[CERT-daily] Daily summary - 29.11.2021

Daily end-of-shift report team at cert.at
Mon Nov 29 18:17:48 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 26-11-2021 18:00 - Monday 29-11-2021 18:00
Handler:     Wolfgang Menezes
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

*** TrickBot phishing checks screen resolution to evade researchers ***
---------------------------------------------
The TrickBot malware operators have been using a new method to check the screen resolution of a victim system to evade detection of security software and analysis by researchers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trickbot-phishing-checks-screen-resolution-to-evade-researchers/


*** IT security: ETSI publishes first standard for secure smartphones ***
---------------------------------------------
A new standard from the European standards institute ETSI is intended to help manufacturers worldwide increase the IT security of consumer mobile phones.
---------------------------------------------
https://heise.de/-6278376


*** Google analysis: cloud services vulnerable due to weak passwords ***
---------------------------------------------
The company investigated break-ins into cloud instances, names the causes, and provides the resulting recommendations for action.
---------------------------------------------
https://heise.de/-6277514


*** Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day) ***
---------------------------------------------
In June 2021, security researcher Abdelhamid Naceri published a blog post about an "unpatched information disclosure" vulnerability in Windows. The post details the mechanics of the issue and its exploitation, allowing a non-admin Windows user to read arbitrary files even if they do not have permissions to do so.
---------------------------------------------
https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html


*** Ghidra 101: Binary Patching ***
---------------------------------------------
There are several circumstances where it can be helpful to make a modification to code or data within a compiled program. Sometimes it is necessary to fix a vulnerability or compatibility issue without functional source code or compilers. This can happen when source code gets lost, systems go out of support, or software firms go out of business. If you find yourself in this situation, keep calm and read on to learn how to do this within Ghidra.
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/ghidra-101-binary-patching/


*** AVM warns of phishing e-mails carrying a FRITZ!Box answering-machine message ***
---------------------------------------------
AVM, the Berlin-based manufacturer of the FRITZ!Box, is currently warning of a wave of phishing e-mails whose attachment supposedly contains a voice message from the FRITZ!Box answering machine. Anyone who double-clicks the attachment under Windows to listen to it installs malware instead.
---------------------------------------------
https://www.borncity.com/blog/2021/11/28/avm-warnt-vor-phishing-mails-mit-fritzbox-anrufbeantworternachricht/


*** Cobalt Strike: Decrypting DNS Traffic - Part 5 ***
---------------------------------------------
Cobalt Strike beacons can communicate over DNS. We show how to decode and decrypt DNS traffic in this blog post.
---------------------------------------------
https://blog.nviso.eu/2021/11/29/cobalt-strike-decrypting-dns-traffic-part-5/



=====================
=  Vulnerabilities  =
=====================

*** Backdoor.Win32.Coredoor.10.a / Authentication Bypass RCE ***
---------------------------------------------
Description: The malware listens on TCP port 21000. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2021110120


*** FortiClientWindows & FortiClient EMS - Privilege escalation via DLL Hijacking ***
---------------------------------------------
An unsafe search path vulnerability in FortiClient and FortiClient EMS may allow an attacker to perform a DLL Hijack attack on affected devices via a malicious OpenSSL engine library in the search path.
---------------------------------------------
https://www.fortiguard.com/psirt/FG-IR-21-088


*** Security updates for Monday ***
---------------------------------------------
Security updates have been issued by Debian (bluez, icu, libntlm, libvorbis, libvpx, opensc, roundcube, and tar), Fedora (kernel, kernel-headers, kernel-tools, puppet, slurm, stargz-snapshotter, and suricata), openSUSE (netcdf), Oracle (bluez, kernel, kernel-container, krb5, mailman:2.1, openssh, python3, and rpm), Red Hat (samba), and SUSE (xen).
---------------------------------------------
https://lwn.net/Articles/877105/


*** Insulet OmniPod Insulin Management System vulnerability ***
---------------------------------------------
https://omnipod.lyrebirds.dk/


*** Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ***
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-java-affects-ibm-cloud-pak-system-cve-2020-27221-2/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily