Malware Devil

Tuesday, July 6, 2021

Western Digital Users Face Another RCE

Say hello to one more zero-day and yet more potential remote data death for those who can’t/won’t upgrade their My Cloud storage devices.

The post Western Digital Users Face Another RCE appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/western-digital-users-face-another-rce/?utm_source=rss&utm_medium=rss&utm_campaign=western-digital-users-face-another-rce

Kaseya Patches Imminent After Zero-Day Exploits, 1,500 Impacted

REvil ransomware gang lowers price for universal decryptor after massive worldwide ransomware push against Kaseya security vulnerability CVE-2021-30116.

The post Kaseya Patches Imminent After Zero-Day Exploits, 1,500 Impacted appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/kaseya-patches-imminent-after-zero-day-exploits-1500-impacted/?utm_source=rss&utm_medium=rss&utm_campaign=kaseya-patches-imminent-after-zero-day-exploits-1500-impacted

REvil Makes Monkeys out of Kaseya Customers

Over the long weekend, a huge ransomware attack emerged. Kaseya seems to have been the common component.

The post REvil Makes Monkeys out of Kaseya Customers appeared first on Security Boulevard.


The post REvil Makes Monkeys out of Kaseya Customers appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/revil-makes-monkeys-out-of-kaseya-customers/?utm_source=rss&utm_medium=rss&utm_campaign=revil-makes-monkeys-out-of-kaseya-customers

[Control Systems] Moxa Security Advisor

Identifier: AV21-314

The post [Control Systems] Moxa Security Advisor appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/control-systems-moxa-security-advisor/?utm_source=rss&utm_medium=rss&utm_campaign=control-systems-moxa-security-advisor

Python DLL Injection Check, (Tue, Jul 6th)

There are many security tools that inject DLLs into processes running on a Windows system. The classic examples are anti-virus products: they inject plenty of code that, combined with API hooking, implements security checks. Injected DLLs can be detected, and doing so is a common anti-debugging or evasion technique implemented by many malware samples. If you’re interested in such techniques, they are covered in the FOR610[1] training. The detection relies on a specific API call, GetModuleFileName()[2]. The function expects the following parameters: a handle (pointer) to a process and the name of the DLL to check. Malware samples list all running processes, get a handle on each of them, and search for interesting DLL names. To get the handle, the OpenProcess()[3] API call must use the following access flag (0x0410 – PROCESS_VM_READ|PROCESS_QUERY_INFORMATION).

Today, I found a Python script that implements this technique. Note that the script just borrows and obfuscates a snippet of code that has been available on github.com[4] for a while. The list of DLLs is a bit outdated but remains valid.

import win32api
import win32process

LRazMCgmBIhqNsJ= []   # evidence list: full paths of matching DLLs found in any process
wqeltyA = ["sbiedll.dll","api_log.dll","dir_watch.dll","pstorec.dll","vmcheck.dll","wpespy.dll"]   # sandbox/analysis DLL names
eDbscqrrt= win32process.EnumProcesses()   # PIDs of all running processes
for mbPLkF in eDbscqrrt:
    try:
        # 0x0410 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
        mhEIFoBo = win32api.OpenProcess(0x0410, 0, mbPLkF)
        try:
            JoKxLLHnpg= win32process.EnumProcessModules(mhEIFoBo)
            for qGvSyMSQH in JoKxLLHnpg:
                XFUQQonQDUFW= str(win32process.GetModuleFileNameEx(mhEIFoBo, qGvSyMSQH)).lower()
                for yeksLrlmxhewfzF in wqeltyA:
                    if yeksLrlmxhewfzF in XFUQQonQDUFW:
                        if XFUQQonQDUFW not in LRazMCgmBIhqNsJ:
                            LRazMCgmBIhqNsJ.append(XFUQQonQDUFW)
        finally:
            win32api.CloseHandle(mbPLkF)   # the sample passes the PID here rather than the handle
    except:
        pass
if not LRazMCgmBIhqNsJ:

If the array LRazMCgmBIhqNsJ is still empty, no suspicious (from a malware point of view) DLL has been found and the execution continues…

The sample received a nice VT score of 4/59 (SHA256:b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334)[5]. Another good example of Python integration with the Windows API!
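A defender-side counterpart to the sample above, added here as an example (it is not code from the diary or from the CheckPlease project): a static triage check that parses a Python sample with the standard ast module and looks for the three things identifier obfuscation cannot hide, namely the sandbox DLL name strings, the 0x0410 OpenProcess access mask and the module-enumeration API names. The embedded inputs are the diary's snippet (with a pass body added so its dangling final if parses) and a constructed benign script that enumerates processes without the rest of the pattern.

```python
import ast

# DLL names the diary's sample looks for (sandbox / analysis tooling).
SANDBOX_DLLS = {"sbiedll.dll", "api_log.dll", "dir_watch.dll",
                "pstorec.dll", "vmcheck.dll", "wpespy.dll"}

# OpenProcess access rights the technique needs: 0x0410.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
EXPECTED_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION  # 0x0410

# Process/module enumeration calls the technique cannot do without.
MODULE_ENUM_APIS = {"EnumProcesses", "EnumProcessModules",
                    "GetModuleFileNameEx", "GetModuleFileName"}


def _call_name(node):
    """Return the final name of a call target, e.g. 'OpenProcess' for
    win32api.OpenProcess(...), or None when the target is not a plain name."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def extract_indicators(source):
    """Walk the AST of a Python sample and collect the three indicators:
    sandbox DLL string literals, OpenProcess access masks, enumeration APIs.
    Variable names are ignored, so renaming them (as the sample did) changes nothing."""
    tree = ast.parse(source)
    found = {"sandbox_dlls": set(), "openprocess_masks": [], "module_apis": set()}
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower() in SANDBOX_DLLS:
                found["sandbox_dlls"].add(node.value.lower())
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name == "OpenProcess" and node.args:
                mask = node.args[0]
                if isinstance(mask, ast.Constant) and isinstance(mask.value, int):
                    found["openprocess_masks"].append(mask.value)
            elif name in MODULE_ENUM_APIS:
                found["module_apis"].add(name)
    return found


def is_sandbox_dll_check(source):
    """True only when the full pattern is present: sandbox DLL names, an
    OpenProcess mask granting VM_READ|QUERY_INFORMATION, and module enumeration."""
    found = extract_indicators(source)
    has_mask = any(m & EXPECTED_MASK == EXPECTED_MASK for m in found["openprocess_masks"])
    enumerates = ("EnumProcessModules" in found["module_apis"]
                  and found["module_apis"] & {"GetModuleFileNameEx", "GetModuleFileName"})
    return bool(found["sandbox_dlls"] and has_mask and enumerates)


# The obfuscated snippet from the diary; the dangling final `if` is given a
# `pass` body here only so the text parses (the diary cut the script off there).
OBFUSCATED_SAMPLE = '''
import win32api
import win32process
LRazMCgmBIhqNsJ= []
wqeltyA = ["sbiedll.dll","api_log.dll","dir_watch.dll","pstorec.dll","vmcheck.dll","wpespy.dll"]
eDbscqrrt= win32process.EnumProcesses()
for mbPLkF in eDbscqrrt:
    try:
        mhEIFoBo = win32api.OpenProcess(0x0410, 0, mbPLkF)
        try:
            JoKxLLHnpg= win32process.EnumProcessModules(mhEIFoBo)
            for qGvSyMSQH in JoKxLLHnpg:
                XFUQQonQDUFW= str(win32process.GetModuleFileNameEx(mhEIFoBo, qGvSyMSQH)).lower()
                for yeksLrlmxhewfzF in wqeltyA:
                    if yeksLrlmxhewfzF in XFUQQonQDUFW:
                        if XFUQQonQDUFW not in LRazMCgmBIhqNsJ:
                            LRazMCgmBIhqNsJ.append(XFUQQonQDUFW)
        finally:
            win32api.CloseHandle(mbPLkF)
    except:
        pass
if not LRazMCgmBIhqNsJ:
    pass
'''

# Constructed benign script: it enumerates processes and reads one module name
# with a query-only mask, so it must not be flagged as the sandbox check.
BENIGN_SAMPLE = '''
import win32api, win32process
for pid in win32process.EnumProcesses():
    h = win32api.OpenProcess(0x0400, 0, pid)
    print(pid, win32process.GetModuleFileNameEx(h, 0))
'''

if __name__ == "__main__":
    print(extract_indicators(OBFUSCATED_SAMPLE))
    print(is_sandbox_dll_check(OBFUSCATED_SAMPLE), is_sandbox_dll_check(BENIGN_SAMPLE))
```

The same check extends to other anti-analysis string sets (VM vendor strings, analysis tool process names) by swapping the literal set, since the AST walk is independent of how the sample names its variables.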

[1] http://for610.com
[2] https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea
[3] https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
[4] https://github.com/Arvanaghi/CheckPlease/blob/master/Python/check_all_DLL_names.py
[5] https://www.virustotal.com/gui/file/b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post Python DLL Injection Check, (Tue, Jul 6th) appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/python-dll-injection-check-tue-jul-6th/?utm_source=rss&utm_medium=rss&utm_campaign=python-dll-injection-check-tue-jul-6th

IBM Security Advisory

Identifier: AV21-314

The post IBM Security Advisory appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/ibm-security-advisory-49/?utm_source=rss&utm_medium=rss&utm_campaign=ibm-security-advisory-49

Zero-Trust at the Data Layer

Often, ideas are ahead of their time. In October 2017, IDC’s Simon Piff and Hugh Ujhazy published a paper positing that data was the new endpoint. There is good chance that, in the near future, they will stand on the same zero-trust pedestal as Forrester’s John Kindervag, who’s credited with creating the zero-trust security model..

The post Zero-Trust at the Data Layer appeared first on Security Boulevard.


The post Zero-Trust at the Data Layer appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/zero-trust-at-the-data-layer/?utm_source=rss&utm_medium=rss&utm_campaign=zero-trust-at-the-data-layer

Reaction to Social Engineering Indicative of Cybersecurity Culture

During COVID-19, threat actors used fear of the virus and hope of a vaccine to trick unwitting victims into downloading malware or giving up their credentials. It was a master class in social engineering, one that put an organization’s security posture at risk. Social engineering attacks like phishing take advantage of an employee’s awareness of..

The post Reaction to Social Engineering Indicative of Cybersecurity Culture appeared first on Security Boulevard.


The post Reaction to Social Engineering Indicative of Cybersecurity Culture appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/reaction-to-social-engineering-indicative-of-cybersecurity-culture/?utm_source=rss&utm_medium=rss&utm_campaign=reaction-to-social-engineering-indicative-of-cybersecurity-culture

ISC Stormcast For Tuesday, July 6th, 2021 https://isc.sans.edu/podcastdetail.html?id=7572, (Tue, Jul 6th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post ISC Stormcast For Tuesday, July 6th, 2021 https://isc.sans.edu/podcastdetail.html?id=7572, (Tue, Jul 6th) appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/isc-stormcast-for-tuesday-july-6th-2021-https-isc-sans-edu-podcastdetail-htmlid7572-tue-jul-6th/?utm_source=rss&utm_medium=rss&utm_campaign=isc-stormcast-for-tuesday-july-6th-2021-https-isc-sans-edu-podcastdetail-htmlid7572-tue-jul-6th

ESB-2021.2317 – [Ubuntu] DjVuLibre: Multiple Vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2317
USN-5005-1: DjVuLibre vulnerability
6 July 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: DjVuLibre
Publisher: Ubuntu
Operating System: Ubuntu
Impact/Access: Execute Arbitrary Code/Commands — Existing Account
Denial of Service — Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-3630

Reference: ESB-2021.2311
ESB-2021.2309

Original Bulletin:
https://ubuntu.com/security/notices/USN-5005-1

– ————————–BEGIN INCLUDED TEXT——————–

USN-5005-1: DjVuLibre vulnerability
05 July 2021

DjVuLibre could be made to crash or execute arbitrary code if it
opened a specially crafted file.
Releases

o Ubuntu 18.04 LTS
o Ubuntu 16.04 ESM

Packages

o djvulibre – DjVu image format library and tools

Details

It was discovered that DjVuLibre incorrectly handled certain djvu files.
An attacker could possibly use this issue to execute arbitrary code or
cause a crash.

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 18.04

o libdjvulibre21 – 3.5.27.1-8ubuntu0.4

Ubuntu 16.04

o libdjvulibre21 – 3.5.27.1-5ubuntu0.1+esm2
Available with UA Infra or UA Desktop

In general, a standard system update will make all the necessary changes.

References

o CVE-2021-3630

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967
—–END PGP SIGNATURE—–


The post ESB-2021.2317 – [Ubuntu] DjVuLibre: Multiple Vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/esb-2021-2317-ubuntu-djvulibre-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2317-ubuntu-djvulibre-multiple-vulnerabilities

ESB-2021.2313 – [Debian] libxstream-java: Execute arbitrary code/commands – Remote/unauthenticated

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2313
libxstream-java security update
6 July 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: libxstream-java
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-29505

Reference: ESB-2021.2179

Original Bulletin:
https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html

– ————————–BEGIN INCLUDED TEXT——————–

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– – ————————————————————————-
Debian LTS Advisory DLA-2704-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
July 05, 2021 https://wiki.debian.org/LTS
– – ————————————————————————-

Package : libxstream-java
Version : 1.4.11.1-1+deb9u3
CVE ID : CVE-2021-29505
Debian Bug : 989491

A vulnerability in XStream, a Java library to serialize objects to and
from XML, may allow a remote attacker to execute commands of the host
only by manipulating the processed input stream.

Note: the XStream project recommends to setup its security framework
with a whitelist limited to the minimal required types, rather than
relying on the black list (which got updated to address this
vulnerability). The project is also phasing out maintenance of the
black list, see https://x-stream.github.io/security.html .

For Debian 9 stretch, this problem has been fixed in version
1.4.11.1-1+deb9u3.

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxstream-java

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
– —–BEGIN PGP SIGNATURE—–
– —–END PGP SIGNATURE—–

– ————————–END INCLUDED TEXT——————–



The post ESB-2021.2313 – [Debian] libxstream-java: Execute arbitrary code/commands – Remote/unauthenticated appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/esb-2021-2313-debian-libxstream-java-execute-arbitrary-code-commands-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2313-debian-libxstream-java-execute-arbitrary-code-commands-remote-unauthenticated

ESB-2021.2314 – [UNIX/Linux][Debian] php7.3: Multiple vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2314
php7.3 security update
6 July 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: php7.3
Publisher: Debian
Operating System: Debian GNU/Linux
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands — Remote/Unauthenticated
Denial of Service — Remote/Unauthenticated
Provide Misleading Information — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-21705 CVE-2021-21704

Original Bulletin:
https://lists.debian.org/debian-security-announce/2021/msg00118.html

Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running php7.3 check for an updated version of the software for
their operating system.

– ————————–BEGIN INCLUDED TEXT——————–

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– – ————————————————————————-
Debian Security Advisory DSA-4935-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 05, 2021 https://www.debian.org/security/faq
– – ————————————————————————-

Package : php7.3
CVE ID : CVE-2021-21704 CVE-2021-21705

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in an SSRF bypass
of the FILTER_VALIDATE_URL check and denial of service or potentially
the execution of arbitrary code in the Firebird PDO.

For the stable distribution (buster), these problems have been fixed in
version 7.3.29-1~deb10u1.

We recommend that you upgrade your php7.3 packages.

For the detailed security status of php7.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
– —–BEGIN PGP SIGNATURE—–
– —–END PGP SIGNATURE—–

– ————————–END INCLUDED TEXT——————–



The post ESB-2021.2314 – [UNIX/Linux][Debian] php7.3: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/esb-2021-2314-unix-linuxdebian-php7-3-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2314-unix-linuxdebian-php7-3-multiple-vulnerabilities

ESB-2021.2315 – [Win][UNIX/Linux][Debian] libuv1: Multiple Vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2315
libuv1 security update
6 July 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: libuv1
Publisher: Debian
Operating System: Debian GNU/Linux
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service — Remote/Unauthenticated
Access Confidential Data — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-22918

Original Bulletin:
https://lists.debian.org/debian-security-announce/2021/msg00119.html

Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running libuv1 check for an updated version of the software for
their operating system.

– ————————–BEGIN INCLUDED TEXT——————–

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– – ————————————————————————-
Debian Security Advisory DSA-4936-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 05, 2021 https://www.debian.org/security/faq
– – ————————————————————————-

Package : libuv1
CVE ID : CVE-2021-22918
Debian Bug : 990561

An out-of-bounds read was discovered in the uv__idna_to_ascii() function
of Libuv, an asynchronous event notification library, which could result
in denial of service or information disclosure.

For the stable distribution (buster), this problem has been fixed in
version 1.24.1-1+deb10u1.

We recommend that you upgrade your libuv1 packages.

For the detailed security status of libuv1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libuv1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
– —–BEGIN PGP SIGNATURE—–
– —–END PGP SIGNATURE—–

– ————————–END INCLUDED TEXT——————–



The post ESB-2021.2315 – [Win][UNIX/Linux][Debian] libuv1: Multiple Vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/esb-2021-2315-winunix-linuxdebian-libuv1-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2315-winunix-linuxdebian-libuv1-multiple-vulnerabilities

ESB-2021.2316 – [Win][UNIX/Linux] MISP: Cross-site scripting – Remote with user interaction

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2316
MISP Cross Site Scripting
6 July 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: MISP
Publisher: Misp Product
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Cross-site Scripting — Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-35502

Original Bulletin:
https://www.misp-project.org/2021/07/05/MISP.2.4.145-and-2.4.146.released.html

– ————————–BEGIN INCLUDED TEXT——————–

https://www.misp-project.org/2021/07/05/MISP.2.4.145-and-2.4.146.released.html

MISP 2.4.145 and 2.4.146 released

MISP 2.4.145 and 2.4.146 released including a massive update to the MISP
warning-lists, various improvements and security fixes.

MISP warning-lists improvements.

Warning lists system has been significantly improved (thanks to Jakub Onderka).

o Custom warning lists can be created and managed in the MISP user-interface
o Warning lists can be now imported via API
o Warning lists changes are exported in the ZMQ channel
o Warning lists include new categories to describe the scope

New features

Summary email notification

Event summaries have been added as a new setting. This feature publishes the
normal alert reports excluding attributes and objects, so that only a summary
of the alert is described. This can be used when encryption cannot be enabled and
organisations still require email alerting.

Documentation

New documentation has been added to describe the session and cookie handling
in MISP.

API

o Read only authentication keys feature has been added. (don’t forget to
enable the advanced authentication key feature)

Security Fixes

o Various fixes regarding XSS and potential escaping issues including
CVE-2021-35502.

Thanks to the reporters including Nicolas Vidal from TEHTRIS.

Various improvements

o [OpenAPI] – Missing return formats added to the documentation
o [server caching] only push data to redis / logs if there’s something to
push
o [attribute] validation tightened for empty strings. A value containing only
control characters will now be blocked from entry.
o [feeds] Added 3 daily feeds (ssh bruteforce, telnet bruteforce, URLs seen)
from the APNIC Community Honeynet Project

Acknowledgement

We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in misp-objects, misp-taxonomies and
misp-galaxy .

As always, a detailed and complete changelog is available with all the fixes,
changes and improvements.

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================


The post ESB-2021.2316 – [Win][UNIX/Linux] MISP: Cross-site scripting – Remote with user interaction appeared first on Malware Devil.



https://malwaredevil.com/2021/07/06/esb-2021-2316-winunix-linux-misp-cross-site-scripting-remote-with-user-interaction/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2316-winunix-linux-misp-cross-site-scripting-remote-with-user-interaction

Monday, July 5, 2021

Network Security News Summary for Tuesday July 6th, 2021

Kaseya REvil Update; Printnightmare Update; RPM Key Issues; Node.JS Patches

Kaseya REvil Update
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
https://csirt.divd.nl/2021/07/03/Kaseya-Case-Update/

Printnightmare Update
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
https://doublepulsar.com/zero-day-for-every-supported-windows-os-version-in-the-wild-printnightmare-b3fdb82f840c
https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
https://github.com/LaresLLC/CVE-2021-1675

Expired RPM Key Problem
https://github.com/rpm-software-management/rpm/issues/1598

Node.JS Update
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

keywords: node.js; revil; rpm; pgp; keys; printnightmare; kaseya; ransomware

The post Network Security News Summary for Tuesday July 6th, 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/07/05/network-security-news-summary-for-tuesday-july-6th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-tuesday-july-6th-2021

Kaseya Attack Fallout: CISA, FBI Offer Guidance

Following a brazen ransomware attack by the REvil cybergang, CISA and FBI offer guidance to victims.

The post Kaseya Attack Fallout: CISA, FBI Offer Guidance appeared first on Malware Devil.



https://malwaredevil.com/2021/07/05/kaseya-attack-fallout-cisa-fbi-offer-guidance/?utm_source=rss&utm_medium=rss&utm_campaign=kaseya-attack-fallout-cisa-fbi-offer-guidance

S3 Ep 39.5: A conversation with Eva Galperin [Podcast]

Cryptography, privacy, stalkerware and how infosec professionals relax. Listen, enjoy and learn!

The post S3 Ep 39.5: A conversation with Eva Galperin [Podcast] appeared first on Malware Devil.



https://malwaredevil.com/2021/07/05/s3-ep-39-5-a-conversation-with-eva-galperin-podcast/?utm_source=rss&utm_medium=rss&utm_campaign=s3-ep-39-5-a-conversation-with-eva-galperin-podcast

Kaseya ransomware attackers say: “Pay $70 million and we’ll set everyone free”

Are you feeling generous? Do you want to help others? These cybercriminals are hoping someone is and does…

The post Kaseya ransomware attackers say: “Pay $70 million and we’ll set everyone free” appeared first on Malware Devil.



https://malwaredevil.com/2021/07/05/kaseya-ransomware-attackers-say-pay-70-million-and-well-set-everyone-free/?utm_source=rss&utm_medium=rss&utm_campaign=kaseya-ransomware-attackers-say-pay-70-million-and-well-set-everyone-free

REvil ransomware attack against MSPs and its clients around the world

An attack perpetrated by the REvil (aka Sodinokibi) ransomware gang against Managed Service Providers (MSPs) and their clients was discovered on July 2. Some of the victims were reportedly compromised through a popular MSP software product, which led to the encryption of their customers’ systems. The total number of encrypted businesses could run into the thousands.

REvil ransomware has been advertised on underground forums for three years and is one of the most prolific RaaS operations. According to an interview with the REvil operator, the gang earned over $100 million from its operations in 2020. The group’s activity was first observed in April 2019, after the shutdown of GandCrab, another now-defunct ransomware gang. More details about that gang can be found in our articles “Ransomware world in 2021: who, how and why” and “Sodin ransomware exploits Windows vulnerability and processor architecture”.

In this latest case, the attackers deployed a malicious dropper via a PowerShell script, which, in turn, was executed through the vendor’s agent.

This script disables Microsoft Defender for Endpoint protection features and then uses the certutil.exe utility to decode a malicious executable (agent.exe). That executable drops a legitimate Microsoft binary (MsMpEng.exe, an older version of Microsoft Defender) and a malicious library (mpsvc.dll), which is the REvil ransomware. The library is then loaded by the legitimate MsMpEng.exe through DLL side-loading (T1574.002).

Execution map for the “agent.exe” dropper – Kaspersky Cloud Sandbox
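The dropper chain described above leaves three host-telemetry signals a defender can correlate: Defender tampering launched from PowerShell, certutil.exe used as a decoder, and MsMpEng.exe running (or loading mpsvc.dll) outside the Defender install directory. The Python below is an added example, not Kaspersky’s code; the events are constructed Sysmon-style samples, the C:\Temp paths are placeholders, and the Set-MpPreference parameters are the standard Defender cmdlet switches.

```python
"""Correlate the three stages of the dropper chain over constructed events."""
import re

# Constructed Sysmon-style events (not real telemetry). Paths under C:\Temp
# are placeholders; the Defender paths below are the legitimate install dirs.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring "
                    "$true -DisableIOAVProtection $true"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Temp\agent.cer C:\Temp\agent.exe"},
    {"Image": r"C:\Temp\MsMpEng.exe", "CommandLine": r"C:\Temp\MsMpEng.exe",
     "ImageLoaded": r"C:\Temp\mpsvc.dll"},
    # Benign: Defender's own engine in its install dir, certutil verifying a cert.
    {"Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "CommandLine": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\Temp\site.cer"},
]

DEFENDER_TAMPER = re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.I)
CERTUTIL_DECODE = re.compile(r"\bcertutil(\.exe)?\b.*\s-(decode|decodehex)\b", re.I)
# Directories from which MsMpEng.exe / mpsvc.dll legitimately run (lower-case).
DEFENDER_DIRS = ("c:\\program files\\windows defender\\",
                 "c:\\programdata\\microsoft\\windows defender\\platform\\")

def classify(event):
    """Return the chain-stage labels a single event matches (possibly none)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    loaded = event.get("ImageLoaded", "").lower()
    hits = []
    if "powershell" in image and DEFENDER_TAMPER.search(cmd):
        hits.append("defender_tamper")
    if image.endswith("certutil.exe") and CERTUTIL_DECODE.search(cmd):
        hits.append("certutil_decode")
    if image.endswith("msmpeng.exe") and not image.startswith(DEFENDER_DIRS):
        hits.append("msmpeng_outside_install_dir")
    if loaded.endswith("mpsvc.dll") and not loaded.startswith(DEFENDER_DIRS):
        hits.append("mpsvc_sideload")
    return hits

def detect_chain(events):
    """Aggregate stage hits; the chain is complete when all three stages appear."""
    stages = {label for ev in events for label in classify(ev)}
    sideload = {"msmpeng_outside_install_dir", "mpsvc_sideload"} & stages
    complete = {"defender_tamper", "certutil_decode"} <= stages and bool(sideload)
    return {"stages": sorted(stages), "chain_complete": complete}

if __name__ == "__main__":
    print(detect_chain(EVENTS))
```

Each stage alone is a medium-confidence signal (certutil -decode and Set-MpPreference both have legitimate uses); the correlation across the three is what makes the alert high-confidence.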

Using our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time of writing.

Geography of attack attempts (based on KSN statistics)

REvil encrypts file contents with the Salsa20 symmetric stream cipher and protects the per-file keys with an elliptic-curve asymmetric algorithm. Because the cryptographic scheme and its implementation in the malware are sound, decrypting affected files is impossible without the cybercriminals’ keys.
Kaspersky products protect against this threat and detect it with the following names:

UDS:DangerousObject.Multi.Generic
Trojan-Ransom.Win32.Gen.gen
Trojan-Ransom.Win32.Sodin.gen
Trojan-Ransom.Win32.Convagent.gen
PDM:Trojan.Win32.Generic (with Behavior Detection)

Section of Kaspersky TIP lookup page for the 0x561CFFBABA71A6E8CC1CDCEDA990EAD4 binary

The vendor whose software was reportedly compromised, issued a special advisory which is being periodically updated.

To keep your company protected against ransomware 2.0 attacks, Kaspersky experts recommend:

Not exposing remote desktop services (such as RDP) to public networks unless absolutely necessary and always using strong passwords for them.
Promptly installing available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
Always keeping software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
Focusing your defense strategy on detecting lateral movement and data exfiltration to the internet, paying special attention to outgoing traffic to spot the cybercriminals’ connections.
Backing up data regularly and making sure you can quickly access it in an emergency.
Using the latest Threat Intelligence information to stay aware of the actual TTPs used by threat actors.
Using solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service which help to identify and stop attacks at the early stages, before the attackers reach their main goals.
Protecting the corporate environment and educating your employees. Dedicated training courses can help, such as those provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect against ransomware attacks is available here.
Using a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that can roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.

Indicators of Compromise

agent.cer (encrypted agent.exe)
95F0A946CD6881DD5953E6DB4DFB0CB9

agent.exe
561CFFBABA71A6E8CC1CDCEDA990EAD4

mpsvc.dll, REvil ransomware
7EA501911850A077CF0F9FE6A7518859
A47CF00AEDF769D60D58BFE00C0B5421

The post REvil ransomware attack against MSPs and its clients around the world appeared first on Malware Devil.



https://malwaredevil.com/2021/07/05/revil-ransomware-attack-against-msps-and-its-clients-around-the-world/?utm_source=rss&utm_medium=rss&utm_campaign=revil-ransomware-attack-against-msps-and-its-clients-around-the-world

Ransomware Defense: Top 5 Things to Do Right Now

Matt Bromiley, senior consultant with Mandiant Managed Defense, discusses the top tricks and tips for protecting enterprise environments from ransomware.

The post Ransomware Defense: Top 5 Things to Do Right Now appeared first on Malware Devil.



https://malwaredevil.com/2021/07/05/ransomware-defense-top-5-things-to-do-right-now/?utm_source=rss&utm_medium=rss&utm_campaign=ransomware-defense-top-5-things-to-do-right-now

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...