- Daily - CERT.at

Tageszusammenfassung - 13.10.2021
by Daily end-of-shift report 13 Oct '21

13 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-10-2021 18:00 − Mittwoch 13-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ MysterySnail attacks with Windows zero-day ∗∗∗ --------------------------------------------- We detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. Variants of the malware payload used along with the zero-day exploit were detected in widespread espionage campaigns. --------------------------------------------- https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/ ∗∗∗ Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis ∗∗∗ --------------------------------------------- Cobalt Strike is a commercial adversary simulation software that is marketed to red teams but is also stolen and actively used by a wide range of threat actors from ransomware operators to espionage-focused Advanced Persistent Threats (APTs). --------------------------------------------- https://www.mandiant.com/resources/defining-cobalt-strike-components ∗∗∗ 2021: Apples Jahr der Zero-Days ∗∗∗ --------------------------------------------- In dieser Woche hat Apple erneut eine bereits ausgenutzte iPhone-Lücke gepatcht. Seit Februar gab es mehr als ein Dutzend in den Systemen des Konzerns. --------------------------------------------- https://heise.de/-6215715 ∗∗∗ Azure Privilege Escalation via Service Principal Abuse ∗∗∗ --------------------------------------------- In this blog post, I’ll explain how a particular kind of attack path can emerge in Azure based on Azure’s RBAC system — an attack path we have seen in the vast majority of Azure tenants we’ve gotten access to. --------------------------------------------- https://posts.specterops.io/azure-privilege-escalation-via-service-principa… ===================== = Vulnerabilities = ===================== ∗∗∗ SAP-Patchday: NetWeaver AS & Environmental Compliance bargen kritische Lücken ∗∗∗ --------------------------------------------- Zum monatlichen Patchday hat SAP Updates für viele Produkte veröffentlicht. Zwei beseitigten Sicherheitsproblemen wurden CVSS-Scores nahe der 10 zugeordnet. --------------------------------------------- https://heise.de/-6215952 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flatpak and ruby2.3), Fedora (flatpak, httpd, mediawiki, redis, and xstream), openSUSE (kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), Red Hat (.NET 5.0, 389-ds-base, httpd:2.4, kernel, kernel-rt, libxml2, openssl, and thunderbird), Scientific Linux (389-ds-base, kernel, libxml2, and openssl), SUSE (apache2-mod_auth_openidc, curl, glibc, kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), and Ubuntu (squashfs-tools). --------------------------------------------- https://lwn.net/Articles/872843/ ∗∗∗ The October 2021 Security Update Review ∗∗∗ --------------------------------------------- The second Tuesday of the month is here, and that means the latest security updates from Adobe and Microsoft have arrived. --------------------------------------------- https://www.thezdi.com/blog/2021/10/12/the-october-2021-security-update-rev… ∗∗∗ Sicherheitsupdates für Exchange Server (Oktober 2021) ∗∗∗ --------------------------------------------- Microsoft hat zum 12. Oktober 2021 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2021/10/13/sicherheitsupdates-fr-exchange-ser… ∗∗∗ ZDI-21-1147: Adobe Illustrator PDF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1147/ ∗∗∗ ZDI-21-1146: Adobe Illustrator PDF File Parsing Use-After-Free Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1146/ ∗∗∗ ZDI-21-1148: Linux Kernel eBPF Type Confusion Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1148/ ∗∗∗ VMSA-2021-0021 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0021.html ∗∗∗ VMSA-2021-0022 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0022.html ∗∗∗ VMSA-2021-0023 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0023.html ∗∗∗ Apache HTTPD vulnerability CVE-2021-34798 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K72382141 ∗∗∗ Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-pa… ∗∗∗ Cross-Site Scripting in myfactory.FMS ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/ ∗∗∗ IPAS: Security Advisories for October 2021 ∗∗∗ --------------------------------------------- https://blogs.intel.com/technology/2021/10/intel-security-advisories-for-oc… ∗∗∗ SYSS-2021-014, SYSS-2021-015 und SYSS-2021-019: Schwachstellen in Softphones von Linphone und MicroSIP ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-014-syss-2021-015-und-syss-2021-… ∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500444-THINKPAD-BIOS-VULNERABI… ∗∗∗ NetApp Clustered Data ONTAP X-Frame-Options Header Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500442-NETAPP-CLUSTERED-DATA-O… ∗∗∗ AMD x86 PREFETCH instruction related side-channels ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500445-AMD-X86-PREFETCH-INSTRU… ∗∗∗ Intel SGX SDK Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500443-INTEL-SGX-SDK-ADVISORY -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2021
by Daily end-of-shift report 12 Oct '21

12 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 11-10-2021 18:00 − Dienstag 12-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Javascript: RSA-Schlüsselerzeugung mit vielen Nullen ∗∗∗ --------------------------------------------- Github sperrt unsichere SSH-Schlüssel, die durch einen Fehler in einer Javascript-Bibliothek erzeugt wurden. --------------------------------------------- https://www.golem.de/news/javascript-rsa-schluesselerzeugung-mit-vielen-nul… ∗∗∗ iOS 15.0.2 und watchOS 8.0.1: Viele Bugfixes – und wieder ein Exploit im Umlauf ∗∗∗ --------------------------------------------- Apple hat in der Nacht zum Dienstag seine iPhone-, iPad- und Apple-Watch-Betriebssysteme nachgebessert. Bei Telefon und Tablet geht es auch um die Sicherheit. --------------------------------------------- https://heise.de/-6214563 ∗∗∗ Johnson Controls: Lücken boten Remote-Zugriffsmöglichkeiten auf Videoüberwachung ∗∗∗ --------------------------------------------- Updates für die Videoüberwachungslösung exacqVision von Johnson Controls/Exacq Technologies schließen zwei Sicherheitslücken. Eine gilt als kritisch. --------------------------------------------- https://heise.de/-6215264 ∗∗∗ Vorsicht vor Microsoft-Anrufen ∗∗∗ --------------------------------------------- Legen Sie sofort auf, wenn Sie angeblich von Microsoft angerufen werden. Kriminelle geben sich als Microsoft-MitarbeiterInnen aus und behaupten, sie hätten auf Ihrem Computer einen Virus entdeckt. Die Fake-Microsoft-MitarbeiterInnen verwickeln Sie dann in ein Gespräch und bieten Ihnen an, das Problem gemeinsam zu lösen. Achtung: Es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-microsoft-anrufen/ ∗∗∗ Photo editor Android app STILL sitting on Google Play store is malware ∗∗∗ --------------------------------------------- An Android app sitting on the Google Play store touts itself to be a photo editor app. But, it contains code that steals the users Facebook credentials to potentially run ad campaigns on the users behalf, with their payment information. The app has scored over 5K installs, with similar spyware apps having 500K+ installs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/photo-editor-android-app-sti… ∗∗∗ How cyberattacks are changing according to new Microsoft Digital Defense Report ∗∗∗ --------------------------------------------- Get the latest expert insights on human-operated ransomware, phishing attacks, malware, and more to get ahead of these threats before they begin. --------------------------------------------- https://www.microsoft.com/security/blog/2021/10/11/how-cyberattacks-are-cha… ∗∗∗ SnapMC skips ransomware, steals data ∗∗∗ --------------------------------------------- Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the [...] --------------------------------------------- https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/ ∗∗∗ Reverse engineering and decrypting CyberArk vault credential files ∗∗∗ --------------------------------------------- This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password. --------------------------------------------- https://blog.fox-it.com/2021/10/12/reverse-engineering-and-decrypting-cyber… ∗∗∗ New Trickbot and BazarLoader campaigns use multiple delivery vectors ∗∗∗ --------------------------------------------- Trickbot has been active since 2016 and is linked to a large number of malicious campaigns involving bitcoin mining and theft of banking information, personal identifying information (PII), and credentials. BazarLoader is a spinoff of this trojan, developed by the same authors. Both are particularly dangerous as they are easily modifiable and capable of delivering multi-stage payloads, as well as taking over computers entirely. --------------------------------------------- https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloade… ∗∗∗ Inside Apple: How macOS attacks are evolving ∗∗∗ --------------------------------------------- Our Apple expert Thomas Reed went to the Objective by the Sea security conference. Heres what he learned about macOS attacks. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2021/10/inside-apple-how-ma… ∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric on Tuesday released nearly a dozen security advisories describing a total of more than 50 vulnerabilities affecting their products. The companies have released patches and mitigations to address these vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr… ∗∗∗ ASEC Weekly Malware Statistics (September 27th, 2021 – October 3rd, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 27th, 2021 (Monday) to October 3rd, 2021 (Sunday). For the main category, info-stealer ranked top with 63.2%, followed by Downloader with 19.2%, RAT (Remote Administration Tool) malware with 10.7%, Backdoor Downloader with 3.7%, Ransomware with 1.9%, CoinMiner with 1.1%, and Banking malware with 0.2%. --------------------------------------------- https://asec.ahnlab.com/en/27577/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer könnten digitale Unterschrift in LibreOffice und OpenOffice fälschen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Office-Pakete LibreOffice und OpenOffice. --------------------------------------------- https://heise.de/-6214784 ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, buffer overflows ∗∗∗ --------------------------------------------- Cisco Talos recently discovered two vulnerabilities in the Anker Eufy Homebase. The Eufy Homebase 2 is the video storage and networking gateway that works with Anker’s Eufy Smarthome ecosystem. --------------------------------------------- https://blog.talosintelligence.com/2021/10/vuln-spotlight-anker-.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, hiredis, and icu), Fedora (kernel), Mageia (libreoffice), openSUSE (chromium, firefox, git, go1.16, kernel, mbedtls, mupdf, and nodejs8), Oracle (firefox and kernel), Red Hat (firefox, grafana, kernel, kpatch-patch, and rh-mysql80-mysql), and SUSE (apache2, containerd, docker, runc, curl, firefox, kernel, libqt5-qtsvg, and squid). --------------------------------------------- https://lwn.net/Articles/872696/ ∗∗∗ # SSA-163251: Multiple Vulnerabilities in SINEC NMS ∗∗∗ --------------------------------------------- The latest update for SINEC NMS fixes multiple vulnerabilities. The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions. Siemens has released an update for SINEC NMS and recommends to update to the latest version. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-163251.txt ∗∗∗ # SSA-173565: Denial-of-Service Vulnerability in RUGGEDCOM ROX Devices ∗∗∗ --------------------------------------------- The latest update for RUGGEDCOM ROX devices fixes a vulnerability that could allow an unauthenticated attacker to cause a permanent Denial-of-Service condition under certain conditions. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-173565.txt ∗∗∗ # SSA-178380: Denial-of-Service Vulnerability in SINUMERIK Controllers ∗∗∗ --------------------------------------------- A Denial-of-Service vulnerability found in SINUMERIK Controllers could allow an unauthenticated attacker with network access to the affected devices to cause system failure with total loss of availability. Siemens has released an update for the SINUMERIK 828D and recommends to update to the latest version. Siemens recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-178380.txt ∗∗∗ # SSA-280624: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗ --------------------------------------------- The Scalance W1750D device contains multiple vulnerabilities that could allow an attacker to inject commands or trigger buffer overflows. Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-280624.txt ∗∗∗ Advantech WebAccess SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authorization vulnerability in the Advantech WebAccess SCADA HMI platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-285-01 ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory contains mitigations for Heap-based Buffer Overflow, and Stack-based Buffer Overflow vulnerabilities in the Advantech WebAccess HMI platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- This advisory contains mitigations for Classic Buffer Overflow, Unrestricted Upload of File with Dangerous Type, Path Traversal, and Missing Authentication for Critical Function vulnerabilities in Schneider Electric IGSS (Interactive Graphical SCADA System) software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-285-03 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-… ∗∗∗ Security Bulletin: Multiple Apache PDFBox security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-pdfbox-se… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Foxit Reader & PhantomPDF: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1053 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2021
by Daily end-of-shift report 11 Oct '21

11 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-10-2021 18:00 − Montag 11-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Missbrauch mit Malware-Befall: Microsoft deaktiviert Excel 4.0-Makros in Office ∗∗∗ --------------------------------------------- Gegen immer mehr Angriffe über Excel-Makros geht Microsoft nun vor: Standardmäßig werden alle Excel 4.0-Makros in Office 365 demnächst deaktiviert. --------------------------------------------- https://heise.de/-6213387 ∗∗∗ Kaufen Sie nicht in Shops mit @thateer.top Mail-Adressen ein! ∗∗∗ --------------------------------------------- Derzeit tauchen zahlreiche Fake-Shops im Internet auf, die alle ähnlich aufgebaut sind, die gleichen Texte verwenden und unter einer dieser E-Mail-Adressen erreichbar sind: [...] --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-nicht-in-shops-mit-thatee… ∗∗∗ Ransomware wegen Homeoffice auf dem Vormarsch ∗∗∗ --------------------------------------------- Bedingt durch die Coronavirus-Pandemie arbeiten seit 2020 Menschen vermehrt im Homeoffice. Leider konnte die Absicherung dieser Arbeitsplätze mit dieser Entwicklung nicht Schritt halten. Gleichzeitig hat die Cyberkriminalität mit der verstärkten Telearbeit in Unternehmen durch die Pandemiekrise weiter aufgerüstet und ihre [...] --------------------------------------------- https://www.borncity.com/blog/2021/10/11/ransomware-auf-dem-vormarsch/ ∗∗∗ The 5 Phases of Zero Trust Adoption ∗∗∗ --------------------------------------------- Zero trust aims to replace implicit trust with explicit, continuously adaptive trust across users, devices, networks, applications, and data. --------------------------------------------- https://www.darkreading.com/endpoint/the-5-phases-of-zero-trust-adoption ∗∗∗ Scanning for Previous Oracle WebLogic Vulnerabilities, (Sat, Oct 9th) ∗∗∗ --------------------------------------------- In the past few weeks, I have captured multiple instance of traffic related to some past Oracle vulnerabilities that have already been patched. The first is related to a RCE (CVE-2017-10271) that can be triggered to execute commands remotely by bypassing the CVE-2017-3506 patch's limitations. The POST contains an init.sh script which doesn't appear to be available for download. --------------------------------------------- https://isc.sans.edu/diary/rss/27918 ∗∗∗ Things that go "Bump" in the Night: Non HTTP Requests Hitting Web Servers, (Mon, Oct 11th) ∗∗∗ --------------------------------------------- If you are reviewing your web server logs periodically, you may notice some odd requests that are not HTTP requests in your logs. In particular if you have a web server listening on a non standard port. I want to quickly review some of the most common requests like that, that I am seeing: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27924 ∗∗∗ When criminals go corporate: Ransomware-as-a-service, bulk discounts and more ∗∗∗ --------------------------------------------- This summer, Abnormal Security discovered that some of its customers staff were receiving emails inviting them to install ransomware on a company computer in return for a $1m share of the "profits". --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/10/11/ransomware_a… ∗∗∗ CISA Releases Remote Access Guidance for Government Agencies ∗∗∗ --------------------------------------------- The United States Cybersecurity and Infrastructure Security Agency (CISA) last week announced the release a new guidance document: Trusted Internet Connections (TIC) 3.0 Remote User Use Case. --------------------------------------------- https://www.securityweek.com/cisa-releases-remote-access-guidance-governmen… ∗∗∗ InHand Router Flaws Could Expose Many Industrial Companies to Remote Attacks ∗∗∗ --------------------------------------------- Several serious vulnerabilities discovered by researchers in industrial routers made by InHand Networks could expose many organizations to remote attacks, and patches do not appear to be available. --------------------------------------------- https://www.securityweek.com/inhand-router-flaws-could-expose-many-industri… ∗∗∗ Protect your network ∗∗∗ --------------------------------------------- So, you know where your wallet is, yes? And your phone - it's in your pocket, or just over there on the table? Excellent. You might be reading this on your laptop, so you know where that is. You might have a snazzy Smart TV or two? Perhaps you have joined [...] --------------------------------------------- https://connect.geant.org/2021/10/11/protect-your-network ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, mediawiki, neutron, and tiff), Fedora (chromium, dr_libs, firefox, and grafana), Mageia (apache), openSUSE (chromium and rabbitmq-server), Oracle (kernel), Red Hat (firefox and httpd24-httpd), SUSE (rabbitmq-server), and Ubuntu (libntlm). --------------------------------------------- https://lwn.net/Articles/872547/ ∗∗∗ Security Advisory - Use-after-free Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211008… ∗∗∗ Security Advisory - Path Traversal Vulnerability in Huawei PC Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211008… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designers may be vulnerable to arbitrary code execution via CVE-2021-3757 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Go vulnerability CVE-2021-31525 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2021 – Includes Oracle Jul 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ MediaWiki Extensions und Skins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1050 ∗∗∗ Apache OpenOffice und LibreOffice: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1051 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2021
by Daily end-of-shift report 08 Oct '21

08 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-10-2021 18:00 − Freitag 08-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rapid RYUK Ransomware Attack Group Christened as FIN12 ∗∗∗ --------------------------------------------- Prolific ransomware cybercrime groups approach underscores a complicated, layered model of cybercrime. --------------------------------------------- https://www.darkreading.com/attacks-breaches/rapid-ryuk-ransomware-attack-g… ∗∗∗ Sorting Things Out - Sorting Data by IP Address, (Fri, Oct 8th) ∗∗∗ --------------------------------------------- One thing that is huge in making sense of large volumes of data is sorting. Which makes having good sorting tools and methods a big deal when you are working through findings in a security assessment of pentest. --------------------------------------------- https://isc.sans.edu/diary/rss/27916 ∗∗∗ Free BrewDog beer, with a side order of shareholder PII? ∗∗∗ --------------------------------------------- BrewDog exposed the details of over 200,000 ‘Equity for Punks’ shareholders for over 18 months plus many more customers. --------------------------------------------- https://www.pentestpartners.com/security-blog/free-brewdog-beer-with-a-side… ∗∗∗ FontOnLake: Previously unknown malware family targeting Linux ∗∗∗ --------------------------------------------- ESET researchers discover a malware family with tools that show signs they’re used in targeted attacks. --------------------------------------------- https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-mal… ∗∗∗ NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance to help secure the Department of Defense, National Security Systems, and Defense Industrial Base organizations from poorly implemented wildcard Transport Layer Security (TLS) certificates and the exploitation of Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/08/nsa-releases-guid… ∗∗∗ Microsoft to disable Excel 4.0 macros, one of the most abused Office features ∗∗∗ --------------------------------------------- Microsoft plans to disable a legacy feature known as Excel 4.0 macros, also XLM macros, for all Microsoft 365 users by the end of the year [...] --------------------------------------------- https://therecord.media/microsoft-to-disable-excel-4-0-macros-one-of-the-mo… ∗∗∗ Malicious PowerPoint Files Constantly Being Distributed ∗∗∗ --------------------------------------------- On April 2021, the ASEC analysis team introduced the malware delivered via PowerPoint files attached to email in the ASEC blog. The team has found continuous malicious activities that use PPAM files in the form of PowerPoint and thus is sharing them. --------------------------------------------- https://asec.ahnlab.com/en/26597/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libssh), Mageia (firefox), Slackware (httpd), SUSE (xen), and Ubuntu (firefox and mysql-5.7). --------------------------------------------- https://lwn.net/Articles/872267/ ∗∗∗ Google Patches Four Severe Vulnerabilities in Chrome ∗∗∗ --------------------------------------------- Google this week announced the release of an updated Chrome version for Windows, Mac and Linux, to address a total of four high-severity vulnerabilities in the browser. --------------------------------------------- https://www.securityweek.com/google-patches-four-severe-vulnerabilities-chr… ∗∗∗ Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation ∗∗∗ --------------------------------------------- On October 7, 2021, the Apache Software Foundation released Apache HTTP Server version 2.4.51 to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-h… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designers may be vulnerable to arbitrary code execution via CVE-2021-23436 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could disclose sensitive information to a local user when it is configured to use an IBM Cloud API key to connect to cloud-based connectors (CVE-2021-29906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39135 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Access Control Vulnerability Affects the User Interface of IBM Sterling File Gateway (CVE-2020-4654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-access-control-vulnerabil… ∗∗∗ Security Bulletin: Node.js as used by IBM Security QRadar Packet Capture contains multiple vulnerabilities (CVE-2020-8201, CVE-2020-8252, CVE-2020-8251, CVE-2020-8277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-as-used-by-ibm-se… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39134 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Multiple Apache PDFBox security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-pdfbox-se… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container images may be vulnerable to Denial of Service attacks due to CVE-2021-23362 and CVE-2021-27290 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a sensitive information disclosure vulnerability (CVE-2020-5008) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Kyocera Drucker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1049 ∗∗∗ Johnson Controls exacqVision Server Bundle ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-01 ∗∗∗ Mobile Industrial Robots Vehicles and MiR Fleet Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-02 ∗∗∗ Johnson Controls exacqVision ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-03 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series C Controller Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-04 ∗∗∗ InHand Networks IR615 Router ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05 ∗∗∗ FATEK Automation WinProladder ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06 ∗∗∗ FATEK Automation Communication Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-07 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2021
by Daily end-of-shift report 07 Oct '21

07 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-10-2021 18:00 − Donnerstag 07-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Air-Gap-Hack: LAN-Kabel als Antenne nutzen, um Daten auszuleiten ∗∗∗ --------------------------------------------- Auch wenn ein Netzwerk nicht mit dem Internet verbunden ist, lassen sich Daten ausleiten. Dazu hat ein Forscher ein LAN-Kabel zur Antenne umfunktioniert. --------------------------------------------- https://www.golem.de/news/air-gap-hack-lan-kabel-als-antenne-nutzen-um-date… ∗∗∗ Cisco schließt Root-Lücke in Intersight Virtual Appliance ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für verschiedene Software wichtige Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-6211537 ∗∗∗ Neue Malware-Familie für Linux entdeckt ∗∗∗ --------------------------------------------- Die von ihren Entdeckern FontOnLake getaufte Malware-Familie aus trojanisierten Programmen, Backdoors und einem Rootkit eignet sich für gezielte Angriffe. --------------------------------------------- https://heise.de/-6211764 ∗∗∗ Tor Browser und Tails: Anonymisierender Browser & OS in abgesicherten Versionen ∗∗∗ --------------------------------------------- Etwas später als geplant ist eine neue Version der Linux-Distribution Tails erschienen. An Bord hat sie den ebenfalls taufrischen Tor Browser 10.5.8. --------------------------------------------- https://heise.de/-6211744 ∗∗∗ Hackers use stealthy ShellClient malware on aerospace, telco firms ∗∗∗ --------------------------------------------- Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-stealthy-shellcl… ∗∗∗ Unpatched Dahua cams vulnerable to unauthenticated remote access ∗∗∗ --------------------------------------------- Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof of concept exploit that came out today makes the case of upgrading pressing. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-dahua-cams-vulnera… ∗∗∗ MacOS Security: What Security Teams Should Know ∗∗∗ --------------------------------------------- As more macOS patches emerge and cybercriminals and nation-states take aim at the platform, experts discuss how macOS security has evolved and how businesses can protect employees. --------------------------------------------- https://www.darkreading.com/edge-articles/mac-attacks-how-secure-are-the-ma… ∗∗∗ Ransomware in the CIS ∗∗∗ --------------------------------------------- Statistics on ransomware attacks in the CIS and technical descriptions of Trojans, including BigBobRoss/TheDMR, Crysis/Dharma, Phobos/Eking, Cryakl/CryLock, CryptConsole, Fonix/XINOF, Limbozar/VoidCrypt, Thanos/Hakbit and XMRLocker. --------------------------------------------- https://securelist.com/cis-ransomware/104452/ ∗∗∗ Apache HTTP Server CVE-2021-41773 Exploited in the Wild ∗∗∗ --------------------------------------------- On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 (and only in 2.4.49). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled. --------------------------------------------- https://www.rapid7.com/blog/post/2021/10/06/apache-http-server-cve-2021-417… ∗∗∗ Medtronics Insulin Pump Controllers Are Vulnerable to Hackers ∗∗∗ --------------------------------------------- The company just expanded its recall of insulin pump remote controllers that can be hijacked to alter insulin amounts. Medical device maker Medtronic has expanded its recall of remote controllers for its MiniMed 508 and MiniMed Paradigm insulin pumps. The reason? The devices are a potential cybersecurity risk. According to the Food and Drug Administration, unauthorized people could hijack the devices to alter how much insulin is delivered to a patient. --------------------------------------------- https://gizmodo.com/medtronics-insulin-pump-controllers-are-vulnerable-to-h… ∗∗∗ Life is Pane: Persistence via Preview Handlers ∗∗∗ --------------------------------------------- [...] The preview pane allows users to have a quick peek at the content of a selected file without actually having to open it. This feature is disabled on default Windows 10 builds, but can be enabled in the Explorer menu under View→Preview pane. While this seems relatively simple at face value, it is anything but under the hood. For example, how does Windows know how to display the contents of certain filetypes but not others? Are the previews controlled by Explorer or is it done in another process? Are these handlers abusable? We spent a few days exploring preview handlers to gain a deeper understanding of how they work and answer these questions. --------------------------------------------- https://posts.specterops.io/life-is-pane-persistence-via-preview-handlers-3… ∗∗∗ CVE-2021-26420: Remote Code Execution in SharePoint via Workflow Compilation ∗∗∗ --------------------------------------------- In June of 2021, Microsoft released a patch to correct CVE-2021-26420 - a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-21-755. This blog takes a deeper look at the root cause of this vulnerability. --------------------------------------------- https://www.thezdi.com/blog/2021/10/5/cve-2021-26420-remote-code-execution-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat Security Advisories zu 16 Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, sechs als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2021-10-07 ∗∗∗ --------------------------------------------- IBM hat 21 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Advisory: Cisco ATA19X Privilege Escalation and RCE ∗∗∗ --------------------------------------------- 1. Lack of User Privilege Separation Enforcement in Web Management Interface: The web management interface on the ATA191 does not necessarily prevent the “user” account from performing “admin”-privileged actions. As such, a user who logs in with “user” privileges is able to perform actions that should only be performed by an “admin” user. 2. Post-Authentication Command Injection Remote Code Execution (CVE-2021-34710): The web management interface suffers [...] --------------------------------------------- https://www.iot-inspector.com/blog/advisory-cisco-ata19x-privilege-escalati… ∗∗∗ CVE-2021-33602: Denial-of-Service (DoS) Vulnerabilty ∗∗∗ --------------------------------------------- A vulnerability affecting the F-Secure antivirus engine was discovered when the engine tries to unpack a zip archive (LZW decompression method), and this can crash the scanning engine. The vulnerability can be exploited remotely by an attacker. A successful attack will result in denial-of-service of the antivirus engine. --------------------------------------------- https://www.f-secure.com/en/business/support-and-downloads/security-advisor… ∗∗∗ Typo3: Neue Version schließt zwei Sicherheitslücken im CMS ∗∗∗ --------------------------------------------- Lücken im Content-Management-System hätten Angreifern schlimmstenfalls Admin-Rechte gewähren können. Die neue Typo3-Version 11.5 bannt die Gefahr. --------------------------------------------- https://heise.de/-6211486 ∗∗∗ High Severity Vulnerability Patched in Access Demo Importer Plugin ∗∗∗ --------------------------------------------- On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 [...] --------------------------------------------- https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Mageia (cockpit, fail2ban, libcryptopp, libss7, nodejs, opendmarc, and weechat), openSUSE (curl, ffmpeg, git, glibc, go1.16, libcryptopp, and nodejs8), SUSE (apache2, curl, ffmpeg, git, glibc, go1.16, grilo, libcryptopp, nodejs8, transfig, and webkit2gtk3), and Ubuntu (linux-oem-5.10 and python-bottle). --------------------------------------------- https://lwn.net/Articles/872154/ ∗∗∗ Apache OpenOffice: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1041 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2021
by Daily end-of-shift report 06 Oct '21

06 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-10-2021 18:00 − Mittwoch 06-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Collaborative Research on the CONTI Ransomware Group ∗∗∗ --------------------------------------------- Ransomware remains one of the pre-eminent cyber threats, with the evolution in tactics, techniques and procedures (TTPs) amongst threat actor groups over recent years upping the stakes for both victims and defenders. --------------------------------------------- https://team-cymru.com/blog/2021/10/05/collaborative-research-on-the-conti-… ∗∗∗ Syniverse: Möglicherweise SMS von Milliarden Menschen gehackt ∗∗∗ --------------------------------------------- Hacker sind über Jahre in ein Unternehmen eingedrungen, das Anrufe und SMS zwischen Mobilfunkunternehmen austauscht. --------------------------------------------- https://www.golem.de/news/syniverse-moeglicherweise-sms-von-milliarden-mens… ∗∗∗ Threat hunting in large datasets by clustering security events ∗∗∗ --------------------------------------------- Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. Big data processing tools, such as spark, can be a powerful tool in the arsenal of security teams. --------------------------------------------- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets… ∗∗∗ Landespolizeidirektion Steiermark: Warnung vor Betrugsversuchen mittels LPD-SMS ∗∗∗ --------------------------------------------- Am Montag, 4. Oktober 2021, versendeten unbekannte Täter in betrügerischer Absicht SMS Nachrichten. Als Absender scheint "Landespolizeidirektion (LPD) auf". Die Polizei warnt eindringlich vor diesen Betrugsversuchen. --------------------------------------------- https://www.watchlist-internet.at/news/landespolizeidirektion-steiermark-wa… ∗∗∗ Unsere Tipps, um unseriöse Notfalldienste zu entlarven! ∗∗∗ --------------------------------------------- Bei Notfällen wie einem Rohrbruch, Stromausfall oder einem Gasgebrechen ist schnelle Hilfe notwendig. Häufig bleibt da für eine genaue Überprüfung der Handwerksdienste keine Zeit. --------------------------------------------- https://www.watchlist-internet.at/news/unsere-tipps-um-unserioese-notfalldi… ∗∗∗ Cybersecurity in Power Grids: Challenges and Opportunities. (arXiv:2105.00013v2 [cs.CR] UPDATED) ∗∗∗ --------------------------------------------- Increasing volatilities within power transmission and distribution forcepower grid operators to amplify their use of communication infrastructure tomonitor and control their grid. The resulting increase in communication creates a larger attack surface for malicious actors. --------------------------------------------- http://arxiv.org/abs/2105.00013 ===================== = Vulnerabilities = ===================== ∗∗∗ Actively exploited Apache 0-day also allows remote code execution ∗∗∗ --------------------------------------------- Proof-of-Concept (PoC) exploits for the Apache web server zero-day surfaced on the internet revealing that the vulnerability is far more critical than originally disclosed. These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution (RCE) abilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/actively-exploited-apache-0-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM veröffentlicht 31 Security Bulletins. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cryptopp), Mageia (apache), Slackware (httpd), and Ubuntu (squid, squid3). --------------------------------------------- https://lwn.net/Articles/872029/ ∗∗∗ FortiWebManager - Injection vulnerabilities ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-027 ∗∗∗ FortiAnalyzer & FortiManager - Forticloud credentials observed in cleartext in the logfile ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-21-112 ∗∗∗ FortiSDNConnector - Credential leak ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-183 ∗∗∗ FortiClientEMS - Session cookie does not expire after logout ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-072 ∗∗∗ XSA-386 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-386.html ∗∗∗ Samba: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1034 ∗∗∗ Mitsubishi Electric GOT and Tension Controller ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-01 ∗∗∗ Emerson WirelessHART Gateway ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02 ∗∗∗ Moxa MXview Network Management Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-03 ∗∗∗ Medtronic MiniMed MMT-500/MMT-503 Remote Controllers (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSMA-18-219-02 ∗∗∗ CISA Releases Security Advisory for Honeywell Experion and ACE Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/05/cisa-releases-sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2021
by Daily end-of-shift report 05 Oct '21

05 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 04-10-2021 18:00 − Dienstag 05-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New UEFI bootkit used to backdoor Windows devices since 2012 ∗∗∗ --------------------------------------------- A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since at least 2012. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-uefi-bootkit-used-to-bac… ∗∗∗ HiKam - "Hi – Ich bin (nicht) deine Kamera" ∗∗∗ --------------------------------------------- Die Sicherheit von IoT-Geräten, wie z.B. Überwachungskameras, sollte viel mehr im Fokus von Herstellern und Nutzern liegen. In der Realität ist dies leider nicht der Fall. Jahr für Jahr werden mehr IoT-Geräte entdeckt, die eine P2P-Cloud-Verbindung nutzen. Der Defcon-Talk von Paul Marrapese letztes Jahr und die letzte Entdeckung von Mandiant beschreiben nur einen Auszug dessen, was sich in diesem Bereich der IT-Security abgespielt hat. Im Rahmen dieses Blogposts möchten wir Ihnen aktuelle Informationen zur zugrundeliegenden IoT-Sicherheitsproblematik anhand eines konkreten Gerätes vorstellen: die HiKam S6. --------------------------------------------- https://sec-consult.com/de/blog/detail/hikam-hi-ich-bin-nicht-deine-kamera/ ∗∗∗ Kleinanzeigenbetrug mit gefälschter Post-Website ∗∗∗ --------------------------------------------- Kriminelle verwenden eine gefälschte Post-Website www.post-service.online für Kleinanzeigenbetrug. Sie suchen nach hochpreisigen Angeboten und geben vor, den Kauf über einen erfundenen Kurierservice der Post abwickeln zu wollen. Ziel ist es, den Opfern das Geld aus der Tasche zu ziehen, denn in weiterer Folge werden Kreditkartendaten abgefragt und die Freigabe einer Zahlung verlangt. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-mit-gefaelschter… ===================== = Vulnerabilities = ===================== ∗∗∗ Löchrige UPnP-Umsetzung in alten Broadcom-SDKs macht Router angreifbar ∗∗∗ --------------------------------------------- Einige Routermodelle mit EoL-Status etwa von Linksys & Cisco sind dank Lücken in alten Broadcom-SDK-Versionen via UPnP angreifbar. Updates gibt es nicht. --------------------------------------------- https://heise.de/-6209100 ∗∗∗ Sicherheitsupdate: Angreifer könnten auf Dateien von Apache-Webservern zugreifen ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf Apache-Webserver abgesehen. Davon ist aber nur eine bestimmte Version bedroht. Die Path-Traversal-Lücke (CVE-2021-41773) betrifft ausschließlich die Apache-HTTP-Server-Version 2.4.49. --------------------------------------------- https://heise.de/-6209130 ∗∗∗ TYPO3-CORE-SA-2021-015: HTTP Host Header Injection in Request Handling ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment. CVE-ID: CVE-2021-41114 --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2021-015 ∗∗∗ TYPO3-CORE-SA-2021-014: Cross-Site-Request-Forgery in Backend URI Handling ∗∗∗ --------------------------------------------- It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. [...] To successfully carry out an attack, an attacker must trick his victim to access a compromised system. The victim must have an active session in the TYPO3 backend at that time. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2021-014 ∗∗∗ Android Security Bulletin—October 2021 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2021-10-05 or later address all of these issues. --------------------------------------------- https://source.android.com/security/bulletin/2021-10-01 ∗∗∗ docker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in docker ausnutzen, um seine Privilegien zu erhöhen oder Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1033 ∗∗∗ SYSS-2021-047: Authentication Bypass in Omikron MultiCash ∗∗∗ --------------------------------------------- In der Desktopanwendung MultiCash 4 können mittels der Rechte- und Passwortüberprüfung administrative Rechte über die Anwendung erlang werden. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-047-authentication-bypass-in-omi… ∗∗∗ Security Bulletin: IBM Event Streams is potentially affected by multiple node vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-pote… ∗∗∗ Security Bulletin: IBM Event Streams is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple vulnerabilities in the Java runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by a vulnerability in libcurl (CVE-2021-22925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by a vulnerability in libcurl (CVE-2021-22924) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by a vulnerability in libcurl (CVE-2021-22945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Apache Solr, shipped with IBM Operations Analytics – Log Analysis, susceptible to multiple vulnerabilities in Apache Tika ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-solr-shipped-with-… ∗∗∗ Security Bulletin: Vulnerability in MetadataExtractor used by Apache Solr affect IBM Operations Analytics – Log Analysis Analysis (CVE-2019-14262) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-metadata… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2021
by Daily end-of-shift report 04 Oct '21

04 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-10-2021 18:00 − Montag 04-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware: Conti-Erpressergruppe verbittet sich Leaks ihrer Verhandlungs-Chats ∗∗∗ --------------------------------------------- Die Cyberkriminellen hinter der Conti-Ransomware drohen jedem Opfer mit Veröffentlichung seiner Daten, sollten Details über die Erpressung im Netz auftauchen. --------------------------------------------- https://heise.de/-6206790 ∗∗∗ Andoid-Banking-Trojaner Hydra hat es auf Commerzbank-Kunden abgesehen ∗∗∗ --------------------------------------------- Online-Kriminelle versuchen Kunden der Commerzbank abzuzocken. Damit es dazu kommt, müssen Opfer aber mitspielen. --------------------------------------------- https://heise.de/-6207752 ∗∗∗ SMS mit Link zu Fotoalbum verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Zahlreiche NutzerInnen berichten, dass sie SMS mit einem Link zu einem Fotoalbum erhalten. Angeblich wurden dort private Fotos hochgeladen. Achtung: Der Link führt zu Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/sms-mit-link-zu-fotoalbum-verbreitet… ∗∗∗ Webinar: Internetkriminalität - so schützen Sie sich! ∗∗∗ --------------------------------------------- Internetfallen & Betrugsmaschen werden immer ausgeklügelter. Umso wichtiger ist die Fähigkeit, Merkmale einer Betrugsmasche frühzeitig zu erkennen. In einem Webinar geben wir Ihnen einen Überblick über aktuelle Bedrohungen im Internet und zeigen Ihnen, wie Sie sich davor schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-internetkriminalitaet-so-sch… ∗∗∗ Endpoint Security ist überall gefragt ∗∗∗ --------------------------------------------- Viele Endpunkte mögen auf den ersten Blick unwichtig erscheinen. Aber ungeschützte Systeme mit oder ohne Internetzugang sind ein Einfallstor für Hacker. Deshalb ist ein umfassendes Konzept für Endpoint Security für Unternehmen jeder Größe sehr wichtig. --------------------------------------------- https://www.zdnet.de/88397023/endpoint-security-ist-ueberall-gefragt/ ∗∗∗ New Atom Silo ransomware targets vulnerable Confluence servers ∗∗∗ --------------------------------------------- Atom Silo, a newly spotted ransomware group, is targeting a recently patched and actively exploited Confluence Server and Data Center vulnerability to deploy their ransomware payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-atom-silo-ransomware-tar… ∗∗∗ Innovative Proxy Phantom ATO Fraud Ring Haunts eCommerce Accounts ∗∗∗ --------------------------------------------- The group uses millions of password combos at the rate of nearly 2,700 login attempts per second with new techniques that push the ATO envelope. --------------------------------------------- https://threatpost.com/proxy-phantom-fraud-ecommerce-accounts/175241/ ∗∗∗ PoC Exploit Released for macOS Gatekeeper Bypass ∗∗∗ --------------------------------------------- Rasmus Sten, a software engineer with F-Secure, has released proof-of-concept (PoC) exploit code for a macOS Gatekeeper bypass that Apple patched in April this year. The PoC exploit targets CVE-2021-1810, a vulnerability that can lead to the bypass of all three protections that Apple implemented against malicious file downloads, namely file quarantine, Gatekeeper, and notarization. --------------------------------------------- https://www.securityweek.com/poc-exploit-released-macos-gatekeeper-bypass ∗∗∗ Boutique "Dark" Botnet Hunting for Crumbs ∗∗∗ --------------------------------------------- [...] But aside from these more visible botnets, there are smaller, "Boutique" botnets. They go after less common vulnerabilities and pick systems that the major botnets find not lucrative enough to go after. Usually, only a few vulnerable devices are exposed. Taking the animal analogy a bit too far: These are like crustaceans on the ocean floor living off what the predators above discard. One such botnet is "Dark Bot". --------------------------------------------- https://isc.sans.edu/diary/rss/27898 ∗∗∗ Expired Lets Encrypt Root Certificate Causes Problems for Many Companies ∗∗∗ --------------------------------------------- A root certificate used by Let’s Encrypt expired on September 30 and, despite being notified a long time in advance, many companies experienced problems. read more --------------------------------------------- https://www.securityweek.com/expired-lets-encrypt-root-certificate-causes-p… ∗∗∗ BazarLoader and the Conti Leaks ∗∗∗ --------------------------------------------- In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while [...] --------------------------------------------- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ ∗∗∗ Misconfigured Airflows Leak Thousands of Credentials from Popular Services ∗∗∗ --------------------------------------------- Apache Airflow is the #1 starred open-source workflows application on GitHub Workflow management platforms are an indispensable tool for automating business and IT tasks. These platforms make it easier to create, schedule and monitor workflows. They are typically hosted on the cloud to provide increased accessibility and scalability. On the flip side, misconfigured instances that allow [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/misconfigured-airflows-leak-cre… ∗∗∗ Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester ∗∗∗ --------------------------------------------- In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share. --------------------------------------------- https://blog.nviso.eu/2021/10/04/phish-phished-phisher-a-quick-peek-inside-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, fig2dev, mediawiki, plib, and qemu), Fedora (chromium, curl, kernel, kernel-headers, kernel-tools, openssh, rust-addr2line, rust-backtrace, rust-cranelift-bforest, rust-cranelift-codegen, rust-cranelift-codegen-meta, rust-cranelift-codegen-shared, rust-cranelift-entity, rust-cranelift-frontend, rust-cranelift-native, rust-cranelift-wasm, rust-gimli, rust-object, rust-wasmparser, rust-wasmtime-cache, rust-wasmtime-environ, [...] --------------------------------------------- https://lwn.net/Articles/871841/ ∗∗∗ Shodan Verified Vulns 2021-10-01 ∗∗∗ --------------------------------------------- Mit 2021-10-01 sah die Schwachstellenlandschaft in Österreich laut Shodan wie folgt aus: Wie auch in den letzten Monaten dominieren TLS/SSL-Schwachstellen sowie Lücken in Microsofts Exchange Server das Bild. Während Server, die für die im März veröffentlichte und geschlossene "ProxyLogon" Exploit-Chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) anfällig sind, mittlerweile eher selten sind, scheinen die im April bzw. Mai [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/10/shodan-verified-vulns-2021-10-01 ∗∗∗ Multiple vulnerabilities in Rexroth IndraMotion and IndraLogic series ∗∗∗ --------------------------------------------- BOSCH-SA-741752: The control systems series Rexroth IndraMotion MLC and IndraLogic XLC are affected by multiple vulnerabilities in the web server, which - in combination - ultimately enable an attacker to log in to the system. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-741752.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Netty vulnerability CVE-2021-21295 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55834441 ∗∗∗ OpenSSL vulnerability CVE-2021-3712 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19559038 ∗∗∗ Red Enterprise Linux Advanced Virtualization: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.10.2021
by Daily end-of-shift report 01 Oct '21

01 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-09-2021 18:00 − Freitag 01-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hydra malware targets customers of Germanys second largest bank ∗∗∗ --------------------------------------------- The Hydra banking trojan is back to targeting European e-banking platform users, and more specifically, customers of Commerzbank, Germanys second-largest financial institution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hydra-malware-targets-custom… ∗∗∗ Flubot Android malware now spreads via fake security updates ∗∗∗ --------------------------------------------- The Flubot malware has switched to a new and likely more effective lure to compromise Android devices, now trying to trick its victims into infecting themselves with the help of fake security updates warning them of Flubot infections. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-android-malware-now-s… ∗∗∗ Hackers rob thousands of Coinbase customers using MFA flaw ∗∗∗ --------------------------------------------- Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the companys SMS multi-factor authentication security feature. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-rob-thousands-of-coi… ∗∗∗ New Tool to Add to Your LOLBAS List: cvtres.exe , (Fri, Oct 1st) ∗∗∗ --------------------------------------------- LOLBAS (“Living Off the Land Binaries And Scripts”) is a list of tools[1] that are present on any Windows system because they are provided by Microsoft as useful tools to perform system maintenance, updates, etc. This list is maintained and upgraded regularly. This is a good starting point when you need to investigate suspicious processes activity on a system (proactively or in forensics investigation). --------------------------------------------- https://isc.sans.edu/diary/27892 ∗∗∗ Introduction to ICS Security Part 3 ∗∗∗ --------------------------------------------- In part 3 of the Introduction to ICS blog series, Stephan Mathezer discusses Remote Access Connections into ICS, examines why they here to stay, and reviews the best practices for securing them. --------------------------------------------- https://www.sans.org/blog/introduction-to-ics-security-part-3/ ∗∗∗ Android Trojan GriftHorse, the gift horse you definitely should look in the mouth ∗∗∗ --------------------------------------------- The GriftHorse Android Trojan is a widespread campaign with millions of victims in over 70 countries. --------------------------------------------- https://blog.malwarebytes.com/android/2021/09/android-trojan-grifthorse-the… ∗∗∗ ESET Threat Report T2 2021 ∗∗∗ --------------------------------------------- Unsere Sicherheitsforscher analysieren die Cybersicherheitslage und die ESET-Telemetriedaten im zweiten Drittel des Jahres 2021. --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/09/30/eset-threat-report-t2-202… ∗∗∗ Heute startet der Europäische Monat der Cyber-Sicherheit! ∗∗∗ --------------------------------------------- Wie jedes Jahr steht auch heuer der Oktober ganz im Zeichen der Cyber-Sicherheit. Auch Österreich nimmt wieder an der EU-weiten Kampagne „European Cyber Security Month“ (ESCM) teil. Ziel ist es, das Bewusstsein über die Risiken im Netz zu stärken und gezielt Informationen zur IT-Sicherheit zu verbreiten. --------------------------------------------- https://www.watchlist-internet.at/news/heute-startet-der-europaeische-monat… ∗∗∗ Credential Harvesting at Scale Without Malware ∗∗∗ --------------------------------------------- Email credential harvesting can lead to business email compromise and ransomware. Often, attackers simply ask for victims’ credentials. --------------------------------------------- https://unit42.paloaltonetworks.com/credential-harvesting/ ∗∗∗ Fortinet, Shopify and more report issues after root CA certificate from Lets Encrypt expires ∗∗∗ --------------------------------------------- Experts had been warning for weeks that there would be issues resulting from the expiration of root CA certificates provided by Lets Encrypt. --------------------------------------------- https://www.zdnet.com/article/fortinet-shopify-others-report-issues-after-r… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 11 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, krb5, openssl1.0, and taglib), Fedora (cifs-utils), SUSE (libqt5-qtbase and rubygem-activerecord-4_2), and Ubuntu (linux-raspi, linux-raspi-5.4 and linux-raspi2). --------------------------------------------- https://lwn.net/Articles/871564/ ∗∗∗ Google Patches Two More Exploited Zero-Day Vulnerabilities in Chrome ∗∗∗ --------------------------------------------- Google on Thursday announced the rollout of a Chrome update to address four security vulnerabilities, including two that are already being exploited in the wild. --------------------------------------------- https://www.securityweek.com/google-patches-two-more-exploited-zero-day-vul… ∗∗∗ Command Injection Vulnerability in QVR ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-38 ∗∗∗ Stored XSS Vulnerabilities in Photo Station ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-41 ∗∗∗ Stored XSS Vulnerability in Photo Station ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-42 ∗∗∗ Stored XSS Vulnerability in Image2PDF ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-43 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2021
by Daily end-of-shift report 30 Sep '21

30 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-09-2021 18:00 − Donnerstag 30-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RansomEXX ransomware Linux encryptor may damage victims files ∗∗∗ --------------------------------------------- Cybersecurity firm Profero has discovered that the RansomExx gang does not correctly lock Linux files during encryption, leading to potentially corrupted files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-linux-e… ∗∗∗ Stop That Phish! ∗∗∗ --------------------------------------------- Although ransomware holds a significant mindshare in security, phishing continues to be an effective and efficient tool for threat actors. In this blog, Tim Helming walks through various anti-phishing tools and methods available to defenders. --------------------------------------------- https://www.domaintools.com/resources/blog/stop-that-phish ∗∗∗ An overview of malware hashing algorithms ∗∗∗ --------------------------------------------- VirusTotals "Basic Properties" tab alone lists eight different hashes and supports even more to use them for queries and hunt signatures. Hashes are important for malware analysis, as well as identification, description and detection. But why do so many of them exist and when should you use which hash function? --------------------------------------------- https://www.gdatasoftware.com/blog/2021/09/an-overview-of-malware-hashing-a… ∗∗∗ TLS-Zertifikate: Altes Lets-Encrypt-Root läuft ab ∗∗∗ --------------------------------------------- Bei Fehlkonfigurationen und alten Geräten können Zertifikatsfehler mit Lets Encrypt auftreten. --------------------------------------------- https://www.golem.de/news/tls-zertifikate-altes-let-s-encrypt-root-laeuft-a… ∗∗∗ GhostEmperor: From ProxyLogon to kernel mode ∗∗∗ --------------------------------------------- While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor. --------------------------------------------- https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/ ∗∗∗ What is Cryptocurrency Mining Malware? ∗∗∗ --------------------------------------------- Cryptocurrency mining malware is typically a stealthy malware that farms the resources on a system (computers, smartphones, and other electronic devices connected to the internet) to generate revenue for the cyber criminals controlling it. Instead of using video game consoles or graphics card farms, these particular cryptominers are using the computers and servers of the people around them for their processing power - without permission. --------------------------------------------- https://blog.sucuri.net/2021/09/what-is-cryptocurrency-mining-malware-2.html ∗∗∗ Apple-Pay-Funktion erlaubt angeblich Geldklau von gesperrten iPhones ∗∗∗ --------------------------------------------- Sicherheitsexperten haben die Express-ÖPNV-Funktion auf Herz und Nieren getestet und kommen zu dem Schluss, dass unerwünschte Visa-Zahlungen möglich sind. --------------------------------------------- https://heise.de/-6204960 ∗∗∗ Bericht: Android-Trojaner GriftHorse kassiert bei über 10 Millionen Opfern ab ∗∗∗ --------------------------------------------- Online-Kriminelle sollen mit Trojaner-Apps Abos abschließen und darüber hunderte Millionen Euro erbeutet haben, warnen Sicherheitsforscher. --------------------------------------------- https://heise.de/-6205272 ∗∗∗ A wolf in sheeps clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus ∗∗∗ --------------------------------------------- By Vitor Ventura and Arnaud Zobec. Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. --------------------------------------------- https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html ∗∗∗ Telemetry Report Shows Patch Status of High-Profile Vulnerabilities ∗∗∗ --------------------------------------------- A record number of new security vulnerabilities (18,352) were reported in 2020. This year, the number is likely to be higher (13,002 by September 1). The problem with a zero-day vulnerability is that it remains a zero-day until it is patched by both the vendor and the user. --------------------------------------------- https://www.securityweek.com/telemetry-report-shows-patch-status-high-profi… ∗∗∗ The Ransomware Threat in 2021 ∗∗∗ --------------------------------------------- New research from Symantec finds that organizations face an unprecedented level of danger from targeted ransomware attacks as the number of adversaries multiply alongside an increased sophistication in tactics. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ra… ∗∗∗ Facebook open-sources internal tool used to detect security bugs in Android apps ∗∗∗ --------------------------------------------- Facebook has open-sourced Mariana Trench, one of its internal security tools, used by its security teams for finding and fixing bugs in Android and Java applications. --------------------------------------------- https://therecord.media/facebook-open-sources-internal-tool-used-to-detect-… ∗∗∗ Ransomware attack disrupts hundreds of bookstores across France, Belgium, and the Netherlands ∗∗∗ --------------------------------------------- Hundreds of bookstores across France, Belgium, and the Netherlands have had their operations disrupted this week after a ransomware attack crippled the IT systems of TiteLive, a French company that operates a SaaS platform for book sales and inventory management. --------------------------------------------- https://therecord.media/ransomware-attack-disrupts-hundreds-of-bookstores-a… ∗∗∗ After the storm - how to move on with NTLM ∗∗∗ --------------------------------------------- I remember that, about 15 years ago, we already flagged the absence of SMB signing as a vulnerability in reports. Though at that time, we circled more around the theoretical risk of someone tampering SMB traffic due to the lack of integrity protection. None of us really had an idea how to make use of that vulnerability. The later obviously changed. --------------------------------------------- https://cyberstoph.org/posts/2021/09/after-the-storm-how-to-move-on-with-nt… ===================== = Vulnerabilities = ===================== ∗∗∗ Linkit - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-042 ∗∗∗ --------------------------------------------- Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field. It does not sufficiently sanitize user input. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit an entity bundle. --------------------------------------------- https://www.drupal.org/sa-contrib-2021-042 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxstream-java, uwsgi, and weechat), Fedora (libspf2, libvirt, mingw-python3, mono-tools, python-flask-restx, and sharpziplib), Mageia (gstreamer, libgcrypt, libgd, mosquitto, php, python-pillow, qtwebengine5, and webkit2), openSUSE (postgresql12 and postgresql13), SUSE (haproxy, postgresql12, postgresql13, and rabbitmq-server), and Ubuntu (commons-io and linux-oem-5.13). --------------------------------------------- https://lwn.net/Articles/871424/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 12 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Boston Scientific Zoom Latitude ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Password Hash with Insufficient Computational Effort, Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques, Improper Access Control, Missing Support for Integrity Check, and Reliance on Component That is Not Updateable vulnerabilities in the Boston Scientific Zoom Latitude programmer/recorder/monitor (PRM) 3120 model. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210929… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2021
by Daily end-of-shift report 29 Sep '21

29 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-09-2021 18:00 − Mittwoch 29-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ NSA, CISA share VPN security tips to defend against hackers ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released guidance for hardening the security of virtual private network (VPN) solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nsa-cisa-share-vpn-security-… ∗∗∗ Why Should I Care About HTTP Request Smuggling? ∗∗∗ --------------------------------------------- HTTP request smuggling is a growing vulnerability, but you can manage the risk with proper server configuration. --------------------------------------------- https://www.darkreading.com/edge-ask-the-experts/why-should-i-care-about-ht… ∗∗∗ DarkHalo after SolarWinds: the Tomiris connection ∗∗∗ --------------------------------------------- We discovered a campaign delivering the Tomiris backdoor that shows a number of similarities with the Sunshuttle malware distributed by DarkHalo APT and target overlaps with Kazuar. --------------------------------------------- https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104… ∗∗∗ Conti Ransomware Expands Ability to Blow Up Backups ∗∗∗ --------------------------------------------- The Conti ransomware gang has developed novel tactics to demolish backups, especially the Veeam recovery software. --------------------------------------------- https://threatpost.com/conti-ransomware-backups/175114/ ∗∗∗ How nation-state attackers like NOBELIUM are changing cybersecurity ∗∗∗ --------------------------------------------- In the first of a four-part series on the NOBELIUM nation-state attack, we describe the attack and explain why enterprises should be cautious. --------------------------------------------- https://www.microsoft.com/security/blog/2021/09/28/how-nation-state-attacke… ∗∗∗ Serious Security: Let’s Encrypt gets ready to go it alone (in a good way!) ∗∗∗ --------------------------------------------- Lets Encrypt is set to become a mainstream, self-certifying web certificate authority - heres why it took so many years. --------------------------------------------- https://nakedsecurity.sophos.com/2021/09/28/serious-security-lets-encrypt-g… ∗∗∗ Keeping Track of Time: Network Time Protocol and a GPSD Bug, (Wed, Sep 29th) ∗∗∗ --------------------------------------------- The Network Time Protocol (NTP) has been critical in ensuring time is accurately kept for various systems businesses and organizations rely on. --------------------------------------------- https://isc.sans.edu/diary/rss/27886 ∗∗∗ Phone screenshots accidentally leaked online by stalkerware-type company ∗∗∗ --------------------------------------------- Stalkerware-type company pcTattleTale hasnt been very careful about securing the screenshots it sneakily takes from its victims phones. --------------------------------------------- https://blog.malwarebytes.com/stalkerware/2021/09/phone-screenshots-acciden… ∗∗∗ Betrügerische Mail im Namen der Volksbank unterwegs ∗∗∗ --------------------------------------------- Derzeit werden massenhaft betrügerische Phishing-Mails im Namen der Volksbank verschickt. Angeblich wurde eine „irrtümlich ausgeführte Überweisung“ gesperrt. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mail-im-namen-der-vol… ∗∗∗ New GriftHorse malware has infected more than 10 million Android phones ∗∗∗ --------------------------------------------- Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis. --------------------------------------------- https://therecord.media/new-grifthorse-malware-has-infected-more-than-10-mi… ===================== = Vulnerabilities = ===================== ∗∗∗ AirTags als Echtwelt-Trojaner: Apple lässt XSS-Lücke über Monate offen ∗∗∗ --------------------------------------------- Ein weiterer Sicherheitsforscher hat wegen Verärgerung über Apples zugeknöpftes Bug-Bounty-Programm eine Zero-Day-Schwachstelle veröffentlicht. --------------------------------------------- https://heise.de/-6204364 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (iaito, libssh, radare2, and squashfs-tools), openSUSE (hivex, shibboleth-sp, and transfig), SUSE (python-urllib3 and shibboleth-sp), and Ubuntu (apache2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, and linux-hwe-5.11, linux-azure, linux-azure-5.11, linux-oracle-5.11). --------------------------------------------- https://lwn.net/Articles/871227/ ∗∗∗ Security Bulletin: Bulletin: App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bulletin-app-connect-prof… ∗∗∗ Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.14.0 ESR + CVE-2021-29967) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF14 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affects App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29834 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) offline documentation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Aspera Web Application (Console, Shares) are affected by jQuery vulnerability (cross-site scripting) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-application-co… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -IBM SDK, Java Technology Edition Quarterly CPU – Jul 2021 – Includes Oracle Jul 2021 CPU (minus CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ F-Secure Internet Gatekeeper: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1020 ∗∗∗ Elastic Stack Misconfiguration can lead to DDoS or Data Exfiltration ∗∗∗ --------------------------------------------- https://securitythreatnews.com/2021/09/29/elastic-stack-misconfiguration-ca… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2021
by Daily end-of-shift report 28 Sep '21

28 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Montag 27-09-2021 18:00 − Dienstag 28-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor ∗∗∗ --------------------------------------------- In-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as FoggyWeb. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. --------------------------------------------- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobeli… ∗∗∗ TLS 1.3 and SSL - the current state of affairs, (Tue, Sep 28th) ∗∗∗ --------------------------------------------- It has been over 3 years since the specification for TLS 1.3 was published, and although the protocol has some minor drawbacks, it is undoubtedly the most secure TLS version so far. One would therefore hope that the adoption of TLS 1.3 and its use on web servers around the globe would steadily increase over time (ideally hand in hand with a slow disappearance of older cryptographic protocols, especially the historic SSL 2.0 and SSL 3.0). --------------------------------------------- https://isc.sans.edu/diary/rss/27882 ∗∗∗ Securing mobile devices. A timely reminder ∗∗∗ --------------------------------------------- If you’re commuting again or if you’re responsible for securing your people’s devices it’s a good idea to revisit and review your security admin for mobile devices. This post isn’t breaking any new ground, but it is a good place to start that review process, and think about your security behaviours. --------------------------------------------- https://www.pentestpartners.com/security-blog/securing-mobile-devices-a-tim… ∗∗∗ Vorsicht, wenn die Wohnungsbesichtigung über booking.com abgewickelt werden sollte ∗∗∗ --------------------------------------------- Sie haben endlich Ihre Traumwohnung gefunden? Der einzige Haken: Sie sollten schon vor der Besichtigung eine Kaution bezahlen, die angeblich von booking.com verwaltet wird? Dann sind Sie auf ein betrügerisches Wohnungsinserat gestoßen. Zahlen Sie keinesfalls eine Kaution vor der Besichtigung. Diese Wohnung gibt es nicht und Sie verlieren Ihre geleistete Zahlung! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-die-wohnungsbesichtigu… ∗∗∗ Highlights From the Unit 42 Cloud Threat Report, 2H 2021 ∗∗∗ --------------------------------------------- In the Unit 42 Cloud Threat Report, 2H 2021, our researchers dive deep into the full scope of supply chain attacks in the cloud and explain often misunderstood details about how they occur. We also provide actionable recommendations any organization can adopt immediately to begin protecting their software supply chains in the cloud. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-threat-report-2h-2021/ ∗∗∗ Anatomy and Disruption of Metasploit Shellcode ∗∗∗ --------------------------------------------- In April 2021 we went through the anatomy of a Cobalt Strike stager and how some of its signature evasion techniques ended up being ineffective against detection technologies. In this blog post we will go one level deeper and focus on Metasploit, an often-used framework interoperable with Cobalt Strike. --------------------------------------------- https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shell… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1116: NETGEAR R7800 net-cgi Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 routers. Authentication is not required to exploit this vulnerability. CVE ID: CVE-2021-34947 --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1116/ ∗∗∗ SSA-728618: Multiple Vulnerabilities in Solid Edge before SE2021MP8 ∗∗∗ --------------------------------------------- Siemens has released a new version for Solid Edge that fixes multiple file parsing vulnerabilities which could be triggered when the application reads files in IFC, JT or OBJ formats. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-728618.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), openSUSE (gd, grilo, nodejs14, and transfig), Oracle (nodejs:14 and squid), Red Hat (kernel and shim and fwupd), SUSE (apache2, atftp, gd, and python-Pillow), and Ubuntu (apache2, linux, linux-aws, linux-aws-5.11, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and vim). --------------------------------------------- https://lwn.net/Articles/871096/ ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- D-LINK Router DIR-X1560 < 1.04B04, D-LINK Router DIR-X6060 < 1.02B01 Ein entfernter, anonymer Angreifer kann eine Schwachstelle in verschiedenen D-LINK Routern ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1019 ∗∗∗ Security Bulletin: IBM Security SOAR is using a version of Elasticsearch that has known vulnerabilities (CVE-2021-22137, CVE-2021-22135) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: PostgreSQL Vulnerability Affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2021-32029) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2021
by Daily end-of-shift report 27 Sep '21

27 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-09-2021 18:00 − Montag 27-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Exploit-Code für Chrome und Edge in Umlauf ∗∗∗ --------------------------------------------- Angriffe auf die Webbrowser Chrome und Edge könnten kurz bevor stehen. Reparierte Versionen stehen zum Download bereit. --------------------------------------------- https://heise.de/-6201629 ∗∗∗ He escaped the Dark Web’s biggest bust. Now he’s back ∗∗∗ --------------------------------------------- DeSnake apparently eluded the takedown of AlphaBay and now plans to resurrect it. --------------------------------------------- https://arstechnica.com/?p=1798352 ∗∗∗ BloodyStealer and gaming assets for sale ∗∗∗ --------------------------------------------- We take a closer look at threats linked to loss of accounts with popular video game digital distribution services, such as Steam and Origin. We also explore the kind of game-related data that ends up on the black market. --------------------------------------------- https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/ ∗∗∗ Video: Strings Analysis: VBA & Excel4 Maldoc, (Sat, Sep 25th) ∗∗∗ --------------------------------------------- I did record a video for my diary entry "Strings Analysis: VBA & Excel4 Maldoc", showing how to use CyberChef to analyze a maldoc. --------------------------------------------- https://isc.sans.edu/diary/rss/27874 ∗∗∗ New Android Malware Steals Financial Data from 378 Banking and Wallet Apps ∗∗∗ --------------------------------------------- The operators behind the BlackRock mobile malware have surfaced back with a new Android banking trojan called ERMAC that targets Poland and has its roots in the infamous Cerberus malware, according to the latest research. "The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays," ThreatFabrics CEO Cengiz Han Sahin said [...] --------------------------------------------- https://thehackernews.com/2021/09/new-android-malware-steals-financial.html ∗∗∗ New security feature in September 2021 Cumulative Update for Exchange Server ∗∗∗ --------------------------------------------- [...] As part of our continued work to help you protect your Exchange Servers, in the September 2021 Cumulative Update (CU) we have added a new feature called the Microsoft Exchange Emergency Mitigation service. This new service is not a replacement for installing Exchange Server Security Updates (SUs), but [...] --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/new-security-feat… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, libxml-security-java, and openssl), Fedora (fetchmail and python-rsa), openSUSE (grafana-piechart-panel and opera), and Red Hat (nodejs:14). --------------------------------------------- https://lwn.net/Articles/870597/ ∗∗∗ Command Injection Vulnerabilities in QVR ∗∗∗ --------------------------------------------- Two command injection vulnerabilities have been reported to affect certain QNAP EOL devices running QVR. If exploited, these vulnerabilities allow remote attackers to run arbitrary commands. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-35 ∗∗∗ GNU C Library (glibc) vulnerability CVE-2021-33574 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43700555 ∗∗∗ LibreSSL: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1014 ∗∗∗ GitHub Enterprise Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1015 ∗∗∗ OpenSSH: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1017 ∗∗∗ FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php ∗∗∗ FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access) ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php ∗∗∗ FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php ∗∗∗ FatPipe Networks WARP 10.2.2 Authorization Bypass ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php ∗∗∗ FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php ∗∗∗ Security Bulletin: OpenSSL for IBM i is affected by CVE-2021-3711 and CVE-2021-3712 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-affe… ∗∗∗ Security Bulletin: CVE-2021-2341 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2341-may-affect-… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Integrated application server and integrated web services for IBM i are affected by CVE-2021-35517 and CVE-2021-36090 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-integrated-application-se… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache HTTP Server affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7774) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.09.2021
by Daily end-of-shift report 24 Sep '21

24 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-09-2021 18:00 − Freitag 24-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sicherheitsupdates: Kritische Admin-Lücke mit Höchstwertung bedroht Cisco-Geräte ∗∗∗ --------------------------------------------- Der Netzwerkausrüster hat jede Menge Sicherheitslücken geschlossen. Erfolgreiche Attacken können gefährliche Auswirkungen haben. --------------------------------------------- https://heise.de/-6200359 ∗∗∗ Frustriert von Apple: Sicherheitsforscher veröffentlicht 0-Day-Lücken für iOS 15 ∗∗∗ --------------------------------------------- Der Konzern habe nur einen der Bugs still gestopft und nicht weiter reagiert, so der Sicherheitsforscher. Die Lücken geben Apps wohl Zugriff auf Nutzerdaten. --------------------------------------------- https://heise.de/-6200907 ∗∗∗ Malware devs trick Windows validation with malformed certs ∗∗∗ --------------------------------------------- Google researchers spotted malware developers creating malformed code signatures seen as valid in Windows to bypass security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-devs-trick-windows-v… ∗∗∗ TangleBot Malware Reaches Deep into Android Device Functions ∗∗∗ --------------------------------------------- The mobile baddie grants itself access to almost everything, enabling spying, data-harvesting, stalking and fraud attacks, among others. --------------------------------------------- https://threatpost.com/tanglebot-malware-device-functions/174999/ ∗∗∗ Keep an Eye on Your Users Mobile Devices (Simple Inventory), (Fri, Sep 24th) ∗∗∗ --------------------------------------------- Today, smartphones are everywhere and became our best friends for many tasks. Probably your users already access their corporate mailbox via a mobile device. If it's not yet the case, you probably have many requests to implement this. They are two ways to achieve this: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27868 ∗∗∗ Fake-Shop-Alarm: Kaufen Sie keine Fahrräder auf efahrrad-shop.com! ∗∗∗ --------------------------------------------- Der Online-Shop efahrrad-shop.com präsentiert sich auf seiner Webseite als „ausgezeichneter und zertifizierter Online Fahrradfachhandel“. Doch wer sich die Seite genauer anschaut, stößt auf zahlreiche Ungereimtheiten. So findet sich ein fehlerhaftes Impressum auf der Webseite und die angegebenen Preise liegen deutlich unter den üblichen Preisen. Alles Hinweise dafür, dass es sich um einen Fake-Shop handelt. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-kaufen-sie-keine-fah… ∗∗∗ FamousSparrow: A suspicious hotel guest ∗∗∗ --------------------------------------------- Yet another APT group that exploited the ProxyLogon vulnerability in March 2021 --------------------------------------------- https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-gu… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1112: Trend Micro HouseCall for Home Networks Uncontrolled Search Path Element Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro HouseCall for Home Networks. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1112/ ∗∗∗ SonicWall warns users to patch critical vulnerability “as soon as possible” ∗∗∗ --------------------------------------------- SonicWall is asking SMA 100 series customers to patch their appliances against a vulnerability that could give attackers administrator access. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/sonicwal… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mupdf), Fedora (ghostscript, gifsicle, and ntfs-3g), openSUSE (kernel and nodejs14), and SUSE (curl, ffmpeg, gd, hivex, kernel, nodejs14, python-reportlab, sqlite3, and xen). --------------------------------------------- https://lwn.net/Articles/870365/ ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected system. These vulnerabilities have been detected in exploits in the wild. CISA encourages users and administrators to review the Apple security page for iOS 12.5.5 and Security Update 2021-006 Catalina and apply the necessary updates as soon as possible. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/09/23/apple-releases-se… ∗∗∗ BIG-IP APM XSS vulnerability CVE-2021-23054 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41997459 ∗∗∗ Trend Micro ServerProtect: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1010 ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Bind affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Public disclosed vulnerability from OpenSSL affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-public-disclosed-vulnerab… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a WebSphere Application Server vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2021
by Daily end-of-shift report 23 Sep '21

23 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-09-2021 18:00 − Donnerstag 23-09-2021 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers are scanning for VMware CVE-2021-22005 targets, patch now! ∗∗∗ --------------------------------------------- Threat actors have already started targeting Internet-exposed VMware vCenter servers unpatched against a critical arbitrary file upload vulnerability patched yesterday that could lead to remote code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-scanning-for-vmw… ∗∗∗ How REvil May Have Ripped Off Its Own Affiliates ∗∗∗ --------------------------------------------- A newly discovered backdoor and double chats could have enabled REvil ransomware-as-a-service operators to hijack victim cases and snatch affiliates’ cuts of ransom payments. --------------------------------------------- https://threatpost.com/how-revil-may-have-ripped-off-its-own-affiliates/174… ∗∗∗ Excel Recipe: Some VBA Code with a Touch of Excel4 Macro, (Thu, Sep 23rd) ∗∗∗ --------------------------------------------- Microsoft Excel supports two types of macros. The legacy format is known as “Excel4 macro” and the new (but already used for a while) is based on VBA. We already cover both formats in many diaries. Yesterday, I spotted an interesting sample that implements… both! --------------------------------------------- https://isc.sans.edu/diary/rss/27864 ∗∗∗ iOS 15 und macOS 12: Alte TLS-Versionen haben ausgedient ∗∗∗ --------------------------------------------- Apple will TLS 1.0 und 1.1 bald nicht mehr unterstützen. In iOS 15 & Co gelten die alten Versionen des Verschlüsselungsprotokolls bereits als abgekündigt. --------------------------------------------- https://heise.de/-6199902 ∗∗∗ BulletProofLink: Wo der ganze Phishing-Spam herkommt ∗∗∗ --------------------------------------------- Microsoft beschreibt im Detail, wie auch absolute Neulinge ohne Vorkenntnisse spielend leicht ins Geschäft mit geklauten Zugangsdaten einsteigen können. --------------------------------------------- https://heise.de/-6199720 ∗∗∗ Cyber Threats to Global Electric Sector on the Rise ∗∗∗ --------------------------------------------- The number of cyber intrusions and attacks targeting the Electric sector is increasing and in 2020 Dragos identified three new Activity Groups (AGs) targeting the Electric Sector: [...] --------------------------------------------- https://www.dragos.com/blog/industry-news/cyber-threats-to-global-electric-… ∗∗∗ Plugging the holes: How to prevent corporate data leaks in the cloud ∗∗∗ --------------------------------------------- Misconfigurations of cloud resources can lead to various security incidents and ultimately cost your organization dearly. Here’s what you can do to prevent cloud configuration conundrums. --------------------------------------------- https://www.welivesecurity.com/2021/09/22/plugging-holes-how-prevent-corpor… ∗∗∗ Rückblick auf das zweite Drittel 2021 ∗∗∗ --------------------------------------------- Das zweite Drittel 2021 ist vorbei und wie auch das erste gab es viel zu tun. Microsofts Exchange Server war diesmal nicht die einzige Mailserver-Software, in der kritische Lücken gefunden wurden; exim reihte sich mit gleich 21 Schwachsstellen in die Liste ein. Außerdem ging ab Juni wieder eine DDoS-Erpressungswelle um. --------------------------------------------- https://cert.at/de/blog/2021/9/ruckblick-auf-das-zweite-drittel-2021 ∗∗∗ CISA, FBI, and NSA Release Joint Cybersecurity Advisory on Conti Ransomware ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) alerting organizations of increased Conti ransomware attacks. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/09/22/cisa-fbi-and-nsa-… ∗∗∗ CISA Releases Guidance: IPv6 Considerations for TIC 3.0 ∗∗∗ --------------------------------------------- The federal government has prioritized the transition of federal networks to Internet Protocol version 6 (IPv6) since the release of Office of Management and Budget (OMB) Memorandum 05-22 in 2005. In 2020, OMB renewed its focus on IPv6 through the publication of OMB Memorandum 21-07. That memorandum specifically entrusts CISA with enhancing the Trusted Internet Connections (TIC) program to fully support the implementation of IPv6 in federal IT systems. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/09/23/cisa-releases-gui… ∗∗∗ Securing Microservices ∗∗∗ --------------------------------------------- Do you remember how it felt to get your first email account? Not only were you able to communicate with multiple people in a fast and efficient manner, it also gave you an online identity you could use to access a wide range of services. As time progressed, though, you became increasingly aware of email’s […] --------------------------------------------- https://www.intezer.com/blog/cloud-security/securing-microservices/ ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal Security Advisories ∗∗∗ --------------------------------------------- Drupal hat 12 Security Advisories zu "Contributed projects", d.h. Software, die nicht vom Drupal-Team selbst entwickelt wird, veröffentlicht. Vier davon werden als "Critical" eingestuft. --------------------------------------------- https://www.drupal.org/security/contrib ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBMs PSIRT hat 26 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 31 Security Advisories veröffentlicht. Drei davon werden als "Critical" eingestuft, 13 als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ruby-kaminari and tomcat8), Mageia (389-ds-base, ansible, apache, apr, cpio, curl, firefox, ghostscript, gifsicle, gpac, libarchive, libgd, libssh, lynx, nextcloud-client, openssl, postgresql, proftpd, python3, thunderbird, tor, and vim), openSUSE (chromium, ffmpeg, grilo, hivex, linuxptp, and samba), Oracle (go-toolset:ol8, kernel, kernel-container, krb5, mysql:8.0, and nodejs:12), SUSE (ffmpeg, firefox, grilo, hivex, kernel, linuxptp, nodejs14, and --------------------------------------------- https://lwn.net/Articles/870190/ ∗∗∗ Trane Symbio ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Code Injection vulnerability in Trane Symbio 700 and Symbio 800 controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01 ∗∗∗ Trane Tracer ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Code Injection vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge building automation products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-266-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2021
by Daily end-of-shift report 22 Sep '21

22 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-09-2021 18:00 − Mittwoch 22-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Apple users warned: Clicking this attachment will take over your macOS ∗∗∗ --------------------------------------------- A code execution bug in Apple's macOS allows remote attackers to run arbitrary commands on your device. And the worst part is, Apple hasn't fully patched it yet, as tested by Ars. --------------------------------------------- https://arstechnica.com/?p=1797268 ∗∗∗ Datenanalyse: Steigende Zahl automatisierter Cyberangriffe ∗∗∗ --------------------------------------------- Automatisierung ist seit Jahren ein wichtiges Thema. Auch Online-Kriminelle haben laut eine Analyse die Vorteile für sich entdeckt. Kriminelle Hacker setzen nach einer neuen Datenanalyse bei Cyberangriffen immer häufiger auf automatisierte Massenattacken. Seltener werden dagegen gezielte Angriffe, bei denen Hacker noch persönlich am Computer sitzen... --------------------------------------------- https://heise.de/-6198205 ∗∗∗ Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners ∗∗∗ --------------------------------------------- We strongly recommend updating immediately to the latest patched version of Ninja Forms to patch these security issues, which is version 3.5.8.2 of Ninja Forms at the time of this publication. --------------------------------------------- https://www.wordfence.com/blog/2021/09/recently-patched-vulnerabilities-in-… ∗∗∗ Bei diesen Investitionsplattformen verlieren Sie Ihr Geld ∗∗∗ --------------------------------------------- Im Internet findet man unzählige Möglichkeiten, Geld einfach und unkompliziert zu investieren. Auf Trading-Plattformen wie infinitycapitalg.com, suntonfx.com oder windsorglobalaustria.com werden hohe Gewinnchancen, auch ohne großes Finanzwissen versprochen. Klingt zwar sehr verlockend, führt in Wahrheit aber zu sehr hohen Verlusten! Unser Tipp: Checken Sie die Investorenwarnungen der Finanzmarktaufsicht. --------------------------------------------- https://www.watchlist-internet.at/news/bei-diesen-investitionsplattformen-v… ∗∗∗ Microsoft Exchange Autodiscover-Designfehler ermöglicht Abgriff von Zugangsdaten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Guardicore sind in Microsoft Exchange auf einen Designfehler gestoßen, der es Angreifern ermöglicht, über externe Autodiscover-Domains die Anmeldedaten von Domains abzugreifen. Möglich wird dies, weil sich Autodiscover-Domains außerhalb der Domäne des Nutzers (aber noch in derselben TLD) missbrauchen lassen. --------------------------------------------- https://www.borncity.com/blog/2021/09/22/microsoft-exchange-autodiscover-de… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1104: McAfee Endpoint Security Incorrect Permission Assignment Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of McAfee Endpoint Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1104/ ∗∗∗ Patch now! Insecure Hikvision security cameras can be taken over remotely ∗∗∗ --------------------------------------------- The vulnerability found by Watchfull_IP is listed under CVE-2021-36260 and could allow an unauthenticated attacker to gain full access to the device and possibly perform lateral movement into internal networks.. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-no… ∗∗∗ September 22, 2021 TNS-2021-16 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1 ∗∗∗ --------------------------------------------- One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution, and in line with best practice, Tenable opted to upgrade the bundled OpenSSL components to address the potential impact of these issues. Tenable.sc patch SC-202109.1 updates OpenSSL to version 1.1.1l to address the identified vulnerabilities. --------------------------------------------- http://www.tenable.com/security/tns-2021-16 ∗∗∗ VMSA-2021-0020 ∗∗∗ --------------------------------------------- Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. CVSSv3 Range: 4.3-9.8 CVE(s): CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22012, CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017, CVE-2021-22018, CVE-2021-22019, CVE-2021-22020 --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0020.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grilo), Fedora (curl, firefox, mingw-python-pillow, python-pillow, python2-pillow, and webkit2gtk3), openSUSE (chromium, grafana-piechart-panel, kernel, libcroco, php-composer, and xen), Oracle (curl, kernel, and nss and nspr), Red Hat (nodejs:12), Slackware (alpine), SUSE (ghostscript, grafana-piechart-panel, kernel, and xen), and Ubuntu (linux, linux-hwe, linux-hwe-5.11, linux-hwe-5.4, linux-raspi, linux-raspi-5.4, and linux-raspi2). --------------------------------------------- https://lwn.net/Articles/870002/ ∗∗∗ Apple iTunes: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann mehrere Schwachstellen in Apple iTunes ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0997 ∗∗∗ Apple Safari: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann mehrere Schwachstellen in Apple Safari ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0996 ∗∗∗ Apple macOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Apple macOS ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen, beliebigen Programmcode auszuführen, Informationen offenzulegen, seine Privilegien zu erhöhen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0994 ∗∗∗ Apple macOS: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apple macOS ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1000 ∗∗∗ Security Advisory - Server-Side Request Forgery Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210922-… ∗∗∗ Security Advisory - Improper File Upload Control Vulnerability in Huawei FusionCompute Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210922-… ∗∗∗ Security Advisory - Command Injection Vulnerability in Huawei FusionCompute Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210922-… ∗∗∗ Security Bulletin: IBM® Java™ SDK Technology Edition affects IBM Security Verify Governance, Identity Manager virtual appliance component (ISVG IMVA) (CVE-2020-14781,CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-technology-e… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2021-20377, CVE-2020-4690) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM QRadar Azure marketplace images include Open Management Infrastructure RPM, which is vulnerable to Remote Code Execution (CVE-2021-38647) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-azure-marketpl… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2021-29800) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities (CVE-2021-3538, CVE-2021-33502, CVE-2021-3450, CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Bind affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise v11, v12 (CVE-2020-7608) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component (ISVG IMVA) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2021
by Daily end-of-shift report 21 Sep '21

21 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Montag 20-09-2021 18:00 − Dienstag 21-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ A guide to combatting human-operated ransomware: Part 1 ∗∗∗ --------------------------------------------- As human-operated ransomware is on the rise, Microsoft’s Detection and Response Team (DART) shares how they investigate these attacks and what to consider when faced with a similar event in your organization. --------------------------------------------- https://www.microsoft.com/security/blog/2021/09/20/a-guide-to-combatting-hu… ∗∗∗ Mama Always Told Me Not to Trust Strangers without Certificates (Moar Netgear Pwnage) ∗∗∗ --------------------------------------------- This blog post details a vulnerability, the exploitation of which results in Remote Code Execution (RCE) as root, that impacts many modern Netgear Small Offices/Home Offices (SOHO) devices. The vulnerability isn’t your typical router vulnerability, in that the source of the vulnerability is located within a third-party component included in the firmware of many Netgear devices. This code is part of Circle, which adds parental control features to these devices. --------------------------------------------- https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html ∗∗∗ Does Your Organization Have a Security.txt File? ∗∗∗ --------------------------------------------- It happens all the time: Organizations get hacked because there isnt an obvious way for security researchers to let them know about security vulnerabilities or data leaks. Or maybe it isnt entirely clear who should get the report when remote access to an organizations internal network is being sold in the cybercrime underground. In a bid to minimize these scenarios, a growing number of major companies are adopting "Security.txt," a proposed new Internet standard... --------------------------------------------- https://krebsonsecurity.com/2021/09/does-your-organization-have-a-security-… ∗∗∗ TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines ∗∗∗ --------------------------------------------- Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware. --------------------------------------------- https://blog.talosintelligence.com/2021/09/tinyturla.html ∗∗∗ OpenOffice Vulnerability Exposes Users to Code Execution Attacks ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in Apache OpenOffice could be exploited to execute arbitrary code on target machines using malicious documents. Tracked as CVE-2021-33035 and discovered by security researcher Eugene Lim, the bug affects OpenOffice versions up to 4.1.10, with patches deployed in the 4.1.11 beta only, meaning that most installations out there are likely vulnerable. --------------------------------------------- https://www.securityweek.com/openoffice-vulnerability-exposes-users-code-ex… ∗∗∗ Vorsicht beim Welpen-Kauf im Internet! ∗∗∗ --------------------------------------------- Wollen Sie online einen Hundewelpen kaufen? Wenn ja, dann stoßen Sie möglicherweise auf unseriöse Angebote. Der Watchlist Internet werden derzeit zahlreiche Seiten gemeldet, die angeben Rasse-Hundewelpen zu verkaufen und das meist zu einem günstigen Preis. Nicht nur die Preise, sondern auch liebevolle Fotos und Beschreibungen verlocken dazu, einen Kauf zu tätigen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-welpen-kauf-im-interne… ∗∗∗ Russian security firm sinkholes part of the dangerous Meris DDoS botnet ∗∗∗ --------------------------------------------- Rostelecom-Solar, the cybersecurity division of Russian telecom giant Rostelecom, said on Monday that it sinkholed a part of the Meris DDoS botnet after identifying a mistake from the malwares creators. --------------------------------------------- https://therecord.media/russian-security-firm-sinkholes-part-of-the-dangero… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 21 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk, wpewebkit, and xen), Oracle (kernel), Red Hat (curl, go-toolset:rhel8, krb5, mysql:8.0, nodejs:12, and nss and nspr), and Ubuntu (curl and tiff). --------------------------------------------- https://lwn.net/Articles/869923/ ∗∗∗ Apple iOS & iPadOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- iOS 15 und iPadOS 15 sowie iOS 14.8 und iPadOS 14.8 veröffentlicht. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0993 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2021
by Daily end-of-shift report 20 Sep '21

20 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-09-2021 18:00 − Montag 20-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Krypto-Miner schlüpft durch OMIGOD-Lücken auf Azure-Server ∗∗∗ --------------------------------------------- Angreifer attackieren derzeit Azure-Kunden mit virtuellen Linux-PCs. Admins sollten jetzt handeln und die verfügbaren Sicherheitsupdates installieren. --------------------------------------------- https://heise.de/-6195928 ∗∗∗ Epik data breach impacts 15 million users, including non-customers ∗∗∗ --------------------------------------------- Scraped WHOIS data of NON-Epik customers also exposed in the 180 GB leak. --------------------------------------------- https://arstechnica.com/?p=1796568 ∗∗∗ Bring Your APIs Out of the Shadows to Protect Your Business ∗∗∗ --------------------------------------------- APIs are immensely more complex to secure. Shadow APIs - those unknown or forgotten API endpoints that escape the attention and protection of IT - present a real risk to your business. Learn how to identify shadow APIs and take control of them before attackers do. --------------------------------------------- https://threatpost.com/apis-out-of-shadows-protect-your-business/169334/ ∗∗∗ Video: Simple Analysis Of A CVE-2021-40444 .docx Document, (Sun, Sep 19th) ∗∗∗ --------------------------------------------- I created a video for the analysis I described in my last diary entry "Simple Analysis Of A CVE-2021-40444 .docx Document". --------------------------------------------- https://isc.sans.edu/diary/rss/27850 ∗∗∗ EventBuilder Exposed Information of Over 100,000 Event Registrants ∗∗∗ --------------------------------------------- Event management company EventBuilder exposed files containing the personal information of at least 100,000 users who registered for events on its platform. --------------------------------------------- https://www.securityweek.com/eventbuilder-exposed-information-over-100000-e… ∗∗∗ Network Security Trends: May-July 2021 ∗∗∗ --------------------------------------------- Network security trends, May-July 2021: We analyze how vulnerabilities are being exploited in the wild and rank the most common types of attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/network-security-trends/ ∗∗∗ Threat landscape for industrial automation systems. Statistics for H1 2021 ∗∗∗ --------------------------------------------- In H1 2021, the percentage of ICS computers on which malicious objects were blocked was 33.8%, which was 0.4 p.p. more than in H2 2020. --------------------------------------------- https://ics-cert.kaspersky.com/reports/2021/09/09/threat-landscape-for-indu… ∗∗∗ ‘Yes, we are breaking the law:’ An interview with the operator of a marketplace for stolen data ∗∗∗ --------------------------------------------- A website called Marketo emerged earlier this year, billing itself as a marketplace where people can buy leaked data. Although Marketo isn’t a ransomware group, it appears to borrow key strategies from those types of threat actors. --------------------------------------------- https://therecord.media/yes-we-are-breaking-the-law-an-interview-with-the-o… ===================== = Vulnerabilities = ===================== ∗∗∗ #OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports., (Mon, Sep 20th) ∗∗∗ --------------------------------------------- After the "OMIGOD" vulnerability details were made public, and it became obvious that exploiting vulnerable hosts would be trivial, researchers and attackers started pretty much immediately to scan for vulnerable hosts. We saw a quick rise of scans, particularly against port:1270. --------------------------------------------- https://isc.sans.edu/diary/rss/27852 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28, nettle, nextcloud-desktop, and openssl1.0), Fedora (dovecot-fts-xapian, drupal7, ghostscript, haproxy, libtpms, lynx, wordpress, and xen), openSUSE (xen), Red Hat (rh-ruby27-ruby), and SUSE (openssl, openssl1, and xen). --------------------------------------------- https://lwn.net/Articles/869863/ ∗∗∗ Researchers put together a list of vulnerabilities abused by Ransomware - Look for these immediately ∗∗∗ --------------------------------------------- LINK To make it easy, I pulled it and created a simple txt list you can use. These are the some of the initial access methods. --------------------------------------------- https://securitythreatnews.com/2021/09/20/researchers-put-together-a-list-o… ∗∗∗ McAfee Endpoint Security: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0991 ∗∗∗ Security Bulletin: IBM Aspera Webapps are vulnerable to cross-site scripting (CVE-2020-11022, CVE-2020-11023). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-are-vu… ∗∗∗ Security Bulletin: IBM SDK, Java Tech Edition Quarterly CPU – Apr 2021 + Oracle Apr 2021; Jul 2021 + Oracle 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-tech-edition… ∗∗∗ Security Bulletin: Aspera Web Applications (Shares, Console) are affected by OpenSSL Vulnerabilities (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-applications-s… ∗∗∗ Security Bulletin: IBM Data Replication Java SDK Update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java… ∗∗∗ Security Bulletin: IBM Data Replication Java SDK Update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java… ∗∗∗ Security Bulletin: ISC DHCP for IBM i is affected by CVE-2021-25217 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-isc-dhcp-for-ibm-i-is-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Data Replication Java SDK Update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data could allow a local user with special privileges to obtain highly sensitive information ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-co… ∗∗∗ Security Bulletin: IBM Aspera Webapps products (Shares, Console) are affected by OpenSSL Vulnerability (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-produc… ∗∗∗ Security Bulletin: IBM Aspera Webapps (Shares, Console) are vulnerable to an OpenSSL Vunerability (CVE-2020-7656). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-shares… ∗∗∗ Security Bulletin: IBM SDK, Java Tech Edition Quarterly CPU Apr 2021 + Oracle APR 2021; Jul 2021 + Oracle Jul 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-tech-edition… ∗∗∗ Security Bulletin: Aspera Web Applications (Shares, Console) are affected by an OpenSSL Vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-applications-s… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Commons* affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities is affecting Tivoli Netcool/OMNIbus WebGUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2021
by Daily end-of-shift report 17 Sep '21

17 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-09-2021 18:00 − Freitag 17-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ OMIGOD: Microsoft lässt Azure-Admins mit Linux-Lücke allein ∗∗∗ --------------------------------------------- Kritische Lücken in der Microsoft-Cloud ermöglichen Root-Angriffe auf Linux-VMs. Microsoft weist die Verantwortung für wichtige Updates allerdings von sich. --------------------------------------------- https://heise.de/-6194618 ∗∗∗ US-Heimatschutz warnt vor weitreichenden Angriffen über Zoho ADSelfService Plus ∗∗∗ --------------------------------------------- Über eine kritische Sicherheitslücke haben sich APT-Gruppen Zugang zu den Netzwerken mehrerer Organisationen verschafft. --------------------------------------------- https://heise.de/-6194780 ∗∗∗ Exploitation of the CVE-2021-40444 vulnerability in MSHTML ∗∗∗ --------------------------------------------- Last week, Microsoft reported the RCE vulnerability CVE-2021-40444 in the MSHTML browser engine. Kaspersky is aware of targeted attacks using this vulnerability, and our products protect against attacks leveraging it. --------------------------------------------- https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-… ∗∗∗ Malicious Calendar Subscriptions Are Back?, (Fri, Sep 17th) ∗∗∗ --------------------------------------------- Did this threat really disappear? This isnt a brand new technique to deliver malicious content to mobile devices but it seems that attackers started new waves of spam campaigns based on malicious calendar subscriptions. --------------------------------------------- https://isc.sans.edu/diary/rss/27846 ∗∗∗ A Cheat-Sheet on Internet Cookies – (Who, What, When, Why & How) ∗∗∗ --------------------------------------------- What are internet cookies, how should you feel about them? Are they helpful, harmless, dangerous? Cookies are key to our modern online experience with targeted website ads and predictive search text that seems to read our minds. Cookies help us gain a customized online experience, but what do we lose? Are we being manipulated by our own data? --------------------------------------------- https://blog.sucuri.net/2021/09/a-cheat-sheet-on-internet-cookies-who-what-… ∗∗∗ AMD Chipset Driver Vulnerability Can Allow Hackers to Obtain Sensitive Data ∗∗∗ --------------------------------------------- Chipmaker AMD has patched a driver vulnerability that could allow an attacker to obtain sensitive information from the targeted system. --------------------------------------------- https://www.securityweek.com/amd-chipset-driver-vulnerability-can-allow-hac… ∗∗∗ DDoS botnets, cryptominers target Azure systems after OMIGOD exploit goes public ∗∗∗ --------------------------------------------- Threat actors are attacking Azure Linux-based servers using a recently disclosed security flaw named OMIGOD in order to hijack vulnerable systems into DDoS or crypto-mining botnets. --------------------------------------------- https://therecord.media/ddos-botnets-cryptominers-target-azure-systems-afte… ===================== = Vulnerabilities = ===================== ∗∗∗ Analysis of CVE-2021-30860 ∗∗∗ --------------------------------------------- In this guest blog post, the security researcher Tom McGuire details the flaw and fix of CVE-2021-30860, a zero-click vulnerability, exploited in the wild. --------------------------------------------- https://objective-see.com/blog/blog_0x67.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Fedora (haproxy, wordpress, and xen), openSUSE (apache2-mod_auth_openidc, fail2ban, ghostscript, haserl, libcroco, nextcloud, and wireshark), Oracle (kernel and kernel-container), Slackware (httpd), SUSE (crmsh, gtk-vnc, libcroco, Mesa, postgresql12, postgresql13, and transfig), and Ubuntu (libgcrypt20, linux-gcp, linux-gcp-4.15, linux-hwe-5.4, linux-oem-5.13, python3.4, python3.5, and qtbase-opensource-src). --------------------------------------------- https://lwn.net/Articles/869521/ ∗∗∗ Siemens RUGGEDCOM ROX ∗∗∗ --------------------------------------------- This advisory contains mitigations for Exposure of Sensitive Information to an Unauthorized Actor, Execution with Unnecessary Privileges, and Improper Handling of Insufficient Permissions or Privileges vulnerabilities in Siemens RUGGEDCOM ROX devices. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-259-01 ∗∗∗ Schneider Electric EcoStruxure and SCADAPack ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Path Traversal vulnerability in Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect software designed for the x70 SCADAPack system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-259-02 ∗∗∗ Siemens Teamcenter ∗∗∗ --------------------------------------------- This advisory contains mitigations for Privilege Defined with Unsafe Actions, Authorization Bypass Through User-Controlled Key, and Improper Restriction of XML External Entity Reference vulnerabilities in the Siemens Teamcenter virtualization platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-257-08 ∗∗∗ Security Bulletin: A security vulnerability in NGINX ffects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js pac-resolver module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Golang GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Golang Go affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in IBM Http server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: A security vulnerability in Node.js xmlhttprequest-ssl module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: September 2021 :Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-september-2021-multiple-v… ∗∗∗ Security Bulletin: A security vulnerability in Node.js xmlhttprequest-ssl module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: September 2021 : A vulnerability in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-september-2021-a-vulnerab… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2021
by Daily end-of-shift report 16 Sep '21

16 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-09-2021 18:00 − Donnerstag 16-09-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing 101: why depend on one suspicious message subject when you can use many?, (Thu, Sep 16th) ∗∗∗ --------------------------------------------- There are many e-mail subjects that people tend to associate with phishing due to their overuse in this area. Among the more traditional and common phishing subjects, that most people have probably seen at some point, are variations on the [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27842 ∗∗∗ Third Critical Bug Affects Netgear Smart Switches — Details and PoC Released ∗∗∗ --------------------------------------------- New details have been revealed about a recently remediated critical vulnerability in Netgear smart switches that could be leveraged by an attacker to potentially execute malicious code and take control of vulnerable devices. The flaw — dubbed "Seventh Inferno" (CVSS score: 9.8) — is part of a trio of security weaknesses, called Demons Cries (CVSS score: 9.8) and Draconian Fear (CVSS score: 7.8) --------------------------------------------- https://thehackernews.com/2021/09/third-critical-bug-affects-netgear.html ∗∗∗ PetitPotam – NTLM Relay to AD CS ∗∗∗ --------------------------------------------- Deployment of an Active Directory Certificate Services (AD CS) on a corporate environment could allow system administrators to utilize it for establishing trust between different directory objects. However, it could allow red team operators to conduct an NTLM relay attack towards the web interface of an AD CS in order to compromise the network. --------------------------------------------- https://pentestlab.blog/2021/09/14/petitpotam-ntlm-relay-to-ad-cs/ ∗∗∗ Hunderttausende MikroTik-Router sind seit 2018 angreifbar ∗∗∗ --------------------------------------------- Ein auf die Geräte spezialisiertes Botnetz hat in den vergangenen Monaten großangelegte Angriffe auf Cloudflare und Yandex zu verantworten. --------------------------------------------- https://heise.de/-6193825 ∗∗∗ Operation Layover: How we tracked an attack on the aviation industry to five years of compromise ∗∗∗ --------------------------------------------- Cisco Talos linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years. The same actor has been running successful malware campaigns for more than five years. --------------------------------------------- https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked… ∗∗∗ Vorsicht vor unseriösen Shops auf Pinterest ∗∗∗ --------------------------------------------- Günstige Modeangebote auf Pinterest entpuppen sich im Nachhinein als Kostenfalle. Oft kommt es zu hohen Lieferkosten, Zollkosten oder Rücksendekosten – Falls Retouren überhaupt akzeptiert werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-unserioesen-shops-auf-p… ∗∗∗ Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit ∗∗∗ --------------------------------------------- RiskIQ’s Team Atlas assesses with high confidence that the network infrastructure supporting the exploitation of a Windows zero-day vulnerability disclosed by Microsoft on September 7, CVE-2021-40444, shares historical connections with that of a ransomware syndicate known as WIZARD SPIDER. This group, also tracked separately under the names UNC1878 and RYUK, deploys several different ransomware families in targeted Big-Game Hunting campaigns. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/wizard-spider-window… ∗∗∗ Dangling Domains: Security Threats, Detection and Prevalence ∗∗∗ --------------------------------------------- Dangling domains are a largely overlooked threat in DNS, but they can be exploited for domain hijacking and are important to detect. --------------------------------------------- https://unit42.paloaltonetworks.com/dangling-domains/ ∗∗∗ New Go malware Capoae targets WordPress installs, Linux systems ∗∗∗ --------------------------------------------- Capoae highlights the increase of cyberattacks designed to deploy cryptocurrency-mining payloads. --------------------------------------------- https://www.zdnet.com/article/new-go-malware-capoae-targets-wordpress-insta… ∗∗∗ Malware samples found trying to hack Windows from its Linux subsystem ∗∗∗ --------------------------------------------- Security researchers at Lumens Black Lotus Labs have found a series of malware samples that were configured to infect the Windows Subsystem for Linux and then pivot to its native Windows environment. --------------------------------------------- https://therecord.media/malware-samples-found-trying-to-hack-windows-from-i… ∗∗∗ Universal decryptor released for past REvil ransomware victims ∗∗∗ --------------------------------------------- Romanian cybersecurity firm Bitdefender has published today a universal decryption utility that will be able to help past victims of the REvil (Sodinokibi) ransomware gang recover their encrypted files — if they still have them. --------------------------------------------- https://therecord.media/universal-decryptor-released-for-past-revil-ransomw… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke ohne Patch gefährdet ältere IBM-System-X-Server ∗∗∗ --------------------------------------------- Die Server werden seit 2020 nicht mehr mit Updates versorgt. Angreifer können sie nun über eine Lücke in der Firmware der Admin-Schnittstelle IMM kapern. --------------------------------------------- https://heise.de/-6193718 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sssd), Fedora (libtpms and vim), openSUSE (kernel and php7-pear), Oracle (kernel), Slackware (curl), and Ubuntu (libgcrypt20 and squashfs-tools). --------------------------------------------- https://lwn.net/Articles/869380/ ∗∗∗ Several Access Bypass, CSRF Vulnerabilities Patched in Drupal ∗∗∗ --------------------------------------------- Drupal developers on Wednesday informed users that updates released for Drupal 8.9, 9.1 and 9.2 patch five vulnerabilities that can be exploited for cross-site request forgery (CSRF) and access bypass. --------------------------------------------- https://www.securityweek.com/several-access-bypass-csrf-vulnerabilities-pat… ∗∗∗ iTunes U 3.8.3 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212809 ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to Information Disclosure (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM Aspera Webapps are vulnerable to cross-site scripting (CVE-2020-7656). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-are-vu… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: libXml2 used by IBM InfoSphere Identity Insight has a potential vulnerability (CVE-2021-3518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-libxml2-used-by-ibm-infos… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure, exposing remote storage credentials to privileged users under specific conditions.(CVE-2021-29752) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Bouncy Castle affect IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-bouncy… ∗∗∗ Security Bulletin: IBM® Db2® could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. (CVE-2021-29825) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-disclose-se… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Apr 2021 – Includes Oracle Apr 2021 CPU minus CVE-2021-2163 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM® Db2® under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory.and cause a denial of service. (CVE-2021-29763) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-under-very-specif… ∗∗∗ OpenSSH: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0979 ∗∗∗ Kubernetes: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0977 ∗∗∗ Fluent Bit: Schwachstelle ermöglicht Darstellen falscher Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0985 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0980 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2021
by Daily end-of-shift report 15 Sep '21

15 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-09-2021 18:00 − Mittwoch 15-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Phishing-Alarm: Kriminelle behaupten Ihr Amazon-Konto sei gesperrt! ∗∗∗ --------------------------------------------- BetrügerInnen verschicken derzeit ein vermeintliches E-Mail von Amazon. Darin behaupten sie, dass Ihr Amazon-Konto und alle ausstehenden Bestellungen gesperrt wurden. Wer gerade etwas bestellt hat, ärgert sich natürlich über diese E-Mail. Doch es besteht kein Grund zur Sorge. Kriminelle versuchen nur an Ihre Zugangsdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-kriminelle-behaupten-… ∗∗∗ The September 2021 Security Update Review ∗∗∗ --------------------------------------------- It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Apple and Google Chrome also released updates yesterday to fix bugs under active attack. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings. --------------------------------------------- https://www.thezdi.com/blog/2021/9/14/the-september-2021-security-update-re… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1066: (0Day) Parallels Desktop virtio-net Memory Corruption Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1066/ ∗∗∗ Cisco IOS XR Software IP Service Level Agreements and Two-Way Active Measurement Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the IP Service Level Agreements (IP SLA) responder and Two-Way Active Measurement Protocol (TWAMP) features of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause device packet memory to become exhausted or cause the IP SLA process to crash, resulting in a denial of service (DoS) condition. Version 1.1: Added additional SMUs. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Vulnerabilities in the Autodesk FBX Review software ∗∗∗ --------------------------------------------- Applications and Services that utilize the Autodesk FBX Review have been affected by Use-After-Free, Memory Corruption, Out-Of-Bounds Read, Untrusted Pointer Dereference, Out-Of-Bounds Write, and Directory Traversal vulnerabilities. Exploitation of these vulnerabilities could lead to remote code execution and/or denial-of-service. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001 ∗∗∗ Patchday: Microsoft schließt von Angreifern ausgenutzte Lücke in Windows ∗∗∗ --------------------------------------------- Seit Anfang September haben Angreifer eine Windows-Lücke im Visier. Nun gibt es Sicherheitsupdates. Auch PrintNightmare spielt am Patchday nochmal eine Rolle. --------------------------------------------- https://heise.de/-6192327 ∗∗∗ SAP schließt ungewohnt viele kritische Sicherheitslücken zum Patchday ∗∗∗ --------------------------------------------- Admins aufgepasst: SAPs Security Advisory zum Patchday im September beinhaltet gleich fünf Hinweise zu kritischen Lücken in NetWeaver und weiteren Produkten. --------------------------------------------- https://heise.de/-6192352 ∗∗∗ Patchday: Adobe schließt Schadcode-Lücken in Photoshop & Co. ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für verschiedene Anwendungen von Adobe erschienen. Der Softwarehersteller stuft viele Schwachstellen als kritisch ein. --------------------------------------------- https://heise.de/-6192382 ∗∗∗ Mozilla NSS vulnerability CVE-2020-12413 ∗∗∗ --------------------------------------------- This can lead to an attacker being able to compute the pre-master secret in connections that have used a Diffie-Hellman (DH)-based cipher suite. In such a case, this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The highest threat from this vulnerability is to data confidentiality. Affected products: F5OS, Traffix SDC --------------------------------------------- https://support.f5.com/csp/article/K28409184 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, element-desktop, element-web, firefox, ghostscript, and hedgedoc), Fedora (kernel and openssl), openSUSE (ghostscript, htmldoc, and openssl-1_0_0), Oracle (libtirpc), Red Hat (cyrus-imapd, kernel, and kernel-rt), SUSE (ghostscript), and Ubuntu (apport, curl, and squashfs-tools). --------------------------------------------- https://lwn.net/Articles/869301/ ∗∗∗ Linux Kernel: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0970 ∗∗∗ cURL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in cURL ausnutzen, um einen Denial of Service Angriff durchzuführen oder die Kryptographie zu umgehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0969 ∗∗∗ Internet Systems Consortium BIND: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Internet Systems Consortium BIND ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0968 ∗∗∗ AMD Prozessoren und Chipsätze: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle im AMD Prozessoren und Chipsätzen ausnutzen, um Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0967 ∗∗∗ SYSS-2021-040: TechRadar for Confluence Server 5.6 - 7.13.0 – Persistent Cross-Site Scripting (XSS) in Feld "Title" (CVE-2021-37412) ∗∗∗ --------------------------------------------- Das Atlassian Confluence Plug-in “TechRadar” verwendet bis Version 1.1 keine ausreichende Eingabevalidierung. Dadurch sind Persistent XSS-Angriffe möglich. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-040-techradar-for-confluence-ser… ∗∗∗ Microsoft Azure-Schwachstelle OMIGOD in Linux VMs patchen ∗∗∗ --------------------------------------------- Wer unter Microsoft Azure für Linux-VMs verantwortlich ist, muss dringend reagieren. Dort wurden stillschweigen einen Verwaltungsagenten installiert, der RCE- und LPE-Schwachstellen aufweisen. Die OMIGOD genannte Sicherheitslücke muss manuell gepatcht werden, da kein Azure-update-Mechanismus existiert. --------------------------------------------- https://www.borncity.com/blog/2021/09/15/microsoft-azure-schwachstelle-omig… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, V12 (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK July 2021 CPU affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to Denial of Service via CVE-2021-34558 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to Denial of Service via CVE-2021-33198 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by the following vulnerabilities ( CVE-2021-29773, CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using weaker than expected cryptographic algorithms (CVE-2021-29750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information Exposure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to Denial of Service via CVE-2021-33196 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Digi PortServer TS 16 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01 ∗∗∗ Johnson Controls Sensormatic Electronics KT-1 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-257-02-0 ∗∗∗ Schneider Electric Struxureware Data Center Expert ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-257-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2021
by Daily end-of-shift report 14 Sep '21

14 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Montag 13-09-2021 18:00 − Dienstag 14-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New Zloader attacks disable Windows Defender to evade detection ∗∗∗ --------------------------------------------- An ongoing Zloader campaign uses a new infection chain to disable Microsoft Defender Antivirus (formerly Windows Defender) on victims computers to evade detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-zloader-attacks-disable-… ∗∗∗ Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike ∗∗∗ --------------------------------------------- In August 2021, we at Intezer discovered a fully undetected ELF implementation of Cobalt Strike’s beacon, which we named Vermilion Strike. The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files. The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementat… ∗∗∗ Lücken im Matrix-Protokoll gefährden Ende-zu-Ende-Verschlüsselung von Messengern ∗∗∗ --------------------------------------------- Aufgrund von kritischen Lücken in verschiedenen Matrix-Clients könnten Angreifer eigentlich verschlüsselte Nachrichten mitlesen. --------------------------------------------- https://heise.de/-6191625 ∗∗∗ Apple releases emergency update: Patch, but don’t panic ∗∗∗ --------------------------------------------- Spyware developed by the company NSO Group is back in the news today after Apple released an emergency fix for iPhones, iPads, Macs, and Apple Watches. The update fixes a vulnerability silently exploited by software called Pegasus, which is often used in high-level surveillance campaigns by governments. --------------------------------------------- https://blog.malwarebytes.com/privacy-2/2021/09/apple-releases-emergency-up… ∗∗∗ Facebook: Cineplexx-Gewinnspiel für "James Bond"-Tickets ist Fake ∗∗∗ --------------------------------------------- Auf Facebook kursiert gerade ein Fake-Gewinnspiel der Seite „Cineplexx Österreich“. Dort werden angeblich 2 „VIP-Spionage-Tickets“ für den neuen James Bond Film verlost. Die Teilnahme funktioniert ganz einfach: Man muss lediglich den Beitrag kommentieren. In weiterer Folge erhalten TeilnehmerInnen dann über den Facebook-Messenger eine Gewinnbenachrichtigung und werden gebeten, auf einen Link zu klicken. Vorsicht: Die Facebook-Seite „Cineplexx Österreich“ ist Fake, Sie tappen in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/facebook-cineplexx-gewinnspiel-fuer-… ∗∗∗ Benutzt hier jemand Travis CI? Stellt sich raus: Keine gute Idee ∗∗∗ --------------------------------------------- Ich sage euch, die Leichtigkeit, mit der die Leute ihren Kram in die Cloud schieben, ist immer wieder atemberaubend. Als ob das nicht dein Problem ist, wenn bei denen dann was kaputt geht!? --------------------------------------------- http://blog.fefe.de/?ts=9fbe5059 ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix ShareFile Storage Zones Controller Security Update ∗∗∗ --------------------------------------------- A security issue has been identified in Citrix ShareFile storage zones controller which, if exploited, would allow an unauthenticated attacker to remotely compromise the storage zones controller. --------------------------------------------- https://support.citrix.com/article/CTX328123 ∗∗∗ Siemens Advisories/Bulletins ∗∗∗ --------------------------------------------- Siemens hat am 14.9.2021 21 neue und 25 aktualisierte Advisories/Bulletins veröffentlicht. --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html ∗∗∗ SAP Security Patch Day - September 2021 ∗∗∗ --------------------------------------------- On 14th of September 2021, SAP Security Patch Day saw the release of 17 Security Notes. There were 2 updates to previously released Patch Day Security Note. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 ∗∗∗ Nitro PDF Pro: Security-Update verhindert Codeausführung über präparierte PDFs ∗∗∗ --------------------------------------------- Die Software Nitro PDF Pro war unter anderem mittels schädlicher PDF-Dateien angreifbar. Die neueste Version umfasst zwei wichtige Sicherheitslücken-Fixes. --------------------------------------------- https://heise.de/-6191199 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (libaom and nextcloud), Oracle (cyrus-imapd, firefox, and thunderbird), Red Hat (kernel and kpatch-patch), Scientific Linux (firefox and thunderbird), and Ubuntu (apport). --------------------------------------------- https://lwn.net/Articles/869221/ ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Jira ist eine Webanwendung zur Softwareentwicklung. Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Jira Software ausnutzen, um Informationen offenzulegen, Sicherheitsmaßnahmen zu umgehen und einen Denial of Service Zustand herbeizuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0961 ∗∗∗ ImageMagick: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- ImageMagick ist eine Sammlung von Programmbibliotheken und Werkzeugen, die Grafiken in zahlreichen Formaten verarbeiten kann. Ein entfernter, anonymer Angreifer kann eine Schwachstelle in ImageMagick ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0962 ∗∗∗ Sicherheitslücke in HP OMEN Gaming Hub ∗∗∗ --------------------------------------------- Sicherheitsforscher von SentinelOne haben jetzt eine schwerwiegende Sicherheitslücke im HP OMEN Gaming Hub gefunden. Die Sicherheitslücke im Treiber der Gamingsoftware von HP OMEN erlaubt Angreifern Systemrechte zu erlangen. Dies ermöglicht Systemeingriffe und das Einschleusen von Malware für nichtprivilegierte Nutzer. --------------------------------------------- https://www.borncity.com/blog/2021/09/14/sicherheitslcke-in-hp-omen-gaming-… ∗∗∗ ZDI-21-1065: (0Day) Autodesk Navisworks DWG File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1065/ ∗∗∗ ZDI-21-1064: (0Day) Autodesk Navisworks PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1064/ ∗∗∗ ZDI-21-1063: (0Day) Autodesk Navisworks PDF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1063/ ∗∗∗ ZDI-21-1062: (0Day) Autodesk Navisworks DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1062/ ∗∗∗ ZDI-21-1061: (0Day) Autodesk Navisworks PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1061/ ∗∗∗ ZDI-21-1060: (0Day) Autodesk Navisworks DWG File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1060/ ∗∗∗ Security Bulletin: CVE-2021-2341 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2341-may-affect-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2021-29744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability in IBM Financial Transaction Manager for SWIFT Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Spring Framework vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Stored Cross-site Scripting (CVE-2021-29743) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Vault ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM DB2 affect the IBM Intelligent Operations Center (CVE-2020-4701, CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2021
by Daily end-of-shift report 13 Sep '21

13 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-09-2021 18:00 − Montag 13-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Warten auf Windows-Patches: Selbstbau-Anleitung für MSHTML-Exploit in Umlauf ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen, wie Angreifer Microsofts Schutzmaßnahmen vor Windows-Attacken umgehen könnten. Außerdem ist ein Exploit-Baukasten verfügbar. --------------------------------------------- https://heise.de/-6190319 ∗∗∗ SOVA, Worryingly Sophisticated Android Trojan, Takes Flight ∗∗∗ --------------------------------------------- The malware appeared in August with an ambitious roadmap (think ransomware, DDoS) that could make it the most feature-rich Android malware on the market. --------------------------------------------- https://threatpost.com/sova-sophisticated-android-trojan/169366/ ∗∗∗ Shipping to Elasticsearch Microsoft DNS Logs, (Sat, Sep 11th) ∗∗∗ --------------------------------------------- This parser takes the logs from a Windows 2012R2 and/or 2019 server (C:\DNSLogs\windns.log) and parses them into usable metatada which can be monitored and queried via an ELK dashboard. The logs have been mapped using DNS ECS field meta here [1]. --------------------------------------------- https://isc.sans.edu/diary/rss/27828 ∗∗∗ New SpookJS Attack Bypasses Google Chrome’s Site Isolation Protection ∗∗∗ --------------------------------------------- A newly discovered side-channel attack demonstrated on modern processors can be weaponized to successfully overcome Site Isolation protections weaved into Google Chrome and Chromium browsers and leak sensitive data in a Spectre-style speculative execution attack. Dubbed "Spook.js" by academics from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv [...] --------------------------------------------- https://thehackernews.com/2021/09/new-spookjs-attack-bypasses-google.html ∗∗∗ REvil: Ransomware-Gang in neuer Aufstellung wieder aktiv ∗∗∗ --------------------------------------------- Neue Forenbeiträge und "Happy Blog"-Inhalte belegen, dass die Erpresserbande um REvil zurück ist - und dass ihre Auszeit wohl nicht freiwillig war. --------------------------------------------- https://heise.de/-6190537 ∗∗∗ BazarLoader to Conti Ransomware in 32 Hours ∗∗∗ --------------------------------------------- Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown [...] --------------------------------------------- https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-… ∗∗∗ Incident response analyst report 2020 ∗∗∗ --------------------------------------------- We deliver a range of services: incident response, digital forensics and malware analysis. Data in the report comes from our daily practices with organizations seeking assistance with full-blown incident response or complementary expert activities for their internal incident response teams. --------------------------------------------- https://securelist.com/incident-response-analyst-report-2020/104080/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Code execution vulnerability in Nitro Pro PDF ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a vulnerability in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application. --------------------------------------------- https://blog.talosintelligence.com/2021/09/nitro-pro-code-execution.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu and thunderbird), Fedora (chromium, firefox, and mosquitto), openSUSE (apache2-mod_auth_openidc, gifsicle, openssl-1_1, php7-pear, and wireshark), Oracle (oswatcher), Red Hat (cyrus-imapd, firefox, and thunderbird), SUSE (apache2-mod_auth_openidc, compat-openssl098, php7-pear, and wireshark), and Ubuntu (git and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/869103/ ∗∗∗ Update - Kritische Sicherheitslücke in der Microsoft MSHTML Komponente - Workarounds verfügbar, Exploits veröffentlicht ∗∗∗ --------------------------------------------- Update: 13. September 2021 / Beschreibung Microsoft hat außerhalb des üblichen Patch-Zyklus eine Warnung über eine Sicherheitslücke in der MSHTML Komponente veröffentlicht. Diese kann von Angreifer:innen durch entsprechend präparierte Microsoft Office-Dokumente ausgenutzt werden - laut Microsoft sind solche Dokumente bereits im Umlauf. --------------------------------------------- https://cert.at/de/warnungen/2021/9/kritische-sicherheitslucke-in-der-micro… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2021-20509) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in ICU libraries used in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in the AIX kernel (CVE-2021-29727, CVE-2021-29801, CVE-2021-29862) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-ai… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security SOAR (CVE-2021-2341, CVE-2021-2369) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Input Validation Vulnerability in Apache Commons Codec Affects IBM Sterling Connect:Direct for UNIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-input-validation-vulnerab… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.09.2021
by Daily end-of-shift report 10 Sep '21

10 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-09-2021 18:00 − Freitag 10-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ MSHTML-Schwachstelle CVE-2021-40444 kritischer als bekannt ∗∗∗ --------------------------------------------- Vor einigen Tagen hat Microsoft einen Sicherheitshinweis zur Schwachstelle CVE-2021-40444 in der in Windows enthaltenen MSHTML-Komponente offen gelegt. Es hieß, es gebe den Versuch, die Schwachstelle in freier Wildbahn über präparierte Office-Dokumente auszunutzen. Aber Office-Nutzer seien eigentlich durch die geschützte Ansicht vor dieser Bedrohung geschützt. Nun wird bekannt, dass dieser Schutz löchrig ist und oft nicht wirkt. --------------------------------------------- https://www.borncity.com/blog/2021/09/10/mshtml-schwachstelle-cve-2021-4044… ∗∗∗ A Look at iMessage in iOS 14 ∗∗∗ --------------------------------------------- [...] Given that it is also now almost exactly one year ago since we published the Remote iPhone Exploitation blog post series, in which we described how an iMessage 0-click exploit can work in practice and gave a number of suggestions on how similar attacks could be prevented in the future, now seemed like a great time to dig into the security improvements in iOS 14 in more detail and explore how Apple has hardened their platform against 0-click attacks. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14… ∗∗∗ August 2021’s Most Wanted Malware: Formbook Climbs into First Place ∗∗∗ --------------------------------------------- Check Point Research reports that the infostealer, Formbook, is the most prevalent malware while the banking trojan, Qbot, has dropped from the list all together. Our latest Global Threat Index for August 2021 has revealed that Formbook is now the most prevalent malware, taking over Trickbot, which has fallen into second following a three-month long [...] --------------------------------------------- https://blog.checkpoint.com/2021/09/10/august-2021s-most-wanted-malware-for… ∗∗∗ Meet Meris, the new 250,000-strong DDoS botnet terrorizing the internet ∗∗∗ --------------------------------------------- A new botnet consisting of an estimated 250,000 malware-infected devices has been behind some of the biggest DDoS attacks over the summer, breaking the record for the largest volumetric DDoS attack twice, once in June and again this month. --------------------------------------------- https://therecord.media/meet-meris-the-new-250000-strong-ddos-botnet-terror… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitspatch: WordPress-Entwickler raten zu zügigem Update ∗∗∗ --------------------------------------------- Das Content Management System WordPress ist über mehrere Sicherheitslücken angreifbar. --------------------------------------------- https://heise.de/-6188735 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, ghostscript, ntfs-3g, and postorius), Fedora (java-1.8.0-openjdk-aarch32, libtpms, and salt), openSUSE (libaom, libtpms, and openssl-1_0_0), Red Hat (openstack-neutron), SUSE (grilo, java-1_7_0-openjdk, libaom, libtpms, mariadb, openssl-1_0_0, openssl-1_1, and php74-pear), and Ubuntu (firefox and ghostscript). --------------------------------------------- https://lwn.net/Articles/868863/ ∗∗∗ AVEVA PCS Portal ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Search Path Element vulnerability in AVEVA PCS Portal sofware. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-252-01 ∗∗∗ Delta Electronics DOPSoft 2 ∗∗∗ --------------------------------------------- This advisory contains mitigations for Stack-based Buffer Overflow, Out-of-Bounds Write, and Heap-based Buffer Overflow vulnerabilities in Delta Electronics DOPSoft 2 HMI editing software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02 ∗∗∗ Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU ∗∗∗ --------------------------------------------- This advisory is a follow-up to a CISA product update titled ICS-ALERT-19-225-01 Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A) published September 10, 2019, on the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for OS Command Injection, Improper Access Control, Cross-site Scripting, Use of Hard-coded Credentials, Unprotected Storage of Credentials, and Incorrect Default Permissions vulnerabilities in select Mitsubishi Electric firmware. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-252-03 ∗∗∗ Security Bulletin: OpenSSL Vulnerability Affects IBM Sterling Connect:Express for UNIX (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: OpenSSL Vulnerability Affects IBM Sterling Connect:Express for UNIX (CVE-2021-3711) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-aff… ∗∗∗ Stack Buffer Overflow Vulnerabilities in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-33 ∗∗∗ Stack Buffer Overflow Vulnerability in QUSBCam2 ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-34 ∗∗∗ Stack-Based Buffer Overflow Vulnerabilities in NVR Storage Expansion ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-36 ∗∗∗ Insufficiently Protected Credentials in QSW-M2116P-2T2S and QuNetSwitch ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-37 ∗∗∗ Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.09.2021
by Daily end-of-shift report 09 Sep '21

09 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-09-2021 18:00 − Donnerstag 09-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Ransomware: Erpressungs-Website der "REvil"-Gang plötzlich wieder online ∗∗∗ --------------------------------------------- Die Gang, deren Kaseya-Lieferkettenangriff Schlagzeilen machte, war Mitte Juli von der Bildfläche verschwunden - nun ist ihre Tor-Onion-Leak-Site wieder aktiv. --------------------------------------------- https://heise.de/-6187682 ∗∗∗ Betrügerische Streaming-Plattformen verschicken ungerechtfertigte Zahlungsaufforderungen! ∗∗∗ --------------------------------------------- Zahlreiche InternetnutzerInnen stolpern bei der Suche nach Hollywood-Blockbustern auf Webseiten wie kinox.su, justhdfilme.com oder kinox-deutsch.com. Wer auf einer solchen Seite versucht einen Film zu schauen, wird auf weitere betrügerische Websites wie luguplay.de, playnate.de oder rubuplay.de weitergeleitet. Nach einer angeblich kostenlosen Anmeldung auf diesen Seiten, können Sie sich keinen Film ansehen - stattdessen erhalten Sie Rechnungen und Mahnungen. Zahlen Sie auf keinen Fall! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-streaming-plattformen… ∗∗∗ Fortinet warns customers after hackers leak passwords for 87,000 VPNs ∗∗∗ --------------------------------------------- Networking equipment vendor Fortinet has notified customers today that a cybercriminal gang has assembled a collection of access credentials for more than 87,000 FortiGate SSL-VPN devices. "This incident is related to an old vulnerability resolved in May 2019," the company said in a blog post following an inquiry from The Record sent on Tuesday, when a small portion of this larger list was published on a private cybercrime forum hosted on the dark web, and later on the website of a ransomware gang, [...] --------------------------------------------- https://therecord.media/fortinet-warns-customers-after-hackers-leak-passwor… ∗∗∗ Microsoft fixes bug letting hackers take over Azure containers ∗∗∗ --------------------------------------------- Microsoft has fixed a vulnerability in Azure Container Instances called Azurescape that allowed a malicious container to take over containers belonging to other customers on the platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-fixes-bug-letting-… ∗∗∗ Updates to Our Datafeeds/API, (Thu, Sep 9th) ∗∗∗ --------------------------------------------- Most of the data we are collecting is freely available via our API. For quick documentation, see https://isc.sans.edu/api. One particular popular feed is our list of "Researcher IPs." These are IP addresses connected to commercial and academic projects that scan the internet. These scans can account for a large percentage of your unsolicited inbound activity. One use of this feed is to add "color to your logs" by enriching your log data from this feed. --------------------------------------------- https://isc.sans.edu/diary/rss/27824 ∗∗∗ Multistage WordPress Redirect Kit ∗∗∗ --------------------------------------------- Recently, one of our analysts @kpetku came across a series of semi-randomised malware injections in multiple WordPress environments. Typical of spam redirect infections, the malware redirects visitors by calling malicious files hosted on third party infected websites. Interestingly, the infection stores itself as encoded content in the database and is called through random functions littered throughout plugin files using a very common wordpress function “get_option”. --------------------------------------------- https://blog.sucuri.net/2021/09/multistage-wordpress-redirect-kit.html ∗∗∗ Get Ready for PYSA Ransomware Attacks Against Linux Systems ∗∗∗ --------------------------------------------- Linux is increasingly targeted by ransomware. Researchers have now detected indications that the PYSA ransomware, often also known as Mespinoza, is also being readied for Linux targets. read more --------------------------------------------- https://www.securityweek.com/get-ready-pysa-ransomware-attacks-against-linu… ∗∗∗ Analysis of a Parallels Desktop Stack Clash Vulnerability and Variant Hunting using Binary Ninja ∗∗∗ --------------------------------------------- Parallels Desktop uses a paravirtual PCI device called the “Parallels ToolGate” for communication between guest and host OS. This device is identified by Vendor ID 0x1AB8 and Device ID 0x4000 in a Parallels guest. The guest driver provided as part of Parallels Tools and the host virtual device communicate using a ToolGate messaging protocol. To provide a summary, the guest driver prepares a message and writes the physical address of the message to [...] --------------------------------------------- https://www.thezdi.com/blog/2021/9/9/analysis-of-a-parallels-desktop-stack-… ∗∗∗ When the Cyberthreat Comes from the Inside ∗∗∗ --------------------------------------------- Would you like to earn millions of dollars? The LockBit 2.0 ransomware are now trying to recruit insiders – and there is no reason to believe that your company wouldn’t be targeted. The global competitive framework has changed significantly: hybrid warfare with methods like infiltration and espionage will be an imminent threat against the strategic environment for the foreseeable future. --------------------------------------------- https://blog.truesec.com/2021/09/08/when-the-cyberthreat-comes-from-the-ins… ===================== = Vulnerabilities = ===================== ∗∗∗ OpenVPN for Linux and FreeBSD: Schwachstelle ermöglicht Umgehung von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Linux und OpenVPN ausnutzen, um einen Denial of Service zu verursachen oder Sicherheitsvorkehrungen zu umgehen --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0944 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat zehn Security Advisories veröffentlicht. Keine der darin behobenen Schwachstellen wird als "critical" eingestuft, vier als "high". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ ABB: EIBPORT several CVEs ABBVREP0049_R9120 ∗∗∗ --------------------------------------------- ABB is aware of vulnerabilities in the product versions listed above. A firmware update is available that resolves these privately reported vulnerabilities in the product versions listed above. An attacker who successfully exploited these vulnerabilities could access sensitive information stored inside the device and can access the device with root privileges. CVE-IDs: CVE-2021-28909, CVE-2021-28910, CVE-2021-28911, CVE-2021-28912, CVE-2021-28913, CVE-2021-28914 --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A7304&Lan… ∗∗∗ GitHub entdeckt sieben Sicherheitslücken in Node.js Packages ∗∗∗ --------------------------------------------- In einem Rahmen Bug-Bounty-Programm hat GitHub Schwachstellen aufgedeckt und bietet Handlungsanweisungen für betroffene Nutzer. --------------------------------------------- https://heise.de/-6187785 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (lynx, matrix-synapse, and proftpd), openSUSE (ntfs-3g_ntfsprogs), Oracle (kernel), Red Hat (RHV-H), Scientific Linux (kernel), and Ubuntu (libapache2-mod-auth-mellon, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, [...] --------------------------------------------- https://lwn.net/Articles/868743/ ∗∗∗ Intel processor vulnerabilities CVE-2021-0086 and CVE-2021-0089 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41043270?utm_source=f5support&utm_mediu… ∗∗∗ SaltStack Salt: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0946 ∗∗∗ WordPress: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0948 ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210908… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2021-20427) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Security vulnerabilitiy has been fixed in IBM Security Identity Manager (CVE-2021-29692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilitiy-h… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenLDAP vulnerability (CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi… ∗∗∗ Security Bulletin: Security vulnerabilitiy has been identified in IBM® Java SDK that affect IBM Security Directory Suite (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilitiy-h… ∗∗∗ Security Bulletin: Container Environment Vulnerabilities Affect IBM Secure Proxy (CVE-2020-14298, CVE-2020-14300) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-container-environment-vul… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Reliance on Untrusted Inputs in Security Descision ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Weak Password Policy vulnerability (CVE-2021-20418) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2021
by Daily end-of-shift report 08 Sep '21

08 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-09-2021 18:00 − Mittwoch 08-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ vaxcontrolgroup.com: Nutzlose Studie und Scheckkarte für Nichtgeimpfte ∗∗∗ --------------------------------------------- Auf vaxcontrolgroup.com bewirbt die „Vaccine Control Group“ eine angebliche Studie, in der Nichtgeimpfte auf der ganzen Welt als Kontrollgruppe herangezogen werden sollen. Die Studie ist wissenschaftlich als unbrauchbar zu bewerten. Ein beworbener Ausweis im Scheckkartenformat, der eine Verpflichtung zur Nichtimpfung bestätigen soll, ist kostenpflichtig und nutzlos! --------------------------------------------- https://www.watchlist-internet.at/news/vaxcontrolgroupcom-nutzlose-studie-u… ===================== = Vulnerabilities = ===================== ∗∗∗ HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack ∗∗∗ --------------------------------------------- A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks. Tracked as CVE-2021-40346.. --------------------------------------------- https://thehackernews.com/2021/09/haproxy-found-vulnerable-to-critical.html ∗∗∗ ZDI: Mehrere Lücken in Parallels Desktop ∗∗∗ --------------------------------------------- Toolgate Uncontrolled Memory Allocation Privilege Escalations: * CVE-2021-34869 http://www.zerodayinitiative.com/advisories/ZDI-21-1057/ * CVE-2021-34868 http://www.zerodayinitiative.com/advisories/ZDI-21-1056/ * CVE-2021-34867 http://www.zerodayinitiative.com/advisories/ZDI-21-1055/ --------------------------------------------- ∗∗∗ Fortinet Security Advisories September 2021 ∗∗∗ --------------------------------------------- Fortinet hat eine Reihe von Security Advisories zu diversen Problemen/Produkten veröffentlicht. Eine Übersicht findet sich auf der Fortinet PSIRT Webseite. --------------------------------------------- https://www.fortiguard.com/psirt-monthly-advisory/september-2021-vulnerabil… ∗∗∗ September 7, 2021 TNS-2021-15 [R1] Nessus Agent 8.3.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus Agent 8.3.0 and earlier were found to contain multiple local privilege escalation vulnerabilities which could allow an authenticated, local administrator to run specific executables on the Nessus Agent host. --------------------------------------------- http://www.tenable.com/security/tns-2021-15 ∗∗∗ Android Security Bulletin - September 2021 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2021-09-05 or later address all of these issues. --------------------------------------------- https://source.android.com/security/bulletin/2021-09-01 ∗∗∗ Xen XSA-384 - Another race in XENMAPSPACE_grant_table handling ∗∗∗ --------------------------------------------- A malicious guest may be able to elevate its privileges to that of the host, cause host or guest Denial of Service (DoS), or cause information leaks. All Xen versions from 4.0 onwards are affected. Xen versions 3.4 and older are not affected. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-384.html ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- Several security issues have been discovered in Citrix Hypervisor that, collectively, may allow privileged code in a guest VM to compromise or crash the host. Citrix has released hotfixes to address these issues. Citrix recommends that affected customers install these hotfixes as their patching schedule allows --------------------------------------------- https://support.citrix.com/article/CTX325319 ∗∗∗ Microsoft Releases Mitigations and Workarounds for CVE-2021-40444 ∗∗∗ --------------------------------------------- Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-release… ∗∗∗ Zoho Releases Security Update for ADSelfService Plus ∗∗∗ --------------------------------------------- Zoho has released a security update on a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system. ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud apps. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-sec… ∗∗∗ Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A security vulnerability has been fixed in IBM Security Identity Manager Virtual Appliance (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-… ∗∗∗ Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-… ∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Identity Manager (CVE-2021-29687, CVE-2021-29688) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2020-1971 vulnerability in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-1971-vulnerabili… ∗∗∗ Security Bulletin: Security vulnerabilitiy has been fixed in IBM Security Identity Manager (93519) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilitiy-h… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Identity Manager deprecated Self Service UI contains Struts V1 (CVE-2016-1182) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2021
by Daily end-of-shift report 07 Sep '21

07 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Montag 06-09-2021 18:00 − Dienstag 07-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server ∗∗∗ --------------------------------------------- The maintainers of Jenkins—a popular open-source automation server software—have disclosed a security breach after unidentified threat actors gained access to one of their servers by exploiting a recently disclosed vulnerability in Atlassian Confluence service to install a cryptocurrency miner. [...] "At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected," the company said in a statement published over the weekend. --------------------------------------------- https://thehackernews.com/2021/09/latest-atlassian-confluence-flaw.html ∗∗∗ Firefox 92 und ESR-Versionen bringen wichtige Sicherheitsupdates mit ∗∗∗ --------------------------------------------- Die neuen Versionen des Browsers nebst Extended Support Releases umfassen nicht nur funktionale Neuerungen, sondern auch Sicherheitslücken-Fixes. --------------------------------------------- https://heise.de/-6185311 ∗∗∗ online-handelsregister.eu bucht für einen Handelsregisterauszug über 750 Euro ab ∗∗∗ --------------------------------------------- Für einen Handelsregisterauszug verrechnet das Unternehmen hinter online-handelsregister.eu zusätzlich 749,00 Euro – angeblich für die Freischaltung des Portals. Opfern ist meist nicht bewusst, wie dieser Betrag zu Stande kam. Eines ist klar: online-handelsregister.eu geht nicht seriös vor und hat diesen Betrag ohne Berechtigung abgezogen, denn beim Kaufabschluss wurde die sogenannte Button-Lösung nicht eingehalten. --------------------------------------------- https://www.watchlist-internet.at/news/online-handelsregistereu-bucht-fuer-… ===================== = Vulnerabilities = ===================== ∗∗∗ Ghostscript Zero-Day Allows Full Server Compromises ∗∗∗ --------------------------------------------- Proof-of-concept exploit code was published online over the weekend for an unpatched Ghostscript vulnerability that puts all servers that rely on the component at risk of attacks. From a report: Published by Vietnamese security researcher Nguyen The Duc, the proof-of-concept code is available on GitHub and was confirmed to work by several of todays leading security researchers. --------------------------------------------- https://it.slashdot.org/story/21/09/07/1532205/ghostscript-zero-day-allows-… ∗∗∗ Netgear schließt Sicherheitslücken in 20 Switches ∗∗∗ --------------------------------------------- Wenn die Voraussetzungen stimmen, könnten Angreifer die Kontrolle über Netgear-Switches erlangen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6184272 ∗∗∗ Lücken in Gutenberg-Template-Plug-in gefährden eine Million WordPress-Websites ∗∗∗ --------------------------------------------- Angreifer könnten WordPress-Websites mit dem Plug-in Gutenberg Template Library & Redux Framework attackieren. Ein Sicherheitspatch steht zum Download. --------------------------------------------- https://heise.de/-6184875 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (apache2, java-11-openjdk, libesmtp, nodejs10, ntfs-3g_ntfsprogs, openssl-1_1, xen, and xerces-c), Red Hat (kernel-rt and kpatch-patch), and SUSE (ntfs-3g_ntfsprogs and openssl-1_1). --------------------------------------------- https://lwn.net/Articles/868569/ ∗∗∗ Synology-SA-21:26 Photo Station ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Photo Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_26 ∗∗∗ Security Bulletin: A security vulnerability has been identified in Oracle Oct 2020 CPU for Java 8 shipped with IBM® Intelligent Operations Center (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in Oracle Jan 2021 CPU for Java 8 shipped with IBM® Intelligent Operations Center (CVE-2020-14803) (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Oracle Oct 2020 CPU for Java 8 shipped with IBM® Intelligent Operations Center (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in Bind affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2020-1971 vulnerability in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-1971-vulnerabili… ∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in Oracle Oct 2020 CPU for Java 8 shipped with IBM® Intelligent Operations Center (CVE-2020-14779, CVE-2020-14792,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-250-01 ∗∗∗ Hitachi ABB Power Grids System Data Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-250-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2021
by Daily end-of-shift report 06 Sep '21

06 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-09-2021 18:00 − Montag 06-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exchange-Server-Attacken reißen nicht ab - Angreifer installieren 7 Hintertüren ∗∗∗ --------------------------------------------- Wenn nicht längst geschehen, sollten Admins die ProxyShell-Lücken in Exchange Server durch die Installation von Sicherheitsupdates schließen. --------------------------------------------- https://heise.de/-6182364 ∗∗∗ Patch me if you can: Ransomware 3.0 - der Widerstand wächst ∗∗∗ --------------------------------------------- ITler jonglieren gern mit Zahlen, vor allem beim Reifegrad von Software. Bei Ransomware hat ein Versionssprung aber nichts Gutes zu bedeuten - oder doch? --------------------------------------------- https://heise.de/-6071696 ∗∗∗ Sourcecode von Erpressungstrojaner "Babuk Locker" geleakt ∗∗∗ --------------------------------------------- In einem russischen Hacker-Forum sind alle Bauteile für die Ransomware "Babuk Locker" aufgetaucht. Darunter könnten auch für Opfer interessante Schlüssel sein. --------------------------------------------- https://heise.de/-6182385 ∗∗∗ Ransomware gangs target companies using these criteria ∗∗∗ --------------------------------------------- Ransomware gangs increasingly purchase access to a victims network on dark web marketplaces and from other threat actors. Analyzing their want ads makes it possible to get an inside look at the types of companies ransomware operations are targeting for attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-target-comp… ∗∗∗ The State of Incident Response: Measuring Risk and Evaluating Your Preparedness ∗∗∗ --------------------------------------------- Grant Oviatt, director of incident-response engagements at Red Canary, provides advice and best practices on how to get there faster. --------------------------------------------- https://threatpost.com/incident-response-risk-preparedness/169211/ ∗∗∗ Traffic Exchange Networks Distributing Malware Disguised as Cracked Software ∗∗∗ --------------------------------------------- An ongoing campaign has been found to leverage a network of websites acting as a "dropper as a service" to deliver a bundle of malware payloads to victims looking for "cracked" versions of popular business and consumer applications. "These malware included an assortment of click fraud bots, other information stealers, and even ransomware," researchers from cybersecurity firm Sophos said [...] --------------------------------------------- https://thehackernews.com/2021/09/traffic-exchange-networks-distributing.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Proxies are complicated: RCE vulnerability in a 3 million downloads/week NPM package ∗∗∗ --------------------------------------------- Pac-Resolver, a widely used NPM dependency, had a high-severity RCE (Remote Code Execution) vulnerability that could allow network administrators or other malicious actors on your local network to remotely run arbitrary code inside your Node.js process whenever you tried to send an HTTP request. --------------------------------------------- https://httptoolkit.tech/blog/npm-pac-proxy-agent-vulnerability/ ∗∗∗ ‘Demon’s Cries’ authentication bypass patched in Netgear switches ∗∗∗ --------------------------------------------- Networking equipment vendor Netgear has patched three vulnerabilities in several of its smart switches that can allow threat actors to bypass authentication and take over devices. --------------------------------------------- https://therecord.media/demons-cries-authentication-bypass-patched-in-netge… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (btrbk, pywps, and squashfs-tools), Fedora (libguestfs, libss7, ntfs-3g, ntfs-3g-system-compression, partclone, testdisk, wimlib, and xen), Mageia (exiv2, golang, libspf2, and ruby-addressable), openSUSE (apache2, dovecot23, gstreamer-plugins-good, java-11-openjdk, libesmtp, mariadb, nodejs10, opera, python39, sssd, and xerces-c), and SUSE (apache2, java-11-openjdk, libesmtp, mariadb, nodejs10, python39, sssd, xen, and xerces-c). --------------------------------------------- https://lwn.net/Articles/868464/ ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Helm vulnerabilities ( CVE-2021-21303) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to OpenSSL vulnerabilities (CVE-2020-1971 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to OpenSSL and Node.js vulnerabilities (CVE-2020-1971, CVE-2020-8287, CVE-2020-8265) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Kubernetes vulnerabilities (CVE-2020-8554) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Java vulnerabilities (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Docker vulnerabilities (CVE-2021-21285, CVE-2021-21284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities in VMware affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Node.js lodash vulnerabilities (CVE-2021-23337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: A Privilege Escalation vulnerability in Pivotal Spring Framework affects IBM LKS Administration & Reporting Tool and its Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-privilege-escalation-vu… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to OpenSSL vulnerabilities (CVE-2020-1968 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Go vulnerability (CVE-2021-3121) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Kubernetes vulnerabilities (CVE-2020-8569) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Oracle Oct 2020 CPU for Java 8 shipped with IBM® Intelligent Operations Center (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Elastic vulnerabilities (CVE-2020-7020 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Java vulnerabilities (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.09.2021
by Daily end-of-shift report 03 Sep '21

03 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-09-2021 18:00 − Freitag 03-09-2021 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ A deep-dive into the SolarWinds Serv-U SSH vulnerability ∗∗∗ --------------------------------------------- We're sharing technical information about the vulnerability tracked as CVE-2021-35211, which was used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks. --------------------------------------------- https://www.microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-sol… ∗∗∗ From RpcView to PetitPotam ∗∗∗ --------------------------------------------- In the previous post we saw how to set up a Windows 10 machine in order to manually analyze Windows RPC with RpcView. In this post, we will see how the information provided by this tool can be used to create a basic RPC client application in C/C++. Then, we will see how we can reproduce the trick used in the PetitPotam tool. --------------------------------------------- https://itm4n.github.io/from-rpcview-to-petitpotam/ ∗∗∗ PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers ∗∗∗ --------------------------------------------- The Exploit Chain Explained - ProxyShell refers to a chain of attacks that exploit three different vulnerabilities affecting on-premises Microsoft Exchange servers to achieve pre-authenticated remote code execution (RCE). --------------------------------------------- http://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-m… ∗∗∗ Jetzt patchen! Krypto-Miner schlüpft durch Confluence-Lücke ∗∗∗ --------------------------------------------- Angreifer nutzen derzeit aktiv eine kritische Sicherheitslücke in der Wiki-Software Confluence aus. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-6181023 ∗∗∗ From open Guest Wi-Fi to pwning a lift or why validating network segregation is critical ∗∗∗ --------------------------------------------- TL;DR A recent engagement took quite an unexpected turn and led to me having remote control of a bunch of building services including a lift from the street outside, unauthenticated. --------------------------------------------- https://www.pentestpartners.com/security-blog/from-open-guest-wi-fi-to-pwni… ∗∗∗ Shodan Verified Vulns 2021-09-01 ∗∗∗ --------------------------------------------- Mit 2021-09-01 sah die Lage laut den Daten in unserer Shodan-Datenbank wie folgt aus: Während der Großteil sich zu den Vormonaten wenig verändert hat, gibt es zwei größere Änderungen: * Im Zuge der BlackHat 2021 USA stellte der Sicherheitsforscher Orange Tsai eine neue Exploit-Chain gegen Microsoft Exchange Server vor, die "ProxyShell" genannt wurde... * Außerdem neu ist CVE-2021-31206, eine – wie auch ProxyShell – im Zuge des diesjährigen Pwn2Own-Contests der Zero Day Initiative gefundene Schwachstelle, die ebenfalls zu einer Remote-Code-Execution führen kann. --------------------------------------------- https://cert.at/de/aktuelles/2021/9/shodan-verified-vulns-2021-09-01 ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 19 Security Bulletins zu diversen Schwachstellen veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/2021/09/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Fedora (condor, grilo, libopenmpt, opencryptoki, and php), openSUSE (xen), and SUSE (ffmpeg, file, php72, rubygem-addressable, and xen). --------------------------------------------- https://lwn.net/Articles/868282/ ∗∗∗ Microsoft Edge: Mehrere Schwachstelle ∗∗∗ --------------------------------------------- Edge ist ein Web Browser von Microsoft. Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Microsoft Edge ausnutzen, um einen Angriff mit unbekannten Auswirkungen durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0934 ∗∗∗ CVE-2021-2429: A Heap-based Buffer Overflow Bug in the MySQL InnoDB memcached Plugin ∗∗∗ --------------------------------------------- The vulnerability affects MySQL versions 8.0.25 and prior. It can be triggered remotely and without authentication. Attackers can leverage this vulnerability to execute arbitrary code on the MySQL database server. Oracle patched it in July and assigned it CVE-2021-2429, while ZDI’s identifier is ZDI-2021-889. ... Although the InnoDB memcached plugin is not enabled by default, it is nonetheless wise to apply the patch as soon as possible. It would not surprise me to see a reliable full exploit in the near future. --------------------------------------------- https://www.thezdi.com/blog/2021/9/2/cve-2021-2429-a-heap-based-buffer-over… ∗∗∗ 2021-06-03: Cybersecurity Advisory - Multiple Vulnerabilities in Automation Runtime NTP Service ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16212592… ∗∗∗ SECURITY - ABB Base Software for SoftControl Remote Code Execution vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA122974&Language… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to OpenSSL vulnerabilities (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Elastic vulnerabilities (CVE-2020-7021 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Node.js lodash vulnerabilities (CVE-2020-28500) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to OpenSSL and Node.js vulnerabilities (CVE-2021-23840, CVE-2021-22884, CVE-2021-22883) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Go vulnerability (CVE-2021-27919, CVE-2021-27918) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to OpenSSL vulnerabilities (CVE-2021-3449, CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Apache vulnerabilities (CVE-2021-26296) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Dojo vulnerabilities (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2021
by Daily end-of-shift report 02 Sep '21

02 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-09-2021 18:00 − Donnerstag 02-09-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ How to block Windows Plug-and-Play auto-installing insecure apps ∗∗∗ --------------------------------------------- A trick has been discovered that prevents your device from being taken over by vulnerable Windows applications when devices are plugged into your computer. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/how-to-block-windows-plug-a… ∗∗∗ Team Cymru’s Threat Hunting Maturity Model Explained ∗∗∗ --------------------------------------------- In this four-part series, we’ll be looking at Team Cymru’s Threat Hunting Maturity Model. --------------------------------------------- https://team-cymru.com/blog/2021/09/02/team-cymrus-threat-hunting-maturity-… ∗∗∗ QakBot technical analysis ∗∗∗ --------------------------------------------- This report contains technical analysis of the Trojan-Banker named QakBot (aka QBot, QuackBot or Pinkslipbot) and its information stealing, web injection and other modules. --------------------------------------------- https://securelist.com/qakbot-technical-analysis/103931/ ∗∗∗ Analysis of a Phishing Kit (that targets Chase Bank) ∗∗∗ --------------------------------------------- Most of us are already familiar with phishing: A common type of internet scam where unsuspecting victims are conned into entering their real login credentials on fake pages controlled by attackers. --------------------------------------------- https://blog.sucuri.net/2021/09/analysis-of-a-phishing-kit-that-targets-cha… ∗∗∗ Too Log; Didnt Read — Unknown Actor Using CLFS Log Files for Stealth ∗∗∗ --------------------------------------------- The Mandiant Advanced Practices team recently discovered a new malware family we have named PRIVATELOG and its installer, STASHLOG. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clf… ∗∗∗ Google Play sign-ins can be abused to track another person’s movements ∗∗∗ --------------------------------------------- We tried to help somebody install an app on an Android phone and stumbled on a way to track them instead. --------------------------------------------- https://blog.malwarebytes.com/awareness/2021/09/google-play-sign-ins-can-be… ∗∗∗ Translated: Talos insights from the recently leaked Conti ransomware playbook ∗∗∗ --------------------------------------------- Cisco Talos recently became aware of a leaked playbook that has been attributed to the ransomware-as-a-service (RaaS) group Conti. --------------------------------------------- https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html ∗∗∗ Vorsicht vor fit4fun-arena.de – zu günstig um wahr zu sein ∗∗∗ --------------------------------------------- Der Fake-Shop fit4fun-arena.de bietet unglaublich günstige Fahrräder und weitere Fitnessartikel an. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fit4fun-arenade-zu-guen… ===================== = Vulnerabilities = ===================== ∗∗∗ Dateimanager Midnight Commander seit neun Jahren angreifbar ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für Midnight Commander. --------------------------------------------- https://heise.de/-6180301 ∗∗∗ Braktooth: Neue Bluetooth-Lücken bedrohen unzählige Geräte ∗∗∗ --------------------------------------------- Sicherheitsforscher haben mehrere Bluetooth-Schwachstellen entdeckt. Nicht alle Hersteller planen, Patches zu veröffentlichen. --------------------------------------------- https://heise.de/-6180540 ∗∗∗ Cisco beseitigt kritische Lücke aus Enterprise NFV Infrastructure Software ∗∗∗ --------------------------------------------- Jetzt updaten: Die Enterprise NFV Infrastructure Software (NFVIS) kann je nach Konfiguration aus der Ferne angreifbar sein. Aktualisierungen stehen bereit. --------------------------------------------- https://heise.de/-6180655 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (ffmpeg and gstreamer-plugins-good), SUSE (apache2, apache2-mod_auth_mellon, ffmpeg, gstreamer-plugins-good, libesmtp, openexr, rubygem-puma, xen, and xerces-c), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/868155/ ∗∗∗ Recently Patched Confluence Vulnerability Exploited in the Wild ∗∗∗ --------------------------------------------- Hackers started exploiting a vulnerability in Atlassian’s Confluence enterprise collaboration product just one week after the availability of a patch was announced. --------------------------------------------- https://www.securityweek.com/recently-patched-confluence-vulnerability-expl… ∗∗∗ Cisco Nexus Insights Authenticated Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Collaboration Provisioning Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Johnson Controls Sensormatic Electronics Illustra ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-245-01 ∗∗∗ JTEKT TOYOPUC TCC-6353 PC10G-CPU ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-245-02 ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-245-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.09.2021
by Daily end-of-shift report 01 Sep '21

01 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-08-2021 18:00 − Mittwoch 01-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kritische Root-Sicherheitslücke in Netzwerk-Videorekorder von Annke entdeckt ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für den Netzwerk-Videorekorder N48PBB von Annke. --------------------------------------------- https://heise.de/-6179374 ∗∗∗ Energiemanagementsystem DIAEnergie weist kritische Lücken auf ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates für das industrielle Energiemanagementsystem DIAEnergie sind in Arbeit. Die US-Behörde CISA rät zwischenzeitlich zu Schutzmaßnahmen. --------------------------------------------- https://heise.de/-6179591 ∗∗∗ SMS: Vorsicht vor gefälschter Sendungsverfolgung ∗∗∗ --------------------------------------------- Kriminelle versenden momentan per SMS gefälschte Paketinformationen zu einer Bestellung. In der Nachricht heißt es, dass Ihr Paket nicht zugestellt werden konnte oder eine Sendungsverfolgung nun möglich ist. Sie werden aufgefordert, auf einen Link zu klicken. Achtung: Der Link führt in eine Internetfalle. --------------------------------------------- https://www.watchlist-internet.at/news/sms-vorsicht-vor-gefaelschter-sendun… ∗∗∗ STRRAT: a Java-based RAT that doesnt care if you have Java, (Wed, Sep 1st) ∗∗∗ --------------------------------------------- STRRAT was discovered earlier this year as a Java-based Remote Access Tool (RAT) that does not require a preinstalled Java Runtime Environment (JRE). It has been distributed through malicious spam (malspam) during 2021. Today's diary reviews an infection generated using an Excel spreadsheet discovered on Monday, 2021-08-30. --------------------------------------------- https://isc.sans.edu/diary/rss/27798 ∗∗∗ This is why the Mozi botnet will linger on ∗∗∗ --------------------------------------------- The botnet continues to haunt IoT devices, and likely will for some time to come. --------------------------------------------- https://www.zdnet.com/article/this-is-why-the-mozi-botnet-will-linger-on/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 52 Security Bulletins zu diversen Schwachstellen veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/2021/08/ ∗∗∗ Mehrere Schwachstellen in Moxa Netzwerkgeräten ∗∗∗ --------------------------------------------- Mehrere Geräte, entwickelt von MOXA Inc., sind anfällig auf verschiedene Schwachstellen wie Command Injection und Cross-Site Scripting in der Config-Upload Funktion. Des weiteren wurde veraltete Software identifiziert und eine Stichprobe (CVE-2015-0235) davon wurde auch mithilfe eines öffentlichen exploits getestet. Alle Schwachstellen wurden durch Emulation des Gerätes mit der MEDUSA scalable firmware runtime verifiziert. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle… ∗∗∗ Over 1 Million Sites Affected by Gutenberg Template Library & Redux Framework Vulnerabilities ∗∗∗ --------------------------------------------- On August 3, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for two vulnerabilities we discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any [...] --------------------------------------------- https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-red… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, GNOME, hivex, kernel, and sssd), Debian (gpac and squashfs-tools), Fedora (c-ares and openssl), openSUSE (dovecot23), Oracle (bind, hivex, kernel, and sssd), Red Hat (kernel), Scientific Linux (bind, hivex, kernel, libsndfile, libX11, and sssd), Slackware (ntfs), SUSE (dovecot23), and Ubuntu (ntfs-3g). --------------------------------------------- https://lwn.net/Articles/868015/ ∗∗∗ Vulnerability Allows Remote DoS Attacks Against Apps Using Linphone SIP Stack ∗∗∗ --------------------------------------------- A serious vulnerability affecting the Linphone Session Initiation Protocol (SIP) client suite can allow malicious actors to remotely crash applications, industrial cybersecurity firm Claroty warned on Tuesday. read more --------------------------------------------- https://www.securityweek.com/vulnerability-allows-remote-dos-attacks-agains… ∗∗∗ Sensormatic Electronics KT-1 ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Unmaintained Third-party Components vulnerability in Sensormatic Electronics KT-1 Ethernet-ready single-door controller. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-243-01 ∗∗∗ Philips Patient Monitoring Devices (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSMA-20-254-01 Philips Patient Monitoring Devices that was published September 10, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for Improper Neutralization of Formula Elements in a CSV File, Cross-site Scripting, Improper Authentication, Improper Check for Certificate Revocation, Improper Handling of Length Parameter Inconsistency, Improper Validation of Syntactic Correctness of Input, [...] --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01 ∗∗∗ Node.js: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0932 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.08.2021
by Daily end-of-shift report 31 Aug '21

31 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 30-08-2021 18:00 − Dienstag 31-08-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs ∗∗∗ --------------------------------------------- Cybercriminals are making strides towards attacks with malware that executes code from the graphics processing unit (GPU) of a compromised system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercriminal-sells-tool-to-… ∗∗∗ LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection ∗∗∗ --------------------------------------------- Researchers from Sophos discovered the emerging threat in July, which exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems. --------------------------------------------- https://threatpost.com/lockfile-ransomware-avoid-detection/169042/ ∗∗∗ Top 3 APIs Vulnerabilities: Why Apps are Owned by Cyberattackers ∗∗∗ --------------------------------------------- Jason Kent, hacker-in-residence at Cequence, talks about how cybercriminals target apps and how to thwart them. --------------------------------------------- https://threatpost.com/top-3-api-vulnerabilities-cyberattackers/169048/ ∗∗∗ BrakTooth: Impacts, Implications and Next Steps, (Tue, Aug 31st) ∗∗∗ --------------------------------------------- Today, the Automated Systems SEcuriTy (ASSET) Research Group from the Singapore University of Technology and Design (SUTD) revealed the BrakTooth family of vulnerabilities in commercial Bluetooth (BT) Classic stacks for various System-on-Chips (SoC). --------------------------------------------- https://isc.sans.edu/diary/rss/27802 ∗∗∗ Code Generated by GitHub Copilot Can Introduce Vulnerabilities: Researchers ∗∗∗ --------------------------------------------- A group of researchers has discovered that roughly 40% of the code produced by the GitHub Copilot language model is vulnerable. --------------------------------------------- https://www.securityweek.com/code-generated-github-copilot-can-introduce-vu… ∗∗∗ SWR-Verbrauchermagazin „Marktcheck“ warnt vor Fake-Shops auf Instagram ∗∗∗ --------------------------------------------- Betrügerische Online-Shops schalten im großen Stil auf Social-Media-Plattformen wie Instagram Werbeanzeigen. --------------------------------------------- https://www.watchlist-internet.at/news/swr-verbrauchermagazin-marktcheck-wa… ∗∗∗ DNS Rebinding Attack: How Malicious Websites Exploit Private Networks ∗∗∗ --------------------------------------------- DNS rebinding allows attackers to take advantage of web-based consoles to exploit internal networks by abusing the domain name system. --------------------------------------------- https://unit42.paloaltonetworks.com/dns-rebinding/ ∗∗∗ Cyberattackers are now quietly selling off their victims internet bandwidth ∗∗∗ --------------------------------------------- Proxyware is yet another way for criminals to generate revenue from their victims. --------------------------------------------- https://www.zdnet.com/article/cyberattackers-are-now-quietly-selling-off-th… ===================== = Vulnerabilities = ===================== ∗∗∗ NAS und Sicherheit: Qnap und Synology von OpenSSL-Lücke betroffen ∗∗∗ --------------------------------------------- Produkte beider NAS-Hersteller sind von einer bereits geschlossenen OpenSSL-Lücke betroffen. Sie arbeiten an einem Fix. --------------------------------------------- https://www.golem.de/news/nas-und-sicherheit-qnap-und-synology-von-openssl-… ∗∗∗ HPE Warns Sudo Bug Gives Attackers Root Privileges to Aruba Platform ∗∗∗ --------------------------------------------- HPE joins Apple in warning customers of a high-severity Sudo vulnerability. --------------------------------------------- https://threatpost.com/hpe-sudo-bug-aruba-platform/169038/ ∗∗∗ Kritische Rechte-Lücke in PostgreSQL-Modul geschlossen ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für das set_user-Extension-Modul der Open-Source-Datenbank PostgreSQL. --------------------------------------------- https://heise.de/-6177973 ∗∗∗ CPU-Sicherheitslücke: AMD Ryzen und Epyc per Seitenkanal verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher der TU Dresden beweisen, dass komplizierte Angriffe der Meltdown-Klasse grundsätzlich auch bei AMDs Ryzen-Prozessoren funktionieren. --------------------------------------------- https://heise.de/-6178386 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (libsndfile and libX11), Debian (ledgersmb, libssh, and postgresql-9.6), Fedora (squashfs-tools), openSUSE (389-ds, nodejs12, php7, spectre-meltdown-checker, and thunderbird), Oracle (kernel, libsndfile, and libX11), Red Hat (bind, cloud-init, edk2, glibc, hivex, kernel, kernel-rt, kpatch-patch, microcode_ctl, python3, and sssd), SUSE (bind, mysql-connector-java, nodejs12, sssd, and thunderbird), and Ubuntu (apr, squashfs-tools, thunderbird, [...] --------------------------------------------- https://lwn.net/Articles/867917/ ∗∗∗ Companies Release Security Advisories in Response to New OpenSSL Vulnerabilities ∗∗∗ --------------------------------------------- Updates announced by the OpenSSL Project on August 24 patched CVE-2021-3711, a high-severity buffer overflow related to SM2 decryption, and CVE-2021-3712, a medium-severity flaw that can be exploited for denial-of-service (DoS) attacks, and possibly for the disclosure of private memory contents. --------------------------------------------- https://www.securityweek.com/companies-release-security-advisories-response… ∗∗∗ Vulnerabilities Can Allow Hackers to Disarm Fortress Home Security Systems ∗∗∗ --------------------------------------------- Researchers at cybersecurity firm Rapid7 have identified a couple of vulnerabilities that they claim can be exploited by hackers to remotely disarm one of the home security systems offered by Fortress Security Store. --------------------------------------------- https://www.securityweek.com/vulnerabilities-can-allow-hackers-disarm-fortr… ∗∗∗ Crashing SIP Clients with a Single Slash ∗∗∗ --------------------------------------------- Claroty’s Team82 has disclosed a vulnerability in Belledonne Communications’ Linphone SIP Protocol Stack. --------------------------------------------- https://claroty.com/2021/08/31/blog-research-crashing-sip-clients-with-a-si… ∗∗∗ Synology-SA-21:25 DSM ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_25 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2021
by Daily end-of-shift report 30 Aug '21

30 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-08-2021 18:00 − Montag 30-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exchange Server: Authentifizierungs-Bypass mit ProxyToken ∗∗∗ --------------------------------------------- Im Juni 2021 hat Microsoft mit den kumulativen Updates eine Schwachstelle in seinen on-premises Exchange Servern beseitigt, über die Angreifer ohne Authentifizierung die Konfigurierung verändern konnten. So wäre es für einen nicht authentifizierten Angreifer möglich gewesen, die Konfiguration für Postfächer beliebiger Benutzer zu ändern. So hätten alle an ein E-Mail-Konto adressierten E-Mails kopiert und an ein vom Angreifer kontrolliertes Konto weitergeleitet werden können. --------------------------------------------- https://www.borncity.com/blog/2021/08/30/exchange-server-authentifizierungs… ∗∗∗ [SANS ISC] Cryptocurrency Clipboard Swapper Delivered With Love ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Cryptocurrency Clipboard Swapper Delivered With Love“: Be careful if you’re a user of cryptocurrencies. My goal is not to re-open a debate about them and their associated financial risks. No, I’m talking here about technical risk. --------------------------------------------- https://blog.rootshell.be/2021/08/30/sans-isc-cryptocurrency-clipboard-swap… ∗∗∗ Understanding Cobalt Strike Profiles ∗∗∗ --------------------------------------------- I really enjoy the process of red teaming especially when it comes to evading detection and lining up against a good blue team. Probably one of the most common commercially available Command and Control(C2) frameworks used today is Cobalt Strike(CS). So popular in fact it is classified on its own as a malware family by many defensive security products. Using CS in red team operations is common practice for a lot of companies offering red teaming to their clients and my milage is no different [...] --------------------------------------------- https://blog.zsec.uk/cobalt-strike-profiles/ ∗∗∗ Cobalt Strike, a Defender’s Guide ∗∗∗ --------------------------------------------- In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we [...] --------------------------------------------- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1052: Trend Micro Maximum Security Directory Junction Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1052/ ∗∗∗ ZDI-21-1051: NETGEAR Multiple Routers mini_httpd Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1051/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exiv2, grilo, gthumb, and redis), Fedora (krb5, nbdkit, and rubygem-addressable), Mageia (libass and opencontainers-runc), openSUSE (cacti, cacti-spine, go1.15, opera, qemu, and spectre-meltdown-checker), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, libsndfile, and libX11), SUSE (389-ds, qemu, and spectre-meltdown-checker), and Ubuntu (grilo). --------------------------------------------- https://lwn.net/Articles/867791/ ∗∗∗ Out-of-Bounds Read Vulnerability in OpenSSL ∗∗∗ --------------------------------------------- An out-of-bounds read vulnerability in OpenSSL has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-40 ∗∗∗ Out-of-Bounds Vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- Two out-of-bounds vulnerabilities in OpenSSL have been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-39 ∗∗∗ Security Bulletin: IBM API Connect V5 is impacted by a vulnerability in nginx. (CVE-2021-23017) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-is-imp… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0920 ∗∗∗ ZDI-21-1038: (0Day) Fuji Electric Tellus Lite V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1038/ ∗∗∗ ZDI-21-1037: (0Day) Fuji Electric Tellus Lite V9 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1037/ ∗∗∗ ZDI-21-1036: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1036/ ∗∗∗ ZDI-21-1035: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1035/ ∗∗∗ ZDI-21-1034: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1034/ ∗∗∗ ZDI-21-1033: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1033/ ∗∗∗ ZDI-21-1032: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1032/ ∗∗∗ ZDI-21-1031: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1031/ ∗∗∗ ZDI-21-1050: (0Day) Fuji Electric Tellus Lite V-Simulator V8 File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1050/ ∗∗∗ ZDI-21-1049: (0Day) Fuji Electric Tellus Lite V-Simulator V8 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1049/ ∗∗∗ ZDI-21-1048: (0Day) Fuji Electric Tellus Lite V-Simulator V8 File Parsing Uninitialized Pointer Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1048/ ∗∗∗ ZDI-21-1047: (0Day) Fuji Electric Tellus Lite V-Simulator V8 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1047/ ∗∗∗ ZDI-21-1046: (0Day) Fuji Electric Tellus Lite V-Simulator V8 File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1046/ ∗∗∗ ZDI-21-1045: (0Day) Fuji Electric Tellus Lite V9 File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1045/ ∗∗∗ ZDI-21-1044: (0Day) Fuji Electric Tellus Lite V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1044/ ∗∗∗ ZDI-21-1043: (0Day) Fuji Electric Tellus Lite V9 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1043/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.08.2021
by Daily end-of-shift report 27 Aug '21

27 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-08-2021 18:00 − Freitag 27-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cosmos DB: Tausende Azure-Nutzer von Sicherheitslücke betroffen ∗∗∗ --------------------------------------------- Angreifer hätten an die Schlüssel zu Cosmos-Datenbanken gelangen können. Viele große Firmen wie Coca-Cola setzen auf den Azure-Datenbankdienst. --------------------------------------------- https://www.golem.de/news/cosmos-db-tausende-azure-nutzer-von-sicherheitslu… ∗∗∗ Ragnarok Master-Decryptor-Schlüssel veröffentlicht ∗∗∗ --------------------------------------------- Opfer der Ragnarok-Ransomware, deren Daten bei einem Angriff verschlüsselt wurden, können wieder hoffen. Nachdem die Cyber-Kriminellen gerade ihren Betrieb eingestellt hat, wurde der Master-Decryptor-Schlüssel veröffentlicht. Damit sollten sich die verschlüsselten Dateien wiederherstellen lassen. --------------------------------------------- https://www.borncity.com/blog/2021/08/27/ragnarok-master-decryptor-schlssel… ∗∗∗ Widespread credential phishing campaign abuses open redirector links ∗∗∗ --------------------------------------------- Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links, which allow attackers to use a URL in a trusted domain and embed the eventual final malicious URL as a parameter. --------------------------------------------- https://www.microsoft.com/security/blog/2021/08/26/widespread-credential-ph… ∗∗∗ Big bad decryption bug in OpenSSL – but no cause for alarm ∗∗∗ --------------------------------------------- The buggy codes in there, alright. Fortunately, its hard to get OpenSSL to use it even if you want to, which mitigates the risk. --------------------------------------------- https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-opens… ∗∗∗ How Passwords Get Hacked ∗∗∗ --------------------------------------------- Can you think of an online service that doesn’t require a password? Everything on the internet requires a password. However, constantly creating and remembering new and ever more complex passwords is no small task. In fact, 66% of people polled admitted to using the same password more than once because of how hard it is to remember passwords that are considered strong. Taking steps to make passwords easier to remember can also make them easier for hackers to guess. --------------------------------------------- https://blog.sucuri.net/2021/08/how-passwords-get-hacked-2.html ∗∗∗ AWS ReadOnlyAccess: Not Even Once ∗∗∗ --------------------------------------------- You need to give your AWS role a set of permissions, but you still want to feel warm and safe on the inside. "Why not ReadOnlyAccess?" you ask. "I can just deny the permissions I don’t like" you proclaim. Let me show you how your faith in ReadOnly access will betray you and leave you with trust issues. --------------------------------------------- https://posts.specterops.io/aws-readonlyaccess-not-even-once-ffbceb9fc908 ∗∗∗ FBI Releases Indicators of Compromise Associated with Hive Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware attacks by Hive, a likely Ransomware-as-a-Service organization consisting of a number of actors using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/27/fbi-releases-indi… ∗∗∗ Academics bypass PINs for Mastercard and Maestro contactless payments ∗∗∗ --------------------------------------------- A team of scientists from a Swiss university has discovered a way to bypass PIN codes on contactless cards from Mastercard and Maestro. --------------------------------------------- https://therecord.media/academics-bypass-pins-for-mastercard-and-maestro-co… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Root-Kernel-Lücke bedroht IBMs Betriebssystem AIX ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit IBM AIX attackieren und sich Root-Rechte verschaffen. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-6176064 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (haproxy and libopenmpt), openSUSE (aws-cli, python-boto3, python-botocore,, dbus-1, and qemu), Oracle (rh-postgresql10-postgresql), Red Hat (compat-exiv2-023, compat-exiv2-026, exiv2, libsndfile, microcode_ctl, python27, rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and rh-python38), Scientific Linux (compat-exiv2-023 and compat-exiv2-026), SUSE (compat-openssl098), and Ubuntu (libssh, openssl, [...] --------------------------------------------- https://lwn.net/Articles/867636/ ∗∗∗ Johnson Controls Controlled Electronic Management Systems CEM Systems AC2000 ∗∗∗ --------------------------------------------- This advisory contains mitigation for an Improper Authorization vulnerability in Johnson Controls Controlled Electronic Management Systems CEM Systems AC2000, an enterprise access control and integrated security management system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-01 ∗∗∗ Annke Network Video Recorder ∗∗∗ --------------------------------------------- This advisory contains mitigation for a Stack-based Buffer Overflow vulnerability in the Annke N48PBB Network Video Recorder. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-02 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Password Hash with Insufficient Computational Effort, Incorrect Authorization, Unrestricted Upload of File with Dangerous Type, SQL Injection, and Cross-site Request Forgery vulnerabilities in the Delta Electronics DIAEnergie industrial energy management system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in Delta Electronics DOPSoft HMI editing software --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-04 ∗∗∗ SYSS-2021-035, SySS-2021-036, SySS-2021-037, SySS-2021-038, SySS-2021-039: Mehrere Schwachstellen im MIK.starlight-Server ∗∗∗ --------------------------------------------- Mehrere Funktionen im MIK.starlight-Server deserialisieren Daten auf unsichere Weise und erlauben einem Angreifer dadurch die Übernahme des Systems. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-035-syss-2021-036-syss-2021-037-… ∗∗∗ libssh: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0918 ∗∗∗ Authenticated RCE in BSCW Server ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authenticated-rce-in-… ∗∗∗ XML Tag Injection in BSCW Server ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/xml-tag-injection-in-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2021
by Daily end-of-shift report 26 Aug '21

26 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-08-2021 18:00 − Donnerstag 26-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Microsoft: ProxyShell bugs “might be exploited,” patch servers now! ∗∗∗ --------------------------------------------- Microsoft has finally published guidance today for the actively exploited ProxyShell vulnerabilities impacting multiple on-premises Microsoft Exchange versions. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-proxyshell-bugs-m… ∗∗∗ Valuable Datasets to Analyze Network Infrastructure | Part 3 ∗∗∗ --------------------------------------------- In the final installment of this series, learn about Passive DNS and how it works, explore valuable artifacts for investigations, and study our handy cheat sheet. --------------------------------------------- https://www.domaintools.com/resources/blog/valuable-datasets-to-analyze-net… ∗∗∗ Plug and Play: Adminrechte bekommt man auch mit Steelseries-Mäusen ∗∗∗ --------------------------------------------- Eine Maus einstecken und den dazugehörigen Installer für erweiterte Rechte ausnutzen: Das funktioniert bei Razer und auch bei Steelseries. --------------------------------------------- https://www.golem.de/news/plug-and-play-adminrechte-bekommt-man-auch-mit-st… ∗∗∗ Secure PLC Coding Practices ∗∗∗ --------------------------------------------- In the world of operational technology, programmable logic controllers (PLCs) control physical elements such as a municipal water supply system, the room temperature in offices or a chocolate bar packaging machine. --------------------------------------------- https://securityblog.switch.ch/2021/08/26/secure-plc-coding-practices/ ∗∗∗ Engineering Workstations Are Concerning Initial Access Vector in OT Attacks ∗∗∗ --------------------------------------------- Organizations that use industrial control systems (ICS) and other operational technology (OT) are increasingly concerned about cyber threats, and while they have taken steps to address risks, many don’t know if they have suffered a breach, according to a survey conducted by the SANS Institute on behalf of industrial cybersecurity firm Nozomi Networks. --------------------------------------------- https://www.securityweek.com/engineering-workstations-are-concerning-initia… ∗∗∗ Admin password re-use. Don’t do it ∗∗∗ --------------------------------------------- As a pentester, one of the most disappointing sights is see on a test is extensive local admin password reuse. I know others get excited as it means easy pwnage [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/admin-password-re-use-dont-do… ∗∗∗ Betrug mit angeblichen Nachrichten des Mobilfunkbetreibers ∗∗∗ --------------------------------------------- Erneut werden massenhaft betrügerische SMS ausgeschickt. Es soll sich um eine „Neue Nachricht des Mobilfunkbetreibers“ handeln. Für mehr Infos soll man einem Link folgen. Achtung: Der Link führt auf eine betrügerische Website mit Schadsoftware! Die Nachricht kommt nicht vom Netzbetreiber. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-angeblichen-nachrichten-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian: Kritische Sicherheitslücke in Confluence ∗∗∗ --------------------------------------------- Nutzer, die die Wiki-Software Confluence von Atlassian selbst hosten, sind zum Update aufgefordert --------------------------------------------- https://www.golem.de/news/atlassian-kritische-sicherheitsluecke-in-confluen… ∗∗∗ ZDI-21-1026: (0Day) D-Link DIR-2055 HNAP PrivateLogin Incorrect Implementation of Authentication Algorithm Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-2055 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1026/ ∗∗∗ ZDI-21-1025: (0Day) D-Link DIR-2055 HNAP Incorrect Comparison Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-2055 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1025/ ∗∗∗ Ethereum-Client Geth: Dringendes Update wegen schwerer Lücke ∗∗∗ --------------------------------------------- Eine schwerwiegende Lücke im verbreiteten Ethereum-Client Geth könnte damit betriebene Blockchain-Knoten lahmlegen. Eine gepatchte Version steht aber bereit. --------------------------------------------- https://heise.de/-6174832 ∗∗∗ Updates verfügbar: Cisco fixt unter anderem kritische Lücke in APIC & Cloud APIC ∗∗∗ --------------------------------------------- Für die Verwaltungskomponente von Ciscos Application Centric Infrastructure (ACI) und viele weitere Produkte stehen wichtige Aktualisierungen bereit. --------------------------------------------- https://heise.de/-6174789 ∗∗∗ Drupal: Updates sichern zwei Module gegen Angriffe ab ∗∗∗ --------------------------------------------- Die Module "Webform" und "Admin Toolbar" für das Content Management System Drupal waren unter bestimmten Voraussetzungen via Cross-Site-Scripting angreifbar. --------------------------------------------- https://heise.de/-6175086 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (community-mysql, containerd, dotnet3.1, dotnet5.0, perl-Encode, and tor), Mageia (gpsd), openSUSE (cacti, cacti-spine, go1.16, jetty-minimal, libmspack, mariadb, openexr, and tor), SUSE (aspell, jetty-minimal, libesmtp, mariadb, and unrar), and Ubuntu (firefox and mongodb). --------------------------------------------- https://lwn.net/Articles/867492/ ∗∗∗ Synology-SA-21:24 OpenSSL ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack or execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_24 ∗∗∗ Kaseya Unitrends update ∗∗∗ --------------------------------------------- Mid July 2021 we opened case DIVD-2021-00014 tracking multiple vulnerabilities in Kaseya Unitrends. These vulnerabilities consited of: An authenticated remote code execution vulnerability on the server, a privilege escaltion vulnerability from read-only user to admin on the server and a (yet) undisclosed vulnerability on the client [...] --------------------------------------------- https://csirt.divd.nl/2021/08/26/Kaseya-Unitrends-update/ ∗∗∗ Teamviewer: August Updates - Security Patches ∗∗∗ --------------------------------------------- https://community.teamviewer.com/English/discussion/117794/august-updates-s… ∗∗∗ Security Bulletin: CVE-2020-2773 (deferred from Oracle Apr 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2773-deferred-fr… ∗∗∗ VMSA-2021-0019 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0019.html ∗∗∗ PHOENIX CONTACT : Security Advisory for FL SWITCH SMCS series (UPDATE A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-023 ∗∗∗ HP OfficeJet: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0909 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.08.2021
by Daily end-of-shift report 25 Aug '21

25 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-08-2021 18:00 − Mittwoch 25-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Medizin: Sicherheitslücken in Infusionspumpen entdeckt ∗∗∗ --------------------------------------------- Medizinische Infusionspumpen versorgen Patienten mit Medikamenten. Können Angreifer unbemerkt die Dosis manipulieren, kann das schwere Folgen haben. --------------------------------------------- https://www.golem.de/news/medizin-sicherheitsluecken-in-infusionspumpen-ent… ∗∗∗ Sicherheitsupdates: Netzwerk-Equipment von F5 für Attacken anfällig ∗∗∗ --------------------------------------------- F5 hat mehrere gefährliche Sicherheitslücken in verschiedenen BIG-IP Appliances geschlossen. --------------------------------------------- https://heise.de/-6174378 ∗∗∗ Gefahr durch alte Schwachstellen ∗∗∗ --------------------------------------------- Trend Micro fordert Unternehmen dazu auf, sich bei ihren Patching-Maßnahmen auf die Schwachstellen zu fokussieren, von denen das größte Risiko für ihr Unternehmen ausgeht - auch wenn diese schon mehrere Jahre alt sind. Rund ein Viertel der im cyberkriminellen Untergrund gehandelten Exploits sind über drei Jahre alt. --------------------------------------------- https://www.zdnet.de/88396365/gefahr-durch-alte-schwachstellen/ ∗∗∗ Vorsicht vor angeblicher Ärztin aus Afghanistan, die Ihre Wohnung kaufen will! ∗∗∗ --------------------------------------------- Haben Sie derzeit eine Immobilie im Internet inseriert? Dann sollten Sie sich einer vermeintlichen Interessentin aus Afghanistan in Acht nehmen. Eine angebliche Ärztin schreibt derzeit willkürlich Menschen an, die eine Wohnung inseriert haben und gibt vor nach Europa ziehen zu wollen. Als Grund gibt sie an, dass sie unter den Taliban nicht als Ärztin arbeiten kann. Achtung Betrug! Hier nutzen Kriminelle die Not der Bevölkerung in Afghanistan aus. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-angeblicher-aerztin-aus… ∗∗∗ Ransomware gangs script shows exactly the files theyre after ∗∗∗ --------------------------------------------- A PowerShell script used by the Pysa ransomware operation gives us a sneak peek at the types of data they attempt to steal during a cyberattack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-show… ∗∗∗ FIN8 cybercrime gang backdoors US orgs with new Sardonic malware ∗∗∗ --------------------------------------------- A financially motivated cybercrime gang has breached and backdoored the network of a US financial organization with a new malware known dubbed Sardonic by Bitdefender researchers who first spotted it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fin8-cybercrime-gang-backdoo… ∗∗∗ There may be (many) more SPF records than we might expect, (Wed, Aug 25th) ∗∗∗ --------------------------------------------- The Sender Policy Framework (SPF[1]) is a simple but fairly powerful mechanism that may be used (ideally in connection with DKIM[2] and DMARC[3]) to combat phishing to some degree. Basically, it allows a domain name owner to publish a special DNS TXT record containing a list of servers that are authorized to send e-mails for that domain. --------------------------------------------- https://isc.sans.edu/diary/rss/27786 ∗∗∗ 7 Ways to Secure Magento 1 ∗∗∗ --------------------------------------------- While unpatched installations of Magento 2 contain many vulnerabilities, I’m going to focus my attention on Magento 1 for this article. This is because Magento 2 provides regularly updated patches for many of the most common vulnerabilities targeting the platform. While Magento 1 also contains patches for many known vulnerabilities, those patches are not currently maintained. Magento 1 reached its end-of-support on June 30, 2020. --------------------------------------------- https://blog.sucuri.net/2021/08/securing-magento-1.html ∗∗∗ RiskIQ Analysis Links EITest and Gootloader Campaigns, Once Thought to Be Disparate ∗∗∗ --------------------------------------------- As RiskIQ tracks malware families to identify infrastructure patterns and common threads between threat campaigns via our Internet Intelligence Graph, we often surface strong links between seemingly disparate threat campaigns. In the case of EITest and GootLoader, these campaigns may have turned out to be one and the same. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/eitest-gootloader/ ∗∗∗ The SideWalk may be as dangerous as the CROSSWALK ∗∗∗ --------------------------------------------- Meet SparklingGoblin, a member of the Winnti family --------------------------------------------- https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-c… ∗∗∗ CISA Releases Five Pulse Secure-Related MARs ∗∗∗ --------------------------------------------- As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed five malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following five malware analysis reports (MARs) for threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and review CISA’s Alert, Exploitation of Pulse Connect Secure Vulnerabilities, for more information. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/24/cisa-releases-fiv… ∗∗∗ North Korean BLUELIGHT Special: InkySquid Deploys RokRAT ∗∗∗ --------------------------------------------- In a recent blog post, Volexity disclosed details on a portion of the operations by a North Korean threat actor it tracks as InkySquid. This threat actor compromised a news portal to use recently patched browser exploits to deliver a custom malware family known as BLUELIGHT. This follow-up post describes findings from a recent investigation undertaken by Volexity in which the BLUELIGHT malware was discovered being delivered to a victim alongside RokRAT (aka DOGCALL). --------------------------------------------- https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-ink… ===================== = Vulnerabilities = ===================== ∗∗∗ BlackBerry QNX-2021-001 Vulnerability Affecting Cisco Products: August 2021 ∗∗∗ --------------------------------------------- On August 17, 2021, BlackBerry released a security advisory, QNX-2021-001, that disclosed an integer overflow vulnerability in the following BlackBerry software releases: - QNX Software Development Platform (SDP) - 6.5.0SP1 and earlier - QNX OS for Medical - 1.1 and earlier - QNX OS for Safety - 1.0.1 and earlier A successful exploit could allow an attacker to execute arbitrary code or cause a denial of service (DoS). --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Python Parser Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Update from August 25, 2021: Cisco found that this vulnerability was present in additional releases of Cisco NX-OS Software with the introduction of Python 3 support. For more information, see the Fixed Software section of this advisory. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2021-0018 ∗∗∗ --------------------------------------------- VMware vRealize Operations updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0018.html ∗∗∗ Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce ∗∗∗ --------------------------------------------- On July 30, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the [...] --------------------------------------------- https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulne… ∗∗∗ Nested Pages Patches Post Deletion Vulnerability ∗∗∗ --------------------------------------------- On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering. These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished [...] --------------------------------------------- https://www.wordfence.com/blog/2021/08/nested-pages-patches-post-deletion-v… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl), openSUSE (libspf2, openssl-1_0_0, and openssl-1_1), Oracle (libsndfile), SUSE (nodejs10, nodejs12, openssl, openssl-1_0_0, openssl-1_1, and openssl1), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/867354/ ∗∗∗ Hitachi ABB Power Grids TropOS ∗∗∗ --------------------------------------------- This advisory contains mitigations for Injection, Inadequate Encryption Strength, Missing Authentication for Critical Function, Improper Authentication, Improper Validation of Integrity Check Value, and Improper Input Validation vulnerabilities in Hitachi ABB Power Grids TropOS firmware. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-236-01 ∗∗∗ Hitachi ABB Power Grids Utility Retail Operations and CSB Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Retail Operations and Counterparty Settlement Billing (CSB) utility usage and billing software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-236-02 ∗∗∗ Delta Electronics TPEditor ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in Delta Electronics TPEditor programming software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-236-03 ∗∗∗ Vembu BDR Full Disclosure ∗∗∗ --------------------------------------------- On 15 May 2021 we published case DIVD-2020-00011, which dealt with four vulnerabilities in Vembu BDR and related products. These four vulnerabilities here confidentially reported to Vembu in November 2020 and again in Februari 2021. Current status: From recent scan data we know that the three most damaging vulnerabilities have practically seized to be present on the internet, therefore we have decided to release the full technical details on these vulnerabilities. --------------------------------------------- https://csirt.divd.nl/2021/08/25/Vembu-BDR-Full-Disclosure/ ∗∗∗ Xen Security Advisory CVE-2021-28700 / XSA-383 ∗∗∗ --------------------------------------------- xen/arm: No memory limit for dom0less domUs --------------------------------------------- https://xenbits.xen.org/xsa/advisory-383.html ∗∗∗ Xen Security Advisory CVE-2021-28699 / XSA-382 ∗∗∗ --------------------------------------------- inadequate grant-v2 status frames array bounds check --------------------------------------------- https://xenbits.xen.org/xsa/advisory-382.html ∗∗∗ Xen Security Advisory CVE-2021-28698 / XSA-380 ∗∗∗ --------------------------------------------- long running loops in grant table handling --------------------------------------------- https://xenbits.xen.org/xsa/advisory-380.html ∗∗∗ Xen Security Advisory CVE-2021-28697 / XSA-379 ∗∗∗ --------------------------------------------- grant table v2 status pages may remain accessible after de-allocation --------------------------------------------- https://xenbits.xen.org/xsa/advisory-379.html ∗∗∗ Xen Security Advisory CVE-2021-28694,CVE-2021-28695,CVE-2021-28696 / XSA-378 ∗∗∗ --------------------------------------------- IOMMU page mapping issues on x86 --------------------------------------------- https://xenbits.xen.org/xsa/advisory-378.html ∗∗∗ The installers of multiple Sony products may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN80288258/ ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0908 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2021
by Daily end-of-shift report 24 Aug '21

24 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 23-08-2021 18:00 − Dienstag 24-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Triada Trojan in WhatsApp MOD ∗∗∗ --------------------------------------------- We discovered that the Trojan Triada snook into one of modified versions of the WhatsApp messenger called FMWhatsapp 16.80.0 together with the advertising software development kit (SDK). --------------------------------------------- https://securelist.com/triada-trojan-in-whatsapp-mod/103679/ ∗∗∗ Effective Threat-Hunting Queries in a Redacted World ∗∗∗ --------------------------------------------- Chad Anderson, senior security researcher for DomainTools, demonstrates how seemingly disparate pieces of infrastructure information can form perfect fingerprints for tracking cyberattackers infrastructure. --------------------------------------------- https://threatpost.com/effective-threat-hunting-queries/168864/ ∗∗∗ Attackers Hunting For Twilio Credentials, (Tue, Aug 24th) ∗∗∗ --------------------------------------------- Twilio is a popular service used to send/receive SMS messages and phone calls. --------------------------------------------- https://isc.sans.edu/diary/rss/27782 ∗∗∗ Power-Apps-Portale von Microsoft: 38 Millionen Datensätze lagen offen ∗∗∗ --------------------------------------------- Sicherheitsforscher haben in Power-Apps-Portalen 38 Millionen Datensätze mit teils sensiblen Daten entdeckt – laut Microsoft aufgrund von Konfigurationsfehlern. --------------------------------------------- https://heise.de/-6173306 ∗∗∗ Vorsicht vor EU Compensation E-Mail! ∗∗∗ --------------------------------------------- Aktuell werden betrügerische E-Mails von „EU Compensation“ versendet. Eine ominöse europäische Behörde behauptet, Betrugsopfer mit einer hohen Geldsumme zu entschädigen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-eu-compensation-e-mail/ ∗∗∗ Ransomware Groups to Watch: Emerging Threats ∗∗∗ --------------------------------------------- Emerging ransomware groups to watch, according to Unit 42 researchers: AvosLocker, Hive Ransomware, HelloKitty and LockBit 2.0. --------------------------------------------- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ ∗∗∗ FBI sends its first-ever alert about a ‘ransomware affiliate’ ∗∗∗ --------------------------------------------- The US Federal Bureau of Investigations has published today its first-ever public advisory detailing the modus operandi of a "ransomware affiliate." --------------------------------------------- https://therecord.media/fbi-sends-its-first-ever-alert-about-a-ransomware-a… ===================== = Vulnerabilities = ===================== ∗∗∗ New zero-click iPhone exploit used to deploy NSO spyware ∗∗∗ --------------------------------------------- Digital threat researchers at Citizen Lab have uncovered a new zero-click iMessage exploit used to deploy NSO Groups Pegasus spyware on devices belonging to Bahraini activists. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/new-zero-click-iphone-exploit-u… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ledgersmb, tnef, and tor), Fedora (nodejs-underscore and tor), openSUSE (aws-cli, python-boto3, python-botocore,, fetchmail, firefox, and isync), SUSE (aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 and python-PyYAML), and Ubuntu (linux-aws-5.8, linux-azure-5.8, linux-gcp-5.8, linux-oracle-5.8). --------------------------------------------- https://lwn.net/Articles/867247/ ∗∗∗ [20210801] - Core - Insufficient access control for com_media deletion endpoint ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/861-20210801-core-insufficient… ∗∗∗ Security Bulletin: CVE-2020-2773 (deferred from Oracle Apr 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2773-deferred-fr… ∗∗∗ Security Bulletin: Apache CXF (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-publicly-discl… ∗∗∗ Security Bulletin: XStream (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xstream-publicly-disclose… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Update Secure Gateway Client in IBM DataPower Gateway to address several CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-update-secure-gateway-cli… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Resilient Disaster Recovery (DR) system allows connections over TLS 1.0 (CVE-2021-29704) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-disaster-re… ∗∗∗ Security Bulletin: CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14781-deferred-f… ∗∗∗ OpenSSL: SM2 Decryption Buffer Overflow (CVE-2021-3711) ∗∗∗ --------------------------------------------- https://openssl.org/news/secadv/20210824.txt ∗∗∗ Overview of F5 vulnerabilities (August 2021) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50974556 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2021
by Daily end-of-shift report 23 Aug '21

23 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-08-2021 18:00 − Montag 23-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ProxyShell: Massive Angriffswelle auf ungepatchte Exchange-Server ∗∗∗ --------------------------------------------- Die Lücken sind bekannt, Patches da - trotzdem sind tausende Exchange-Server angreifbar. Nun rollt eine massive Angriffswelle, die die Schwachstellen ausnutzt. --------------------------------------------- https://heise.de/-6171597 ∗∗∗ SynAck ransomware decryptor lets victims recover files for free ∗∗∗ --------------------------------------------- Emsisoft has released a decryptor for the SynAck Ransomware, allowing victims to decrypt their encrypted files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/synack-ransomware-decryptor-… ∗∗∗ Kubernetes hardening: Drilling down on the NSA/CISA guidance ∗∗∗ --------------------------------------------- Kubernetes has become the de facto choice for container orchestration. Some studies report that up to 88% of organizations are using Kubernetes for their container orchestration needs and 74% of that occurring in production environments. That said, security remains a critical concern with as many as 94% of organizations reporting at least one security incident in their Kubernetes environments in the last 12 months. --------------------------------------------- https://www.csoonline.com/article/3629049/kubernetes-hardening-drilling-dow… ∗∗∗ Gaming-related cyberthreats in 2020 and 2021 ∗∗∗ --------------------------------------------- In this report, you will find statistics and other information about gaming-related malware, phishing schemes and other threats in 2020 and the first half of 2021. --------------------------------------------- https://securelist.com/game-related-cyberthreats/103675/ ∗∗∗ Web Censorship Systems Can Facilitate Massive DDoS Attacks ∗∗∗ --------------------------------------------- Systems are ripe for abuse by attackers who can abuse systems to launch DDoS attacks. --------------------------------------------- https://threatpost.com/censorship-systems-ddos-attacks/168853/ ∗∗∗ Out of Band Phishing. Using SMS messages to Evade Network Detection, (Thu, Aug 19th) ∗∗∗ --------------------------------------------- Many companies have extensive security tools to monitor employee computers. But these precautions often fail for "out of band" access that uses cellular networks instead of Ethernet/WiFi networks. Our reader Isabella sent us this phishing email that they received: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27768 ∗∗∗ Researchers Detail Modus Operandi of ShinyHunters Cyber Crime Group ∗∗∗ --------------------------------------------- ShinyHunters, a notorious cybercriminal underground group thats been on a data breach spree since last year, has been observed searching companies GitHub repository source code for vulnerabilities that can be abused to stage larger scale attacks, an analysis of the hackers modus operandi has revealed. --------------------------------------------- https://thehackernews.com/2021/08/researchers-detail-modus-operandi-of.html ∗∗∗ Details Disclosed for Critical Vulnerability in Sophos Appliances ∗∗∗ --------------------------------------------- Organizations using security appliances from Sophos have been advised to make sure their devices are up to date after a researcher disclosed the details of a critical vulnerability patched last year. --------------------------------------------- https://www.securityweek.com/details-disclosed-critical-vulnerability-sopho… ∗∗∗ LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers ∗∗∗ --------------------------------------------- Previously unseen ransomware hit at least 10 organizations in ongoing campaign. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ===================== = Vulnerabilities = ===================== ∗∗∗ Das Anstecken einer Razer-Maus macht Angreifer zu Windows-10-Admins ∗∗∗ --------------------------------------------- Eine Schwachstelle in der Konfigurationssoftware Synapse von Razer gefährdet Windows-PCs. Ein Sicherheitspatch steht noch aus. --------------------------------------------- https://heise.de/-6171968 ∗∗∗ Attackers Actively Exploiting Realtek SDK Flaws ∗∗∗ --------------------------------------------- Multiple vulnerabilities in software used by 65 vendors under active attack. --------------------------------------------- https://threatpost.com/attackers-exploiting-realtek/168856/ ∗∗∗ Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems ∗∗∗ --------------------------------------------- Close to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the deployment of malicious web shells, coin miners, ransomware, and other trojans. Thats according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm Trend Micro, detailing the top [...] --------------------------------------------- https://thehackernews.com/2021/08/top-15-vulnerabilities-attackers.html ∗∗∗ Micropatching MSHTML Remote Code Execution Issue (CVE-2021-33742) ∗∗∗ --------------------------------------------- June 2021 Windows Updates brought a fix for CVE-2021-33742, a remote code execution in the MSHTML component, exploitable via Microsoft browsers and potentially other applications using this component, e.g. via a malicious Microsoft Word document. Discovery of this issue was attributed to Clément Lecigne of Google’s Threat Analysis Group, while Googles security researcher Maddie Stone wrote a detailed analysis. --------------------------------------------- https://blog.0patch.com/2021/08/micropatching-mshtml-remote-code.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, ircii, and scrollz), Fedora (kernel, krb5, libX11, and rust-actix-http), Mageia (kernel and kernel-linus), openSUSE (aspell, chromium, dbus-1, isync, java-1_8_0-openjdk, krb5, libass, libhts, libvirt, prosody, systemd, and tor), SUSE (cpio, dbus-1, libvirt, php7, qemu, and systemd), and Ubuntu (inetutils). --------------------------------------------- https://lwn.net/Articles/867149/ ∗∗∗ Planned Vembu Full Disclosure ∗∗∗ --------------------------------------------- If you are using Vembu BDR version 3.7.0, 3.9.1 Update 1, 4.2.0 or 4.2.0.1 and have your instances exposed to public internet, you are strongly advices to upgrade to Vembu BDR v4.2.0.2. On the 25th of August we plan to release the full details of the following CVEs: CVE-2021-26471, CVE-2021-26472, and CVE-2021-26473 All of these vulnerabilities are unauthenticated remote code execution vulnerabilities. --------------------------------------------- https://csirt.divd.nl/2021/08/20/Planned-Vembu-Full-Disclosure/ ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ F-Secure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0898 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.08.2021
by Daily end-of-shift report 20 Aug '21

20 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-08-2021 18:00 − Freitag 20-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Securing Machine (Non-Human) Identities ∗∗∗ --------------------------------------------- We spend considerable time and focus on securing identities used by individuals and groups within our environment. While these are essential activities, we sometimes lose sight of a whole other set of identities, often highly privileged, that are just beneath the surface. --------------------------------------------- https://www.beyondtrust.com/blog/entry/securing-machine-non-human-identities ∗∗∗ You can post LinkedIn jobs as almost ANY employer — so can attackers ∗∗∗ --------------------------------------------- Anyone can create a job listing on the leading recruitment platform LinkedIn on behalf of any employer—no verification needed. And worse, the employer cannot easily take these down. --------------------------------------------- https://www.bleepingcomputer.com/news/security/you-can-post-linkedin-jobs-a… ∗∗∗ Pegasus iPhone hacks used as lure in extortion scheme ∗∗∗ --------------------------------------------- A new extortion scam is underway that attempts to capitalize on the recent Pegasus iOS spyware attacks to scare people into paying a blackmail demand. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pegasus-iphone-hacks-used-as… ∗∗∗ Waiting for the C2 to Show Up, (Fri, Aug 20th) ∗∗∗ --------------------------------------------- Keep this in mind: "Patience is key". Sometimes when you are working on a malware sample, you depend on online resources. I'm working on a classic case: a Powershell script decodes then injects a shellcode into a process. --------------------------------------------- https://isc.sans.edu/diary/rss/27772 ∗∗∗ Project Zero: Understanding Network Access in Windows AppContainers ∗∗∗ --------------------------------------------- Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/08/understanding-network-access… ∗∗∗ Gefährliche Liebschaften – Love Scammer brechen nicht nur Herzen ∗∗∗ --------------------------------------------- Mit diesen Maschen versuchen Online-Betrüger Geld aus der Partnersuche auf Dating-Plattformen herauszuschlagen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/08/19/gefaehrliche-liebschaften… ∗∗∗ How to install Frida into an Android application ∗∗∗ --------------------------------------------- On a recent job I was testing a rather interesting piece of technology that had several server side checks but they wanted to add some additional security on the client side. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-install-frida-into-an-… ∗∗∗ Unternehmen aufgepasst: Ignorieren Sie Fax von Branchen-Stadtplan! ∗∗∗ --------------------------------------------- UnternehmerInnen erhalten derzeit ein Fax von „Branchen-Stadtplan. Handel – Gewerbe – Industrie – Vereine & Co.“. Die Unternehmen werden aufgefordert ihre Firmendaten zu überprüfen oder zu ergänzen und das Fax unterschrieben zurückzusenden. --------------------------------------------- https://www.watchlist-internet.at/news/unternehmen-aufgepasst-ignorieren-si… ∗∗∗ RansomClave project uses Intel SGX enclaves for ransomware attacks ∗∗∗ --------------------------------------------- Academics have developed a proof-of-concept ransomware strain that uses highly secure Intel SGX enclaves to hide and keep encryption keys safe from the prying eyes of security tools. --------------------------------------------- https://therecord.media/ransomclave-project-uses-intel-sgx-enclaves-for-ran… ∗∗∗ Cloudflare says it mitigated a record-breaking 17.2M rps DDoS attack ∗∗∗ --------------------------------------------- Internet infrastructure company Cloudflare disclosed today that it mitigated the largest volumetric distributed denial of service (DDoS) attack that was recorded to date. --------------------------------------------- https://therecord.media/cloudflare-says-it-mitigated-a-record-breaking-17-2… ∗∗∗ Mozi botnet gains the ability to tamper with its victims’ traffic ∗∗∗ --------------------------------------------- A new version of Mozi, a botnet that targets routers and IoT devices, is now capable of tampering with the web traffic of infected systems via techniques such as DNS spoofing and HTTP session hijacking, a capability that could be abused to redirect users to malicious sites. --------------------------------------------- https://therecord.media/mozi-botnet-gains-the-ability-to-tamper-with-its-vi… ===================== = Vulnerabilities = ===================== ∗∗∗ New unofficial Windows patch fixes more PetitPotam attack vectors ∗∗∗ --------------------------------------------- A second unofficial patch for the Windows PetitPotam NTLM relay attack has been released to fix further issues not addressed by Microsofts official security update. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-unofficial-windows-patch… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libtpms and mingw-exiv2), openSUSE (389-ds, aspell, c-ares, fetchmail, firefox, go1.15, go1.16, haproxy, java-1_8_0-openjdk, krb5, libass, libmspack, libsndfile, openexr, php7, qemu, and tor), Oracle (compat-exiv2-023 and compat-exiv2-026), and SUSE (389-ds, aspell, djvulibre, fetchmail, firefox, go1.15, go1.16, java-1_8_0-openjdk, krb5, libass, libmspack, nodejs8, openexr, postgresql10, qemu, and spice-vdagent). --------------------------------------------- https://lwn.net/Articles/866906/ ∗∗∗ AVEVA SuiteLink Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for Heap-based Buffer Overflow, Null Pointer Dereference, and Improper Handling of Exceptional Conditions vulnerabilities in AVEVA SuiteLink Server system management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-231-01 ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Synology-SA-21:23 ISC BIND ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_23 ∗∗∗ MISP: Schwachstelle ermöglicht SQL-Injection ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0894 ∗∗∗ Mehrere Schwachstellen in NetModule Router Software (NRSW) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2021
by Daily end-of-shift report 19 Aug '21

19 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-08-2021 18:00 − Donnerstag 19-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cisco meldet gefährliche Remote-Angriffsmöglichkeiten auf Small Business-Router ∗∗∗ --------------------------------------------- Ein aktuelles Advisory von Cisco beschreibt eine kritische Sicherheitslücke, die mehrere Small Business-Router betrifft. Updates wird es nicht geben. --------------------------------------------- https://heise.de/-6169343 ∗∗∗ Ransomware-Attacken nehmen dramatisch zu ∗∗∗ --------------------------------------------- Mehr Ransomware-Angriffe, höhere Lösegeldforderungen und eine effizientere Verteilung - die Entwicklung der Datenerpressungsbranche ist besorgniserregend. --------------------------------------------- https://heise.de/-6169583 ∗∗∗ A Short History of Essay Spam (How We Got from Pills to Plagiarism) ∗∗∗ --------------------------------------------- >From answering beginner questions like 'What is SEO spam?' to breaking down the spammers' code and exactly how they hide their injections in compromised websites, we have written regularly about spam at Sucuri. If you’ve ever operated a WordPress website you will have certainly seen, at the very least, a litany of spam comments posted on your comments section. --------------------------------------------- https://blog.sucuri.net/2021/08/a-short-history-of-essay-spam-how-we-got-fr… ∗∗∗ Oh, Behave! Figuring Out User Behavior ∗∗∗ --------------------------------------------- I decided to embark on a journey to understand user behavior without knowing exactly how I would gather details about user activity as a research topic. A major component of this research is finding a way to gather data on user behavior without making too much noise or triggering detections in a live environment. --------------------------------------------- https://www.trustedsec.com/blog/oh-behave-figuring-out-user-behavior/ ∗∗∗ How to spot a DocuSign phish and what to do about it ∗∗∗ --------------------------------------------- Phishing scammers love well known brand names, particularly if youre expecting to hear from them. --------------------------------------------- https://blog.malwarebytes.com/social-engineering/2021/08/how-to-spot-a-docu… ∗∗∗ Health authorities in 40 countries targeted by COVID‑19 vaccine scammers ∗∗∗ --------------------------------------------- Fraudsters impersonate vaccine manufacturers and authorities overseeing vaccine distribution efforts, INTERPOL warns --------------------------------------------- https://www.welivesecurity.com/2021/08/18/health-authorities-40-countries-t… ∗∗∗ CISA Provides Recommendations for Protecting Information from Ransomware-Caused Data Breaches ∗∗∗ --------------------------------------------- CISA has released the fact sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches to address the increase in malicious cyber actors using ransomware to exfiltrate data and then threatening to sell or leak the exfiltrated data if the victim does not pay the ransom. These data breaches, often involving sensitive or personal information, can cause financial loss to the victim organization and erode customer trust. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/18/cisa-provides-rec… ∗∗∗ Cisco: Security devices are vulnerable to SNIcat data exfiltration technique ∗∗∗ --------------------------------------------- Networking equipment vendor Cisco said today that some of its security products fail to detect and stop traffic to malicious servers that abuse a technique called SNIcat to covertly steal data from inside corporate networks. --------------------------------------------- https://therecord.media/cisco-security-devices-are-vulnerable-to-snicat-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2021-08-18 ∗∗∗ --------------------------------------------- 2 critical, 5 medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ SSA-816035: Code Execution Vulnerability in SINEMA Remote Connect Client ∗∗∗ --------------------------------------------- The latest update for SINEMA Remote Connect Client fixes a vulnerability that could allow a local attacker to escalate privileges or even allow remote code execution under certain circumstances. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-816035.txt ∗∗∗ VMSA-2021-0017 ∗∗∗ --------------------------------------------- VMware Workspace ONE UEM console patches address a denial of service vulnerability (CVE-2021-22029) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (exiv2, firefox, and thunderbird), Fedora (libsndfile, python-docx, and xscreensaver), openSUSE (haproxy), and SUSE (haproxy). --------------------------------------------- https://lwn.net/Articles/866753/ ∗∗∗ Positive Technologies helps to fix dangerous vulnerability in CODESYS ICS software ∗∗∗ --------------------------------------------- [...] This high-severity vulnerability (CVE-2021-36764) was discovered in the CODESYS V3 Runtime System software package (version 3.15.9.10). By exploiting it, an attacker can disable the PLC and disrupt the technological process. The vulnerability (NULL Pointer Dereference) was found in the CmpGateway component. An attacker with network access to the industrial controller can send a specially formed TCP packet and interrupt the operation of the PLC. Also, it has been found that this software contains another vulnerability (Local Privilege Escalation), which is currently being reviewed by the vendor. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/positive-technologies-helps-to-… ∗∗∗ Red Hat JBoss Enterprise Application Platform: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0892 ∗∗∗ Internet Systems Consortium BIND: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0890 ∗∗∗ Kritische Schwachstellen in Altus Sistemas de Automacao Produkten ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/kritische-schwachstel… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Apache HttpClient ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Linux kernel eBPF vulnerability CVE-2021-3490 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43346111 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2021
by Daily end-of-shift report 18 Aug '21

18 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-08-2021 18:00 − Mittwoch 18-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kritische Lücke in Blackberry QNX OS gefährdet medizinische Geräte ∗∗∗ --------------------------------------------- Blackberry hat in seinem Echtzeitbetriebssystem QNX einer gefährliche Schwachstelle geschlossen. --------------------------------------------- https://heise.de/-6168793 ∗∗∗ Kritische Sicherheitslücke: Angreifer könnten Millionen IoT-Geräte belauschen ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor einer Schwachstelle, die etwa Millionen Babyphones und IP-Kameras gefährdet. Geräte lassen sich nicht ohne Weiteres schützen. --------------------------------------------- https://heise.de/-6168381 ∗∗∗ Fortinet: Wichtiges Sicherheitsupdate für FortiWeb OS in Vorbereitung ∗∗∗ --------------------------------------------- Für eine Lücke mit High-Einstufung liegt Exploit-Code vor, Fixes kommen aber erst Ende August. Betreiber von FortiWeb WAFs sollten Vorsichtsmaßnahmen treffen. --------------------------------------------- https://heise.de/-6168205 ∗∗∗ Vorsicht! Kostenloses Antivirenprogramm „Total AV“ entpuppt sich als Kostenfalle ∗∗∗ --------------------------------------------- Immer wieder melden uns verunsicherte LeserInnen das Antivirenprogramm „Total AV“. Der Grund dafür sind nicht-transparente Kosten sowie Probleme beim Kündigen des Abo-Vertrags. Gleichzeitig wird „Total AV“ auf vielen Seiten als das beste kostenlose Antivirenprogramm beworben. Wir haben uns das Programm genauer angesehen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-kostenloses-antivirenprogra… ∗∗∗ Sicherheitswarnung für Synology DiskStation Manager und UC SkyNAS ∗∗∗ --------------------------------------------- Der Hersteller Synology hat eine Sicherheitswarnung für seinen DiskStation Manager (Version <6.2.4-25556-2 ; 7.0) herausgegeben. In der Firmware der Geräte gibt es gleich mehrere Sicherheitslücken. Gefährdet sind auch UC SkyNAS-Einheiten. Von Synology gibt es bereits erste Firmware-Updates. Von der Ransomware eCh0raix gibt es eine neue Variante, die einen neuen Bug in QNAP und Synology NAS Devices ausnutzen kann. --------------------------------------------- https://www.borncity.com/blog/2021/08/18/sicherheitswarnung-fr-synology-dis… ∗∗∗ Diavol ransomware sample shows stronger connection to TrickBot gang ∗∗∗ --------------------------------------------- A new analysis of a Diavol ransomware sample shows a more clear connection with the gang behind the TrickBot botnet and the evolution of the malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-sho… ∗∗∗ Kerberos Authentication Spoofing: Don’t Bypass the Spec ∗∗∗ --------------------------------------------- Yaron Kassner, CTO at Silverfort, discusses authentication-bypass bugs in Cisco ASA, F5 Big-IP, IBM QRadar and Palo Alto Networks PAN-OS. --------------------------------------------- https://threatpost.com/kerberos-authentication-spoofing/168767/ ∗∗∗ 5 Things to Consider Before Moving Back to the Office, (Wed, Aug 18th) ∗∗∗ --------------------------------------------- Many readers will likely continue to enjoy working from home. Having not worked out of an office for about 20 years myself, I can certainly understand the appeal of working from home. But for some, this isn't an option and probably not even the preferred way to work. Having likely worked from home for over a year now, there are some things that you need to "readjust" as you are moving back. --------------------------------------------- https://isc.sans.edu/diary/rss/27762 ∗∗∗ Detecting Embedded Content in OOXML Documents ∗∗∗ --------------------------------------------- On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents - specifically those in the Office Open XML (OOXML) file format. Additionally, we’re releasing a tool so analysts and defenders can automatically generate YARA rules using this technique. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/08/detecting-embedded-con… ∗∗∗ WordPress Malware Camouflaged As Code ∗∗∗ --------------------------------------------- In today’s post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker’s goal is to make everything look routine to an analyst so that they do not dig deeper and discover the presence of malware and what it is doing. --------------------------------------------- https://www.wordfence.com/blog/2021/08/wordpress-malware-camouflaged-as-cod… ∗∗∗ IT Risk Team Discovers Previously Unknown Vulnerability in Autodesk Software During Client Penetration Test ∗∗∗ --------------------------------------------- During a recent client engagement, the DGC penetration testing team identified a previously unknown vulnerability affecting the Autodesk Licensing Service, a software component bundled with nearly all licensed Autodesk products. The vulnerability exists in a software component common to most Autodesk products and impacts nearly all organizations using licensed Autodesk software in any capacity. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/risk-te… ∗∗∗ Houdini Malware Returns and Amazons Sidewalk Enter Corporate Networks ∗∗∗ --------------------------------------------- The nature of a secure access service edge (SASE) platform provides visibility into a large number of internet data flows - and the larger the platform, the more dataflows can be analyzed. An analysis of more than 250 billion network flows during Q2 2021 shows increasing threats, a new use of an old malware, and the growing incidence of consumer devices in the workplace. --------------------------------------------- https://www.securityweek.com/houdini-malware-returns-and-amazons-sidewalk-e… ∗∗∗ Breaking the Android Bootloader on the Qualcomm Snapdragon 660 ∗∗∗ --------------------------------------------- This post is a companion to the DEF CON 29 video available here. A few months ago I purchased an Android phone to do some research around a specific series [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/breaking-the-android-bootload… ∗∗∗ Dumpster diving is a filthy business ∗∗∗ --------------------------------------------- One man's trash is another man's treasure - here's why you should think twice about what you toss in the recycling bin --------------------------------------------- https://www.welivesecurity.com/2021/08/17/dumpster-diving-is-filthy-busines… ∗∗∗ Cobalt Strike: Detect this Persistent Threat ∗∗∗ --------------------------------------------- Cobalt Strike is a penetration testing tool created by Raphael Mudge in 2012. To this day, it remains extremely popular in red team activities and used for malicious purposes by threat actors. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-per… ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe sichert Photoshop & Co. außer der Reihe ab ∗∗∗ --------------------------------------------- Der Softwarehersteller Adobe schließt unter anderem in Bridge, Media Encoder und XMP Toolkit SDK Sicherheitslücken. --------------------------------------------- https://heise.de/-6168132 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy), Fedora (c-ares, hivex, kernel, libtpms, newsflash, python-django, rust-gettext-rs, and rust-gettext-sys), openSUSE (c-ares and libsndfile), Scientific Linux (cloud-init, edk2, exiv2, firefox, kernel, kpatch-patch, microcode_ctl, sssd, and thunderbird), SUSE (c-ares, fetchmail, haproxy, kernel, libmspack, libsndfile, rubygem-puma, spice-vdagent, and webkit2gtk3), and Ubuntu (exiv2, haproxy, linux, linux-aws, linux-aws-5.4, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/866669/ ∗∗∗ ThroughTek Kalay P2P SDK ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Access Control vulnerability in the ThroughTek Kalay P2P SDK software kit. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01 ∗∗∗ Advantech WebAccess/NMS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Authentication vulnerability in Advantech WebAccess/NMS network management systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02 ∗∗∗ xArrow SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cross-site Scripting, and Improper Input Validation vulnerability in the xArrow SCADA human-machine interface. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-03 ∗∗∗ Huawei EchoLife HG8045Q vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN41646618/ ∗∗∗ Firefox & Thunderbird: Security-Fixes für Browser und Mail-Client verfügbar ∗∗∗ --------------------------------------------- https://heise.de/-6168771 ∗∗∗ glibc vulnerability CVE-2021-35942 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K98121587 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0880 ∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0885 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2021
by Daily end-of-shift report 17 Aug '21

17 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 16-08-2021 18:00 − Dienstag 17-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Malware dev infects own PC and data ends up on intel platform ∗∗∗ --------------------------------------------- A malware developer unleashed their creation on their system to try out new features and the data ended up on a cybercrime intelligence platform, exposing a glimpse of the cybercriminal endeavor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-dev-infects-own-pc-a… ∗∗∗ Copyright scammers turn to phone numbers instead of web links ∗∗∗ --------------------------------------------- Forewarned is forearmed. Here's our advice on dealing with "copyright infringement" scammers. --------------------------------------------- https://nakedsecurity.sophos.com/2021/08/16/copyright-scammers-turn-to-phon… ∗∗∗ Laravel (<=v8.4.2) exploit attempts for CVE-2021-3129 (debug mode: Remote code execution), (Tue, Aug 17th) ∗∗∗ --------------------------------------------- The vulnerability and this PoC exploit are well documented as CVE-2021-3129. The vulnerability takes advantage of the Ignition "Solutions." Solutions enable the developer to inject code snippets to aid in debugging. --------------------------------------------- https://isc.sans.edu/diary/rss/27758 ∗∗∗ Vorsicht vor Fake-Zahlungsbestätigungen von Kriminellen auf bazar.at ∗∗∗ --------------------------------------------- Wer auf bazar.at Waren zum Verkauf anbietet, muss sich momentan vor kriminellen InteressentInnen in Acht nehmen! Diese fragen nach der Verfügbarkeit und behaupten, die Zahlung über bazar.at abzuwickeln. Achtung: bazar.at bietet keine solche Zahlungsart und die Bestätigungsseiten sind gefälscht! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-zahlungsbestaetigu… ∗∗∗ Thoughts on Detection ∗∗∗ --------------------------------------------- After helping with many clients with numerous detection rules, I observed one consistent theme that kept popping up, many of the rules were written in a way that seemed to be missing a large portion of the potential detection opportunities. --------------------------------------------- https://posts.specterops.io/thoughts-on-detection-3c5cab66f511 ∗∗∗ 1Password Secret Retrieval — Methodology and Implementation ∗∗∗ --------------------------------------------- 1Password is a password manager developed by AgileBits Inc., providing a place for users to store various passwords, software licenses, and other sensitive information in a virtual vaults secured with a PBKDF2 master password. --------------------------------------------- https://posts.specterops.io/1password-secret-retrieval-methodology-and-impl… ∗∗∗ Personal VPN and Its Evasions: Risk Factors and How to Maintain Network Visibility ∗∗∗ --------------------------------------------- Personal VPN usage on organizations’ networks can obscure network visibility and open the door to cybercrime such as data exfiltration. --------------------------------------------- https://unit42.paloaltonetworks.com/person-vpn-network-visibility/ ∗∗∗ ProxyShell in Österreich ∗∗∗ --------------------------------------------- In seinem Talk auf der BlackHat US 2021 stellte Sicherheitsforscher Orange Tsai eine weitere Kombination von Lücken vor, die es AngreiferInnen ermöglicht, beliebige Befehle als NT Authority\System über das Netzwerk auszuführen, ohne sich authentifizieren zu müssen. --------------------------------------------- https://cert.at/de/aktuelles/2021/8/proxyshell-in-osterreich ∗∗∗ New HolesWarm botnet targets Windows and Linux servers ∗∗∗ --------------------------------------------- A new botnet named HolesWarm has been slowly growing in the shadows since June this year, exploiting more than 20 known vulnerabilities to break into Windows and Linux servers and then deploy cryptocurrency-mining malware. --------------------------------------------- https://therecord.media/new-holeswarm-botnet-targets-windows-and-linux-serv… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet patches bug letting attackers takeover servers remotely ∗∗∗ --------------------------------------------- Fortinet has released security updates to address a command injection vulnerability that can let attackers take complete control of servers running vulnerable FortiWeb web application firewall (WAF) installations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-patches-bug-letting… ∗∗∗ Security: Glibc-Bugfix machte Lücke einfacher ausnutzbar ∗∗∗ --------------------------------------------- Das Beheben von Sicherheitslücken ist nicht immer so einfach, wie es anfangs scheint, was nun auch das Team der Glibc erfahren musste. --------------------------------------------- https://www.golem.de/news/security-glibc-bugfix-machte-luecke-einfacher-aus… ∗∗∗ ZDI-21-971: (Pwn2Own) Zoom Heap based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zoom Clients. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-971/ ∗∗∗ Sicherheitsupdate für Google Chrome beseitigt Angriffsmöglichkeiten ∗∗∗ --------------------------------------------- Für die Desktop-Fassungen des Chrome-Browsers (Win, macOS & Linux) ist eine Aktualisierung verfügbar, die mehrere Schwachstellen beseitigt. --------------------------------------------- https://heise.de/-6167542 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox), openSUSE (cpio and rpm), Oracle (compat-exiv2-026, exiv2, firefox, kernel, kernel-container, qemu, sssd, and thunderbird), Red Hat (cloud-init, edk2, kernel, kpatch-patch, microcode_ctl, and sssd), and SUSE (cpio, firefox, and libcares2). --------------------------------------------- https://lwn.net/Articles/866567/ ∗∗∗ Millions of IoT Devices Exposed to Attacks Due to Cloud Platform Vulnerability ∗∗∗ --------------------------------------------- Researchers at FireEye’s threat intelligence and incident response unit Mandiant have identified a critical vulnerability that exposes millions of IoT devices to remote attacks. --------------------------------------------- https://www.securityweek.com/millions-iot-devices-exposed-attacks-due-cloud… ∗∗∗ iCloud for Windows 12.5 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212607 ∗∗∗ Security Bulletin: Vulnerabilities in Node.js in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities (CVE-2020-1971, CVE-2020-15999, CVE-2017-12652) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM DataPower Gateway potentially vulnerable to CSRF attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-pot… ∗∗∗ Security Bulletin: IBM API Connect on cloud is impacted by HTTP header injection vulnerability (CVE-2020-4706) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-on-cloud-… ∗∗∗ Security Bulletin: Prototype pollution flaw in y18n in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-prototype-pollution-flaw-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by a vulnerability in Golang (CVE-2021-27919) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Multiple vulnerabilities in AngularJS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Potential DoS in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-dos-in-ibm-data… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to a DoS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Synology-SA-21:22 DSM ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_22 ∗∗∗ Apache HTTP Server: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0878 ∗∗∗ Integer Overflow to RCE — ManageEngine Asset Explorer Agent (CVE-2021–20082) ∗∗∗ --------------------------------------------- https://medium.com/tenable-techblog/integer-overflow-to-rce-manageengine-as… ∗∗∗ Stored XSS to RCE Chain as SYSTEM in ManageEngine ServiceDesk Plus ∗∗∗ --------------------------------------------- https://medium.com/tenable-techblog/stored-xss-to-rce-chain-as-system-in-ma… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2021
by Daily end-of-shift report 16 Aug '21

16 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-08-2021 18:00 − Montag 16-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Keine Panik nach Ransomware-Angriff ∗∗∗ --------------------------------------------- Sieben Maßnahmen, die Opfer während oder nach einem erfolgreichen Ransomware-Angriff ergreifen sollten, schildert Daniel Clayton, Vice President of Global Services and Support bei Bitdefender, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88396234/keine-panik-nach-ransomware-angriff/ ∗∗∗ USA: 100 Millionen T-Mobile-Kunden von Datenleck betroffen ∗∗∗ --------------------------------------------- Kriminelle haben Server von T-Mobile gehackt und umfangreiche Kundendaten kopiert. Diese bieten sie nun zum Verkauf an. --------------------------------------------- https://www.golem.de/news/usa-100-millionen-t-mobile-kunden-von-datenleck-b… ∗∗∗ Microsoft Teams korrekt absichern – Teil 2 ∗∗∗ --------------------------------------------- Wie die Absicherung der beliebten Kollaborations-Software am besten gelingt, schildert Bert Skorupski, Senior Manager Sales Engineering bei Quest Software, im zweiten Teil seines Gastbeitrages. --------------------------------------------- https://www.zdnet.de/88396232/microsoft-teams-korrekt-absichern-teil-2/ ∗∗∗ Firewalls and middleboxes can be weaponized for gigantic DDoS attacks ∗∗∗ --------------------------------------------- In an award-winning paper today, academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks against any target on the internet. --------------------------------------------- https://therecord.media/firewalls-and-middleboxes-can-be-weaponized-for-gig… ∗∗∗ The sextortion Scams: The Numbers Show That What We Have Is A Failure Of Education ∗∗∗ --------------------------------------------- Subject: Your account was under attack! Change your credentials! [...] Did you receive a message phrased more or less like that, which then went on to say that they have a video of you performing an embarrasing activity while visiting an "adult" site, which they will send to all your contacts unless you buy Bitcoin and send to a specific ID? The good news is that the video does not exist. I know this, because neither does our friend Adnan here. --------------------------------------------- https://bsdly.blogspot.com/2020/02/the-sextortion-scams-numbers-show-that.h… ∗∗∗ Windows 365 exposes Microsoft Azure credentials in plaintext ∗∗∗ --------------------------------------------- A security researcher has figured out a way to dump a users unencrypted plaintext Microsoft Azure credentials from Microsofts new Windows 365 Cloud PC service using Mimikatz. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-365-exposes-microso… ∗∗∗ Colonial Pipeline reports data breach after May ransomware attack ∗∗∗ --------------------------------------------- Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to individuals affected by the data breach resulting from the DarkSide ransomware attack that hit its network in May. --------------------------------------------- https://www.bleepingcomputer.com/news/security/colonial-pipeline-reports-da… ∗∗∗ Simple Tips For Triage Of MALWARE Bazaars Daily Malware Batches, (Sun, Aug 15th) ∗∗∗ --------------------------------------------- I was asked for tips to triage MALWARE Bazaar's daily malware batches. On Linux / macOS, you can unzip a malware batch and triage it with the file command. There is no file command on Windows, but there are Windows versions you can install, and you can also use my file-magic tool (it's a Python tool that uses Python module python-magic-bin). --------------------------------------------- https://isc.sans.edu/diary/rss/27750 ∗∗∗ Discovering CAPTCHA Protected Phishing Campaigns ∗∗∗ --------------------------------------------- CAPTCHA-protected phishing campaigns are becoming more popular. We share techniques to detect malicious content despite these evasions. --------------------------------------------- https://unit42.paloaltonetworks.com/captcha-protected-phishing/ ∗∗∗ Trickbot Deploys a Fake 1Password Installer ∗∗∗ --------------------------------------------- Over the past years, Trickbot has established itself as modular and multifunctional malware. Initially focusing on bank credential theft, the Trickbot operators have extended its capabilities. --------------------------------------------- https://thedfirreport.com/2021/08/16/trickbot-deploys-a-fake-1password-inst… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisories for COMMAX Products ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5667.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5666.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5664.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5662.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5660.php --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ Advisory: Multiple Issues in Realtek SDK Affects Hundreds of Thousands of Devices Down the Supply Chain ∗∗∗ --------------------------------------------- At least 65 vendors affected by severe vulnerabilities that enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. --------------------------------------------- https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot… ∗∗∗ XSS Vulnerability Patched in SEOPress Affects 100,000 sites ∗∗∗ --------------------------------------------- On July 29, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in SEOPress, a WordPress plugin installed on over 100,000 sites. This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the [...] --------------------------------------------- https://www.wordfence.com/blog/2021/08/xss-vulnerability-patched-in-seopres… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (c-ares, firefox, fossil, gitlab, jupyterlab, loki, lynx, opera, prosody, and vivaldi), Debian (amd64-microcode, exiv2, ffmpeg, thunderbird, and trafficserver), Fedora (libsndfile, rust-argh, rust-argh_derive, rust-argh_shared, rust-askalono-cli, rust-asyncgit, rust-bugreport, rust-crosstermion, rust-diskonaut, rust-dua-cli, rust-fancy-regex, rust-fedora-update-feedback, rust-filetreelist, rust-git-version, rust-git-version-macro, rust-gitui, [...] --------------------------------------------- https://lwn.net/Articles/866473/ ∗∗∗ PEPPERL+FUCHS: WirelessHART-Gateway - Vulnerability may allow remote attackers to cause a Denial Of Service ∗∗∗ --------------------------------------------- PEPPERL+FUCHS: Critical vulnerabilities have been discovered in the product and in the utilized components jQuery by jQuery Team and TLS Version 1.0/1.1. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-027 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Transparent Cloud Tiering is affected by a vulnerability in Apache Commons IO ( CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-cloud-tie… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.08.2021
by Daily end-of-shift report 13 Aug '21

13 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-08-2021 18:00 − Freitag 13-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Angreifer kombinieren ProxyShell-Lücken und attackieren Microsoft Exchange ∗∗∗ --------------------------------------------- Nach gezielten Scans gibt es nun erste Attacken auf Exchange Server. In Deutschland gibt es tausende verwundbare Systeme. Patches sind verfügbar. --------------------------------------------- https://heise.de/-6164957 ∗∗∗ Unseriöse Shops kopieren Webseiten von beliebten Schuhmarken! ∗∗∗ --------------------------------------------- Wer Dr. Marten- oder Skecher-Schuhe in einem Online-Shop kaufen will, sollte sich vorher vergewissern, ob der Shop auch seriös ist. Denn derzeit werden der Watchlist Internet vermehrt Markenfälscher-Shops gemeldet, die unglaublich günstige Markenschuhe anbieten. Wenn das Impressum fehlt und die Schuhe zu unglaublichen Preisen angeboten werden, sollten Sie lieber Abstand von einem Einkauf nehmen. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-shops-kopieren-webseiten-… ∗∗∗ SynAck ransomware releases decryption keys after El_Cometa rebrand ∗∗∗ --------------------------------------------- The SynAck ransomware gang released the master decryption keys for their operation after rebranding as the new El_Cometa group. --------------------------------------------- https://www.bleepingcomputer.com/news/security/synack-ransomware-releases-d… ∗∗∗ WordPress Sites Abused in Aggah Spear-Phishing Campaign ∗∗∗ --------------------------------------------- The Pakistan-linked threat groups campaign uses compromised WordPress sites to deliver the Warzone RAT to manufacturing companies in Taiwan and South Korea. --------------------------------------------- https://threatpost.com/aggah-wordpress-spearphishing/168657/ ∗∗∗ Example of Danabot distributed through malspam, (Fri, Aug 13th) ∗∗∗ --------------------------------------------- Danabot is an information stealer known for targeting banking data on infected Windows hosts. According to Proofpoint, Danabot version 4 started appearing in the wild in October 2020. We recently discovered a Danabot sample during an infection kicked off by an email attachment sent on Thursday 2021-08-12. Today's diary reviews this Danabot infection. --------------------------------------------- https://isc.sans.edu/diary/rss/27744 ∗∗∗ Using AI to Scale Spear Phishing ∗∗∗ --------------------------------------------- The problem with spear phishing it that it takes time and creativity to create individualized enticing phishing emails. Researchers are using GPT-3 to attempt to solve that problem: The researchers used OpenAI's GPT-3 platform in conjunction with other AI-as-a-service products focused on personality analysis to generate phishing emails tailored to their colleagues' backgrounds and traits. --------------------------------------------- https://www.schneier.com/blog/archives/2021/08/using-ai-to-scale-spear-phis… ∗∗∗ Phishing campaign goes old school, dusts off Morse code ∗∗∗ --------------------------------------------- Sometimes new technology just doesnt get the job done. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/08/phishing-campaign-goes-old-sc… ∗∗∗ Examining threats to device security in the hybrid workplace ∗∗∗ --------------------------------------------- As employees split their time between office and off-site work, there's a greater potential for company devices and data to fall into the wrong hands --------------------------------------------- https://www.welivesecurity.com/2021/08/12/examining-threats-device-security… ∗∗∗ Hackers tried to exploit two zero-days in Trend Micro's Apex One EDR platform ∗∗∗ --------------------------------------------- Cyber-security firm Trend Micro said hackers tried to exploit two zero-day vulnerabilities in its Apex One EDR platform in an attempt to go after its customers in attacks that took place earlier this year. --------------------------------------------- https://therecord.media/hackers-tried-to-exploit-two-zero-days-in-trend-mic… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005 ∗∗∗ --------------------------------------------- The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. --------------------------------------------- https://www.drupal.org/sa-core-2021-005 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (commons-io, curl, and firefox-esr), Fedora (perl-Encode), openSUSE (golang-github-prometheus-prometheus, grafana, and python-reportlab), Oracle (.NET Core 2.1, 389-ds:1.4, cloud-init, go-toolset:ol8, nodejs:12, nodejs:14, and rust-toolset:ol8), SUSE (aspell, firefox, kernel, and rpm), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial and postgresql-10, postgresql-12, postgresql-13). --------------------------------------------- https://lwn.net/Articles/866185/ ∗∗∗ Cognex In-Sight OPC Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Deserialization of Untrusted Data vulnerability in Cognex In-Sight OPC Server industrial software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-224-01 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Write, Access of Uninitialized Pointer, and Out-of-bounds Read vulnerabilities in Horner Automation Cscape control system application programming software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-224-02 ∗∗∗ Sensormatic Electronics C-CURE 9000 (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-182-02 Sensormatic Electronics C-CURE 9000 that was published July 1, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Improper Input Validation vulnerability in Sensormatic Electronics C-CURE 9000 industrial software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02 ∗∗∗ Security Bulletin: De-serialization Vulnerability Affects IBM Partner Engagement Manager (CVE-2021-29781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-de-serialization-vulnerab… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to possible information disclosure in a multi-domain deployment. (CVE-2021-29880) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in self-service console affects IBM Cloud Pak System (CVE-2021-20478) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-self-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.08.2021
by Daily end-of-shift report 12 Aug '21

12 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-08-2021 18:00 − Donnerstag 12-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ PrintNightmare: Schon wieder eine Drucker-Lücke in Windows ohne Patch ∗∗∗ --------------------------------------------- Microsoft kriegt seine Druckerverwaltung offensichtlich nicht in den Griff, Angreifer könnten sich erneut System-Rechte verschaffen. --------------------------------------------- https://heise.de/-6163743 ∗∗∗ Accenture Opfer der Lockbit Ransomware ∗∗∗ --------------------------------------------- Das IT-Beratungsunternehmen Accenture ist wohl Opfer eines Cyber-Angriffs mit der Lockbit-Ransomware geworden. Das Unternehmen hat den Angriff inzwischen eingestanden. Bei dem Ransomware-Befall scheinen auch Daten abgezogen worden zu sein. Hier einige Informationen, was inzwischen bekannt ist. --------------------------------------------- https://www.borncity.com/blog/2021/08/12/accenture-opfer-der-lockbit-ransom… ∗∗∗ QR Code Scammers Get Creative with Bitcoin ATMs ∗∗∗ --------------------------------------------- Threat actors are targeting everyone from job hunters to Bitcoin traders to college students wanting a break on their student loans, by exploiting the popular technologys trust relationship with users. --------------------------------------------- https://threatpost.com/qr-code-scammers-bitcoin-atms/168621/ ∗∗∗ 7 ways to harden your environment against compromise ∗∗∗ --------------------------------------------- Here at the global Microsoft Compromise Recovery Security Practice (CRSP), we work with customers who have experienced disruptive security incidents to restore trust in identity systems and remove adversary control. During 2020, the team responded to many incidents involving ransomware and the deployment of crypto-mining tools. --------------------------------------------- https://www.microsoft.com/security/blog/2021/08/11/7-ways-to-harden-your-en… ∗∗∗ Best Practices for Web Form Security ∗∗∗ --------------------------------------------- Web form security ⁠— the set of tools and practices intended to protect web forms from attacks and abuse ⁠— is one of the most critical aspects of overall website security. Web forms allow users to interact with your site and enable a lot of useful functionality. However, once a user can interact with your site to do something useful there is a new attack surface for a hacker to exploit. --------------------------------------------- https://blog.sucuri.net/2021/08/best-practices-for-web-form-security.html ∗∗∗ Experts Shed Light On New Russian Malware-as-a-Service Written in Rust ∗∗∗ --------------------------------------------- A nascent information-stealing malware sold and distributed on underground Russian underground forums has been written in Rust, signalling a new trend where threat actors are increasingly adopting exotic programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts. --------------------------------------------- https://thehackernews.com/2021/08/experts-shed-light-on-new-russian.html ∗∗∗ Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT ∗∗∗ --------------------------------------------- Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505s arsenal is ServHelper. --------------------------------------------- https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servh… ∗∗∗ Why No HTTPS? The 2021 Version ∗∗∗ --------------------------------------------- More than 3 years ago now, Scott Helme and I launched a little project called Why No HTTPS? It listed the worlds largest websites that didnt properly redirect insecure requests to secure ones. We updated it December before last and pleasingly, noted that more websites than [...] --------------------------------------------- https://www.troyhunt.com/why-no-https-the-2021-version/ ∗∗∗ August 2021 ICS Patch Tuesday: Siemens, Schneider Address Over 50 Flaws ∗∗∗ --------------------------------------------- Siemens and Schneider Electric on Tuesday released 18 security advisories addressing a total of more than 50 vulnerabilities affecting their products. The vendors have provided patches, mitigations, and general security recommendations for reducing the risk of attacks. --------------------------------------------- https://www.securityweek.com/august-2021-ics-patch-tuesday-siemens-schneide… ∗∗∗ IISerpent: Malware‑driven SEO fraud as a service ∗∗∗ --------------------------------------------- The last in our series on IIS threats introduces a malicious IIS extension used to manipulate page rankings for third-party websites --------------------------------------------- https://www.welivesecurity.com/2021/08/11/iiserpent-malware-driven-seo-frau… ∗∗∗ Affiliates Unlocked: Gangs Switch Between Different Ransomware Families ∗∗∗ --------------------------------------------- The demise of Sodinokibi has led to a surge in LockBit activity, while there’s evidence affiliates are using multiple ransomware families to achieve their goals. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ra… ∗∗∗ CobaltSpam tool can flood Cobalt Strike malware servers ∗∗∗ --------------------------------------------- A security researcher has published this week a tool to flood Cobalt Strike servers—often used by malware gangs—with fake beacons in order to corrupt their internal databases of infected systems. --------------------------------------------- https://therecord.media/cobaltspam-tool-can-flood-cobalt-strike-malware-ser… ===================== = Vulnerabilities = ===================== ∗∗∗ Intel schließt Sicherheitslücken in Laptops, Linux-Treibern & Co. ∗∗∗ --------------------------------------------- Angreifer könnten Intel-PCs attackieren und im schlimmsten Fall die volle Kontrolle über Computer erlangen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6163478 ∗∗∗ JavaScript-Framework: Next.js 11.1 behebt eine Open-Redirect-Sicherheitslücke ∗∗∗ --------------------------------------------- Das React-Framework Next.js erhält knapp zwei Monate nach der letzten Hauptversion ein Update auf Version 11.1, um mögliche Open Redirects zu verhindern. --------------------------------------------- https://heise.de/-6163575 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (firefox-esr, libspf2, and openjdk-11-jre-dcevm), Fedora (bluez, fetchmail, and prosody), Oracle (edk2, glib2, kernel, and libuv), Red Hat (.NET Core 3.1), SUSE (cpio), and Ubuntu (firefox and openssh). --------------------------------------------- https://lwn.net/Articles/866076/ ∗∗∗ Plone vulnerable to open redirect ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN50804280/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2021-20509) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/ ∗∗∗ TRUMPF Laser GmbH: multiple products prone to codesys runtime vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-033 ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0866 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2021
by Daily end-of-shift report 11 Aug '21

11 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-08-2021 18:00 − Mittwoch 11-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Kaseyas universal REvil decryption key leaked on a hacking forum ∗∗∗ --------------------------------------------- The universal decryption key for REvils attack on Kaseyas customers has been leaked on hacking forums allowing researchers their first glimpse of the mysterious key. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decr… ∗∗∗ New AdLoad malware variant slips through Apples XProtect defenses ∗∗∗ --------------------------------------------- A new AdLoad malware variant is slipping through Apples YARA signature-based XProtect built-in antivirus tech to infect Macs. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/new-adload-malware-variant-slip… ∗∗∗ TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike, (Wed, Aug 11th) ∗∗∗ --------------------------------------------- TA551 (also known as Shathak) represents a threat actor behind malspam that has pushed different families of malware over the past few years. --------------------------------------------- https://isc.sans.edu/diary/rss/27738 ∗∗∗ Das Conti-Leak: Bedienungsanleitung für Ransomware ∗∗∗ --------------------------------------------- In den Handbüchern für Affiliates beschreiben die Kriminellen minutiös, wie man ein Netz auskundschaftet, Zugang ausweitet und schließlich Daten verschlüsselt. --------------------------------------------- https://heise.de/-6160551 ∗∗∗ Anonym im Internet: Sicherheitsupdates für Tor Browser und Tails OS erschienen ∗∗∗ --------------------------------------------- Die Entwickler haben Komponenten von Tor Browser und Tails aktualisiert, um die Sicherheit aufrechtzuerhalten. --------------------------------------------- https://heise.de/-6161195 ∗∗∗ 5 Costly Mistakes in Cyber Incident Response Preparation ∗∗∗ --------------------------------------------- Even with the best preparation and retainers, incident response is rarely an inexpensive endeavor in terms of money, people, operational disruption, or time. --------------------------------------------- https://www.dragos.com/blog/industry-news/5-costly-mistakes-in-cyber-incide… ∗∗∗ Conducting Architecture Reviews in Light of the New TSA Directives ∗∗∗ --------------------------------------------- TSA, the sector-specific agency for pipelines, released its first directive to the pipeline industry on May 27th and followed up with a second directive on July 20th. --------------------------------------------- https://www.dragos.com/blog/industry-news/conducting-architecture-reviews-i… ∗∗∗ Why Are Ransomware Attacks Against OT Increasing? ∗∗∗ --------------------------------------------- Most discussions around cybersecurity understandably focus on information technology (IT). Assets like cloud services and data centers are typically what companies spend the most time and effort securing. Recently, though, operational technology (OT) has come under increasing scrutiny from leading security experts in both the private and public sectors. --------------------------------------------- https://www.tripwire.com/state-of-security/ics-security/why-are-ransomware-… ∗∗∗ Hacker kapern Instagram-Profil und erpressen Opfer ∗∗∗ --------------------------------------------- BetrügerInnen haben es auf Instagram-Accounts mit vielen FollowerInnen abgesehen: Sie hacken deren Konten und verlangen anschließend Lösegeld. Wird nicht bezahlt, drohen die Hacker, das Profil zu löschen. --------------------------------------------- https://www.watchlist-internet.at/news/hacker-kapern-instagram-profil-und-e… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#608209: NicheStack embedded TCP/IP has vulnerabilities ∗∗∗ --------------------------------------------- HCC Embeddeds software called InterNiche stack (NicheStack) and NicheLite, which provides TCP/IP networking capability to embedded systems, is impacted by multiple vulnerabilities. --------------------------------------------- https://kb.cert.org/vuls/id/608209 ∗∗∗ Patchday: Microsoft meldet abermals Attacken auf Windows ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für unter anderem kritische Lücken in Azure, Edge und verschiedenen Windows-Versionen. --------------------------------------------- https://heise.de/-6160526 ∗∗∗ Free Micropatches for "PetitPotam" (CVE-2021-36942) ∗∗∗ --------------------------------------------- Update 8/11/2021-B: Neither Microsofts August fix nor our micropatch seem to have covered all PetitPotam affected code. Both fixed the anonymous attack vector but we're investigating additional authenticated paths now and looking for the best way to patch that too. --------------------------------------------- https://blog.0patch.com/2021/08/free-micropatches-for-petitpotam.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ceph), Fedora (buildah, containernetworking-plugins, and podman), openSUSE (chromium, kernel, php7, python-CairoSVG, python-Pillow, seamonkey, and transfig), Red Hat (microcode_ctl), SUSE (kernel and libcares2), and Ubuntu (c-ares). --------------------------------------------- https://lwn.net/Articles/865978/ ∗∗∗ Intel Releases Multiple Security Updates ∗∗∗ --------------------------------------------- Intel has released security updates to address vulnerabilities multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/10/intel-releases-mu… ∗∗∗ iTunes 12.11.4 for Windows ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212609 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2021-20427) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenLDAP vulnerability (CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-disconnected-log-coll… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager DR ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Reliance on Untrusted Inputs in Security Descision ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Weak Password Policy vulnerability (CVE-2021-20418) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (V2.103.000.051) and Modules ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-ident… ∗∗∗ VMSA-2021-0016 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0016.html ∗∗∗ AMD Prozessoren: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0852 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2021
by Daily end-of-shift report 10 Aug '21

10 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 09-08-2021 18:00 − Dienstag 10-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ eCh0raix ransomware now targets both QNAP and Synology NAS devices ∗∗∗ --------------------------------------------- A newly discovered eCh0raix ransomware variant has added support for encrypting both QNAP and Synology Network-Attached Storage (NAS) devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ech0raix-ransomware-now-targ… ∗∗∗ Team Cymru’s Threat Hunting Maturity Model Explained ∗∗∗ --------------------------------------------- In this four part series we’ll be looking at Team Cymru’s Threat Hunting Maturity Model. --------------------------------------------- https://team-cymru.com/blog/2021/08/09/team-cymrus-threat-hunting-maturity-… ∗∗∗ Chaos Malware Walks Line Between Ransomware and Wiper ∗∗∗ --------------------------------------------- The dangerous malware has been rapidly developed since June and could be released into the wild soon. --------------------------------------------- https://threatpost.com/chaos-malware-ransomware-wiper/168520/ ∗∗∗ Vulnerability Management Resources ∗∗∗ --------------------------------------------- SANS Vulnerability Management Resources collected in one place for easy access. --------------------------------------------- https://www.sans.org/blog/vulnerability-management-resources ∗∗∗ XLSM Malware with MacroSheets ∗∗∗ --------------------------------------------- Excel-based malware has been around for decades and has been in the limelight in recent years. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/xlsm-malware-with-macr… ∗∗∗ Gefälschtes E-Mail der Post im Umlauf ∗∗∗ --------------------------------------------- Sie warten auf ein Paket? Dann nehmen Sie sich vor gefälschten Benachrichtigungen der Post in Acht. BetrügerInnen behaupten in einer E-Mail, dass Ihr Paket nicht zugestellt werden konnte und Sie über einen Link einen weiteren Zustellversuch anfordern müssen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-e-mail-der-post-im-umla… ===================== = Vulnerabilities = ===================== ∗∗∗ Root-Lücke in VPN-Lösung Pulse Connect Secure als Schadcode-Schlupfloch ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdates schließt Schwachstellen in der Fernzugriff-Software Pulse Connect Secure. --------------------------------------------- https://heise.de/-6159492 ∗∗∗ Firefox und Firefox ESR gegen verschiedene Attacken abgesichert ∗∗∗ --------------------------------------------- Mozilla hat mehrere Sicherheitslücken in seinem Webbrowser Firefox geschlossen. --------------------------------------------- https://heise.de/-6160037 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (flatpak and microcode_ctl), Debian (c-ares, lynx, openjdk-8, and tomcat9), Fedora (kernel), openSUSE (apache-commons-compress, aria2, djvulibre, fastjar, kernel, libvirt, linuxptp, mysql-connector-java, nodejs8, virtualbox, webkit2gtk3, and wireshark), Oracle (kernel, kernel-container, and microcode_ctl), Red Hat (glib2, kernel, kernel-rt, kpatch-patch, and rust-toolset-1.52 and rust-toolset-1.52-rust), Scientific Linux (microcode_ctl), [...] --------------------------------------------- https://lwn.net/Articles/865872/ ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple Adobe products. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/10/adobe-releases-se… ∗∗∗ WordPress Plugin "Quiz And Survey Master" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN65388002/ ∗∗∗ SSA-938030: DGN and PAR File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.2.0.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-938030.txt ∗∗∗ SSA-865327: Incorrect Authorization Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-865327.txt ∗∗∗ SSA-830194: Missing Authentication Vulnerability in S7-1200 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-830194.txt ∗∗∗ SSA-818688: Multiple Vulnerabilities in Solid Edge before SE2021MP7 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-818688.txt ∗∗∗ SSA-756744: OS Command Injection Vulnerability in SINEC NMS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-756744.txt ∗∗∗ SSA-679335: Multiple Vulnerabilities in Embedded FTP Server of SIMATIC NET CP Modules ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-679335.txt ∗∗∗ SSA-553445: DNS "Name:Wreck" Vulnerabilities in Multiple Siemens Energy AGT and SGT solutions ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-553445.txt ∗∗∗ SSA-365397: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.2.0.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-365397.txt ∗∗∗ SSA-309571: IPU 2021.1 Vulnerabilities in Siemens Industrial Products using Intel CPUs (June 2021) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-309571.txt ∗∗∗ SSA-158827: Denial-of-Service Vulnerability in Automation License Manager ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-158827.txt ∗∗∗ Security Bulletin: A vulnerability in glibc impacts IBM Watson™ Speech Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-glibc-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct File Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Planning Analytics Spreadsheet Services is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-sp… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Spring Framework vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in self-service console affects IBM Cloud Pak System (CVE-2021-20478) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-self-ser… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ XSA-357 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-357.html ∗∗∗ TYPO3 Core: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0842 ∗∗∗ SAP Patchday August 2021: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0847 ∗∗∗ Citrix ShareFile storage zones controller security update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX322787 ∗∗∗ XML External Entity Expansion in MobileTogether Server ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-002/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2021
by Daily end-of-shift report 09 Aug '21

09 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-08-2021 18:00 − Montag 09-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Verschlüsselung: Sicherheitsrisiko STARTTLS ∗∗∗ --------------------------------------------- Das STARTTLS-Verfahren hat zahlreiche Sicherheitsrisiken. Überall, wo es möglich ist, hat die direkte Nutzung von TLS nur Vorteile. --------------------------------------------- https://www.golem.de/news/verschluesselung-sicherheitsrisiko-starttls-2108-… ∗∗∗ Black Hat: DNS-as-a-Service könnte Netzwerkinfrastruktur verraten ∗∗∗ --------------------------------------------- Durch einen Trick konnten Sicherheitsforscher Informationen über die Netzwerkinfrastruktur der Kunden eines DNS-as-a-Service-Anbieters erlangen. --------------------------------------------- https://heise.de/-6157720 ∗∗∗ Exchange ProxyShell-Lücke: Scans suchen nach verwundbaren Servern ∗∗∗ --------------------------------------------- Mehrere tausend Server sind allein in Deutschland für die neue Exchange-Lücke anfällig. Dabei gibt es längst Patches von Microsoft. --------------------------------------------- https://heise.de/-6158946 ∗∗∗ Die Anatomie nativer IIS‑Malware ∗∗∗ --------------------------------------------- ESET-Forscher veröffentlichen ein Whitepaper, das Bedrohungen durch IIS-Webserver genau unter die Lupe nimmt --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/08/06/die-anatomie-nativer-iis-… ∗∗∗ IQ-Test auf offiziell-qi-test.com führt in die Abo-Falle! ∗∗∗ --------------------------------------------- Mit nur 30 Fragen kann man einen zertifizierten IQ-Test durchführen, heißt es auf der Webseite offiziell-qi-test.com. Erst nachdem der Test durchgeführt wurde, wird man erstmals auf Kosten hingewiesen: Um das Ergebnis zu sehen soll man 3,90 Euro zahlen. Doch Achtung: Im Kleingedruckten finden sich weitere Kosten und eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/iq-test-auf-offiziell-qi-testcom-fue… ∗∗∗ Cisco: Firewall manager RCE bug is a zero-day, patch incoming ∗∗∗ --------------------------------------------- In a Thursday security advisory update, Cisco revealed that a remote code execution (RCE) vulnerability in the Adaptive Security Device Manager (ADSM) Launcher disclosed last month is a zero-day bug that has yet to receive a security update. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-firewall-manager-rce-b… ∗∗∗ Synology warns of malware infecting NAS devices with ransomware ∗∗∗ --------------------------------------------- Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-in… ∗∗∗ SQL Injection in WordPress Plugins: ORDER and ORDER BY as Overlooked Injection Points ∗∗∗ --------------------------------------------- Trustwave SpiderLabs recently undertook a survey of some 100 popular WordPress plugins for possible SQL Injection vulnerabilities. Some good news is that in the vast majority, no such vulnerabilities were identified. Most plugins were found to be using either prepared statements or suitable sanitization when incorporating user-controlled data in a query. Of the five vulnerable plugins identified, some patterns emerged, [...] --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/sql-injecti… ∗∗∗ Beware! New Android Malware Hacks Thousands of Facebook Accounts ∗∗∗ --------------------------------------------- A new Android trojan has been found to compromise Facebook accounts of over 10,000 users in at least 144 countries since March 2021 via fraudulent apps distributed through Google Play Store and other third-party app marketplaces. Dubbed "FlyTrap," the previously undocumented malware is believed to be part of a family of trojans that employ social engineering tricks to breach Facebook accounts [...] --------------------------------------------- https://thehackernews.com/2021/08/beware-new-android-malware-hacks.html ∗∗∗ Phishing Sites Targeting Scammers and Thieves ∗∗∗ --------------------------------------------- I was preparing to knock off work on a recent Friday evening when a curious and annoying email came in via the contact form on this site: “Hello I go by the username Nuclear27 on your site Briansclub[.]com,” wrote “Mitch,” confusing me with the proprietor of perhaps the underground’s largest bazaar for stolen credit and identity data. “I made a deposit to my wallet on the site but nothing has shown up yet and I would like to know why.” --------------------------------------------- https://krebsonsecurity.com/2021/08/phishing-sites-targeting-scammers-and-t… ∗∗∗ Routers and modems running Arcadyan firmware are under attack ∗∗∗ --------------------------------------------- Routers and modems running a version of the Arcadyan firmware, including devices from ASUS, Orange, Vodafone, and Verizon, are currently under attack from a threat actor attempting to ensnare the devices into their DDoS botnet. --------------------------------------------- https://therecord.media/routers-and-modems-running-arcadyan-firmware-are-un… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-951: (0Day) Delta Industrial Automation DOPSoft XLS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation DOPSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-951/ ∗∗∗ Sicherheitsrelevanter Bug in net-Bibliothek von Go und Rust ∗∗∗ --------------------------------------------- Die Bibliothek net in Go und Rust verhält sich nicht standardkonform und verschluckt führende Nullen. Angreifer könnten so falsche IP-Adressen einschleusen. --------------------------------------------- https://heise.de/-6157969 ∗∗∗ Exchange Server jetzt patchen: Angreifer suchen aktiv nach neuer Lücke ∗∗∗ --------------------------------------------- Admins sollten ihre Exchange Server zügig aktualisieren. Nachdem Forscher einen neuen Angriff vorgestellt haben, probieren Angreifer ihn offenbar gezielt aus. --------------------------------------------- https://heise.de/-6158190 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible and bluez), Fedora (curl, kernel, mod_auth_openidc, rust-rav1e, and webkit2gtk3), Mageia (kernel and kernel-linus), openSUSE (php7 and python-reportlab), Oracle (ruby:2.7), Red Hat (microcode_ctl), SUSE (fastjar, kvm, mariadb, php7, php72, php74, and python-Pillow), and Ubuntu (docker.io). --------------------------------------------- https://lwn.net/Articles/865680/ ∗∗∗ Apple fixes AWDL bug that could be used to escape air-gapped networks ∗∗∗ --------------------------------------------- Apple has fixed a vulnerability in its Apple Wireless Direct Link (AWDL) technology that could have been abused by threat actors to escape and steal data from air-gapped networks. --------------------------------------------- https://therecord.media/apple-fixed-awdl-bug-that-could-be-used-to-escape-a… ∗∗∗ Apache Tomcat vulnerability CVE-2021-33037 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32469285 ∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2020-1968 vulnerability in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-1968-vulnerabili… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Platform Software ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: ICN Is Vulnerable to Improper Input Validation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-icn-is-vulnerable-to-impr… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: openSSL and Apache Hadoop vulnerability impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client, Aspera On Demand (CVE-2020-1971, CVE-2020-9492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-and-apache-hadoop… ∗∗∗ Security Bulletin: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-aff… ∗∗∗ Security Bulletin: Stack overflow via TIS_CODESET environment variable in IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-stack-overflow-via-tis_co… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.08.2021
by Daily end-of-shift report 06 Aug '21

06 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-08-2021 18:00 − Freitag 06-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Linux version of BlackMatter ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The BlackMatter gang has joined the ranks of ransomware operations to develop a Linux encryptor that targets VMwares ESXi virtual machine platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter… ∗∗∗ Lockbit 2.0: Ransomware will Firmen-Insider rekrutieren ∗∗∗ --------------------------------------------- Die Ransomware-Gruppe Lockbit sucht auf ungewöhnliche Weise nach Insidern, die ihr Zugangsdaten übermitteln sollen. --------------------------------------------- https://www.golem.de/news/lockbit-2-0-ransomware-will-firmen-insider-rekrut… ∗∗∗ Malicious Microsoft Word Remains A Key Infection Vector, (Fri, Aug 6th) ∗∗∗ --------------------------------------------- Despite Microsoft's attempts to make its Office suite more secure and disable many automatic features, despite the fact that users are warned that suspicious documents should not be opened, malicious Word documents remain a key infection vector today. --------------------------------------------- https://isc.sans.edu/diary/rss/27716 ∗∗∗ Using “Master Faces” to Bypass Face-Recognition Authenticating Systems ∗∗∗ --------------------------------------------- A master face is a face image that passes face-based identity-authentication for a large portion of the population. These faces can be used to impersonate, with a high probability of success, any user, without having access to any user-information. --------------------------------------------- https://www.schneier.com/blog/archives/2021/08/using-master-faces-to-bypass… ∗∗∗ EU officials investigating breach of Cybersecurity Atlas project ∗∗∗ --------------------------------------------- The European Commission is investigating a breach of its Cybersecurity Atlas project after a copy of the site’s backend database was put up for sale on an underground cybercrime forum on Monday. --------------------------------------------- https://therecord.media/eu-officials-investigating-breach-of-cybersecurity-… ∗∗∗ Security-Oscars: And the Pwnie goes to … ∗∗∗ --------------------------------------------- Der Pandemie zum Trotz hat die Pwnie-Jury auch in diesem Jahr die Security-Oscars verliehen – und natürlich auch "Goldene Himbeeren". --------------------------------------------- https://heise.de/-6157581 ∗∗∗ What is Tor? ∗∗∗ --------------------------------------------- We give a brief overview of Tor, the secure communications tool. We explain what it is, how you can use it, and some of the potential drawbacks. --------------------------------------------- https://blog.malwarebytes.com/privacy-2/2021/08/what-is-tor/ ∗∗∗ Black Hat: How cybersecurity incidents can become a legal minefield ∗∗∗ --------------------------------------------- Facing a cyberattack? Pick up the phone and talk to legal help as well as incident response. --------------------------------------------- https://www.zdnet.com/article/black-hat-how-cybersecurity-can-be-a-legal-mi… ∗∗∗ Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals ∗∗∗ --------------------------------------------- A disgruntled member of the Conti ransomware program has leaked today the manuals and technical guides used by the Conti gang to train affiliate members on how to access, move laterally, and escalate access inside a hacked company and then exfiltrate its data before encrypting files. --------------------------------------------- https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-ga… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#357312: HTTP Request Smuggling in Web Proxies ∗∗∗ --------------------------------------------- HTTP web proxies and web accelerators that support HTTP/2 for an HTTP/1.1 backend webserver are vulnerable to HTTP Request Smuggling. --------------------------------------------- https://kb.cert.org/vuls/id/357312 ∗∗∗ Kindle: Mit Schadcode infizierte E-Books konnten Amazon-Account kapern ∗∗∗ --------------------------------------------- Mit infizierten E-Books konnten Sicherheitsforscher Kindle-Reader und sogar Amazon-Konten übernehmen. Amazon hat die Lücke mittlerweile geschlossen. --------------------------------------------- https://heise.de/-6157512 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tomcat8), Mageia (bluez, exiv2, fetchmail, libsndfile, nodejs, php-pear, python-pillow, and rabbitmq-server), openSUSE (apache-commons-compress, balsa, djvulibre, mariadb, mysql-connector-java, nodejs8, opera, and spice-vdagent), Red Hat (ruby:2.7), SUSE (apache-commons-compress, djvulibre, java-11-openjdk, libsndfile, mariadb, nodejs8, and spice-vdagent), and Ubuntu (docker.io). --------------------------------------------- https://lwn.net/Articles/865465/ ∗∗∗ Black Hat: BadAlloc bugs expose millions of IoT devices to hijack ∗∗∗ --------------------------------------------- BadAlloc vulnerabilities impact millions of devices worldwide. --------------------------------------------- https://www.zdnet.com/article/black-hat-badalloc-bugs-expose-millions-of-io… ∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Free Micropatches for "PetitPotam" ∗∗∗ --------------------------------------------- https://blog.0patch.com/2021/08/free-micropatches-for-petitpotam.html ∗∗∗ HCC Embedded InterNiche TCP/IP stack, NicheLite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-01 ∗∗∗ FATEK Automation FvDesigner ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-02 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-03 ∗∗∗ Advantech WebAccess SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-04 ∗∗∗ CISA Releases Security Advisory for InterNiche Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/05/cisa-releases-sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.08.2021
by Daily end-of-shift report 05 Aug '21

05 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-08-2021 18:00 − Donnerstag 05-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware: Unternehmen beklagen immense Schäden durch Cyberangriffe ∗∗∗ --------------------------------------------- Die Angriffe mit Ransomware nehmen massiv zu, zeigt nun auch der Bitkom-Verband. Auch das Homeoffice wird sicherheitskritisch. --------------------------------------------- https://www.golem.de/news/ransomware-unternehmen-beklagen-immense-schaeden-… ∗∗∗ Cisco beseitigt kritische Schwachstellen aus Small Business-Routern der RV-Serie ∗∗∗ --------------------------------------------- Jetzt updaten: Remote Code Execution und Denial-of-Service wären mögliche Angriffskonsequenzen. Auch für weitere Cisco-Produkte sind wichtige Updates verfügbar. --------------------------------------------- https://heise.de/-6155856 ∗∗∗ Sicherheitsforscher entdecken Schwachstellen in Industriekontrollsystemen von Mitsubishi ∗∗∗ --------------------------------------------- Die Patches sind bereits in Arbeit, aber noch nicht erhältlich. Grund dafür ist ein aufwändiges Zertifizierungsverfahren. Möglicherweise sind auch Produkte anderer Hersteller betroffen. --------------------------------------------- https://www.zdnet.de/88396132/sicherheitsforscher-entdecken-schwachstellen-… ∗∗∗ Black Hat USA 2021: Security Advisories – mehr Durchblick dank Automatisierung ∗∗∗ --------------------------------------------- Uneinheitliche Advisory-Formate kosten wertvolle Zeit. Und wie beschreibt man eigentlich eine "Nicht-Verwundbarkeit"? CSAF und VEX sollen Abhilfe schaffen. --------------------------------------------- https://heise.de/-6155594 ∗∗∗ Microsoft Teams korrekt absichern ∗∗∗ --------------------------------------------- Microsoft Teams ist beliebt, gerät aber immer stärker ins Visier von Hackern. Wie Sie den Schutz der Kollaborations-Software am besten bewerkstelligen, schildert Bert Skorupski, Senior Manager Sales Engineering bei Quest Software, im ersten Teil eines zweiteiligen Gastbeitrages. --------------------------------------------- https://www.zdnet.de/88396112/microsoft-teams-korrekt-absichern/ ∗∗∗ Vorsicht vor mykundenservice.com: Hohe Telefonrechnung droht! ∗∗∗ --------------------------------------------- Während die meisten Unternehmen Kontakttelefonnummern offen kommunizieren, tun dies andere nicht. Da wäre eine Sammlung von Kontaktnummern durchaus hilfreich. Auf mykundenservice.com verspricht man zwar eine solche Sammlung, doch eigentlich lockt man zum Anruf einer 0900-Nummer. Achtung: Hier entstehen hohe Kosten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-mykundenservicecom-hohe… ∗∗∗ How to Protect against EMOTET - "The World’s Most Dangerous Malware" ∗∗∗ --------------------------------------------- In the summer of 2020, malware infections were on a clear rise. Many new variants were appearing, and enterprises, government agencies, business leaders, and public officials were all voicing concern. Yet, seven years after it was first discovered, the spread of the EMOTET malware was arguably most concerning of all. --------------------------------------------- https://www.beyondtrust.com/blog/entry/how-to-protect-against-emotet-the-wo… ∗∗∗ Windows admins now can block external devices via layered Group Policy ∗∗∗ --------------------------------------------- Microsoft has added support for layered Group Policies, which allow IT admins to control what internal or external devices users can be installed on corporate endpoints across their organizations network. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-admins-now-can-bloc… ∗∗∗ MacOS Flaw in Telegram Retrieves Deleted Messages ∗∗∗ --------------------------------------------- Telegram declined to fix a scenario in which the flaw can be exploited, spurring a Trustwave researcher to decline a bug bounty and to disclose his findings instead. --------------------------------------------- https://threatpost.com/macos-flaw-in-telegram-retrieves-deleted-messages/16… ∗∗∗ Examining Unique Magento Backdoors ∗∗∗ --------------------------------------------- During a recent investigation into a compromised Magento ecommerce environment, we discovered the presence of five different backdoors that would provide attackers with code execution capabilities. The techniques used by the attackers in these backdoors illustrates the ever-changing landscape of website security and highlights some of the tactics used to avoid traditional backdoor detection. --------------------------------------------- https://blog.sucuri.net/2021/08/examining-unique-magento-backdoors.html ∗∗∗ Microsoft Patched the Issue With Windows Containers That Enabled Siloscape ∗∗∗ --------------------------------------------- Microsoft recently added additional security checks that address the Windows container escape that enabled Siloscape. --------------------------------------------- https://unit42.paloaltonetworks.com/windows-container-escape-patch/ ∗∗∗ Meet Prometheus, the secret TDS behind some of today’s malware campaigns ∗∗∗ --------------------------------------------- A recently discovered cybercrime service is helping malware gangs distribute their malicious payloads to unsuspecting users using a network of hacked websites. --------------------------------------------- https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-today… ∗∗∗ Pegasus Spyware: How It Works and What It Collects ∗∗∗ --------------------------------------------- An NSO document leaked to the internet reveals how the Pegasus spyware - sold to intelligence and law enforcement agencies around the world - can be used to spy on targeted mobile phones. --------------------------------------------- https://zetter.substack.com/p/pegasus-spyware-how-it-works-and ∗∗∗ From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrator ∗∗∗ --------------------------------------------- Knock knock, who’s there? Your new DA! Several vulnerabilities that have been recently disclosed, namely: MS-EFSRPC – AKA PetitPotam Credential Relaying abusing the AD CS role Any attacker with internal network access, such as a phished client or a malicious planted device in the network, can take over the entire Active Directory domain without any [...] --------------------------------------------- https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2021-08-04 ∗∗∗ --------------------------------------------- 1 critical, 4 high, 2 medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ SA44858 - 9.1R12 Security Fixes ∗∗∗ --------------------------------------------- [...] Fixes for all the CVEs listed above have been included in the latest version of PCS, 9.1R12, which was released on 2 August 2021. We strongly encourage you to upgrade to ensure your organization is protected. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858 ∗∗∗ VMSA-2021-0016 ∗∗∗ --------------------------------------------- VMware Workspace One Access, Identity Manager and vRealize Automation address multiple vulnerabilities (CVE-2021-22002, CVE-2021-22003) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0016.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9 and openexr), openSUSE (mariadb and virtualbox), Red Hat (go-toolset-1.15 and go-toolset-1.15-golang), SUSE (djvulibre and mariadb), and Ubuntu (opencryptoki). --------------------------------------------- https://lwn.net/Articles/865306/ ∗∗∗ Amazon and Google patch major bug in their DNS-as-a-Service platforms ∗∗∗ --------------------------------------------- At the Black Hat security conference today, two security researchers have disclosed a security issue impacting hosted DNS service providers that can be abused to hijack the platforms nodes, intercept some of the incoming DNS traffic, and then map customers internal networks. --------------------------------------------- https://therecord.media/amazon-and-google-patch-major-bug-in-their-dns-as-a… ∗∗∗ IBM Security Bulletins 2021-08-04 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ BIG-IP LTM HTTP/2 desync attacks: malicious CRLF placement security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97045220 ∗∗∗ BIG-IP LTM HTTP/2 desync attacks: request line injection ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63312282 ∗∗∗ ffmpeg: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0832 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0835 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2021
by Daily end-of-shift report 04 Aug '21

04 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-08-2021 18:00 − Mittwoch 04-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Cobalt Strike bugs allow takedown of attackers’ servers ∗∗∗ --------------------------------------------- Security researchers have discovered Cobalt Strike denial of service (DoS) vulnerabilities that allow blocking beacon command-and-control (C2) communication channels and new deployments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cobalt-strike-bugs-allow… ∗∗∗ Phishing Campaign Dangles SharePoint File-Shares ∗∗∗ --------------------------------------------- Attackers spoof sender addresses to appear legitimate in a crafty campaign that can slip past numerous detections, Microsoft researchers have discovered. --------------------------------------------- https://threatpost.com/phishing-sharepoint-file-shares/168356/ ∗∗∗ Three Problems with Two Factor Authentication, (Tue, Aug 3rd) ∗∗∗ --------------------------------------------- Usability remains a challenge for two-factor authentication. I recently came across a review of a healthcare-related mobile app, and a one-star review complained about how unusable the application is due to its two-factor requirement. --------------------------------------------- https://isc.sans.edu/diary/rss/27704 ∗∗∗ Pivoting and Hunting for Shenanigans from a Reported Phishing Domain, (Wed, Aug 4th) ∗∗∗ --------------------------------------------- I was alerted to a web page masquerading as a local financial institution earlier in the day. The phishing web page was constructed well, looked extremely similar to the financial institutions actual page and had input fields for victims to input their credentials. --------------------------------------------- https://isc.sans.edu/diary/rss/27710 ∗∗∗ SAML is insecure by design ∗∗∗ --------------------------------------------- SAML uses signatures based on computed values. The practice is inherently insecure and thus SAML as a design is insecure. --------------------------------------------- https://joonas.fi/2021/08/saml-is-insecure-by-design/ ∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in tinyobjloader ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a use-after-free vulnerability in a specific function of tinyobjloader. --------------------------------------------- https://blog.talosintelligence.com/2021/08/vuln-spotlight-.html ∗∗∗ Value of PLC Key Switch Monitoring to Keep Critical Systems More Secure ∗∗∗ --------------------------------------------- Programmable Logic Controllers (PLC) and Safety Instrumented Systems (SIS) Controllers have historically included an external switch, generally in the form of a key, to perform maintenance and troubleshooting. --------------------------------------------- https://www.dragos.com/blog/industry-news/value-of-plc-key-switch-monitorin… ∗∗∗ OpSec Leaky Images ∗∗∗ --------------------------------------------- Hackers love your marketing department. Fact! Your marketing department love telling the world what happens in your company, then they attach images to the posts, often of staff at work. --------------------------------------------- https://www.pentestpartners.com/security-blog/opsec-leaky-images/ ∗∗∗ Achtung Scheckbetrug: Restaurant-BesitzerInnen erhalten betrügerische Reservierungsanfragen! ∗∗∗ --------------------------------------------- BetrügerInnen versuchen mit vermeintlichen Reservierungen an das Geld von Restaurant-BesitzerInnen zu kommen: Wenn ein vermeintlicher Gast aus dem Ausland für eine größere Gruppe reservieren und das Geld vorab per Scheck bezahlen will, gilt es vorsichtig zu sein. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-scheckbetrug-restaurant-besi… ∗∗∗ IntelMQ 3.0 - Configuration, Domain based workflow, IEPs ∗∗∗ --------------------------------------------- We are happy to announce the completion of the IntelMQ 3.0 milestone. --------------------------------------------- https://cert.at/en/blog/2021/8/intelmq-30-domain-based-workflow-ieps ∗∗∗ Shodan Verified Vulns 2021-08-01 ∗∗∗ --------------------------------------------- Schwachstellen machen leider keine Pause im Sommer und entsprechend haben wir auch diesen Monat wieder einen Blick auf jene geworfen, die Shodan in Österreich sieht. --------------------------------------------- https://cert.at/de/aktuelles/2021/8/shodan-verified-vulns-2021-08-01 ===================== = Vulnerabilities = ===================== ∗∗∗ INFRA:HALT: Neue Schwachstellen im TCP/IP-Stack von Industriegeräten entdeckt ∗∗∗ --------------------------------------------- Das Forscherteam um "Amnesia:33", "Number:Jack" und Co. hat weitere Schwachstellen gefunden – diesmal im "NicheStack" für den Bereich Operational Technology. --------------------------------------------- https://heise.de/-6154631 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, libpam-tacplus, and wordpress), Fedora (buildah and podman), openSUSE (thunderbird and webkit2gtk3), Oracle (kernel and varnish:6), SUSE (kernel, kvm, and webkit2gtk3), and Ubuntu (libdbi-perl and php-pear). --------------------------------------------- https://lwn.net/Articles/865192/ ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could allow a remote attacker to execute arbitrary code due to CVE-2021-33195 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons IO may affect Cúram Social Program Management (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: Vulnerability in Dojo may affect Cúram Social Program Management (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-may… ∗∗∗ Security Bulletin: IBM API Connect is impacted by reflected cross site scripting (CVE-2020-4707) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ PHOENIX CONTACT : Products utilizing WIBU SYSTEMS CodeMeter components in versions prior to V7.21a ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-036 ∗∗∗ PHOENIX CONTACT : DoS for PLCnext Control devices in versions prior to 2021.0.5 LTS ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-029 ∗∗∗ Dell integrated Dell Remote Access Controller: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0830 ∗∗∗ Cross Site Request Forgery (CSRF) vulnerability in Bosch IP cameras ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-033305-bt.html ∗∗∗ SYSS-2021-042: Tiny Java Web Server and Servlet Container (TJWS) – Reflected Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-042-tiny-java-web-server-and-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2021
by Daily end-of-shift report 03 Aug '21

03 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 02-08-2021 18:00 − Dienstag 03-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Supply-Chain-Angriffe: EU-Behörde empfiehlt Code-Checks für Abhängigkeiten ∗∗∗ --------------------------------------------- Als Reaktion auf Angriffe wie bei Solarwinds hat die zuständige EU-Behörde einen einfachen Rat. Doch entsprechende Maßnahmen kann offenbar nicht mal Microsoft umsetzen. --------------------------------------------- https://www.golem.de/news/supply-chain-angriffe-eu-behoerde-empfiehlt-code-… ∗∗∗ Do You Trust Your Smart TV? ∗∗∗ --------------------------------------------- Did you ever stop to think that the office smart TV used for company presentations, Zoom meetings, and other work-related activities may not be so trustworthy? --------------------------------------------- https://securityaffairs.co/wordpress/120752/iot/smart-tv-security.html ∗∗∗ Android-Patchday: Google bessert unter anderem beim Media Framework nach ∗∗∗ --------------------------------------------- Updates für das mobile Betriebssystem zielen wieder einmal auf das Media Framework, beseitigen aber etwa auch kritische Lücken aus Qualcomm-Komponenten. --------------------------------------------- https://heise.de/-6154130 ∗∗∗ RDP brute force attacks explained ∗∗∗ --------------------------------------------- A simple and straightforward explanation of what RDP brute force attacks are, why they are so dangerous, and what you can do about them. --------------------------------------------- https://blog.malwarebytes.com/explained/2021/08/rdp-brute-force-attacks-exp… ∗∗∗ Gefälschte A1-Rechnung führt zu Schadsoftware ∗∗∗ --------------------------------------------- Aktuell werden gefälschte A1-E-Mails mit dem Betreff "Rechnung vom 04.07.2021" versendet. Im E-Mail wird behauptet, dass eine Zahlung nicht bearbeitet werden konnte. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-a1-rechnung-fuehrt-zu-sc… ∗∗∗ Raccoon stealer-as-a-service will now try to grab your cryptocurrency ∗∗∗ --------------------------------------------- The malware has been upgraded to target even more financial information. --------------------------------------------- https://www.zdnet.com/article/raccoon-stealer-as-a-service-will-now-try-to-… ∗∗∗ CISA and NSA Release Kubernetes Hardening Guidance ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have released Kubernetes Hardening Guidance, a cybersecurity technical report detailing the complexities of securely managing Kubernetes—an open-source, container-orchestration system used to automate deploying, scaling, and managing containerized applications. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/02/cisa-and-nsa-rele… ∗∗∗ Positive Technologies: APT group targeting government agencies around the world detected in Russia for the first time ∗∗∗ --------------------------------------------- Positive Technologies Expert Security Center (PT ESC) revealed new attacks by APT31 and analyzed its new tool—a malicious software that allows criminals to control a victim’s computer or network by using remote access. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/positive-technologies-apt-group… ∗∗∗ PetitPotam-Angriffe auf Windows durch RPC-Filter blocken ∗∗∗ --------------------------------------------- Sicherheitsforscher haben kürzlich einen neuen Angriffsvektor namens PetitPotam offen gelegt. Mittels eines NTLM-Relay-Angriffs kann jeder Windows Domain Controller übernommen werden. --------------------------------------------- https://www.borncity.com/blog/2021/08/03/petitpotam-angriffe-auf-windows-du… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#405600: Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks ∗∗∗ --------------------------------------------- Microsoft Windows Active Directory Certificate Services (AD CS) by default can be used as a target for NTLM relay attacks, which can allow a domain-joined computer to take over the entire Active Directory. --------------------------------------------- https://kb.cert.org/vuls/id/405600 ∗∗∗ PwnedPiper: Rohrpostsysteme in US-Krankenhäusern über Firmware-Lücken angreifbar ∗∗∗ --------------------------------------------- Sicherheitslücken erlaubten Forschern die komplette Übernahme von "Translogic"-Rohrpostsystemen. Hersteller Swisslog Healthcare hat Updates veröffentlicht. --------------------------------------------- https://heise.de/-6153319 ∗∗∗ Chrome: Browser-Update für den Desktop schließt Sicherheitslücken ∗∗∗ --------------------------------------------- Für die Windows-, Linux- und macOS-Ausgaben des Chrome-Browsers ist ein Update mit insgesamt zehn Security-Fixes verfügbar. --------------------------------------------- https://heise.de/-6153994 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, nodejs, nodejs-lts-erbium, and nodejs-lts-fermium), Debian (pyxdg, shiro, and vlc), openSUSE (qemu), Oracle (lasso), Red Hat (glibc, lasso, rh-php73-php, rh-varnish6-varnish, and varnish:6), Scientific Linux (lasso), SUSE (dbus-1, lasso, python-Pillow, and qemu), and Ubuntu (exiv2, gnutls28, and qpdf). --------------------------------------------- https://lwn.net/Articles/865029/ ∗∗∗ Code Execution Flaw Found in Cisco Firepower Device Manager On-Box Software ∗∗∗ --------------------------------------------- Cisco has addressed a vulnerability in the Firepower Device Manager (FDM) On-Box software that could be exploited to gain code execution on vulnerable devices. --------------------------------------------- https://www.securityweek.com/code-execution-flaw-found-cisco-firepower-devi… ∗∗∗ Bypassing Authentication on Arcadyan Routers with CVE-2021–20090 and rooting some Buffalo ∗∗∗ --------------------------------------------- In the following sections we will look at how I took the Buffalo devices apart, did a not-so-great solder job, and used a shell offered up on UART to help find a couple of bugs that could let users bypass authentication to the web interface and enable a root BusyBox shell on telnet. --------------------------------------------- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-ro… ∗∗∗ Spyware-ähnliche Funktionen in China-App Bejing One Pass gefunden ∗∗∗ --------------------------------------------- Ausländische Firmen, die in China tätig sind, benötigen die App Beijing One Pass, um Zugang zu einer digitalen Plattform für die Verwaltung der staatlichen Leistungen für Arbeitnehmer zu erhalten. Nun haben Sicherheitsspezialisten in dieser App Spyware ähnliche Funktionen gefunden. --------------------------------------------- https://www.borncity.com/blog/2021/08/02/spyware-hnliche-funktionen-in-chin… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-20227) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: A vulnerabilty in encoding/unicode in the UTF-16 decoder has been found in x/text package before v0.3.3 for Go that could lead to an infinite loop and denial of service, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilty-in-encodin… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-20227) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: Vulnerability in ksh affects AIX (CVE-2021-29741) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ksh-affe… ∗∗∗ JSA11209 ∗∗∗ --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11209 ∗∗∗ Linux kernel vulnerability CVE-2021-33909 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K75133288?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2021
by Daily end-of-shift report 02 Aug '21

02 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-07-2021 18:00 − Montag 02-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Linux eBPF bug gets root privileges on Ubuntu - Exploit released ∗∗∗ --------------------------------------------- CVE-2021-3490. A security researcher released exploit code for a high-severity vulnerability in Linux kernel eBPF (Extended Berkeley Packet Filter) that can give an attacker increased privileges on Ubuntu machines. ... If properly exploited, a local attacker could get kernel privileges to run arbitrary code on the machine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-ebpf-bug-gets-root-pri… ∗∗∗ Remote print server gives anyone Windows admin privileges on a PC ∗∗∗ --------------------------------------------- A researcher has created a remote print server allowing any Windows user with limited privileges to gain complete control over a device simply by installing a print driver. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/remote-print-server-gives-a… ∗∗∗ New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits ∗∗∗ --------------------------------------------- A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services (IIS) servers to infiltrate their networks. --------------------------------------------- https://thehackernews.com/2021/08/new-apt-hacking-group-targets-microsoft.h… ∗∗∗ PwnedPiper threatens thousands of hospitals worldwide, patch your systems now ∗∗∗ --------------------------------------------- Nine critical vulnerabilities in a popular hospital pneumatic tube software could give attackers control of infrastructure and allow them to launch additional attacks that cripple healthcare operations. Discovered by researchers at security platform provider Armis and dubbed PwnedPiper, the vulnerabilities are in the Nexus Control Panel software used by Translogic pneumatic tube systems (PTS) built by Swisslog Healthcare. --------------------------------------------- https://www.techrepublic.com/article/pwnedpiper-threatens-thousands-of-hosp… ∗∗∗ Vultur: Android-Trojaner späht Login-Daten für Bankkonten und E-Wallets aus ∗∗∗ --------------------------------------------- Die fernsteuerbare Malware Vultur für Android-Smartphones nutzt Funktionen zur Bildschirmaufzeichnung, um sensible Informationen auf Handys zu stehlen. --------------------------------------------- https://heise.de/-6152250 ∗∗∗ Palo Alto Networks Discloses New Attack Surface Targeting Microsoft IIS and SQL Server at Black Hat Asia 2021 ∗∗∗ --------------------------------------------- The technique allows attackers to remotely attack IIS and SQL Server to gain SYSTEM privileges by using Microsoft Jet database engine vulnerabilities. ... In response to this research, Microsoft released a complex patch to mitigate this attack surface. However, the patch is turned off by default and most Jet vulnerabilities are still not patched. We highly recommend that our customers proactively turn on mitigation to disable remote tables access in the registry and stay cautious of these kinds of attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/iis-and-sql-server/ ∗∗∗ Decryptor released for Prometheus ransomware victims ∗∗∗ --------------------------------------------- Taiwanese security firm CyCraft has released a free application that can help victims of the Prometheus ransomware recover and decrypt some of their files. --------------------------------------------- https://therecord.media/decryptor-released-for-prometheus-ransomware-victim… ===================== = Vulnerabilities = ===================== ∗∗∗ Foxit PDF Reader und Editor: Updates beseitigen zahlreiche Schwachstellen ∗∗∗ --------------------------------------------- Für Foxits PDF-Software für Windows und macOS stehen Aktualisierungen bereit, die unter anderem vor Remote Code Execution-Angriffen schützen sollen. --------------------------------------------- https://heise.de/-6152683 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (389-ds-base, consul, containerd, geckodriver, powerdns, vivaldi, webkit2gtk, and wpewebkit), Debian (aspell, condor, libsndfile, linuxptp, and lrzip), and Fedora (bluez, buildah, java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk, kernel, kernel-tools, mbedtls, mingw-exiv2, mingw-python-pillow, mrxvt, python-pillow, python2-pillow, redis, and seamonkey). --------------------------------------------- https://lwn.net/Articles/864898/ ∗∗∗ MISP: Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MISP ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0823 ∗∗∗ Security Bulletin: October 2020 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-october-2020-patch-update… ∗∗∗ Security Bulletin: Apache Commons ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons/ ∗∗∗ Security Bulletin: Vulnerability in ksh affects AIX (CVE-2021-29741) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ksh-affe… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js lodash module ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Potential vulnerability with FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Cloud Pak for Security has several security vulnerabilities addressed in the latest version ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-ha… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: January 2021 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-january-2021-patch-update… ∗∗∗ Security Bulletin: Oct 2020 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oct-2020-patch-update-for… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple OpenSSL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Potential vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: October 2020 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-october-2020-patch-update… ∗∗∗ Security Bulletin: User Behavior Analytics application add on to IBM QRadar SIEM performs improper CSRF checking for some components ( CVE-2021-29757) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-user-behavior-analytics-a… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js lodash module ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by XML External Entity Injection vulnerability in WebSphere (CVE-2020-4949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager DR ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ Security Bulletin: Potential vulnerability in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager HA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2021
by Daily end-of-shift report 30 Jul '21

30 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-07-2021 18:00 − Freitag 30-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ [SANS ISC] Infected With a .reg File ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Infected With a .reg File“: Yesterday, I reported a piece of malware that uses archive.org to fetch its next stage. Today, I spotted another file that is also interesting: A Windows Registry file (with a “.reg” extension). Such files are text files created by exporting values [...] --------------------------------------------- https://blog.rootshell.be/2021/07/30/sans-isc-infected-with-a-reg-file/ ∗∗∗ The Life Cycle of a Breached Database ∗∗∗ --------------------------------------------- Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Heres a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database. --------------------------------------------- https://krebsonsecurity.com/2021/07/the-life-cycle-of-a-breached-database/ ∗∗∗ Threat Spotlight: Solarmarker ∗∗∗ --------------------------------------------- Cisco Talos has observed new activity from Solarmarker, a highly modular .NET-based information stealer and keylogger.A previous staging module, "d.m," used with this malware has been replaced by a new module dubbed "Mars." --------------------------------------------- https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html ∗∗∗ This Week in Security: Fail2RCE, TPM Sniffing, Fishy Leaks, and Decompiling ∗∗∗ --------------------------------------------- Fail2ban is a great tool for dynamically blocking IP addresses that show bad behavior, like making repeated login attempts. It was just announced that a vulnerability could allow an attacker [...] --------------------------------------------- https://hackaday.com/2021/07/30/this-week-in-security-fail2rce-tpm-sniffing… ∗∗∗ Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers ∗∗∗ --------------------------------------------- RiskIQs Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian heads of state held a summit wherein Russias aggressive cyber campaigns topped the list of President Bidens strategic concerns. Given this context, RiskIQ’s Team Atlas paid particular attention to APT around and after this summit, which took place on June 16. This report will be of particular interest to those tracking APT29 and targets and victims of WellMess/WellMail, who may benefit from the tactical intelligence provided below. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/apt29-bear-tracks/ ∗∗∗ NSA Releases Guidance on Securing Wireless Devices While in Public ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released an information sheet with guidance on securing wireless devices while in public for National Security System, Department of Defense, and Defense Industrial Base teleworkers, as well as the general public. This information sheet provides information on malicious techniques used by cyber actors to target wireless devices and ways to protect against it. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/30/nsa-releases-guid… ∗∗∗ Python team fixes bug that allowed takeover of PyPI repository ∗∗∗ --------------------------------------------- The Python security team has fixed today three vulnerabilities impacting the Python Package Index (PyPI), the official repository for Python libraries, including one that could have allowed a threat actor to take full control over the portal. --------------------------------------------- https://therecord.media/python-team-fixes-bug-that-allowed-takeover-of-pypi… ===================== = Vulnerabilities = ===================== ∗∗∗ Panasonic Sanyo CCTV Network Camera 2.03-0x CSRF Disable Authentication / Change Password ∗∗∗ --------------------------------------------- The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform authentication detriment and account password change with administrative privileges if a logged-in user visits a malicious web site. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5659.php ∗∗∗ Cisco Web Security Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the configuration management of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied XML input for the web interface. An attacker could exploit this vulnerability by uploading crafted XML configuration files that contain scripting code to a vulnerable device. (Version 1.1 - Added a new fixed release.) --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities Patched in WordPress Download Manager ∗∗∗ --------------------------------------------- On May 4, 2021, the Wordfence Threat Intelligence Team initiated the responsible disclosure process for WordPress Download Manager, a WordPress plugin installed on over 100,000 sites. We found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations. --------------------------------------------- https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabi… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsndfile and openjdk-11), Fedora (php-pear and seamonkey), openSUSE (fastjar and php7), SUSE (php72, qemu, and sqlite3), and Ubuntu (libsndfile, php-pear, and qpdf). --------------------------------------------- https://lwn.net/Articles/864684/ ∗∗∗ PEPPERL+FUCHS: Security Advisory for PrintNightmare Vulnerability in multiple HMI Devices ∗∗∗ --------------------------------------------- A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-034 ∗∗∗ Hitachi ABB Power Grids eSOMS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Hitachi ABB Power Grids eSOMS management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-210-01 ∗∗∗ Wibu-Systems CodeMeter Runtime ∗∗∗ --------------------------------------------- This advisory contains mitigations for Buffer Over-read vulnerabilities in Wibu-Systems CodeMeter Runtime license manager software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-210-02 ∗∗∗ Security Bulletin: De-serialization Vulnerability Affects IBM Partner Engagement Manager (CVE-2021-29781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-de-serialization-vulnerab… ∗∗∗ Security Bulletin: Vulnerabilities in Java and WLP affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability (CVE-2021-29736) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25215) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: i2 Analyze has an information disclosure vulnerability (CVE-2019-17638) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-i2-analyze-has-an-informa… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) ( CVE-2021-20417, CVE-2021-20415) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2021
by Daily end-of-shift report 29 Jul '21

29 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-07-2021 18:00 − Donnerstag 29-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Verschlüsselung: Windows-Verschlüsselung Bitlocker trotz TPM-Schutz umgangen ∗∗∗ --------------------------------------------- Eine mit Bitlocker verschlüsselte SSD mit TPM-Schutz lässt sich relativ einfach knacken. Ein Passwort schützt, ist aber nicht der Standard. --------------------------------------------- https://www.golem.de/news/verschluesselung-windows-verschluesselung-bitlock… ∗∗∗ Voucher von EUSC 2021 für kostenlose Hotelübernachtungen? Versteckte Kosten! ∗∗∗ --------------------------------------------- Auf Facebook und Instagram wird von „EUCS 2021“ eine Umfrage zu Tourismuspräferenzen beworben. Als Dankeschön für die Teilnahme wird ein Voucher für 3 kostenlose Übernachtungen für 2 Personen versprochen. Beim Einlösen dieses Gutscheins werden jedoch unterschiedliche Gebühren fällig. --------------------------------------------- https://www.watchlist-internet.at/news/voucher-von-eusc-2021-fuer-kostenlos… ∗∗∗ Microsoft Security Update Revisions (29. Juli 2021) ∗∗∗ --------------------------------------------- Kurzinformation für Windows-Admins im Firmenumfeld. Microsoft hat die Nacht zum 29.7.2021 revidierte Sicherheitsupdates zur Abschwächung der NTLM Relay Attacken auf Active Directory-Zertifikate und zur Schwachstelle CVE-2021-36934 (Windows Elevation of Privilege Vulnerability) veröffentlicht. Ich stelle es man unkommentiert hier zur Info [...] --------------------------------------------- https://www.borncity.com/blog/2021/07/29/microsoft-security-update-revision… ∗∗∗ DoppelPaymer ransomware gang rebrands as the Grief group ∗∗∗ --------------------------------------------- After a period of little to no activity, the DoppelPaymer ransomware operation has made a rebranding move, now going by the name Grief (a.k.a. Pay or Grief). --------------------------------------------- https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-gang… ∗∗∗ Tools To Quickly Extract Indicators of Compromise ∗∗∗ --------------------------------------------- Brush up on indicators of compromise, their relationship to your internal threat intelligence, and tools to help you quickly extract them from PDFs and plain text. --------------------------------------------- https://www.domaintools.com/resources/blog/tools-to-quickly-extract-indicat… ∗∗∗ APT trends report Q2 2021 ∗∗∗ --------------------------------------------- This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc. --------------------------------------------- https://securelist.com/apt-trends-report-q2-2021/103517/ ∗∗∗ Reboot of PunkSpider Tool at DEF CON Stirs Debate ∗∗∗ --------------------------------------------- Researchers plan to introduce a revamp of PunkSpider, which helps identify flaws in websites so companies can make their back-end systems more secure, at DEF CON. --------------------------------------------- https://threatpost.com/punkspider-def-con-debate/168223/ ∗∗∗ Six Malicious Linux Shell Scripts Used to Evade Defenses and How to Stop Them ∗∗∗ --------------------------------------------- Uptycs Threat Research outline how malicious Linux shell scripts are used to cloak attacks and how defenders can detect and mitigate against them. --------------------------------------------- https://threatpost.com/six-malicious-linux-shell-scripts-how-to-stop-them/1… ∗∗∗ BazaCall: Phony call centers lead to exfiltration and ransomware ∗∗∗ --------------------------------------------- Our continued investigation into BazaCall campaigns, those that use fraudulent call centers that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media. --------------------------------------------- https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-cent… ∗∗∗ Malicious Content Delivered Through archive.org, (Thu, Jul 29th) ∗∗∗ --------------------------------------------- archive.org[1], also known as the "way back machine" is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website[2]). It works like regular search engines and continuously crawls the internet via bots. But there is another way to store content on archive.org: You may create an account and upload some content by yourself. --------------------------------------------- https://isc.sans.edu/diary/rss/27688 ∗∗∗ Stylish Magento Card Stealer loads Without Script Tags ∗∗∗ --------------------------------------------- Recently one of our analysts, Weston H., found a very interesting credit card stealer in a Magento environment which loads a malicious JavaScript without using any script tags. In this post I will go over how it was found, how to decode it and how it works! --------------------------------------------- https://blog.sucuri.net/2021/07/stylish-magento-card-stealer-loads-without-… ∗∗∗ Crimea "manifesto" deploys VBA Rat using double attack vectors ∗∗∗ --------------------------------------------- On July 21, 2021, we identified a suspicious document named "Манифест.docx" ("Manifest.docx") that downloads and executes two templates: one is macro-enabled and the other is an html object that contains an Internet Explorer exploit. While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit (CVE-2021-26411) previously used by the Lazarus APT is an unusual discovery. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-… ∗∗∗ “Netfilter Rootkit II ” Continues to Hold WHQL Signatures ∗∗∗ --------------------------------------------- Recently, 360 Security Center discovered that a malicious driver “Netfilter rootkit” with WHQL signature was revealed in mid-June. WHQL signature means that after the [...] --------------------------------------------- https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold… ∗∗∗ Turn Off, Turn On: Simple Step Can Thwart Top Phone Hackers ∗∗∗ --------------------------------------------- Regularly rebooting smartphones can make even the most sophisticated hackers work harder to maintain access and steal data from a phone --------------------------------------------- https://www.securityweek.com/turn-turn-simple-step-can-thwart-top-phone-hac… ∗∗∗ McAfee: Babuk ransomware decryptor causes encryption beyond repair ∗∗∗ --------------------------------------------- Babuk announced earlier this year that it would be targeting Linux/UNIX and ESXi or VMware systems with ransomware. --------------------------------------------- https://www.zdnet.com/article/mcafee-babuk-ransomware-decryptor-causes-encr… ∗∗∗ New Android malware records smartphones via VNC to steal passwords ∗∗∗ --------------------------------------------- Security researchers have discovered a novel piece of Android malware that uses the VNC technology to record a victims smartphone screen in order to collect and steal their passwords. --------------------------------------------- https://therecord.media/new-android-malware-records-smartphones-via-vnc-to-… ∗∗∗ Communication during a hacker attack ∗∗∗ --------------------------------------------- You cannot trust your office PC during a major incident. You can neither trust your usual communication and collaboration tools. If an attacker can authenticate on any domain-joined device with any domain user, the game is over. --------------------------------------------- https://securityguide.me/issues/communication-during-a-hacker-attack ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-909: (0Day) Microsoft 3D Viewer 3MF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft 3D Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-909/ ∗∗∗ Drupal: Wichtiges Sicherheitsupdate für "Pages Restriction Access"-Modul ∗∗∗ --------------------------------------------- Ein Update für "Pages Restriction Access" für die 8er-Versionsreihe des CMS Drupal beseitigt Zugriffsmöglichkeiten über eine kritische Sicherheitslücke. --------------------------------------------- https://heise.de/-6150416 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (ruby and webkit2gtk3), Mageia (aspell and varnish), openSUSE (git), SUSE (ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema and git), and Ubuntu (libsndfile, mariadb-10.3, and [...] --------------------------------------------- https://lwn.net/Articles/864577/ ∗∗∗ Tomcat vulnerability CVE-2021-30640 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35033051 ∗∗∗ Apache Tomcat vulnerability CVE-2021-30639 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87895241 ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-27219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Elastic Storage System (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-20505 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities fixed in Openssl as shipped with IBM Security Verify products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2021
by Daily end-of-shift report 28 Jul '21

28 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-07-2021 18:00 − Mittwoch 28-07-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Haron and BlackMatter are the latest groups to crash the ransomware party ∗∗∗ --------------------------------------------- The additions come as the number of high-severity ransomware attacks ratchet up. --------------------------------------------- https://arstechnica.com/?p=1783582 ∗∗∗ LockBit ransomware now encrypts Windows domains using group policies ∗∗∗ --------------------------------------------- An new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encry… ∗∗∗ Sicherheitswarnung: BSI sieht kaum Schutzmöglichkeiten vor Pegasus ∗∗∗ --------------------------------------------- Das BSI hat eine offizielle Warnung vor der Spionagesoftware Pegasus veröffentlicht. Die Bedrohungslage wird aber nicht als kritisch eingestuft. --------------------------------------------- https://www.golem.de/news/sicherheitswarnung-bsi-sieht-kaum-schutzmoeglichk… ∗∗∗ UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild ∗∗∗ --------------------------------------------- An Android malware that was observed abusing accessibility services in the device to hijack user credentials from European banking applications has morphed into an entirely new botnet as part of a renewed campaign that began in May 2021. --------------------------------------------- https://thehackernews.com/2021/07/ubel-is-new-oscorp-android-credential.html ∗∗∗ Top 25 der Sicherheitslücken: Buffer Overflows als größte Gefahrenquelle ∗∗∗ --------------------------------------------- Eine kürzlich veröffentlichte Auswertung von häufigen Softwareschwachstellen liefert eine Übersicht über die 25 gefährlichsten Arten. --------------------------------------------- https://heise.de/-6148053 ∗∗∗ Vorsicht bei der Urlaubsbuchung: BetrügerInnen geben sich als türkische Luxus-Hotels aus! ∗∗∗ --------------------------------------------- Wer einen Urlaub in der Türkei buchen will, sollte sich vor BetrügerInnen in Acht nehmen, die Webseiten türkischer Luxus-Hotels kopieren. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-urlaubsbuchung-betr… ∗∗∗ THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group ∗∗∗ --------------------------------------------- We provide a technical overview of the previously unseen PlugX variant THOR, indicators of compromise and a new tool for payload decryption. --------------------------------------------- https://unit42.paloaltonetworks.com/thor-plugx-variant/ ∗∗∗ Ransomware Families: 2021 Data to Supplement the Unit 42 Ransomware Threat Report ∗∗∗ --------------------------------------------- We discuss the propagation of different ransomware families we observed in the wild in early 2021 and the different types of extortion used. --------------------------------------------- https://unit42.paloaltonetworks.com/ransomware-families/ ∗∗∗ Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- CISA, the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) have released the Joint Cybersecurity Advisory Top Routinely Exploited Vulnerabilities, which details the top vulnerabilities routinely exploited by malicious actors in 2020 and those being widely exploited thus far in 2021. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/28/top-routinely-exp… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Microsoft Hyper-V bug could haunt orgs for a long time ∗∗∗ --------------------------------------------- Technical details are now available for a vulnerability that affects Hyper-V, Microsofts native hypervisor for creating virtual machines on Windows systems and in Azure cloud computing environment. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-microsoft-hyper-v-b… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang), Mageia (curl, filezilla, jdom/jdom2, netty, pdfbox, perl-Mojolicious, perl-Net-CIDR-Lite, perl-Net-Netmask, python-urllib3, python3, quassel, transfig, and virtualbox), openSUSE (umoci), Red Hat (rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and SUSE (firefox, glibc, libsndfile, linuxptp, qemu, and umoci). --------------------------------------------- https://lwn.net/Articles/864497/ ∗∗∗ Security Bulletin: A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Mgmt (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Vulnerability deferred from Oracle Oct 2020 CPU for Java 8 (CVE-2020-14781 ) may affect IBM® SDK, Java™ Technology Edition and IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-deferred-fr… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Analyst's Notebook Premium uses a component with known vulnerabilities (CVE-2020-16013, CVE-2020-16009, CVE-2020-15999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-analysts-notebook-pre… ∗∗∗ Security Bulletin: Vulnerabilities in Java and WLP affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Guardium Data Encryption (GDE) (CVE-2020-7676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-gu… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: HTTP Header Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2021-20560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-http-header-vulnerability… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect Engineering Lifecycle Management and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-q… ∗∗∗ Security Bulletin: Information disclosure vulnerability in IBM i2 Analyze (CVE-2021-29766) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Transparent Could Tiering is affected by a vulnerability in Apache Commons IO ( CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-could-tie… ∗∗∗ Security Bulletin: i2 Analyse and Analyst's Notebook Premium have hyperlink clicking vulnerability (CVE-2021-29770) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-i2-analyse-and-analysts-n… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ SECURITY BULLETIN: July 28, 2021, Security Bulletin for Worry-Free Business Security ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000287820 ∗∗∗ SECURITY BULLETIN: July 28, 2021, Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000287819 ∗∗∗ MISP: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0814 ∗∗∗ KUKA KR C4 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-01 ∗∗∗ Mitsubishi Electric GOT2000 series and GT SoftGOT2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-02 ∗∗∗ Geutebrück G-Cam E2 and G-Code ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03 ∗∗∗ LCDS LAquis SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-04 ∗∗∗ Delta Electronics DIAScreen ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2021
by Daily end-of-shift report 27 Jul '21

27 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 26-07-2021 18:00 − Dienstag 27-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Failed Malspam: Recovering The Password, (Mon, Jul 26th) ∗∗∗ --------------------------------------------- Jan's diary entry "One way to fail at malspam - give recipients the wrong password for an encrypted attachment" got my attention: it's an opportunity for me to do some password cracking. --------------------------------------------- https://isc.sans.edu/diary/rss/27674 ∗∗∗ Hiding Malware in ML Models ∗∗∗ --------------------------------------------- “EvilModel: Hiding Malware Inside of Neural Network Models”. --------------------------------------------- https://www.schneier.com/blog/archives/2021/07/hiding-malware-in-ml-models.… ∗∗∗ OSX.XLoader hides little except its main purpose: What we learned in the installation process ∗∗∗ --------------------------------------------- We dig into OSX.XLoader, also known as X Loader, which is the latest threat to macOS that bears some similarities to novice malware. --------------------------------------------- https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-i… ∗∗∗ Malware developers turn to exotic programming languages to thwart researchers ∗∗∗ --------------------------------------------- They are focused on exploiting pain points in code analysis and reverse-engineering. --------------------------------------------- https://www.zdnet.com/article/malware-developers-turn-to-exotic-programming… ∗∗∗ Wie MSPs am besten mit der Ransomware-Krise umgehen können ∗∗∗ --------------------------------------------- Managed Service Provider (MSPs) spielen eine kritische Rolle im Kampf gegen Schadsoftware. Allerdings traf die Ransomware-Attacke auf Kaseya dutzende von MSPs mit voller Wucht und dadurch mittelbar auch deren Kunden. --------------------------------------------- https://www.zdnet.de/88395971/wie-msps-am-besten-mit-der-ransomware-krise-u… ∗∗∗ Praying Mantis APT targets IIS servers with ASP.NET exploits ∗∗∗ --------------------------------------------- A new advanced persistent threat (APT) group has been seen carrying out attacks against Microsoft IIS web servers using old exploits in ASP.NET applications in order to plant a backdoor and then pivot to companys internal networks. --------------------------------------------- https://therecord.media/praying-mantis-apt-targets-iis-servers-with-asp-net… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple fixes zero-day affecting iPhones and Macs, exploited in the wild ∗∗∗ --------------------------------------------- Apple has released security updates to address a zero-day vulnerability exploited in the wild and impacting iPhones, iPads, and Macs. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-affecting-… ∗∗∗ Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities ∗∗∗ --------------------------------------------- Security researchers warn of new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-warn-of-unpatche… ∗∗∗ Moodle: Neue Versionen beseitigen Remote-Angriffsmöglichkeit via Shibboleth ∗∗∗ --------------------------------------------- Mehrere Versionen der Lernplattform sind, allerdings nur bei aktivierter Shibboleth-Authentifizierung, aus der Ferne angreifbar. Updates stehen bereit. --------------------------------------------- https://heise.de/-6148879 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7), Fedora (linux-firmware), openSUSE (qemu), Oracle (kernel and thunderbird), Red Hat (thunderbird), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, kernel, and thunderbird), SUSE (dbus-1, libvirt, linuxptp, qemu, and slurm), and Ubuntu (aspell and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/864439/ ∗∗∗ Vulnerabilities Allow Hacking of Zimbra Webmail Servers With Single Email ∗∗∗ --------------------------------------------- Vulnerabilities in the Zimbra enterprise webmail solution could allow an attacker to gain unrestricted access to an organization’s sent and received email messages, software security firm SonarSource reveals. --------------------------------------------- https://www.securityweek.com/vulnerabilities-allow-hacking-zimbra-webmail-s… ∗∗∗ Security Bulletin: A security vulnerability in Golang Go affects IBM Cloud Pak for Multicloud Management Managed services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: XSS Security Vulnerabilty Affects Mailbox UI of IBM Sterling B2B Integrator (CVE-2021-20562) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xss-security-vulnerabilty… ∗∗∗ Security Bulletin: A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: GRUB2 as used by IBM QRadar SIEM is vulnerable to arbitrary code execution ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-grub2-as-used-by-ibm-qrad… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2021-20399) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ MIT Kerberos: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0809 ∗∗∗ VLC: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0807 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0812 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2021
by Daily end-of-shift report 26 Jul '21

26 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-07-2021 18:00 − Montag 26-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Windows-Netze verwundbar für Relay-Angriff PetitPotam ∗∗∗ --------------------------------------------- Forscher demonstrieren einen neuen Weg, sich zum König einer Windows-Domäne aufzuschwingen. Microsoft zuckt mit den Achseln und verweist auf Härtungsmaßnahmen. --------------------------------------------- https://heise.de/-6147467 ∗∗∗ GitLab schickt Package Hunter auf die Jagd nach Schadcode ∗∗∗ --------------------------------------------- Das neue Open-Source-Tool Package Hunter soll Schadcode in Dependencies erkennen können. --------------------------------------------- https://heise.de/-6147526 ∗∗∗ No More Ransom: We Prevented Ransomware Operators From Earning $1 Billion ∗∗∗ --------------------------------------------- No More Ransom is celebrating its 5th anniversary and the project says it has helped more than 6 million ransomware victims recover their files and prevented cybercriminals from earning roughly $1 billion. No More Ransom is a joint effort of law enforcement and cybersecurity companies whose goal is to help victims of ransomware attacks recover their files without having to pay the ransom demanded by criminals. --------------------------------------------- https://www.securityweek.com/no-more-ransom-we-prevented-ransomware-operato… ∗∗∗ Microsoft warns of weeks-long malspam campaign abusing HTML smuggling ∗∗∗ --------------------------------------------- The Microsoft security team said it detected a weeks-long email spam campaign abusing a technique known as “HTML smuggling” to bypass email security systems and deliver malware to user devices. HTML smugging, as explained by SecureTeam and Outflank, is a technique that allows threat actors to assemble malicious files on users’ device by clever use of HTML5 and JavaScript code. --------------------------------------------- https://therecord.media/microsoft-warns-of-weeks-long-malspam-campaign-abus… ∗∗∗ RemotePotato0: Privilege Escalation-Schwachstelle im Windows RPC Protocol ∗∗∗ --------------------------------------------- Jedes Windows-System ist anfällig für eine bestimmte NTLM-Relay-Attacke, die es Angreifern ermöglichen könnte, die Privilegien vom Benutzer zum Domain-Admin zu erweitern. Diese Schwachstelle besitzt den Status „wird nicht behoben“ und war Gegenstand des PetitPotam-Ansatzes, den ich am Wochenende thematisiert hatte. Nun hat Antonio Cocomazzi auf die RemotePotato0 genannte Schwachstelle hingewiesen. Diese verwendet das Windows RPC Protocol für eine Privilegien-Ausweitung. --------------------------------------------- https://www.borncity.com/blog/2021/07/26/remotepotato0-privilege-escalation… ===================== = Vulnerabilities = ===================== ∗∗∗ Collabora Online: Update schützt vor unbefugten Dateizugriffen aus der Ferne ∗∗∗ --------------------------------------------- Das Collabora Online-Team rät zur Aktualisierung der Online-Officeanwendung, um eine als "kritisch" eingestufte Remote-Angriffsmöglichkeit zu beseitigen. --------------------------------------------- https://heise.de/-6147967 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (aspell, intel-microcode, krb5, rabbitmq-server, and ruby-actionpack-page-caching), Fedora (chromium, containernetworking-plugins, containers-common, crun, fossil, podman, skopeo, varnish-modules, and vmod-uuid), Gentoo (leptonica, libsdl2, and libyang), Mageia (golang, lib3mf, nodejs, python-pip, redis, and xstream), openSUSE (containerd, crmsh, curl, icinga2, and systemd), Oracle (containerd), and Red Hat (thunderbird). --------------------------------------------- https://lwn.net/Articles/864346/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in OTRS ausnutzen, um Sicherheitsvorkehrungen zu umgehen und einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0805 ∗∗∗ Security Bulletin: FasterXML Vulnerability in Jackson-Databind Affects IBM Sterling Connect:Direct File Agent (CVE-2018-7489) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-fasterxml-vulnerability-i… ∗∗∗ Security Bulletin: Apache Commons Configuration Vulnerability Affects IBM Sterling Connect:Direct File Agent (CVE-2020-1953) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-configurat… ∗∗∗ Security Bulletin: IBM i2 Analyze missing security header (CVE-2021-29769) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-missing-se… ∗∗∗ Security Bulletin: IBM i2 Analyze and i2 Analyst's Notebook Premium has session handling vulnerability (CVE-2021-20431) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-i2-ana… ∗∗∗ Security Bulletin: Apache PDFBox as used by IBM QRadar Incident Forensics is vulnerable to denial of service (CVE-2021-27807, CVE-2021-27906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-pdfbox-as-used-by-… ∗∗∗ Security Bulletin: IBM i2 Analyst's Notebook Premium has an information disclosure vulnerability (CVE-2021-29767) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: IBM i2 iBase vulnerable to DLL highjacking (CVE-2020-4623) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-ibase-vulnerable-t… ∗∗∗ Security Bulletin: IBM i2 Analyst's Notebook Premium has an information disclosure vulnerability (CVE-2021-29784) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: IBM QRadar SIEM uses weaker than expected cryptographic algorithms (CVE-2021-20337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-uses-weak… ∗∗∗ Security Bulletin: IBM i2 Analyze has an information disclosure vulnerability (CVE-2021-20430) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-has-an-inf… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.07.2021
by Daily end-of-shift report 23 Jul '21

23 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-07-2021 18:00 − Freitag 23-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Nach Lieferkettenangriff: Kaseya will Daten retten dank Entschlüsselungs-Tool ∗∗∗ --------------------------------------------- Fast drei Wochen nach dem verheerenden LIeferkettenangriff auf Kunden von Kaseya gibt es Hoffnung für die Opfer. Die US-Firma hat einen Generalschlüssel. --------------------------------------------- https://heise.de/-6145950 ∗∗∗ The NSO “Surveillance List”: What It Is and Isn’t ∗∗∗ --------------------------------------------- A series of blockbuster stories published this week around a leaked list of 50,000 phone numbers have created confusion about whether the owners of those numbers were targets of surveillance or not. --------------------------------------------- https://zetter.substack.com/p/the-nso-surveillance-list-what-it ∗∗∗ Phish Swims Past Email Security With Milanote Pages ∗∗∗ --------------------------------------------- The “Evernote for creatives” is anchoring a rapidly spiking phishing campaign, evading SEGs with ease. --------------------------------------------- https://threatpost.com/phish-email-security-milanote/168021/ ∗∗∗ When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure ∗∗∗ --------------------------------------------- LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity. --------------------------------------------- https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-… ∗∗∗ Uncovering Shenanigans in an IP Address Block via Hurricane Electrics BGP Toolkit (II), (Fri, Jul 23rd) ∗∗∗ --------------------------------------------- Today's diary revisits hunting for dodgy domains via Hurricane Electric's BGP Toolkit [1]. This was previously done in an earlier diary [2], and I plan to do this occasionally to share potential or identified threats so that readers can be aware of them. --------------------------------------------- https://isc.sans.edu/diary/rss/27664 ∗∗∗ Nasty macOS Malware XCSSET Now Targets Google Chrome, Telegram Software ∗∗∗ --------------------------------------------- A malware known for targeting macOS operating system has been updated once again to add more features to its toolset that allows it to amass and exfiltrate sensitive data stored in a variety of apps, including apps such as Google Chrome and Telegram, as part of further "refinements in its tactics." --------------------------------------------- https://thehackernews.com/2021/07/nasty-macos-malware-xcsset-now-targets.ht… ∗∗∗ Wake up! Identify API Vulnerabilities Proactively, From Production Back to Code ∗∗∗ --------------------------------------------- After more than 20 years in the making, now its official: APIs are everywhere. In a 2021 survey, 73% of enterprises reported that they already publish more than 50 APIs, and this number is constantly growing. APIs have crucial roles to play in virtually every industry today, and their importance is increasing steadily, as they move to the forefront of business strategies. --------------------------------------------- https://thehackernews.com/2021/07/wake-up-identify-api-vulnerabilities.html ∗∗∗ This Week in Security: NSO, Print Spooler, and a Mysterious Decryptor ∗∗∗ --------------------------------------------- The NSO Group has been in the news again recently, with multiple stories reporting on their Pegasus spyware product. The research and reporting spearheaded by Amnesty International is collectively known [...] --------------------------------------------- https://hackaday.com/2021/07/23/this-week-in-security-nso-print-spooler-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Unified Customer Voice Portal Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco Unified Customer Voice Portal (CVP) could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user. This vulnerability is due to insufficient input validation of a parameter that is used by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, curl, impacket, jdk11-openjdk, jre-openjdk, jre-openjdk-headless, jre11-openjdk-headless, kernel, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, libpano13, linux-hardened, linux-lts, linux-zen, nvidia-utils, opera, systemd, and virtualbox), CentOS (java-11-openjdk and kernel), Debian (lemonldap-ng), Fedora (curl and podman), Gentoo (icedtea-web and velocity), openSUSE (bluez, go1.15, go1.16, [...] --------------------------------------------- https://lwn.net/Articles/864158/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0004 ∗∗∗ --------------------------------------------- Date Reported: July 23, 2021 Advisory ID: WSA-2021-0004 CVE identifiers: CVE-2021-1817, CVE-2021-1820,CVE-2021-1825, CVE-2021-1826,CVE-2021-21775, CVE-2021-21779,CVE-2021-21806, CVE-2021-30661,CVE-2021-30663, CVE-2021-30665,CVE-2021-30666, CVE-2021-30682,CVE-2021-30689, CVE-2021-30720,CVE-2021-30734, CVE-2021-30744,CVE-2021-30749, CVE-2021-30758,CVE-2021-30761, CVE-2021-30762,CVE-2021-30795, CVE-2021-30797,CVE-2021-30799. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2021-0004.html ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210721… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise v11 are affected by vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Microsoft Chrome Based Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0800 ∗∗∗ Asterisk: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0799 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2021
by Daily end-of-shift report 22 Jul '21

22 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-07-2021 18:00 − Donnerstag 22-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cisco: Wichtiges Sicherheitsupdate für Intersight Virtual Appliance verfügbar ∗∗∗ --------------------------------------------- Für die virtuelle Cisco Intersight-Appliance, aber auch für weitere Produkte des Netzwerkausrüsters stehen sicherheitsrelevante Aktualisierungen bereit. --------------------------------------------- https://heise.de/-6144993 ∗∗∗ HP, Samsung & Xerox: Lücke in Windows-Druckertreibern gefixt – nach 16 Jahren ∗∗∗ --------------------------------------------- Wer die seit Mitte Mai verfügbaren Druckertreiber-Updates noch nicht installiert hat, sollte dies zügig nachholen: Angreifer könnten Systeme übernehmen. --------------------------------------------- https://heise.de/-6145114 ∗∗∗ Recovery Scams: Weitere Schäden statt Geld zurück! ∗∗∗ --------------------------------------------- Wer Opfer einer betrügerischen Investitionsplattform wird, erleidet mitunter beträchtlichen finanziellen Schaden. Damit nicht genug, folgen wenig später E-Mails oder Anrufe der Kriminellen, die hinter dem Investitionsbetrug steckten. Diesmal geben sie sich jedoch nicht als InvestmentberaterInnen aus, sondern Schlüpfen in eine andere Rolle: Gegen Vorabzahlung versprechen sie Hilfe beim Zurückholen des verlorenen Geldes. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scams-weitere-schaeden-stat… ∗∗∗ MITRE updates list of top 25 most dangerous software bugs ∗∗∗ --------------------------------------------- MITRE has shared this years top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mitre-updates-list-of-top-25… ∗∗∗ Microsoft Issues Windows 10 Workaround Fix for ‘SeriousSAM’ Bug ∗∗∗ --------------------------------------------- A privilege elevation bug in Windows 10 opens all systems to attackers to access data and create new accounts on systems. --------------------------------------------- https://threatpost.com/win-10-serioussam/168034/ ∗∗∗ Compromising a Network Using an "Info" Level Finding ∗∗∗ --------------------------------------------- Anyone who has ever read a vulnerability scan report will know that scanners often include a large number of findings they classify as "Info". Typically this is meant to convey general information about the target systems which does not pose any risk. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/compromisin… ∗∗∗ Vulnerable Plugin Exploited in Spam Redirect Campaign ∗∗∗ --------------------------------------------- Some weeks ago a critical unauthenticated privilege escalation vulnerability was discovered in old, unpatched versions of the wp-user-avatar plugin. It also allows for arbitrary file uploads, which is where we have been seeing the infections start. This plugin has over 400,000 installations so we have seen a sustained campaign to infect sites with this plugin installed. In this post I will review a common infection seen as a result of this vulnerability in the wp-user-avatar plugin. --------------------------------------------- https://blog.sucuri.net/2021/07/vulnerable-plugin-exploited-in-spam-redirec… ∗∗∗ Oracle Warns of Critical Remotely Exploitable Weblogic Server Flaws ∗∗∗ --------------------------------------------- Oracle on Tuesday released its quarterly Critical Patch Update for July 2021 with 342 fixes spanning across multiple products, some of which could be exploited by a remote attacker to take control of an affected system. Chief among them is CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services thats remotely exploitable without authentication. It's worth noting that the weakness was originally addressed as part of an out-of-band security update in June 2019. --------------------------------------------- https://thehackernews.com/2021/07/oracle-warns-of-critical-remotely.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pillow and redis), Fedora (kernel-headers, kernel-tools, kernelshark, libbpf, libtraceevent, libtracefs, nextcloud, and trace-cmd), Gentoo (chromium and singularity), Mageia (kernel, kernel-linus, and systemd), openSUSE (caribou, chromium, curl, and qemu), Oracle (java-1.8.0-openjdk, java-11-openjdk, kernel, and systemd), Slackware (curl), SUSE (curl, kernel, linuxptp, python-pip, and qemu), and Ubuntu (ruby2.3, ruby2.5, ruby2.7). --------------------------------------------- https://lwn.net/Articles/863997/ ∗∗∗ Atlassian Patches Critical Vulnerability in Jira Data Center Products ∗∗∗ --------------------------------------------- Software development and collaboration solutions provider Atlassian on Wednesday informed customers that it has patched a critical code execution vulnerability affecting some of its Jira products. --------------------------------------------- https://www.securityweek.com/atlassian-patches-critical-vulnerability-jira-… ∗∗∗ IDEMIA fixed biometric identification devices vulnerabilities discovered by Positive Technologies ∗∗∗ --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/idemia-fixed-biometric-identifi… ∗∗∗ July 22, 2021 TNS-2021-14 [R1] Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2021-14 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0793 ∗∗∗ cURL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0797 ∗∗∗ MB connect line: Apache Guacamole related vulnerabilities in mbCONNECT24, mymbCONNECT24 <= 2.8.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-031 ∗∗∗ MB connect line: two vulnerabilities in mymbCONNECT24, mbCONNECT24 <= 2.8.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-030 ∗∗∗ MB connect line: Privilege escalation in mbDIALUP <= 3.9R0.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-017 ∗∗∗ ZDI-21-893: (0Day) Apple macOS ImageIO WEBP File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-893/ ∗∗∗ ZDI-21-892: (0Day) Apple macOS ImageIO WEBP File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-892/ ∗∗∗ ZDI-21-891: (0Day) Apple macOS ImageIO TIFF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-891/ ∗∗∗ ZDI-21-890: (0Day) Apple macOS AudioToolboxCore LOAS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-890/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK (April 2021) affects IBM InfoSphere Information Server (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Addressing the Sqlite Vulnerability CVE-2021-20227 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-addressing-the-sqlite-vul… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Directory Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2021
by Daily end-of-shift report 21 Jul '21

21 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-07-2021 18:00 − Mittwoch 21-07-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trügerische Gewinnversprechen ∗∗∗ --------------------------------------------- Der Onlinehandel mit Finanzinstrumenten wird bei Anlegern immer beliebter. Diesen Trend machen sich Betrüger zunutze. Sie versprechen hohe Gewinne mit betrügerischen Cybertrading-Plattformen. --------------------------------------------- https://www.bmi.gv.at/news.aspx?id=4661724A4D466861696B4D3D ∗∗∗ XLoader malware steals logins from macOS and Windows systems ∗∗∗ --------------------------------------------- A highly popular malware for stealing information from Windows systems has been modified into a new strain called XLoader, which can also target macOS systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xloader-malware-steals-login… ∗∗∗ NPM package steals Chrome passwords on Windows via recovery tool ∗∗∗ --------------------------------------------- New npm malware has been caught stealing credentials from the Google Chrome web browser by using legitimate password recovery tools on Windows systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-package-steals-chrome-pa… ∗∗∗ Betrügerische E-Mail im Namen der Raiffeisen Bank im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche InternetnutzerInnen finden derzeit ein vermeintliches E-Mail der Raiffeisen Bank in ihrem Posteingang. Darin wird behauptet, dass aufgrund aktueller Betrugsversuche ein neues Sicherheitssystem notwendig sei. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-e-mail-im-namen-der-r… ∗∗∗ CVE-2021-31969: Underflowing in the Clouds ∗∗∗ --------------------------------------------- You can now have your storage in the cloud while exploring it locally on your system. On Windows, this is done via the Cloud Sync Engine. This component exposes a native API known as the Cloud Filter API. --------------------------------------------- https://www.thezdi.com/blog/2021/7/19/cve-2021-31969-underflowing-in-the-cl… ∗∗∗ New Attacks on Kubernetes via Misconfigured Argo Workflows ∗∗∗ --------------------------------------------- Intezer has detected a new attack vector against Kubernetes (K8s) clusters via misconfigured Argo Workflows instances. --------------------------------------------- https://www.intezer.com/blog/container-security/new-attacks-on-kubernetes-v… ===================== = Vulnerabilities = ===================== ∗∗∗ Nasty Linux Systemd Security Bug Revealed ∗∗∗ --------------------------------------------- Qualys has discovered a new systemd security bug that enables any unprivileged user to cause a denial of service via a kernel panic. --------------------------------------------- https://it.slashdot.org/story/21/07/20/211230/nasty-linux-systemd-security-… ∗∗∗ Vulnerability in ON24 Plugin for macOS Shares More Than Just Your Screen ∗∗∗ --------------------------------------------- ON24 presenter mode requires you to install a plugin that is used to share your screen. For the macOS app (DesktopScreenShare.app), the plugin is started automatically once a user logs on. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabili… ∗∗∗ HiveNightmare: Nutzer können die Windows-Passwort-Datenbank auslesen ∗∗∗ --------------------------------------------- Fehlerhafte Zugriffsrechte verursachen eine Sicherheitslücke in Windows 10 und 11. Einen Patch gibt es noch nicht – wir zeigen aber erste Workarounds. --------------------------------------------- https://heise.de/-6143746 ∗∗∗ Sicherheitsupdates: Adobe patcht Photoshop & Co. außer der Reihe ∗∗∗ --------------------------------------------- Angreifer könnten Computer, auf denen unter anderem Adobe After Effects oder Prelude laufen, mit Schadcode attackieren. --------------------------------------------- https://heise.de/-6143780 ∗∗∗ Root-Kernel-Lücke bedroht viele Linux-Distributionen ∗∗∗ --------------------------------------------- Sicherheitsforscher demonstrieren erfolgreiche Attacken auf Debian, Fedora und Ubuntu. Im Anschluss hatten sie Root-Rechte. Patches schaffen Abhilfe. --------------------------------------------- https://heise.de/-6144023 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ant, code, dino, firefox-ublock-origin, go, libuv, nextcloud-app-mail, nodejs-lts-erbium, nodejs-lts-fermium, openvswitch, putty, racket, telegram-desktop, and wireshark-cli), Debian (kernel, linux-4.19, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and krb5), Gentoo (systemd), Mageia (perl-Convert-ASN1 and wireshark), openSUSE (caribou, containerd, crmsh, fossil, icinga2, kernel, nextcloud, and systemd), Red Hat (389-ds:1.4, glibc,[...] --------------------------------------------- https://lwn.net/Articles/863861/ ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in Safari 14.1.2 and iOS 14.7. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/apple-releases-se… ∗∗∗ Malware Targeting Pulse Secure Devices ∗∗∗ --------------------------------------------- As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/malware-targeting… ∗∗∗ VU#914124: Arcadyan-based routers and modems vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/914124 ∗∗∗ Dell OpenManage Enterprise Hardcoded Credentails / Privilege Escalation / Deserialization ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021070121 ∗∗∗ Security Bulletin: Multiple vulnerabilities in F5 NGINX Controller affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Nvidia GPU Display Treiber: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0769 ∗∗∗ PuTTY: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0790 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-201-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2021
by Daily end-of-shift report 20 Jul '21

20 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 19-07-2021 18:00 − Dienstag 20-07-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New MosaicLoader malware targets software pirates via online ads ∗∗∗ --------------------------------------------- An ongoing worldwide campaign is pushing new malware dubbed MosaicLoader advertising camouflaged as cracked software via search engine results to infect wannabe software pirates systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mosaicloader-malware-tar… ∗∗∗ Summer of SAM - incorrect permissions on Windows 10/11 hives, (Tue, Jul 20th) ∗∗∗ --------------------------------------------- If you opened Twitter today you were probably flooded with news about the latest security issue with Windows. --------------------------------------------- https://isc.sans.edu/diary/rss/27652 ∗∗∗ 6 typische Phishing-Attacken ∗∗∗ --------------------------------------------- Phishing, Smishing, Vishing - kennen Sie den Unterschied? --------------------------------------------- https://sec-consult.com/de/blog/detail/6-common-types-of-phishing-attacks/ ∗∗∗ Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware ∗∗∗ --------------------------------------------- The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771). --------------------------------------------- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-fro… ∗∗∗ Don’t Wanna Pay Ransom Gangs? Test Your Backups. ∗∗∗ --------------------------------------------- Browse the comments on virtually any story about a ransomware attack and you will almost surely encounter the view that the victim organization could have avoided paying their extortionists if only theyd had proper data backups. --------------------------------------------- https://krebsonsecurity.com/2021/07/dont-wanna-pay-ransom-gangs-test-your-b… ∗∗∗ Vorsicht vor gefälschtem „Voicemail“ SMS ∗∗∗ --------------------------------------------- „Sie haben eine neue Voicemail“: Dieses lästige Fake-SMS mit einem Link zu einer angeblichen Sprachnachricht erhalten momentan unzählige HandynutzerInnen. Klicken Sie keinesfalls auf den Link. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschtem-voicemail-… ∗∗∗ AA21-200A: Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department ∗∗∗ --------------------------------------------- This Joint Cybersecurity Advisory was written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to provide information on a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa21-200a ∗∗∗ Significant Historical Cyber-Intrusion Campaigns Targeting ICS ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories. These alerts and advisories contain information on historical cyber-intrusion campaigns that have targeted ICS. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/significant-histo… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3 Security Advisories for 2021-07-20 ∗∗∗ --------------------------------------------- TYPO3-CORE-SA-2021-009 - TYPO3-CORE-SA-2021-012 --------------------------------------------- https://typo3.org/help/security-advisories ∗∗∗ Forensischer Bericht: iMessage-Lücke für Pegasus Spyware wird weiterhin genutzt ∗∗∗ --------------------------------------------- Amnesty International geht davon aus, dass eine iMessage-Lücke zur Installation von Spyware der Überwachungsfirma NSO Group bis heute ausgenutzt wird. --------------------------------------------- https://heise.de/-6141467 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, libjdom1-java, rabbitmq-server, and systemd), Fedora (glibc), Gentoo (libpano13, libslirp, mpv, pjproject, pycharm-community, and rpm), Mageia (glibc, libuv, mbedtls, rvxt-unicode, mxrvt, eterm, tomcat, and zziplib), openSUSE (dbus-1, firefox, go1.15, lasso, nodejs10, nodejs12, nodejs14, and sqlite3), SUSE (go1.15), and Ubuntu (containerd). --------------------------------------------- https://lwn.net/Articles/863617/ ∗∗∗ Oracle Releases July 2021 Critical Patch Update ∗∗∗ --------------------------------------------- Oracle has released its Critical Patch Update for July 2021 to address 327 vulnerabilities across multiple products. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/oracle-releases-j… ∗∗∗ Hundreds of millions of HP, Xerox, and Samsung printers vulnerable to new bug ∗∗∗ --------------------------------------------- Security experts have found a severe vulnerability in a common printer driver used by HP, Xerox, and Samsung. --------------------------------------------- https://therecord.media/hundreds-of-millions-of-hp-xerox-and-samsung-printe… ∗∗∗ New Sequoia bug gives you root access on most Linux systems ∗∗∗ --------------------------------------------- Security auditing firm Qualys said today it discovered a new vulnerability in the Linux operating system that can grant attackers root access on most distros, such as Ubuntu, Debian, and Fedora. --------------------------------------------- https://therecord.media/new-sequoia-bug-gives-you-root-access-on-most-linux… ∗∗∗ Sicherheitsupdates: Root-Lücke bedroht FortiManager und FortiAnalyzer ∗∗∗ --------------------------------------------- https://heise.de/-6142498 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect OS Images for Red Hat Linux Systems used by IBM Cloud Pak System (Jan2021 updates) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Vulnerability in self-service console affects IBM Cloud Pak System (CVE-2021-20478) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-self-ser… ∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale could allow an authenticated user to gain elevated privileges (CVE-2020-9492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Cloud Pak System (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Vulnerabilities in Docker affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-docker… ∗∗∗ Security Bulletin: Vulnerabilities in Python affect OS Image for RedHat bundled with Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python… ∗∗∗ Security Bulletin: Watson Explorer is affected by Apache PDFBox vulnerabilities (CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-explorer-is-affect… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind affects Cloud Pak System (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in node.js and OpenSSL (CVE-2021-23840, CVE-2021-22884, CVE-2021-22883) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Vulnerabilities in CODESYS V2 runtime systems ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-670099.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2021
by Daily end-of-shift report 19 Jul '21

19 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-07-2021 18:00 − Montag 19-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Innenministerium warnt vor betrügerischen SMS ∗∗∗ --------------------------------------------- Es sind erneut Betrugs-SMS im Umlauf, wobei Menschen in Österreich immer wieder Benachrichtigungen mit Informationen zu einer verpassten Sprachnachricht erhalten. --------------------------------------------- https://www.bmi.gv.at/news.aspx?id=50783968547451414D42673D ∗∗∗ VU#131152: Microsoft Windows Print Spooler Point and Print allows installation of arbitrary queue-specific files ∗∗∗ --------------------------------------------- Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process. --------------------------------------------- https://kb.cert.org/vuls/id/131152 ∗∗∗ Betrug per Whatsapp: "Ich hab mein Handy verloren, kannst du Geld überweisen?" ∗∗∗ --------------------------------------------- Mit vorgeblichen Hilferufen von Verwandten versuchen Trickbetrüger per Whatsapp, Menschen um ihr Geld zu bringen - oft mit Erfolg, sagt die Polizei. --------------------------------------------- https://www.golem.de/news/betrug-per-whatsapp-ich-hab-mein-handy-verloren-k… ∗∗∗ That iPhone WiFi crash bug is far worse than initially thought ∗∗∗ --------------------------------------------- An innocuous iPhone bug that could crash the WiFi service has turned out to be far worse than initially thought after mobile security firm ZecOps showed on Friday how the bug could be abused for remote code execution attacks. --------------------------------------------- https://therecord.media/that-iphone-wifi-crash-bug-is-far-worse-than-initia… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-815: Cisco WebEx Network Recording Player ARF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Cisco WebEx Network Recording Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-815/ ∗∗∗ ZDI-21-876: (0Day) Advantech WebAccess/NMS DashBoardAction Missing Authentication Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-876/ ∗∗∗ ZDI-21-879: (0Day) WSO2 API Manager JMX Use of Hard-coded Credentials Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of WSO2 API Manager. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-879/ ∗∗∗ ZDI-21-877: (0Day) Autodesk Meshmixer 3MF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Meshmixer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-877/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, mbedtls, nextcloud, python-pillow, ruby, ruby2.6, ruby2.7, systemd, thunderbird, varnish, and vivaldi), Debian (thunderbird), Fedora (chromium, firefox, and linux-firmware), Gentoo (apache, commons-fileupload, dovecot, and mediawiki), openSUSE (firefox, fossil, go1.16, and icinga2), Oracle (firefox, kernel, and kernel-container), Red Hat (nettle), and SUSE (firefox and go1.16). --------------------------------------------- https://lwn.net/Articles/863453/ ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. --------------------------------------------- https://support.citrix.com/article/CTX319135 ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE results in a low confidentiality impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Handlebars.js ( CVE-2019-19919, CVE-2021-32820) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect IBM Jazz Foundation and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: IBM Security SOAR could allow a privileged user to import non-approved Python2 modules (CVE-2021-29780). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-a… ∗∗∗ Security Bulletin: A vulnerability in netty affects IBM Spectrum Scale Transparent Cloud Tier CVE-2021-21409 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Vulnerability in shell affects Power Hardware Management Console ( CVE-2021-29707). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-shell-af… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.07.2021
by Daily end-of-shift report 16 Jul '21

16 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-07-2021 18:00 − Freitag 16-07-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warten auf Patches: Neue Drucker-Lücke in Windows entdeckt ∗∗∗ --------------------------------------------- Abermals könnten Angreifer Windows über eine Drucker-Schwachstelle attackieren und Schadcode ausführen. Bislang gibt es nur einen Workaround zur Absicherung. --------------------------------------------- https://heise.de/-6140346 ∗∗∗ Vulnerabilities in Etherpad Collaboration Tool Allow Data Theft ∗∗∗ --------------------------------------------- XSS and Argument Injection Flaws Found in Popular Etherpad Collaboration Tool --------------------------------------------- https://www.securityweek.com/vulnerabilities-etherpad-collaboration-tool-al… ∗∗∗ Introduction to ICS Security Part 2 ∗∗∗ --------------------------------------------- An introduction to the Purdue Enterprise Reference Architecture (PERA), additional reference models, and best practices for secure ICS architectures. --------------------------------------------- https://www.sans.org/blog/introduction-to-ics-security-part-2?msc=rss ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Intelligent Proximity SSL Certificate Validation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints if the products meet the conditions described in the Vulnerable Products section. The vulnerability is due to a lack of validation of the SSL server certificate received when establishing a connection to a Cisco Webex video device (Version: 1.1 Description: Added fixed releases.) --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Adaptive Security Appliance Software Release 9.16.1 and Cisco Firepower Threat Defense Software Release 7.0.0 IPsec Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the software cryptography module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker or an unauthenticated attacker in a man-in-the-middle position to cause an unexpected reload of the device that results in a denial of service (DoS) condition. The vulnerability is due to a logic error in how the software cryptography module handles specific types of [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Schadcode-Lücken im Netzwerkbetriebssystem Junos OS geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten unter anderem Router und Switches von Juniper attackieren. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-6140423 ∗∗∗ WordPress-Plugin: WooCommerce schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- WordPress hat nach dem Veröffentlichen des Patches ein automatisiertes Zwangsupdate veranlasst. Trotzdem könnten noch nicht alle Shops versorgt sein. --------------------------------------------- https://heise.de/-6140221 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in D-LINK DIR-3040 ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the D-LINK DIR-3040 wireless router. The DIR-3040 is an AC3000-based wireless internet router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions, including exposing sensitive information, causing a denial of service and gaining the ability to execute arbitrary code. --------------------------------------------- https://blog.talosintelligence.com/2021/07/vuln-spotlight-d-link.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox), Debian (firefox-esr), Fedora (linuxptp), Gentoo (commons-collections), Mageia (aom, firefox, python-django, thunderbird, and tpm2-tools), openSUSE (claws-mail, kernel, nodejs10, and nodejs14), Red Hat (nettle), Scientific Linux (firefox), SUSE (firefox, kernel, nodejs10, and nodejs14), and Ubuntu (libslirp and qemu). --------------------------------------------- https://lwn.net/Articles/863180/ ∗∗∗ Ypsomed mylife ∗∗∗ --------------------------------------------- This advisory contains mitigations for Insufficiently Protected Credentials, Not Using an Unpredictable IV with CBC Mode, and Use of Hard-coded Credentials vulnerabilities in the Ypsomed mylife diabetes management platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-196-01 ∗∗∗ Icinga: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0758 ∗∗∗ [webapps] Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/50132 ∗∗∗ Security Bulletin: IBM i2 Analyze is affected by multiple DB2 vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-is-affecte… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM DB2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM uses less secure methods for securing data at rest and in transit between hosts (CVE-2020-4980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-uses-less… ∗∗∗ Security Bulletin: A vulnerability in netty affects IBM Spectrum Scale Transparent Cloud TierCVE-(2021-21295) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-… ∗∗∗ Security Bulletin: 3RD PARTY IBM InfoSphere MDM Inspector – Cross Site Request Forgery ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-3rd-party-ibm-infosphere-… ∗∗∗ Security Bulletin: IBM Data Replication Support Tool Information Collection on Sybase Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-supp… ∗∗∗ Security Bulletin: IBM Data Replication Affected by Multiple Vulnerabilities in IBM Java SDK ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: IBM Data Replication Affected by IBM Java SDK Vulnerability (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: Dojo vulnerability in WebSphere Liberty affects Collaboration and Deployment Services (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-dojo-vulnerability-in-web… ∗∗∗ Security Bulletin: IBM Data Replication Affected by Multiple Vulnerabilities in IBM Java SDK ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: IBM Data Replication Affected by Vulnerabilities in IBM Java SDK (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe… ∗∗∗ Security Bulletin: IBM Data Replication Management Console Authentication Affected by Annonymous Binding (CVE-2020-4821) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-mana… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2021
by Daily end-of-shift report 15 Jul '21

15 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-07-2021 18:00 − Donnerstag 15-07-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IT-Sicherheit: Immer mehr Zero-Day-Exploits bei Angriffen entdeckt ∗∗∗ --------------------------------------------- Sicherheitsforscher verzeichnen immer mehr Angriffe, für die zuvor unbekannte Sicherheitslücken ausgenutzt werden. Das müsse jedoch kein schlechtes Zeichen sein, sagen die Forscher. --------------------------------------------- https://www.golem.de/news/it-sicherheit-immer-mehr-zero-day-exploits-bei-an… ∗∗∗ Attacken auf nicht mehr unterstützte Fernzugriff-Produkte von Sonicwall ∗∗∗ --------------------------------------------- Angreifer attackieren derzeit nicht mehr im Support befindliche Sonicwall Secure Mobile Access und Secure Remote Access mit Ransomware. --------------------------------------------- https://heise.de/-6139330 ∗∗∗ Grüner Pass – worauf Sie achten müssen! ∗∗∗ --------------------------------------------- Seit Kurzem kann man mit dem "Grünen Pass" digital nachweisen, dass man geimpft, getestet oder genesen ist. Aber was ist der "Grüne Pass" und wie kann dieser genutzt werden? Der "Grüne Pass" kann in unterschiedlichen Formen genutzt werden: ausgedruckt, via App, als Foto etc. Wir zeigen Ihnen, wie Sie zu diesem kommen und worauf Sie achten sollten. --------------------------------------------- https://www.watchlist-internet.at/news/gruener-pass-worauf-sie-achten-muess… ∗∗∗ Ransomware: Interpol warnt vor exponentiellen Wachstum ∗∗∗ --------------------------------------------- Cyberkriminelle agieren laut Interpol über Grenzen hinweg und bleiben dabei meist ungestraft. Die Polizeibehörde befürchtet ohne eine Zusammenarbeit zwischen Ermittlern und Privatwirtschaft eine "Ransomware-Pandemie". --------------------------------------------- https://www.zdnet.de/88395786/ransomware-interpol-warnt-vor-exponentiellen-… ∗∗∗ BazarBackdoor sneaks in through nested RAR and ZIP archives ∗∗∗ --------------------------------------------- Security researchers caught a new phishing campaign that tried to deliver the BazarBackdoor malware by using the multi-compression technique and masking it as an image file. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-thro… ∗∗∗ Linux version of HelloKitty ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The ransomware gang behind the highly publicized attack on CD Projekt Red uses a Linux variant that targets VMwares ESXi virtual machine platform for maximum damage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-… ∗∗∗ USPS Phishing Using Telegram to Collect Data, (Tue, Jul 13th) ∗∗∗ --------------------------------------------- Phishing... at least they don't understand security any better than most kids. The latest example is a simple USPS phish. The lure is an email claiming that a package can not be delivered until I care to update my address. Urgency... and obvious action. They learned something in their phishing 101 class. --------------------------------------------- https://isc.sans.edu/diary/rss/27630 ∗∗∗ An Overview of Basic WordPress Hardening ∗∗∗ --------------------------------------------- We have discussed in the past how out-of-the-box security configurations tend to not be very secure. This is usually true for all software and WordPress is no exception. While there are a plethora of different ways that site owners can lock down their website, in this post we are going to review the most basic hardening mechanisms that WordPress website owners can employ to improve their security. We will also review the pros and cons of these different tactics. --------------------------------------------- https://blog.sucuri.net/2021/07/basic-wordpress-hardening.html ∗∗∗ macOS: Bashed Apples of Shlayer and Bundlore ∗∗∗ --------------------------------------------- The Uptycs threat research team has been observing over 90% of macOS malware in our daily analysis and customer telemetry alerts using shell scripts. Though these scripts have slight variations, they mostly belong to a plague of adware strains—Shlayer and Bundlore. These malware are the most predominant malware in macOS, also with a history of evading and bypassing the built-in Xprotect, Gatekeeper, Notarization and File Quarantine security features of macOS. --------------------------------------------- https://www.uptycs.com/blog/macos-bashed-apples-of-shlayer-and-bundlore ∗∗∗ Gasket and MagicSocks Tools Install Mespinoza Ransomware ∗∗∗ --------------------------------------------- As cyber extortion flourishes, ransomware gangs are constantly changing tactics and business models to increase the chances that victims will pay increasingly large ransoms. As these criminal organizations become more sophisticated, they are increasingly taking on the appearance of professional enterprises. --------------------------------------------- https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mes… ∗∗∗ CISA Insights: Guidance for MSPs and Small- and Mid-sized Businesses ∗∗∗ --------------------------------------------- Original release date: July 14, 2021CISA has released CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses, which provides mitigation and hardening guidance to help these organizations strengthen their defenses against cyberattacks. Many small- and mid-sized businesses use MSPs to manage IT systems, store data, or support sensitive processes, making MSPs valuable targets for malicious cyber actors. Compromises of MSPs—such as with the recent [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/14/cisa-insights-gui… ===================== = Vulnerabilities = ===================== ∗∗∗ SA44846 - OpenSSL Security Advisory CVE-2021-23841 ∗∗∗ --------------------------------------------- On February 16 2021, the OpenSSL project announced a new security advisory. These issues may affect Pulse Secure product. [...] Pulse Secure is currently evaluating the following issues reported by OpenSSL: As the investigation continues, we recommend subscribing to this advisory as it will be periodically updated to reflect the current status. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846 ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- Juniper hat am 14.7.2021 32 Security Advisories mit folgenden Severity Levels veröffentlicht: 12x Medium, 15x High, 5x Critical --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS… ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Advantech R-SeeNet monitoring software. R-SeeNet is the software system used for monitoring Advantech routers. [...] Talos is disclosing these vulnerabilities despite no official update from Advantech inside the 90-day deadline, as outlined in Cisco’s vulnerability disclosure policy. --------------------------------------------- https://blog.talosintelligence.com/2021/07/vuln-spotlight-r-see-net.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and php7.0), Fedora (firefox, mingw-djvulibre, and seamonkey), Gentoo (fluidsynth, openscad, and urllib3), openSUSE (ffmpeg, nodejs12, and sqlite3), Red Hat (firefox), and SUSE (ffmpeg, kernel, nodejs10, nodejs12, nodejs14, and sqlite3). --------------------------------------------- https://lwn.net/Articles/863001/ ∗∗∗ Lenovo Working on Patches for BIOS Vulnerabilities Affecting Many Laptops ∗∗∗ --------------------------------------------- Lenovo this week published information on three vulnerabilities that impact the BIOS of two of its desktop products and approximately 60 laptop and notebook models. --------------------------------------------- https://www.securityweek.com/lenovo-working-patches-bios-vulnerabilities-af… ∗∗∗ Kubernetes: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0751 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® WebSphere Application Server Liberty affect IBM LKS Administration and Reporting Tool and its Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by vulnerability in Java SE (CVE-2020-14579)( CVE-2020-14578)(CVE-2020-14577) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Compare and Comply for IBM Cloud Pak for Data affected by vulnerability in Apache PDFBox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-compare-and-co… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Apache Commons ( CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Eclipse Jetty ( CVE-2021-28163, CVE-2021-28165, CVE-2020-27223) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a specially-crafted sequence of serialized objects(CVE-2020-4576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2021
by Daily end-of-shift report 14 Jul '21

14 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-07-2021 18:00 − Mittwoch 14-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Updated Joker Malware Floods into Android Apps ∗∗∗ --------------------------------------------- The Joker premium billing-fraud malware is back on Google Play in a fresh onslaught, with an updated bag of tricks to evade scanners. --------------------------------------------- https://threatpost.com/updated-joker-malware-android-apps/167776/ ∗∗∗ Cybercrime-Bande REvil von der Bildfläche verschwunden ∗∗∗ --------------------------------------------- Die Kriminellen erpressten über 1000 Firmen, deren Daten sie mit dem Kaseya-Lieferketten-Angriff verschlüsselten. Jetzt sind ihre Server nicht mehr erreichbar. --------------------------------------------- https://heise.de/-6137119 ∗∗∗ Identitätsdiebstahl statt Darlehen: Schließen Sie keinen Kredit auf 1superkredit.com und kredit-united.com ab! ∗∗∗ --------------------------------------------- Sind Sie auf der Suche nach einem Kredit? Dann stoßen Sie womöglich auf die Webseiten 1superkredit.com oder kredit-united.com. Zwei Webseiten, die einiges gemeinsam haben: Die Webseiten sehen sehr ähnlich aus, bewerben Kredite zu günstigen Bedingungen und hinter beiden Seiten stecken BetrügerInnen. --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-statt-darlehen-… ∗∗∗ CISA Releases Analysis of FY20 Risk and Vulnerability Assessments ∗∗∗ --------------------------------------------- CISA has released an analysis and infographic detailing the findings from the Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year (FY) 2020 across multiple sectors. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/08/cisa-releases-ana… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall warns of critical ransomware risk to SMA 100 VPN appliances ∗∗∗ --------------------------------------------- SonicWall has issued an "urgent security notice" warning customers of ransomware attacks targeting unpatched end-of-life (EoL) Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-… ∗∗∗ Authentication bypass & Remote code Execution bei Schneider Electric EVlink Ladestationen ∗∗∗ --------------------------------------------- Schneider Electric Ladestationen für E-Autos der "EVlink" Serie sind von zwei Schwachstellen betroffen die es einem Angreifer ermöglichen das System zu übernehmen und dort beliebige Befehle auszuführen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authentication-bypass… ∗∗∗ Microsoft-Patchday: Angreifer nutzen vier Sicherheitslücken in Windows aus ∗∗∗ --------------------------------------------- Microsoft schließt unter anderem kritische Schadcode-Lücken in der Schutzlösung Windows Defender. Neben aktiven Angriffen könnten weitere Attacken bevorstehen. --------------------------------------------- https://heise.de/-6137050 ∗∗∗ Patchday: Adobe schließt kritische Lücken in Bridge, Illustrator & Co. ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Adobe-Anwendungen. Angreifer könnten Schadcode ausführen. --------------------------------------------- https://heise.de/-6137110 ∗∗∗ Patchday SAP: Angreifer könnten unberechtigt auf NetWeaver zugreifen ∗∗∗ --------------------------------------------- Der Softwarehersteller SAP schließt mehrere Sicherheitslücken in seinem Portfolio. --------------------------------------------- https://heise.de/-6137467 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (xstream), Debian (linuxptp), Fedora (glibc and krb5), Gentoo (pillow and thrift), Mageia (ffmpeg and libsolv), openSUSE (kernel and qemu), SUSE (kernel), and Ubuntu (php5, php7.0). --------------------------------------------- https://lwn.net/Articles/862855/ ∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address 100 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric on Tuesday released a total of two dozen advisories covering roughly 100 vulnerabilities affecting their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-… ∗∗∗ Security Advisory - Logic Error Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-… ∗∗∗ Security Bulletin: Unrestricted document type definition vulnerability affects IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-unrestricted-document-typ… ∗∗∗ Security Bulletin: A security vulnerability was fixed in IBM Security Access Manager and IBM Security Verify Access Docker containers ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Security vulnerabilities have been fixed in the IBM Security Verify Access Docker container ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache PDFBox Vulnerabilities Affect IBM Control Center (CVE-2021-31811, CVE-2021-31812) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-pdfbox-vulnerabili… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ VMSA-2021-0015 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0015.html ∗∗∗ Schneider Electric C-Bus Toolkit ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-194-01 ∗∗∗ Schneider Electric SCADApack RTU, Modicon Controllers, and Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-194-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2021
by Daily end-of-shift report 13 Jul '21

13 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 12-07-2021 18:00 − Dienstag 13-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trickbot Activity Increases; new VNC Module On the Radar ∗∗∗ --------------------------------------------- Despite the takedown attempt, Trickbot is more active than ever. In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets. --------------------------------------------- https://www.bitdefender.com/blog/labs/trickbot-activity-increases-new-vnc-m… ∗∗∗ Buchen Sie Ihre Unterkunft nicht auf fewolio.de ∗∗∗ --------------------------------------------- fewolio.de ist eine unseriöse Buchungsplattform für luxuriöse Ferienhäuser in Deutschland. Die betrügerische Plattform sticht vor allem durch ihre günstigen Preise und kurzfristigen Verfügbarkeiten hervor. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-auf… ===================== = Vulnerabilities = ===================== ∗∗∗ IT-Sicherheit: Neue Sicherheitslücke bei Solarwinds ∗∗∗ --------------------------------------------- Bei einer Dateiaustausch-Software von Solarwinds gab es Probleme. Ein Angreifer hat die Sicherheitslücke offenbar aktiv ausgenutzt. --------------------------------------------- https://www.golem.de/news/it-sicherheit-neue-sicherheitsluecke-bei-solarwin… ∗∗∗ ModiPwn ∗∗∗ --------------------------------------------- Armis researchers discover a critical vulnerability in Schneider Electric Modicon PLCs. The vulnerability can allow attackers to bypass authentication mechanisms which can lead to native remote-code-execution on vulnerable PLCs. --------------------------------------------- https://www.armis.com/research/modipwn/ ∗∗∗ Siemens Security Advisories 2021-07-13 ∗∗∗ --------------------------------------------- Siemens hat 18 neue und 5 aktualisierte Security Advisories veröffentlicht. (CVSS Scores von 5.3 bis 9.8) --------------------------------------------- https://new.siemens.com/de/de/produkte/services/cert.html ∗∗∗ Citrix Virtual Apps and Desktops Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM. --------------------------------------------- https://support.citrix.com/article/CTX319750 ∗∗∗ Examining Crypto and Bypassing Authentication in Schneider Electric PLCs (M340/M580) ∗∗∗ --------------------------------------------- What you see in the picture above is similar to what you might see at a factory, plant, or inside a machine. At the core of it is Schneider Electric’s Modicon M340 programmable logic controller (PLC). --------------------------------------------- https://medium.com/tenable-techblog/examining-crypto-and-bypassing-authenti… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sogo), Fedora (libvirt), Gentoo (polkit), Mageia (binutils, freeradius, guile1.8, kernel, kernel-linus, libgrss, mediawiki, mosquitto, php-phpmailer, and webmin), openSUSE (bluez and jdom2), Oracle (kernel and xstream), Scientific Linux (xstream), and SUSE (kernel and python-pip). --------------------------------------------- https://lwn.net/Articles/862767/ ∗∗∗ Recently Patched ForgeRock AM Vulnerability Exploited in Attacks ∗∗∗ --------------------------------------------- Government agencies in the United States and Australia warn organizations that a recently patched vulnerability affecting ForgeRock Access Management has been exploited in the wild. --------------------------------------------- https://www.securityweek.com/recently-patched-forgerock-am-vulnerability-ex… ∗∗∗ ZDI-21-786: Trend Micro Apex One Incorrect Permission Assignment Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-786/ ∗∗∗ ZDI-21-789: (0Day) GoPro Player MOV File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-789/ ∗∗∗ ZDI-21-788: (0Day) GoPro Player MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-788/ ∗∗∗ ZDI-21-787: (0Day) GoPro Player MOV File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-787/ ∗∗∗ SAP Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0734 ∗∗∗ Security Bulletin: A vulnerability was found in Oniguruma 6.9.2 that would result in a NULL Pointer Dereference, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-found… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 where insecure http communications is used ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-out-of-bounds-read-vul… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 where an error message may disclose implementation details ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Applications v4.3 does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applica… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack due to target blank set in HTML anchor tags ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 which may allow a malicious attacker to obtain sensitive user information from memory ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerabilty has been found in x/test pacakge before 0.3.3 for Go that could lead to an infinite loop, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilty-has-been-f… ∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes the possibility of a cross-site scripting attack. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ VMSA-2021-0014 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0014.html ∗∗∗ glibc vulnerability CVE-2020-27618 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08641512 ∗∗∗ Apache Cassandra vulnerability CVE-2020-13946 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36212405 ∗∗∗ Apache Tomcat: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0733 ∗∗∗ Icinga: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0732 ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/adobe-releases-se… ∗∗∗ Security Advisories SYSS-2021-022, SYSS-2021-023, SYSS-2021-025 und SYSS-2021-026 zu P&I-Software LOGA3 ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/security-advisories-syss-2021-022-syss-202… ∗∗∗ SYSS-2021-020, SYSS-2021-021, SYSS-2021-027: Mehrere Schwachstellen in Element-IT HTTP Commander ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-020-syss-2021-021-syss-2021-027-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2021
by Daily end-of-shift report 12 Jul '21

12 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-07-2021 18:00 − Montag 12-07-2021 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Conti Unpacked | Understanding Ransomware Development As a Response to Detection ∗∗∗ --------------------------------------------- Not yet two years old and already in its seventh iteration, Ransomware as a Service variant Conti has proven to be an agile and adept malware threat, capable of both autonomous and guided operation and with unparalleled encryption speed. [...] In this report, we describe in unprecedented detail the rapid evolution of this ransomware and how it has adapted quickly to defenders’ attempts to detect and analyze it. --------------------------------------------- https://labs.sentinelone.com/conti-unpacked-understanding-ransomware-develo… ∗∗∗ Ransomware tracker: the latest figures ∗∗∗ --------------------------------------------- Ransomware attacks have been dominating the headlines, thanks to high-profile incidents against organizations including Colonial Pipeline, JBS, and Kaseya. But an analysis of attacks against certain sectors shows that not all industries are impacted to the same degree... --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures/ ===================== = Vulnerabilities = ===================== ∗∗∗ Serv-U Remote Memory Escape Vulnerability CVE-2021-35211 ∗∗∗ --------------------------------------------- UPDATE July 10, 2021: NOTE: This security vulnerability only affects Serv-U Managed File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. SolarWinds was recently notified by Microsoft of a security vulnerability related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211 ∗∗∗ Jetzt patchen! Sicherheitspatch schließt REvil-Lücke in Kaseya VSA ∗∗∗ --------------------------------------------- Admins sollten die IT-Management-Software VSA von Kaseya zügig aktualisieren. Angreifer nutzen derzeit mehrere Sicherheitslücken aus. --------------------------------------------- https://heise.de/-6134473 ∗∗∗ SECURITY BULLETIN: Trend Micro Worry-Free Business Security Incorrect Permission Assignment Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- Trend Micro has released new patches for Trend Micro Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services that resolve an incorrect permission assignment denial-of-service vulnerability. --------------------------------------------- https://success.trendmicro.com/solution/000286856 ∗∗∗ Security updates for Saturday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (gitlab, nodejs, openexr, php, php7, rabbitmq, ruby-addressable, and spice), Fedora (suricata), Gentoo (binutils, docker, runc, and tor), Mageia (avahi, botan2, connman, gstreamer1.0-plugins, htmldoc, jhead, libcroco, libebml, libosinfo, openexr, php, php-smarty, pjproject, and python), openSUSE (apache2, bind, bouncycastle, ceph, containerd, docker, runc, cryptctl, curl, dovecot23, firefox, graphviz, gstreamer-plugins-bad, java-1_8_0-openj9, java-1_8_0-openjdk, libass, libjpeg-turbo, libopenmpt, libqt5-qtwebengine, libu2f-host, libwebp, libX11, lua53, lz4, nginx, ovmf, postgresql10, postgresql12, python-urllib3, qemu, roundcubemail, solo, thunderbird, ucode-intel, wireshark, and xterm), and SUSE (permissions). --------------------------------------------- https://lwn.net/Articles/862487/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (djvulibre), Gentoo (connman, gnuchess, openexr, and xen), openSUSE (arpwatch, avahi, dbus-1, dhcp, djvulibre, freeradius-server, fribidi, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, gupnp, hivex, icinga2, jdom2, jetty-minimal, kernel, kubevirt, libgcrypt, libnettle, libxml2, openexr, openscad, pam_radius, polkit, postgresql13, python-httplib2, python-py, python-rsa, qemu, redis, rubygem-actionpack-5_1, salt, snakeyaml, squid, tpm2.0-tools, and xstream), Red Hat (xstream), and SUSE (bluez, csync2, dbus-1, jdom2, postgresql13, redis, slurm_20_11, and xstream). --------------------------------------------- https://lwn.net/Articles/862673/ ∗∗∗ Security Bulletin: Vulnerability in IBM Guardium Data Encryption (GDE) (CVE-2021-20414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-guar… ∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by a cross-site request forgery vulnerability (CVE-2020-4938) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Apache CXF Vulnerability Affects IBM Global Mailbox (CVE-2021-22696) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2020-27618) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Event Streams documentation for generating .p12 files incorrectly adds the CA key into the file (CVE-2021-29792) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-event-streams-documentati… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Tivoli Netcool/OMNIbus WebGUI (CVE-2021-29803, CVE-2021-29804, CVE-2021-29805, CVE-2021-29822) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by Mozilla Network Security Services (NSS) vulnerability (CVE-2020-25648) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple AngularJS vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Critical ForgeRock Access Management Vulnerability ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgeroc… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.07.2021
by Daily end-of-shift report 09 Jul '21

09 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-07-2021 18:00 − Freitag 09-07-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kaseya warns of phishing campaign pushing fake security updates ∗∗∗ --------------------------------------------- Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kaseya-warns-of-phishing-cam… ∗∗∗ Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability ∗∗∗ --------------------------------------------- On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability. Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations. --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/07/08/clarified-guidance-for-cve-2… ∗∗∗ Hancitor tries XLL as initial malware file, (Fri, Jul 9th) ∗∗∗ --------------------------------------------- On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive a XLL file instead of a malicious Word doc. I tried one of the email links in my lab and received the malicious XLL file. After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead. --------------------------------------------- https://isc.sans.edu/diary/rss/27618 ∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht Cisco Business Process Automation ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für verschiedene Produkte Patches veröffentlicht, die mehrere Sicherheitslücken schließen. --------------------------------------------- https://heise.de/-6133522 ∗∗∗ ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks ∗∗∗ --------------------------------------------- The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports. --------------------------------------------- https://www.securityweek.com/zloader-adopts-new-macro-related-delivery-tech… ∗∗∗ CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict ∗∗∗ --------------------------------------------- In May of 2021, Microsoft released a patch to correct CVE-2021-28474, a remote code execution bug in supported versions of Microsoft SharePoint Server. This bug was reported to ZDI by an anonymous researcher and is also known as ZDI-21-574. This blog takes a deeper look at the root cause of this vulnerability. --------------------------------------------- https://www.thezdi.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-… ∗∗∗ Ransomwhere project wants to create a database of past ransomware payments ∗∗∗ --------------------------------------------- A new website launched this week wants to create a crowdfunded, free, and open database of past ransomware payments in the hopes of expanding visibility into the broader picture of the ransomware ecosystem. --------------------------------------------- https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and scilab), Fedora (chromium and perl-Mojolicious), Gentoo (inspircd, redis, and wireshark), and Mageia (fluidsynth, glib2.0, gnome-shell, grub2, gupnp, hivex, libupnp, redis, and zstd). --------------------------------------------- https://lwn.net/Articles/862299/ ∗∗∗ Rockwell Automation MicroLogix 1100 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Rockwell Automation MicroLogix 1100. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-189-01 ∗∗∗ MDT AutoSave ∗∗∗ --------------------------------------------- This advisory contains mitigations for Inadequate Encryption Strength, SQL Injection, Relative Path Traversal, Command Injection, Uncontrolled Search Path Element, Generation of Error Message Containing Sensitive Information, and Unrestricted Upload of File with Dangerous Type in MDT Software in MDT Autosave Products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-189-02 ∗∗∗ Vulnerabilities in CODESYS V2 runtime systems ∗∗∗ --------------------------------------------- BOSCH-SA-475180: The control systems SYNAX, Visual Motion, IndraLogic, IndraMotion MTX, IndraMotion MLC and IndraMotion MLD contain PLC technology from CODESYS GmbH. The manufacturer CODESYS GmbH published a security bulletin (1) about a weakness in the protocol for the communication between the PLC runtime and clients. By exploiting the vulnerability, attackers can send crafted communication packets which may result in a denial of service condition or allow in worst case remote code execution. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-475180.html ∗∗∗ voidtools "Everything" vulnerable to HTTP header injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN68971465/ ∗∗∗ Apache Pulsar vulnerability CVE-2021-22160 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68146245 ∗∗∗ Apache vulnerability CVE-2021-30641 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13815051 ∗∗∗ Advisory: Denial of service vulnerability on Automation Runtime webserver ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16254055… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to a denial of service vulnerability in Angular.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-11868, CVE-2020-13817) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Solr ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Analyzer is vulnerable to cross-site scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.07.2021
by Daily end-of-shift report 08 Jul '21

08 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-07-2021 18:00 − Donnerstag 08-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ iCloud-Problem erlaubte Password-Brute-Force – Apple streitet mit Entdecker ∗∗∗ --------------------------------------------- Einem Sicherheitsexperten gelang es, über eine Race Condition und zahlreiche IPs bestimmte Apple-IDs zurückzusetzen. Angeblich waren auch iPhone-PINs bedroht. --------------------------------------------- https://heise.de/-6120219 ∗∗∗ Vorsicht vor betrügerischen und unseriösen Apps! ∗∗∗ --------------------------------------------- Für das Smartphone gibt es zahlreiche Apps, die den Alltag erleichtern. Es gibt aber auch Apps, die das Leben erschweren können: Unseriöse Anwendungen entpuppen sich oftmals als teure Abo-Fallen oder als Datenkraken. Auch Apps, die die Geräte der NutzerInnen mit Schadsoftware infizieren, sind eine beliebte Masche von Cyberkriminellen. Wir zeigen Ihnen, wie Sie sich davor schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-und-uns… ∗∗∗ Kubernetes gefährdet ∗∗∗ --------------------------------------------- Kubernetes Container und Cluster werden immer beliebter, geraten dadurch aber auch ins Visier von Hackern. Palo Alto Networks und Red Hat erläutern das unterschätzte Sicherheitsrisiko und wie Kubernetes-Instanzen zu Gefahrenherden werden. --------------------------------------------- https://www.zdnet.de/88395662/kubernetes-gefaehrdet/ ∗∗∗ Using Sudo with Python For More Security Controls, (Thu, Jul 8th) ∗∗∗ --------------------------------------------- I'm a big fan of the Sudo[1] command. This tool, available on every UNIX flavor, allows system administrators to provide access to certain users/groups to certain commands as root or another user. This is performed with a lot of granularity in the access rights and logging/reporting features. I'm using it for many years and I'm still learning great stuff about it. Yesterday, at the Pass-The-Salt[2] conference, Peter Czanik presented a great feature of Sudo (available since version 1.9): the ability to extend features using Python modules! --------------------------------------------- https://isc.sans.edu/diary/rss/27614 ∗∗∗ Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails ∗∗∗ --------------------------------------------- On, July 2nd, a massive ransomware attack was launched against roughly 50 managed services providers (MSPs) by criminals associated with the REvil ransomware-as-a-service (RaaS) group. The attack leveraged the on-premises servers deployed by IT Management Software vendor Kaseya. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deep… ∗∗∗ Magecart Swiper Uses Unorthodox Concatenation ∗∗∗ --------------------------------------------- MageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites with the goal of stealing credit card numbers and selling them on the black market. They remain an ever-growing threat to website owners. We’ve said many times on this blog that the attackers are constantly using new techniques to evade detection. In this post I will go over a case involving one such MageCart group. --------------------------------------------- https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenati… ∗∗∗ Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say ∗∗∗ --------------------------------------------- I pity the spool / Updated / Any celebrations that Microsofts out-of-band patch had put a stop PrintNightmare shenanigans may have been premature. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/07/07/printnightma… ∗∗∗ Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software ∗∗∗ --------------------------------------------- Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseyas customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago. --------------------------------------------- https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-… ∗∗∗ 3 things the Kaseya attack can teach us about ransomware recovery ∗∗∗ --------------------------------------------- Some lessons on dealing with ransomware recovery, thanks to the admirable transparency of a Dutch MSP impacted by the REvil attack on Kaseya. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2021/07/3-things-the-kaseya-attack… ∗∗∗ Non-Malicious Android Crypto Mining Apps Scam Users at Scale ∗∗∗ --------------------------------------------- With no bad behavior, the mobile apps are difficult to detect by automated security scans --------------------------------------------- https://www.securityweek.com/non-malicious-android-crypto-mining-apps-scam-… ∗∗∗ Ransomware as a service: Negotiators are now in high demand ∗∗∗ --------------------------------------------- RaaS groups are hiring negotiators whose primary role is to force victims to pay up. --------------------------------------------- https://www.zdnet.com/article/ransomware-as-a-service-negotiators-between-h… ∗∗∗ Global Phishing Campaign Targets Energy Sector and its Suppliers ∗∗∗ --------------------------------------------- Our research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries. The attack also targets oil & gas suppliers, possibly indicating that this is only the first stage in a wider campaign. --------------------------------------------- https://www.intezer.com/blog/research/global-phishing-campaign-targets-ener… ===================== = Vulnerabilities = ===================== ∗∗∗ Android Patchday Juli ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Google Android ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen, seine Privilegien zu erhöhen oder Informationen offenzulegen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0725 ∗∗∗ Angreifer können Sicherheitslücken in Ressourcenplanungstool Sage X3 kombinieren ∗∗∗ --------------------------------------------- Systeme mit Sage X3 sind unter anderem über eine kritische Schwachstelle mit Höchstwertung attackierbar. --------------------------------------------- https://heise.de/-6132418 ∗∗∗ Vulnerability Spotlight: Information disclosure, privilege escalation vulnerabilities in IOBit Advanced SystemCare Ultimate ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in IOBit Advanced SystemCare Ultimate. IOBit Advanced SystemCare Ultimate is a system optimizer that promises to remove unwanted files and [...] --------------------------------------------- https://blog.talosintelligence.com/2021/07/vuln-spotlight-iobit0-.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (linuxptp), Fedora (kernel and php), Gentoo (bladeenc, blktrace, jinja, mechanize, privoxy, and rclone), Oracle (linuxptp, ruby:2.6, and ruby:2.7), Red Hat (kernel and kpatch-patch), SUSE (kubevirt), and Ubuntu (avahi). --------------------------------------------- https://lwn.net/Articles/862163/ ∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/08/cisco-releases-se… ∗∗∗ Kaseya VSA Limited Disclosure ∗∗∗ --------------------------------------------- Why we are only disclosing limited details on the Kaseya vulnerabilities / Last weekend we found ourselves in the middle of a storm. A storm created by the ransomware attacks executed via Kaseya VSA, using a vulnerability which we confidentially disclosed to Kaseya, together with six other vulnerabilities.Ever since we released the news that we indeed notified Kaseya of a vulnerability used in the ransomware attack, we have been getting requests to release details about these vulnerabilities and [...] --------------------------------------------- https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ ∗∗∗ Security Bulletin: CVE-2021-28165 In Eclipse Jetty CPU usage can reach 100% upon receiving a large invalid TLS frame. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-28165-in-eclipse… ∗∗∗ Security Bulletin: CVE-2021-27568 An issue was discovered in netplex json-smart-v1, an exception is thrown from a function ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-27568-an-issue-w… ∗∗∗ Security Bulletin: CVE-2021-29711 Agent Upgrade through CLI requires inconsistent permission. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-29711-agent-upgr… ∗∗∗ Security Bulletin: A vulnerability in WebSphere Application Server Liberty affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-websph… ∗∗∗ Security Bulletin: CVE-2020-27223 when Jetty handles a request containing multiple Accept headers the server may enter a denial of service (DoS) state ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-27223-when-jetty… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2021
by Daily end-of-shift report 07 Jul '21

07 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-07-2021 18:00 − Mittwoch 07-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ WildPressure targets the macOS platform ∗∗∗ --------------------------------------------- We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS. --------------------------------------------- https://securelist.com/wildpressure-targets-macos/103072/ ∗∗∗ Why I Love (Breaking Into) Your Security Appliances ∗∗∗ --------------------------------------------- David "moose" Wolpoff, CTO at Randori, discusses security appliances and VPNs and how attackers only have to "pick one lock" to invade an enterprise through them. --------------------------------------------- https://threatpost.com/breaking-into-security-appliances/167584/ ∗∗∗ Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform ∗∗∗ --------------------------------------------- An analysis of off-the-shelf packages hosted on the NuGet repository has revealed 51 unique software components to be vulnerable to actively exploited, high-severity vulnerabilities, once again underscoring the threat posed by third-party dependencies to the software development process. --------------------------------------------- https://thehackernews.com/2021/07/dozens-of-vulnerable-nuget-packages.html ∗∗∗ Fake-Shops für Fahrräder und E-Bikes haben Saison! ∗∗∗ --------------------------------------------- Auf bike-heller.de und mister24bike.de wird ein riesiges Sortiment an Fahrrädern und E-Bikes lagernd und sofort lieferbar angeboten. Allein das sollte stutzig machen, da viele seriöse Händler mitten in der Saison schon ausverkauft sind. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-fuer-fahrraeder-und-e-bik… ∗∗∗ Understanding REvil: The Ransomware Gang Behind the Kaseya Attack ∗∗∗ --------------------------------------------- Ransomware cases worked by Unit 42 consultants in the first six months of 2021 reveal insights into the preferred tactics of REvil threat actors. --------------------------------------------- https://unit42.paloaltonetworks.com/revil-threat-actors/ ∗∗∗ Update - Kaseya VSA Ransomwarevorfall: Sicht auf Österreich ∗∗∗ --------------------------------------------- In Folge dieses Vorfalls ist nun auch eine Spam-Kampagne, welche Schadsoftware (Cobalt Strike) im Anhang ausliefert und vorgibt, ein legitimes Update für Kaseya VSA zu sein, in Erscheinung getreten. --------------------------------------------- https://cert.at/de/aktuelles/2021/7/kaseya-vsa-ransomwarevorfall ∗∗∗ How to Tighten IoT Security for Healthcare Organization ∗∗∗ --------------------------------------------- This post will first explore some of the ways IoT is revolutionizing medical care, then identify some of the potential problems posed by connected devices in a medical setting. --------------------------------------------- https://blog.checkpoint.com/2021/06/21/how-to-tighten-iot-security-for-heal… ===================== = Vulnerabilities = ===================== ∗∗∗ Printnightmare: Erste Patches für Windows-Sicherheitslücke ∗∗∗ --------------------------------------------- Durch ein Problem mit dem Windows-Druck-Spooler können Angreifer Code aus der Ferne ausführen. Erste Patches stehen bereit, aber noch nicht für alles. (Windows, Drucker) --------------------------------------------- https://www.golem.de/news/printnightmare-erste-patches-fuer-windows-sicherh… ∗∗∗ Kasperskys Passwort-Manager gefährdete Benutzer mit ratbaren Passwörtern ∗∗∗ --------------------------------------------- Wegen einer gründlich verpatzten Umsetzung ließen sich die vom Kaspersky Passwort-Manager vorgeschlagenen, scheinbar zufälligen Passwörter einfach erraten. --------------------------------------------- https://heise.de/-6130796 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (glibc), Gentoo (doas, firefox, glib, schismtracker, and tpm2-tss), Mageia (httpcomponents-client), openSUSE (virtualbox), Red Hat (linuxptp), Scientific Linux (linuxptp), and Ubuntu (libuv1 and php7.2, php7.4). --------------------------------------------- https://lwn.net/Articles/862044/ ∗∗∗ This serious Wi-Fi bug can break your iPhone, but heres how to protect yourself ∗∗∗ --------------------------------------------- Walking past a Wi-Fi hotspot with a specific name can cause big problems for your iPhone. And the scary thing is that its easy to do. --------------------------------------------- https://www.zdnet.com/article/serious-wi-fi-bug-can-break-your-iphone-but-h… ∗∗∗ Security Advisory - Bluetooth Function Denial of Service Vulnerability in Some Huawei Smartphone Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210707-… ∗∗∗ Security Bulletin: Netty Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2021-21409) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netty-vulnerability-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache JSON Small and Fast Parser (json-smart) and Underscore affect IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could allow a privileged user to obtain sensitive information from internal log files (CVE-2021-29759) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by a ReDoS flaw when processing URLs (CVE-2021-33502) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Castor Vulnerability Affects IBM Control Center (CVE-2014-3004) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-castor-vulnerability-affe… ∗∗∗ Security Bulletin: Golang Go Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2020-29652) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-golang-go-vulnerability-a… ∗∗∗ Security Bulletin: Vulnerabilities in the Python, Python cryptography , and Urllib3 affect IBM Spectrum Discover. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-py… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to underscore vulnerability (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Control Center (CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Philips Vue PACS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01 ∗∗∗ Moxa NPort IAW5000A-I/O Series Serial Device Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-187-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2021
by Daily end-of-shift report 06 Jul '21

06 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 05-07-2021 18:00 − Dienstag 06-07-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ How to protect your site against lethal unauthorized code injections ∗∗∗ --------------------------------------------- Lethal unauthorized code injections like XXS (cross site scripting) attacks are some of the most dynamic cyber-attacks. They are often very difficult to detect and can result in credit card theft, fraud, and endpoint data breaches, having a huge impact on small to medium sized businesses. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/how-to-protect-your… ∗∗∗ Python DLL Injection Check, (Tue, Jul 6th) ∗∗∗ --------------------------------------------- They are many security tools that inject DLL into processes running on a Windows system. The classic examples are anti-virus products. --------------------------------------------- https://isc.sans.edu/diary/rss/27608 ∗∗∗ Kaseya VSA: Wie die Lieferketten-Angriffe abliefen und was sie für uns bedeuten ∗∗∗ --------------------------------------------- Auch wer nicht davon betroffen ist, sollte sich klarmachen, was da gerade geschieht. Denn Angriffe wie der aktuelle REvil-Coup werden die IT-Welt verändern. --------------------------------------------- https://heise.de/-6129656 ∗∗∗ Kaseya Case Update 3 ∗∗∗ --------------------------------------------- Since the first signs of an incident last Friday evening the DIVD has continued to monitor the internet for instances of Kaseya VSA that remained online. We are happy to report a steady decrease in the number of online servers. --------------------------------------------- https://csirt.divd.nl/2021/07/06/Kaseya-Case-Update-3/ ===================== = Vulnerabilities = ===================== ∗∗∗ Authentified RFI to RCE Nagios/NagiosXI exploitation ∗∗∗ --------------------------------------------- An authenticated attacker may remotely inject and execute arbitrary code in Nagios and Nagios XI products. --------------------------------------------- https://github.com/ArianeBlow/NagiosXI-EmersonFI ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (python-django), Debian (libuv1, libxstream-java, and php7.3), Fedora (rabbitmq-server), Gentoo (glibc, google-chrome, libxml2, and postsrsd), openSUSE (libqt5-qtwebengine and roundcubemail), SUSE (python-rsa), and Ubuntu (djvulibre). --------------------------------------------- https://lwn.net/Articles/861972/ ∗∗∗ [20210705] - Core - XSS in com_media imagelist ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/860-20210705-core-xss-in-c… ∗∗∗ [20210704] - Core - Privilege escalation through com_installer ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/859-20210704-core-privileg… ∗∗∗ [20210703] - Core - Lack of enforced session termination ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/858-20210703-core-lack-of-… ∗∗∗ [20210702] - Core - DoS through usergroup table manipulation ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/857-20210702-core-dos-thro… ∗∗∗ [20210701] - Core - XSS in JForm Rules field ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/856-20210701-core-xss-in-j… ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0719 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0718 ∗∗∗ QNAP NAS HBS 3: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0717 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2021
by Daily end-of-shift report 05 Jul '21

05 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-07-2021 18:00 − Montag 05-07-2021 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kaseya VSA Ransomwarevorfall: Sicht auf Österreich ∗∗∗ --------------------------------------------- In den Medien wird aktuell über einen Ransomwarevorfall, welcher eine große Anzahl an Firmen betrifft, berichtet 1 2. Folgend diesen Berichten gelang es der Ransomware-Gruppe "REvil" über das Einschleusen von Code in die Software-Lösung "Kaseya VSA", welche zum Remote-Monitoring und -Management für IT bei Managed Service Providern (MSP) eingesetzt wird, die Ransomware "Sodinokibi" automatisiert an die MSPs und somit auch an deren Kunden --------------------------------------------- https://cert.at/de/aktuelles/2021/7/kaseya-vsa-ransomwarevorfall ∗∗∗ Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527) ∗∗∗ --------------------------------------------- Update 7/5/2021: Security researcher cube0x0 discovered another attack vector for this vulnerability, which significantly expands the set of affected machines. While the original attack vector was Print System Remote Protocol [MS-RPRN], the same attack delivered via Print System Asynchronous Remote Protocol [MS-PAR] does not require Windows server to be a domain controller, or Windows 10 machine to have UAC User Account Control disabled or PointAndPrint NoWarningNoElevationOnInstall enabled. --------------------------------------------- https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html ∗∗∗ Another 0-Day Looms for Many Western Digital Users ∗∗∗ --------------------------------------------- Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who cant or wont upgrade to the latest operating system. --------------------------------------------- https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-di… ∗∗∗ Spam per Termineinladung: So schützen Sie sich! ∗∗∗ --------------------------------------------- Sie haben plötzlich im Lotto gewonnen. Jemand will Ihnen aus reiner Nächstenliebe Geld spenden. Außerdem müssen Sie unbedingt auf dieser einen Trading-Plattform investieren. Gewinne garantiert! Viele von uns kennen solche Versprechungen wohl. Spam-Mails sind nichts Neues mehr. Daher überlegen sich Kriminelle immer wieder neue Möglichkeiten, um an das Geld ihrer Opfer zu kommen. Derzeit sehr beliebt: Kalender-Spam! --------------------------------------------- https://www.watchlist-internet.at/news/spam-per-termineinladung-so-schuetze… ∗∗∗ Telnet service left enabled and without a password on SIMATIC HMI Comfort Panels ∗∗∗ --------------------------------------------- Siemens SIMATIC HMI Comfort Panels, devices meant to provide visualization of data received from industrial equipment, are exposing their Telnet service without any form of authentication, security researchers have discovered. Tracked as CVE-2021-31337, the vulnerability was revealed earlier this week. All SIMATIC HMI Comfort Panels models are believed to be impacted, except panels for SINAMICS Medium Voltage Products (SL150, SM150, and SM150i), where the Telnet service is disabled by default. --------------------------------------------- https://therecord.media/telnet-service-left-enabled-and-without-a-password-… ∗∗∗ MISP 2.4.145 and 2.4.146 released (Improved warning-lists) ∗∗∗ --------------------------------------------- MISP 2.4.145 and 2.4.146 released including a massive update to the MISP warning-lists, various improvements and security fixes. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.145 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-779: Advantech WebAccess Node BwFreRPT Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-779/ ∗∗∗ ZDI-21-778: Advantech WebAccess Node BwImgExe Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-778/ ∗∗∗ ZDI-21-777: Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-777/ ∗∗∗ ZDI-21-776: Autodesk Design Review DWF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-776/ ∗∗∗ ZDI-21-775: Autodesk Design Review DWFX File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-775/ ∗∗∗ ControlTouch serial number can be misused to access customer configuration ∗∗∗ --------------------------------------------- ABB is aware of a privately reported vulnerability in the ControlTouch cloud subsystem. The cloud sub-system is updated to remove the vulnerability. An attacker who successfully exploited this vulnerability could modify the configuration of the ControlTouch of an authorized user. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A3688&Lan… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (electron11, electron12, istio, jenkins, libtpms, mediawiki, mruby, opera, puppet, and python-fastapi), Debian (djvulibre and openexr), Fedora (dovecot, libtpms, nginx, and php-league-flysystem), Gentoo (corosync, freeimage, graphviz, and libqb), Mageia (busybox, file-roller, live, networkmanager, and php), openSUSE (clamav-database, lua53, and roundcubemail), Oracle (389-ds:1.4, kernel, libxml2, python38:3.8 and python38-devel:3.8, and ruby:2.5), and SUSE (crmsh, djvulibre, python-py, and python-rsa). --------------------------------------------- https://lwn.net/Articles/861906/ ∗∗∗ Ricon Industrial Cellular Router S9922XL Remote Command Execution ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php ∗∗∗ GNU C Library (glibc) vlunerability CVE-2016-10228 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52494142?utm_source=f5support&utm_mediu… ∗∗∗ Advisory: Denial of Service vulnerability in B&R Industrial Automation PROFINET IO Device ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16229864… ∗∗∗ Advisory: Stack crash in B&R Industrial Automation X20 EthernetIP Adpater ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16229864… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.07.2021
by Daily end-of-shift report 02 Jul '21

02 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-07-2021 18:00 − Freitag 02-07-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gelöschte Netz-Festplatten: Western Digital plant Hilfe bei Wiederherstellung ∗∗∗ --------------------------------------------- Die Daten angegriffener HDDs der WD-Baureihe My Book Live sollen sich wiederherstellen lassen. Western Digital will künftig entsprechende Dienste anbieten. --------------------------------------------- https://heise.de/-6127479 ∗∗∗ Scorecards 2.0: Sicherheitsrisiken in Open-Source-Software aufdecken ∗∗∗ --------------------------------------------- Das automatisierte Security-Tool Scorecards legt die Karten auf den Tisch - wie sicher ist Open-Source-Software? --------------------------------------------- https://heise.de/-6127588 ∗∗∗ Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527) ∗∗∗ --------------------------------------------- [Note: This blog post is expected to be updated as new micropatches are issued and new information becomes available.] June 2021 Windows Updates brought a fix for a vulnerability CVE-2021-1675 originally titled "Windows Print Spooler Local Code Execution Vulnerability". As usual, Microsofts advisory provided very little information about the vulnerability, and very few probably noticed that about two weeks later, the advisory was updated to [...] --------------------------------------------- https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html ∗∗∗ Babuk ransomware is back, uses new version on corporate networks ∗∗∗ --------------------------------------------- After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-use… ∗∗∗ Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software ∗∗∗ --------------------------------------------- In yet another instance of software supply chain attack, unidentified hackers breached the website of MonPass, one of Mongolias major certificate authorities, to backdoor its installer software with Cobalt Strike binaries. The trojanized client was available for download between February 8, 2021, and March 3, 2021, said Czech cybersecurity software company Avast in a report published Thursday. --------------------------------------------- https://thehackernews.com/2021/07/mongolian-certificate-authority-hacked.ht… ∗∗∗ New Mirai-Inspired Botnet Could Be Using Your KGUARD DVRs in Cyber Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers on Thursday revealed details about a new Mirai-inspired botnet called "mirai_ptea" that leverages an undisclosed vulnerability in digital video recorders (DVR) provided by KGUARD to propagate and carry out distributed denial-of-service (DDoS) attacks. Chinese security firm Netlab 360 pinned the first probe against the flaw on March 23, 2021, before it detected active [...] --------------------------------------------- https://thehackernews.com/2021/07/new-mirai-inspired-botnet-could-be.html ∗∗∗ 2020 Report: ICS Endpoints as Starting Points for Threats ∗∗∗ --------------------------------------------- The use of Industrial Control Systems (ICS) makes operations more efficient for various industries. These systems are powered by the interconnection between IT (information technology) and OT (operational technology), which help boost efficiency and speed. Unfortunately, this very interconnection also inadvertently makes ICS susceptible to cyberthreats. Securing these systems is vital, and one of its components that must be protected from threats are endpoints. --------------------------------------------- https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/2020-r… ∗∗∗ STIR/SHAKEN: Nordamerika signiert Rufnummern im Kampf gegen Spam ∗∗∗ --------------------------------------------- Nordamerikas Netzbetreiber signieren und verifizieren jetzt Telefonnummern nach dem STIR/SHAKEN-System. Das erschwert Anrufe mit gefälschten Anruferkennungen. --------------------------------------------- https://heise.de/-6127147 ∗∗∗ TrickBot and Zeus ∗∗∗ --------------------------------------------- TrickBot is an established and widespread multi-purpose trojan. Active since 2016 and modular in nature, it can accomplish a variety of goals ranging from credential theft to lateral movement. Many of the malware’s capabilities come as self-contained modules, which the malware is instructed to download from the C2. Initially, TrickBot’s main focus was bank fraud, but this later shifted toward corporate targetted ransomware attacks, eventually resulting in the [...] --------------------------------------------- https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/ ∗∗∗ Top 5 Scam Techniques: What You Need to Know ∗∗∗ --------------------------------------------- Scammers are increasingly resourceful when coming up with scam techniques. But they often rely on long-standing persuasion techniques for the scam to work. So, you may hear about a new scam that uses a novel narrative, but there is a good chance that the scam relies on proven scam techniques once the narrative is stripped [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/top-sca… ∗∗∗ Ransomware. In the air? ∗∗∗ --------------------------------------------- Introduction As an exercise, we were asked to look at the potential vectors for ransomware to affect flight despatch and operations. In most cases, flight systems simply weren’t significantly exposed, [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/ransomware-in-the-air/ ∗∗∗ Mysterious Node.js malware puzzles security researchers ∗∗∗ --------------------------------------------- Almost four months after it was first spotted in the wild, the infosec community is still scratching its head in regards to the purpose of a new malware strain named Lu0bot. --------------------------------------------- https://therecord.media/mysterious-node-js-malware-puzzles-security-researc… ∗∗∗ TrickBot: New attacks see the botnet deploy new banking module, new ransomware ∗∗∗ --------------------------------------------- Over the course of the past few weeks, new activity has been observed from TrickBot, one of todays largest malware botnets, with reports that its operators have helped create a new ransomware strain called Diavol and that the TrickBot gang is returning to its roots as a banking trojan with a new and updated banking module.The post TrickBot: New attacks see the botnet deploy new banking module, new ransomware appeared first on The Record by Recorded Future. --------------------------------------------- https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-bank… ∗∗∗ The Brothers Grim ∗∗∗ --------------------------------------------- The reversing tale of GrimAgent malware used by Ryuk --------------------------------------------- https://blog.group-ib.com/grimagent ===================== = Vulnerabilities = ===================== ∗∗∗ WAGO: Multiple Vulnerabilities in I/O-Check Service ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the WAGO I/O-Check Service were reported. By exploiting the described vulnerabilities, the attacker potentially is able to manipulate or disrupt the device. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-036 ∗∗∗ Update PowerShell versions 7.0 and 7.1 to protect against a vulnerability ∗∗∗ --------------------------------------------- If you manage yoiur Azure resources from PowerShell version 7.0 or 7.1, we’ve released new versions of PowerShell to address a .NET Core remote code execution vulnerability in versions 7.0 and 7.1. We recommend that you install the updated versions as soon as possible. Windows PowerShell 5.1 isn’t affected by this issue. --------------------------------------------- https://azure.microsoft.com/en-us/updates/update-powershell-versions-70-and… ∗∗∗ Jetzt handeln! Angreifer nutzen Drucker-Lücke PrintNightmare in Windows aus ∗∗∗ --------------------------------------------- Alle Windows-Systeme sind von der PrintNightmare-Schwachstelle bedroht. Derzeit finden Attacken statt. So geht der Workaround zur Absicherung. --------------------------------------------- https://heise.de/-6127265 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ansible and seamonkey), openSUSE (go1.15 and opera), Oracle (kernel and microcode_ctl), and Red Hat (go-toolset-1.15 and go-toolset-1.15-golang). --------------------------------------------- https://lwn.net/Articles/861679/ ∗∗∗ Johnson Controls Facility Explorer ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Privilege Management vulnerability in Johnson Controls Facility Explorer industrial Ethernet controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01 ∗∗∗ Sensormatic Electronics C-CURE 9000 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Sensormatic Electronics C-CURE 9000 industrial software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02 ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read vulnerabilities in Delta Electronics DOPSoft software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-03 ∗∗∗ Mitsubishi Electric Air Conditioning System ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Incorrect Implementation of Authentication Algorithm vulnerability in Mitsubishi Electric air conditioning systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-04 ∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning Systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-05 ∗∗∗ All Bachmann M1 System Processor Modules ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the advisory titled ICSA-21-026-01P All Bachmann M1 System Processor Modules, posted to the HSIN ICS library on January 26, 2021. This advisory is now being released to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Use of Password Hash with Insufficient Computational Effort vulnerability in Bachmann M1 system processor modules. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01-0 ∗∗∗ Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-020 ∗∗∗ WEIDMUELLER: Multiple vulnerabilities in Industrial WLAN devices (UPDATE A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-026 ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0714 ∗∗∗ Red Hat Developer Tools: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0715 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2021
by Daily end-of-shift report 01 Jul '21

01 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-06-2021 18:00 − Donnerstag 01-07-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ "Drucker-Albtraum": Offene Sicherheitslücke erlaubt die Übernahme gesamter Windows-Netzwerke ∗∗∗ --------------------------------------------- Sicherheitsforscher veröffentlichen versehentlich passenden Schadcode, nun herrscht akuter Handlungsbedarf für Windows-Administratoren --------------------------------------------- https://www.derstandard.at/story/2000127868579/drucker-albtraum-offene-sich… ∗∗∗ Vorschussbetrug mit Krediten auf befinax.com ∗∗∗ --------------------------------------------- Auf der Suche nach Krediten, Hypotheken oder Versicherungen stoßen Sie womöglich auf befinax.com. Die Seite ist schön aufgebaut, verspricht schnelle Kreditvergaben und wirbt mit den Logos und Namen großer und bekannter Banken. Doch Vorsicht: Hier werden Sie betrogen! Vorab zu bezahlende Gebühren landen direkt in den Händen Krimineller und Kredit gibt es keinen. --------------------------------------------- https://www.watchlist-internet.at/news/vorschussbetrug-mit-krediten-auf-bef… ∗∗∗ The Most Prolific Ransomware Families: A Defenders Guide ∗∗∗ --------------------------------------------- In this article, DomainTools researchers provide a look at the three most prolific ransomware families and their toolsets. --------------------------------------------- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-fam… ∗∗∗ Linux: RPM prüft Signaturen nicht richtig ∗∗∗ --------------------------------------------- Eigentlich werden RPM-Pakte unter Linux signiert. Viele wichtige Teile der Signaturprüfung sind bisher aber gar nicht implementiert. --------------------------------------------- https://www.golem.de/news/linux-rpm-prueft-signaturen-nicht-richtig-2107-15… ∗∗∗ Another Exploit Hits WD My Book Live Owners ∗∗∗ --------------------------------------------- While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. Toms Hardware reports: Initially, after the news broke on Friday, it was thought a known exploit from 2018 was to blame, allowing attackers to gain root access to the devices. However, it now seems that a previously unknown exploit was [...] --------------------------------------------- https://hardware.slashdot.org/story/21/06/30/2319243/another-exploit-hits-w… ∗∗∗ We Infiltrated a Counterfeit Check Ring! Now What? ∗∗∗ --------------------------------------------- Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and youve shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be? Such is the curse of the fraud fighter known online by the handles “Brianna Ware” and [...] --------------------------------------------- https://krebsonsecurity.com/2021/06/we-infiltrated-a-counterfeit-check-ring… ∗∗∗ Becoming Elon Musk - the Danger of Artificial Intelligence ∗∗∗ --------------------------------------------- A Tel Aviv, Israel-based artificial intelligence (AI) firm, with a mission to build trust in AI and protect AI from cyber threats, privacy issues, and safety incidents, has developed the opposite: an attack against facial recognition systems that can fool the algorithm into misinterpreting the image. --------------------------------------------- https://www.securityweek.com/becoming-elon-musk-%E2%80%93-danger-artificial… ∗∗∗ CISA’s CSET Tool Sets Sights on Ransomware Threat ∗∗∗ --------------------------------------------- CISA has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate their cybersecurity practices on their networks. CSET—applicable to both information technology (IT) and industrial control system (ICS) networks—enables users to perform a comprehensive evaluation of their cybersecurity [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/cisas-cset-tool-s… ∗∗∗ Two years later, the NSABuffMiner botnet is still alive and kicking ∗∗∗ --------------------------------------------- A crypto-mining botnet named NSABuffMiner (or Indexsinas) is still active and infecting Windows systems using three leaked NSA exploits, security firm Guardicore said today. --------------------------------------------- https://therecord.media/two-years-later-the-nsabuffminer-botnet-is-still-al… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#383432: Microsoft Windows Print Spooler RpcAddPrinterDriverEx() function allows for RCE ∗∗∗ --------------------------------------------- The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. --------------------------------------------- https://kb.cert.org/vuls/id/383432 ∗∗∗ Sicherheitsupdate: Microsoft entdeckt kritische Lücke in Netgear-Router ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für den WLAN Router DGN2200v1 von Netgear. --------------------------------------------- https://heise.de/-6126662 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (htmldoc, ipmitool, and node-bl), Fedora (libgcrypt and libtpms), Mageia (dhcp, glibc, p7zip, sqlite3, systemd, and thunar), openSUSE (arpwatch, go1.15, and kernel), SUSE (curl, dbus-1, go1.15, and qemu), and Ubuntu (xorg-server). --------------------------------------------- https://lwn.net/Articles/861521/ ∗∗∗ EC-CUBE fails to restrict access permissions ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN57942445/ ∗∗∗ Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-022 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-022 ∗∗∗ Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-021 ∗∗∗ Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-020 ∗∗∗ Security Advisory - Path Traversal Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210630-… ∗∗∗ Security Notice – Statement About the Media Report on the Use of GEA-1 Weak Algorithm in Certain Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20210618-01-… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK April 2021 CPU plus affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Using XSS attack, an attacker may inject Javascript code by modifying input fields in Datacap Navigator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-using-xss-attack-an-attac… ∗∗∗ Security Bulletin: IBM MQ Appliance vulnerability in TLS (CVE-2020-4831) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-vulnerab… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: SQL injection from various input fields may affect Datacap Navigator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-from-variou… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.06.2021
by Daily end-of-shift report 30 Jun '21

30 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-06-2021 18:00 − Mittwoch 30-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Lorenz ransomware decryptor recovers victims files for free ∗∗∗ --------------------------------------------- Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware, allowing victims to recover some of their files for free without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lorenz-ransomware-decryptor-… ∗∗∗ An EPYC escape: Case-study of a KVM breakout ∗∗∗ --------------------------------------------- In this blog post I describe a vulnerability in KVM’s AMD-specific code and discuss how this bug can be turned into a full virtual machine escape. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of… ∗∗∗ MITRE ATT&CK® mappings released for built-in Azure security controls ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the publication of the Security Stack Mappings for Azure project in partnership with the Center for Threat-Informed Defense. --------------------------------------------- https://www.microsoft.com/security/blog/2021/06/29/mitre-attck-mappings-rel… ∗∗∗ June 2021 Forensic Contest: Answers and Analysis, (Wed, Jun 30th) ∗∗∗ --------------------------------------------- Thanks to everyone who participated in our June 2021 forensic contest originally posted two weeks ago. --------------------------------------------- https://isc.sans.edu/diary/rss/27582 ∗∗∗ Babuk ransomware builder leaked following muddled “retirement” ∗∗∗ --------------------------------------------- Heads are being scratched after the Babuk ransomware builder appears on VirusTotal, adding to the gangs reputation for confusion. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/06/babuk-ransomware-builder-leak… ∗∗∗ Unseriöse Online-Shops verkaufen Mystery-Box mit Produkten aus unzustellbaren Amazon-Paketen ∗∗∗ --------------------------------------------- Einen Gaming Laptop oder eine PlayStation um 16 Euro? Zahlreiche Online-Shops verkaufen derzeit eine Mystery-Box, mit der das möglich sein soll. Die Box beinhaltet laut den HändlerInnen nicht zustellbare Amazon-Produkte wie Laptops, Computer, Kameras oder teure Kopfhörer. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-online-shops-verkaufen-my… ∗∗∗ FIRST Challenge 2021 Writeup ∗∗∗ --------------------------------------------- Due to the COVID-19 pandemic the FIRST conference 2021 moved online and so did the annual CTF organized by the FIRST Security Lounge SIG. Thomas Pribitzer, Dimitri Robl, and Sebastian Waldbauer from CERT.at participated as a team, scoring the 9. place out of 42 teams. --------------------------------------------- https://cert.at/en/blog/2021/6/first-challenge-2021-writeup ∗∗∗ Gozi malware gang member arrested in Colombia ∗∗∗ --------------------------------------------- Authorities in Colombia have arrested this week a Romanian national named Mihai Ionut Paunescu, one of the three suspects charged in 2013 for creating and operating the infamous Gozi banking trojan. --------------------------------------------- https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/ ∗∗∗ REvil Twins ∗∗∗ --------------------------------------------- Deep Dive Into Prolific RaaS Affiliates’ TTPs --------------------------------------------- https://blog.group-ib.com/revil_raas ===================== = Vulnerabilities = ===================== ∗∗∗ DHCP Flood: Googles Cloud-VMs lassen sich per DHCP übernehmen ∗∗∗ --------------------------------------------- Angreifer könnten Root-Rechte in fremden VMs der Google-Cloud erhalten. Praktische Angriffe sind unwahrscheinlich, Updates gibt es nicht. --------------------------------------------- https://www.golem.de/news/dhcp-flood-googles-cloud-vms-lassen-sich-per-dhcp… ∗∗∗ CVE-2021-1675: Incomplete Patch and Leaked RCE Exploit, (Wed, Jun 30th) ∗∗∗ --------------------------------------------- On June 21st, Microsoft modified the description of the vulnerability upgrading it to a remote code execution vulnerability. Earlier this week, an RCE exploit was posted to GitHub. --------------------------------------------- https://isc.sans.edu/diary/rss/27588 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fluidsynth), Fedora (libgcrypt and tpm2-tools), Mageia (nettle, nginx, openvpn, and re2c), openSUSE (kernel, roundcubemail, and tor), Oracle (edk2, lz4, and rpm), Red Hat (389-ds:1.4, edk2, fwupd, kernel, kernel-rt, libxml2, lz4, python38:3.8 and python38-devel:3.8, rpm, ruby:2.5, ruby:2.6, and ruby:2.7), and SUSE (kernel and lua53). --------------------------------------------- https://lwn.net/Articles/861420/ ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2021-3449, CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform Foundation. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-au… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase (CVE-2020-27221, CVE-2020-14782, CVE-2020-2773, CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache Commons Codec Vulnerability affects IBM Rational ClearQuest (177835) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-codec-vuln… ∗∗∗ Drupal 8 end-of-life on November 2, 2021 (four months from now) - PSA-2021-2021-06-29 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2021-2021-06-29 ∗∗∗ Exacq Technologies exacqVision Web Service ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-01 ∗∗∗ Exacq Technologies exacqVision Enterprise Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02 ∗∗∗ Panasonic FPWIN Pro ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-03 ∗∗∗ JTEKT TOYOPUC PLC ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-04 ∗∗∗ AVEVA System Platform ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-05 ∗∗∗ Claroty Secure Remote Access Site ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-180-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.06.2021
by Daily end-of-shift report 29 Jun '21

29 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Montag 28-06-2021 18:00 − Dienstag 29-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Ransomware gangs now creating websites to recruit affiliates ∗∗∗ --------------------------------------------- Ever since two prominent Russian-speaking cybercrime forums banned ransomware-related topics, criminal operations have been forced to promote their service through alternative methods. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creatin… ∗∗∗ Microsoft successfully hit by dependency hijacking again ∗∗∗ --------------------------------------------- Microsoft has once again been successfully hit by a dependency hijacking attack. This month, another researcher found an npm internal dependency being used by an open-source project. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-successfully-hit-b… ∗∗∗ Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground ∗∗∗ --------------------------------------------- After 500 million LinkedIn enthusiasts were affected in a data-scraping incident in April, its happened again - with big security ramifications. --------------------------------------------- https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/ ∗∗∗ CFBF Files Strings Analysis, (Mon, Jun 28th) ∗∗∗ --------------------------------------------- The Office file format that predates the OOXML format, is a binary format based on the CFBF format. I informally call this the ole file format. --------------------------------------------- https://isc.sans.edu/diary/rss/27576 ∗∗∗ Diving into a Google Sweepstakes Phishing E-mail, (Tue, Jun 29th) ∗∗∗ --------------------------------------------- I was recently forwarded another phishing e-mail to examine. This time, it was an e-mail that claimed to be from Google. The e-mail included a pdf file, and instructed the recipient download the file for further information. --------------------------------------------- https://isc.sans.edu/diary/rss/27578 ∗∗∗ Verschlüsselungstrojaner REvil hat es nun auf virtuelle Maschinen abgesehen ∗∗∗ --------------------------------------------- Mehrere Sicherheitsforscher warnen vor einer neuen REvil-Version, die noch mehr Geräte bedroht. --------------------------------------------- https://heise.de/-6122156 ∗∗∗ Analyzing CVE-2021-1665 – Remote Code Execution Vulnerability in Windows GDI+ ∗∗∗ --------------------------------------------- Microsoft Windows Graphics Device Interface+, also known as GDI+, allows various applications to use different graphics functionality on video displays as well as printers. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-cve-2021-166… ∗∗∗ Instagram: Kooperationsanfragen von wegego.com sind Fake ∗∗∗ --------------------------------------------- Momentan werden Instagram-NutzerInnen vermehrt von einem Profil namens sara.wegego – einer angeblichen Brand Ambassador Managerin bei wegego.com – angeschrieben. Ihnen wird eine Kooperation mit dem Unternehmen angeboten. --------------------------------------------- https://www.watchlist-internet.at/news/instagram-kooperationsanfragen-von-w… ∗∗∗ CISA Begins Cataloging Bad Practices that Increase Cyber Risk ∗∗∗ --------------------------------------------- In a blog post by Executive Assistant Director (EAD) Eric Goldstein, CISA announced the creation of a catalog to document bad cybersecurity practices that are exceptionally risky for any organization and especially dangerous for those supporting designated Critical Infrastructure or National Critical Functions. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/29/cisa-begins-catal… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (klibc and libjdom2-java), Mageia (bash, glibc, gnutls, java-openjdk, kernel, kernel-linus, leptonica, libgcrypt, openjpeg2, tor, and trousers), openSUSE (bouncycastle, chromium, go1.16, and kernel), Oracle (docker-engine docker-cli and qemu), Red Hat (kpatch-patch), and SUSE (arpwatch, go1.16, kernel, libsolv, microcode_ctl, and python-urllib3, python-requests). --------------------------------------------- https://lwn.net/Articles/861310/ ∗∗∗ PoC released for dangerous Windows PrintNightmare bug ∗∗∗ --------------------------------------------- Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service (spoolsv.exe) that can allow a total compromise of Windows systems. --------------------------------------------- https://therecord.media/poc-released-for-dangerous-windows-printnightmare-b… ∗∗∗ Security Bulletin: Vulnerabilities in Python, Tornado, and Urllib3 affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python… ∗∗∗ Security Bulletin: IBM DataQuant Fix for (All) Apache PDF Box (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-dataquant-fix-for-all… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus has Insecure File Permissions due to not setting the Sticky Bit (CVE-2021-20490) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise v11 are affected by vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i… ∗∗∗ Security Bulletin: Multiple vulnerabilities in open source libraries affects Tivoli Netcool/OMNIbus WebGUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Redis, MinIO, Golang, and Urllib3 affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-redis-… ∗∗∗ Security Bulletin: Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-mongod… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2021-3449 , CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2021-23839, CVE-2021-23840) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbirary files due to improper group permissions. (CVE-2020-4945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-au… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerab… ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0700 ∗∗∗ MISP: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0699 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.06.2021
by Daily end-of-shift report 28 Jun '21

28 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-06-2021 18:00 − Montag 28-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Using VMs To Hide Ransomware Attacks is Becoming More Popular ∗∗∗ --------------------------------------------- In early 2020, security researchers were baffled to discover that a ransomware gang had come up with an innovative trick that allowed it to run its payload inside virtual machines on infected hosts as a technical solution that bypassed security software. One year later, that technique has spread among the cybercrime underground and is now used by multiple ransomware operators. --------------------------------------------- https://it.slashdot.org/story/21/06/28/1521220/using-vms-to-hide-ransomware… ∗∗∗ Sicherheitsforscher der TU Wien warnen vor vergessenen Subdomains auf Webseiten ∗∗∗ --------------------------------------------- Vor einer Online-Sicherheitslücke durch sozusagen vergessene Unterseiten einer Website warnen Forscher der Technischen Universität (TU) Wien. Unter bestimmten Umständen kann man sich über derartige lose Enden bei Subdomains über die Hintertür Zugang zu Hauptseiten verschaffen, berichtet ein Team aus Wien und Italien im Rahmen einer Fachkonferenz. --------------------------------------------- https://www.derstandard.at/story/2000127773220/sicherheitsforscher-der-tu-w… ∗∗∗ Jetzt patchen! Angreifer attackieren Cisco Adaptive Security Appliance ∗∗∗ --------------------------------------------- Es ist Exploit-Code für eine Sicherheitslücke in Cisco ASA und FTD in Umlauf. --------------------------------------------- https://heise.de/-6120956 ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability, (Sat, Jun 26th) ∗∗∗ --------------------------------------------- This XML External Entity injection (XXE) vulnerability disclosed in March 2019 is still actively scanned for a vulnerable mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. This exploit attempts to read the Zimbra configuration file that contains an LDAP password for the zimbra account. --------------------------------------------- https://isc.sans.edu/diary/rss/27570 ∗∗∗ Western Digital My Book: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode und Löschung der Daten ∗∗∗ --------------------------------------------- Western Digital hat eine Schwachstelle in seinen My Book NAS Geräten bekanntgegeben. Ein Angreifer kann diese Schwachstelle ausnutzen, um Schadcode auszuführen und unter Umständen die Geräte in Werkseinstellung zu bringen und alle Daten zu löschen. Dazu ist keine Anmeldung am Gerät erforderlich. ... Das BürgerCERT empfiehlt als Abhilfe, den Herstellerempfehlungen folgend, die Trennung des Gerätes vom Internet. --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/TW/2021/06/warnmeldung_… ∗∗∗ Vulnerability Spotlight: Memory corruption vulnerability in PowerISO’s DMG handler ∗∗∗ --------------------------------------------- (CVE-2021-21871) is a memory corruption vulnerability in PowerISO that could result in the attacker gaining the ability to execute code on the victim machine. An attacker can exploit this vulnerability by tricking a user into opening a specially crafted DMG file. Cisco Talos worked with PowerISO to ensure that this issue is resolved and an update is available for affected customers --------------------------------------------- https://blog.talosintelligence.com/2021/06/vulnerability-spotlight-memory-.… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez, intel-microcode, tiff, and xmlbeans), Fedora (openssh and php-phpmailer6), openSUSE (freeradius-server, java-1_8_0-openjdk, live555, openexr, roundcubemail, tor, and tpm2.0-tools), SUSE (bouncycastle and zziplib), and Ubuntu (linux-kvm and thunderbird). --------------------------------------------- https://lwn.net/Articles/861221/ ∗∗∗ ImageMagick: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- ImageMagick ist eine Sammlung von Programmbibliotheken und Werkzeugen, die Grafiken in zahlreichen Formaten verarbeiten kann. Ein lokaler Angreifer kann eine Schwachstelle in ImageMagick ausnutzen, um Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0698 ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ ABB - Amnesia:33 – Impact on B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16212592… ∗∗∗ ABB - Multiple Vulnerabilities in Automation Runtime NTP Service ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16212592… ∗∗∗ Security Bulletin: Incorrect authorization in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29751 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-authorization-i… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2020-27221, CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Stack-based Buffer Overflow vulnerabilities in IBM Spectrum Protect Back-up Archive Client and IBM Spectrum Protect for Space Management (CVE-2021-29672, CVE-2021-20546) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overfl… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) (CVE-2017-18214, CVE-2016-4055, CVE-2021-20413) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in lpd affects AIX (CVE-2021-29693) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-lpd-affe… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability (CVE-2021-26296) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r… ∗∗∗ Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Jasper, Version 8 Service Refresh 5 Fix Pack 33, used in Jetty Server 9.4.14 where Rational Synergy is deployed. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jasper-v… ∗∗∗ Security Bulletin: Vulnerability found in Apache Log4j V1.x may affect IBM Enterprise Records ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-found-in-ap… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.06.2021
by Daily end-of-shift report 25 Jun '21

25 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-06-2021 18:00 − Freitag 25-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Binance exchange helped track down Clop ransomware money launderers ∗∗∗ --------------------------------------------- Cryptocurrency exchange service Binance played an important part in the recent arrests of Clop ransomware group members, helping law enforcement in their effort to identify, and ultimately detain the suspects. --------------------------------------------- https://www.bleepingcomputer.com/news/security/binance-exchange-helped-trac… ∗∗∗ Microsoft signed a malicious Netfilter rootkit ∗∗∗ --------------------------------------------- What started as a false positive alert for a Microsoft signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen? --------------------------------------------- https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-r… ∗∗∗ SKS: Das Ende der alten PGP-Keyserver ∗∗∗ --------------------------------------------- Der Serverpool für die PGP-Keyserver mit der Software SKS wurde abgeschaltet. Grund sind Beschwerden wegen der Datenschutz-Grundverordnung. --------------------------------------------- https://www.golem.de/news/sks-das-ende-der-alten-pgp-keyserver-2106-157613.… ∗∗∗ ‘What are the odds someone will find and exploit this?’ Nice one — you just released an insecure app ∗∗∗ --------------------------------------------- Who’s to blame: devs or management? And how do we cure application vulnerability epidemic Feature According to a recently published Osterman Research white paper, 81 per cent of developers admit to knowingly releasing vulnerable apps --------------------------------------------- https://www.theregister.com/2021/06/25/application_vulnerability_epidemic/ ∗∗∗ We explored the dangers of pirated sport streams so you don’t have to ∗∗∗ --------------------------------------------- The COVID pandemic has led to a surge in content consumption as people stayed home and turned to Netflix, Youtube and other streaming services for entertainment. Not everyone agrees with paying for the latest episode or album, however, and this rise has ran parallel with a rise in digital piracy. --------------------------------------------- https://www.webroot.com/blog/2021/05/12/we-explored-the-dangers-of-pirated-… ∗∗∗ Western Digital My Book Live: Trennen Sie Ihre Festplatten vom Internet ∗∗∗ --------------------------------------------- Daten auf Festplatten der WD-Baureihe My Book Live werden von extern gelöscht und durch fremde Passwörter unzugänglich gemacht. --------------------------------------------- https://heise.de/-6119250 ∗∗∗ Crackonosh malware abuses Windows Safe mode to quietly mine for cryptocurrency ∗∗∗ --------------------------------------------- The malware is thought to have generated millions of dollars in just a few short years. --------------------------------------------- https://www.zdnet.com/article/crackonosh-malware-abuses-windows-safe-mode-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, dovecot, exiv2, helm, keycloak, libslirp, matrix-appservice-irc, nginx-mainline, opera, pigeonhole, tor, tpm2-tools, and vivaldi), Debian (libgcrypt20), Fedora (pdfbox), Mageia (graphicsmagick, matio, and samba and ldb), openSUSE (dovecot23, gupnp, libgcrypt, live555, and ovmf), SUSE (gupnp, libgcrypt, openexr, and ovmf), and Ubuntu (ceph and rabbitmq-server). --------------------------------------------- https://lwn.net/Articles/860981/ ∗∗∗ Philips Interoperability Solution XDS ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Clear Text Transmission of Sensitive Information vulnerability in the Philips Interoperability Solution XDS document sharing system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-175-01 ∗∗∗ FATEK WinProladder ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read, Out-of-bounds Write, and Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerabilities in FATEK WinProladder programmable logic controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-175-01 ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-27918 and CVE-2021-27919) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Tika ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Netty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python urllib3 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache PDFBox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to OpenSSL vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.06.2021
by Daily end-of-shift report 24 Jun '21

24 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-06-2021 18:00 − Donnerstag 24-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Malicious spam campaigns delivering banking Trojans ∗∗∗ --------------------------------------------- In mid-March 2021, we observed two new spam campaigns delivering banking Trojans. The payload in most cases was IcedID, but we have also seen a few QBot (aka QakBot) samples. --------------------------------------------- https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/… ∗∗∗ Yet Another Archive Format Smuggling Malware ∗∗∗ --------------------------------------------- The use of novel disk image files to encapsulate malware distributed via spam has been a theme that we have highlighted over the past couple of years. As anticipated, we have seen more disk image file formats being used, in addition to .ISO, .IMG, and .DAA which we blogged about. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-arc… ∗∗∗ Online Credit Card Theft – A Brief Overview of Online Fraud and Abuse – Part 1 ∗∗∗ --------------------------------------------- Many clients that we work with host and operate ecommerce websites which are frequent targets of attackers. The goal of these attacks is to steal credit card details from unsuspecting victims and sell them on the black market for a profit. The online ecommerce environment is diverse, constituting many different content management system (CMS) platforms and payment gateways all of which have their own features and risks. In this post I will attempt to demystify this cluttered environment [...] --------------------------------------------- https://blog.sucuri.net/2021/06/online-credit-card-theft-online-fraud.html ∗∗∗ The May/June 2021 issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! --------------------------------------------- https://securityblog.switch.ch/2021/06/24/the-may-june-2021-issue-of-our-sw… ∗∗∗ Complicated Active Directory setups are undermining security ∗∗∗ --------------------------------------------- Researchers have found several flaws in the Active Directory Certificate Service that can lead to credential theft, privilege escalation, and domain persistence. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/06/complicated-active-directory-… ∗∗∗ Announcing a unified vulnerability schema for open source ∗∗∗ --------------------------------------------- In recent months, Google has launched several efforts to strengthen open-source security on multiple fronts. One important focus is improving how we identify and respond to known security vulnerabilities without doing extensive manual work. --------------------------------------------- https://security.googleblog.com/2021/06/announcing-unified-vulnerability-sc… ∗∗∗ Betrügerische „Voicemail“ SMS massenhaft im Umlauf! ∗∗∗ --------------------------------------------- Eine neue Welle betrügerischer SMS-Nachrichten fegt momentan über den deutschsprachigen Raum hinweg. In diesen SMS ist von einer neuen Voicemail, also einer Sprachnachricht, die Rede. Ein Link zum Abhören führt zu einer Fake-Seite, auf der eine App heruntergeladen werden soll. Achtung: Die App enthält Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-voicemail-sms-massenh… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Bugs Could Have Led to 1-Click Takeover ∗∗∗ --------------------------------------------- A supply-chain attack could have siphoned sensitive information out of Jira, such as security issues on Atlassian cloud, Bitbucket and on-prem products. --------------------------------------------- https://threatpost.com/atlassian-bugs-could-have-led-to-1-click-takeover/16… ∗∗∗ Sicherheitsupdate: Angreifer könnten eigene Befehle auf Qnap NAS ausführen ∗∗∗ --------------------------------------------- Qnap hat das Betriebssystem seiner Netzwerkspeicher gegen Command-Injection-Attacken abgesichert. --------------------------------------------- https://heise.de/-6117589 ∗∗∗ Kritische Admin-Lücke bedroht VMware Carbon Black App Control ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit der Server-Schutzlösung Carbon Black App Control von VMware attackieren. --------------------------------------------- https://heise.de/-6117422 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (apache-mod_auth_openidc, bind, bluez, cifs-utils, ffmpeg, gnome-autoar, guacd, kernel, kernel-linus, qtwebsockets5, slic3r, tunnel, wavpack, wireshark, and xscreensaver), openSUSE (apache2, cryptctl, go1.15, libnettle, python-rsa, salt, thunderbird, wireshark, libvirt, sbc, libqt5-qtmultimedia, xstream, and xterm), and SUSE (cryptctl, freeradius-server, libnettle, and libsolv). --------------------------------------------- https://lwn.net/Articles/860809/ ∗∗∗ 129 Dell models, including Secured-core PCs, vulnerable to new firmware flaws ∗∗∗ --------------------------------------------- Around 129 Dell consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs, have been found to be vulnerable to a series of vulnerabilities that can allow threat actors to pass as the official dell.com domain and trigger malicious BIOS/UEFI firmware updates. --------------------------------------------- https://therecord.media/129-dell-models-including-secured-core-pcs-vulnerab… ∗∗∗ Zyxel says a threat actor is targeting its enterprise firewall and VPN devices ∗∗∗ --------------------------------------------- Networking equipment vendor Zyxel has emailed customers this week to alert them about a series of attacks that have been targeting some of the companys high-end enterprise-focused firewall and VPN server products. --------------------------------------------- https://therecord.media/zyxel-says-a-threat-actor-is-targeting-its-enterpri… ∗∗∗ Security Advisory - Logic Vulnerability in Huawei WATCH Kid Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210630-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within Pacemaker. (CVE-2020-25654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM® Db2® 'Check for Updates' process is vulnerable to DLL hijacking (CVE-2019-4588) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-check-for-updates… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based (June 2021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbirary files due to improper group permissions. (CVE-2020-4945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-au… ∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru is vulnerable to an issue within IBM® Runtime Environment Java™ Technology Edition, Version 7. (CVE-2020-14782, CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure (CVE-2021-20579) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Drupal: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0686 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2021
by Daily end-of-shift report 23 Jun '21

23 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-06-2021 18:00 − Mittwoch 23-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ A week after arrests, Cl0p ransomware group dumps new tranche of stolen data ∗∗∗ --------------------------------------------- Leak shows that, like the rest of the ransomware scourge, Cl0p isnt going away. --------------------------------------------- https://arstechnica.com/?p=1775362 ∗∗∗ SonicWall bug affecting 800K firewalls was only partially fixed ∗∗∗ --------------------------------------------- New findings have emerged that shed light on a critical SonicWall vulnerability disclosed last year, which affected over 800,000 VPN firewalls and was initially thought to have been patched. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-bug-affecting-800k… ∗∗∗ PYSA ransomware backdoors education orgs using ChaChi malware ∗∗∗ --------------------------------------------- The PYSA ransomware gang has been using a remote access Trojan (RAT) dubbed ChaChi to backdoor the systems of healthcare and education organizations and steal data that later gets leveraged in double extortion ransom schemes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pysa-ransomware-backdoors-ed… ∗∗∗ Sure looks like someones pirating the REvil ransomware, tweaking the binary in a hex editor for their own crimes ∗∗∗ --------------------------------------------- Its a crook-eat-crook world out there It appears someone is pirating the infamous REvil ransomware by tweaking its files for their own purposes. --------------------------------------------- https://www.theregister.com/2021/06/23/revil_ransomware_lv/ ∗∗∗ Ferienwohnungen nicht auf luxfewo.de buchen ∗∗∗ --------------------------------------------- Ferienwohnungen und Unterkünfte werden heute überwiegend im Internet gebucht. Doch Vorsicht: Unter den zahlreichen Plattformen und Buchungswebseiten verstecken sich auch betrügerische Angebote. Wer beispielsweise auf luxfewo.de bucht und eine Anzahlung leistet, verliert viel Geld und hat am Ende keine Unterkunft. --------------------------------------------- https://www.watchlist-internet.at/news/ferienwohnungen-nicht-auf-luxfewode-… ∗∗∗ MITRE releases D3FEND, defensive measures complimentary to its ATT&CK framework ∗∗∗ --------------------------------------------- The MITRE Corporation, one of the most respected organizations in the cybersecurity field, has released today D3FEND, a complementary framework to its industry-recognized ATT&CK matrix. --------------------------------------------- https://therecord.media/mitre-releases-d3fend-defensive-measures-compliment… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Linux Marketplace Bugs Allow Wormable Attacks, Drive-By RCE ∗∗∗ --------------------------------------------- A pair of zero-days affecting Pling-based marketplaces could allow for some ugly attacks on unsuspecting Linux enthusiasts -- with no patches in sight. --------------------------------------------- https://threatpost.com/unpatched-linux-marketplace-bugs-rce/167155/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and linux-4.19), Fedora (tor), Oracle (rh-postgresql10-postgresql), Red Hat (kernel), SUSE (ansible, apache2, dovecot23, OpenEXR, ovmf, and wireshark), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-5.8, linux-azure,[...] --------------------------------------------- https://lwn.net/Articles/860652/ ∗∗∗ WordPress Plugin "WordPress Popular Posts" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN63066062/ ∗∗∗ VDE-CERT Advisories 2021-06-23: Multiple Vulnerabilities in Phoenix Contact Products and Weidmueller Industrial WLAN devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20488, CVE-2021-20494, CVE-2021-20572, CVE-2021-20573, CVE-2021-20574) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-passw… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information Exposure vulnerability (CVE-2020-4189) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ VMSA-2021-0013 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0013.html ∗∗∗ Python Flask vulnerability CVE-2018-1000656 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63597327 ∗∗∗ Palo Alto Networks Patches Critical Vulnerability in Cortex XSOAR ∗∗∗ --------------------------------------------- https://www.securityweek.com/palo-alto-networks-patches-critical-vulnerabil… ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX316325 ∗∗∗ Advantech WebAccess HMI Designer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01 ∗∗∗ CODESYS V2 web server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-173-02 ∗∗∗ CODESYS Control V2 communication ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-173-03 ∗∗∗ CODESYS Control V2 Linux SysFile library ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-173-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.06.2021
by Daily end-of-shift report 22 Jun '21

22 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Montag 21-06-2021 18:00 − Dienstag 22-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Darkside RaaS in Linux version ∗∗∗ --------------------------------------------- Unlike the Windows version of the malware that targets any Windows endpoint, Darkside Linux version is mostly targeting ESXi servers. Its default configuration includes the root path of ESX server machines. Targeted extensions are 'vmdk', 'log', 'vmem', 'vmsn' that are used in ESX servers for saving virtual machines information, data, and logs. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-ve… ∗∗∗ Wormable DarkRadiation Ransomware Targets Linux and Docker Instances ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new ransomware strain called "DarkRadiation" thats implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. "The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro said [..] --------------------------------------------- https://thehackernews.com/2021/06/wormable-darkradiation-ransomware.html ∗∗∗ Paketmanager: Kryptomining-Schadcode auf PyPI zielt auf Data-Science-Projekte ∗∗∗ --------------------------------------------- Mit Namen wie mplatlib setzen die Pakete auf Verwechslung zu matplotlib. Sie laden ein Bash-Skript herunter, das versucht einen Kryptominer zu installieren. --------------------------------------------- https://heise.de/-6113470 ∗∗∗ Shadow Credentials: Abusing Key Trust Account Mapping for Takeover ∗∗∗ --------------------------------------------- The techniques for DACL-based attacks against User and Computer objects in Active Directory have been established for years. [..] These techniques have their shortcomings [..] Tl;dr: It is possible to add “Key Credentials” to the attribute msDS-KeyCredentialLink of the target user/computer object and then perform Kerberos authentication as that account using PKINIT. In plain English: this is a much easier and more reliable takeover primitive against Users and Computers. A tool to operationalize this technique has been released alongside this post. --------------------------------------------- https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-ma… ===================== = Vulnerabilities = ===================== ∗∗∗ Tor Browser fixes vulnerability that tracks you using installed apps ∗∗∗ --------------------------------------------- The Tor Project has released Tor Browser 10.0.18 to fix numerous bugs, including a vulnerability that allows sites to track users by fingerprinting the applications installed on their devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tor-browser-fixes-vulnerabil… ∗∗∗ Bugs in NVIDIA’s Jetson Chipset Opens Door to DoS Attacks, Data Theft ∗∗∗ --------------------------------------------- Chipmaker patches nine high-severity bugs in its Jetson SoC framework tied to the way it handles low-level cryptographic algorithms. --------------------------------------------- https://threatpost.com/nvidia-jetson-chipset-dos-data-theft/167093/ ∗∗∗ Zephyr OS Bluetooth vulnerabilities left smart devices open to attack ∗∗∗ --------------------------------------------- The S in IoT stands for security. Vulnerabilities in the Zephyr real-time operating systems Bluetooth stack have been identified, leaving a wide variety of Internet of Things devices open to attack – unless upgraded to a patched version of the OS.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/06/22/zephyr_os_bl… ∗∗∗ VMSA-2021-0012 ∗∗∗ --------------------------------------------- CVE(s): CVE-2021-21998 The VMware Carbon Black App Control management server has an authentication bypass. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.4. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0012.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (audacity), openSUSE (chromium), Oracle (glib2), SUSE (Salt and salt), and Ubuntu (apache2 and openexr). --------------------------------------------- https://lwn.net/Articles/860559/ ∗∗∗ Security Advisory - Improper Permission Assignment Vulnerability in Some USB Dongle Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A Security Vulnerability in IBM Java Runtime affect IBM License Key Server Administration and Reporting Tool and its Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects Power Hardware Management Console (CVE-2021-3449). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Bootable Media Creator (BoMC) is affected by a vulnerability in cyrus-sasl (CVE-2019-19906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creato… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM Bootable Media Creator (BoMC) is affected by a vulnerability in GNU cpio (CVE-2019-14866) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creato… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Liberty affects IBM WIoTP MessageGateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM Bootable Media Creator (BoMC) is affected by vulnerabilities in libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creato… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2021
by Daily end-of-shift report 21 Jun '21

21 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-06-2021 18:00 − Montag 21-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Easy Access to the NIST RDS Database, (Sat, Jun 19th) ∗∗∗ --------------------------------------------- When you're facing some suspicious files while performing forensic investigations or analyzing malware components, it's always interesting to know these files are legit or malicious/modified. One of the key sources to verify hashes is provided by NIST and is called the NSLR project ("National Software Reference Library"). [...] CIRCL, the Luxembourg CERT, has a good reputation to offer/participate in services like MISP, a passive DNS service, etc. They are now offering an API to query the NIST RDS via HTTP or DNS requests! --------------------------------------------- https://isc.sans.edu/diary/rss/27544 ∗∗∗ 5 Critical Steps to Recovering From a Ransomware Attack ∗∗∗ --------------------------------------------- Businesses must prepare for the possibility of a ransomware attack affecting their data, services, and business continuity. What steps are involved in recovering from a ransomware attack? --------------------------------------------- https://thehackernews.com/2021/06/5-critical-steps-to-recovering-from.html ∗∗∗ ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung: IT-Security Analyst/Analystin (m/w/d - Vollzeit - Wien) ∗∗∗ ∗∗∗ --------------------------------------------- Zur Verstärkung unseres Analysis-Teams suchen wir nach einem/einer IT-Security Analysten/Analystin. --------------------------------------------- https://cert.at/de/ueber-uns/jobs/ ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4932 tor - security update ∗∗∗ --------------------------------------------- Multiple security vulnerabilities were discovered in Tor, aconnection-based low-latency anonymous communication system, whichcould result in denial of service or spoofing. --------------------------------------------- https://www.debian.org/security/2021/dsa-4932 ∗∗∗ Autodesk schließt Schadcode-Schlupflöcher in AutoCAD-Anwendungen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Produkte der AutoCAD-Familie. --------------------------------------------- https://heise.de/-6112990 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (connman, go, and grub), Debian (nettle, prosody, and tor), Fedora (iaito, mingw-ilmbase, mingw-openexr, mingw-python-urllib3, mosquitto, nettle, polkit, and radare2), Mageia (puddletag, python-babel, python-eventlet, and python-pikepdf), openSUSE (htmldoc), SUSE (go1.15, go1.16, gupnp, and libgcrypt), and Ubuntu (apache2 and dovecot). --------------------------------------------- https://lwn.net/Articles/860418/ ∗∗∗ CVE-2021-3609: Race condition in net/can/bcm.c leads to local privilege escalation ∗∗∗ --------------------------------------------- this is an announcement for the recently reported bug (CVE-2021-3609) in the CAN BCM networking protocol in the Linux kernel ranging from version 2.6.25 to mainline 5.13-rc6. The vulnerability is a race condition in net/can/bcm.c allowing for local privilege escalation to root. --------------------------------------------- https://seclists.org/oss-sec/2021/q2/225 ∗∗∗ SYSS-2021-032: Admin Columns Free & Pro – Persistent Cross-Site Scripting (XSS) in Custom Field (CVE-2021-24365) ∗∗∗ --------------------------------------------- Das WordPress-Plug-in “Admin Columns” ermöglicht bis Version 5.5.1 (Pro) bzw. 4.3 (Free) Persistent Cross-Site Scripting (XSS)-Angriffe. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-032-admin-columns-free-pro-persi… ∗∗∗ Security Advisory - Deserialization Vulnerability in Huawei AnyOffice Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210619-… ∗∗∗ Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-q… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js lodash vulnerability (CVE-2020-28500) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js lodash vulnerability (CVE-2021-23337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.06.2021
by Daily end-of-shift report 18 Jun '21

18 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-06-2021 18:00 − Freitag 18-06-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Newly discovered Vigilante malware outs software pirates and blocks them ∗∗∗ --------------------------------------------- Most malware tries to steal stuff. Vigilante, by contrast, takes aim at piracy. --------------------------------------------- https://arstechnica.com/?p=1774437 ∗∗∗ Network Forensics on Azure VMs (Part #2), (Fri, Jun 18th) ∗∗∗ --------------------------------------------- In yesterday's diary, we took a look at two methods that allow to capture network connection information off a potentially compromised virtual machine in Azure. Today, we'll investigate the most recent addition to the VM monitoring arsenal, namely "Azure Monitor Insights". --------------------------------------------- https://isc.sans.edu/diary/rss/27538 ∗∗∗ Open redirects ... and why Phishers love them, (Fri, Jun 18th) ∗∗∗ --------------------------------------------- Working from home, did you get a meeting invite recently that pointed to https://meet.google.com ? Well, that's indeed where Google's online meeting tool is located. But potentially the URL you got is not "only" leading you there. --------------------------------------------- https://isc.sans.edu/diary/rss/27542 ∗∗∗ Intentional Flaw in GPRS Encryption Algorithm GEA-1 ∗∗∗ --------------------------------------------- General Packet Radio Service (GPRS) is a mobile data standard that was widely used in the early 2000s. The first encryption algorithm for that standard was GEA-1, a stream cipher built on three linear-feedback shift registers and a non-linear combining function. Although the algorithm has a 64-bit key, the effective key length is only 40 bits, due to “an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance. --------------------------------------------- https://www.schneier.com/blog/archives/2021/06/intentional-flaw-in-gprs-enc… ∗∗∗ Malicious Redirects Through Bogus Plugin ∗∗∗ --------------------------------------------- Recently we have been seeing a rash of WordPress website compromises with attackers abusing the plugin upload functionality in the wp-admin dashboard to redirect visitors and website owners to malicious websites. --------------------------------------------- https://blog.sucuri.net/2021/06/malicious-redirects-through-bogus-plugin.ht… ∗∗∗ Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise ∗∗∗ --------------------------------------------- Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-sup… ∗∗∗ Mit diesem Leitfaden der NSA können Admins IP-Telefonie schützen ∗∗∗ --------------------------------------------- Die National Security Agency spricht Empfehlungen aus, wie Sprach- und Videoanrufe sicherer werden. --------------------------------------------- https://heise.de/-6111092 ∗∗∗ Polazert Trojan using poisoned Google Search results to spread ∗∗∗ --------------------------------------------- The threat actors behind Trojan.Polazert are using keyword-stuffed PDF files to rank high in search results and attract new victims.Categories: AwarenessTags: Polazertratseo poisoningSolarMarkerstuffed PDF(Read more...)The post Polazert Trojan using poisoned Google Search results to spread appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/awareness/2021/06/polazert-trojan-using-poiso… ∗∗∗ Service Vulnerabilities: Shared Hosting Symlink Security Issue Still Widely Exploited on Unpatched Servers ∗∗∗ --------------------------------------------- The Wordfence site cleaning team helps numerous customers recover from malware infections and site intrusions. While doing so, Wordfence Security Analysts perform a detailed forensic investigation in order to determine how the site was compromised by attackers. In a set of recent cases, we were able to identify a service vulnerability allowing malicious attackers to [...] --------------------------------------------- https://www.wordfence.com/blog/2021/06/service-vulnerabilities-shared-hosti… ∗∗∗ Betrug bei QR-Code-Scannern: Darauf sollten Sie achten! ∗∗∗ --------------------------------------------- Egal ob bei der Registrierung in einem Restaurant, bei einem Impf- oder Testtermin: Spätestens durch die Corona-Krise wurde die Verwendung von QR-Codes zur Normalität. Dementsprechend poppen derzeit zahlreiche neue QR-Code-Scanner in den App-Stores auf. Aber Achtung: Hinter manchen dieser kostenlosen Apps verstecken sich BetrügerInnen. Vorsicht ist auch bei seriösen Apps geboten, da die angezeigten Werbungen betrügerisch sein können. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-bei-qr-code-scannern-darauf-s… ∗∗∗ A deep dive into the operations of the LockBit ransomware group ∗∗∗ --------------------------------------------- Most victims are from the enterprise and are expected to pay an average ransom of $85,000. --------------------------------------------- https://www.zdnet.com/article/a-deep-dive-into-the-operations-of-the-lockbi… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (aspnet-runtime, aspnet-runtime-3.1, chromium, drupal, intel-ucode, nginx, opera, python-django, radare2, thefuck, and vivaldi), Debian (jetty9), Fedora (dogtag-pki and pki-core), openSUSE (htmldoc and postgresql10), Oracle (dhcp), SUSE (apache2, caribou, jetty-minimal, libxml2, postgresql12, python-PyJWT, python-rsa, python-urllib3, thunderbird, tpm2.0-tools, xstream, and xterm), and Ubuntu (grub2-signed, grub2-unsigned and libxml2). --------------------------------------------- https://lwn.net/Articles/860260/ ∗∗∗ Hitachi Virtual File Platform vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN21298724/ ∗∗∗ Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-q… ∗∗∗ Security Bulletin: IBM Security Identity Manager Virtual Appliance deprecated Self Service UI contains Struts V1 (CVE-2016-1182) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: A vulnerability have been identified in Apache Commons IO shipped with IBM Tivoli Netcool/OMNIbus Probe for Microsoft Exchange Web Services (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in Netty shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Identity Manager deprecated Self Service UI contains Struts V1 (CVE-2016-1182) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: BIND for IBM i is affected by CVE-2021-25214 and CVE-2021-25215 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affecte… ∗∗∗ Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vul… ∗∗∗ VMSA-2021-0011 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0011.html ∗∗∗ Google Chrome: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0670 ∗∗∗ Schneider Electric EnerlinX Com’X 510 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-168-01 ∗∗∗ Softing OPC-UA C++ SDK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-168-02 ∗∗∗ Advantech WebAccess/SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-168-03 ∗∗∗ WAGO M&M Software fdtCONTAINER (Update C) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05 ∗∗∗ Rockwell Automation ISaGRAF5 Runtime (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-280-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2021
by Daily end-of-shift report 17 Jun '21

17 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-06-2021 18:00 − Donnerstag 17-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Criminals are mailing hacked Ledger devices to steal cryptocurrency ∗∗∗ --------------------------------------------- Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach that are used to steal cryptocurrency wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-… ∗∗∗ Network Forensics on Azure VMs (Part #1), (Thu, Jun 17th) ∗∗∗ --------------------------------------------- The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straight forward, but it also tips off an intruder that he has been found out. Sometimes, it makes sense to first watch for a while, and learn more, for example about compromised accounts, lateral movement, or other involved hosts. --------------------------------------------- https://isc.sans.edu/diary/rss/27536 ∗∗∗ Top 5 ICS Incident Response Tabletops and How to Run Them ∗∗∗ --------------------------------------------- In this blog SANS instructor, Dean Parsons, discusses the top five ICS incident response table tops and how to run them. How prepared is your organization to respond to an industrial control system (ICS) cyber incident? How resilient is it against Ransomware that could impact safety and operations? Does your organization have the ability to detect advanced persistent threats that use modern attack methodologies against your critical infrastructure? --------------------------------------------- https://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-… ∗∗∗ What you need to know about Process Ghosting, a new executable image tampering attack ∗∗∗ --------------------------------------------- This blog describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF). --------------------------------------------- https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tamperi… ∗∗∗ Google schickt Framework gegen Supply-Chain-Angriffe ins Rennen ∗∗∗ --------------------------------------------- SLSA soll die Integrität von Code vom Einchecken ins Repository über den Build-Prozess bis zum Verwenden von Paketen sicherstellen. --------------------------------------------- https://heise.de/-6073057 ∗∗∗ Cybercriminals go after Amazon Prime Day Shoppers ∗∗∗ --------------------------------------------- - In the last 30 days, over 2300 new domains were registered about Amazon, a 10% increase from the previous Amazon Prime Day, where the majority now are either malicious or suspicious - Almost 1 out of 2 (46%) of new domains registered containing the word “Amazon” are malicious - Almost 1 out of 3 (32%) of new domains registered with the word “Amazon” are deemed suspicious --------------------------------------------- https://blog.checkpoint.com/2021/06/16/cybercriminals-go-after-amazon-prime… ===================== = Vulnerabilities = ===================== ∗∗∗ Hitachi Application Server Help vulnerable cross-site scripting ∗∗∗ --------------------------------------------- The following products are affected by the vulnerability. * Hitachi Application Server V10 Manual (Windows) version 10-11-01 and earlier * Hitachi Application Server V10 Manual (UNIX) version 10-11-01 and earlier Solution: Apply the appropriate latest version of the help according to the information provided by the developer. --------------------------------------------- https://jvn.jp/en/jp/JVN03776901/ ∗∗∗ Chaos Tool Suite (ctools) - Moderately critical - Access bypass - SA-CONTRIB-2021-015 ∗∗∗ --------------------------------------------- Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didnt make it into Drupal Core 8.0.x and port them.The module doesnt sufficiently handle block access control on its EntityView plugin. --------------------------------------------- https://www.drupal.org/sa-contrib-2021-015 ∗∗∗ Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017 ∗∗∗ --------------------------------------------- This module provides a revision UI to Block Content entities.The module doesnt sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled. --------------------------------------------- https://www.drupal.org/sa-contrib-2021-017 ∗∗∗ Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016 ∗∗∗ --------------------------------------------- This module provides a revision UI to Linky entities.The module doesnt sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled. --------------------------------------------- https://www.drupal.org/sa-contrib-2021-016 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat Security Advisories zu acht Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, vier als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (gnupnp and postgresql), Fedora (dino, microcode_ctl, and xen), Mageia (apache, gsoap, libgd, openssh, perl-Image-ExifTool, python-bleach, and qt4 and qtsvg5), openSUSE (chromium, containerd, docker, runc, djvulibre, htmldoc, kernel, libjpeg-turbo, libopenmpt, libxml2, spice, squid, and ucode-intel), Red Hat (dhcp and glib2), SUSE (apache2, inn, java-1_8_0-openjdk, and webkit2gtk3), and Ubuntu (nettle). --------------------------------------------- https://lwn.net/Articles/860128/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen oder Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0666 ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in OTRS ausnutzen, um einen Denial of Service oder Cross Site Scripting Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0669 ∗∗∗ Security Bulletin: ICU Vulnerability Affects IBM Control Center (CVE-2020-10531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-icu-vulnerability-affects… ∗∗∗ Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying Java vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-c… ∗∗∗ Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying WebSphere Liberty vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-c… ∗∗∗ Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: Vulnerability in the AIX trace facility (CVE-2021-29706) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Multiple JasperReports Vulnerabilities Affect IBM Control Center (CVE-2020-9410, CVE-2018-18809) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-jasperreports-vu… ∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.06.2021
by Daily end-of-shift report 16 Jun '21

16 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-06-2021 18:00 − Mittwoch 16-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Avaddon ransomwares exit sheds light on victim landscape ∗∗∗ --------------------------------------------- A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/avaddon-ransomwares-exit-she… ∗∗∗ Protecting Against Ransomware – From the Human Perspective ∗∗∗ --------------------------------------------- SANS blog post on what ransomware is, how it works, and most importantly, how to empower your workforce to protect against it. --------------------------------------------- https://www.sans.org/blog/protecting-against-ransomware-from-the-human-pers… ∗∗∗ Nokia Deepfield global analysis shows most DDoS attacks originate from fewer than 50 hosting companies ∗∗∗ --------------------------------------------- In-depth analysis across large sample of networks globally fingerprints and traces origins of most DDoS attacks (by frequency and traffic volume)[...] --------------------------------------------- https://www.nokia.com/about-us/news/releases/2021/06/14/nokia-deepfield-glo… ∗∗∗ The First Step: Initial Access Leads to Ransomware ∗∗∗ --------------------------------------------- Ransomware attacks still use email -- but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access… ∗∗∗ Achtung: Amazon-Bestellungen nicht außerhalb der Plattform abwickeln! ∗∗∗ --------------------------------------------- Über Amazon zu bestellen ist für viele ein einfacher Weg, um verschiedenste Produkte an einem Ort zu kaufen. Doch auch auf Amazon stößt man auf betrügerische Angebote! Wenn Amazon-HändlerInnen die Bestellung über E-Mail abwickeln wollen, sollten Sie vorsichtig sein. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-amazon-bestellungen-nicht-au… ∗∗∗ On the Security of RFID-based TOTP Hardware Tokens ∗∗∗ --------------------------------------------- Matthias Deeg und Gerhard Klostermeier untersuchten zwei unterschiedliche RFID-basierte TOTP Hardware-Token, das OTCP-P2 und das Protectimus SLIM NFC. --------------------------------------------- https://www.syss.de/pentest-blog/on-the-security-of-rfid-based-totp-hardwar… ∗∗∗ Ukrainian police arrest Clop ransomware members, seize server infrastructure ∗∗∗ --------------------------------------------- Multiple suspects believed to be linked to the Clop ransomware cartel have been detained in Ukraine this week after a joint operation from law enforcement agencies from Ukraine, South Korea, and the US. --------------------------------------------- https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-sei… ===================== = Vulnerabilities = ===================== ∗∗∗ Qnap: Updates für NAS beseitigen aus der Ferne ausnutzbare Schwachstelle ∗∗∗ --------------------------------------------- Betriebssystem-Updates für Qnaps Netzwerkspeicher (NAS) schließen zwei mit "Medium" bewertete Schwachstellen, von denen eine übers Internet attackierbar ist. --------------------------------------------- https://heise.de/-6072554 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (prosody, python-urllib3, and xen), Fedora (dino, dotnet3.1, dotnet5.0, and vmaf), Oracle (gupnp, kernel, and kernel-container), Red Hat (gupnp), Scientific Linux (kernel), SUSE (java-1_8_0-openjdk, kernel, snakeyaml, and xorg-x11-libX11), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/860004/ ∗∗∗ ZDI-21-502: An Information Disclosure Bug in ISC BIND server ∗∗∗ --------------------------------------------- You should verify you have a patched version of BIND as many OS distributions provide BIND packages that differ from the official ISC release versions. --------------------------------------------- https://www.thezdi.com/blog/2021/6/15/zdi-21-502-an-information-disclosure-… ∗∗∗ Security Advisory - Out-Of-Bounds Read Vulnerability On Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210616-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Stack-based Buffer Overflow vulnerabilities in IBM Spectrum Protect Back-up Archive Client and IBM Spectrum Protect for Space Management (CVE-2021-29672, CVE-2021-20546) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overfl… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affecting IBM Application Discovery and Delivery Intelligence V5.1.0.8, V5.1.0.9 and V6.0.0.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot for VMware (CVE-2020-27221, CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server terminates abnormally when executing a specifically crafted select statement. (CVE-2021-29702) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by an OpenSSL vulnerability (CVE-2020-1968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Resilient App Host secrets are not encrypted (CVE-2021-20567) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-app-host-secret… ∗∗∗ Cross-Site Request Forgery Patched in WP Fluent Forms ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-i… ∗∗∗ Synology-SA-21:21 Audio Station ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_21 ∗∗∗ Trend Micro InterScan Web Security Virtual Appliance: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0660 ∗∗∗ ThroughTek P2P SDK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01 ∗∗∗ Automation Direct CLICK PLC CPU Modules ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-166-02 ∗∗∗ SYSS-2021-022, SYSS-2021-023, SYSS-2021-025, SYSS-2021-026: Mehrere Schwachstellen in HR-Software LOGA3 ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-022-syss-2021-023-syss-2021-025-… ∗∗∗ SYSS-2021-007: Protectimus SLIM NFC – External Control of System or Configuration Setting (CWE-15) (CVE-2021-32033) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-007-protectimus-slim-nfc-externa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.06.2021
by Daily end-of-shift report 15 Jun '21

15 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Montag 14-06-2021 18:00 − Dienstag 15-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Paradise Ransomware source code released on a hacking forum ∗∗∗ --------------------------------------------- The complete source code for the Paradise Ransomware has been released on a hacking forum allowing any would-be cyber criminal to develop their own customized ransomware operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/paradise-ransomware-source-c… ∗∗∗ Andariel evolves to target South Korea with ransomware ∗∗∗ --------------------------------------------- In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. --------------------------------------------- https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomwa… ∗∗∗ Multi Perimeter Device Exploit Mirai Version Hunting For Sonicwall, DLink, Cisco and more, (Tue, Jun 15th) ∗∗∗ --------------------------------------------- Vulnerable perimeter devices remain a popular target, and we do see consistent exploit attempts against them. --------------------------------------------- https://isc.sans.edu/diary/rss/27528 ∗∗∗ Experts Shed Light On Distinctive Tactics Used by Hades Ransomware ∗∗∗ --------------------------------------------- Cybersecurity researchers on Tuesday disclosed "distinctive" tactics, techniques, and procedures (TTPs) adopted by operators of Hades ransomware that set it apart from the rest of the pack, attributing it to a financially motivated threat group called GOLD WINTER. --------------------------------------------- https://thehackernews.com/2021/06/experts-shed-light-on-distinctive.html ∗∗∗ What’s past is prologue – A new world of critical infrastructure security ∗∗∗ --------------------------------------------- Attackers have targeted American critical infrastructure several times over the past few years, putting at risk U.S. electrical grids, oil pipelines and water supply systems. --------------------------------------------- https://blog.talosintelligence.com/2021/06/new-world-after-pipeline-ransomw… ∗∗∗ Tracking Amazon delivery staff ∗∗∗ --------------------------------------------- The Amazon delivery tracking API allows ultra-precise tracking of drivers. Amazon claim that customers can only track the driver for the 10 stops prior to theirs. --------------------------------------------- https://www.pentestpartners.com/security-blog/tracking-amazon-delivery-staf… ∗∗∗ Beantragen Sie Kredite nicht auf ulacglobalfinanzen.com ∗∗∗ --------------------------------------------- Sie sind auf der Suche nach einem Kredit und recherchieren im Internet günstige Konditionen? Möglicherweise kommt Ihnen dann ulacglobalfinanzen.com unter – eine unseriöse Kreditgesellschaft mit großartigen Konditionen und unkomplizierter Abwicklung. Wer dort um einen Kredit ansucht, verliert jedoch Geld und übermittelt Kriminellen persönliche Daten! --------------------------------------------- https://www.watchlist-internet.at/news/beantragen-sie-kredite-nicht-auf-ula… ∗∗∗ Vishing: What is it and how do I avoid getting scammed? ∗∗∗ --------------------------------------------- How do vishing scams work, how do they impact businesses and individuals, and how can you protect yourself, your family and your business? --------------------------------------------- https://www.welivesecurity.com/2021/06/14/vishing-what-is-it-how-avoid-gett… ∗∗∗ Ransomware attacks continue to Surge, hitting a 93% increase year over year ∗∗∗ --------------------------------------------- Number of organizations impacted by ransomware has risen to 1210 in June 2021. Check Point Research sees a 41% increase in attacks since the beginning of 2021 and a 93% increase year over year. --------------------------------------------- https://blog.checkpoint.com/2021/06/14/ransomware-attacks-continue-to-surge… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall schließt Denial-of-Service-Lücke in Firewall-Betriebssystem SonicOS ∗∗∗ --------------------------------------------- Das webbasierte Management-Interface einiger SonicOS-Versionen hätte mittels spezieller POST-Requests lahmgelegt werden können. Updates ändern das. --------------------------------------------- https://heise.de/-6071069 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, dhcp, firefox, glib2, hivex, kernel, postgresql, qemu-kvm, qt5-qtimageformats, samba, and xorg-x11-server), Fedora (kernel and kernel-tools), Oracle (kernel and postgresql), Red Hat (dhcp and gupnp), Scientific Linux (gupnp and postgresql), SUSE (postgresql10 and xterm), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/859842/ ∗∗∗ iOS 12.5.4 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212548 ∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential Cross Site Scripting (XSS) CVE-2020-5000 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2020-1971, CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2020-27221, CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Event Streams is potentially affected by multiple node vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-pote… ∗∗∗ Security Bulletin: Genivia gSOAP vulnerabilities affect IBM Spectrum Protect for Virtual Environments:Data Protection for VMware and Spectrum Protect Client (CVE-2020-13575, CVE-2020-13578, CVE-2020-13574, CVE-2020-13577, CVE-2020-13576, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-genivia-gsoap-vulnerabili… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-13947) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-27290) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.06.2021
by Daily end-of-shift report 14 Jun '21

14 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-06-2021 18:00 − Montag 14-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== *** DDoS Angriffe gegen Unternehmen in Österreich *** --------------------------------------------- Seit einigen Wochen versucht eine Gruppe, die sich "Fancy Lazarus" nennt, mittels DDoS-Angriffen und der Androhung von Folgeangriffen, Schutzgelder zu erpressen. Vergleichbare Angriffe gab es global auch schon ab August 2020 unter ähnlichen Namen. Nachdem wir Meldungen von Partner-CERTs an uns über Angriffe auf Ziele in anderen EU Staaten bekommen haben, sind jetzt auch in Österreich einige Fälle aufgetreten. --------------------------------------------- https://cert.at/de/warnungen/2021/6/ddos-angriffe-gegen-unternehmen-in-oste… ∗∗∗ Password Attacks 101 ∗∗∗ --------------------------------------------- According to the 2020 Data Breaches report by Verizon, 25% of all breaches involved the use of stolen credentials. And for small businesses, that number hit 30%. Brute force attacks have a similar share, accounting for 18% of all breaches, and 34% of those for small businesses. Why are password attacks like brute forcing so effective? And how exactly do they work? Let’s take a look at three kinds of password attacks that present a real threat to sites and businesses of all sizes. --------------------------------------------- https://blog.sucuri.net/2021/06/3-password-attacks-101.html ∗∗∗ Macher der Ransomware Avaddon geben auf und veröffentlichen Schlüssel ∗∗∗ --------------------------------------------- Es ist ein kostenloses Entschlüsselungstool für Opfer des Erpressungstrojaners Avaddon erschienen. --------------------------------------------- https://heise.de/-6070028 ∗∗∗ Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly. --------------------------------------------- https://www.wordfence.com/blog/2021/06/malicious-attack-campaign-targeting-… ∗∗∗ Micropatch for Another Remote Code Execution Issue in Internet Explorer (CVE-2021-31959) ∗∗∗ --------------------------------------------- Windows Updates brought a fix for another "Exploitation More Likely" memory corruption vulnerability in Scripting Engine (CVE-2021-26419) discovered by Ivan Fratric of Google Project Zero, very similar to this vulnerability discovered also discovered by Ivan and patched in May.Ivan published details and a proof-of-concept three days ago and we took these to reproduce the vulnerability in our lab and create a micropatch for it. --------------------------------------------- https://blog.0patch.com/2021/06/micropatch-for-another-remote-code.html ∗∗∗ Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs ∗∗∗ --------------------------------------------- I recently came across an interesting bug in the Microsoft Power Apps service which, despite its simplicity, can be leveraged by an attacker to gain persistent read/write access to a victim user’s email, Teams chats, OneDrive, Sharepoint and a variety of other services by way of a malicious Microsoft Teams tab and Power Automate flows. The bug has since been fixed by Microsoft, but in this blog we’re going to see how it /could/ have been exploited. --------------------------------------------- https://medium.com/tenable-techblog/stealing-tokens-emails-files-and-more-i… ===================== = Vulnerabilities = ===================== ∗∗∗ High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin ∗∗∗ --------------------------------------------- We initially reached out to the plugin’s developer on May 21, 2021. After receiving confirmation of an appropriate communication channel, we provided the full disclosure details on May 24, 2021. A patch was quickly released on May 28, 2021 in version 2.6.0. We highly recommend updating to the latest patched version available, 2.6.0, immediately. --------------------------------------------- https://www.wordfence.com/blog/2021/06/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache, gitlab, inetutils, isync, kube-apiserver, nettle, polkit, python-urllib3, python-websockets, thunderbird, and wireshark-cli), Debian (squid3), Fedora (glibc, libxml2, mingw-openjpeg2, and openjpeg2), Mageia (djvulibre, docker-containerd, exif, gnuchess, irssi, jasper, kernel, kernel-linus, microcode, python-lxml, python-pygments, rust, slurm, and wpa_supplicant, hostapd), openSUSE (389-ds and pam_radius), Oracle (.NET Core 3.1, container-tools:3.0, container-tools:ol8, krb5, microcode_ctl, postgresql:12, postgresql:13, and runc), Red Hat (dhcp, postgresql, postgresql:10, postgresql:12, postgresql:9.6, rh-postgresql10-postgresql, rh-postgresql12-postgresql, and rh-postgresql13-postgresql), Scientific Linux (dhcp and microcode_ctl), SUSE (ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone, crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store, freeradius-server, libjpeg-turbo, spice, and squid), and Ubuntu (rpcbind). --------------------------------------------- https://lwn.net/Articles/859669/ ∗∗∗ Security Bulletin: Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential caching vulnerability (CVE-2020-5003 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-financi… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-23337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-13947) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ CISA Releases Advisory on ZOLL Defibrillator Dashboard ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/14/cisa-releases-adv… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.06.2021
by Daily end-of-shift report 11 Jun '21

11 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-06-2021 18:00 − Freitag 11-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Keeping an Eye on Dangerous Python Modules, (Fri, Jun 11th) ∗∗∗ --------------------------------------------- With Python getting more and more popular, especially on Microsoft Operating systems, it's common to find malicious Python scripts today. --------------------------------------------- https://isc.sans.edu/diary/rss/27514 ∗∗∗ SQL Injection: Gezielte Maßnahmen statt Block Lists ∗∗∗ --------------------------------------------- Bei Schwachstellen im Web nimmt SQL Injection nach wie vor eine führende Rolle ein, dabei ist die Abwehr gar nicht schwer. --------------------------------------------- https://heise.de/-6067640 ∗∗∗ Why hackers don’t fly coach ∗∗∗ --------------------------------------------- Physical security is relied on too heavily for cabin-based systems on the Airline Information Services Domain (AISD). --------------------------------------------- https://www.pentestpartners.com/security-blog/why-hackers-dont-fly-coach/ ∗∗∗ Unbefugter Zugriff auf Ihr PayPal-Konto? Ignorieren Sie diese E-Mail! ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle eine Phishing-Mail im Namen von PayPal. Angeblich gäbe es ungewöhnliche Aktivitäten auf Ihrem PayPal-Konto. Daher müssten Sie sich einloggen und Ihre Identität bestätigen. Gehen Sie nicht auf die Forderungen ein. Kriminelle versuchen Zugang zu Ihrem PayPal-Konto zu bekommen. --------------------------------------------- https://www.watchlist-internet.at/news/unbefugter-zugriff-auf-ihr-paypal-ko… ∗∗∗ Proxy Windows Tooling via SOCKS ∗∗∗ --------------------------------------------- Leveraging SOCKS to proxy tools from a Windows attacker machine through a compromised host is a topic that contains some nuance and room for confusion. --------------------------------------------- https://posts.specterops.io/proxy-windows-tooling-via-socks-c1af66daeef3 ∗∗∗ BackdoorDiplomacy: Upgrading from Quarian to Turian ∗∗∗ --------------------------------------------- ESET researchers discover a new campaign that evolved from the Quarian backdoor. --------------------------------------------- https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quari… ∗∗∗ Breaking SSL Locks: App Developers Behaving Badly ∗∗∗ --------------------------------------------- Symantec analyzed five years’ worth of Android and iOS apps to see how many are sending data securely. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mo… ∗∗∗ Authorities seize SlilPP, a marketplace for stolen login credentials ∗∗∗ --------------------------------------------- The US Department of Justice announced today it seized the servers and domains of SlilPP, a well-known online marketplace where criminal groups assembled to trade stolen login credentials. --------------------------------------------- https://therecord.media/authorities-seize-slilpp-a-marketplace-for-stolen-l… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers can exploit bugs in Samsung pre-installed apps to spy on users ∗∗∗ --------------------------------------------- Samsung is working on patching multiple vulnerabilities affecting its mobile devices that could be used for spying or to take full control of the system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-can-exploit-bugs-in-… ∗∗∗ Qnap sichert Switches und Netzwerkspeicher vor unberechtigten Zugriffen ab ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Netzwerkgeräte von Qnap. --------------------------------------------- https://heise.de/-6068667 ∗∗∗ Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug (GitHub blog) ∗∗∗ --------------------------------------------- On the GitHub blog, Kevin Backhouse writes about a privilege escalation vulnerability in polkit, which enables an unprivileged local user to get a root shell on the system. CVE-2021-3560 is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request. --------------------------------------------- https://lwn.net/Articles/859064/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libwebp), Fedora (firefox, lasso, mod_auth_openidc, nginx, redis, and squid), Oracle (.NET 5.0, container-tools:2.0, dhcp, gupnp, hivex, kernel, krb5, libwebp, nginx:1.16, postgresql:10, and postgresql:9.6), SUSE (containerd, docker, runc, csync2, and salt), and Ubuntu (libimage-exiftool-perl, libwebp, and rpcbind). --------------------------------------------- https://lwn.net/Articles/859192/ ∗∗∗ WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN70566757/ ∗∗∗ Sonicwall SRA 4600 Targeted By an Old Vulnerability, (Fri, Jun 11th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/27518 ∗∗∗ ZDI-21-682: (0Day) D-Link DAP-1330 HNAP Cookie Header Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-682/ ∗∗∗ ZDI-21-681: (0Day) D-Link DAP-1330 lighttpd http_parse_request Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-681/ ∗∗∗ ZDI-21-680: (0Day) D-Link DAP-1330 lighttpd get_soap_action Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-680/ ∗∗∗ ZDI-21-679: (0Day) D-Link DAP-1330 HNAP checkValidRequest Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-679/ ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability (CVE-2021-29754) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects TPF Toolkit ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to cacheable SSL Pages (CVE-2021-20396) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy… ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0652 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.06.2021
by Daily end-of-shift report 10 Jun '21

10 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-06-2021 18:00 − Donnerstag 10-06-2021 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Cloud Atlas Navigates Us Into New Waters ∗∗∗ --------------------------------------------- Learn how to interpret nameserver activity to enumerate infrastructure in the context of a recent Cloud Atlas example investigated by Senior Security Researcher, Chad Anderson. --------------------------------------------- https://www.domaintools.com/resources/blog/cloud-atlas-navigates-us-into-ne… ∗∗∗ BloodHound – Sniffing Out the Path Through Windows Domains ∗∗∗ --------------------------------------------- BloodHound is as a tool allowing for the analysis of AD rights and relations, focusing on the ones that an attacker may abuse. --------------------------------------------- https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-doma… ∗∗∗ Quarterly Report: Incident Response trends from Spring 2021 ∗∗∗ --------------------------------------------- While the security community made a great effort to warn users of the exploitation of several Microsoft Exchange Server zero-day vulnerabilities, it was still the biggest threat Cisco Talos Incident Response (CTIR) saw this past quarter. --------------------------------------------- https://blog.talosintelligence.com/2021/06/quarterly-report-incident-respon… ∗∗∗ CISA Addresses the Rise in Ransomware Targeting Operational Technology Assets ∗∗∗ --------------------------------------------- CISA has published the Rising Ransomware Threat to OT Assets fact sheet in response to the recent increase in ransomware attacks targeting operational technology (OT) assets and control systems. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/09/cisa-addresses-ri… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Attacken auf Googles Webbrowser Chrome könnten bevorstehen ∗∗∗ --------------------------------------------- Es ist eine gegen verschiedene Attacken abgesicherte Version des Webbrowsers Chrome erschienen. --------------------------------------------- https://heise.de/-6067353 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (htmldoc, lasso, and rails), Fedora (exiv2, firefox, and microcode_ctl), openSUSE (python-HyperKitty), Oracle (389-ds-base, qemu-kvm, qt5-qtimageformats, and samba), Red Hat (container-tools:3.0, container-tools:rhel8, postgresql:12, and postgresql:13), Scientific Linux (389-ds-base, hivex, libwebp, qemu-kvm, qt5-qtimageformats, samba, and thunderbird), SUSE (caribou, djvulibre, firefox, gstreamer-plugins-bad, kernel, libopenmpt, libxml2, --------------------------------------------- https://lwn.net/Articles/859008/ ∗∗∗ ZOLL Defibrillator Dashboard ∗∗∗ --------------------------------------------- This advisory contains mitigations for Unrestricted Upload of File with Dangerous Type, Use of Hard-coded Cryptographic Key, Cleartext Storage of Sensitive Information, Cross-site Scripting, Storing Passwords in a Recoverable Format, and Improper Privilege Management vulnerabilities in the ZOLL Defibrillator Dashboard software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-161-01 ∗∗∗ Rockwell Automation FactoryTalk Services Platform ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Protection Mechanism Failure vulnerability in Rockwell Automations Factory Talk Services Platform software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-161-01 ∗∗∗ AGG Software Web Server Plugin ∗∗∗ --------------------------------------------- This advisory contains mitigations for Path Traversal, and Cross-site Scripting vulnerabilities in AGG Softwares Server Plugin. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-161-02 ∗∗∗ Security Advisory - Resource Management Error Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210609-… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Eclipse Jetty (CVE-2021-28163, CVE-2021-28164, CVE-2021-28165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2020-5024, CVE-2020-5025, CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX316324 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.06.2021
by Daily end-of-shift report 09 Jun '21

09 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-06-2021 18:00 − Mittwoch 09-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Intel fixes 73 vulnerabilities in June 2021 Platform Update ∗∗∗ --------------------------------------------- Intel has addressed 73 security vulnerabilities as part of the June 2021 Patch Tuesday, including high severity ones impacting some versions of Intels Security Library and the BIOS firmware for Intel processors. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/intel-fixes-73-vulnerabiliti… ∗∗∗ PuzzleMaker attacks with Chrome zero-day exploit chain ∗∗∗ --------------------------------------------- We detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. --------------------------------------------- https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/ ∗∗∗ Alpaca-Attacke: Angreifer könnten mit TLS gesicherte Verbindungen attackieren ∗∗∗ --------------------------------------------- Sicherheitsforscher zeigen theoretische Attacken auf TLS-Verbindungen. Angreifer könnten beispielsweise Sessions kapern. --------------------------------------------- https://heise.de/-6066915 ∗∗∗ Nameless Malware Discovered by NordLocker is Now in Have I Been Pwned ∗∗∗ --------------------------------------------- [...] they're sitting on a bunch of compromised personal info, now what? As with the two law enforcement agencies, NordLocker's goal is to inform impacted parties which is where HIBP comes in so as of now, all 1,121,484 compromised email addresses are searchable. --------------------------------------------- https://www.troyhunt.com/nameless-malware-discovered-by-nordlocker-is-now-i… ∗∗∗ Cisco Smart Install Protocol Still Abused in Attacks, 5 Years After First Warning ∗∗∗ --------------------------------------------- Cisco’s Smart Install protocol is still being abused in attacks — five years after the networking giant issued its first warning — and there are still roughly 18,000 internet-exposed devices that could be targeted by hackers. --------------------------------------------- https://www.securityweek.com/cisco-smart-install-protocol-still-abused-atta… ∗∗∗ Kleinanzeigen-Betrug: Potenzielle KäuferInnen wollen Zahlung über DHL abwickeln ∗∗∗ --------------------------------------------- Aktuell wenden Kriminelle in Kleinanzeigenplattformen wie willhaben, shpock und Co vermehrt den DHL-Trick an, um VerkäuferInnen Geld zu stehlen. Dabei geben sich Kriminelle als KäuferInnen aus und schlagen vor, die Zahlung über DHL abzuwickeln. Sie behaupten, DHL verwalte nun Zahlungen, um KäuferInnen und VerkäuferInnen eine sichere Abwicklung zu ermöglichen. In Wahrheit stecken die Kriminellen hinter den DHL-Nachrichten und versuchen so an Ihr Geld zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigen-betrug-potenzielle-kae… ∗∗∗ The Sysrv-hello Cryptojacking Botnet: Here’s What’s New ∗∗∗ --------------------------------------------- The Sysrv-hello botnet is deployed on both Windows and Linux systems by exploiting multiple vulnerabilities and deployed via shell scripts. Like many of the threat actor tools weve covered, it continuously evolves to fit the needs of its operators and stay ahead of security researchers and law enforcement. Over time, there have been several slight changes in the shell scripts that install the Sysrv-hello implant on machines. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptoja… ===================== = Vulnerabilities = ===================== ∗∗∗ Unsachgemäße Authentifizierung in SAP NetWeaver ABAP Server und ABAP Platform ∗∗∗ --------------------------------------------- Im Rahmen des Patchdays Juni 2021 veröffentlichte die SAP SE den Sicherheitshinweis 3007182, der einen schwerwiegenden Design-Fehler adressiert,… --------------------------------------------- https://sec-consult.com/de/blog/detail/unsachgemaesse-authentifizierung-in-… ∗∗∗ Updates verfügbar: Schwachstellen in Message-Brokern RabbitMQ, EMQ X und VerneMQ ∗∗∗ --------------------------------------------- Die Message-Broker sind für Denial-of-Service-Angriffe über das IoT-Protokoll MQTT anfällig. Aktuelle Patches sind verfügbar, Sie sollten sie schnell anwenden. --------------------------------------------- https://heise.de/-6065996 ∗∗∗ XSA-375 - Speculative Code Store Bypass ∗∗∗ --------------------------------------------- Impact: An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. Resolution: Applying the appropriate attached patch resolves this issue. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-375.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (eterm, mrxvt, and rxvt), Mageia (cgal, curl, exiv2, polkit, squid, thunderbird, and upx), openSUSE (firefox and libX11), Oracle (libwebp, nginx:1.18, and thunderbird), Red Hat (.NET 5.0, .NET Core 3.1, 389-ds-base, dhcp, gupnp, hivex, kernel, kernel-rt, libldb, libwebp, microcode_ctl, nettle, postgresql:10, postgresql:9.6, qemu-kvm, qt5-qtimageformats, rh-dotnet50-dotnet, and samba), SUSE (apache2-mod_auth_openidc, firefox, gstreamer-plugins-bad, kernel, libX11, pam_radius, qemu, runc, spice, and spice-gtk), and Ubuntu (intel-microcode and rpcbind). --------------------------------------------- https://lwn.net/Articles/858832/ ∗∗∗ Dell PowerEdge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- DSA-2021-078: Dell PowerEdge Server Security Advisory for a Trusted Platform Module (TPM) 1.2 Firmware Vulnerability DSA-2021-103: Dell PowerEdge Server Security Update for BIOS Vulnerabilities --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0628 ∗∗∗ Xen: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Xen ausnutzen, um Informationen offenzulegen, seine Privilegien zu erhöhen oder einen Denial of Service Zustand herbeizuführen. * XSA-377: x86: TSX Async Abort protections not restored after S3 * XSA-374: Guest triggered use-after-free in Linux xen-netback * XSA-373: inappropriate x86 IOMMU timeout detection / handling * XSA-372: xen/arm: Boot modules are not scrubbed --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0627 ∗∗∗ Multiple vulnerabilities in Bosch IP cameras ∗∗∗ --------------------------------------------- BOSCH-SA-478243-BT: Multiple vulnerabilities for Bosch IP cameras have been discovered in a Penetration Test from Kaspersky ICS CERT during a certification effort from Bosch. Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment.Customers are strongly advised to upgrade to the fixed versions. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates. * APSB21-36 Security update available for Adobe Connect * APSB21-37 Security update available for Adobe Acrobat and Reader * APSB21-38 Security update available for Adobe Photoshop * APSB21-39 Security update available for Adobe Experience Manager * APSB21-41 Security update available for Adobe Creative Cloud Desktop Application * APSB21-44 Security update available for Adobe RoboHelp Server * APSB21-46 Security update available for Adobe Photoshop Elements * APSB21-47 Security update available for Adobe Premiere Elements * APSB21-49 Security update available for Adobe After Effects * APSB21-50 Security update available for Adobe Animate --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/08/adobe-releases-se… ∗∗∗ Security Bulletin: IBM Event Streams is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) stores keystore passwords in plain after a manuel edit, which can be read by a local user. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Nettle cryptography library vulnerability CVE-2021-20305 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33101555?utm_source=f5support&utm_mediu… ∗∗∗ Linux kernel vulnerability CVE-2019-11811 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01512680?utm_source=f5support&utm_mediu… ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01 ∗∗∗ Open Design Alliance Drawings SDK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-02 ∗∗∗ AVEVA InTouch ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-03 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-04 ∗∗∗ Schneider Electric Modicon X80 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-05 ∗∗∗ Thales Sentinel LDK Run-Time Environment ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.06.2021
by Daily end-of-shift report 08 Jun '21

08 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Montag 07-06-2021 18:00 − Dienstag 08-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft Office MSGraph vulnerability could lead to code execution ∗∗∗ --------------------------------------------- Microsoft today will release a patch for a vulnerability affecting the Microsoft Office MSGraph component, responsible for displaying graphics and charts, that could be exploited to execute code on a target machine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-office-msgraph-vul… ∗∗∗ Picture this: Malware Hides in Steam Profile Images ∗∗∗ --------------------------------------------- SteamHide abuses the gaming platform Steam to serve payloads for malware downloaders. Malware operators can also update already infected machines by adding new profile images to Steam. The developers seem to have a few more ambitious goals. --------------------------------------------- https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images ∗∗∗ Sicherheitslücke FragAttacks: FritzOS-Updates für alte Fritzboxen ∗∗∗ --------------------------------------------- Der Mittelklasse-Router Fritzbox 3490 aus dem Jahr 2014 bekommt das aktuelle FritzOS 7.27 spendiert. Weitere Altmodelle könnten folgen. --------------------------------------------- https://heise.de/-6065367 ∗∗∗ Patchday Android: Kritische System- und Qualcomm-Lücken geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Android-Geräte attackieren und unter anderem Informationen leaken oder sogar Schadcode ausführen. --------------------------------------------- https://heise.de/-6064923 ∗∗∗ Organizations Warned About DoS Flaws in Popular Open Source Message Brokers ∗∗∗ --------------------------------------------- Organizations have been warned about denial of service (DoS) vulnerabilities found in RabbitMQ, EMQ X and VerneMQ, three widely used open source message brokers. --------------------------------------------- https://www.securityweek.com/organizations-warned-about-dos-flaws-popular-o… ∗∗∗ Vorsicht vor Werbung unseriöser Online-Shops! ∗∗∗ --------------------------------------------- Egal ob Facebook, Instagram, Tiktok oder Google: All diese Plattformen sind für Unternehmen attraktive Kanäle, um ihre Werbung zu platzieren. Das gilt allerdings nicht nur für seriöse, sondern auch für unseriöse Unternehmen. Immer wieder melden LeserInnen der Watchlist Internet, dass sie durch Werbeeinschaltungen auf einen problematischen Online-Shop gestoßen sind. Eine aktuelle Untersuchung der Arbeiterkammer Wien in Zusammenarbeit mit der Watchlist Internet [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-werbung-unserioeser-onl… ∗∗∗ TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint ∗∗∗ --------------------------------------------- We have identified indicators traditionally pointing to WatchDog operations being used by the TeamTNT cryptojacking group. --------------------------------------------- https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operatio… ===================== = Vulnerabilities = ===================== ∗∗∗ Wago: Updates fixen gefährliche Lücken in industriellen Steuerungssystemen ∗∗∗ --------------------------------------------- Seit Mai veröffentlicht Wago nach und nach wichtige Firmware-Updates gegen kritische Lücken in speicherprogrammierbaren Steuerungen (PLC) der Serie 750. --------------------------------------------- https://heise.de/-6065199 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nginx), Fedora (musl), Mageia (dnsmasq, firefox, graphviz, libebml, libpano13, librsvg, libxml2, lz4, mpv, tar, and vlc), openSUSE (csync2, python-py, and snakeyaml), Oracle (qemu), Red Hat (container-tools:2.0, kernel, kpatch-patch, nettle, nginx:1.16, and rh-nginx116-nginx), Slackware (httpd and polkit), SUSE (389-ds, gstreamer-plugins-bad, shim, and snakeyaml), and Ubuntu (gnome-autoar and isc-dhcp). --------------------------------------------- https://lwn.net/Articles/858644/ ∗∗∗ SAP Patchday Juni ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0616 ∗∗∗ Citrix Cloud Connector Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX316690 ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX297155 ∗∗∗ SSA-133038: Multiple Modfem File Parsing Vulnerabilities in Simcenter Femap ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-133038.txt ∗∗∗ SSA-200951: Multiple Vulnerabilities in Third-Party Component libcurl of TIM Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-200951.txt ∗∗∗ SSA-208356: DFT File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-208356.txt ∗∗∗ SSA-211752: Multiple NTP-Client Related Vulnerabilities in SIMATIC NET CP 443-1 OPC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt ∗∗∗ SSA-419820: Denial-of-Service Vulnerability in TIM 1531 IRC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-419820.txt ∗∗∗ SSA-522654: Privilege Escalation Vulnerability in Mendix SAML Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-522654.txt ∗∗∗ SSA-645530: TIFF File Parsing Vulnerability in JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-645530.txt --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Privilege Escalation vulnerability (CVE-2020-4952) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Applications 4.3 nodejs and nodejs-express Appsody stacks is vulnerable to information disclosure, buffer overflow and prototype pollution exposures ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applica… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.06.2021
by Daily end-of-shift report 07 Jun '21

07 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-06-2021 18:00 − Montag 07-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Angreifer attackieren VMware vCenter Server ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen davor, dass Angreifer es auf eine kritische Lücke in vCenter Server abgesehen haben. --------------------------------------------- https://heise.de/-6063523 ∗∗∗ Exploit für kritische Lücke in Rocket.Chat veröffentlicht ∗∗∗ --------------------------------------------- Wer die im Mai geschlossene kritische Lücke in Rocket.Chat noch nicht gefixt hat, sollte das schleunigst nachholen. --------------------------------------------- https://heise.de/-6063795 ∗∗∗ Malware family naming hell is our own fault ∗∗∗ --------------------------------------------- EternalPetya has more than 10 different names. Many do not realize that CryptoLocker is long dead. These are not isolated cases but symptoms of a systemic problem: The way we name malware does not work. Why does it happen and how can we solve it? --------------------------------------------- https://www.gdatasoftware.com/blog/malware-family-naming-hell ∗∗∗ Gootkit: the cautious Trojan ∗∗∗ --------------------------------------------- Gootkit is complex multi-stage banking malware capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots and lots of other malicious actions. Its loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms. --------------------------------------------- https://securelist.com/gootkit-the-cautious-trojan/102731/ ∗∗∗ OSX/Hydromac ∗∗∗ --------------------------------------------- In this guest blog post, the security researcher Taha Karim of ConfiantIntel, dives into a new macOS adware specimen: Hydromac. --------------------------------------------- https://objective-see.com/blog/blog_0x65.html ∗∗∗ WordPress Redirect Hack via Test0.com/Default7.com ∗∗∗ --------------------------------------------- Malicious redirect is a type of hack where website visitors are automatically redirected to some third-party website: usually it’s some malicious resource, scam site or a commercial site that buys traffic from cyber criminals (e.g. counterfeit drugs or replica merchandise). Types of Malicious Redirects There are two major types of malicious redirects: server-side redirects and client-side redirects. --------------------------------------------- https://blog.sucuri.net/2021/06/wordpress-redirect-hack-via-test0-com-defau… ∗∗∗ Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments ∗∗∗ --------------------------------------------- The main purpose of Siloscape is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers. --------------------------------------------- https://unit42.paloaltonetworks.com/siloscape/ ∗∗∗ This phishing email is pushing password-stealing malware to Windows PCs ∗∗∗ --------------------------------------------- An old form of trojan malware has been updated with new abilities, warn cybersecurity researchers. --------------------------------------------- https://www.zdnet.com/article/this-phishing-email-is-pushing-password-steal… ∗∗∗ Hacking space: How to pwn a satellite ∗∗∗ --------------------------------------------- Hacking an orbiting satellite is not light years away - here’s how things can go wrong in outer space --------------------------------------------- https://www.welivesecurity.com/2021/06/07/hacking-space-how-pwn-satellite/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libwebp, python-django, ruby-nokogiri, and thunderbird), Fedora (dhcp, polkit, transfig, and wireshark), openSUSE (chromium, inn, kernel, redis, and umoci), Oracle (pki-core:10.6), Red Hat (libwebp, nginx:1.18, rh-nginx118-nginx, and thunderbird), SUSE (gstreamer-plugins-bad), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle). --------------------------------------------- https://lwn.net/Articles/858561/ ∗∗∗ Microsoft Edge: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0612 ∗∗∗ Apache HTTP Server: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0611 ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0613 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: cURL libcurl vulnerabilites impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-curl-libcurl-vulnerabilit… ∗∗∗ Security Bulletin: OpenSSL vulnerabilites impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0 and earlier (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-im… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect JRE in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Elastic Storage Server GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to a DoS attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: OpenSSL vulnerability impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0, and earlier (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-imp… ∗∗∗ Security Bulletin: IBM DataPower Gateway GUI permits use of GET ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-gui… ∗∗∗ Security Bulletin: WebSphere Application Server ND is vulnerable to Directory Traversal vulnerability (CVE-2021-20517) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.06.2021
by Daily end-of-shift report 04 Jun '21

04 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-06-2021 18:00 − Freitag 04-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht: Phishing-Mail von World4You im Umlauf! ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit eine gefälschte World4You-Phishingmail an Webseiten-BetreiberInnnen. Darin heißt es, dass die registrierte Domain der EmpfängerInnen abläuft und daher verlängert werden muss. Gehen Sie nicht auf die Zahlungsforderung ein. Denn das Geld und Ihre Kreditkartendaten landen direkt in den Händen von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-phishing-mail-von-world4you… ∗∗∗ Schlupflöcher für Schadcode in Videokonferenz-Software Cisco Webex geschlossen ∗∗∗ --------------------------------------------- Cisco hat Sicherheitsupdates für mehrere Produkte wie Router und Webex veröffentlicht. --------------------------------------------- https://heise.de/-6062229 ∗∗∗ Email spoofing: how attackers impersonate legitimate senders ∗∗∗ --------------------------------------------- This article analyzes different ways of the spoofing email addresses through changing the From header, which provides information about the senders name and address. --------------------------------------------- https://securelist.com/email-spoofing-types/102703/ ∗∗∗ Exchange Servers Targeted by ‘Epsilon Red’ Malware ∗∗∗ --------------------------------------------- REvil threat actors may be behind a set of PowerShell scripts developed for encryption and weaponized to exploit vulnerabilities in corporate networks, the ransom note suggests. --------------------------------------------- https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/ ∗∗∗ How to hack into 5500 accounts… just using “credential stuffing” ∗∗∗ --------------------------------------------- Passwords - dont just pay them lip service. --------------------------------------------- https://nakedsecurity.sophos.com/2021/06/04/how-to-hack-into-5500-accounts-… ∗∗∗ Russian Dolls VBS Obfuscation, (Fri, Jun 4th) ∗∗∗ --------------------------------------------- We received an interesting sample from one of our readers (thanks Henry!) and we like this. If you find something interesting, we are always looking for fresh meat! Henry's sample was delivered in a password-protected ZIP archive and the file was a VBS script called "presentation_37142.vbs" --------------------------------------------- https://isc.sans.edu/diary/rss/27494 ∗∗∗ Build, Hack, and Defend Azure Identity ∗∗∗ --------------------------------------------- An Introduction to PurpleCloud Hybrid + Identity Cyber Range --------------------------------------------- https://www.sans.org/blog/build-hack-defend-azure-identity?msc=rss ∗∗∗ Necro Python bot adds new exploits and Tezos mining to its bag of tricks ∗∗∗ --------------------------------------------- Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and improving its chances of [...] --------------------------------------------- https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks… ∗∗∗ Organizations Warned: STUN Servers Increasingly Abused for DDoS Attacks ∗∗∗ --------------------------------------------- Application and network performance management company NETSCOUT warned organizations this week that STUN servers have been increasingly abused for distributed denial-of-service (DDoS) attacks, and there are tens of thousands of servers that could be abused for such attacks by malicious actors. --------------------------------------------- https://www.securityweek.com/organizations-warned-stun-servers-increasingly… ∗∗∗ ESET Threat Report T1 2021 ∗∗∗ --------------------------------------------- A view of the T1 2021 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts The post ESET Threat Report T1 2021 appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2021/06/03/eset-threat-report-t12021/ ∗∗∗ WebLogic RCE Leads to XMRig ∗∗∗ --------------------------------------------- This report will review an intrusion where, the threat actor took advantage of a WebLogic remote code execution vulnerability (CVE-2020–14882) to gain initial access to the system before installing [...] --------------------------------------------- https://thedfirreport.com/2021/06/03/weblogic-rce-leads-to-xmrig/ ∗∗∗ CISA Releases Best Practices for Mapping to MITRE ATT&CK® ∗∗∗ --------------------------------------------- As part of an effort to encourage a common language in threat actor analysis, CISA has released Best Practices for MITRE ATT&CK® Mapping. The guide shows analysts—through instructions and examples—how to map adversary behavior to the MITRE ATT&CK framework. CISA created this guide in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), a DHS-owned R&D center operated by MITRE, which [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/02/cisa-releases-bes… ∗∗∗ FontPack: A dangerous update ∗∗∗ --------------------------------------------- Attribution secrets: Who is behind stealing credentials and bank card data by asking to install fake Flash Player, browser or font updates? --------------------------------------------- https://blog.group-ib.com/fontpack ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat Advisories zu 13 Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, fünf als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, curl, dhclient, dhcp, firefox, keycloak, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, opera, packagekit, pam-u2f, postgresql, rabbitmq, redis, ruby-bundler, and zint), Debian (caribou, firefox-esr, imagemagick, and isc-dhcp), Fedora (mapserver, mingw-python-pillow, and python-pillow), openSUSE (chromium), Red Hat (firefox, glib2, pki-core:10.6, polkit, rh-ruby26-ruby, and rh-ruby27-ruby), SUSE [...] --------------------------------------------- https://lwn.net/Articles/858144/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lasso), Fedora (mingw-djvulibre, mingw-exiv2, python-lxml, and singularity), openSUSE (ceph, dhcp, inn, nginx, opera, polkit, upx, and xstream), Oracle (firefox, perl, and polkit), Scientific Linux (firefox), SUSE (avahi, csync2, djvulibre, libwebp, polkit, python-py, slurm, slurm_18_08, thunderbird, and umoci), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, [...] --------------------------------------------- https://lwn.net/Articles/858331/ ∗∗∗ Advantech iView ∗∗∗ --------------------------------------------- This advisory contains mitigations for Missing Authentication for Critical Function, and SQL Injection vulnerabilities in Advantech iView IoT device management application. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-154-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Advisory - Command Injection Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602… ∗∗∗ Security Advisory - Race Condition Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602… ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0610 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.06.2021
by Daily end-of-shift report 02 Jun '21

02 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-06-2021 18:00 − Mittwoch 02-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Producing a trustworthy x86-based Linux appliance ∗∗∗ --------------------------------------------- Lets say youre building some form of appliance on top of general purpose x86 hardware. You want to be able to verify the software its running hasnt been tampered with. Whats the best approach with existing technology? --------------------------------------------- https://mjg59.dreamwidth.org/57199.html ∗∗∗ Cobalt Strike, a penetration testing tool abused by criminals ∗∗∗ --------------------------------------------- Cobalt Strike is a pen-testing tool that often ends up in the hands of cybercriminals. Are we providing them with the tools to attack us? ... If you were to compose a list of tools and software developed by security and privacy defenders that ended up being abused by the bad guys, then Cobalt Strike would unfortunately be near the top of the list. Maybe only Metasploit could give it a run for the first place ranking. --------------------------------------------- https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-pe… ∗∗∗ Jugendliche im Visier von Online‑Betrügern: 5 gängige Tricks ∗∗∗ --------------------------------------------- Von gefälschten Designerprodukten bis hin zu verlockenden Jobangeboten – wir stellen fünf verbreitete Betrugsmethoden vor, mit denen Kriminelle es auf Geld und Daten von Teenagern abgesehen haben --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/06/01/jugendliche-im-visier-von… ∗∗∗ Webseiten-BetreiberInnen aufgepasst: TM Österreich versendet betrügerische Mail! ∗∗∗ --------------------------------------------- Webseiten-BetreiberInnen melden uns ein betrügerisches E-Mail der TM Österreich. Dort wird behauptet, dass jemand Ihre Domain mit einer anderen Endung registrieren möchte. TM Österreich bietet Ihnen an, diese zusätzliche Domain zu registrieren, um so Probleme wie Umsatzeinbußen oder Imageschäden zu vermeiden. Vorsicht: TM Österreich ist Fake. Nehmen Sie daher das Angebot auf keinen Fall an! --------------------------------------------- https://www.watchlist-internet.at/news/webseiten-betreiberinnen-aufgepasst-… ∗∗∗ Shodan Verified Vulns 2021-06-01 ∗∗∗ --------------------------------------------- Mit Stand 2021-06-01 boten unsere Shodan-Daten folgendes Bild der Schwachstellen in Österreich: Wie zu erwarten war, ist die Anzahl der verwundbaren Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) weiter zurückgegangen; laut unseren aktuellsten Scans ist die Zahl mittlerweile sogar unter 100. --------------------------------------------- https://cert.at/de/aktuelles/2021/6/shodan-verified-vulns-2021-06-01 ===================== = Vulnerabilities = ===================== ∗∗∗ Revisiting Realtek – A New Set of Critical Wi-Fi Vulnerabilities Discovered by Automated Zero-Day Analysis ∗∗∗ --------------------------------------------- On February 3rd we responsibly disclosed six critical issues in the Realtek RTL8195A Wi-Fi module... Following that successful detection and disclosure, we expanded our analysis to additional modules. This new analysis resulted in two new critical vulnerabilities discovered by scanning the modules in Vdoo’s product security platform, which contains a unique proprietary capability of detecting potential zero-days automatically. The new vulnerabilities werefixed by Realtek, following another responsible disclosure. --------------------------------------------- https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day/ ∗∗∗ Overview of F5 vulnerabilities (June 2021) ∗∗∗ --------------------------------------------- On June 1, 2021, F5 announced the following security issues. High CVEs * K08503505: BIG-IP Edge Client for Windows vulnerability CVE-2021-23022, CVSS score: 7.0 (High) * K33757590: BIG-IP Edge Client for Windows vulnerability CVE-2021-23023, CVSS score: 7.0 (High) Medium CVEs * K06024431: BIG-IQ vulnerability CVE-2021-23024, CVSS score: 6.5 (Medium) --------------------------------------------- https://support.f5.com/csp/article/K67501282 ∗∗∗ Critical 0-day in Fancy Product Designer Under Active Attack ∗∗∗ --------------------------------------------- On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites. ... Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected. --------------------------------------------- https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-desi… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (squid), Fedora (dhcp), openSUSE (gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly and slurm), Oracle (glib2 and kernel), Red Hat (kernel, kernel-rt, perl, and tcpdump), Scientific Linux (glib2), SUSE (bind, dhcp, lz4, and shim), and Ubuntu (dnsmasq, lasso, and python-django). --------------------------------------------- https://lwn.net/Articles/857978/ ∗∗∗ Synology DiskStation Manager: Schwachstelle ermöglichen Codeausführung ∗∗∗ --------------------------------------------- CVE-2021-29088 Ein lokaler Angreifer kann eine Schwachstellen in Synology DiskStation Manager ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0596 ∗∗∗ XSS vulnerability found in popular WYSIWYG website editor [Froala] ∗∗∗ --------------------------------------------- ...the bug, tracked as CVE-2021-28114, impacts Froala version 3.2.6 and earlier. Froala is a lightweight What-You-See-Is-What-You-Get (WYSIWYG) HTML rich text editor for developers and content creators. --------------------------------------------- https://www.zdnet.com/article/xss-vulnerability-found-in-popular-wysiwyg-we… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Apache CXF vulnerability identified in IBM Tivoli Application Dependency Discovery Manager (CVE-2021-22696) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect IBM Jazz Foundation and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-11868, CVE-2020-13817) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to Server-side Request Forgery and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache HttpComponents and HttpCommons affect embedded WebSphere Application Server, which affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection attack and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Hillrom Medical Device Management ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-152-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.06.2021
by Daily end-of-shift report 01 Jun '21

01 Jun '21

===================== = End-of-Day report = ===================== Timeframe: Montag 31-05-2021 18:00 − Dienstag 01-06-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Firefox 89 und ESR 78.11: Neue Browser-Versionen, neue Sicherheits-Updates ∗∗∗ --------------------------------------------- Das Mozilla-Team hat den frisch erschienenen Firefox-Versionen neben neuen Features auch Schwachstellen-Patches spendiert. --------------------------------------------- https://heise.de/-6059513 ∗∗∗ Kroatien Urlaub geplant? Nehmen Sie sich vor kostenpflichtigen Registrierungsseiten wie enter-croatia.com in Acht! ∗∗∗ --------------------------------------------- Viele ÖsterreicherInnen freuen sich darauf, endlich wieder nach Kroatien zu fahren. Durch die COVID-19-Pandemie gelten jedoch strengere Einreisebestimmungen, wie die Empfehlung einer kostenlosen Online-Registrierung. Anbieter wie die Visa Gate GmbH nutzen die Unsicherheit vieler TouristInnen aus und stellen kostenpflichtige Registrierungsseiten ins Netz. Wir empfehlen Ihnen, die (freiwillige) Online-Registrierung nicht über enter-croatia.com vorzunehmen! --------------------------------------------- https://www.watchlist-internet.at/news/kroatien-urlaub-geplant-nehmen-sie-s… ∗∗∗ Windows 10s package manager flooded with duplicate, malformed apps ∗∗∗ --------------------------------------------- Microsofts Windows 10 package manager Wingets GitHub has been flooded with duplicate apps and malformed manifest files raising concerns among developers with regards to the integrity of apps. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10s-package-manager-… ∗∗∗ Quick and dirty Python: nmap, (Mon, May 31st) ∗∗∗ --------------------------------------------- Continuing on from the "Quick and dirty Python: masscan" diary, which implemented a simple port scanner in Python using masscan to detect web instances on TCP ports 80 or 443. Masscan is perfectly good as a blunt instrument to quickly find open TCP ports across large address spaces, but for fine details it is better to use a scanner like nmap that, while much slower, is able to probe the port to get a better idea of what is running. --------------------------------------------- https://isc.sans.edu/diary/rss/27480 ∗∗∗ Guildma is now using Finger and Signed Binary Proxy Execution to evade defenses, (Mon, May 31st) ∗∗∗ --------------------------------------------- We recently identified a new Guildma/Astaroth campaign targeting South America, mainly Brazil, using a new variant of the malware. Guildma is known by its multiple-staged infection chain and evasion techniques to reach victim’s data and exfiltrate them. In a previous diary [1] at Morphus Labs, we analyzed a Guildma variant which employed an innovative strategy to stay active, using Facebook and YouTube to get a new list of its C2 servers. --------------------------------------------- https://isc.sans.edu/diary/rss/27482 ∗∗∗ Evadere Classifications ∗∗∗ --------------------------------------------- The term evasion is derived from the Latin word "evadere" which means - "To escape, to get away." The DOD defines evasion as - "The process whereby isolated personnel avoid capture with the goal of successfully returning to areas under friendly control." [...] This made me think - what does evasion or bypass truly mean? Are there different categories that these evasion techniques fit into? Lastly, if these techniques are to fit into categories - how can detection engineers leverage these for engagements? --------------------------------------------- https://posts.specterops.io/evadere-classifications-8851a429c94b ∗∗∗ Revisiting the NSIS-based crypter ∗∗∗ --------------------------------------------- In this blog we look at the constantly evolving NSIS crypter which malware authors have been leveraging as a flexible tool to pack and encrypt their samples. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-b… ∗∗∗ TeamTNT botnet makes 50,000 victims over the last three months ∗∗∗ --------------------------------------------- TeamTNT, a crypto-mining botnet specialized in infecting misconfigured Docker and Kubernetes platforms, has compromised more than 50,000 systems over the last three months, between March and May 2021, security firm Trend Micro said last week. --------------------------------------------- https://therecord.media/teamtnt-botnet-makes-50000-victims-over-the-last-th… ===================== = Vulnerabilities = ===================== ∗∗∗ Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 ∗∗∗ --------------------------------------------- On June 1, 2021, Lasso disclosed a security vulnerability in the Lasso Security Assertion Markup Language (SAML) Single Sign-On (SSO) library. This vulnerability could allow an authenticated attacker to impersonate another authorized user when interacting with an application. For a description of this vulnerability, see lasso.git NEWS. This advisory will be updated as additional information becomes available. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cflow, chromium, eterm, gnutls, and kernel), Mageia (kernel and kernel-linus), Oracle (glib2), Red Hat (glib2, kernel, kernel-rt, and kpatch-patch), SUSE (curl, djvulibre, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, nginx, python-httplib2, and slurm), and Ubuntu (gupnp, libwebp, postgresql-10, postgresql-12, postgresql-13, and python3.8). --------------------------------------------- https://lwn.net/Articles/857830/ ∗∗∗ Security Bulletin: A format string security vulnerability has been identified in IBM Spectrum Scale (CVE-2021-29740) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-format-string-security-… ∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology, Westermo and Pepperl+Fuchs products ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.05.2021
by Daily end-of-shift report 31 May '21

31 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-05-2021 18:00 − Montag 31-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitsupdate: Root-Lücke in Sonicwalls Network Security Manager ∗∗∗ --------------------------------------------- Angreifer könnten durch eine Schwachstelle in der Firewall-Verwaltungssoftware Network Security Manager schlüpfen. --------------------------------------------- https://heise.de/-6057794 ∗∗∗ Client Puzzle Protocols (CPPs) als Gegenmaßnahmen gegen automatisierte Gefahren für Webapplikationen ∗∗∗ --------------------------------------------- Client Puzzle Protocols (CPPs) können effektive Maßnahmen gegen Denial-of-Service-Attacken sein. Sie müssen aber auf ihre Effektivität überprüft werden. --------------------------------------------- https://www.syss.de/pentest-blog/fachartikel-von-it-security-consultant-vla… ∗∗∗ Threat spotlight: Conti, the ransomware used in the HSE healthcare attack ∗∗∗ --------------------------------------------- [...] In this blog, we’ll home in on Conti, the strain identified by some as the successor, cousin or relative of Ryuk ransomware, due to similarities in code use and distribution tactics. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-con… ∗∗∗ PoC published for new Microsoft PatchGuard (KPP) bypass ∗∗∗ --------------------------------------------- A security researcher has discovered a bug in PatchGuard––a crucial Windows security feature––that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel. --------------------------------------------- https://therecord.media/poc-published-for-new-microsoft-patchguard-kpp-bypa… ∗∗∗ WooCommerce Credit Card Skimmer Hides in Plain Sight ∗∗∗ --------------------------------------------- Recently, a client’s customers were receiving a warning from their anti-virus software when they navigated to the checkout page of the client’s ecommerce website. Antivirus software such as Kaspersky and ESET would issue a warning but only once a product had been added to the cart and a customer was about to enter their payment information. This is, of course, a tell-tale sign that there is something seriously wrong with the website and likely a case of credit card exfiltration. --------------------------------------------- https://blog.sucuri.net/2021/05/woocommerce-credit-card-skimmer.html ∗∗∗ On the Taxonomy and Evolution of Ransomware ∗∗∗ --------------------------------------------- Not all ransomware is the same! Oliver Tavakoli, CTO at Vectra AI, discusses the different species of this growing scourge. --------------------------------------------- https://threatpost.com/taxonomy-evolution-ransomware/166462/ ∗∗∗ Spear-phishing Email Targeting Outlook Mail Clients , (Sat, May 29th) ∗∗∗ --------------------------------------------- In February I posted about spam pretending to be an Outlook Version update [1] and now for the past several weeks I have been receiving spear-phishing emails that pretend to be coming from Microsoft Outlook to "Sign in to verify" my account, new terms of services, new version, etc. There also have been some reports this week about large ongoing spear-phishing campaign [2][3] worth reading. Here are some samples which always include a sense of urgency to login as soon as possible: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27472 ∗∗∗ Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th) ∗∗∗ --------------------------------------------- New versions of Sysinternals' tools Procmon, Sysmon, TcpView and Process Explorer were released. --------------------------------------------- https://isc.sans.edu/diary/rss/27476 ∗∗∗ Video: Cobalt Strike & DNS - Part 1, (Sun, May 30th) ∗∗∗ --------------------------------------------- One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS. --------------------------------------------- https://isc.sans.edu/diary/rss/27478 ∗∗∗ IT threat evolution Q1 2021 ∗∗∗ --------------------------------------------- SolarWinds attacks, MS Exchange vulnerabilities, fake adblocker distributing miner, malware for Apple Silicon platform and other threats in Q1 2021. --------------------------------------------- https://securelist.com/it-threat-evolution-q1-2021/102382/ ∗∗∗ IT threat evolution Q1 2021. Mobile statistics ∗∗∗ --------------------------------------------- In the first quarter of 2021 we detected 1.45M mobile installation packages, of which 25K packages were related to mobile banking Trojans and 3.6K packages were mobile ransomware Trojans. --------------------------------------------- https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/ ∗∗∗ IT threat evolution Q1 2021. Non-mobile statistics ∗∗∗ --------------------------------------------- In Q1 2021, we blocked more than 2 billion attacks launched from online resources across the globe, detected 77.4M unique malicious and potentially unwanted objects, and recognized 614M unique URLs as malicious. --------------------------------------------- https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/10… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (hyperkitty, libxml2, nginx, openjdk-11-jre-dcevm, rxvt-unicode, samba, and webkit2gtk), Fedora (exiv2, java-1.8.0-openjdk-aarch32, mingw-python-pillow, opendmarc, php-symfony3, php-symfony4, python-pillow, runc, rust-cranelift-codegen-shared, rust-cranelift-entity, and rxvt-unicode), openSUSE (curl, hivex, libu2f-host, libX11, libxls, singularity, and upx), Oracle (dotnet3.1 and dotnet5.0), Red Hat (docker, glib2, and runc), and Ubuntu (lz4). --------------------------------------------- https://lwn.net/Articles/857737/ ∗∗∗ Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities have been resolved in IBM Application Gateway (CVE-2021-20576, CVE-2021-20575, CVE-2021-29665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.05.2021
by Daily end-of-shift report 28 May '21

28 May '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-05-2021 18:00 − Freitag 28-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FBI to share compromised passwords with Have I Been Pwned ∗∗∗ --------------------------------------------- The FBI will soon begin to share compromised passwords with Have I Been Pwneds Password Pwned service that were discovered during law enforcement investigations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-to-share-compromised-pas… ∗∗∗ Ransomware gangs slow decryptors prompt victims to seek alternatives ∗∗∗ --------------------------------------------- Recently, two highly publicized ransomware victims received a decryptor that was too slow to make it effective in quickly restoring the victims network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-slow-decryp… ∗∗∗ Tracking BokBot (a.k.a. IcedID) Infrastructure ∗∗∗ --------------------------------------------- BokBot (also known as IcedID) started life as a banking trojan using man-in-the-browser attacks to steal credentials from online banking sessions and initiate fraudulent transactions. Over time, the operator(s) of BokBot have also developed its use as a delivery mechanism for other malware, in particular ransomware. --------------------------------------------- https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/ ∗∗∗ Malicious PowerShell Hosted on script.google.com, (Fri, May 28th) ∗∗∗ --------------------------------------------- Google has an incredible portfolio of services. Besides the classic ones, there are less known services and... they could be very useful for attackers too. One of them is Google Apps Script[1]. Google describes it like this: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27468 ∗∗∗ Jetzt patchen! Kritische Lücke in HPE SIM geschlossen ∗∗∗ --------------------------------------------- Es ist ein wichtiges Sicherheitsupdate für Hewlett Packard Enterprise Systems Insight Manager (SIM) erschienen. --------------------------------------------- https://heise.de/-6056415 ∗∗∗ Falsifying and weaponizing certified PDFs ∗∗∗ --------------------------------------------- Certified PDFs are supposed to control modifications so that recipients know they havent been tampered with. It doesnt always work. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/falsifyi… ∗∗∗ Do you know your OpSec? ∗∗∗ --------------------------------------------- Open Source Intelligence (OSINT) is any information in the public domain that an attacker can dig up about you. Because of that it forms the basis of every Red Team [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/do-you-know-your-opsec/ ∗∗∗ Urlaubsreif? Buchen Sie nicht über ferienhauspartner.co, fewopartner.co, holidaypartner.co & ferienpartner.co! ∗∗∗ --------------------------------------------- Sind Sie auf der Suche nach ein Urlaubsdomizil für den nahenden Sommer? Wenn ja, könnten Sie auf betrügerische Webseiten stoßen. Denn Kriminelle bieten derzeit Ferienhäuser und Ferienwohnungen in Deutschland und Dänemark an, die per Vorkasse gebucht werden können. Doch Vorsicht: Das bezahlte Geld landet direkt in den Händen der Kriminellen, eine aufrechte Buchung gibt es nicht! --------------------------------------------- https://www.watchlist-internet.at/news/urlaubsreif-buchen-sie-nicht-ueber-f… ∗∗∗ MobileInter: A Popular Magecart Skimmer Redesigned For Your Phone ∗∗∗ --------------------------------------------- To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of todays most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/mobile-inter/ ∗∗∗ Docker Honeypot Reveals Cryptojacking as Most Common Cloud Threat ∗∗∗ --------------------------------------------- A Docker honeypot captured 33 types of attacks over a total of 850 attempts. Here’s what we learned about the cloud threat landscape. --------------------------------------------- https://unit42.paloaltonetworks.com/docker-honeypot/ ∗∗∗ CVE-2021-31440: An Incorrect Bounds Calculation in the Linux Kernel eBPF Verifier ∗∗∗ --------------------------------------------- In April 2021, the ZDI received a Linux kernel submission that turned out to be an incorrect bounds calculation bug in the extended Berkeley Packet Filter (eBPF) verifier. This bug was submitted to the program by Manfred Paul (@_manfp) of the RedRocket CTF team (@redrocket_ctf). Manfred Paul had successfully exploited two other eBPF verifier bugs in Pwn2Own 2020 and 2021 respectively. --------------------------------------------- https://www.thezdi.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-ca… ∗∗∗ The Race to Native Code Execution in PLCs ∗∗∗ --------------------------------------------- Claroty has found a severe memory protection bypass vulnerability (CVE-2020-15782) in Siemens PLCs, the SIMATIC S7-1200 and S7-1500. An attacker could abuse this vulnerability on PLCs with disabled access protection to gain read and write access anywhere on the PLC and remotely execute malicious code. --------------------------------------------- https://claroty.com/2021/05/28/blog-research-race-to-native-code-execution-… ∗∗∗ Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns ∗∗∗ --------------------------------------------- On May 25, 2021, Volexity identified a phishing campaign targeting multiple organizations based in the United States and Europe. The following industries have been observed being targeted thus far: NGOs, Research Institutions, Government Agencies, International Agencies The campaign’s phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL [...] --------------------------------------------- https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall urges customers to immediately patch NSM On-Prem bug ∗∗∗ --------------------------------------------- SonicWall urges customers to immediately patch a post-authentication vulnerability impacting on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-urges-customers-to… ∗∗∗ SSA-434534: Memory Protection Bypass Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families ∗∗∗ --------------------------------------------- SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks. Siemens has released updates for several affected products and strongly recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-434534.txt ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nginx), Fedora (chromium, curl, kernel, php-symfony3, php-symfony4, python-lxml, python-pip, and runc), Mageia (ceph and wireshark), openSUSE (mpv), Oracle (bind, idm:DL1, redis:6, slapi-nis, squid:4, and xorg-x11-server), SUSE (curl, nginx, postgresql10, postgresql12, postgresql13, slurm, slurm_18_08, and slurm_20_11), and Ubuntu (nginx). --------------------------------------------- https://lwn.net/Articles/857581/ ∗∗∗ Several Vulnerabilities in Bosch B426, B426-CN/B429-CN, and B426-M ∗∗∗ --------------------------------------------- BOSCH-SA-196933-BT: A security vulnerability affects the Bosch B426, B426-CN/B429-CN, and B426-M. The vulnerability is exploitable via the network interface. Bosch rates this vulnerability at 8.0 (High) and recommends customers to update vulnerable components with fixed software versions. A second vulnerable condition was found when using http protocol, in which the user password is transmitted as a clear text parameter. Latest firmware versions allow only https. If a software update is not [...] --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-196933-bt.html ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2021
by Daily end-of-shift report 27 May '21

27 May '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-05-2021 18:00 − Donnerstag 27-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Achtung: Kriminelle fälschen „Grünen Pass“! ∗∗∗ --------------------------------------------- In Österreich wird bald der „Grüne Pass“ eingeführt, der den Zugang zu Gastronomie und körpernahen Dienstleistungen erleichtern soll. Dieser ist erst in der zweiten Juni-Woche verfügbar, doch Kriminelle verbreiten bereits jetzt eine „Variante“ des Grünen Passes. Wir gehen davon aus, dass dabei personenbezogene Daten abgegriffen werden. Wer die unseriöse App als gültigen Impf-, Test- oder Genesungsnachweis verwendet, könnte könnte sich außerdem strafbar machen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-kriminelle-faelschen-gruenen… ∗∗∗ Exploit veröffentlicht: Gefixte WebKit-Schwachstelle steht auf iPhones offen ∗∗∗ --------------------------------------------- Ein Patch im Open-Source-Unterbau aller iOS-Browser ist selbst nach Wochen noch nicht in Apples Betriebssysteme eingeflossen, warnt eine Sicherheitsfirma. --------------------------------------------- https://heise.de/-6055716 ∗∗∗ BazaLoader Masquerades as Movie-Streaming Service ∗∗∗ --------------------------------------------- The website for “BravoMovies” features fake movie posters and a FAQ with a rigged Excel spreadsheet for “cancelling” the service, but all it downloads is malware. --------------------------------------------- https://threatpost.com/bazaloader-fake-movie-streaming-service/166489/ ∗∗∗ “Unpatchable” vuln in Apple’s new Mac chip – what you need to know ∗∗∗ --------------------------------------------- Its all over the news! The bug you cant fix! Fortunately, you dont need to. We explain why. --------------------------------------------- https://nakedsecurity.sophos.com/2021/05/27/unpatchable-vuln-in-apples-new-… ∗∗∗ Analysis report of the Facefish rootkit ∗∗∗ --------------------------------------------- In Feb 2021, we came across an ELF sample using some CWP’s Ndays exploits, we did some analysis, but after checking with a partner who has some nice visibility in network traffic in some China areas, we discovered there is literarily 0 hit for the C2 traffic. --------------------------------------------- https://blog.netlab.360.com/ssh_stealer_facefish_en/ ∗∗∗ All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not, (Thu, May 27th) ∗∗∗ --------------------------------------------- Malware authors like to use a variety of techniques to avoid detection of their creations by anti-malware tools. As the old saying goes, necessity is the mother of invention and in the case of malware, it has lead its authors to devise some very interesting ways to hide from detection over the years - from encoding of executable files into valid bitmap images[1] to multi-stage encryption of malicious payloads[2] and much further. --------------------------------------------- https://isc.sans.edu/diary/rss/27466 ∗∗∗ Saving Your Access ∗∗∗ --------------------------------------------- After revisiting old internal discussions, an area of interest was the possibility of using screensavers for persistence on macOS. This is an established persistence method on Windows, as noted on the MITRE ATT&CK page. --------------------------------------------- https://posts.specterops.io/saving-your-access-d562bf5bf90b ∗∗∗ Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises ∗∗∗ --------------------------------------------- Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat Intelligence has observed simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophist… ===================== = Vulnerabilities = ===================== ∗∗∗ HPE fixes critical zero-day vulnerability disclosed in December ∗∗∗ --------------------------------------------- Hewlett Packard Enterprise (HPE) has released a security update to address a zero-day remote code execution vulnerability disclosed last year, in December. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hpe-fixes-critical-zero-day-… ∗∗∗ Drupal: Update schließt Cross-Site-Scripting-Lücke in mehreren CMS-Versionen ∗∗∗ --------------------------------------------- Die Programmbibliothek CKEditor, die vom Drupal-Core verwendet wird, barg unter bestimmten Umständen Angriffsmöglichkeiten. Für Core & Library gibt es Updates. --------------------------------------------- https://heise.de/-6055672 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (djvulibre), Fedora (slapi-nis and upx), Gentoo (ceph and nginx), openSUSE (python-httplib2 and rubygem-actionpack-5_1), Slackware (curl), SUSE (curl, libX11, and python-httplib2), and Ubuntu (isc-dhcp, lz4, and nginx). --------------------------------------------- https://lwn.net/Articles/857460/ ∗∗∗ Vulnerabilities in Visual Studio Code Extensions Expose Developers to Attacks ∗∗∗ --------------------------------------------- Vulnerabilities in Visual Studio Code extensions could be exploited by malicious attackers to steal valuable information from developers and even compromise organizations, researchers with open-source software security firm Snyk say. --------------------------------------------- https://www.securityweek.com/vulnerabilities-visual-studio-code-extensions-… ∗∗∗ GENIVI Alliance DLT ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in GENIVI Alliance DLT-Daemon software component. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-01 ∗∗∗ Johnson Controls Sensormatic Electronics VideoEdge ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Off-by-one Error vulnerability in Sensormatic Electronics VideoEdge surveillance systems. Sensormatic Electronics is a subsidiary of Johnson Controls. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-02 ∗∗∗ Siemens JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- This advisory contains mitigations for Untrusted Pointer Dereference, Out-of-bounds Read, and Stack-based Buffer Overflow vulnerabilities in Siemens JT2Go and Teamcenter Visualization products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-04 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric iQ-R Series CPU modules. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-05 ∗∗∗ Internet Systems Consortium DHCP: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0587 ∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Undocumented Account ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021050156 ∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded Web Application Administrator Password ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021050155 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2021-20229) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within IBM® Runtime Environment Java™ Technology Edition (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services ( CVE-2021-3393) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server April 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-aff… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in IBM® Runtime Environment Java™ Technology Edition. (CVE-2020-14779) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2020-10733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.05.2021
by Daily end-of-shift report 26 May '21

26 May '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-05-2021 18:00 − Mittwoch 26-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kaspersky Security Bulletin 2020-2021. EU statistics ∗∗∗ --------------------------------------------- The statistics in this report cover the period from May 2020 to April 2021, inclusive. --------------------------------------------- https://securelist.com/kaspersky-security-bulletin-2020-2021-eu-statistics/… ∗∗∗ Smart lighting security ∗∗∗ --------------------------------------------- RJ45 connections delivering Power over Ethernet are becoming prevalent in light fittings, a result of the lower power demands from LED fittings. This creates potential for uninformed installers to inadvertently bridge network security controls through connecting the light fittings to existing networking equipment. ... Radio protocols can also lead to compromise if not done securely; Bluetooth Classic, BLE, Z-Wave and many other protocols can be exploited if not configured correctly. --------------------------------------------- https://www.pentestpartners.com/security-blog/smart-lighting-security/ ∗∗∗ The Attack Path Management Manifesto ∗∗∗ --------------------------------------------- The primary goal of Attack Path Management (APM) is to directly solve the problem of Attack Paths. Today, the problem of Attack Paths is felt most acutely in the world of Microsoft Active Directory and Azure Active Directory. These platforms provide the greatest payoff for attackers, since taking control of the fundamental identity platform for an enterprise grants full control of all users, systems, and data in that enterprise --------------------------------------------- https://posts.specterops.io/the-attack-path-management-manifesto-3a3b117f5e5 ∗∗∗ CVE-2021-22909- Digging into a Ubiquiti Firmware Update bug ∗∗∗ --------------------------------------------- Back In February, Ubiquiti released a new firmware update for the Ubiquiti EdgeRouter, fixing CVE-2021-22909/ZDI-21-601. The vulnerability lies in the firmware update procedure and allows a man-in-the-middle (MiTM) attacker to execute code as root on the device by serving a malicious firmware image when the system performs an automatic firmware update. ... The impact of this vulnerability is quite nuanced and worthy of further discussion. --------------------------------------------- https://www.thezdi.com/blog/2021/5/24/cve-2021-22909-digging-into-a-ubiquit… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗ --------------------------------------------- Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing. --------------------------------------------- https://kb.cert.org/vuls/id/799380 ∗∗∗ CVE-2020-14145 ∗∗∗ --------------------------------------------- A vulnerability in OpenSSH <= 8.6 allows a man in the middle attack to determine, if a client already has prior knowledge of the remote hosts fingerprint. Using this information leak it is possible to ignore clients, which will show an error message during an man in the middle attack, while new clients can be intercepted without alerting them of the man in the middle attack. [...] At the moment, the only option to mitigate this vulnerability is to set HostKeyAlgorithms in your config file. --------------------------------------------- https://docs.ssh-mitm.at/CVE-2020-14145.html ∗∗∗ Sicherheitsupdates: Kritische Schadcode-Lücke bedroht VMware vCenter Server ∗∗∗ --------------------------------------------- Die Servermanagementsoftware vCenter Server ist verwundbar. Angreifer könnten Schadcode ausführen. --------------------------------------------- https://heise.de/-6054003 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (djvulibre, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gupnp, hivex, lz4, matrix-synapse, prometheus, python-pydantic, runc, thunderbird, and websvn), Fedora (composer, moodle, and wordpress), Gentoo (bash, boost, busybox, containerd, curl, dnsmasq, ffmpeg, firejail, gnome-autoar, gptfdisk, icu, lcms, libX11, mariadb, mumble, mupdf, mutt, mysql, nettle, nextcloud-client, opensmtpd, openssh, openvpn, php, postgresql, prosody, rxvt-unicode, samba, screen, smarty, spamassassin, squid, stunnel, tar, tcpreplay, telegram-desktop), openSUSE (Botan), Red Hat (kernel), Slackware (gnutls), SUSE (hivex, libu2f-host, rubygem-actionpack-5_1), Ubuntu (apport, exiv2, libx11). --------------------------------------------- https://lwn.net/Articles/857352/ ∗∗∗ Cisco ADE-OS Local File Inclusion Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Finesse Open Redirect Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces Connector Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces Connector Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SSA-119468: Luxion KeyShot Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-119468.txt ∗∗∗ Security Advisory - Out-of-Bounds Read Vulnerability On Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210526-… ∗∗∗ Security Advisory - Possible Out-Of-Bounds Read Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210526-… ∗∗∗ Security Advisory - Improper Licenses Management Vulnerability in Some Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210407-… ∗∗∗ Security Bulletin: Mitigations are being announced to address CVE-2020-4839 and CVE-2021-29695 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mitigations-are-being-ann… ∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM® Db2® 'Check for Updates' process is vulnerable to DLL hijacking (CVE-2019-4588) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-check-for-updates… ∗∗∗ Security Bulletin: Mitigations are being announced to address CVE-2020-4839 and CVE-2021-29695 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mitigations-are-being-ann… ∗∗∗ Security Bulletin: Data protection rules and policies are not enforced on virtualized objects ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-protection-rules-and… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2021-20487 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM License Key Server Administration and Reporting Tool is impacted by multiple vulnerabilities in jQuery, Bootstrap and AngularJS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-license-key-server-ad… ∗∗∗ Overview of NGINX vulnerabilities (May 2021) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52559937?utm_source=f5support&utm_mediu… ∗∗∗ NGINX Plus and Open Source vulnerability CVE-2021-23017 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12331123?utm_source=f5support&utm_mediu… ∗∗∗ Datakit Libraries bundled in Luxion KeyShot ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-145-01 ∗∗∗ Rockwell Automation Micro800 and MicroLogix 1400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-145-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0