[CERT-daily] Tageszusammenfassung - 18.06.2021

Fri Jun 18 18:14:03 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 17-06-2021 18:00 − Freitag 18-06-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Dimitri Robl

=====================
=       News        =
=====================

∗∗∗ Newly discovered Vigilante malware outs software pirates and blocks them ∗∗∗
---------------------------------------------
Most malware tries to steal stuff. Vigilante, by contrast, takes aim at piracy.
---------------------------------------------
https://arstechnica.com/?p=1774437


∗∗∗ Network Forensics on Azure VMs (Part #2), (Fri, Jun 18th) ∗∗∗
---------------------------------------------
In yesterday's diary, we took a look at two methods that allow to capture network connection information off a potentially compromised virtual machine in Azure. Today, we'll investigate the most recent addition to the VM monitoring arsenal, namely "Azure Monitor Insights".
---------------------------------------------
https://isc.sans.edu/diary/rss/27538


∗∗∗ Open redirects ... and why Phishers love them, (Fri, Jun 18th) ∗∗∗
---------------------------------------------
Working from home, did you get a meeting invite recently that pointed to https://meet.google.com ?  Well, that's indeed where Google's online meeting tool is located. But potentially the URL you got is not "only" leading you there.
---------------------------------------------
https://isc.sans.edu/diary/rss/27542


∗∗∗ Intentional Flaw in GPRS Encryption Algorithm GEA-1 ∗∗∗
---------------------------------------------
General Packet Radio Service (GPRS) is a mobile data standard that was widely used in the early 2000s. The first encryption algorithm for that standard was GEA-1, a stream cipher built on three linear-feedback shift registers and a non-linear combining function. Although the algorithm has a 64-bit key, the effective key length is only 40 bits, due to “an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance.
---------------------------------------------
https://www.schneier.com/blog/archives/2021/06/intentional-flaw-in-gprs-encryption-algorithm-gea-1.html


∗∗∗ Malicious Redirects Through Bogus Plugin ∗∗∗
---------------------------------------------
Recently we have been seeing a rash of WordPress website compromises with attackers abusing the plugin upload functionality in the wp-admin dashboard to redirect visitors and website owners to malicious websites.
---------------------------------------------
https://blog.sucuri.net/2021/06/malicious-redirects-through-bogus-plugin.html


∗∗∗ Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise ∗∗∗
---------------------------------------------
Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html


∗∗∗ Mit diesem Leitfaden der NSA können Admins IP-Telefonie schützen ∗∗∗
---------------------------------------------
Die National Security Agency spricht Empfehlungen aus, wie Sprach- und Videoanrufe sicherer werden.
---------------------------------------------
https://heise.de/-6111092


∗∗∗ Polazert Trojan using poisoned Google Search results to spread ∗∗∗
---------------------------------------------
The threat actors behind Trojan.Polazert are using keyword-stuffed PDF files to rank high in search results and attract new victims.Categories: AwarenessTags: Polazertratseo poisoningSolarMarkerstuffed PDF(Read more...)The post Polazert Trojan using poisoned Google Search results to spread appeared first on Malwarebytes Labs.
---------------------------------------------
https://blog.malwarebytes.com/awareness/2021/06/polazert-trojan-using-poisoned-google-search-results-to-spread/


∗∗∗ Service Vulnerabilities: Shared Hosting Symlink Security Issue Still Widely Exploited on Unpatched Servers ∗∗∗
---------------------------------------------
The Wordfence site cleaning team helps numerous customers recover from malware infections and site intrusions. While doing so, Wordfence Security Analysts perform a detailed forensic investigation in order to determine how the site was compromised by attackers. In a set of recent cases, we were able to identify a service vulnerability allowing malicious attackers to [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/06/service-vulnerabilities-shared-hosting-symlink-security-issue-still-widely-exploited-on-unpatched-servers/


∗∗∗ Betrug bei QR-Code-Scannern: Darauf sollten Sie achten! ∗∗∗
---------------------------------------------
Egal ob bei der Registrierung in einem Restaurant, bei einem Impf- oder Testtermin: Spätestens durch die Corona-Krise wurde die Verwendung von QR-Codes zur Normalität. Dementsprechend poppen derzeit zahlreiche neue QR-Code-Scanner in den App-Stores auf. Aber Achtung: Hinter manchen dieser kostenlosen Apps verstecken sich BetrügerInnen. Vorsicht ist auch bei seriösen Apps geboten, da die angezeigten Werbungen betrügerisch sein können.
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-bei-qr-code-scannern-darauf-sollten-sie-achten-1/


∗∗∗ A deep dive into the operations of the LockBit ransomware group ∗∗∗
---------------------------------------------
Most victims are from the enterprise and are expected to pay an average ransom of $85,000.
---------------------------------------------
https://www.zdnet.com/article/a-deep-dive-into-the-operations-of-the-lockbit-ransomware-group/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (aspnet-runtime, aspnet-runtime-3.1, chromium, drupal, intel-ucode, nginx, opera, python-django, radare2, thefuck, and vivaldi), Debian (jetty9), Fedora (dogtag-pki and pki-core), openSUSE (htmldoc and postgresql10), Oracle (dhcp), SUSE (apache2, caribou, jetty-minimal, libxml2, postgresql12, python-PyJWT, python-rsa, python-urllib3, thunderbird, tpm2.0-tools, xstream, and xterm), and Ubuntu (grub2-signed, grub2-unsigned and libxml2).
---------------------------------------------
https://lwn.net/Articles/860260/


∗∗∗ Hitachi Virtual File Platform vulnerable to OS command injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN21298724/


∗∗∗ Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-qradar-siem-is-vulnerable-to-unsafe-deserialization-cve-2020-36282/


∗∗∗ Security Bulletin: IBM Security Identity Manager Virtual Appliance deprecated Self Service UI contains Struts V1 (CVE-2016-1182) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-virtual-appliance-deprecated-self-service-ui-contains-struts-v1-cve-2016-1182/


∗∗∗ Security Bulletin: A vulnerability have been identified in Apache Commons IO shipped with IBM Tivoli Netcool/OMNIbus Probe for Microsoft Exchange Web Services (CVE-2021-29425) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been-identified-in-apache-commons-io-shipped-with-ibm-tivoli-netcool-omnibus-probe-for-microsoft-exchange-web-services-cve-2021-29425/


∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in Netty shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-netty-shipped-with-ibm-tivoli-netcool-omnibus-transport-module-common-integration-library-cve-2021-21290-cve-2021-21295-cve-2021/


∗∗∗ Security Bulletin: IBM Security Identity Manager deprecated Self Service UI contains Struts V1 (CVE-2016-1182) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-deprecated-self-service-ui-contains-struts-v1-cve-2016-1182/


∗∗∗ Security Bulletin: BIND for IBM i is affected by CVE-2021-25214 and CVE-2021-25215 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affected-by-cve-2021-25214-and-cve-2021-25215/


∗∗∗ Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vulnerable-to-command-injection-cve-2021-20527-2/


∗∗∗ VMSA-2021-0011 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0011.html


∗∗∗ Google Chrome: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0670


∗∗∗ Schneider Electric EnerlinX Com’X 510 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-168-01


∗∗∗ Softing OPC-UA C++ SDK ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-168-02


∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-168-03


∗∗∗ WAGO M&M Software fdtCONTAINER (Update C) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05


∗∗∗ Rockwell Automation ISaGRAF5 Runtime (Update A) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-280-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily