[CERT-daily] Tageszusammenfassung - 18.08.2021

Wed Aug 18 18:21:20 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 17-08-2021 18:00 − Mittwoch 18-08-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Kritische Lücke in Blackberry QNX OS gefährdet medizinische Geräte ∗∗∗
---------------------------------------------
Blackberry hat in seinem Echtzeitbetriebssystem QNX einer gefährliche Schwachstelle geschlossen.
---------------------------------------------
https://heise.de/-6168793


∗∗∗ Kritische Sicherheitslücke: Angreifer könnten Millionen IoT-Geräte belauschen ∗∗∗
---------------------------------------------
Sicherheitsforscher warnen vor einer Schwachstelle, die etwa Millionen Babyphones und IP-Kameras gefährdet. Geräte lassen sich nicht ohne Weiteres schützen.
---------------------------------------------
https://heise.de/-6168381


∗∗∗ Fortinet: Wichtiges Sicherheitsupdate für FortiWeb OS in Vorbereitung ∗∗∗
---------------------------------------------
Für eine Lücke mit High-Einstufung liegt Exploit-Code vor, Fixes kommen aber erst Ende August. Betreiber von FortiWeb WAFs sollten Vorsichtsmaßnahmen treffen.
---------------------------------------------
https://heise.de/-6168205


∗∗∗ Vorsicht! Kostenloses Antivirenprogramm „Total AV“ entpuppt sich als Kostenfalle ∗∗∗
---------------------------------------------
Immer wieder melden uns verunsicherte LeserInnen das Antivirenprogramm „Total AV“. Der Grund dafür sind nicht-transparente Kosten sowie Probleme beim Kündigen des Abo-Vertrags. Gleichzeitig wird „Total AV“ auf vielen Seiten als das beste kostenlose Antivirenprogramm beworben. Wir haben uns das Programm genauer angesehen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-kostenloses-antivirenprogramm-total-av-entpuppt-sich-als-kostenfalle/


∗∗∗ Sicherheitswarnung für Synology DiskStation Manager und UC SkyNAS ∗∗∗
---------------------------------------------
Der Hersteller Synology hat eine Sicherheitswarnung für seinen DiskStation Manager (Version <6.2.4-25556-2 ; 7.0) herausgegeben. In der Firmware der Geräte gibt es gleich mehrere Sicherheitslücken. Gefährdet sind auch UC SkyNAS-Einheiten. Von Synology gibt es bereits erste Firmware-Updates. Von der Ransomware eCh0raix gibt es eine neue Variante, die einen neuen Bug in QNAP und Synology NAS Devices ausnutzen kann.
---------------------------------------------
https://www.borncity.com/blog/2021/08/18/sicherheitswarnung-fr-synology-diskstation-manager-und-uc-skynas/


∗∗∗ Diavol ransomware sample shows stronger connection to TrickBot gang ∗∗∗
---------------------------------------------
A new analysis of a Diavol ransomware sample shows a more clear connection with the gang behind the TrickBot botnet and the evolution of the malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/


∗∗∗ Kerberos Authentication Spoofing: Don’t Bypass the Spec ∗∗∗
---------------------------------------------
Yaron Kassner, CTO at Silverfort, discusses authentication-bypass bugs in Cisco ASA, F5 Big-IP, IBM QRadar and Palo Alto Networks PAN-OS.
---------------------------------------------
https://threatpost.com/kerberos-authentication-spoofing/168767/


∗∗∗ 5 Things to Consider Before Moving Back to the Office, (Wed, Aug 18th) ∗∗∗
---------------------------------------------
Many readers will likely continue to enjoy working from home. Having not worked out of an office for about 20 years myself, I can certainly understand the appeal of working from home. But for some, this isn't an option and probably not even the preferred way to work. Having likely worked from home for over a year now, there are some things that you need to "readjust" as you are moving back.
---------------------------------------------
https://isc.sans.edu/diary/rss/27762


∗∗∗ Detecting Embedded Content in OOXML Documents ∗∗∗
---------------------------------------------
On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents - specifically those in the Office Open XML (OOXML) file format. Additionally, we’re releasing a tool so analysts and defenders can automatically generate YARA rules using this technique.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/08/detecting-embedded-content-in-ooxml-documents.html


∗∗∗ WordPress Malware Camouflaged As Code ∗∗∗
---------------------------------------------
In today’s post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker’s goal is to make everything look routine to an analyst so that they do not dig deeper and discover the presence of malware and what it is doing.
---------------------------------------------
https://www.wordfence.com/blog/2021/08/wordpress-malware-camouflaged-as-code/


∗∗∗ IT Risk Team Discovers Previously Unknown Vulnerability in Autodesk Software During Client Penetration Test ∗∗∗
---------------------------------------------
During a recent client engagement, the DGC penetration testing team identified a previously unknown vulnerability affecting the Autodesk Licensing Service, a software component bundled with nearly all licensed Autodesk products. The vulnerability exists in a software component common to most Autodesk products and impacts nearly all organizations using licensed Autodesk software in any capacity.
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/risk-team-discovers-unknown-vulnerability-autodesk-software/


∗∗∗ Houdini Malware Returns and Amazons Sidewalk Enter Corporate Networks ∗∗∗
---------------------------------------------
The nature of a secure access service edge (SASE) platform provides visibility into a large number of internet data flows - and the larger the platform, the more dataflows can be analyzed. An analysis of more than 250 billion network flows during Q2 2021 shows increasing threats, a new use of an old malware, and the growing incidence of consumer devices in the workplace.
---------------------------------------------
https://www.securityweek.com/houdini-malware-returns-and-amazons-sidewalk-enter-corporate-networks


∗∗∗ Breaking the Android Bootloader on the Qualcomm Snapdragon 660 ∗∗∗
---------------------------------------------
This post is a companion to the DEF CON 29 video available here. A few months ago I purchased an Android phone to do some research around a specific series [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/breaking-the-android-bootloader-on-the-qualcomm-snapdragon-660/


∗∗∗ Dumpster diving is a filthy business ∗∗∗
---------------------------------------------
One man's trash is another man's treasure - here's why you should think twice about what you toss in the recycling bin
---------------------------------------------
https://www.welivesecurity.com/2021/08/17/dumpster-diving-is-filthy-business/


∗∗∗ Cobalt Strike: Detect this Persistent Threat ∗∗∗
---------------------------------------------
Cobalt Strike is a penetration testing tool created by Raphael Mudge in 2012. To this day, it remains extremely popular in red team activities and used for malicious purposes by threat actors.
---------------------------------------------
https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Adobe sichert Photoshop & Co. außer der Reihe ab ∗∗∗
---------------------------------------------
Der Softwarehersteller Adobe schließt unter anderem in Bridge, Media Encoder und XMP Toolkit SDK Sicherheitslücken.
---------------------------------------------
https://heise.de/-6168132


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (haproxy), Fedora (c-ares, hivex, kernel, libtpms, newsflash, python-django, rust-gettext-rs, and rust-gettext-sys), openSUSE (c-ares and libsndfile), Scientific Linux (cloud-init, edk2, exiv2, firefox, kernel, kpatch-patch, microcode_ctl, sssd, and thunderbird), SUSE (c-ares, fetchmail, haproxy, kernel, libmspack, libsndfile, rubygem-puma, spice-vdagent, and webkit2gtk3), and Ubuntu (exiv2, haproxy, linux, linux-aws, linux-aws-5.4, linux-azure, [...]
---------------------------------------------
https://lwn.net/Articles/866669/


∗∗∗ ThroughTek Kalay P2P SDK ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Access Control vulnerability in the ThroughTek Kalay P2P SDK software kit.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01


∗∗∗ Advantech WebAccess/NMS ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Authentication vulnerability in Advantech WebAccess/NMS network management systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02


∗∗∗ xArrow SCADA ∗∗∗
---------------------------------------------
This advisory contains mitigations for Cross-site Scripting, and Improper Input Validation vulnerability in the xArrow SCADA human-machine interface.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-229-03


∗∗∗ Huawei EchoLife HG8045Q vulnerable to OS command injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN41646618/


∗∗∗ Firefox & Thunderbird: Security-Fixes für Browser und Mail-Client verfügbar ∗∗∗
---------------------------------------------
https://heise.de/-6168771


∗∗∗ glibc vulnerability CVE-2021-35942 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K98121587


∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0880


∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0885

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily