[CERT-daily] Daily summary - 29.06.2021

Daily end-of-shift report team at cert.at
Tue Jun 29 18:14:51 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 28-06-2021 18:00 - Tuesday 29-06-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Ransomware gangs now creating websites to recruit affiliates ∗∗∗
---------------------------------------------
Ever since two prominent Russian-speaking cybercrime forums banned ransomware-related topics, criminal operations have been forced to promote their service through alternative methods.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/


∗∗∗ Microsoft successfully hit by dependency hijacking again ∗∗∗
---------------------------------------------
Microsoft has once again been successfully hit by a dependency hijacking attack. This month, another researcher found an npm internal dependency being used by an open-source project.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-successfully-hit-by-dependency-hijacking-again/


∗∗∗ Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground ∗∗∗
---------------------------------------------
After 500 million LinkedIn enthusiasts were affected in a data-scraping incident in April, it's happened again - with big security ramifications.
---------------------------------------------
https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/


∗∗∗ CFBF Files Strings Analysis, (Mon, Jun 28th) ∗∗∗
---------------------------------------------
The Office file format that predates the OOXML format is a binary format based on the CFBF format. I informally call this the ole file format.
---------------------------------------------
https://isc.sans.edu/diary/rss/27576


∗∗∗ Diving into a Google Sweepstakes Phishing E-mail, (Tue, Jun 29th) ∗∗∗
---------------------------------------------
I was recently forwarded another phishing e-mail to examine. This time, it was an e-mail that claimed to be from Google. The e-mail included a pdf file, and instructed the recipient to download the file for further information.
---------------------------------------------
https://isc.sans.edu/diary/rss/27578


∗∗∗ REvil ransomware now targets virtual machines ∗∗∗
---------------------------------------------
Several security researchers warn of a new REvil version that threatens even more devices.
---------------------------------------------
https://heise.de/-6122156


∗∗∗ Analyzing CVE-2021-1665 – Remote Code Execution Vulnerability in Windows GDI+ ∗∗∗
---------------------------------------------
Microsoft Windows Graphics Device Interface+, also known as GDI+, allows various applications to use different graphics functionality on video displays as well as printers.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-cve-2021-1665-remote-code-execution-vulnerability-in-windows-gdi/


∗∗∗ Instagram: collaboration requests from wegego.com are fake ∗∗∗
---------------------------------------------
Instagram users are currently being contacted in increasing numbers by a profile named sara.wegego, a supposed brand ambassador manager at wegego.com. They are offered a collaboration with the company.
---------------------------------------------
https://www.watchlist-internet.at/news/instagram-kooperationsanfragen-von-wegegocom-sind-fake/


∗∗∗ CISA Begins Cataloging Bad Practices that Increase Cyber Risk ∗∗∗
---------------------------------------------
In a blog post by Executive Assistant Director (EAD) Eric Goldstein, CISA announced the creation of a catalog to document bad cybersecurity practices that are exceptionally risky for any organization and especially dangerous for those supporting designated Critical Infrastructure or National Critical Functions.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/29/cisa-begins-cataloging-bad-practices-increase-cyber-risk



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (klibc and libjdom2-java), Mageia (bash, glibc, gnutls, java-openjdk, kernel, kernel-linus, leptonica, libgcrypt, openjpeg2, tor, and trousers), openSUSE (bouncycastle, chromium, go1.16, and kernel), Oracle (docker-engine, docker-cli, and qemu), Red Hat (kpatch-patch), and SUSE (arpwatch, go1.16, kernel, libsolv, microcode_ctl, and python-urllib3, python-requests).
---------------------------------------------
https://lwn.net/Articles/861310/


∗∗∗ PoC released for dangerous Windows PrintNightmare bug ∗∗∗
---------------------------------------------
Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service (spoolsv.exe) that can allow a total compromise of Windows systems.
---------------------------------------------
https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/


∗∗∗ Security Bulletin: Vulnerabilities in Python, Tornado, and Urllib3 affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python-tornado-and-urllib3-affect-ibm-spectrum-protect-plus-microsoft-file-systems-backup-and-restore/


∗∗∗ Security Bulletin: IBM DataQuant Fix for (All) Apache PDF Box (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-dataquant-fix-for-all-apache-pdf-box-publicly-disclosed-vulnerability/


∗∗∗ Security Bulletin: IBM Spectrum Protect Plus has Insecure File Permissions due to not setting the Sticky Bit (CVE-2021-20490) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus-has-insecure-file-permissions-due-to-not-setting-the-sticky-bit-cve-2021-20490/


∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise v11 are affected by vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-ibm-app-connect-enterprise-v11-are-affected-by-vulnerabilities-in-node-js-cve-2021-3450-cve-2021-3449/


∗∗∗ Security Bulletin: Multiple vulnerabilities in open source libraries affects Tivoli Netcool/OMNIbus WebGUI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-open-source-libraries-affects-tivoli-netcool-omnibus-webgui/


∗∗∗ Security Bulletin: Vulnerabilities in Redis, MinIO, Golang, and Urllib3 affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-redis-minio-golang-and-urllib3-affect-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-openshift/


∗∗∗ Security Bulletin: Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-mongodb-node-js-docker-and-xstream-affect-ibm-spectrum-protect-plus/


∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2021-3449, CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-integration-bus-and-ibm-app-connect-enterprise-v11-cve-2021-3449-cve-2021-3450-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-used-by-websphere-application-server-3/


∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2021-23839, CVE-2021-23840) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-integration-bus-and-ibm-app-connect-enterprise-v11-cve-2021-23839-cve-2021-23840-2/


∗∗∗ Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-authenticated-user-to-overwrite-arbirary-files-due-to-improper-group-permissions-cve-2020-4945-3/


∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-user-to-access-and-change-the-configuration-of-db2-due-to-a-race-condition-via-a-symbolic-link-cve-2020-4885-2/


∗∗∗ Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/


∗∗∗ Red Hat OpenShift: multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0700


∗∗∗ MISP: vulnerability allows unspecified attack ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0699

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily