[CERT-daily] Tageszusammenfassung - 23.11.2021

Daily end-of-shift report team at cert.at
Tue Nov 23 18:29:59 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 22-11-2021 18:00 − Dienstag 23-11-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Warnung: ProxyShell, Squirrelwaffle und ein PoC-Eploit, patcht endlich eure Exchange-Server ∗∗∗
---------------------------------------------
Wie oft denn noch? Aktuell warne ich fast im Tagesrhythmus vor dem Betrieb ungepatchter Exchange-Schwachstellen und ProxyShell-Angriffen. Vor einigen Tagen hat Trend Micro eine Warnung vor Angriffen auf die ProxyShell-Schwachstellen über den Squirrelwaffle-Exploit und der Übernahme der Exchange-E-Mail-Postfächer gewarnt. Seit wenigen Stunden ist ein weitere Exploit als Proof of Concept öffentlich, die Ausnutzung gegen ungepatchte Exchange-Server ist wahrscheinlich. Patcht also endlich die Systeme.
---------------------------------------------
https://www.borncity.com/blog/2021/11/23/warnung-proxyshell-squirrelwaffle-und-ein-poc-eploit-patcht-endlich-eure-exchange-server/


∗∗∗ GoDaddy-Datenpanne betrifft 1,2 Millionen WordPress-Kunden ∗∗∗
---------------------------------------------
Hacker verschafft sich Zugang zu den persönlichen Daten von mehr als 1,2 Millionen Kunden des WordPress-Hostingdienstes von GoDaddy.
---------------------------------------------
https://heise.de/-6274187


∗∗∗ FBI warnt vor Einbrüchen via VPN-Software ∗∗∗
---------------------------------------------
Bei Untersuchungen stießen Strafverfolger vom FBI auf Sicherheitslücken in VPN-Software, durch die Cyberkriminelle derzeit in Netzwerke eindringen.
---------------------------------------------
https://heise.de/-6274101


∗∗∗ ZDF-Reportage: Wie Betrüger online abzocken ∗∗∗
---------------------------------------------
Wer sind die Cyber-Kriminellen hinter den unzähligen Fake-Shops und wie können sie entlarvt werden? "WISO crime" - ein ZDF-Format berichtet über Fake-Shops im Internet und versucht, einem Fake-Shop-Betreiber auf die Schliche zu kommen.
---------------------------------------------
https://www.watchlist-internet.at/news/zdf-reportage-wie-betrueger-online-abzocken/


∗∗∗ Over nine million Android devices infected by info-stealing trojan ∗∗∗
---------------------------------------------
A large-scale malware campaign on Huaweis AppGallery has led to approximately 9,300,000 installs of Android trojans masquerading as over 190 different apps
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-nine-million-android-devices-infected-by-info-stealing-trojan/


∗∗∗ How to investigate service provider trust chains in the cloud ∗∗∗
---------------------------------------------
This blog outlines DART’s recommendations for incident responders to investigate potential abuse of these delegated admin permissions, independent of the threat actor.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/11/22/how-to-investigate-service-provider-trust-chains-in-the-cloud/


∗∗∗ Simple YARA Rules for Office Maldocs, (Mon, Nov 22nd) ∗∗∗
---------------------------------------------
In diary entry "Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches" I shared 2 simple YARA rules to triage Office documents with VBA code.
---------------------------------------------
https://isc.sans.edu/diary/rss/28062


∗∗∗ Observing Attacks Against Hundreds of Exposed Services in Public Clouds ∗∗∗
---------------------------------------------
Insecurely exposed services are common misconfigurations in cloud environments. We used a honeypot infrastructure to learn about attacks against them.
---------------------------------------------
https://unit42.paloaltonetworks.com/exposed-services-public-clouds/


∗∗∗ What to do if you receive a data breach notice ∗∗∗
---------------------------------------------
Receiving a breach notification doesn't mean you’re doomed - here's what you should consider doing in the hours and days after learning that your personal data has been exposed
---------------------------------------------
https://www.welivesecurity.com/2021/11/22/what-do-if-you-receive-data-breach-notice/


∗∗∗ GÉANT launches new security services website ∗∗∗
---------------------------------------------
As technology becomes more complex and threats more sophisticated, it’s a challenge to keep any organisation’s online environment and physical infrastructure secure. Security services protect both the networks and services from attacks, but also help secure individuals using the networks.
---------------------------------------------
https://connect.geant.org/2021/11/23/geant-launches-new-security-services-website


∗∗∗ The digital operational resilience act (DORA): what you need to know about it, the requirements and challenges we see. ∗∗∗
---------------------------------------------
TL;DR - In this blogpost, we will give you an introduction to DORA, as well as how you can prepare yourself to be ready for it. More specifically, throughout this blogpost we will try to formulate an answer to following questions: What is DORA and what are the key requirements of DORA? What are the biggest [...]
---------------------------------------------
https://blog.nviso.eu/2021/11/23/the-digital-operational-resilience-act-dora-what-you-need-to-know-about-it-the-requirements-and-challenges-we-see/


∗∗∗ GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks ∗∗∗
---------------------------------------------
In part three of a series, GoSecure ethical hackers have found another way to exploit insecure Windows Server Update Services (WSUS) configurations. By taking advantage of the authentication provided by the Windows update client and relaying it to other domain services, we found this can lead to remote code execution. In this blog, we’ll share our findings and recommend mitigations.
---------------------------------------------
https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-services-wsus-to-enable-ntlm-relaying-attacks/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ VMSA-2021-0027 ∗∗∗
---------------------------------------------
VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0027.html


∗∗∗ Xen Security Advisories ∗∗∗
---------------------------------------------
XSA-385 - guests may exceed their designated memory limit  
XSA-387 - grant table v2 status pages may remain accessible after de-allocation (take two)  
XSA-388 - PoD operations on misaligned GFNs  
XSA-389 - issues with partially successful P2M updates on x86
---------------------------------------------
https://xenbits.xen.org/xsa/


∗∗∗ Vulnerability Spotlight: PHP deserialize vulnerability in CloudLinux Imunity360 could lead to arbitrary code execution ∗∗∗
---------------------------------------------
Cisco Talos recently discovered a vulnerability in the Ai-Bolit functionality of CloudLinux Inc Imunify360 that could lead to arbitrary code execution. Imunify360 is a security platform for web-hosting servers that allows users to configure various settings for real-time website protection and web server security.
---------------------------------------------
https://blog.talosintelligence.com/2021/11/vulnerability-spotlight-php-deserialize.html


∗∗∗ A review of Azure Sphere vulnerabilities: Unsigned code execs, kernel bugs, escalation chains and firmware downgrades ∗∗∗
---------------------------------------------
Summary of all the vulnerabilities reported by Cisco Talos in Microsoft Azure Sphere
---------------------------------------------
https://blog.talosintelligence.com/2021/11/a-review-of-azure-sphere.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mbedtls), Red Hat (kernel and rpm), and Ubuntu (freerdp2).
---------------------------------------------
https://lwn.net/Articles/876723/


∗∗∗ 0-Day LPE-Schwachstelle im Windows Installer (Nov. 2021) ∗∗∗
---------------------------------------------
Ein Sicherheitsforscher hat eine eine 0-Day-Schwachstelle im Windows Installer gefunden, über die ein lokaler Angreifer Administratorrechte erlangen kann. Die Windows Installer Elevation of Privilege"-Schwachstelle CVE-2021-41379 ist zwar im November 2021 gepatcht worden. Aber es gibt eine Umgehungslösung, der Patch ist wirkungslos. Betroffen sind alle Windows-Versionen, einschließlich Windows 10, dass brandneue Windows 11 sowie alle Windows Server-Versionen.
---------------------------------------------
https://www.borncity.com/blog/2021/11/23/0-day-lpe-schwachstelle-im-windows-installer-nov-2021/


∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple issues within the IBM® Runtime Environment Java™ Technology Edition, Version 8 shipped with IBM MQ (CVE-2021-2432, CVE-2021-2388) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-multiple-issues-within-the-ibm-runtime-environment-java-technology-edition-version-8-shipped-with-ibm-mq-cve-2021-2432-cve-2021-2388/


∗∗∗ Security Bulletin: Vulnerability in MIT Kerberos 5 (CVE-2020-28196) affects HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-mit-kerberos-5-cve-2020-28196-affects-hmc/


∗∗∗ Security Bulletin: Vulnerability in Apache HTTP (CVE-2018-17199 and CVE-2020-11993) affects HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-http-cve-2018-17199-and-cve-2020-11993-affects-hmc/


∗∗∗ Security Bulletin: Application error in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38980) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-application-error-in-ibm-security-guardium-key-lifecycle-manager-cve-2021-38980/


∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat (CVE-2021-42340) affects HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-tomcat-cve-2021-42340-affects-hmc/


∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an error processing messages. (CVE-2021-38875) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a-denial-of-service-attack-caused-by-an-error-processing-messages-cve-2021-38875/


∗∗∗ Security Bulletin: Vulnerability in Bash (CVE-2019-18276) affects HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-cve-2019-18276-affects-hmc/


∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve-2021-25215-affects-power-hmc/


∗∗∗ Security Bulletin: Vulnerability in glib2 (CVE-2021-27218 and CVE-2021-27219) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-glib2-cve-2021-27218-and-cve-2021-27219-affects-power-hmc/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list