[CERT-daily] Daily summary - 25.05.2021

Daily end-of-shift report team at cert.at
Tue May 25 18:35:20 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 21-05-2021 18:00 - Tuesday 25-05-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Beware of SMS notifications about the delivery status of an order ∗∗∗
---------------------------------------------
Are you expecting a parcel? Then you should be especially careful if you receive information about the status of your order via SMS, because criminals are currently sending out fake delivery notifications en masse. To find out the details, you are asked to click on a link. Do not do that under any circumstances, [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-sms-benachrichtigungen-zum-lieferstatus-einer-bestellung/


∗∗∗ Patch now! Critical Windows vulnerability affects more systems than assumed ∗∗∗
---------------------------------------------
A security researcher has discovered another vulnerable component in Windows systems. Updates are already available.
---------------------------------------------
https://heise.de/-6052749


∗∗∗ Qnap belatedly secures NAS devices against Qlocker attacks ∗∗∗
---------------------------------------------
Since April, a ransomware trojan has been targeting Qnap network-attached storage devices. Security patches are only now available.
---------------------------------------------
https://heise.de/-6052783


∗∗∗ Evolution of JSWorm ransomware ∗∗∗
---------------------------------------------
There are times when a single ransomware family has evolved from a mass-scale operation to a highly targeted threat - all in the span of two years. In this post we want to talk about one of those families, named JSWorm.
---------------------------------------------
https://securelist.com/evolution-of-jsworm-ransomware/102428/


∗∗∗ "Serverless" Phishing Campaign, (Sat, May 22nd) ∗∗∗
---------------------------------------------
The Internet is full of code snippets and free resources that you can embed in your projects. SmtpJS is one of those small projects that are very interesting for developers but also bad guys. It's the first time that I spot a phishing campaign that uses this piece of JavaScript code.
---------------------------------------------
https://isc.sans.edu/diary/rss/27446


∗∗∗ Video: Making Sense Of Encrypted Cobalt Strike Traffic, (Sun, May 23rd) ∗∗∗
---------------------------------------------
Brad posted another malware analysis with capture file of Cobalt Strike traffic.
---------------------------------------------
https://isc.sans.edu/diary/rss/27448


∗∗∗ Web Applications and Internal Penetration Tests ∗∗∗
---------------------------------------------
Until recently, I really didn't care about web applications on an internal penetration test. Whether it was as an entry point or target, I was not interested, since I typically had far better targets and could compromise the networks anyway. However, the times have changed, internal environments are much more restricted, not many services are exposed, and applications are the main reason for the tests. This is not supposed to be a guide to analyze web applications, but some thoughts [...]
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/web-applications-and-internal-penetration-tests/


∗∗∗ Apple Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS ∗∗∗
---------------------------------------------
Apple on Monday rolled out security updates for iOS, macOS, tvOS, watchOS, and the Safari web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur, and expanded patches for two previously disclosed zero-day flaws. Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apple's Transparency, Consent, and Control (TCC) framework in macOS
---------------------------------------------
https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html


∗∗∗ OT Systems Increasingly Targeted by Unsophisticated Hackers: Mandiant ∗∗∗
---------------------------------------------
Unsophisticated threat actors - in many cases motivated by financial gain - have increasingly targeted internet-exposed operational technology (OT) systems, according to research conducted by Mandiant, FireEye’s threat intelligence and incident response unit.
---------------------------------------------
https://www.securityweek.com/ot-systems-increasingly-targeted-unsophisticated-hackers-mandiant


∗∗∗ DarkChronicles: the consequences of the Colonial Pipeline attack ∗∗∗
---------------------------------------------
This article began as an overview of the Colonial Pipeline incident. However, the events unfolded so rapidly that the scope of the publication has gone beyond a single incident.
---------------------------------------------
https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-consequences-of-the-colonial-pipeline-attack/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗
---------------------------------------------
Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing.
---------------------------------------------
https://kb.cert.org/vuls/id/799380


∗∗∗ VU#667933: Pulse Connect Secure Samba buffer overflow ∗∗∗
---------------------------------------------
Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code.
---------------------------------------------
https://kb.cert.org/vuls/id/667933


∗∗∗ Trend Micro: Home Network Security Station secured against three vulnerabilities ∗∗∗
---------------------------------------------
A firmware update protects Home Network Security Stations against attack vectors, two of which, although only locally exploitable, are said to pose high risks.
---------------------------------------------
https://heise.de/-6053146


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libx11, prosody, and ring), Fedora (ceph, glibc, kernel, libxml2, python-pip, slurm, and tpm2-tss), Mageia (bind, libx11, mediawiki, openjpeg2, postgresql, and thunderbird), openSUSE (Botan, cacti, cacti-spine, chromium, djvulibre, fribidi, graphviz, java-1_8_0-openj9, kernel, libass, libxml2, lz4, and python-httplib2), and Slackware (expat).
---------------------------------------------
https://lwn.net/Articles/857132/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python-eventlet), openSUSE (grub2 and mpv), and Red Hat (kpatch-patch and rh-ruby25-ruby).
---------------------------------------------
https://lwn.net/Articles/857212/


∗∗∗ [20210503] - Core - CSRF in data download endpoints ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html


∗∗∗ [20210502] - Core - CSRF in AJAX reordering endpoint ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html


∗∗∗ [20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html


∗∗∗ Pulse Secure VPNs Get Quick Fix for Critical RCE ∗∗∗
---------------------------------------------
https://threatpost.com/pulse-secure-vpns-critical-rce/166437/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ NGINX Controller vulnerability CVE-2021-23018 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K97002210


∗∗∗ NGINX Controller vulnerability CVE-2021-23021 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K36926027


∗∗∗ NGINX Controller vulnerability CVE-2021-23020 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K45263486


∗∗∗ SYSS-2021-010: Path Traversal in LANCOM R&S Unified Firewalls ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-010-path-traversal-in-lancom-rs-unified-firewalls

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily