[CERT-daily] Tageszusammenfassung - 31.05.2021

Mon May 31 18:19:09 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 28-05-2021 18:00 − Montag 31-05-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Sicherheitsupdate: Root-Lücke in Sonicwalls Network Security Manager ∗∗∗
---------------------------------------------
Angreifer könnten durch eine Schwachstelle in der Firewall-Verwaltungssoftware Network Security Manager schlüpfen.
---------------------------------------------
https://heise.de/-6057794


∗∗∗ Client Puzzle Protocols (CPPs) als Gegenmaßnahmen gegen automatisierte Gefahren für Webapplikationen ∗∗∗
---------------------------------------------
Client Puzzle Protocols (CPPs) können effektive Maßnahmen gegen Denial-of-Service-Attacken sein. Sie müssen aber auf ihre Effektivität überprüft werden.
---------------------------------------------
https://www.syss.de/pentest-blog/fachartikel-von-it-security-consultant-vladimir-bostanov


∗∗∗ Threat spotlight: Conti, the ransomware used in the HSE healthcare attack ∗∗∗
---------------------------------------------
[...] In this blog, we’ll home in on Conti, the strain identified by some as the successor, cousin or relative of Ryuk ransomware, due to similarities in code use and distribution tactics.
---------------------------------------------
https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-conti-the-ransomware-used-in-the-hse-healthcare-attack/


∗∗∗ PoC published for new Microsoft PatchGuard (KPP) bypass ∗∗∗
---------------------------------------------
A security researcher has discovered a bug in PatchGuard––a crucial Windows security feature––that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel.
---------------------------------------------
https://therecord.media/poc-published-for-new-microsoft-patchguard-kpp-bypass/


∗∗∗ WooCommerce Credit Card Skimmer Hides in Plain Sight ∗∗∗
---------------------------------------------
Recently, a client’s customers were receiving a warning from their anti-virus software when they navigated to the checkout page of the client’s ecommerce website. Antivirus software such as Kaspersky and ESET would issue a warning but only once a product had been added to the cart and a customer was about to enter their payment information. This is, of course, a tell-tale sign that there is something seriously wrong with the website and likely a case of credit card exfiltration.
---------------------------------------------
https://blog.sucuri.net/2021/05/woocommerce-credit-card-skimmer.html


∗∗∗ On the Taxonomy and Evolution of Ransomware ∗∗∗
---------------------------------------------
Not all ransomware is the same! Oliver Tavakoli, CTO at Vectra AI, discusses the different species of this growing scourge.
---------------------------------------------
https://threatpost.com/taxonomy-evolution-ransomware/166462/


∗∗∗ Spear-phishing Email Targeting Outlook Mail Clients , (Sat, May 29th) ∗∗∗
---------------------------------------------
In February I posted about spam pretending to be an Outlook Version update [1] and now for the past several weeks I have been receiving spear-phishing emails that pretend to be coming from Microsoft Outlook to "Sign in to verify" my account, new terms of services, new version, etc. There also have been some reports this week about large ongoing spear-phishing campaign [2][3] worth reading. Here are some samples which always include a sense of urgency to login as soon as possible: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27472


∗∗∗ Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th) ∗∗∗
---------------------------------------------
New versions of Sysinternals' tools Procmon, Sysmon, TcpView and Process Explorer were released.
---------------------------------------------
https://isc.sans.edu/diary/rss/27476


∗∗∗ Video: Cobalt Strike & DNS - Part 1, (Sun, May 30th) ∗∗∗
---------------------------------------------
One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.
---------------------------------------------
https://isc.sans.edu/diary/rss/27478


∗∗∗ IT threat evolution Q1 2021 ∗∗∗
---------------------------------------------
SolarWinds attacks, MS Exchange vulnerabilities, fake adblocker distributing miner, malware for Apple Silicon platform and other threats in Q1 2021.
---------------------------------------------
https://securelist.com/it-threat-evolution-q1-2021/102382/


∗∗∗ IT threat evolution Q1 2021. Mobile statistics ∗∗∗
---------------------------------------------
In the first quarter of 2021 we detected 1.45M mobile installation packages, of which 25K packages were related to mobile banking Trojans and 3.6K packages were mobile ransomware Trojans.
---------------------------------------------
https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/


∗∗∗ IT threat evolution Q1 2021. Non-mobile statistics ∗∗∗
---------------------------------------------
In Q1 2021, we blocked more than 2 billion attacks launched from online resources across the globe, detected 77.4M unique malicious and potentially unwanted objects, and recognized 614M unique URLs as malicious.
---------------------------------------------
https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/102425/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (hyperkitty, libxml2, nginx, openjdk-11-jre-dcevm, rxvt-unicode, samba, and webkit2gtk), Fedora (exiv2, java-1.8.0-openjdk-aarch32, mingw-python-pillow, opendmarc, php-symfony3, php-symfony4, python-pillow, runc, rust-cranelift-codegen-shared, rust-cranelift-entity, and rxvt-unicode), openSUSE (curl, hivex, libu2f-host, libX11, libxls, singularity, and upx), Oracle (dotnet3.1 and dotnet5.0), Red Hat (docker, glib2, and runc), and Ubuntu (lz4).
---------------------------------------------
https://lwn.net/Articles/857737/


∗∗∗ Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-ibm-sdk-java-technology-edition-3/


∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-addressed-multiple-vulnerabilities-3/


∗∗∗ Security Bulletin: Multiple Security Vulnerabilities have been resolved in IBM Application Gateway (CVE-2021-20576, CVE-2021-20575, CVE-2021-29665) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-resolved-in-ibm-application-gateway-cve-2021-20576-cve-2021-20575-cve-2021-29665/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily