[CERT-daily] Daily summary - 26.02.2021

Daily end-of-shift report team at cert.at
Fri Feb 26 18:24:25 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Thursday 25-02-2021 18:00 - Friday 26-02-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ So where did those Satori attacks come from?, (Thu, Feb 25th) ∗∗∗
---------------------------------------------
Last week I posted about a new Satori variant scanning on TCP port 26 that I was picking up in my honeypots. Things have slowed down a bit, but levels are still above where they had been since mid-July 2020 on port 26.
---------------------------------------------
https://isc.sans.edu/diary/rss/27140


∗∗∗ SQL Triggers in Website Backdoors ∗∗∗
---------------------------------------------
Over the past year, there’s been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin level user into the infected database whenever the trigger condition is met. What makes this especially problematic for website owners is that most malware cleanup guides focus on the website files and data within specific database tables — for example, wp_users, wp_options, and wp_posts.
---------------------------------------------
https://blog.sucuri.net/2021/02/sql-triggers-in-website-backdoors.html


∗∗∗ ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process ∗∗∗
---------------------------------------------
Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information.
---------------------------------------------
https://thehackernews.com/2021/02/alert-malicious-amazon-alexa-skills-can.html


∗∗∗ So Unchill: Melting UNC2198 ICEDID to Ransomware Operations ∗∗∗
---------------------------------------------
Since its discovery in 2017 as a banking trojan, ICEDID evolved into a pernicious point of entry for financially motivated actors to conduct intrusion operations. In earlier years, ICEDID was deployed to primarily target banking credentials.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html


∗∗∗ SilentFade virus strikes, Cyberstalking and Ransom user ∗∗∗
---------------------------------------------
Recently, 360 Security Center monitored that the SilentFade virus was bundled with pirated software to spread. The infected users were mainly distributed in Malaysia, India, [...]
---------------------------------------------
https://blog.360totalsecurity.com/en/silentfade-virus-strikes-cyberstalking-and-ransom-user/


∗∗∗ Microsoft Releases Open Source Resources for Solorigate Threat Hunting ∗∗∗
---------------------------------------------
Microsoft on Thursday announced the open source availability of CodeQL queries that it used during its investigation into the SolarWinds attack.
---------------------------------------------
https://www.securityweek.com/microsoft-releases-open-source-resources-solorigate-threat-hunting


∗∗∗ Chain-letter alert: Supposed Amazon prize draw is making the rounds on WhatsApp! ∗∗∗
---------------------------------------------
A link is currently being sent around on WhatsApp promising a prize on the occasion of Amazon's supposed 30th anniversary. We took a closer look at the message and the link. Our conclusion: it is a classic chain letter. You will not receive any prize; instead, you are made to download a dangerous app.
---------------------------------------------
https://www.watchlist-internet.at/news/kettenbrief-alarm-angebliches-amazon-gewinnspiel-macht-auf-whatsapp-die-runde/


∗∗∗ Go malware is now common, having been adopted by both APTs and e-crime groups ∗∗∗
---------------------------------------------
There's been a 2,000% increase of new malware written in Go over the past few years.
---------------------------------------------
https://www.zdnet.com/article/go-malware-is-now-common-having-been-adopted-by-both-apts-and-e-crime-groups/


∗∗∗ New Phishing Attack Using Malformed URL Prefixes ∗∗∗
---------------------------------------------
GreatHorn reports on a phishing technique that leverages malformed URL prefixes to bypass security scanners. Many security scanners use pattern recognition to identify URLs, thus expecting the presence of "http://" to identify them. However, the URL specification technically does not require the "//" in order to visit a URL.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/c52464bd46eb48e4c5741df9e1b0302a



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue ∗∗∗
---------------------------------------------
In early November, a developer contributing to Google's open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser's Blink rendering engine: it can be used to break a memory defense known as address space layout randomization (ASLR).
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/02/26/chrome_aslr_bypass/


∗∗∗ Security Advisory for Multiple Vulnerabilities on Some Routers, Satellites, and Extenders ∗∗∗
---------------------------------------------
NETGEAR has released fixes for multiple security vulnerabilities on the following product models:
BR200, running firmware versions prior to 5.10.0.5
BR500, running firmware versions prior to 5.10.0.5
D7800, running firmware versions prior to 1.0.1.60
EX6100v2, running firmware versions prior to 1.0.1.98
EX6150v2, running firmware versions prior to 1.0.1.98
EX6250, running firmware versions prior to 1.0.0.134
EX6400, running firmware versions prior to 1.0.2.158
EX6400v2, running firmware versions prior to 1.0.0.134
EX6410, running firmware versions prior to 1.0.0.134
EX6420, running firmware versions prior to 1.0.0.134
EX7300, running firmware versions prior to 1.0.2.158
EX7300v2, running firmware versions prior to 1.0.0.134
EX7320, running firmware versions prior to 1.0.0.134
EX7700, running firmware versions prior to 1.0.0.216
EX8000, running firmware versions prior to 1.0.1.232
LBR20, running firmware versions prior to 2.6.3.50
R7800, running firmware versions prior to 1.0.2.80
R8900, running firmware versions prior to 1.0.5.28
R9000, running firmware versions prior to 1.0.5.28
RBK12, running firmware versions prior to 2.7.2.104
RBK13, running firmware versions prior to 2.7.2.104
RBK14, running firmware versions prior to 2.7.2.104
RBK15, running firmware versions prior to 2.7.2.104
RBK20, running firmware versions prior to 2.6.2.104
RBK23, running firmware versions prior to 2.7.2.104
RBK40, running firmware versions prior to 2.6.2.104
RBK43, running firmware versions prior to 2.6.2.104
RBK43S, running firmware versions prior to 2.6.2.104
RBK44, running firmware versions prior to 2.6.2.104
RBK50, running firmware versions prior to 2.7.2.104
RBK53, running firmware versions prior to 2.7.2.104
RBR10, running firmware versions prior to 2.6.2.104
RBR20, running firmware versions prior to 2.6.2.104
RBR40, running firmware versions prior to 2.6.2.104
RBR50, running firmware versions prior to 2.7.2.104
RBS10, running firmware versions prior to 2.6.2.104
RBS20, running firmware versions prior to 2.6.2.104
RBS40, running firmware versions prior to 2.6.2.104
RBS50, running firmware versions prior to 2.7.2.104
RBS50Y, running firmware versions prior to 2.6.2.104
XR450, running firmware versions prior to 2.3.2.114
XR500, running firmware versions prior to 2.3.2.114
XR700, running firmware versions prior to 1.0.1.38
NETGEAR strongly recommends that you download the latest firmware as soon as possible.
---------------------------------------------
https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Satellites-and-Extenders


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).
---------------------------------------------
https://lwn.net/Articles/847581/


∗∗∗ PerFact OpenVPN-Client ∗∗∗
---------------------------------------------
This advisory contains mitigations for an External Control of System or Configuration Setting vulnerability in the PerFact OpenVPN-Client.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-01


∗∗∗ Fatek FvDesigner ∗∗∗
---------------------------------------------
This advisory contains mitigations for Use After Free, Access of Uninitialized Pointer, Stack-based Buffer Overflow, Out-of-Bounds Write, and Out-of-Bounds Read vulnerabilities in Fatek FvDesigner software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-02


∗∗∗ Rockwell Automation Logix Controllers ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03


∗∗∗ ProSoft Technology ICX35 ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Permissions, Privileges, and Access Controls vulnerability in ProSoft Technology ICX35 industrial cellular gateways.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-04


∗∗∗ GeNUA GeNUGate: Unspecified vulnerability ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0217


∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-26950) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-26950-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if12-icam2019-3-0-2020-2-0/


∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Node.js lodash vulnerability (CVEID: 183560) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-a-node-js-lodash-vulnerability-cveid-183560-2/


∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14779, CVE-2020-14792, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-using-components-with-known-vulnerabilities-java-se-cve-2020-14779-cve-2020-14792-cve-2020-14796-cve-2020-14797-cve-2020-14798/


∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – OpenSSL (CVE-2019-1551) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-affects-ibm-cloud-private-openssl-cve-2019-1551-2/


∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020/


∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-15683) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-15683-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if12-icam2019-3-0-2020-2-0/


∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-15677) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF12 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-15677-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if12-icam2019-3-0-2020-2-0/


∗∗∗ Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-go-affect-ibm-cloud-pak-for-multicloud-management-hybrid-grc-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.5 ESR + CVE-2020-26951) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-5-esr-cve-2020-26951-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if11-icam2019-3-0-2020-2-0/


∗∗∗ Security Bulletin: IBM Resilient SOAR is using opensaml-2.6.4.jar that could be vulnerable to bypass security restrictions (CVE-2015-1796) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-using-opensaml-2-6-4-jar-that-could-be-vulnerable-to-bypass-security-restrictions-cve-2015-1796/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
