery.

Ransom payments may then be used to fund criminal enterprises that, for example, engage in human trafficking, terrorism, and “the proliferation of mass destruction”. But perhaps the most damaging of all is that ransomware attacks can sow doubt in the minds of the public towards public institutions.

To add salt to the wound, ransomware threat actors do this from within countries that are turning a blind eye to, or even encouraging, these cybercrime campaigns. They are safe havens where gangs know they won’t be charged, prosecuted or extradited for their actions. It is not difficult then to see why the RTF urged its audience to “raise the priority of ransomware within the intelligence community, and designate it as a national security threat” while advocating the use of “criminal prosecution and other tactics”.

Core actions organizations and governments must take

Although there are multiple steps recommended in the report, the RTF prescribes that these steps should be viewed and considered part of a bigger whole, as each was designed to complement and build on the others.

According to the report:

“The strategic framework is organized around four primary goals: to deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; to disrupt the business model and reduce criminal profits; to help organizations prepare for ransomware attacks; and to respond to ransomware attacks more effectively.”

To see the necessary impact against the ransomware enterprise, the task force stresses the importance of adopting these steps as soon as possible, with continuous coordination among the involved parties at a national and international level. (The RTF has proposed that the US government take charge in international coordination efforts with its partners.)

Among its priority recommendations, the RTF proposes that greater prioritization be given to intelligence-driven anti-ransomware efforts; mandatory reporting of ransomware attacks and the creation of Cyber Response and Recovery funds; the development of a framework to help organizations prepare for, and respond to, ransomware attacks; and greater regulation of the cryptocurrency sector.

Among the action items to be done, these are the five most urgent, according to the Ransomware Task Force. The rest are supporting actions that strengthen or lead to the fulfillment of these five. (Source: The RTF Report 2020)

About the RTF and other anti-ransomware efforts

The Institute of Security and Technology (IST) is the host organization that launched the Ransomware Task Force four months ago, in December 2020. Before this, significant efforts had been made by organizations within or associated with the cybersecurity industry in combating ransomware.

In January this year, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Reduce the Risk of Ransomware Campaign where it focused on educating the public and private sectors on anti-ransomware best practices and what tools and resources to use to mitigate attacks. CISA’s one-stop page for everything one needs to know about ransomware can be found on this CISA ransomware page.

In July 2016, Europol’s European Cybercrime Centre joined forces with other law enforcement bodies and IT security companies to launch No More Ransom (NMR). Similar to the above-mentioned efforts, NMR also aims to help victims recover their data without shelling out money. They do this by collating decryption tools for ransomware families, created by cybersecurity volunteers. You can learn more about No More Ransom by visiting its official website.

https://malwaredevil.com/2021/04/30/task-force-delivers-strategic-plan-to-address-global-ransomware-problem-5/?utm_source=rss&utm_medium=rss&utm_campaign=task-force-delivers-strategic-plan-to-address-global-ransomware-problem-5

Ransomware Task Force Publishes Framework to Fight Global Threat

An 81-page report details how ransomware has evolved, along with recommendations on how to deter attacks and disrupt its business model.

The Ransomware Task Force (RTF) this week published a report detailing recommendations to fight back against the operators and infrastructure that drive ransomware, which its team of experts describes as a “serious national security threat” and “public health and safety concern.”

More than 60 people from software companies, security vendors, government agencies, nonprofits, and academic institutions teamed up with the Institute for Security and Technology (IST) to create the RTF, which launched last December. Participants include Microsoft, McAfee, Rapid7, Amazon, Cisco, the Cyber Threat Alliance, the Global Cyber Alliance, US Department of Justice, Europol, and the UK’s National Crime Agency, among many others.

In their 81-page report, “A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force,” experts share proposed guidance to deter ransomware attacks, disrupt its business model, help organizations prepare, and better respond to the global threat.

While other threats, such as business email compromise, also cause tremendous losses for businesses each year, RTF is focusing on ransomware because of its massive impact.

“One of the concerns we have is the scope and scale of ransomware,” says Megan Stifel, executive director for the Americas at the Global Cyber Alliance and co-chair of the RTF. “It’s holding parts of the ecosystem and the economy at risk, particularly aspects of critical infrastructure, that can give rise to a range of cascading consequences that in some cases individually, or certainly collectively, can create a significant national security problem.”

RTF’s framework arrives as ransomware attackers continue to evolve their strategies. Ransomware targeted the healthcare industry during a global pandemic and has shut down schools, hospitals, police stations, city governments, and US military facilities, its report points out.

“The professionalism of the affiliates, and focusing on their ability to attack organizations, is probably the biggest challenge,” says Raj Samani, fellow and chief scientist at McAfee, of fighting ransomware. “This has supported the big-game hunting strategy and ultimately the ability to get into organizations and disrupt operations or steal data, [which] has given threat actors the ability to demand a lot more than ever before.”

The framework outlines 48 actions government and industry leaders can take to disrupt the ransomware business model and mitigate the impact of attacks. While there have been many reports on the growing ransomware threat and widespread recommendations on how to fight it, many organizations struggle to adopt them. The idea behind this framework is to create a more comprehensive, all-hands-on-deck approach to dismantling the ransomware threat.

Some of the RTF’s recommendations are listed as higher priority, though it advises viewing them together as a whole. At the top of its list is the suggestion for a coordinated, law enforcement effort to prioritize ransomware through a strategy that includes the use of “a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals,” the RTF says in the framework.

“The first priority really does need to be this public pronouncement that ransomware is a serious national security threat, and that governments will work together with the private sector and other stakeholders in reducing its impact through a range of actions, including this idea of enhanced information sharing to support intelligence and enforcement,” says Stifel.

There is room for improvement in how this is done, she adds.

“The ability for the government to ingest information around ransomware needs to improve, but also the ability for industry to share information around ransomware is in significant need of enhancement,” Stifel says.

The RTF’s second recommendation suggests the US launch an “intelligence-driven anti-ransomware campaign, coordinated by the White House.” This must include an Interagency Working Group led by the National Security Council, an internal US government joint ransomware task force, and a private, industry-led informal Ransomware Threat Focus Hub.

Its third prioritized recommendation suggests governments create a cyber response and recovery fund to support ransomware response and other security efforts, mandate victims report ransom payments, and require them to consider alternatives before paying ransom.

Payments were a tricky subject to navigate in the creation of the framework, and Stifel notes the RTF couldn’t come to a consensus on whether to prohibit payments. Participants agreed that while paying ransom is detrimental in many ways, there are challenges in barring payments altogether. Doing so “would really put victims in a very hard spot,” Stifel adds.

The framework also suggests closer regulation of the cryptocurrency sector and states governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter trading to comply with existing laws, such as Know Your Customer, Anti-Money Laundering, and Combating the Financing of Terrorism.

Ransomware is a rapidly evolving threat, and criminals continue to hone their skills and tactics to successfully extort businesses. McAfee’s Samani will elaborate more on this topic and how these changes have influenced the distribution of ransomware in an upcoming RSA Conference session entitled “Ransomware: New Recipe For An Old Dish.”


https://malwaredevil.com/2021/04/30/ransomware-task-force-publishes-framework-to-fight-global-threat/?utm_source=rss&utm_medium=rss&utm_campaign=ransomware-task-force-publishes-framework-to-fight-global-threat

New Threat Group Carrying Out Aggressive Ransomware Campaign

UNC2447 observed targeting now-patched vulnerability in SonicWall VPN.

Researchers at FireEye Mandiant have observed what they describe as an aggressive new threat group exploiting a recently patched zero-day flaw in SonicWall’s virtual private network (VPN) technology to drop ransomware called Fivehands on enterprise networks.

The group, which Mandiant is tracking as UNC2447, has been attempting to extort victims both with the ransomware itself and by stealing data from them and threatening to leak it on hacker forums, like many other ransomware operators recently. The group’s victims — mostly in the US and Europe — include organizations across multiple industries such as telecommunications, healthcare, construction and engineering, food and beverage, and education.

Tyler McLellan, principal threat analyst for advanced practices at Mandiant, says the company is unsure how many SonicWall VPN devices remain unpatched against CVE-2021-20016, a critical SQL injection vulnerability in SonicWall’s Secure Mobile Access SMA 100 series remote access products. SonicWall issued a patch for the flaw, which is the one that UNC2447 is targeting, in February 2021.

“While we don’t have numbers on unpatched devices, Mandiant is aware that UNC2447-related threat actors are still in possession of credentials stolen from over 100 VPN appliances,” McLellan says. “These affected organizations will remain at risk of ransomware attack even if patched, unless they enable multifactor authentication or reset all passwords.”

Mandiant first observed signs of UNC2447 activity in November 2020, when it discovered a PowerShell dropper called Warprism being used to install the Cobalt Strike Beacon on systems belonging to two of its customers. In January and February, Mandiant spotted the threat actor using SombRAT — a backdoor packaged as a Windows executable — to deploy Fivehands ransomware on multiple victim networks.

BlackBerry Cylance was the first to spot SombRAT last December. McLellan says that since then, Mandiant has observed only UNC2447 using it, and only to deploy Fivehands. According to Mandiant, SombRAT is an especially sophisticated tool designed primarily to download and execute plugins from a command-and-control server. The backdoor supports dozens of commands and includes multiple anti-detection features and mechanisms for obfuscating itself.

Past reporting by BlackBerry suggests that SombRAT could be a sophisticated mercenary cyber-espionage tool. Its use during multiple ransomware intrusions is unusual and noteworthy, McLellan says.

The Fivehands ransomware tool itself is not especially different from others of its kind. It appears to be a rewrite of a previous ransomware tool called Deathransom. It shares some similarities with HelloKitty, another derivative of Deathransom. UNC2447 appears to have begun using Fivehands only since the start of this year. Before that, the threat actor appears to have been using HelloKitty, Mandiant said in its report.

Fivehands is optimized to be substantially faster than HelloKitty, McLellan notes. “[It has] added a feature to accept a command line option to limit encryption to just a certain folder,” he says. “These improvements could allow a Fivehands ransom operator to more quickly target a victim’s important data for maximum impact.”

While Fivehands itself is not particularly noteworthy, the encrypted launcher that it uses is very unusual because it uses a command line password to decrypt and load the ransomware into memory, McLellan says. “Even if the actor left the launcher executable on disk, it would be nearly impossible to crack the password to allow the victim to identify the ransomware strain used against them.”

Mandiant says it has observed UNC2447 using multiple legitimate and dual-use tools and utilities, including Adfind, Bloodhound, Mimikatz, PChunter, and RCLONE.


https://malwaredevil.com/2021/04/30/new-threat-group-carrying-out-aggressive-ransomware-campaign/?utm_source=rss&utm_medium=rss&utm_campaign=new-threat-group-carrying-out-aggressive-ransomware-campaign

Five Reasons Memory-Based Cyberattacks Continue to Succeed

Almost every week we see new examples of highly sophisticated organizations and enterprises falling victim to another nation-state cyberattack or other security breach. These attacks are circumventing staple security products such as next-gen firewalls, IDS/IPS systems, web and endpoint security defenses, web application firewalls and database monitoring solutions.

Breaches continue to happen at an increasing rate, with more severe consequences. Forbes reported that the year 2020 broke all records when it came to data lost in breaches and sheer numbers of cyber-attacks on companies, government, and individuals. While substantial sums have been spent on network and endpoint-based security, these breaches reflect a general lack of investment in adequate application-aware workload protection. This has continued despite repeated surveys pointing to applications and OS vulnerabilities as the largest areas of enterprise security exposure.

“Memory-based attacks are happening all around us and no one seems to want to talk about it because there hasn’t been a lot of defense against them. Virsec has an extraordinary and effective solution for defending against memory-based attacks. These guys are monsters in that.”
– Chief Security Architect, Schneider Electric

Below are five key reasons why memory-based attacks continue to evade conventional security tools:

1. Memory-based attacks cannot be identified via signature.

Buffer errors or return-to-libc attacks, and many other memory corruption exploits, attack the call stack or memory registers of an application in non-repeating ways. This presents problems for traditional security solutions because most approaches are based on pattern matching, using signatures of past malware or malicious actions.

While some endpoint vendors promote defenses against “memory exploit techniques”, they are still based on signatures and pattern-matching of pieces of existing executable code. Today’s advanced attackers are innovative and resourceful and easily avoid repetitive behavior that can be detected by pattern-matching.

2. Most security defenses focus on network protection and authorization, while memory-based attacks happen in the guts of applications.

Today’s advanced attacks are aimed at high-value targets, take place in the memory of an application, and manipulate the application’s execution path. By the time a successful memory-based attack makes a network transmission, it is doing so over normal channels and will evade detection.

Conventional enterprise security strategies are built on an authentication/authorization model, network checkpoints and sandboxes that sample or inspect packets moving across the network. However, memory-based attacks typically use phished or insider credentials with escalated privileges, or they use remote OS command execution, such as PowerShell. These techniques make memory threats, such as ROP chain attacks, invisible at the packet level.

3. Endpoint security is pervasive in enterprises but lacks the ability to stop fileless and remote code execution exploits.

Focusing on the endpoint has become a popular model as traditional perimeter security is disappearing. But most endpoint technologies focus on end user devices, and less on core, high-value servers. Applications running on servers and workloads are fundamentally different than those running on devices and laptops and require different means of protection.

Other technologies such as host-based IPS (HIPS), app control, file-whitelisting, and server endpoint suites also have significant limitations against memory-based attacks, and are known for producing large quantities of false positives. File-whitelisting is becoming more widely used but misses most memory-based attacks that exploit legitimate applications allowed to run in a file-whitelist environment.

4. Traditional application security solutions focus on eliminating code vulnerabilities, but not securing the applications at runtime.

Most memory-based attacks target enterprise applications, but most application security solutions focus only on identifying and remediating vulnerabilities in developer code. Relying on developers to find and eliminate all weaknesses is not adequate.

Most developers prefer to focus on application features over security, and have limited experience in risk management and in enterprise security automation across large numbers of applications and third-party components. Additionally, these solutions tend to be imprecise in identifying advanced attacks and generate large numbers of false positives.

More importantly, the most sophisticated and evasive attacks – like the recent SolarWinds or Hafnium Microsoft Exchange server hacks – occur at runtime.

5. Many organizations fail to systematically patch vital applications and host OS binaries.

A significant number of companies do not have a mature patch management strategy in place. Keeping up with patching is a significant challenge for many organizations that have a wide range of heterogeneous servers, many of which may no longer receive updates.

Advanced hackers have become adept at scanning networks to identify unpatched systems and target vulnerable applications with zero-day exploits. Verizon’s 2020 Annual Data Breach Report confirms that most breaches exploit vulnerabilities for which a CVE (Common Vulnerabilities and Exposures) entry or a patch has existed for several years but has not been deployed consistently.

How to Ensure Memory Protection

Memory-based attacks comprise the most insidious threats to critical applications, exploit the most common vulnerability in applications (buffer overflows), and represent the most frequently used advanced exploit over the last several years. Remote code execution exploits – once an outlier – have now become the go-to evasive attack technique, and many IT professionals regard memory attacks as “indefensible” by today’s security products.
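The buffer overflow this paragraph names as the most commonly exploited application vulnerability, shown beside a bounds-checked form, as an added C example. It is not Virsec's code and does not come from the original post; the routine names, the 16-byte buffer limit and the sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed-size stack buffer used by both routines */

/* Vulnerable pattern: caller-controlled bytes copied into a fixed stack
 * buffer with no length check. Any input of NAME_MAX bytes or more writes
 * past buf into adjacent stack memory (saved registers, return address),
 * which is the corruption memory-based attacks build on. Kept only for
 * contrast; the demonstration below never calls it with over-long input. */
static void greet_unchecked(const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name);               /* unbounded copy: overflows if strlen(name) >= NAME_MAX */
    printf("hello, %s\n", buf);
}

/* Hardened form: the copy is bounded by the destination size, and the
 * caller learns when input was rejected instead of getting a silent
 * truncation or an overflow. Returns 1 on success, 0 when src does not
 * fit in dst together with its NUL terminator. */
static int copy_name_checked(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        return 0;
    }
    memcpy(dst, src, len + 1);       /* len + 1 <= dst_size, so this stays in bounds */
    return 1;
}

/* Same greeting built on the checked copy; returns whether it accepted. */
static int greet_checked(const char *name) {
    char buf[NAME_MAX];
    if (!copy_name_checked(buf, sizeof buf, name)) {
        fprintf(stderr, "rejected input of %zu bytes (limit %d)\n",
                strlen(name), NAME_MAX - 1);
        return 0;
    }
    printf("hello, %s\n", buf);
    return 1;
}

/* Counts how many inputs of a NULL-terminated list the checked copy accepts. */
static int count_accepted(const char *const *inputs) {
    int accepted = 0;
    for (; *inputs != NULL; inputs++) {
        char buf[NAME_MAX];
        accepted += copy_name_checked(buf, sizeof buf, *inputs);
    }
    return accepted;
}

/* Constructed sample inputs: two fit, the third is exactly one byte too long. */
static const char *const samples[] = {
    "alice",
    "123456789012345",    /* 15 bytes: fits with terminator */
    "1234567890123456",   /* 16 bytes: would need 17 bytes of space */
    NULL
};

static int sample_accept_count(void) {
    return count_accepted(samples);
}

int main(void) {
    greet_unchecked("bob");          /* short input: safe even for the unchecked version */
    for (int i = 0; samples[i] != NULL; i++) {
        greet_checked(samples[i]);
    }
    printf("%d of 3 inputs accepted\n", sample_accept_count());
    return 0;
}
```

Build with `cc -Wall` and run it. Compiler and OS mitigations (stack canaries, non-executable stacks, ASLR) make the unchecked version harder to exploit but do not remove the defect; the checked copy does, and reporting the rejection gives the application a point at which an over-long input can be logged and investigated rather than silently dropped.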

Virsec Security Platform

Virsec Security Platform provides application-aware workload protection that ensures comprehensive memory protection and runtime protection. Virsec’s patented technology is delivered via the following three application-aware components:

Memory Protection: leverages in-memory instrumentation to detect and protect when a workload starts executing attacker-provided shell code.

Web Protection: leverages in-memory instrumentation to detect and protect when a workload starts executing attacker-provided byte code.

Host Protection: leverages file integrity capabilities to prevent even single instructions from any unauthorized executables, libraries, and scripts from executing.

Unlike EDR/EPP and other perimeter security controls, Virsec’s source of trust is the application’s code itself. Once a developer delivers an application, the Virsec source of trust never changes. This stands in contrast to conventional security controls, which depend on a moving target of threat feeds.

Additional Learning

White Paper: The Need for Application-Aware Workload Protection

Solution Brief: Virsec Security Platform

Webinar: Defending Against Nation-State Attacks: Breaking the Kill Chain

Webinar: SolarWinds CSI: Re-creating the SolarWinds Attack

 

The post Five Reasons Memory-Based Cyberattacks Continue to Succeed appeared first on Security Boulevard.


The post Five Reasons Memory-Based Cyberattacks Continue to Succeed appeared first on Malware Devil.



https://malwaredevil.com/2021/04/30/five-reasons-memory-based-cyberattacks-continue-to-succeed/?utm_source=rss&utm_medium=rss&utm_campaign=five-reasons-memory-based-cyberattacks-continue-to-succeed

Task Force delivers strategic plan to address global ransomware problem

The Ransomware Task Force (RTF), a think tank composed of more than 60 volunteer experts who represent organizations encompassing industries and governments, has recently pushed out a comprehensive and strategic plan for tackling the increasing threat and evolution of ransomware.

The report, entitled “Combating Ransomware – A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force”, which you can read here [PDF] advocates for “a unified, aggressive, comprehensive, public-private anti-ransomware campaign.”

The purpose of creating the document seems to be threefold: first, to educate the targeted reader—in this case, policy makers and industry leaders—about the dangers of ransomware; second, to call for unification amongst organizations to collectively beat the ransomware enterprise; and third, to guide organizations and governments on action items (48 in total) they can pursue to disrupt the ransomware-as-a-service (RaaS) model and extensively lessen the impact of current and future attacks.

“This is great news and sorely needed,” says Jerome Segura, Director of Threat Intelligence at Malwarebytes, in an email. “One key aspect is, of course, international cooperation (or the lack thereof) which has proven to be a key reason why many criminals from Eastern Europe can continue their business without real fear of prosecution.”

Ransomware: a threat to national security

Ransomware attacks had been popping up left and right, even before the COVID-19 pandemic threw a wrench into cybersecurity efforts of many already challenged companies and industries. Ransom demands inflated steeply through the pandemic, and the money raised appears to be being reflected in increasing innovation and sophistication.

The report quantifies the impact of a ransomware attack with some startling statistics. According to the RTF, the average ransom payment in 2020 was $312,493, an increase of 171% over the previous year. Perhaps even more costly and damaging, it puts the average time it takes to fully recover from a ransomware attack at just over nine months.

Ransomware statistics collated by the task force (Source: The RTF Report 2020)

Note that these are average numbers, which means that there are cases when organizations have dealt with much longer downtimes and paid far higher ransoms (demands go into the tens of millions) to get their businesses back up and running as quickly as possible.

Gone are the days when threat actors behind ransomware campaigns targeted organizations they thought had the means to readily cough up money to meet their demands. These past few years, ransomware gangs have become more opportunistic, perhaps comforted by the wide availability of ransom insurance. They have deliberately targeted networks and breached systems of vital infrastructure, such as hospitals, schools, local governments, and nuclear plants, knowing full well that they may be putting lives at risk.

Organizations that refuse to pay the ransom then have to deal with the data leaking that will inevitably follow; the delays caused by identifying and fixing the problems that allowed the ransomware gang into their systems; and the cost of crisis management efforts and of generally getting back on track as quickly as possible, while also improving their overall cybersecurity posture. On the other hand, organizations that do pay the ransom spend millions of dollars, too, on top of the ransom payment, and still aren’t guaranteed to get their data back, or a speedy recovery.

Ransom payments may then be used to fund criminal enterprises that, for example, engage in human trafficking, terrorism, and “the proliferation of mass destruction”. But perhaps the most damaging of all is that ransomware attacks can sow doubt in the minds of the public towards public institutions.

To add salt to the wound, ransomware threat actors do this from within countries that are turning a blind eye to, or even encouraging, these cybercrime campaigns. They are safe havens where gangs know they won’t be charged, prosecuted or extradited for their actions. It is not difficult then to see why the RTF urged its audience to “raise the priority of ransomware within the intelligence community, and designate it as a national security threat” while advocating the use of “criminal prosecution and other tactics”.

Core actions organizations and governments must take

Although there are multiple steps recommended in the report, the RTF prescribes that these steps should be viewed and considered part of a bigger whole as they were each designed to complement and build on each other.

According to the report:

“The strategic framework is organized around four primary goals: to deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; to disrupt the business model and reduce criminal profits; to help organizations prepare for ransomware attacks; and to respond to ransomware attacks more effectively.”

To see the necessary impact against the ransomware enterprise, the task force stresses the importance of adopting these steps as soon as possible, with continuous coordination among the involved parties at a national and international level. (The RTF has proposed that the US government take charge in international coordination efforts with its partners.)

Among its priority recommendations, the RTF proposes that greater prioritization be given to intelligence-driven anti-ransomware efforts; mandatory reporting of ransomware attacks and the creation of Cyber Response and Recovery funds; the development of a framework to help organizations prepare for, and respond to, ransomware attacks; and greater regulation of the cryptocurrency sector.

Among the action items to be done, these are the five most urgent, according to the Ransomware Task Force. The rest are supporting actions that strengthen or lead to the fulfillment of these five. (Source: The RTF Report 2020)

About the RTF and other anti-ransomware efforts

The Institute of Security and Technology (IST) is the host organization that launched the Ransomware Task Force four months ago in December 2020. Before this, significant efforts have been made by organizations within or associated with the cybersecurity industry in combating ransomware.

In January this year, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Reduce the Risk of Ransomware Campaign where it focused on educating the public and private sectors on anti-ransomware best practices and what tools and resources to use to mitigate attacks. CISA’s one-stop page for everything one needs to know about ransomware can be found on this CISA ransomware page.

In July 2016, Europol’s European Cybercrime Centre joined forces with other law enforcement bodies and IT security companies to launch No More Ransom (NMR). Similar to the above-mentioned efforts, NMR also aims to help victims recover their data without shelling out money. They do this by collating decryption tools for ransomware families, created by cybersecurity volunteers. You can learn more about No More Ransom by visiting its official website.

The post Task Force delivers strategic plan to address global ransomware problem appeared first on Malwarebytes Labs.

The post Task Force delivers strategic plan to address global ransomware problem appeared first on Malware Devil.



https://malwaredevil.com/2021/04/30/task-force-delivers-strategic-plan-to-address-global-ransomware-problem-3/?utm_source=rss&utm_medium=rss&utm_campaign=task-force-delivers-strategic-plan-to-address-global-ransomware-problem-3


PortDoor Espionage Malware Takes Aim at Russian Defense Sector

The stealthy backdoor is likely being used by Chinese APTs, researchers said.

The post PortDoor Espionage Malware Takes Aim at Russian Defense Sector appeared first on Malware Devil.



https://malwaredevil.com/2021/04/30/portdoor-espionage-malware-takes-aim-at-russian-defense-sector/?utm_source=rss&utm_medium=rss&utm_campaign=portdoor-espionage-malware-takes-aim-at-russian-defense-sector

The Night Witches of WWII

In the famous Pulitzer-prize winning book “The Guns of August“, the author applies some colorful language to illustrate WWI and Imperial Germany. Tuchman for example frames their march like predator ants: (page 251) The German march through Belgium, like the march of predator ants who periodically emerge from the South American jungle to carve a … Continue reading The Night Witches of WWII

The post The Night Witches of WWII appeared first on Security Boulevard.


The post The Night Witches of WWII appeared first on Malware Devil.



https://malwaredevil.com/2021/04/30/the-night-witches-of-wwii/?utm_source=rss&utm_medium=rss&utm_campaign=the-night-witches-of-wwii

MITRE Adds MacOS, More Data Types to ATT&CK Framework

Version 9 of the popular threat matrix will improve support for a variety of platforms, including cloud infrastructure.

Nonprofit research organization MITRE has released the latest version of its ATT&CK framework, adding support for threat information affecting Apple’s MacOS and containers, while also allowing more data sources and relationships.

The release is one of two updates to the popular framework due out this year, with another planned for October. The two biggest changes are better support for both MacOS and containers and the adoption of more flexible ways of specifying the data needed to describe each threat technique. The release includes 16 new groups, 67 new pieces of software, and updates to 36 other groups and 51 software entries, according to MITRE.

The goal is to make the framework more functional, based on specific feedback from its community of users, says Adam Pennington, ATT&CK lead at MITRE.

“People look at ATT&CK as a way to map out and plan their defenses,” he says. “We are seeing it used as a way for people to either start from a specific area — such as an adversary that they are worried about or some subset of an attack, and take a look at what their stance is in relation to each of those behaviors — or perhaps as a way to plan out behavioral analytics.”

In a blog published Thursday, the research organization stated that the update is designed to better connect offensive techniques with potential defensive actions. The intent is to tag every technique in the ATT&CK framework with “defensive-focused fields [and] properties as a way to help defenders detect and respond to attacks.”

The company had described the improvements in its road map for 2021, published in March. The organization stated there would be no major structural adjustments; instead, MITRE plans to make improvements across the framework.

“Our chief focus will be on enhancing and enriching content across the ATT&CK platforms and technical domains,” MITRE stated in its road map. “We’ll be making incremental updates to core concepts, such as Software and Groups, and working towards a more structured contributions process, while maintaining a biannual release tempo, scheduled for April and October.”

A major initiative in the latest version is to allow better data to be collected on specific threat descriptions included in the ATT&CK framework. The idea is to tell defenders specifically what data they need to collect to best detect attackers and determine which techniques they are using. MITRE reviewed all the different data sources and components and remapped them where necessary.

“The material that people see today is not going to undergo another drastic change. We are just going to be adding more context behind it,” Pennington says. “It’s about getting a better idea of — with their various collection mechanisms, SIEMs, sensors, whatever — what do they need to be looking for to understand an adversary’s behavior.”

The ATT&CK framework now also includes more MacOS-specific threats and mappings, he says. Techniques and data specific to Linux-based systems will arrive with the next update in October.

“We spend a lot of time on Windows, as do adversaries,” Pennington says. “For Linux, we hear a lot going on with containers, but we don’t see a ton of detail in what is going on. The same with Mac. We hear from people there is a lot of activity going on, and we are beginning to incorporate that into ATT&CK.”

MITRE has also brought together the threats, techniques, and data sources for cloud platforms into consolidated groups, such as the infrastructure-as-a-service (IaaS) platform as part of the broader Cloud Service Providers category. In addition, the software-as-a-service (SaaS) offerings Office 365 and Google Workspace are now included, so defenders can map adversary behaviors against them.

The company continues to make modifications based on feedback. In October, the company will release more support for mobile threats and defenses, as well as update the approach to threats that affect industrial control systems.

In the future, ATT&CK will also incorporate container technologies. MITRE has already released ATT&CK for Containers matrix and will be incorporating feedback for future releases, the organization says.

Editor’s note: This article was updated to correct an error regarding when Linux will be explicitly supported in the ATT&CK framework. Linux support is planned for October.

The post MITRE Adds MacOS, More Data Types to ATT&CK Framework appeared first on Malware Devil.



https://malwaredevil.com/2021/04/30/mitre-adds-macos-more-data-types-to-attck-framework/?utm_source=rss&utm_medium=rss&utm_campaign=mitre-adds-macos-more-data-types-to-attck-framework

CISA Emergency Directive 21-03: VPN Vulnerabilities Actively Exploited

On April 20, 2021, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) released Alert AA21-110A, Exploitation of Pulse Connect Secure Vulnerabilities, together with Emergency Directive (ED) 21-03, after a FireEye blog post disclosed security incidents involving compromised Pulse Secure VPN appliances. The directive lists the specific actions all US federal agencies must take to mitigate the vulnerabilities and remain in compliance.

The post CISA Emergency Directive 21-03: VPN Vulnerabilities Actively Exploited appeared first on Security Boulevard.

Read More

The post CISA Emergency Directive 21-03: VPN Vulnerabilities Actively Exploited appeared first on Malware Devil.



https://malwaredevil.com/2021/04/30/cisa-emergency-directive-21-03-vpn-vulnerabilities-actively-exploited/?utm_source=rss&utm_medium=rss&utm_campaign=cisa-emergency-directive-21-03-vpn-vulnerabilities-actively-exploited

WeSteal: A Cryptocurrency-Stealing Tool That Does Just That

The developer of the WeSteal cryptocurrency stealer can’t be bothered with fancy talk: they say flat-out that it’s “the leading way to make money in 2021”.
Read More

The post WeSteal: A Cryptocurrency-Stealing Tool That Does Just That appeared first on Malware Devil.



https://malwaredevil.com/2021/04/30/westeal-a-cryptocurrency-stealing-tool-that-does-just-that/?utm_source=rss&utm_medium=rss&utm_campaign=westeal-a-cryptocurrency-stealing-tool-that-does-just-that

ESB-2021.1478 – [Win][UNIX/Linux][SUSE] samba: Multiple vulnerabilities

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1478
Security update for samba
30 April 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product:           samba
Publisher:         SUSE
Operating System:  SUSE
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Unauthorised Access -- Existing Account
                   Reduced Security    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20254

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20211442-1
https://www.suse.com/support/update/announcement/2021/suse-su-20211438-1
https://www.suse.com/support/update/announcement/2021/suse-su-202114709-1
https://www.suse.com/support/update/announcement/2021/suse-su-20211439-1

Comment: This bulletin contains four (4) SUSE security advisories.

This advisory references vulnerabilities in products which run on
platforms other than SUSE. It is recommended that administrators
running samba check for an updated version of the software for their
operating system.

– ————————–BEGIN INCLUDED TEXT——————–

SUSE Security Update: Security update for samba

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1442-1
Rating: important
References: #1184677
Cross-References: CVE-2021-20254
Affected Products:
SUSE Linux Enterprise Server 12-SP2-LTSS-SAP
SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON
SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for samba fixes the following issues:

o CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise Server 12-SP2-LTSS-SAP:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1442=1
o SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1442=1
o SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1442=1

Package List:

o SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64):
libdcerpc-atsvc0-4.2.4-28.39.1
libdcerpc-atsvc0-debuginfo-4.2.4-28.39.1
o SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64):
libdcerpc-atsvc0-4.2.4-28.39.1
libdcerpc-atsvc0-debuginfo-4.2.4-28.39.1
o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
libdcerpc-atsvc0-4.2.4-28.39.1
libdcerpc-atsvc0-debuginfo-4.2.4-28.39.1

References:

o https://www.suse.com/security/cve/CVE-2021-20254.html
o https://bugzilla.suse.com/1184677

– ——————————————————————————–

SUSE Security Update: Security update for samba

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1438-1
Rating: important
References: #1178469 #1179156 #1184677
Cross-References: CVE-2021-20254
Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update for samba fixes the following issues:

o CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
o Avoid free’ing our own pointer in memcache when memcache_trim attempts to
reduce cache size (bsc#1179156).
o Adjust smbcacls '--propagate-inheritance' feature to align with upstream
(bsc#1178469).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1438=1
o SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1438=1
o SUSE Linux Enterprise High Availability 12-SP5:
zypper in -t patch SUSE-SLE-HA-12-SP5-2021-1438=1

Package List:

o SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le
s390x x86_64):
libndr-devel-4.10.18+git.269.dd608524c88-3.27.1
libndr-krb5pac-devel-4.10.18+git.269.dd608524c88-3.27.1
libndr-nbt-devel-4.10.18+git.269.dd608524c88-3.27.1
libndr-standard-devel-4.10.18+git.269.dd608524c88-3.27.1
libsamba-util-devel-4.10.18+git.269.dd608524c88-3.27.1
libsmbclient-devel-4.10.18+git.269.dd608524c88-3.27.1
libwbclient-devel-4.10.18+git.269.dd608524c88-3.27.1
samba-core-devel-4.10.18+git.269.dd608524c88-3.27.1
samba-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
samba-debugsource-4.10.18+git.269.dd608524c88-3.27.1
o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
libdcerpc-binding0-4.10.18+git.269.dd608524c88-3.27.1
libdcerpc-binding0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libdcerpc0-4.10.18+git.269.dd608524c88-3.27.1
libdcerpc0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libndr-krb5pac0-4.10.18+git.269.dd608524c88-3.27.1
libndr-krb5pac0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libndr-nbt0-4.10.18+git.269.dd608524c88-3.27.1
libndr-nbt0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libndr-standard0-4.10.18+git.269.dd608524c88-3.27.1
libndr-standard0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libndr0-4.10.18+git.269.dd608524c88-3.27.1
libndr0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libnetapi0-4.10.18+git.269.dd608524c88-3.27.1
libnetapi0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libsamba-credentials0-4.10.18+git.269.dd608524c88-3.27.1
libsamba-credentials0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libsamba-errors0-4.10.18+git.269.dd608524c88-3.27.1
libsamba-errors0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libsamba-hostconfig0-4.10.18+git.269.dd608524c88-3.27.1
libsamba-hostconfig0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libsamba-passdb0-4.10.18+git.269.dd608524c88-3.27.1
libsamba-passdb0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libsamba-util0-4.10.18+git.269.dd608524c88-3.27.1
libsamba-util0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libsamdb0-4.10.18+git.269.dd608524c88-3.27.1
libsamdb0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libsmbclient0-4.10.18+git.269.dd608524c88-3.27.1
libsmbclient0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libsmbconf0-4.10.18+git.269.dd608524c88-3.27.1
libsmbconf0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libsmbldap2-4.10.18+git.269.dd608524c88-3.27.1
libsmbldap2-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libtevent-util0-4.10.18+git.269.dd608524c88-3.27.1
libtevent-util0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
libwbclient0-4.10.18+git.269.dd608524c88-3.27.1
libwbclient0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
samba-4.10.18+git.269.dd608524c88-3.27.1
samba-client-4.10.18+git.269.dd608524c88-3.27.1
samba-client-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
samba-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
samba-debugsource-4.10.18+git.269.dd608524c88-3.27.1
samba-libs-4.10.18+git.269.dd608524c88-3.27.1
samba-libs-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
samba-libs-python3-4.10.18+git.269.dd608524c88-3.27.1
samba-libs-python3-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
samba-winbind-4.10.18+git.269.dd608524c88-3.27.1
samba-winbind-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
o SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
libdcerpc-binding0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libdcerpc-binding0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libdcerpc0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libdcerpc0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libndr-krb5pac0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libndr-krb5pac0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libndr-nbt0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libndr-nbt0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libndr-standard0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libndr-standard0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libndr0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libndr0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libnetapi0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libnetapi0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamba-credentials0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamba-credentials0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamba-errors0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamba-errors0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamba-hostconfig0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamba-hostconfig0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamba-passdb0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamba-passdb0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamba-util0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamba-util0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamdb0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsamdb0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsmbclient0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsmbclient0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsmbconf0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsmbconf0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsmbldap2-32bit-4.10.18+git.269.dd608524c88-3.27.1
libsmbldap2-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libtevent-util0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libtevent-util0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
libwbclient0-32bit-4.10.18+git.269.dd608524c88-3.27.1
libwbclient0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
samba-client-32bit-4.10.18+git.269.dd608524c88-3.27.1
samba-client-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
samba-libs-32bit-4.10.18+git.269.dd608524c88-3.27.1
samba-libs-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
samba-libs-python3-32bit-4.10.18+git.269.dd608524c88-3.27.1
samba-libs-python3-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
samba-winbind-32bit-4.10.18+git.269.dd608524c88-3.27.1
samba-winbind-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1
o SUSE Linux Enterprise Server 12-SP5 (noarch):
samba-doc-4.10.18+git.269.dd608524c88-3.27.1
o SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):
ctdb-4.10.18+git.269.dd608524c88-3.27.1
ctdb-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
samba-debuginfo-4.10.18+git.269.dd608524c88-3.27.1
samba-debugsource-4.10.18+git.269.dd608524c88-3.27.1

References:

o https://www.suse.com/security/cve/CVE-2021-20254.html
o https://bugzilla.suse.com/1178469
o https://bugzilla.suse.com/1179156
o https://bugzilla.suse.com/1184677

– ——————————————————————————–

SUSE Security Update: Security update for samba

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14709-1
Rating: important
References: #1178469 #1184677
Cross-References: CVE-2021-20254
Affected Products:
SUSE Linux Enterprise Server 11-SP4-LTSS
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for samba fixes the following issues:

o CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
o Adjust smbcacls '--propagate-inheritance' feature to align with upstream
(bsc#1178469).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise Server 11-SP4-LTSS:
zypper in -t patch slessp4-samba-14709=1
o SUSE Linux Enterprise Point of Sale 11-SP3:
zypper in -t patch sleposp3-samba-14709=1
o SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-samba-14709=1
o SUSE Linux Enterprise Debuginfo 11-SP3:
zypper in -t patch dbgsp3-samba-14709=1

Package List:

o SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
ldapsmb-1.34b-94.34.1
libldb1-3.6.3-94.34.1
libsmbclient0-3.6.3-94.34.1
libtalloc2-3.6.3-94.34.1
libtdb1-3.6.3-94.34.1
libtevent0-3.6.3-94.34.1
libwbclient0-3.6.3-94.34.1
samba-3.6.3-94.34.1
samba-client-3.6.3-94.34.1
samba-krb-printing-3.6.3-94.34.1
samba-winbind-3.6.3-94.34.1
o SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
libsmbclient0-32bit-3.6.3-94.34.1
libtalloc2-32bit-3.6.3-94.34.1
libtdb1-32bit-3.6.3-94.34.1
libtevent0-32bit-3.6.3-94.34.1
libwbclient0-32bit-3.6.3-94.34.1
samba-32bit-3.6.3-94.34.1
samba-client-32bit-3.6.3-94.34.1
samba-winbind-32bit-3.6.3-94.34.1
o SUSE Linux Enterprise Server 11-SP4-LTSS (noarch):
samba-doc-3.6.3-94.34.1
o SUSE Linux Enterprise Point of Sale 11-SP3 (noarch):
samba-doc-3.6.3-94.34.1
o SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
ldapsmb-1.34b-94.34.1
libldb1-3.6.3-94.34.1
libsmbclient0-3.6.3-94.34.1
libtalloc2-3.6.3-94.34.1
libtdb1-3.6.3-94.34.1
libtevent0-3.6.3-94.34.1
libwbclient0-3.6.3-94.34.1
samba-3.6.3-94.34.1
samba-client-3.6.3-94.34.1
samba-krb-printing-3.6.3-94.34.1
samba-winbind-3.6.3-94.34.1
o SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
samba-debuginfo-3.6.3-94.34.1
samba-debugsource-3.6.3-94.34.1
o SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):
samba-debuginfo-32bit-3.6.3-94.34.1
o SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
samba-debuginfo-3.6.3-94.34.1
samba-debugsource-3.6.3-94.34.1
o SUSE Linux Enterprise Debuginfo 11-SP3 (s390x):
samba-debuginfo-32bit-3.6.3-94.34.1

References:

o https://www.suse.com/security/cve/CVE-2021-20254.html
o https://bugzilla.suse.com/1178469
o https://bugzilla.suse.com/1184677

– ——————————————————————————–

SUSE Security Update: Security update for samba

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1439-1
Rating: important
References: #1178469 #1184677
Cross-References: CVE-2021-20254
Affected Products:
SUSE Linux Enterprise Server 12-SP2-LTSS-SAP
SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON
SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for samba fixes the following issues:

o CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
o Adjust smbcacls '--propagate-inheritance' feature to align with upstream
(bsc#1178469).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise Server 12-SP2-LTSS-SAP:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1439=1
o SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1439=1
o SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1439=1

Package List:

o SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (noarch):
samba-doc-4.4.2-38.42.1
o SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64):
ctdb-4.4.2-38.42.1
ctdb-debuginfo-4.4.2-38.42.1
libdcerpc-binding0-32bit-4.4.2-38.42.1
libdcerpc-binding0-4.4.2-38.42.1
libdcerpc-binding0-debuginfo-32bit-4.4.2-38.42.1
libdcerpc-binding0-debuginfo-4.4.2-38.42.1
libdcerpc0-32bit-4.4.2-38.42.1
libdcerpc0-4.4.2-38.42.1
libdcerpc0-debuginfo-32bit-4.4.2-38.42.1
libdcerpc0-debuginfo-4.4.2-38.42.1
libndr-krb5pac0-32bit-4.4.2-38.42.1
libndr-krb5pac0-4.4.2-38.42.1
libndr-krb5pac0-debuginfo-32bit-4.4.2-38.42.1
libndr-krb5pac0-debuginfo-4.4.2-38.42.1
libndr-nbt0-32bit-4.4.2-38.42.1
libndr-nbt0-4.4.2-38.42.1
libndr-nbt0-debuginfo-32bit-4.4.2-38.42.1
libndr-nbt0-debuginfo-4.4.2-38.42.1
libndr-standard0-32bit-4.4.2-38.42.1
libndr-standard0-4.4.2-38.42.1
libndr-standard0-debuginfo-32bit-4.4.2-38.42.1
libndr-standard0-debuginfo-4.4.2-38.42.1
libndr0-32bit-4.4.2-38.42.1
libndr0-4.4.2-38.42.1
libndr0-debuginfo-32bit-4.4.2-38.42.1
libndr0-debuginfo-4.4.2-38.42.1
libnetapi0-32bit-4.4.2-38.42.1
libnetapi0-4.4.2-38.42.1
libnetapi0-debuginfo-32bit-4.4.2-38.42.1
libnetapi0-debuginfo-4.4.2-38.42.1
libsamba-credentials0-32bit-4.4.2-38.42.1
libsamba-credentials0-4.4.2-38.42.1
libsamba-credentials0-debuginfo-32bit-4.4.2-38.42.1
libsamba-credentials0-debuginfo-4.4.2-38.42.1
libsamba-errors0-32bit-4.4.2-38.42.1
libsamba-errors0-4.4.2-38.42.1
libsamba-errors0-debuginfo-32bit-4.4.2-38.42.1
libsamba-errors0-debuginfo-4.4.2-38.42.1
libsamba-hostconfig0-32bit-4.4.2-38.42.1
libsamba-hostconfig0-4.4.2-38.42.1
libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.42.1
libsamba-hostconfig0-debuginfo-4.4.2-38.42.1
libsamba-passdb0-32bit-4.4.2-38.42.1
libsamba-passdb0-4.4.2-38.42.1
libsamba-passdb0-debuginfo-32bit-4.4.2-38.42.1
libsamba-passdb0-debuginfo-4.4.2-38.42.1
libsamba-util0-32bit-4.4.2-38.42.1
libsamba-util0-4.4.2-38.42.1
libsamba-util0-debuginfo-32bit-4.4.2-38.42.1
libsamba-util0-debuginfo-4.4.2-38.42.1
libsamdb0-32bit-4.4.2-38.42.1
libsamdb0-4.4.2-38.42.1
libsamdb0-debuginfo-32bit-4.4.2-38.42.1
libsamdb0-debuginfo-4.4.2-38.42.1
libsmbclient0-32bit-4.4.2-38.42.1
libsmbclient0-4.4.2-38.42.1
libsmbclient0-debuginfo-32bit-4.4.2-38.42.1
libsmbclient0-debuginfo-4.4.2-38.42.1
libsmbconf0-32bit-4.4.2-38.42.1
libsmbconf0-4.4.2-38.42.1
libsmbconf0-debuginfo-32bit-4.4.2-38.42.1
libsmbconf0-debuginfo-4.4.2-38.42.1
libsmbldap0-32bit-4.4.2-38.42.1
libsmbldap0-4.4.2-38.42.1
libsmbldap0-debuginfo-32bit-4.4.2-38.42.1
libsmbldap0-debuginfo-4.4.2-38.42.1
libtevent-util0-32bit-4.4.2-38.42.1
libtevent-util0-4.4.2-38.42.1
libtevent-util0-debuginfo-32bit-4.4.2-38.42.1
libtevent-util0-debuginfo-4.4.2-38.42.1
libwbclient0-32bit-4.4.2-38.42.1
libwbclient0-4.4.2-38.42.1
libwbclient0-debuginfo-32bit-4.4.2-38.42.1
libwbclient0-debuginfo-4.4.2-38.42.1
samba-4.4.2-38.42.1
samba-client-32bit-4.4.2-38.42.1
samba-client-4.4.2-38.42.1
samba-client-debuginfo-32bit-4.4.2-38.42.1
samba-client-debuginfo-4.4.2-38.42.1
samba-debuginfo-4.4.2-38.42.1
samba-debugsource-4.4.2-38.42.1
samba-libs-32bit-4.4.2-38.42.1
samba-libs-4.4.2-38.42.1
samba-libs-debuginfo-32bit-4.4.2-38.42.1
samba-libs-debuginfo-4.4.2-38.42.1
samba-winbind-32bit-4.4.2-38.42.1
samba-winbind-4.4.2-38.42.1
samba-winbind-debuginfo-32bit-4.4.2-38.42.1
samba-winbind-debuginfo-4.4.2-38.42.1
o SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (noarch):
samba-doc-4.4.2-38.42.1
o SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64):
ctdb-4.4.2-38.42.1
ctdb-debuginfo-4.4.2-38.42.1
libdcerpc-binding0-32bit-4.4.2-38.42.1
libdcerpc-binding0-4.4.2-38.42.1
libdcerpc-binding0-debuginfo-32bit-4.4.2-38.42.1
libdcerpc-binding0-debuginfo-4.4.2-38.42.1
libdcerpc0-32bit-4.4.2-38.42.1
libdcerpc0-4.4.2-38.42.1
libdcerpc0-debuginfo-32bit-4.4.2-38.42.1
libdcerpc0-debuginfo-4.4.2-38.42.1
libndr-krb5pac0-32bit-4.4.2-38.42.1
libndr-krb5pac0-4.4.2-38.42.1
libndr-krb5pac0-debuginfo-32bit-4.4.2-38.42.1
libndr-krb5pac0-debuginfo-4.4.2-38.42.1
libndr-nbt0-32bit-4.4.2-38.42.1
libndr-nbt0-4.4.2-38.42.1
libndr-nbt0-debuginfo-32bit-4.4.2-38.42.1
libndr-nbt0-debuginfo-4.4.2-38.42.1
libndr-standard0-32bit-4.4.2-38.42.1
libndr-standard0-4.4.2-38.42.1
libndr-standard0-debuginfo-32bit-4.4.2-38.42.1
libndr-standard0-debuginfo-4.4.2-38.42.1
libndr0-32bit-4.4.2-38.42.1
libndr0-4.4.2-38.42.1
libndr0-debuginfo-32bit-4.4.2-38.42.1
libndr0-debuginfo-4.4.2-38.42.1
libnetapi0-32bit-4.4.2-38.42.1
libnetapi0-4.4.2-38.42.1
libnetapi0-debuginfo-32bit-4.4.2-38.42.1
libnetapi0-debuginfo-4.4.2-38.42.1
libsamba-credentials0-32bit-4.4.2-38.42.1
libsamba-credentials0-4.4.2-38.42.1
libsamba-credentials0-debuginfo-32bit-4.4.2-38.42.1
libsamba-credentials0-debuginfo-4.4.2-38.42.1
libsamba-errors0-32bit-4.4.2-38.42.1
libsamba-errors0-4.4.2-38.42.1
libsamba-errors0-debuginfo-32bit-4.4.2-38.42.1
libsamba-errors0-debuginfo-4.4.2-38.42.1
libsamba-hostconfig0-32bit-4.4.2-38.42.1
libsamba-hostconfig0-4.4.2-38.42.1
libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.42.1
libsamba-hostconfig0-debuginfo-4.4.2-38.42.1
libsamba-passdb0-32bit-4.4.2-38.42.1
libsamba-passdb0-4.4.2-38.42.1
libsamba-passdb0-debuginfo-32bit-4.4.2-38.42.1
libsamba-passdb0-debuginfo-4.4.2-38.42.1
libsamba-util0-32bit-4.4.2-38.42.1
libsamba-util0-4.4.2-38.42.1
libsamba-util0-debuginfo-32bit-4.4.2-38.42.1
libsamba-util0-debuginfo-4.4.2-38.42.1
libsamdb0-32bit-4.4.2-38.42.1
libsamdb0-4.4.2-38.42.1
libsamdb0-debuginfo-32bit-4.4.2-38.42.1
libsamdb0-debuginfo-4.4.2-38.42.1
libsmbclient0-32bit-4.4.2-38.42.1
libsmbclient0-4.4.2-38.42.1
libsmbclient0-debuginfo-32bit-4.4.2-38.42.1
libsmbclient0-debuginfo-4.4.2-38.42.1
libsmbconf0-32bit-4.4.2-38.42.1
libsmbconf0-4.4.2-38.42.1
libsmbconf0-debuginfo-32bit-4.4.2-38.42.1
libsmbconf0-debuginfo-4.4.2-38.42.1
libsmbldap0-32bit-4.4.2-38.42.1
libsmbldap0-4.4.2-38.42.1
libsmbldap0-debuginfo-32bit-4.4.2-38.42.1
libsmbldap0-debuginfo-4.4.2-38.42.1
libtevent-util0-32bit-4.4.2-38.42.1
libtevent-util0-4.4.2-38.42.1
libtevent-util0-debuginfo-32bit-4.4.2-38.42.1
libtevent-util0-debuginfo-4.4.2-38.42.1
libwbclient0-32bit-4.4.2-38.42.1
libwbclient0-4.4.2-38.42.1
libwbclient0-debuginfo-32bit-4.4.2-38.42.1
libwbclient0-debuginfo-4.4.2-38.42.1
samba-4.4.2-38.42.1
samba-client-32bit-4.4.2-38.42.1
samba-client-4.4.2-38.42.1
samba-client-debuginfo-32bit-4.4.2-38.42.1
samba-client-debuginfo-4.4.2-38.42.1
samba-debuginfo-4.4.2-38.42.1
samba-debugsource-4.4.2-38.42.1
samba-libs-32bit-4.4.2-38.42.1
samba-libs-4.4.2-38.42.1
samba-libs-debuginfo-32bit-4.4.2-38.42.1
samba-libs-debuginfo-4.4.2-38.42.1
samba-winbind-32bit-4.4.2-38.42.1
samba-winbind-4.4.2-38.42.1
samba-winbind-debuginfo-32bit-4.4.2-38.42.1
samba-winbind-debuginfo-4.4.2-38.42.1
o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
libdcerpc-binding0-32bit-4.4.2-38.42.1
libdcerpc-binding0-4.4.2-38.42.1
libdcerpc-binding0-debuginfo-32bit-4.4.2-38.42.1
libdcerpc-binding0-debuginfo-4.4.2-38.42.1
libdcerpc0-32bit-4.4.2-38.42.1
libdcerpc0-4.4.2-38.42.1
libdcerpc0-debuginfo-32bit-4.4.2-38.42.1
libdcerpc0-debuginfo-4.4.2-38.42.1
libndr-krb5pac0-32bit-4.4.2-38.42.1
libndr-krb5pac0-4.4.2-38.42.1
libndr-krb5pac0-debuginfo-32bit-4.4.2-38.42.1
libndr-krb5pac0-debuginfo-4.4.2-38.42.1
libndr-nbt0-32bit-4.4.2-38.42.1
libndr-nbt0-4.4.2-38.42.1
libndr-nbt0-debuginfo-32bit-4.4.2-38.42.1
libndr-nbt0-debuginfo-4.4.2-38.42.1
libndr-standard0-32bit-4.4.2-38.42.1
libndr-standard0-4.4.2-38.42.1
libndr-standard0-debuginfo-32bit-4.4.2-38.42.1
libndr-standard0-debuginfo-4.4.2-38.42.1
libndr0-32bit-4.4.2-38.42.1
libndr0-4.4.2-38.42.1
libndr0-debuginfo-32bit-4.4.2-38.42.1
libndr0-debuginfo-4.4.2-38.42.1
libnetapi0-32bit-4.4.2-38.42.1
libnetapi0-4.4.2-38.42.1
libnetapi0-debuginfo-32bit-4.4.2-38.42.1
libnetapi0-debuginfo-4.4.2-38.42.1
libsamba-credentials0-32bit-4.4.2-38.42.1
libsamba-credentials0-4.4.2-38.42.1
libsamba-credentials0-debuginfo-32bit-4.4.2-38.42.1
libsamba-credentials0-debuginfo-4.4.2-38.42.1
libsamba-errors0-32bit-4.4.2-38.42.1
libsamba-errors0-4.4.2-38.42.1
libsamba-errors0-debuginfo-32bit-4.4.2-38.42.1
libsamba-errors0-debuginfo-4.4.2-38.42.1
libsamba-hostconfig0-32bit-4.4.2-38.42.1
libsamba-hostconfig0-4.4.2-38.42.1
libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.42.1
libsamba-hostconfig0-debuginfo-4.4.2-38.42.1
libsamba-passdb0-32bit-4.4.2-38.42.1
libsamba-passdb0-4.4.2-38.42.1
libsamba-passdb0-debuginfo-32bit-4.4.2-38.42.1
libsamba-passdb0-debuginfo-4.4.2-38.42.1
libsamba-util0-32bit-4.4.2-38.42.1
libsamba-util0-4.4.2-38.42.1
libsamba-util0-debuginfo-32bit-4.4.2-38.42.1
libsamba-util0-debuginfo-4.4.2-38.42.1
libsamdb0-32bit-4.4.2-38.42.1
libsamdb0-4.4.2-38.42.1
libsamdb0-debuginfo-32bit-4.4.2-38.42.1
libsamdb0-debuginfo-4.4.2-38.42.1
libsmbclient0-32bit-4.4.2-38.42.1
libsmbclient0-4.4.2-38.42.1
libsmbclient0-debuginfo-32bit-4.4.2-38.42.1
libsmbclient0-debuginfo-4.4.2-38.42.1
libsmbconf0-32bit-4.4.2-38.42.1
libsmbconf0-4.4.2-38.42.1
libsmbconf0-debuginfo-32bit-4.4.2-38.42.1
libsmbconf0-debuginfo-4.4.2-38.42.1
libsmbldap0-32bit-4.4.2-38.42.1
libsmbldap0-4.4.2-38.42.1
libsmbldap0-debuginfo-32bit-4.4.2-38.42.1
libsmbldap0-debuginfo-4.4.2-38.42.1
libtevent-util0-32bit-4.4.2-38.42.1
libtevent-util0-4.4.2-38.42.1
libtevent-util0-debuginfo-32bit-4.4.2-38.42.1
libtevent-util0-debuginfo-4.4.2-38.42.1
libwbclient0-32bit-4.4.2-38.42.1
libwbclient0-4.4.2-38.42.1
libwbclient0-debuginfo-32bit-4.4.2-38.42.1
libwbclient0-debuginfo-4.4.2-38.42.1
samba-4.4.2-38.42.1
samba-client-32bit-4.4.2-38.42.1
samba-client-4.4.2-38.42.1
samba-client-debuginfo-32bit-4.4.2-38.42.1
samba-client-debuginfo-4.4.2-38.42.1
samba-debuginfo-4.4.2-38.42.1
samba-debugsource-4.4.2-38.42.1
samba-libs-32bit-4.4.2-38.42.1
samba-libs-4.4.2-38.42.1
samba-libs-debuginfo-32bit-4.4.2-38.42.1
samba-libs-debuginfo-4.4.2-38.42.1
samba-winbind-32bit-4.4.2-38.42.1
samba-winbind-4.4.2-38.42.1
samba-winbind-debuginfo-32bit-4.4.2-38.42.1
samba-winbind-debuginfo-4.4.2-38.42.1
o SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
samba-doc-4.4.2-38.42.1

References:

o https://www.suse.com/security/cve/CVE-2021-20254.html
o https://bugzilla.suse.com/1178469
o https://bugzilla.suse.com/1184677

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
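
The following check is an added example and is not part of the SUSE or AusCERT bulletin. It compares the packages installed on a host against the fixed versions listed in the package lists above, so an administrator can confirm that `zypper patch` actually brought every affected samba package up to the fixed build. It assumes input in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output (name-version-release, no architecture suffix, which matches the advisory's own package list), ignores epochs (these samba packages carry none), and uses a simplified port of rpm's `rpmvercmp` segment comparison that handles digit runs, letter runs and the `~` pre-release marker but not `^`. The installed-package list embedded in the script is constructed, with two packages deliberately left at an older, made-up build so the check has something to flag.

```python
"""
Check installed SUSE packages against the fixed versions in a security advisory.

Added example, not part of the SUSE/AusCERT bulletin. Assumptions:
  * input lines look like `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output
    (name-version-release, no arch), which matches the advisory's package list;
  * epochs are ignored (these samba packages have none);
  * rpmvercmp() below is a simplified port of rpm's segment comparison: it
    handles digit runs, letter runs and the '~' pre-release marker, not '^'.
"""
import re
import sys
from itertools import zip_longest

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # '.', '-', '+' and the like are separators only


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version/release string a is older, equal or newer than b."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == "~" or y == "~":
            if x != y:                      # '~' sorts before anything, even the end
                return -1 if x == "~" else 1
            continue
        if x is None or y is None:          # one side ran out of segments;
            return -1 if x is None else 1   # the side with segments left is newer
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1       # a numeric segment beats an alpha one
        if x_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def split_nvr(line: str):
    """'samba-libs-python3-4.10.18+git.269.dd608524c88-3.27.1' -> (name, version, release).
    Version and release never contain '-', so splitting on the last two hyphens is safe."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def parse_package_list(text: str) -> dict:
    """{name: (version, release)} from newline-separated name-version-release lines."""
    return {n: (v, r) for n, v, r in (split_nvr(l) for l in text.splitlines() if l.strip())}


def vr_cmp(a, b) -> int:
    """Compare (version, release) tuples: version first, release breaks ties."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])


def vulnerable_packages(installed_text: str, advisory_text: str) -> dict:
    """Advisory packages that are installed at a version older than the fixed one.
    Returns {name: (installed (v, r), fixed (v, r))}. Advisory packages that are
    not installed at all are not a finding."""
    installed = parse_package_list(installed_text)
    fixed = parse_package_list(advisory_text)
    return {
        name: (installed[name], fixed_vr)
        for name, fixed_vr in fixed.items()
        if name in installed and vr_cmp(installed[name], fixed_vr) < 0
    }


# Fixed builds for SLES 12-SP5, copied from the SUSE-SU-2021:1438-1 package list.
ADVISORY_SLES12SP5 = """
samba-4.10.18+git.269.dd608524c88-3.27.1
samba-client-4.10.18+git.269.dd608524c88-3.27.1
samba-libs-4.10.18+git.269.dd608524c88-3.27.1
samba-libs-python3-4.10.18+git.269.dd608524c88-3.27.1
samba-winbind-4.10.18+git.269.dd608524c88-3.27.1
libwbclient0-4.10.18+git.269.dd608524c88-3.27.1
"""

# CONSTRUCTED `rpm -qa` excerpt: two packages still at an older, made-up build,
# one unrelated package, and samba-winbind not installed at all.
INSTALLED_SAMPLE = """
samba-4.10.18+git.269.dd608524c88-3.27.1
samba-client-4.10.18+git.247.0123456789a-3.24.1
samba-libs-4.10.18+git.247.0123456789a-3.24.1
samba-libs-python3-4.10.18+git.269.dd608524c88-3.27.1
libwbclient0-4.10.18+git.269.dd608524c88-3.27.1
openssh-7.2p2-74.81.1
"""

if __name__ == "__main__":
    # Real use: pass a file produced by the rpm query above; the sample stands in otherwise.
    installed = open(sys.argv[1]).read() if len(sys.argv) > 1 else INSTALLED_SAMPLE
    findings = vulnerable_packages(installed, ADVISORY_SLES12SP5)
    for name, (have, want) in sorted(findings.items()):
        print(f"{name}: installed {have[0]}-{have[1]}, fixed in {want[0]}-{want[1]}")
    if not findings:
        print("all advisory packages installed at or above the fixed build")
```

Swap in the package list for your own product from the bulletin above; a package that is listed in the advisory but absent from the host is not a finding, while an installed package older than the fixed build is.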

Read More

The post ESB-2021.1478 – [Win][UNIX/Linux][SUSE] samba: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/04/30/esb-2021-1478-winunix-linuxsuse-samba-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1478-winunix-linuxsuse-samba-multiple-vulnerabilities

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...