[CERT-daily] Tageszusammenfassung - 22.04.2021

Thu Apr 22 18:46:35 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 21-04-2021 18:00 − Donnerstag 22-04-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Macher des Signal-Messenger hacken Spionage-Software von Cellebrite ∗∗∗
---------------------------------------------
Die Signal-Entwickler zeigen per Video, wie ein präpariertes iPhone die von Ermittlungsbehörden verwendete Software von Cellebrite aushebelt.
---------------------------------------------
https://heise.de/-6024421


∗∗∗ Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices ∗∗∗
---------------------------------------------
A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/


∗∗∗ Attackers can hide external sender email warnings with HTML and CSS ∗∗∗
---------------------------------------------
The "external sender" warnings shown to email recipients by clients like Microsoft Outlook can be hidden by the sender, as demonstrated by a researcher. Turns out, all it takes for attackers to alter the "external sender" warning, or remove it altogether from emails is just a few lines of HTML and CSS code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/attackers-can-hide-external-sender-email-warnings-with-html-and-css/


∗∗∗ Telegram Platform Abused in ‘ToxicEye’ Malware Campaigns ∗∗∗
---------------------------------------------
Even if the app is not installed or in use, threat actors can use it to spread malware through email campaigns and take over victims’ machines, new research has found.
---------------------------------------------
https://threatpost.com/telegram-toxiceye-malware/165543/


∗∗∗ Announcing the New Reports API ∗∗∗
---------------------------------------------
We are happy to announce a completely new way of accessing our reports - via a RESTful API. Every report recipient can now choose to opt in to this delivery method and receive a unique API key and unique secret.
---------------------------------------------
https://www.shadowserver.org/news/announcing-the-new-reports-api/


∗∗∗ All Your Databases Belong To Me! A Blind SQLi Case Study ∗∗∗
---------------------------------------------
The following blog post does not include any novel attack vectors. On the contrary, it serves as a humble reminder that the same software bugs discovered more than a decade ago are also found in commercial software products in 2021. It also highlights once more the necessity of conducting security assessments on a regular basis.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-databases-belong-to-me-a-blind-sqli-case-study/


∗∗∗ Researchers Find Additional Infrastructure Used By SolarWinds Hackers ∗∗∗
---------------------------------------------
The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, [...]
---------------------------------------------
https://thehackernews.com/2021/04/researchers-find-additional.html


∗∗∗ [SANS ISC] How Safe Are Your Docker Images? ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “How Safe Are Your Docker Images?“: Today, I don’t know any organization that is not using Docker today. For only test and development only or to full production systems, containers are deployed everywhere! In the same way, most popular tools today have a "dockerized" version ready to use, sometimes maintained by the developers themselves, sometimes maintained by third parties. An example is the Docker container that I created with all Didier’s tools. Today, we are also facing a new threat: supply chain attacks (think about Solarwinds or, more recently, CodeCov). Let’s mix the attraction for container technologies and this threat, we realize that  Docker images are a great way to compromise an organization!
---------------------------------------------
https://blog.rootshell.be/2021/04/22/sans-isc-how-safe-are-your-docker-images/


∗∗∗ PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately ∗∗∗
---------------------------------------------
Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/


∗∗∗ Now this botnet is hunting for unpatched Microsoft Exchange servers ∗∗∗
---------------------------------------------
Prometei botnets key goal is cryptojacking - but its powerful capabilities could see it deployed for much more dangerous attacks.
---------------------------------------------
https://www.zdnet.com/article/now-this-botnet-is-hunting-for-unpatched-microsoft-exchange-servers/


∗∗∗ CISA Incident Response to SUPERNOVA Malware ∗∗∗
---------------------------------------------
CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advance persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement. CISA encourages organizations to review AR21-112A for more information.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/22/cisa-incident-response-supernova-malware


∗∗∗ AirDrop bugs expose Apple users' email addresses, phone numbers ∗∗∗
---------------------------------------------
A team of academics from a German university said it discovered two vulnerabilities that can be abused to extract phone numbers and email addresses from Apples AirDrop file transfer feature.
---------------------------------------------
https://therecord.media/airdrop-bugs-expose-apple-users-email-addresses-phone-numbers/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco Security Advisories zu Cisco SD-WAN vManage Software ∗∗∗
---------------------------------------------
Cisco hat 5 Security Advisories zu Cisco SD-WAN vManage Software veröffentlicht, die alle als "Medium" klassifiziert werden.
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2021%2F04%2F21&firstPublishedEndDate=2021%2F04%2F21


∗∗∗ Sicherheitsupdates: Statische Zugangsdaten gefährden Qnap NAS ∗∗∗
---------------------------------------------
Eine kritische Lücke in HBS 3 Hybrid Backup Sync bringt Netzwerkspeicher (NAS) von Qnap in Gefahr.
---------------------------------------------
https://heise.de/-6025271


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird and wordpress), Fedora (curl, firefox, mediawiki, mingw-binutils, os-autoinst, and rpm-ostree), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (kernel, pcp, and tomcat6), and Ubuntu (linux, linux-aws, linux-gke-5.3, linux-hwe, linux-kvm, linux-lts-xenial, linux-oem-5.6, linux-raspi2-5.3, linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/853953/


∗∗∗ Google rushes out fix for zero‑day vulnerability in Chrome ∗∗∗
---------------------------------------------
The update patches a total of seven security flaws in the desktop versions of the popular web browser
---------------------------------------------
https://www.welivesecurity.com/2021/04/21/google-fix-zero-day-vulnerability-chrome/


∗∗∗ Drupal: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0432


∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0431


∗∗∗ Stored XSS (veraltete Software-Bibliothek) in BMDWeb 2.0 ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-veraltete-software-bibliothek-in-bmdweb-2/


∗∗∗ Security Bulletin: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-affects-websphere-application-server-cve-2020-5258-2/


∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-affects-ibm-cloud-application-business-insights-3/


∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities on IBM Watson Machine Learning Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vulnerabilities-on-ibm-watson-machine-learning-server/


∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-with-ibm-content-navigator-component-in-ibm-business-automation-workflow-cve-2020-4757-psirt-adv0028011-cve-2020-4934/


∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Performance Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-performance-server/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily