[CERT-daily] Tageszusammenfassung - 03.05.2021

Mon May 3 18:19:22 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 30-04-2021 18:00 − Montag 03-05-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Babuk quits ransomware encryption, focuses on data-theft extortion ∗∗∗
---------------------------------------------
A new message today from the operators of Babuk ransomware clarifies that the gang has decided to close the affiliate program and move to an extortion model that does not rely on encrypting victim computers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/babuk-quits-ransomware-encryption-focuses-on-data-theft-extortion/


∗∗∗ Hacker-Wettbewerb Austria Cyber Security Challenge gestartet ∗∗∗
---------------------------------------------
Der IT-Security-Wettbewerb für Schüler*innen, Studierende und Interessierte feiert heuer sein 10-jähriges Jubiläum.
---------------------------------------------
https://futurezone.at/digital-life/hacker-wettbewerb-austria-cyber-security-challenge-gestartet/401370374


∗∗∗ New Buer Malware Downloader Rewritten in E-Z Rust Language ∗∗∗
---------------------------------------------
Its coming in emails disguised as DHL Support shipping notices and is apparently getting prepped for leasing on the underground.
---------------------------------------------
https://threatpost.com/buer-malware-loader-rewritten-rust/165782/


∗∗∗ PuTTY And FileZilla Use The Same Fingerprint Registry Keys, (Sun, May 2nd) ∗∗∗
---------------------------------------------
Many SSH clients can remember SSH servers' fingerprints. This can serve as a safety mechanism: you get a warning when the server you want to connect to, has no longer the same fingerprint. And then you can decide what to do: continue with the connection, or stop and try to figure out what is going on.
---------------------------------------------
https://isc.sans.edu/diary/rss/27376


∗∗∗ Sicherheitslücke Spectre lebt neu auf: AMD- und Intel-Prozessoren betroffen ∗∗∗
---------------------------------------------
Ein neuer Seitenkanalangriff zielt auf die Micro-Op-Caches aller modernen CPUs von AMD und Intel ab, Ryzen 5000 und Rocket Lake-S eingeschlossen.
---------------------------------------------
https://heise.de/-6034264


∗∗∗ Windows 10: BSI stellt Sicherheitseinstellungen zur Verfügung ∗∗∗
---------------------------------------------
Das BSI hat im Rahmen der „Studie zu Systemaufbau, Protokollierung, Härtung und Sicherheitsfunktionen in Windows 10“ (SiSyPHuS Win10) Handlungsempfehlungen zur Absicherung der Windows-Systeme in deutscher und englischer Sprache veröffentlicht.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/210503_SiSyPHuS.html


∗∗∗ Tesla Car Hacked Remotely From Drone via Zero-Click Exploit ∗∗∗
---------------------------------------------
Two researchers have shown how a Tesla - and possibly other cars - can be hacked remotely without any user interaction. They carried out the attack from a drone.
---------------------------------------------
https://www.securityweek.com/tesla-car-hacked-remotely-drone-zero-click-exploit


∗∗∗ Trickbot Brief: Creds and Beacons ∗∗∗
---------------------------------------------
“TrickBot malware—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. The cybercrime group initially designed TrickBot as a banking trojan to steal [...]
---------------------------------------------
https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/


∗∗∗ Swiss Cloud becomes the latest web hosting provider to suffer a ransomware attack ∗∗∗
---------------------------------------------
Swiss Cloud, a Switzerland-based cloud hosting provider, has suffered this week a ransomware attack that brought the companys server infrastructure to its knees.
---------------------------------------------
https://therecord.media/swiss-cloud-becomes-the-latest-web-hosting-provider-to-suffer-a-ransomware-attack/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Pulse Secure fixes VPN zero-day used to hack high-value targets ∗∗∗
---------------------------------------------
Pulse Secure has fixed a zero-day vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance that is being actively exploited to compromise the internal networks of defense firms and govt agencies.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pulse-secure-fixes-vpn-zero-day-used-to-hack-high-value-targets/


∗∗∗ 8 geben: Python-Standard-Library ignoriert das Oktalystem in IP-Adressen ∗∗∗
---------------------------------------------
Die Library ipaddress prüft IP-Adressen seit 2019 nicht mehr auf führende Nullen. Ein Patch ist in Sicht, aber noch nicht veröffentlicht.
---------------------------------------------
https://heise.de/-6034508


∗∗∗ SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin ∗∗∗
---------------------------------------------
On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin installed on over 100,000 sites. This vulnerability could be used to extract sensitive information from a site’s database, including user emails and password hashes, all [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/05/sql-injection-vulnerability-patched-in-cleantalk-antispam-plugin/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind, GNOME, java-1.8.0-openjdk, java-11-openjdk, nss and nspr, xstream, and xterm), Debian (bind9 and libimage-exiftool-perl), Fedora (ansible, babel, java-11-openjdk, and java-latest-openjdk), Gentoo (chromium, clamav, firefox, git, grub, python, thunderbird, tiff, webkit-gtk, and xorg-server), Mageia (kernel, nvidia-current, nvidia390, qtbase5, and sdl2), openSUSE (Chromium, cifs-utils, cups, giflib, gsoap, libnettle, librsvg, netdata, postsrsd, [...]
---------------------------------------------
https://lwn.net/Articles/855217/


∗∗∗ Synology-SA-21:16 ISC BIND ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to obtain sensitive information or conduct denial-of-service attacks via a susceptible version of Synology DNS Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_16


∗∗∗ Synology-SA-21:17 Samba ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_17


∗∗∗ Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5651.php


∗∗∗ Epic Games Psyonix Rocket League v1.95 Insecure Permissions ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5650.php


∗∗∗ Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-affects-ibm-integrated-analytics-system-5/


∗∗∗ Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-affects-ibm-integrated-analytics-system-4/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service through the Node.js runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-may-be-vulnerable-to-multiple-denial-of-service-through-the-node-js-runtime/


∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sdk-java-technology-edition-may-affect-ibm-cloud-orchestrator-and-ibm-cloud-orchestrator-enterprise-2/


∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-integrated-analytics-system-5/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-may-affect-ibm-cloud-orchestrator-and-ibm-cloud-orchestrator-enterprise-2/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a command injection vulnerability (CVE-2021-23337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-may-be-vulnerable-to-a-command-injection-vulnerability-cve-2021-23337/


∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-denial-of-service-cve-2020-5024-7/


∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sdk-java-technology-edition-may-affect-ibm-cloud-orchestrator-and-ibm-cloud-orchestrator-enterprise/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-may-be-affected-by-openssl-vulnerabilities-cve-2021-3449-and-cve-2021-3450/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily