[CERT-daily] Tageszusammenfassung - 27.05.2021

Thu May 27 18:51:03 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 26-05-2021 18:00 − Donnerstag 27-05-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Achtung: Kriminelle fälschen „Grünen Pass“! ∗∗∗
---------------------------------------------
In Österreich wird bald der „Grüne Pass“ eingeführt, der den Zugang zu Gastronomie und körpernahen Dienstleistungen erleichtern soll. Dieser ist erst in der zweiten Juni-Woche verfügbar, doch Kriminelle verbreiten bereits jetzt eine „Variante“ des Grünen Passes. Wir gehen davon aus, dass dabei personenbezogene Daten abgegriffen werden. Wer die unseriöse App als gültigen Impf-, Test- oder Genesungsnachweis verwendet, könnte könnte sich außerdem strafbar machen.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-kriminelle-faelschen-gruenen-pass/


∗∗∗ Exploit veröffentlicht: Gefixte WebKit-Schwachstelle steht auf iPhones offen ∗∗∗
---------------------------------------------
Ein Patch im Open-Source-Unterbau aller iOS-Browser ist selbst nach Wochen noch nicht in Apples Betriebssysteme eingeflossen, warnt eine Sicherheitsfirma.
---------------------------------------------
https://heise.de/-6055716


∗∗∗ BazaLoader Masquerades as Movie-Streaming Service ∗∗∗
---------------------------------------------
The website for “BravoMovies” features fake movie posters and a FAQ with a rigged Excel spreadsheet for “cancelling” the service, but all it downloads is malware.
---------------------------------------------
https://threatpost.com/bazaloader-fake-movie-streaming-service/166489/


∗∗∗ “Unpatchable” vuln in Apple’s new Mac chip – what you need to know ∗∗∗
---------------------------------------------
Its all over the news! The bug you cant fix! Fortunately, you dont need to. We explain why.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/05/27/unpatchable-vuln-in-apples-new-mac-chip-what-you-need-to-know/


∗∗∗ Analysis report of the Facefish rootkit ∗∗∗
---------------------------------------------
In Feb 2021, we came across an ELF sample using some CWP’s Ndays exploits, we did some analysis, but after checking with a partner who has some nice visibility in network traffic in some China areas, we discovered there is literarily 0 hit for the C2 traffic.
---------------------------------------------
https://blog.netlab.360.com/ssh_stealer_facefish_en/


∗∗∗ All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not, (Thu, May 27th) ∗∗∗
---------------------------------------------
Malware authors like to use a variety of techniques to avoid detection of their creations by anti-malware tools. As the old saying goes, necessity is the mother of invention and in the case of malware, it has lead its authors to devise some very interesting ways to hide from detection over the years - from encoding of executable files into valid bitmap images[1] to multi-stage encryption of malicious payloads[2] and much further.
---------------------------------------------
https://isc.sans.edu/diary/rss/27466


∗∗∗ Saving Your Access ∗∗∗
---------------------------------------------
After revisiting old internal discussions, an area of interest was the possibility of using screensavers for persistence on macOS. This is an established persistence method on Windows, as noted on the MITRE ATT&CK page.
---------------------------------------------
https://posts.specterops.io/saving-your-access-d562bf5bf90b


∗∗∗ Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises ∗∗∗
---------------------------------------------
Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat Intelligence has observed simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophistication-operational-technology-compromises.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ HPE fixes critical zero-day vulnerability disclosed in December ∗∗∗
---------------------------------------------
Hewlett Packard Enterprise (HPE) has released a security update to address a zero-day remote code execution vulnerability disclosed last year, in December.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hpe-fixes-critical-zero-day-vulnerability-disclosed-in-december/


∗∗∗ Drupal: Update schließt Cross-Site-Scripting-Lücke in mehreren CMS-Versionen ∗∗∗
---------------------------------------------
Die Programmbibliothek CKEditor, die vom Drupal-Core verwendet wird, barg unter bestimmten Umständen Angriffsmöglichkeiten. Für Core & Library gibt es Updates.
---------------------------------------------
https://heise.de/-6055672


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (djvulibre), Fedora (slapi-nis and upx), Gentoo (ceph and nginx), openSUSE (python-httplib2 and rubygem-actionpack-5_1), Slackware (curl), SUSE (curl, libX11, and python-httplib2), and Ubuntu (isc-dhcp, lz4, and nginx).
---------------------------------------------
https://lwn.net/Articles/857460/


∗∗∗ Vulnerabilities in Visual Studio Code Extensions Expose Developers to Attacks ∗∗∗
---------------------------------------------
Vulnerabilities in Visual Studio Code extensions could be exploited by malicious attackers to steal valuable information from developers and even compromise organizations, researchers with open-source software security firm Snyk say.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-visual-studio-code-extensions-expose-developers-attacks


∗∗∗ GENIVI Alliance DLT ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in GENIVI Alliance DLT-Daemon software component.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-01


∗∗∗ Johnson Controls Sensormatic Electronics VideoEdge ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Off-by-one Error vulnerability in Sensormatic Electronics VideoEdge surveillance systems. Sensormatic Electronics is a subsidiary of Johnson Controls.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-02


∗∗∗ Siemens JT2Go and Teamcenter Visualization ∗∗∗
---------------------------------------------
This advisory contains mitigations for Untrusted Pointer Dereference, Out-of-bounds Read, and Stack-based Buffer Overflow vulnerabilities in Siemens JT2Go and Teamcenter Visualization products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-04


∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric iQ-R Series CPU modules.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-05


∗∗∗ Internet Systems Consortium DHCP: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0587


∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Undocumented Account ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2021050156


∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded Web Application Administrator Password ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2021050155


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-security-guardium-16/


∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4996) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2020-4996-2/


∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2021-20229) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerability-in-postgresql-affects-ibm-connectdirect-web-services-cve-2021-20229/


∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within IBM® Runtime Environment Java™ Technology Edition (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-an-issue-within-ibm-runtime-environment-java-technology-edition-cve-2020-27221/


∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services ( CVE-2021-3393) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerability-in-postgresql-affects-ibm-connectdirect-web-services-cve-2021-3393/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server April 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affects-websphere-application-server-april-2021-cpu-that-is-bundled-with-ibm-websphere-application-server-patterns/


∗∗∗ Security Bulletin: Vulnerability in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-affecting-watson-knowledge-catalog-for-ibm-cloud-pak-for-data/


∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affects-ibm-spectrum-protect-snapshot-on-aix-and-linux-cve-2020-27221-2/


∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in IBM® Runtime Environment Java™ Technology Edition. (CVE-2020-14779) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-an-issue-in-ibm-runtime-environment-java-technology-edition-cve-2020-14779/


∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2020-10733) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerability-in-postgresql-affects-ibm-connectdirect-web-services-cve-2020-10733/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily