[CERT-daily] Tageszusammenfassung - 18.11.2021

Thu Nov 18 18:27:03 CET 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 17-11-2021 18:00 − Donnerstag 18-11-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ PerSwaysion Phishing Campaign Continues to Be an Active Threat for Organizations ∗∗∗
---------------------------------------------
Research shows that multiple attack groups have been using the Microsoft file-sharing service - leveraging phishing kit for much longer than previously thought.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/-perswaysion-phishing-campaign-continues-to-be-an-active-threat-for-organizations


∗∗∗ Fake Ransomware Infection Hits WordPress Sites ∗∗∗
---------------------------------------------
WordPress sites have been splashed with ransomware warnings that are as real as dime-store cobwebs made out of spun polyester.
---------------------------------------------
https://threatpost.com/fake-ransomware-infection-wordpress/176410/


∗∗∗ Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs ∗∗∗
---------------------------------------------
Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property. [...] As a precautionary measure, Microsoft is recommending customers using these services take action as described in “Affected products/services,”...
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/11/17/guidance-for-azure-active-directory-ad-keycredential-property-information-disclosure-in-application-and-service-principal-apis/


∗∗∗ [Conti] Ransomware Group In-Depth Analysis ∗∗∗
---------------------------------------------
Providing a detailed perspective towards different fundamental aspects of Conti's Operation, our report approaches this case through different angles such as "Business Model", "Conti Attack Kill Chain", "Management Panel" and "Money Operation".
---------------------------------------------
https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis


∗∗∗ Portable Malware Analyzis Lab ∗∗∗
---------------------------------------------
Short tutorial about the installation of a malware analyzis lab on Proxmox.
---------------------------------------------
https://blog.rootshell.be/2021/11/17/portable-malware-analyzis-lab/


∗∗∗ New ETW Attacks Can Allow Hackers to Blind Security Products ∗∗∗
---------------------------------------------
Researchers have described two new attack methods that can be used to “blind” cybersecurity products that rely on a logging mechanism named Event Tracing for Windows (ETW). ETW, which is present by default in Windows since Windows XP, is designed for tracing and logging events associated with user-mode applications and kernel-mode drivers.
---------------------------------------------
https://www.securityweek.com/new-etw-attacks-can-allow-hackers-blind-security-products


∗∗∗ biovea.net und biovea.com: Häufig Probleme bei Bestellungen ∗∗∗
---------------------------------------------
Biovea bietet auf den Websites biovea.net und biovea.com diverse Nahrungsergänzungsmittel, Körperpflegeprodukte und Waren aus dem Gesundheitsbereich an. Bestellte Produkte werden tatsächlich versandt, doch fehlende Kontaktinformationen, Versand teils aus Amerika und der Import der Produkte beim Zoll können zu zahlreichen Problemen für Bestellende führen.
---------------------------------------------
https://www.watchlist-internet.at/news/bioveanet-und-bioveacom-haeufig-probleme-bei-bestellungen/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011 ∗∗∗
---------------------------------------------
13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to
---------------------------------------------
https://www.drupal.org/sa-core-2021-011


∗∗∗ Drupal: OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044 ∗∗∗
---------------------------------------------
14∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
This module enables users to authenticate through their Microsoft Azure AD account.The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-044


∗∗∗ Vulnerability Spotlight: Multiple code execution vulnerabilities in LibreCAD ∗∗∗
---------------------------------------------
Cisco Talos recently discovered three vulnerabilities in LibreCAD’s libdfxfw open-source library.  This library reads and writes .dxf and .dwg files — the primary file format for vector graphics in CAD software. LibreCAD, a free computer-aided design software for 2-D models, uses this libdfxfw. [...] Users are encouraged to update these affected products as soon as possible: LibreCad libdxfrw, version 2.2.0-rc2-19-ge02f3580. Talos tested and confirmed these versions of the library could be exploited by this vulnerability. 
---------------------------------------------
http://blog.talosintelligence.com/2021/11/libre-cad-vuln-spotlight-.html


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (binutils, firefox, flatpak, freerdp, httpd, java-1.8.0-openjdk, java-11-openjdk, kernel, openssl, and thunderbird), Fedora (python-sport-activities-features, rpki-client, and vim), and Red Hat (devtoolset-10-annobin and devtoolset-10-binutils).
---------------------------------------------
https://lwn.net/Articles/876413/


∗∗∗ Reflected XSS Vulnerability in Ragic Cloud DB ∗∗∗
---------------------------------------------
A reflected cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Ragic Cloud DB. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already disabled and removed Ragic Cloud DB from the QNAP App Center, pending a security patch from Ragic. 
To secure your device, we recommend uninstalling Ragic Cloud DB until a security patch is available.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-48


∗∗∗ CSRF Vulnerability in QmailAgent ∗∗∗
---------------------------------------------
A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP NAS running QmailAgent. If exploited, this vulnerability allows remote attackers to trick a victim into performing unintended actions on the web application while the victim is logged in. We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 (2021/08/25) and later
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-49


∗∗∗ Heap-Based Buffer Overflow Vulnerability in QTS and QuTS hero ∗∗∗
---------------------------------------------
A heap-based buffer overflow vulnerability has been reported to affect QNAP NAS devices that have Apple File Protocol (AFP) enabled in QTS or QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code.
We have already fixed this vulnerability in the following versions of QTS and QuTS hero: [...]
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-50


∗∗∗ Security Bulletin: Vulnerabilitiy affects IBM Observability with Instana ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-affects-ibm-observability-with-instana-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Nov V2) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-nov-v2/


∗∗∗ Philips IntelliBridge EC 40 and EC 80 Hub ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-322-01


∗∗∗ Philips Patient Information Center iX (PIC iX) and Efficia CM Series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-322-02

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily