[CERT-daily] Tageszusammenfassung - 18.10.2021

Mon Oct 18 18:21:49 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 15-10-2021 18:00 − Montag 18-10-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Wolfgang Menezes

=====================
=       News        =
=====================

∗∗∗ Unternehmensbetrug: Diese Gefahren sollten Unternehmen und ihre MitarbeiterInnen kennen! ∗∗∗
---------------------------------------------
Internetbetrug betrifft nicht nur Privatpersonen, auch Unternehmen sind eine beliebte Zielscheibe für Cyberkriminelle. Angegriffen wird allerdings nicht nur die technische Infrastruktur von Unternehmen, vielmehr zielen Attacken hauptsächlich auf die MitarbeiterInnen ab. Im Rahmen des Projekts „CyberSec“ will sich die Watchlist Internet daher verstärkt dem Thema Unternehmensbetrug widmen, um Betriebe im Bereich der Internetsicherheit zu stärken.
---------------------------------------------
https://www.watchlist-internet.at/news/unternehmensbetrug-diese-gefahren-sollten-unternehmen-und-ihre-mitarbeiterinnen-kennen/


∗∗∗ REvil ransomware shuts down again after Tor sites were hijacked ∗∗∗
---------------------------------------------
The REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/


∗∗∗ Microsoft asks admins to patch PowerShell to fix WDAC bypass ∗∗∗
---------------------------------------------
Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-asks-admins-to-patch-powershell-to-fix-wdac-bypass/


∗∗∗ Warranty Repairs and Non-Removable Storage Risks, (Fri, Oct 15th) ∗∗∗
---------------------------------------------
I have been asked several times in recent months about addressing risks of warranty repair service of laptops/tablets. With each of these situations, the question boiled down to the same underlying issue: non-removable storage
---------------------------------------------
https://isc.sans.edu/diary/rss/27938


∗∗∗ Malicious PowerShell Using Client Certificate Authentication, (Mon, Oct 18th) ∗∗∗
---------------------------------------------
Attackers have many ways to protect their C2 servers from unwanted connections. They can check some specific headers, the user-agent, the IP address location (GeoIP), etc. I spotted an interesting PowerShell sample that implements a client certificate authentication mechanism to access its C2 server.
---------------------------------------------
https://isc.sans.edu/diary/rss/27944


∗∗∗ Security Risks with Private 5G in Manufacturing Companies ∗∗∗
---------------------------------------------
Private 5G is said to bring about the "democratization of communications." This technology allows private companies and local governments to take the driving seat in operating the latest information communication systems.
---------------------------------------------
https://www.trendmicro.com/en_us/research/21/j/security-risks-with-private-5g-in-manufacturing-companies-part-2.html


∗∗∗ Ransomware in a global context ∗∗∗
---------------------------------------------
This report is the first step in what we hope will become an ongoing community effort to discover and share actionable information on malware trends. Over the last 16 years, we have processed more than 2 million files per day across 232 countries.
---------------------------------------------
https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf


∗∗∗ Case Study: From BazarLoader to Network Reconnaissance ∗∗∗
---------------------------------------------
BazarLoader Windows-based malware provides backdoor access that criminals can use to perform reconnaissance to map the victims network.
---------------------------------------------
https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/


∗∗∗ This particularly dangerous phishing attack features a weaponized Excel file ∗∗∗
---------------------------------------------
Security researchers warn about a sneaky phishing campaign from one of the most creative cybercrime groups on the internet.
---------------------------------------------
https://www.zdnet.com/article/this-particularly-dangerous-phishing-attack-features-a-weaponized-excel-file/


∗∗∗ Virus Bulletin: Old malware never dies – it just gets more targeted ∗∗∗
---------------------------------------------
Putting a precision payload on top of more generic malware makes perfect sense for malware operators
---------------------------------------------
https://www.welivesecurity.com/2021/10/15/virus-bulletin-old-malware-never-dies-gets-more-targeted/


∗∗∗ IcedID to XingLocker Ransomware in 24 hours ∗∗∗
---------------------------------------------
Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early [...]
---------------------------------------------
https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/


∗∗∗ ASEC Weekly Malware Statistics (October 4th, 2021 – October 10th, 2021) ∗∗∗
---------------------------------------------
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 4th, 2021 (Monday) to October 10th, 2021 (Sunday). For the main category, info-stealer ranked top with 68.4%, followed by Downloader with 12.6%, RAT (Remote Administration Tool) malware with 8.6%, Backdoor Downloader with 6.3%, Ransomware with 3.7%, and Banking malware with 0.3%.
---------------------------------------------
https://asec.ahnlab.com/en/27824/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ WordPress: Beliebtes Plugin "WP Fastest Cache" braucht dringend ein Update ∗∗∗
---------------------------------------------
Jetzt updaten: Das Cache-Plugin WP Fastest Cache wies Schwachstellen auf, die WordPress-Installationen unter bestimmten Voraussetzungen angreifbar machten.
---------------------------------------------
https://heise.de/-6220994


∗∗∗ 2021-10 Security Bulletin: CTPView: HSTS not being enforced on CTPView server. (CVE-2021-0296) ∗∗∗
---------------------------------------------
The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS).
---------------------------------------------
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11210


∗∗∗ 2021-10 Security Bulletin: Junos OS: MX Series: Receipt of specific packet on MS-MPC/MS-MIC causes line card reset (CVE-2021-31351) ∗∗∗
---------------------------------------------
An Improper Check for Unusual or Exceptional Conditions in packet processing on the MS-MPC/MS-MIC utilized by Juniper Networks Junos OS allows a malicious attacker to send a specific packet, triggering the MS-MPC/MS-MIC to reset, causing a Denial of Service (DoS).
---------------------------------------------
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11216


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amd64-microcode, libreoffice, linux-4.19, and nghttp2), Fedora (chromium, libopenmpt, vim, and xen), openSUSE (firefox, kernel, krb5, libaom, and opera), Oracle (thunderbird), SUSE (firefox, firefox, rust-cbindgen, iproute2, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, and krb5), and Ubuntu (nginx).
---------------------------------------------
https://lwn.net/Articles/873210/


∗∗∗ 128 Technology Session Smart Router vulnerable to authentication bypass ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN85073657/


∗∗∗ Eclipse Jetty vulnerability CVE-2021-28165 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K15338344?utm_source=f5support&utm_medium=RSS


∗∗∗ Node.js vulnerabilities CVE-2021-3672 and CVE-2021-22931 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K53225395?utm_source=f5support&utm_medium=RSS


∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1077


∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to jzsip (CVE-2021-23413) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-jzsip-cve-2021-23413/


∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring-framework-affects-ibm-watson-machine-learning-accelerator-2/


∗∗∗ Security Bulletin: Cross site scripting vulnerability affecting Case Builder in IBM Business Automation Workflow – CVE-2021-29878 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-affecting-case-builder-in-ibm-business-automation-workflow-cve-2021-29878/


∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Have been addressed in IBM Security Access Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-addressed-in-ibm-security-access-manager/


∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-multiple-node-js-vulnerabilities/


∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-multiple-go-vulnerabilities/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily