[CERT-daily] Tageszusammenfassung - 04.10.2021

Daily end-of-shift report team at cert.at
Mon Oct 4 18:40:34 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 01-10-2021 18:00 − Montag 04-10-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Ransomware: Conti-Erpressergruppe verbittet sich Leaks ihrer Verhandlungs-Chats ∗∗∗
---------------------------------------------
Die Cyberkriminellen hinter der Conti-Ransomware drohen jedem Opfer mit Veröffentlichung seiner Daten, sollten Details über die Erpressung im Netz auftauchen.
---------------------------------------------
https://heise.de/-6206790


∗∗∗ Andoid-Banking-Trojaner Hydra hat es auf Commerzbank-Kunden abgesehen ∗∗∗
---------------------------------------------
Online-Kriminelle versuchen Kunden der Commerzbank abzuzocken. Damit es dazu kommt, müssen Opfer aber mitspielen.
---------------------------------------------
https://heise.de/-6207752


∗∗∗ SMS mit Link zu Fotoalbum verbreitet Schadsoftware ∗∗∗
---------------------------------------------
Zahlreiche NutzerInnen berichten, dass sie SMS mit einem Link zu einem Fotoalbum erhalten. Angeblich wurden dort private Fotos hochgeladen. Achtung: Der Link führt zu Schadsoftware!
---------------------------------------------
https://www.watchlist-internet.at/news/sms-mit-link-zu-fotoalbum-verbreitet-schadsoftware/


∗∗∗ Webinar: Internetkriminalität - so schützen Sie sich! ∗∗∗
---------------------------------------------
Internetfallen & Betrugsmaschen werden immer ausgeklügelter. Umso wichtiger ist die Fähigkeit, Merkmale einer Betrugsmasche frühzeitig zu erkennen. In einem Webinar geben wir Ihnen einen Überblick über aktuelle Bedrohungen im Internet und zeigen Ihnen, wie Sie sich davor schützen können.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-internetkriminalitaet-so-schuetzen-sie-sich/


∗∗∗ Endpoint Security ist überall gefragt ∗∗∗
---------------------------------------------
Viele Endpunkte mögen auf den ersten Blick unwichtig erscheinen. Aber ungeschützte Systeme mit oder ohne Internetzugang sind ein Einfallstor für Hacker. Deshalb ist ein umfassendes Konzept für Endpoint Security für Unternehmen jeder Größe sehr wichtig.
---------------------------------------------
https://www.zdnet.de/88397023/endpoint-security-ist-ueberall-gefragt/


∗∗∗ New Atom Silo ransomware targets vulnerable Confluence servers ∗∗∗
---------------------------------------------
Atom Silo, a newly spotted ransomware group, is targeting a recently patched and actively exploited Confluence Server and Data Center vulnerability to deploy their ransomware payloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-atom-silo-ransomware-targets-vulnerable-confluence-servers/


∗∗∗ Innovative Proxy Phantom ATO Fraud Ring Haunts eCommerce Accounts ∗∗∗
---------------------------------------------
The group uses millions of password combos at the rate of nearly 2,700 login attempts per second with new techniques that push the ATO envelope.
---------------------------------------------
https://threatpost.com/proxy-phantom-fraud-ecommerce-accounts/175241/


∗∗∗ PoC Exploit Released for macOS Gatekeeper Bypass ∗∗∗
---------------------------------------------
Rasmus Sten, a software engineer with F-Secure, has released proof-of-concept (PoC) exploit code for a macOS Gatekeeper bypass that Apple patched in April this year. The PoC exploit targets CVE-2021-1810, a vulnerability that can lead to the bypass of all three protections that Apple implemented against malicious file downloads, namely file quarantine, Gatekeeper, and notarization.
---------------------------------------------
https://www.securityweek.com/poc-exploit-released-macos-gatekeeper-bypass


∗∗∗ Boutique "Dark" Botnet Hunting for Crumbs ∗∗∗
---------------------------------------------
[...] But aside from these more visible botnets, there are smaller, "Boutique" botnets. They go after less common vulnerabilities and pick systems that the major botnets find not lucrative enough to go after. Usually, only a few vulnerable devices are exposed. Taking the animal analogy a bit too far: These are like crustaceans on the ocean floor living off what the predators above discard. One such botnet is "Dark Bot".
---------------------------------------------
https://isc.sans.edu/diary/rss/27898


∗∗∗ Expired Lets Encrypt Root Certificate Causes Problems for Many Companies ∗∗∗
---------------------------------------------
A root certificate used by Let’s Encrypt expired on September 30 and, despite being notified a long time in advance, many companies experienced problems. read more
---------------------------------------------
https://www.securityweek.com/expired-lets-encrypt-root-certificate-causes-problems-many-companies


∗∗∗ BazarLoader and the Conti Leaks ∗∗∗
---------------------------------------------
In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while [...]
---------------------------------------------
https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/


∗∗∗ Misconfigured Airflows Leak Thousands of Credentials from Popular Services ∗∗∗
---------------------------------------------
Apache Airflow is the #1 starred open-source workflows application on GitHub Workflow management platforms are an indispensable tool for automating business and IT tasks. These platforms make it easier to create, schedule and monitor workflows. They are typically hosted on the cloud to provide increased accessibility and scalability. On the flip side, misconfigured instances that allow [...]
---------------------------------------------
https://www.intezer.com/blog/cloud-security/misconfigured-airflows-leak-credentials/


∗∗∗ Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester ∗∗∗
---------------------------------------------
In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share.
---------------------------------------------
https://blog.nviso.eu/2021/10/04/phish-phished-phisher-a-quick-peek-inside-a-telegram-harvester/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2, fig2dev, mediawiki, plib, and qemu), Fedora (chromium, curl, kernel, kernel-headers, kernel-tools, openssh, rust-addr2line, rust-backtrace, rust-cranelift-bforest, rust-cranelift-codegen, rust-cranelift-codegen-meta, rust-cranelift-codegen-shared, rust-cranelift-entity, rust-cranelift-frontend, rust-cranelift-native, rust-cranelift-wasm, rust-gimli, rust-object, rust-wasmparser, rust-wasmtime-cache, rust-wasmtime-environ, [...]
---------------------------------------------
https://lwn.net/Articles/871841/


∗∗∗ Shodan Verified Vulns 2021-10-01 ∗∗∗
---------------------------------------------
Mit 2021-10-01 sah die Schwachstellenlandschaft in Österreich laut Shodan wie folgt aus: Wie auch in den letzten Monaten dominieren TLS/SSL-Schwachstellen sowie Lücken in Microsofts Exchange Server das Bild. Während Server, die für die im März veröffentlichte und geschlossene "ProxyLogon" Exploit-Chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) anfällig sind, mittlerweile eher selten sind, scheinen die im April bzw. Mai [...]
---------------------------------------------
https://cert.at/de/aktuelles/2021/10/shodan-verified-vulns-2021-10-01


∗∗∗ Multiple vulnerabilities in Rexroth IndraMotion and IndraLogic series ∗∗∗
---------------------------------------------
BOSCH-SA-741752: The control systems series Rexroth IndraMotion MLC and IndraLogic XLC are affected by multiple vulnerabilities in the web server, which - in combination - ultimately enable an attacker to log in to the system.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-741752.html


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Netty vulnerability CVE-2021-21295 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K55834441


∗∗∗ OpenSSL vulnerability CVE-2021-3712 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K19559038


∗∗∗ Red Enterprise Linux Advanced Virtualization: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1026

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list