[CERT-daily] Tageszusammenfassung - 05.08.2021

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 04-08-2021 18:00 − Donnerstag 05-08-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Ransomware: Unternehmen beklagen immense Schäden durch Cyberangriffe ∗∗∗
---------------------------------------------
Die Angriffe mit Ransomware nehmen massiv zu, zeigt nun auch der Bitkom-Verband. Auch das Homeoffice wird sicherheitskritisch.
---------------------------------------------
https://www.golem.de/news/ransomware-unternehmen-beklagen-immense-schaeden-durch-cyberangriffe-2108-158684-rss.html


∗∗∗ Cisco beseitigt kritische Schwachstellen aus Small Business-Routern der RV-Serie ∗∗∗
---------------------------------------------
Jetzt updaten: Remote Code Execution und Denial-of-Service wären mögliche Angriffskonsequenzen. Auch für weitere Cisco-Produkte sind wichtige Updates verfügbar.
---------------------------------------------
https://heise.de/-6155856


∗∗∗ Sicherheitsforscher entdecken Schwachstellen in Industriekontrollsystemen von Mitsubishi ∗∗∗
---------------------------------------------
Die Patches sind bereits in Arbeit, aber noch nicht erhältlich. Grund dafür ist ein aufwändiges Zertifizierungsverfahren. Möglicherweise sind auch Produkte anderer Hersteller betroffen.
---------------------------------------------
https://www.zdnet.de/88396132/sicherheitsforscher-entdecken-schwachstellen-in-industriekontrollsystemen-von-mitsubishi/


∗∗∗ Black Hat USA 2021: Security Advisories – mehr Durchblick dank Automatisierung ∗∗∗
---------------------------------------------
Uneinheitliche Advisory-Formate kosten wertvolle Zeit. Und wie beschreibt man eigentlich eine "Nicht-Verwundbarkeit"? CSAF und VEX sollen Abhilfe schaffen.
---------------------------------------------
https://heise.de/-6155594


∗∗∗ Microsoft Teams korrekt absichern ∗∗∗
---------------------------------------------
Microsoft Teams ist beliebt, gerät aber immer stärker ins Visier von Hackern. Wie Sie den Schutz der Kollaborations-Software am besten bewerkstelligen, schildert Bert Skorupski, Senior Manager Sales Engineering bei Quest Software, im ersten Teil eines zweiteiligen Gastbeitrages.
---------------------------------------------
https://www.zdnet.de/88396112/microsoft-teams-korrekt-absichern/


∗∗∗ Vorsicht vor mykundenservice.com: Hohe Telefonrechnung droht! ∗∗∗
---------------------------------------------
Während die meisten Unternehmen Kontakttelefonnummern offen kommunizieren, tun dies andere nicht. Da wäre eine Sammlung von Kontaktnummern durchaus hilfreich. Auf mykundenservice.com verspricht man zwar eine solche Sammlung, doch eigentlich lockt man zum Anruf einer 0900-Nummer. Achtung: Hier entstehen hohe Kosten!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-mykundenservicecom-hohe-telefonrechnung-droht/


∗∗∗ How to Protect against EMOTET - "The World’s Most Dangerous Malware" ∗∗∗
---------------------------------------------
​In the summer of 2020, malware infections were on a clear rise. Many new variants were appearing, and enterprises, government agencies, business leaders, and public officials were all voicing concern. Yet, seven years after it was first discovered, the spread of the EMOTET malware was arguably most concerning of all.
---------------------------------------------
https://www.beyondtrust.com/blog/entry/how-to-protect-against-emotet-the-worlds-most-dangerous-malware


∗∗∗ Windows admins now can block external devices via layered Group Policy ∗∗∗
---------------------------------------------
Microsoft has added support for layered Group Policies, which allow IT admins to control what internal or external devices users can be installed on corporate endpoints across their organizations network.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-admins-now-can-block-external-devices-via-layered-group-policy/


∗∗∗ MacOS Flaw in Telegram Retrieves Deleted Messages ∗∗∗
---------------------------------------------
Telegram declined to fix a scenario in which the flaw can be exploited, spurring a Trustwave researcher to decline a bug bounty and to disclose his findings instead.
---------------------------------------------
https://threatpost.com/macos-flaw-in-telegram-retrieves-deleted-messages/168412/


∗∗∗ Examining Unique Magento Backdoors ∗∗∗
---------------------------------------------
During a recent investigation into a compromised Magento ecommerce environment, we discovered the presence of five different backdoors that would provide attackers with code execution capabilities. The techniques used by the attackers in these backdoors illustrates the ever-changing landscape of website security and highlights some of the tactics used to avoid traditional backdoor detection.
---------------------------------------------
https://blog.sucuri.net/2021/08/examining-unique-magento-backdoors.html


∗∗∗ Microsoft Patched the Issue With Windows Containers That Enabled Siloscape ∗∗∗
---------------------------------------------
Microsoft recently added additional security checks that address the Windows container escape that enabled Siloscape.
---------------------------------------------
https://unit42.paloaltonetworks.com/windows-container-escape-patch/


∗∗∗ Meet Prometheus, the secret TDS behind some of today’s malware campaigns ∗∗∗
---------------------------------------------
A recently discovered cybercrime service is helping malware gangs distribute their malicious payloads to unsuspecting users using a network of hacked websites.
---------------------------------------------
https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/


∗∗∗ Pegasus Spyware: How It Works and What It Collects ∗∗∗
---------------------------------------------
An NSO document leaked to the internet reveals how the Pegasus spyware - sold to intelligence and law enforcement agencies around the world - can be used to spy on targeted mobile phones.
---------------------------------------------
https://zetter.substack.com/p/pegasus-spyware-how-it-works-and


∗∗∗ From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrator ∗∗∗
---------------------------------------------
Knock knock, who’s there? Your new DA! Several vulnerabilities that have been recently disclosed, namely: MS-EFSRPC – AKA PetitPotam Credential Relaying abusing the AD CS role Any attacker with internal network access, such as a phished client or a malicious planted device in the network, can take over the entire Active Directory domain without any [...]
---------------------------------------------
https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco Security Advisories 2021-08-04 ∗∗∗
---------------------------------------------
1 critical, 4 high, 2 medium severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2021%2F08%2F04&firstPublishedEndDate=2021%2F08%2F04


∗∗∗ SA44858 - 9.1R12 Security Fixes ∗∗∗
---------------------------------------------
[...] Fixes for all the CVEs listed above have been included in the latest version of PCS, 9.1R12, which was released on 2 August 2021. We strongly encourage you to upgrade to ensure your organization is protected.
---------------------------------------------
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858


∗∗∗ VMSA-2021-0016 ∗∗∗
---------------------------------------------
VMware Workspace One Access, Identity Manager and vRealize Automation address multiple vulnerabilities (CVE-2021-22002, CVE-2021-22003)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0016.html


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jetty9 and openexr), openSUSE (mariadb and virtualbox), Red Hat (go-toolset-1.15 and go-toolset-1.15-golang), SUSE (djvulibre and mariadb), and Ubuntu (opencryptoki).
---------------------------------------------
https://lwn.net/Articles/865306/


∗∗∗ Amazon and Google patch major bug in their DNS-as-a-Service platforms ∗∗∗
---------------------------------------------
At the Black Hat security conference today, two security researchers have disclosed a security issue impacting hosted DNS service providers that can be abused to hijack the platforms nodes, intercept some of the incoming DNS traffic, and then map customers internal networks.
---------------------------------------------
https://therecord.media/amazon-and-google-patch-major-bug-in-their-dns-as-a-service-platforms/


∗∗∗ IBM Security Bulletins 2021-08-04 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ BIG-IP LTM HTTP/2 desync attacks: malicious CRLF placement security exposure ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K97045220


∗∗∗ BIG-IP LTM HTTP/2 desync attacks: request line injection ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K63312282


∗∗∗ ffmpeg: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0832


∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0835

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily