[CERT-daily] Daily summary - 02.07.2021

Daily end-of-shift report team at cert.at
Fri Jul 2 18:17:32 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Thursday 01-07-2021 18:00 − Friday 02-07-2021 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Wiped network drives: Western Digital plans help with recovery ∗∗∗
---------------------------------------------
The data on attacked HDDs of WD's My Book Live series is said to be recoverable. Western Digital plans to offer corresponding services in the future.
---------------------------------------------
https://heise.de/-6127479


∗∗∗ Scorecards 2.0: Uncovering security risks in open-source software ∗∗∗
---------------------------------------------
The automated security tool Scorecards puts its cards on the table - how secure is open-source software?
---------------------------------------------
https://heise.de/-6127588


∗∗∗ Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527) ∗∗∗
---------------------------------------------
[Note: This blog post is expected to be updated as new micropatches are issued and new information becomes available.] 
June 2021 Windows Updates brought a fix for a vulnerability CVE-2021-1675 originally titled "Windows Print Spooler Local Code Execution Vulnerability". As usual, Microsoft's advisory provided very little information about the vulnerability, and very few probably noticed that about two weeks later, the advisory was updated to [...]
---------------------------------------------
https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html


∗∗∗ Babuk ransomware is back, uses new version on corporate networks ∗∗∗
---------------------------------------------
After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/


∗∗∗ Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software ∗∗∗
---------------------------------------------
In yet another instance of software supply chain attack, unidentified hackers breached the website of MonPass, one of Mongolia's major certificate authorities, to backdoor its installer software with Cobalt Strike binaries. The trojanized client was available for download between February 8, 2021, and March 3, 2021, said Czech cybersecurity software company Avast in a report published Thursday.
---------------------------------------------
https://thehackernews.com/2021/07/mongolian-certificate-authority-hacked.html


∗∗∗ New Mirai-Inspired Botnet Could Be Using Your KGUARD DVRs in Cyber Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers on Thursday revealed details about a new Mirai-inspired botnet called "mirai_ptea" that leverages an undisclosed vulnerability in digital video recorders (DVR) provided by KGUARD to propagate and carry out distributed denial-of-service (DDoS) attacks. Chinese security firm Netlab 360 pinned the first probe against the flaw on March 23, 2021, before it detected active [...]
---------------------------------------------
https://thehackernews.com/2021/07/new-mirai-inspired-botnet-could-be.html


∗∗∗ 2020 Report: ICS Endpoints as Starting Points for Threats ∗∗∗
---------------------------------------------
The use of Industrial Control Systems (ICS) makes operations more efficient for various industries. These systems are powered by the interconnection between IT (information technology) and OT (operational technology), which help boost efficiency and speed. Unfortunately, this very interconnection also inadvertently makes ICS susceptible to cyberthreats. Securing these systems is vital, and one of its components that must be protected from threats are endpoints.
---------------------------------------------
https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/2020-report-ics-endpoints-as-starting-points-for-threats


∗∗∗ STIR/SHAKEN: North America signs phone numbers in the fight against spam ∗∗∗
---------------------------------------------
North America's network operators now sign and verify telephone numbers using the STIR/SHAKEN system. This makes calls with spoofed caller IDs harder.
---------------------------------------------
https://heise.de/-6127147


∗∗∗ TrickBot and Zeus ∗∗∗
---------------------------------------------
TrickBot is an established and widespread multi-purpose trojan. Active since 2016 and modular in nature, it can accomplish a variety of goals ranging from credential theft to lateral movement. Many of the malware’s capabilities come as self-contained modules, which the malware is instructed to download from the C2. Initially, TrickBot’s main focus was bank fraud, but this later shifted toward corporate targeted ransomware attacks, eventually resulting in the [...]
---------------------------------------------
https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/


∗∗∗ Top 5 Scam Techniques: What You Need to Know ∗∗∗
---------------------------------------------
Scammers are increasingly resourceful when coming up with scam techniques. But they often rely on long-standing persuasion techniques for the scam to work. So, you may hear about a new scam that uses a novel narrative, but there is a good chance that the scam relies on proven scam techniques once the narrative is stripped [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/top-scam-techniques-what-you-need-to-know/


∗∗∗ Ransomware. In the air? ∗∗∗
---------------------------------------------
As an exercise, we were asked to look at the potential vectors for ransomware to affect flight despatch and operations. In most cases, flight systems simply weren’t significantly exposed, [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/ransomware-in-the-air/


∗∗∗ Mysterious Node.js malware puzzles security researchers ∗∗∗
---------------------------------------------
Almost four months after it was first spotted in the wild, the infosec community is still scratching its head in regards to the purpose of a new malware strain named Lu0bot.
---------------------------------------------
https://therecord.media/mysterious-node-js-malware-puzzles-security-researchers/


∗∗∗ TrickBot: New attacks see the botnet deploy new banking module, new ransomware ∗∗∗
---------------------------------------------
Over the course of the past few weeks, new activity has been observed from TrickBot, one of today's largest malware botnets, with reports that its operators have helped create a new ransomware strain called Diavol and that the TrickBot gang is returning to its roots as a banking trojan with a new and updated banking module.
---------------------------------------------
https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/


∗∗∗ The Brothers Grim ∗∗∗
---------------------------------------------
The reversing tale of GrimAgent malware used by Ryuk
---------------------------------------------
https://blog.group-ib.com/grimagent



=====================
=  Vulnerabilities  =
=====================

∗∗∗ WAGO: Multiple Vulnerabilities in I/O-Check Service ∗∗∗
---------------------------------------------
Multiple vulnerabilities in the WAGO I/O-Check Service were reported. By exploiting the described vulnerabilities, the attacker potentially is able to manipulate or disrupt the device.
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-036


∗∗∗ Update PowerShell versions 7.0 and 7.1 to protect against a vulnerability ∗∗∗
---------------------------------------------
If you manage your Azure resources from PowerShell version 7.0 or 7.1, we’ve released new versions of PowerShell to address a .NET Core remote code execution vulnerability in versions 7.0 and 7.1. We recommend that you install the updated versions as soon as possible. Windows PowerShell 5.1 isn’t affected by this issue.
---------------------------------------------
https://azure.microsoft.com/en-us/updates/update-powershell-versions-70-and-71-to-protect-against-a-vulnerability/


∗∗∗ Act now! Attackers are exploiting the PrintNightmare printer vulnerability in Windows ∗∗∗
---------------------------------------------
All Windows systems are threatened by the PrintNightmare vulnerability. Attacks are currently taking place. Here is how the workaround for protection works.
---------------------------------------------
https://heise.de/-6127265


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (ansible and seamonkey), openSUSE (go1.15 and opera), Oracle (kernel and microcode_ctl), and Red Hat (go-toolset-1.15 and go-toolset-1.15-golang).
---------------------------------------------
https://lwn.net/Articles/861679/


∗∗∗ Johnson Controls Facility Explorer ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Privilege Management vulnerability in Johnson Controls Facility Explorer industrial Ethernet controllers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01


∗∗∗ Sensormatic Electronics C-CURE 9000 ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in Sensormatic Electronics C-CURE 9000 industrial software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02


∗∗∗ Delta Electronics DOPSoft ∗∗∗
---------------------------------------------
This advisory contains mitigations for Out-of-bounds Read vulnerabilities in Delta Electronics DOPSoft software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-03


∗∗∗ Mitsubishi Electric Air Conditioning System ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Incorrect Implementation of Authentication Algorithm vulnerability in Mitsubishi Electric air conditioning systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-04


∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning Systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-05


∗∗∗ All Bachmann M1 System Processor Modules ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the advisory titled ICSA-21-026-01P All Bachmann M1 System Processor Modules, posted to the HSIN ICS library on January 26, 2021. This advisory is now being released to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Use of Password Hash with Insufficient Computational Effort vulnerability in Bachmann M1 system processor modules.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01-0


∗∗∗ Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-020


∗∗∗ WEIDMUELLER: Multiple vulnerabilities in Industrial WLAN devices (UPDATE A) ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2021-026


∗∗∗ Node.js: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0714


∗∗∗ Red Hat Developer Tools: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0715

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



