[CERT-daily] Tageszusammenfassung - 19.11.2021

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 18-11-2021 18:00 − Freitag 19-11-2021 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Sicherheitsbedrohungen im Web: Die größten Risiken laut OWASP Top Ten 2021 ∗∗∗
---------------------------------------------
Die OWASP Top Ten 2021 aktualisiert die Liste der Sicherheitsbedrohungen im Web. Defekte Zugriffsbeschränkungen stehen an erster Stelle.
---------------------------------------------
https://heise.de/-6271591


∗∗∗ Qnap veröffentlicht NAS-Updates und deaktiviert aus Sicherheitsgründen eine App ∗∗∗
---------------------------------------------
Angreifer könnten Netzwerkspeicher von Qnap attackieren. Der Sicherheitspatch für eine Lücke steht noch aus.
---------------------------------------------
https://heise.de/-6272271


∗∗∗ Azure Active Directory: Sicherheitslücke entblößt private Schlüssel ∗∗∗
---------------------------------------------
In Azure Automation waren private Schlüssel für jeden Nutzer des AD einsehbar. Obwohl Microsoft das Problem gelöst hat, ist ein Schlüsseltausch angeraten.
---------------------------------------------
https://heise.de/-6272248


∗∗∗ ProxyNoShell: Mandiant warnt vor neuen Angriffsmethoden auf Exchange-Server (Nov. 2021) ∗∗∗
---------------------------------------------
Cyber-Angreifer verwenden seit Monaten drei bekannte Schwachstellen in Microsofts Exchange Servern, für die es bereits seit Monaten Updates gibt. Trotzdem sind um die 30.000 Microsoft Exchange Sever per Internet erreichbar, die über diese Schwachstellen angreifbar sind. Sicherheitsforscher haben jetzt eine [...]
---------------------------------------------
https://www.borncity.com/blog/2021/11/19/proxynoshell-mandiant-warnt-vor-neuen-angriffsmethoden-auf-exchange-server-nov-2021/


∗∗∗ Malware downloaded from PyPI 41,000 times was surprisingly stealthy ∗∗∗
---------------------------------------------
Malware infiltrating open source repositories is getting more sophisticated.
---------------------------------------------
https://arstechnica.com/?p=1814211


∗∗∗ Android malware BrazKing returns as a stealthier banking trojan ∗∗∗
---------------------------------------------
​The BrazKing Android banking trojan has returned with dynamic banking overlays and a new implementation trick that enables it to operate without requesting risky permissions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-malware-brazking-returns-as-a-stealthier-banking-trojan/


∗∗∗ Ransomware Phishing Emails Sneak Through SEGs ∗∗∗
---------------------------------------------
The MICROP ransomware spreads via Google Drive and locally stored passwords.
---------------------------------------------
https://threatpost.com/ransomware-phishing-emails-segs/176470/


∗∗∗ Downloader Disguised as Excel Add-In (XLL), (Fri, Nov 19th) ∗∗∗
---------------------------------------------
At the Internet Storm Center, we like to show how exotic extensions can be used to make victims feel confident to open malicious files. There is  an interesting webpage that maintains a list of dangerous extensions used by attackers: filesec.io[1]. The list is regularly updated and here is an example of malicious file that is currently not listed: "XLL". It's not a typo, it's not a "DLL" but close to!
---------------------------------------------
https://isc.sans.edu/diary/rss/28052


∗∗∗ New Side Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks ∗∗∗
---------------------------------------------
Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined to legitimate websites to a server under their control. "The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache," University of California researchers Keyu Man, Xin'an Zhou, and Zhiyun Qian said.
---------------------------------------------
https://thehackernews.com/2021/11/new-side-channel-attacks-re-enable.html


∗∗∗ Web trust dies in darkness: Hidden Certificate Authorities undermine public crypto infrastructure ∗∗∗
---------------------------------------------
Security researchers have checked the webs public key infrastructure and have measured a long-known but little-analyzed security threat: hidden root Certificate Authorities.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/11/19/web_trust_certificates/


∗∗∗ Patch now! FatPipe VPN zero-day actively exploited ∗∗∗
---------------------------------------------
The FBI has revealed that APT actors have been abusing a zero-day in FatPipes MPVPN, WARP, and IPVPN products since May.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-fatpipe-vpn-zero-day-actively-exploited/


∗∗∗ New Aggah Campaign Hijacks Clipboards to Replace Cryptocurrency Addresses ∗∗∗
---------------------------------------------
Aggah is a threat group known for espionage and information theft worldwide, as well as its deft use of free and open-source infrastructure to conduct its attacks. Weve recently reported that the group is linked with the Mana Tools malware distribution and command and control (C2) panel. RiskIQ recently identified a new Aggah campaign via our global monitoring of malicious VBScript code posted on websites. In this latest campaign, operators deployed clipboard hijacking code that replaces a [...]
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/aggah-clipboard-hijack-crypto/


∗∗∗ Ransomware is now a giant black hole that is sucking in all other forms of cybercrime ∗∗∗
---------------------------------------------
File-encrypting malware is where the money is -- and thats changing the whole online crime ecosystem.
---------------------------------------------
https://www.zdnet.com/article/ransomware-is-now-a-giant-black-hole-that-is-sucking-in-all-other-forms-of-cybercrime/


∗∗∗ All Roads Lead to OpenVPN: Pwning Industrial Remote Access Clients ∗∗∗
---------------------------------------------
[...] Team82’s research uncovered four vulnerabilities in popular industrial VPN solutions from vendors HMS Industrial Networks, Siemens, PerFact, and MB connect line. 
The vulnerabilities expose users to remote and arbitrary code execution attacks, and also enable attackers to elevate privileges. 
All four vendors have either provided a fix in an updated version of their respective products, or suggested mitigations.
---------------------------------------------
https://claroty.com/2021/11/19/blog-research-all-roads-lead-to-openvpn-pwning-industrial-remote-access-clients/


∗∗∗ Kernel Karnage – Part 4 (Inter(ceptor)mezzo) ∗∗∗
---------------------------------------------
To make up for the long wait between parts 2 and 3, we’re releasing another blog post this week. Part 4 is a bit smaller than the others, an intermezzo between parts 3 and 5 if you will, discussing interceptor.
---------------------------------------------
https://blog.nviso.eu/2021/11/19/kernel-karnage-part-4-interceptormezzo/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security Bulletin: Vulnerability in sed affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products ∗∗∗
---------------------------------------------
A vulnerability in the sed command could allow an authenticated attacker to escape from a restricted shell to obtain sensitive information and cause a denial of service.
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sed-affects-ibm-san-volume-controller-ibm-storwize-ibm-spectrum-virtualize-and-ibm-flashsystem-v9000-products-2/


∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2021-29843 ∗∗∗
---------------------------------------------
IBM MQ is vulnerable to a denial of service attack caused by an issue processing message properties. The issue is described by CVE-2021-29843.
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-server-is-affected-by-vulnerability-cve-2021-29843/


∗∗∗ Xen Security Advisory CVE-2021-28710 / XSA-390 - certain VT-d IOMMUs may not work in shared page table mode ∗∗∗
---------------------------------------------
Impact: A malicious guest may be able to escalate its privileges to that of the host.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-390.html


∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome could lead to code execution ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.
---------------------------------------------
https://blog.talosintelligence.com/2021/11/vulnerability-spotlight-user-after-free.html


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, grafana, kubectl-ingress-nginx, and opera), Debian (netkit-rsh and salt), Fedora (freeipa and samba), Mageia (opensc, python-django-filter, qt4, tinyxml, and transfig), openSUSE (opera and transfig), Red Hat (devtoolset-11-annobin, devtoolset-11-binutils, and llvm-toolset:rhel8), SUSE (php72 and php74), and Ubuntu (mailman and thunderbird).
---------------------------------------------
https://lwn.net/Articles/876528/


∗∗∗ QNX-2021-002 Vulnerability in BMP Image Codec Impacts BlackBerry QNX Software Development Platform (SDP) ∗∗∗
---------------------------------------------
https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000089042


∗∗∗ K48382137: Bootstrap vulnerability CVE-2018-14040 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K48382137


∗∗∗ K19785240: Bootstrap vulnerability CVE-2018-14042 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K19785240

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily