=====================
= End-of-Day report =
=====================
Timeframe: Monday 26-07-2021 18:00 - Tuesday 27-07-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Failed Malspam: Recovering The Password, (Mon, Jul 26th) ∗∗∗
---------------------------------------------
Jan's diary entry "One way to fail at malspam - give recipients the wrong password for an encrypted attachment" got my attention: it's an opportunity for me to do some password cracking.
---------------------------------------------
https://isc.sans.edu/diary/rss/27674
∗∗∗ Hiding Malware in ML Models ∗∗∗
---------------------------------------------
“EvilModel: Hiding Malware Inside of Neural Network Models”.
---------------------------------------------
https://www.schneier.com/blog/archives/2021/07/hiding-malware-in-ml-models.…
∗∗∗ OSX.XLoader hides little except its main purpose: What we learned in the installation process ∗∗∗
---------------------------------------------
We dig into OSX.XLoader, also known as X Loader, which is the latest threat to macOS that bears some similarities to novice malware.
---------------------------------------------
https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-i…
∗∗∗ Malware developers turn to exotic programming languages to thwart researchers ∗∗∗
---------------------------------------------
They are focused on exploiting pain points in code analysis and reverse-engineering.
---------------------------------------------
https://www.zdnet.com/article/malware-developers-turn-to-exotic-programming…
∗∗∗ How MSPs can best handle the ransomware crisis ∗∗∗
---------------------------------------------
Managed service providers (MSPs) play a critical role in the fight against malware. However, the ransomware attack on Kaseya hit dozens of MSPs with full force and, indirectly, their customers as well.
---------------------------------------------
https://www.zdnet.de/88395971/wie-msps-am-besten-mit-der-ransomware-krise-u…
∗∗∗ Praying Mantis APT targets IIS servers with ASP.NET exploits ∗∗∗
---------------------------------------------
A new advanced persistent threat (APT) group has been seen carrying out attacks against Microsoft IIS web servers using old exploits in ASP.NET applications in order to plant a backdoor and then pivot to companies' internal networks.
---------------------------------------------
https://therecord.media/praying-mantis-apt-targets-iis-servers-with-asp-net…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple fixes zero-day affecting iPhones and Macs, exploited in the wild ∗∗∗
---------------------------------------------
Apple has released security updates to address a zero-day vulnerability exploited in the wild and impacting iPhones, iPads, and Macs.
---------------------------------------------
https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-affecting-…
∗∗∗ Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities ∗∗∗
---------------------------------------------
Security researchers warn of new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researchers-warn-of-unpatche…
∗∗∗ Moodle: New versions remove remote attack vector via Shibboleth ∗∗∗
---------------------------------------------
Several versions of the learning platform can be attacked remotely, but only when Shibboleth authentication is enabled. Updates are available.
---------------------------------------------
https://heise.de/-6148879
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (drupal7), Fedora (linux-firmware), openSUSE (qemu), Oracle (kernel and thunderbird), Red Hat (thunderbird), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, kernel, and thunderbird), SUSE (dbus-1, libvirt, linuxptp, qemu, and slurm), and Ubuntu (aspell and mysql-5.7, mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/864439/
∗∗∗ Vulnerabilities Allow Hacking of Zimbra Webmail Servers With Single Email ∗∗∗
---------------------------------------------
Vulnerabilities in the Zimbra enterprise webmail solution could allow an attacker to gain unrestricted access to an organization’s sent and received email messages, software security firm SonarSource reveals.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-allow-hacking-zimbra-webmail-s…
∗∗∗ Security Bulletin: A security vulnerability in Golang Go affects IBM Cloud Pak for Multicloud Management Managed services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: XSS Security Vulnerability Affects Mailbox UI of IBM Sterling B2B Integrator (CVE-2021-20562) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-xss-security-vulnerabilty…
∗∗∗ Security Bulletin: A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: GRUB2 as used by IBM QRadar SIEM is vulnerable to arbitrary code execution ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-grub2-as-used-by-ibm-qrad…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2021-20399) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ MIT Kerberos: Vulnerability allows information disclosure ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0809
∗∗∗ VLC: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0807
∗∗∗ Foxit Reader: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0812
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 23-07-2021 18:00 - Monday 26-07-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Windows networks vulnerable to PetitPotam relay attack ∗∗∗
---------------------------------------------
Researchers demonstrate a new way to crown oneself king of a Windows domain. Microsoft shrugs and points to hardening measures.
---------------------------------------------
https://heise.de/-6147467
∗∗∗ GitLab sends Package Hunter hunting for malicious code ∗∗∗
---------------------------------------------
The new open-source tool Package Hunter is meant to detect malicious code in dependencies.
---------------------------------------------
https://heise.de/-6147526
∗∗∗ No More Ransom: We Prevented Ransomware Operators From Earning $1 Billion ∗∗∗
---------------------------------------------
No More Ransom is celebrating its 5th anniversary and the project says it has helped more than 6 million ransomware victims recover their files and prevented cybercriminals from earning roughly $1 billion.
No More Ransom is a joint effort of law enforcement and cybersecurity companies whose goal is to help victims of ransomware attacks recover their files without having to pay the ransom demanded by criminals.
---------------------------------------------
https://www.securityweek.com/no-more-ransom-we-prevented-ransomware-operato…
∗∗∗ Microsoft warns of weeks-long malspam campaign abusing HTML smuggling ∗∗∗
---------------------------------------------
The Microsoft security team said it detected a weeks-long email spam campaign abusing a technique known as “HTML smuggling” to bypass email security systems and deliver malware to user devices.
HTML smuggling, as explained by SecureTeam and Outflank, is a technique that allows threat actors to assemble malicious files on users' devices through clever use of HTML5 and JavaScript code.
---------------------------------------------
https://therecord.media/microsoft-warns-of-weeks-long-malspam-campaign-abus…
∗∗∗ RemotePotato0: Privilege escalation vulnerability in the Windows RPC protocol ∗∗∗
---------------------------------------------
Every Windows system is susceptible to a particular NTLM relay attack that could allow attackers to escalate privileges from user to domain admin. This vulnerability has the status "will not be fixed" and was the subject of the PetitPotam approach I covered over the weekend. Now Antonio Cocomazzi has pointed out the vulnerability called RemotePotato0. It uses the Windows RPC protocol for privilege escalation.
---------------------------------------------
https://www.borncity.com/blog/2021/07/26/remotepotato0-privilege-escalation…
=====================
= Vulnerabilities =
=====================
∗∗∗ Collabora Online: Update protects against unauthorized remote file access ∗∗∗
---------------------------------------------
The Collabora Online team advises updating the online office application to remove a remote attack vector rated "critical".
---------------------------------------------
https://heise.de/-6147967
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (aspell, intel-microcode, krb5, rabbitmq-server, and ruby-actionpack-page-caching), Fedora (chromium, containernetworking-plugins, containers-common, crun, fossil, podman, skopeo, varnish-modules, and vmod-uuid), Gentoo (leptonica, libsdl2, and libyang), Mageia (golang, lib3mf, nodejs, python-pip, redis, and xstream), openSUSE (containerd, crmsh, curl, icinga2, and systemd), Oracle (containerd), and Red Hat (thunderbird).
---------------------------------------------
https://lwn.net/Articles/864346/
∗∗∗ OTRS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote authenticated or anonymous attacker can exploit multiple vulnerabilities in OTRS to bypass security measures and carry out a cross-site scripting attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0805
∗∗∗ Security Bulletin: FasterXML Vulnerability in Jackson-Databind Affects IBM Sterling Connect:Direct File Agent (CVE-2018-7489) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-fasterxml-vulnerability-i…
∗∗∗ Security Bulletin: Apache Commons Configuration Vulnerability Affects IBM Sterling Connect:Direct File Agent (CVE-2020-1953) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-configurat…
∗∗∗ Security Bulletin: IBM i2 Analyze missing security header (CVE-2021-29769) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-missing-se…
∗∗∗ Security Bulletin: IBM i2 Analyze and i2 Analyst's Notebook Premium has session handling vulnerability (CVE-2021-20431) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-i2-ana…
∗∗∗ Security Bulletin: Apache PDFBox as used by IBM QRadar Incident Forensics is vulnerable to denial of service (CVE-2021-27807, CVE-2021-27906) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-pdfbox-as-used-by-…
∗∗∗ Security Bulletin: IBM i2 Analyst's Notebook Premium has an information disclosure vulnerability (CVE-2021-29767) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-…
∗∗∗ Security Bulletin: IBM i2 iBase vulnerable to DLL hijacking (CVE-2020-4623) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-ibase-vulnerable-t…
∗∗∗ Security Bulletin: IBM i2 Analyst's Notebook Premium has an information disclosure vulnerability (CVE-2021-29784) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-…
∗∗∗ Security Bulletin: IBM QRadar SIEM uses weaker than expected cryptographic algorithms (CVE-2021-20337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-uses-weak…
∗∗∗ Security Bulletin: IBM i2 Analyze has an information disclosure vulnerability (CVE-2021-20430) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-has-an-inf…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-07-2021 18:00 - Friday 23-07-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ After supply chain attack: Kaseya wants to rescue data with decryption tool ∗∗∗
---------------------------------------------
Almost three weeks after the devastating supply chain attack on Kaseya customers, there is hope for the victims. The US company has a master key.
---------------------------------------------
https://heise.de/-6145950
∗∗∗ The NSO “Surveillance List”: What It Is and Isn’t ∗∗∗
---------------------------------------------
A series of blockbuster stories published this week around a leaked list of 50,000 phone numbers have created confusion about whether the owners of those numbers were targets of surveillance or not.
---------------------------------------------
https://zetter.substack.com/p/the-nso-surveillance-list-what-it
∗∗∗ Phish Swims Past Email Security With Milanote Pages ∗∗∗
---------------------------------------------
The “Evernote for creatives” is anchoring a rapidly spiking phishing campaign, evading SEGs with ease.
---------------------------------------------
https://threatpost.com/phish-email-security-milanote/168021/
∗∗∗ When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure ∗∗∗
---------------------------------------------
LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-…
∗∗∗ Uncovering Shenanigans in an IP Address Block via Hurricane Electric's BGP Toolkit (II), (Fri, Jul 23rd) ∗∗∗
---------------------------------------------
Today's diary revisits hunting for dodgy domains via Hurricane Electric's BGP Toolkit [1]. This was previously done in an earlier diary [2], and I plan to do this occasionally to share potential or identified threats so that readers can be aware of them.
---------------------------------------------
https://isc.sans.edu/diary/rss/27664
∗∗∗ Nasty macOS Malware XCSSET Now Targets Google Chrome, Telegram Software ∗∗∗
---------------------------------------------
A malware known for targeting macOS operating system has been updated once again to add more features to its toolset that allows it to amass and exfiltrate sensitive data stored in a variety of apps, including apps such as Google Chrome and Telegram, as part of further "refinements in its tactics."
---------------------------------------------
https://thehackernews.com/2021/07/nasty-macos-malware-xcsset-now-targets.ht…
∗∗∗ Wake up! Identify API Vulnerabilities Proactively, From Production Back to Code ∗∗∗
---------------------------------------------
After more than 20 years in the making, now it's official: APIs are everywhere. In a 2021 survey, 73% of enterprises reported that they already publish more than 50 APIs, and this number is constantly growing. APIs have crucial roles to play in virtually every industry today, and their importance is increasing steadily as they move to the forefront of business strategies.
---------------------------------------------
https://thehackernews.com/2021/07/wake-up-identify-api-vulnerabilities.html
∗∗∗ This Week in Security: NSO, Print Spooler, and a Mysterious Decryptor ∗∗∗
---------------------------------------------
The NSO Group has been in the news again recently, with multiple stories reporting on their Pegasus spyware product. The research and reporting spearheaded by Amnesty International is collectively known [...]
---------------------------------------------
https://hackaday.com/2021/07/23/this-week-in-security-nso-print-spooler-and…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Unified Customer Voice Portal Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco Unified Customer Voice Portal (CVP) could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user. This vulnerability is due to insufficient input validation of a parameter that is used by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, curl, impacket, jdk11-openjdk, jre-openjdk, jre-openjdk-headless, jre11-openjdk-headless, kernel, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, libpano13, linux-hardened, linux-lts, linux-zen, nvidia-utils, opera, systemd, and virtualbox), CentOS (java-11-openjdk and kernel), Debian (lemonldap-ng), Fedora (curl and podman), Gentoo (icedtea-web and velocity), openSUSE (bluez, go1.15, go1.16, [...]
---------------------------------------------
https://lwn.net/Articles/864158/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0004 ∗∗∗
---------------------------------------------
Date Reported: July 23, 2021. Advisory ID: WSA-2021-0004. CVE identifiers: CVE-2021-1817, CVE-2021-1820, CVE-2021-1825, CVE-2021-1826, CVE-2021-21775, CVE-2021-21779, CVE-2021-21806, CVE-2021-30661, CVE-2021-30663, CVE-2021-30665, CVE-2021-30666, CVE-2021-30682, CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744, CVE-2021-30749, CVE-2021-30758, CVE-2021-30761, CVE-2021-30762, CVE-2021-30795, CVE-2021-30797, CVE-2021-30799. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2021-0004.html
∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Smartphones ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210721…
∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-…
∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise v11 are affected by vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-2207) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-2207) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-2207) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-2207) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Microsoft Chrome Based Edge: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0800
∗∗∗ Asterisk: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0799
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 21-07-2021 18:00 - Thursday 22-07-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Cisco: Important security update available for Intersight Virtual Appliance ∗∗∗
---------------------------------------------
Security-relevant updates are available for the Cisco Intersight virtual appliance, and also for other products from the network equipment vendor.
---------------------------------------------
https://heise.de/-6144993
∗∗∗ HP, Samsung & Xerox: Vulnerability in Windows printer drivers fixed, after 16 years ∗∗∗
---------------------------------------------
Anyone who has not yet installed the printer driver updates available since mid-May should do so promptly: attackers could take over systems.
---------------------------------------------
https://heise.de/-6145114
∗∗∗ Recovery scams: Further losses instead of money back! ∗∗∗
---------------------------------------------
Anyone who falls victim to a fraudulent investment platform sometimes suffers considerable financial loss. As if that were not enough, emails or calls from the criminals behind the investment fraud follow shortly afterwards. This time, however, they do not pose as investment advisors but slip into a different role: in exchange for an advance payment, they promise help in recovering the lost money.
---------------------------------------------
https://www.watchlist-internet.at/news/recovery-scams-weitere-schaeden-stat…
∗∗∗ MITRE updates list of top 25 most dangerous software bugs ∗∗∗
---------------------------------------------
MITRE has shared this year's top 25 list of the most common and dangerous weaknesses plaguing software throughout the previous two years.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mitre-updates-list-of-top-25…
∗∗∗ Microsoft Issues Windows 10 Workaround Fix for ‘SeriousSAM’ Bug ∗∗∗
---------------------------------------------
A privilege elevation bug in Windows 10 opens all systems to attackers to access data and create new accounts on systems.
---------------------------------------------
https://threatpost.com/win-10-serioussam/168034/
∗∗∗ Compromising a Network Using an "Info" Level Finding ∗∗∗
---------------------------------------------
Anyone who has ever read a vulnerability scan report will know that scanners often include a large number of findings they classify as "Info". Typically this is meant to convey general information about the target systems which does not pose any risk.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/compromisin…
∗∗∗ Vulnerable Plugin Exploited in Spam Redirect Campaign ∗∗∗
---------------------------------------------
Some weeks ago a critical unauthenticated privilege escalation vulnerability was discovered in old, unpatched versions of the wp-user-avatar plugin. It also allows for arbitrary file uploads, which is where we have been seeing the infections start. This plugin has over 400,000 installations so we have seen a sustained campaign to infect sites with this plugin installed. In this post I will review a common infection seen as a result of this vulnerability in the wp-user-avatar plugin.
---------------------------------------------
https://blog.sucuri.net/2021/07/vulnerable-plugin-exploited-in-spam-redirec…
∗∗∗ Oracle Warns of Critical Remotely Exploitable Weblogic Server Flaws ∗∗∗
---------------------------------------------
Oracle on Tuesday released its quarterly Critical Patch Update for July 2021 with 342 fixes spanning multiple products, some of which could be exploited by a remote attacker to take control of an affected system. Chief among them is CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services that's remotely exploitable without authentication. It's worth noting that the weakness was originally addressed as part of an out-of-band security update in June 2019.
---------------------------------------------
https://thehackernews.com/2021/07/oracle-warns-of-critical-remotely.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pillow and redis), Fedora (kernel-headers, kernel-tools, kernelshark, libbpf, libtraceevent, libtracefs, nextcloud, and trace-cmd), Gentoo (chromium and singularity), Mageia (kernel, kernel-linus, and systemd), openSUSE (caribou, chromium, curl, and qemu), Oracle (java-1.8.0-openjdk, java-11-openjdk, kernel, and systemd), Slackware (curl), SUSE (curl, kernel, linuxptp, python-pip, and qemu), and Ubuntu (ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/863997/
∗∗∗ Atlassian Patches Critical Vulnerability in Jira Data Center Products ∗∗∗
---------------------------------------------
Software development and collaboration solutions provider Atlassian on Wednesday informed customers that it has patched a critical code execution vulnerability affecting some of its Jira products.
---------------------------------------------
https://www.securityweek.com/atlassian-patches-critical-vulnerability-jira-…
∗∗∗ IDEMIA fixed biometric identification devices vulnerabilities discovered by Positive Technologies ∗∗∗
---------------------------------------------
https://www.ptsecurity.com/ww-en/about/news/idemia-fixed-biometric-identifi…
∗∗∗ July 22, 2021 TNS-2021-14 [R1] Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2021-14
∗∗∗ Drupal: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0793
∗∗∗ cURL: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0797
∗∗∗ MB connect line: Apache Guacamole related vulnerabilities in mbCONNECT24, mymbCONNECT24 <= 2.8.0 ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2021-031
∗∗∗ MB connect line: two vulnerabilities in mymbCONNECT24, mbCONNECT24 <= 2.8.0 ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2021-030
∗∗∗ MB connect line: Privilege escalation in mbDIALUP <= 3.9R0.0 ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2021-017
∗∗∗ ZDI-21-893: (0Day) Apple macOS ImageIO WEBP File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-893/
∗∗∗ ZDI-21-892: (0Day) Apple macOS ImageIO WEBP File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-892/
∗∗∗ ZDI-21-891: (0Day) Apple macOS ImageIO TIFF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-891/
∗∗∗ ZDI-21-890: (0Day) Apple macOS AudioToolboxCore LOAS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-890/
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK (April 2021) affects IBM InfoSphere Information Server (CVE-2021-2161) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Addressing the Sqlite Vulnerability CVE-2021-20227 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-addressing-the-sqlite-vul…
∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL injection ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Directory Server (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 20-07-2021 18:00 - Wednesday 21-07-2021 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Deceptive promises of profit ∗∗∗
---------------------------------------------
Online trading in financial instruments is becoming increasingly popular with investors. Fraudsters are exploiting this trend. They promise high profits on fraudulent cybertrading platforms.
---------------------------------------------
https://www.bmi.gv.at/news.aspx?id=4661724A4D466861696B4D3D
∗∗∗ XLoader malware steals logins from macOS and Windows systems ∗∗∗
---------------------------------------------
A highly popular malware for stealing information from Windows systems has been modified into a new strain called XLoader, which can also target macOS systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/xloader-malware-steals-login…
∗∗∗ NPM package steals Chrome passwords on Windows via recovery tool ∗∗∗
---------------------------------------------
New npm malware has been caught stealing credentials from the Google Chrome web browser by using legitimate password recovery tools on Windows systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/npm-package-steals-chrome-pa…
∗∗∗ Fraudulent e-mail in the name of Raiffeisen Bank in circulation ∗∗∗
---------------------------------------------
Numerous internet users are currently finding a purported e-mail from Raiffeisen Bank in their inbox. It claims that, because of current fraud attempts, a new security system is required.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-e-mail-im-namen-der-r…
∗∗∗ CVE-2021-31969: Underflowing in the Clouds ∗∗∗
---------------------------------------------
You can now have your storage in the cloud while exploring it locally on your system. On Windows, this is done via the Cloud Sync Engine. This component exposes a native API known as the Cloud Filter API.
---------------------------------------------
https://www.thezdi.com/blog/2021/7/19/cve-2021-31969-underflowing-in-the-cl…
∗∗∗ New Attacks on Kubernetes via Misconfigured Argo Workflows ∗∗∗
---------------------------------------------
Intezer has detected a new attack vector against Kubernetes (K8s) clusters via misconfigured Argo Workflows instances.
---------------------------------------------
https://www.intezer.com/blog/container-security/new-attacks-on-kubernetes-v…
=====================
= Vulnerabilities =
=====================
∗∗∗ Nasty Linux Systemd Security Bug Revealed ∗∗∗
---------------------------------------------
Qualys has discovered a new systemd security bug that enables any unprivileged user to cause a denial of service via a kernel panic.
---------------------------------------------
https://it.slashdot.org/story/21/07/20/211230/nasty-linux-systemd-security-…
∗∗∗ Vulnerability in ON24 Plugin for macOS Shares More Than Just Your Screen ∗∗∗
---------------------------------------------
ON24 presenter mode requires you to install a plugin that is used to share your screen. For the macOS app (DesktopScreenShare.app), the plugin is started automatically once a user logs on.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabili…
∗∗∗ HiveNightmare: users can read the Windows password database ∗∗∗
---------------------------------------------
Incorrect access permissions cause a security vulnerability in Windows 10 and 11. There is no patch yet, but we show initial workarounds.
---------------------------------------------
https://heise.de/-6143746
∗∗∗ Security updates: Adobe patches Photoshop & Co. out of band ∗∗∗
---------------------------------------------
Attackers could attack computers running, among others, Adobe After Effects or Prelude with malicious code.
---------------------------------------------
https://heise.de/-6143780
∗∗∗ Root kernel vulnerability threatens many Linux distributions ∗∗∗
---------------------------------------------
Security researchers demonstrate successful attacks on Debian, Fedora and Ubuntu, ending up with root privileges. Patches fix the issue.
---------------------------------------------
https://heise.de/-6144023
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ant, code, dino, firefox-ublock-origin, go, libuv, nextcloud-app-mail, nodejs-lts-erbium, nodejs-lts-fermium, openvswitch, putty, racket, telegram-desktop, and wireshark-cli), Debian (kernel, linux-4.19, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and krb5), Gentoo (systemd), Mageia (perl-Convert-ASN1 and wireshark), openSUSE (caribou, containerd, crmsh, fossil, icinga2, kernel, nextcloud, and systemd), Red Hat (389-ds:1.4, glibc,[...]
---------------------------------------------
https://lwn.net/Articles/863861/
∗∗∗ Apple Releases Security Updates ∗∗∗
---------------------------------------------
Apple has released security updates to address vulnerabilities in Safari 14.1.2 and iOS 14.7.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/apple-releases-se…
∗∗∗ Malware Targeting Pulse Secure Devices ∗∗∗
---------------------------------------------
As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/malware-targeting…
∗∗∗ VU#914124: Arcadyan-based routers and modems vulnerable to authentication bypass ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/914124
∗∗∗ Dell OpenManage Enterprise Hardcoded Credentials / Privilege Escalation / Deserialization ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2021070121
∗∗∗ Security Bulletin: Multiple vulnerabilities in F5 NGINX Controller affect IBM Cloud Pak for Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Nvidia GPU display driver: multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0769
∗∗∗ PuTTY: vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0790
∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-201-01
=====================
= End-of-Day report =
=====================
Timeframe: Monday 19-07-2021 18:00 − Tuesday 20-07-2021 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New MosaicLoader malware targets software pirates via online ads ∗∗∗
---------------------------------------------
An ongoing worldwide campaign is pushing new malware dubbed MosaicLoader, advertised via search engine results as cracked software, to infect the systems of would-be software pirates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mosaicloader-malware-tar…
∗∗∗ Summer of SAM - incorrect permissions on Windows 10/11 hives, (Tue, Jul 20th) ∗∗∗
---------------------------------------------
If you opened Twitter today you were probably flooded with news about the latest security issue with Windows.
---------------------------------------------
https://isc.sans.edu/diary/rss/27652
∗∗∗ 6 typical phishing attacks ∗∗∗
---------------------------------------------
Phishing, smishing, vishing: do you know the difference?
---------------------------------------------
https://sec-consult.com/de/blog/detail/6-common-types-of-phishing-attacks/
∗∗∗ Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware ∗∗∗
---------------------------------------------
The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).
---------------------------------------------
https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-fro…
∗∗∗ Don’t Wanna Pay Ransom Gangs? Test Your Backups. ∗∗∗
---------------------------------------------
Browse the comments on virtually any story about a ransomware attack and you will almost surely encounter the view that the victim organization could have avoided paying their extortionists if only they'd had proper data backups.
---------------------------------------------
https://krebsonsecurity.com/2021/07/dont-wanna-pay-ransom-gangs-test-your-b…
∗∗∗ Beware of fake "Voicemail" SMS ∗∗∗
---------------------------------------------
"You have a new voicemail": countless mobile phone users are currently receiving this annoying fake SMS with a link to an alleged voice message. Do not click the link under any circumstances.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschtem-voicemail-…
∗∗∗ AA21-200A: Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department ∗∗∗
---------------------------------------------
This Joint Cybersecurity Advisory was written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to provide information on a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa21-200a
∗∗∗ Significant Historical Cyber-Intrusion Campaigns Targeting ICS ∗∗∗
---------------------------------------------
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories. These alerts and advisories contain information on historical cyber-intrusion campaigns that have targeted ICS.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/significant-histo…
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3 Security Advisories for 2021-07-20 ∗∗∗
---------------------------------------------
TYPO3-CORE-SA-2021-009 - TYPO3-CORE-SA-2021-012
---------------------------------------------
https://typo3.org/help/security-advisories
∗∗∗ Forensic report: iMessage vulnerability still being used for Pegasus spyware ∗∗∗
---------------------------------------------
Amnesty International assumes that an iMessage vulnerability used to install spyware from the surveillance company NSO Group is still being exploited today.
---------------------------------------------
https://heise.de/-6141467
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, libjdom1-java, rabbitmq-server, and systemd), Fedora (glibc), Gentoo (libpano13, libslirp, mpv, pjproject, pycharm-community, and rpm), Mageia (glibc, libuv, mbedtls, rvxt-unicode, mxrvt, eterm, tomcat, and zziplib), openSUSE (dbus-1, firefox, go1.15, lasso, nodejs10, nodejs12, nodejs14, and sqlite3), SUSE (go1.15), and Ubuntu (containerd).
---------------------------------------------
https://lwn.net/Articles/863617/
∗∗∗ Oracle Releases July 2021 Critical Patch Update ∗∗∗
---------------------------------------------
Oracle has released its Critical Patch Update for July 2021 to address 327 vulnerabilities across multiple products.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/oracle-releases-j…
∗∗∗ Hundreds of millions of HP, Xerox, and Samsung printers vulnerable to new bug ∗∗∗
---------------------------------------------
Security experts have found a severe vulnerability in a common printer driver used by HP, Xerox, and Samsung.
---------------------------------------------
https://therecord.media/hundreds-of-millions-of-hp-xerox-and-samsung-printe…
∗∗∗ New Sequoia bug gives you root access on most Linux systems ∗∗∗
---------------------------------------------
Security auditing firm Qualys said today it discovered a new vulnerability in the Linux operating system that can grant attackers root access on most distros, such as Ubuntu, Debian, and Fedora.
---------------------------------------------
https://therecord.media/new-sequoia-bug-gives-you-root-access-on-most-linux…
∗∗∗ Security updates: root vulnerability threatens FortiManager and FortiAnalyzer ∗∗∗
---------------------------------------------
https://heise.de/-6142498
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect OS Images for Red Hat Linux Systems used by IBM Cloud Pak System (Jan2021 updates) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: Vulnerability in self-service console affects IBM Cloud Pak System (CVE-2021-20478) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-self-ser…
∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale could allow an authenticated user to gain elevated privileges (CVE-2020-9492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Cloud Pak System (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
∗∗∗ Security Bulletin: Vulnerabilities in Docker affect IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-docker…
∗∗∗ Security Bulletin: Vulnerabilities in Python affect OS Image for RedHat bundled with Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python…
∗∗∗ Security Bulletin: Watson Explorer is affected by Apache PDFBox vulnerabilities (CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-watson-explorer-is-affect…
∗∗∗ Security Bulletin: Vulnerability in jackson-databind affects Cloud Pak System (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-…
∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in node.js and OpenSSL (CVE-2021-23840, CVE-2021-22884, CVE-2021-22883) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Vulnerabilities in CODESYS V2 runtime systems ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-670099.html
=====================
= End-of-Day report =
=====================
Timeframe: Friday 16-07-2021 18:00 − Monday 19-07-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Interior Ministry warns of fraudulent SMS ∗∗∗
---------------------------------------------
Scam SMS are once again in circulation: people in Austria keep receiving notifications about a supposedly missed voice message.
---------------------------------------------
https://www.bmi.gv.at/news.aspx?id=50783968547451414D42673D
∗∗∗ VU#131152: Microsoft Windows Print Spooler Point and Print allows installation of arbitrary queue-specific files ∗∗∗
---------------------------------------------
Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process.
---------------------------------------------
https://kb.cert.org/vuls/id/131152
∗∗∗ Fraud via WhatsApp: "I lost my phone, can you transfer money?" ∗∗∗
---------------------------------------------
Using fake pleas for help from relatives, con artists try via WhatsApp to part people from their money, and often succeed, police say.
---------------------------------------------
https://www.golem.de/news/betrug-per-whatsapp-ich-hab-mein-handy-verloren-k…
∗∗∗ That iPhone WiFi crash bug is far worse than initially thought ∗∗∗
---------------------------------------------
An innocuous iPhone bug that could crash the WiFi service has turned out to be far worse than initially thought after mobile security firm ZecOps showed on Friday how the bug could be abused for remote code execution attacks.
---------------------------------------------
https://therecord.media/that-iphone-wifi-crash-bug-is-far-worse-than-initia…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-815: Cisco WebEx Network Recording Player ARF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Cisco WebEx Network Recording Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-815/
∗∗∗ ZDI-21-876: (0Day) Advantech WebAccess/NMS DashBoardAction Missing Authentication Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-876/
∗∗∗ ZDI-21-879: (0Day) WSO2 API Manager JMX Use of Hard-coded Credentials Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of WSO2 API Manager. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-879/
∗∗∗ ZDI-21-877: (0Day) Autodesk Meshmixer 3MF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Meshmixer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-877/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, firefox, mbedtls, nextcloud, python-pillow, ruby, ruby2.6, ruby2.7, systemd, thunderbird, varnish, and vivaldi), Debian (thunderbird), Fedora (chromium, firefox, and linux-firmware), Gentoo (apache, commons-fileupload, dovecot, and mediawiki), openSUSE (firefox, fossil, go1.16, and icinga2), Oracle (firefox, kernel, and kernel-container), Red Hat (nettle), and SUSE (firefox and go1.16).
---------------------------------------------
https://lwn.net/Articles/863453/
∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.
---------------------------------------------
https://support.citrix.com/article/CTX319135
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE results in a low confidentiality impact ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil…
∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Handlebars.js (CVE-2019-19919, CVE-2021-32820) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Jazz Foundation and IBM Engineering products. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a…
∗∗∗ Security Bulletin: IBM Security SOAR could allow a privileged user to import non-approved Python2 modules (CVE-2021-29780). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-a…
∗∗∗ Security Bulletin: A vulnerability in netty affects IBM Spectrum Scale Transparent Cloud Tier CVE-2021-21409 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-…
∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve…
∗∗∗ Security Bulletin: Vulnerability in shell affects Power Hardware Management Console (CVE-2021-29707). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-shell-af…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 15-07-2021 18:00 − Friday 16-07-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Waiting for patches: new printer vulnerability discovered in Windows ∗∗∗
---------------------------------------------
Once again, attackers could attack Windows via a printer vulnerability and execute malicious code. So far there is only a workaround to secure affected systems.
---------------------------------------------
https://heise.de/-6140346
∗∗∗ Vulnerabilities in Etherpad Collaboration Tool Allow Data Theft ∗∗∗
---------------------------------------------
XSS and Argument Injection Flaws Found in Popular Etherpad Collaboration Tool
---------------------------------------------
https://www.securityweek.com/vulnerabilities-etherpad-collaboration-tool-al…
∗∗∗ Introduction to ICS Security Part 2 ∗∗∗
---------------------------------------------
An introduction to the Purdue Enterprise Reference Architecture (PERA), additional reference models, and best practices for secure ICS architectures.
---------------------------------------------
https://www.sans.org/blog/introduction-to-ics-security-part-2?msc=rss
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Intelligent Proximity SSL Certificate Validation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints if the products meet the conditions described in the Vulnerable Products section. The vulnerability is due to a lack of validation of the SSL server certificate received when establishing a connection to a Cisco Webex video device (Version: 1.1 Description: Added fixed releases.)
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Adaptive Security Appliance Software Release 9.16.1 and Cisco Firepower Threat Defense Software Release 7.0.0 IPsec Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the software cryptography module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker or an unauthenticated attacker in a man-in-the-middle position to cause an unexpected reload of the device that results in a denial of service (DoS) condition. The vulnerability is due to a logic error in how the software cryptography module handles specific types of [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Code-execution vulnerabilities closed in the Junos OS network operating system ∗∗∗
---------------------------------------------
Attackers could attack Juniper routers and switches, among other devices. Security updates fix the issue.
---------------------------------------------
https://heise.de/-6140423
∗∗∗ WordPress plugin: WooCommerce closes critical security vulnerability ∗∗∗
---------------------------------------------
After the patch was published, WordPress initiated an automated forced update. Nevertheless, not all shops may have received it yet.
---------------------------------------------
https://heise.de/-6140221
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in D-LINK DIR-3040 ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in the D-LINK DIR-3040 wireless router. The DIR-3040 is an AC3000-based wireless internet router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions, including exposing sensitive information, causing a denial of service and gaining the ability to execute arbitrary code.
---------------------------------------------
https://blog.talosintelligence.com/2021/07/vuln-spotlight-d-link.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox), Debian (firefox-esr), Fedora (linuxptp), Gentoo (commons-collections), Mageia (aom, firefox, python-django, thunderbird, and tpm2-tools), openSUSE (claws-mail, kernel, nodejs10, and nodejs14), Red Hat (nettle), Scientific Linux (firefox), SUSE (firefox, kernel, nodejs10, and nodejs14), and Ubuntu (libslirp and qemu).
---------------------------------------------
https://lwn.net/Articles/863180/
∗∗∗ Ypsomed mylife ∗∗∗
---------------------------------------------
This advisory contains mitigations for Insufficiently Protected Credentials, Not Using an Unpredictable IV with CBC Mode, and Use of Hard-coded Credentials vulnerabilities in the Ypsomed mylife diabetes management platform.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-196-01
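One of the weakness classes the advisory lists, "Not Using an Unpredictable IV with CBC Mode", is easy to state and easy to get wrong, so here is an added example (not code from the CISA advisory or from Ypsomed) showing what a fixed IV leaks. The keyed block function is a stand-in built from HMAC-SHA256 truncated to 16 bytes rather than a real cipher, which is an assumption made only for portability: CBC encryption uses just the forward direction, which is all the demonstration needs. Key, IV and the two patient records are constructed for the example.

```python
"""
Added example, not code from the CISA advisory or from Ypsomed: why CBC mode
needs an unpredictable IV, which is one of the weakness classes the advisory
lists. The keyed block function is a stand-in built from HMAC-SHA256 truncated
to 16 bytes; it is not a real block cipher (it has no inverse), but CBC
encryption only uses the forward direction, which is all that is needed to show
the leak. Key, IV and messages below are constructed for the demonstration.
"""
import hashlib
import hmac
import os

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (forward-only PRF, see docstring)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV."""
    padded = pkcs7_pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        chained = bytes(p ^ c for p, c in zip(padded[i:i + BLOCK], prev))
        prev = block_encrypt(key, chained)
        out.append(prev)
    return b"".join(out)


FIXED_IV = b"\x00" * BLOCK   # the weak pattern: a constant, hence predictable, IV


def encrypt_fixed_iv(key: bytes, msg: bytes) -> bytes:
    return cbc_encrypt(key, FIXED_IV, msg)


def encrypt_random_iv(key: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)                 # fresh, unpredictable IV per message ...
    return iv + cbc_encrypt(key, iv, msg)  # ... sent in the clear ahead of the ciphertext


def first_blocks_collide(ct_a: bytes, ct_b: bytes, offset: int = 0) -> bool:
    """True if the first ciphertext blocks (after `offset` bytes of IV) are identical."""
    return ct_a[offset:offset + BLOCK] == ct_b[offset:offset + BLOCK]


# Constructed records sharing their first 16 bytes ("patient=1234;dos") but differing later.
MSG_A = b"patient=1234;dose=10u"
MSG_B = b"patient=1234;dose=12u"


def demo(key: bytes) -> dict:
    """Compare what an eavesdropper learns under a fixed IV versus a random IV."""
    fixed_a, fixed_b = encrypt_fixed_iv(key, MSG_A), encrypt_fixed_iv(key, MSG_B)
    rand_a, rand_b = encrypt_random_iv(key, MSG_A), encrypt_random_iv(key, MSG_B)
    return {
        # fixed IV: the same record encrypts identically every time (replay, dictionary attacks)
        "fixed_iv_deterministic": encrypt_fixed_iv(key, MSG_A) == fixed_a,
        # fixed IV: equal first blocks reveal that the two records share a prefix
        "fixed_iv_leaks_prefix": first_blocks_collide(fixed_a, fixed_b),
        # random IV: no such equality, so nothing about the plaintexts is revealed
        "random_iv_leaks_prefix": first_blocks_collide(rand_a, rand_b, offset=BLOCK),
        "random_iv_deterministic": encrypt_random_iv(key, MSG_A) == rand_a,
    }


if __name__ == "__main__":
    for name, value in demo(b"\x01" * 16).items():
        print(f"{name:26s} {value}")
```

The first two results are the problem the advisory points at: with a constant IV, an observer of the encrypted traffic can tell when two records start the same way and when a record is repeated, without knowing the key. Prepending a fresh random IV to each ciphertext, as `encrypt_random_iv` does, removes both leaks at the cost of 16 extra bytes per message.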
∗∗∗ Icinga: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0758
∗∗∗ [webapps] Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/50132
∗∗∗ Security Bulletin: IBM i2 Analyze is affected by multiple DB2 vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-is-affecte…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM DB2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM QRadar SIEM uses less secure methods for securing data at rest and in transit between hosts (CVE-2020-4980) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-uses-less…
∗∗∗ Security Bulletin: A vulnerability in netty affects IBM Spectrum Scale Transparent Cloud Tier (CVE-2021-21295) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-…
∗∗∗ Security Bulletin: 3RD PARTY IBM InfoSphere MDM Inspector – Cross Site Request Forgery ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-3rd-party-ibm-infosphere-…
∗∗∗ Security Bulletin: IBM Data Replication Support Tool Information Collection on Sybase Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-supp…
∗∗∗ Security Bulletin: IBM Data Replication Affected by Multiple Vulnerabilities in IBM Java SDK ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe…
∗∗∗ Security Bulletin: IBM Data Replication Affected by IBM Java SDK Vulnerability (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe…
∗∗∗ Security Bulletin: Dojo vulnerability in WebSphere Liberty affects Collaboration and Deployment Services (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-dojo-vulnerability-in-web…
∗∗∗ Security Bulletin: IBM Data Replication Affected by Multiple Vulnerabilities in IBM Java SDK ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe…
∗∗∗ Security Bulletin: IBM Data Replication Affected by Vulnerabilities in IBM Java SDK (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-affe…
∗∗∗ Security Bulletin: IBM Data Replication Management Console Authentication Affected by Anonymous Binding (CVE-2020-4821) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-mana…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 14-07-2021 18:00 − Thursday 15-07-2021 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ IT security: more and more zero-day exploits discovered in attacks ∗∗∗
---------------------------------------------
Security researchers are recording more and more attacks that exploit previously unknown security vulnerabilities. That need not be a bad sign, however, the researchers say.
---------------------------------------------
https://www.golem.de/news/it-sicherheit-immer-mehr-zero-day-exploits-bei-an…
∗∗∗ Attacks on end-of-life Sonicwall remote access products ∗∗∗
---------------------------------------------
Attackers are currently hitting Sonicwall Secure Mobile Access and Secure Remote Access devices that are no longer supported with ransomware.
---------------------------------------------
https://heise.de/-6139330
∗∗∗ Green Pass: what you need to watch out for! ∗∗∗
---------------------------------------------
Since recently, the "Green Pass" lets you prove digitally that you are vaccinated, tested or recovered. But what is the "Green Pass" and how can it be used? It can be used in different forms: printed out, via app, as a photo, etc. We show you how to obtain it and what to watch out for.
---------------------------------------------
https://www.watchlist-internet.at/news/gruener-pass-worauf-sie-achten-muess…
∗∗∗ Ransomware: Interpol warns of exponential growth ∗∗∗
---------------------------------------------
According to Interpol, cybercriminals operate across borders and mostly go unpunished. Without cooperation between investigators and the private sector, the police agency fears a "ransomware pandemic".
---------------------------------------------
https://www.zdnet.de/88395786/ransomware-interpol-warnt-vor-exponentiellen-…
∗∗∗ BazarBackdoor sneaks in through nested RAR and ZIP archives ∗∗∗
---------------------------------------------
Security researchers caught a new phishing campaign that tried to deliver the BazarBackdoor malware by using the multi-compression technique and masking it as an image file.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-thro…
∗∗∗ Linux version of HelloKitty ransomware targets VMware ESXi servers ∗∗∗
---------------------------------------------
The ransomware gang behind the highly publicized attack on CD Projekt Red uses a Linux variant that targets VMware's ESXi virtual machine platform for maximum damage.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-…
∗∗∗ USPS Phishing Using Telegram to Collect Data, (Tue, Jul 13th) ∗∗∗
---------------------------------------------
Phishing... at least they don't understand security any better than most kids. The latest example is a simple USPS phish. The lure is an email claiming that a package can not be delivered until I care to update my address. Urgency... and obvious action. They learned something in their phishing 101 class.
---------------------------------------------
https://isc.sans.edu/diary/rss/27630
∗∗∗ An Overview of Basic WordPress Hardening ∗∗∗
---------------------------------------------
We have discussed in the past how out-of-the-box security configurations tend to not be very secure. This is usually true for all software and WordPress is no exception. While there are a plethora of different ways that site owners can lock down their website, in this post we are going to review the most basic hardening mechanisms that WordPress website owners can employ to improve their security. We will also review the pros and cons of these different tactics.
---------------------------------------------
https://blog.sucuri.net/2021/07/basic-wordpress-hardening.html
∗∗∗ macOS: Bashed Apples of Shlayer and Bundlore ∗∗∗
---------------------------------------------
The Uptycs threat research team has been observing over 90% of macOS malware in our daily analysis and customer telemetry alerts using shell scripts. Though these scripts have slight variations, they mostly belong to a plague of adware strains—Shlayer and Bundlore. These malware are the most predominant malware in macOS, also with a history of evading and bypassing the built-in Xprotect, Gatekeeper, Notarization and File Quarantine security features of macOS.
---------------------------------------------
https://www.uptycs.com/blog/macos-bashed-apples-of-shlayer-and-bundlore
∗∗∗ Gasket and MagicSocks Tools Install Mespinoza Ransomware ∗∗∗
---------------------------------------------
As cyber extortion flourishes, ransomware gangs are constantly changing tactics and business models to increase the chances that victims will pay increasingly large ransoms. As these criminal organizations become more sophisticated, they are increasingly taking on the appearance of professional enterprises.
---------------------------------------------
https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mes…
∗∗∗ CISA Insights: Guidance for MSPs and Small- and Mid-sized Businesses ∗∗∗
---------------------------------------------
Original release date: July 14, 2021. CISA has released CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses, which provides mitigation and hardening guidance to help these organizations strengthen their defenses against cyberattacks. Many small- and mid-sized businesses use MSPs to manage IT systems, store data, or support sensitive processes, making MSPs valuable targets for malicious cyber actors. Compromises of MSPs—such as with the recent [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/07/14/cisa-insights-gui…
=====================
= Vulnerabilities =
=====================
∗∗∗ SA44846 - OpenSSL Security Advisory CVE-2021-23841 ∗∗∗
---------------------------------------------
On February 16 2021, the OpenSSL project announced a new security advisory. These issues may affect Pulse Secure products. [...] Pulse Secure is currently evaluating the following issues reported by OpenSSL: As the investigation continues, we recommend subscribing to this advisory as it will be periodically updated to reflect the current status.
---------------------------------------------
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
∗∗∗ Juniper Security Advisories ∗∗∗
---------------------------------------------
On 14.7.2021 Juniper published 32 security advisories with the following severity levels: 12x Medium, 15x High, 5x Critical
---------------------------------------------
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS…
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in the Advantech R-SeeNet monitoring software. R-SeeNet is the software system used for monitoring Advantech routers. [...] Talos is disclosing these vulnerabilities despite no official update from Advantech inside the 90-day deadline, as outlined in Cisco’s vulnerability disclosure policy.
---------------------------------------------
https://blog.talosintelligence.com/2021/07/vuln-spotlight-r-see-net.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and php7.0), Fedora (firefox, mingw-djvulibre, and seamonkey), Gentoo (fluidsynth, openscad, and urllib3), openSUSE (ffmpeg, nodejs12, and sqlite3), Red Hat (firefox), and SUSE (ffmpeg, kernel, nodejs10, nodejs12, nodejs14, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/863001/
∗∗∗ Lenovo Working on Patches for BIOS Vulnerabilities Affecting Many Laptops ∗∗∗
---------------------------------------------
Lenovo this week published information on three vulnerabilities that impact the BIOS of two of its desktop products and approximately 60 laptop and notebook models.
---------------------------------------------
https://www.securityweek.com/lenovo-working-patches-bios-vulnerabilities-af…
∗∗∗ Kubernetes: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0751
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® WebSphere Application Server Liberty affect IBM LKS Administration and Reporting Tool and its Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by vulnerability in Java SE (CVE-2020-14579) (CVE-2020-14578) (CVE-2020-14577) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Watson Compare and Comply for IBM Cloud Pak for Data affected by vulnerability in Apache PDFBox ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-compare-and-co…
∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Apache Commons (CVE-2021-29425) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin…
∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities – Eclipse Jetty (CVE-2021-28163, CVE-2021-28165, CVE-2020-27223) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a specially-crafted sequence of serialized objects (CVE-2020-4576) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 13-07-2021 18:00 − Wednesday 14-07-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Updated Joker Malware Floods into Android Apps ∗∗∗
---------------------------------------------
The Joker premium billing-fraud malware is back on Google Play in a fresh onslaught, with an updated bag of tricks to evade scanners.
---------------------------------------------
https://threatpost.com/updated-joker-malware-android-apps/167776/
∗∗∗ Cybercrime gang REvil has disappeared from the scene ∗∗∗
---------------------------------------------
The criminals extorted more than 1000 companies whose data they encrypted in the Kaseya supply-chain attack. Now their servers are no longer reachable.
---------------------------------------------
https://heise.de/-6137119
∗∗∗ Identity theft instead of a loan: Do not take out a loan on 1superkredit.com or kredit-united.com! ∗∗∗
---------------------------------------------
Are you looking for a loan? Then you may come across the websites 1superkredit.com or kredit-united.com. Two websites that have a lot in common: they look very similar, advertise loans on favourable terms, and behind both sites are fraudsters.
---------------------------------------------
https://www.watchlist-internet.at/news/identitaetsdiebstahl-statt-darlehen-…
∗∗∗ CISA Releases Analysis of FY20 Risk and Vulnerability Assessments ∗∗∗
---------------------------------------------
CISA has released an analysis and infographic detailing the findings from the Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year (FY) 2020 across multiple sectors.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/07/08/cisa-releases-ana…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall warns of critical ransomware risk to SMA 100 VPN appliances ∗∗∗
---------------------------------------------
SonicWall has issued an "urgent security notice" warning customers of ransomware attacks targeting unpatched end-of-life (EoL) Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-…
∗∗∗ Authentication bypass & remote code execution in Schneider Electric EVlink charging stations ∗∗∗
---------------------------------------------
Schneider Electric charging stations for electric cars of the "EVlink" series are affected by two vulnerabilities that allow an attacker to take over the system and execute arbitrary commands on it.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/authentication-bypass…
∗∗∗ Microsoft Patch Tuesday: Attackers exploit four security vulnerabilities in Windows ∗∗∗
---------------------------------------------
Among other things, Microsoft closes critical code-execution vulnerabilities in its Windows Defender protection solution. Besides the active attacks, further attacks could be imminent.
---------------------------------------------
https://heise.de/-6137050
∗∗∗ Patch day: Adobe closes critical vulnerabilities in Bridge, Illustrator & Co. ∗∗∗
---------------------------------------------
There are important security updates for various Adobe applications. Attackers could execute malicious code.
---------------------------------------------
https://heise.de/-6137110
∗∗∗ SAP patch day: Attackers could gain unauthorized access to NetWeaver ∗∗∗
---------------------------------------------
Software vendor SAP closes several security vulnerabilities in its portfolio.
---------------------------------------------
https://heise.de/-6137467
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (xstream), Debian (linuxptp), Fedora (glibc and krb5), Gentoo (pillow and thrift), Mageia (ffmpeg and libsolv), openSUSE (kernel and qemu), SUSE (kernel), and Ubuntu (php5, php7.0).
---------------------------------------------
https://lwn.net/Articles/862855/
∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address 100 Vulnerabilities ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric on Tuesday released a total of two dozen advisories covering roughly 100 vulnerabilities affecting their products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr…
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-…
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-…
∗∗∗ Security Advisory - Logic Error Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210714-…
∗∗∗ Security Bulletin: Unrestricted document type definition vulnerability affects IBM Sterling Secure Proxy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-unrestricted-document-typ…
∗∗∗ Security Bulletin: A security vulnerability was fixed in IBM Security Access Manager and IBM Security Verify Access Docker containers ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Multiple Security vulnerabilities have been fixed in the IBM Security Verify Access Docker container ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure External Authentication Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Apache PDFBox Vulnerabilities Affect IBM Control Center (CVE-2021-31811, CVE-2021-31812) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-pdfbox-vulnerabili…
∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure External Authentication Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Secure Proxy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ VMSA-2021-0015 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0015.html
∗∗∗ Schneider Electric C-Bus Toolkit ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-194-01
∗∗∗ Schneider Electric SCADApack RTU, Modicon Controllers, and Software ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-194-02
=====================
= End-of-Day report =
=====================
Timeframe: Monday 12-07-2021 18:00 − Tuesday 13-07-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Trickbot Activity Increases; new VNC Module On the Radar ∗∗∗
---------------------------------------------
Despite the takedown attempt, Trickbot is more active than ever. In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets.
---------------------------------------------
https://www.bitdefender.com/blog/labs/trickbot-activity-increases-new-vnc-m…
∗∗∗ Do not book your accommodation on fewolio.de ∗∗∗
---------------------------------------------
fewolio.de is a dubious booking platform for luxury holiday homes in Germany. The fraudulent platform stands out above all for its low prices and short-notice availability.
---------------------------------------------
https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-auf…
=====================
= Vulnerabilities =
=====================
∗∗∗ IT security: New vulnerability at Solarwinds ∗∗∗
---------------------------------------------
There were problems with a file-exchange software product from Solarwinds. An attacker has apparently been actively exploiting the vulnerability.
---------------------------------------------
https://www.golem.de/news/it-sicherheit-neue-sicherheitsluecke-bei-solarwin…
∗∗∗ ModiPwn ∗∗∗
---------------------------------------------
Armis researchers discover a critical vulnerability in Schneider Electric Modicon PLCs. The vulnerability can allow attackers to bypass authentication mechanisms which can lead to native remote-code-execution on vulnerable PLCs.
---------------------------------------------
https://www.armis.com/research/modipwn/
∗∗∗ Siemens Security Advisories 2021-07-13 ∗∗∗
---------------------------------------------
Siemens has published 18 new and 5 updated security advisories. (CVSS scores from 5.3 to 9.8)
---------------------------------------------
https://new.siemens.com/de/de/produkte/services/cert.html
∗∗∗ Citrix Virtual Apps and Desktops Security Update ∗∗∗
---------------------------------------------
A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.
---------------------------------------------
https://support.citrix.com/article/CTX319750
∗∗∗ Examining Crypto and Bypassing Authentication in Schneider Electric PLCs (M340/M580) ∗∗∗
---------------------------------------------
What you see in the picture above is similar to what you might see at a factory, plant, or inside a machine. At the core of it is Schneider Electric’s Modicon M340 programmable logic controller (PLC).
---------------------------------------------
https://medium.com/tenable-techblog/examining-crypto-and-bypassing-authenti…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (sogo), Fedora (libvirt), Gentoo (polkit), Mageia (binutils, freeradius, guile1.8, kernel, kernel-linus, libgrss, mediawiki, mosquitto, php-phpmailer, and webmin), openSUSE (bluez and jdom2), Oracle (kernel and xstream), Scientific Linux (xstream), and SUSE (kernel and python-pip).
---------------------------------------------
https://lwn.net/Articles/862767/
∗∗∗ Recently Patched ForgeRock AM Vulnerability Exploited in Attacks ∗∗∗
---------------------------------------------
Government agencies in the United States and Australia warn organizations that a recently patched vulnerability affecting ForgeRock Access Management has been exploited in the wild.
---------------------------------------------
https://www.securityweek.com/recently-patched-forgerock-am-vulnerability-ex…
∗∗∗ ZDI-21-786: Trend Micro Apex One Incorrect Permission Assignment Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-786/
∗∗∗ ZDI-21-789: (0Day) GoPro Player MOV File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-789/
∗∗∗ ZDI-21-788: (0Day) GoPro Player MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-788/
∗∗∗ ZDI-21-787: (0Day) GoPro Player MOV File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-787/
∗∗∗ SAP Software: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0734
∗∗∗ Security Bulletin: A vulnerability was found in Oniguruma 6.9.2 that would result in a NULL Pointer Dereference, affecting IBM Cloud Pak for Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-found…
∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 where insecure http communications are used ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator, affecting IBM Cloud Pak for Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-out-of-bounds-read-vul…
∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 where an error message may disclose implementation details ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Applications v4.3 does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applica…
∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack due to target blank set in HTML anchor tags ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 which may allow a malicious attacker to obtain sensitive user information from memory ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: A vulnerability has been found in x/test package before 0.3.3 for Go that could lead to an infinite loop, affecting IBM Cloud Pak for Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilty-has-been-f…
∗∗∗ Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes the possibility of a cross-site scripting attack. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ VMSA-2021-0014 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0014.html
∗∗∗ glibc vulnerability CVE-2020-27618 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08641512
∗∗∗ Apache Cassandra vulnerability CVE-2020-13946 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K36212405
∗∗∗ Apache Tomcat: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0733
∗∗∗ Icinga: Multiple vulnerabilities allow disclosure of information ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0732
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/adobe-releases-se…
∗∗∗ Security Advisories SYSS-2021-022, SYSS-2021-023, SYSS-2021-025 and SYSS-2021-026 for P&I software LOGA3 ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/security-advisories-syss-2021-022-syss-202…
∗∗∗ SYSS-2021-020, SYSS-2021-021, SYSS-2021-027: Multiple vulnerabilities in Element-IT HTTP Commander ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-020-syss-2021-021-syss-2021-027-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 09-07-2021 18:00 − Monday 12-07-2021 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Conti Unpacked | Understanding Ransomware Development As a Response to Detection ∗∗∗
---------------------------------------------
Not yet two years old and already in its seventh iteration, Ransomware as a Service variant Conti has proven to be an agile and adept malware threat, capable of both autonomous and guided operation and with unparalleled encryption speed. [...] In this report, we describe in unprecedented detail the rapid evolution of this ransomware and how it has adapted quickly to defenders’ attempts to detect and analyze it.
---------------------------------------------
https://labs.sentinelone.com/conti-unpacked-understanding-ransomware-develo…
∗∗∗ Ransomware tracker: the latest figures ∗∗∗
---------------------------------------------
Ransomware attacks have been dominating the headlines, thanks to high-profile incidents against organizations including Colonial Pipeline, JBS, and Kaseya. But an analysis of attacks against certain sectors shows that not all industries are impacted to the same degree...
---------------------------------------------
https://therecord.media/ransomware-tracker-the-latest-figures/
=====================
= Vulnerabilities =
=====================
∗∗∗ Serv-U Remote Memory Escape Vulnerability CVE-2021-35211 ∗∗∗
---------------------------------------------
UPDATE July 10, 2021: NOTE: This security vulnerability only affects Serv-U Managed File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. SolarWinds was recently notified by Microsoft of a security vulnerability related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and has developed a hotfix to resolve this vulnerability.
---------------------------------------------
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
∗∗∗ Patch now! Security patch closes REvil vulnerability in Kaseya VSA ∗∗∗
---------------------------------------------
Admins should update Kaseya's IT management software VSA promptly. Attackers are currently exploiting several security vulnerabilities.
---------------------------------------------
https://heise.de/-6134473
∗∗∗ SECURITY BULLETIN: Trend Micro Worry-Free Business Security Incorrect Permission Assignment Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
Trend Micro has released new patches for Trend Micro Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services that resolve an incorrect permission assignment denial-of-service vulnerability.
---------------------------------------------
https://success.trendmicro.com/solution/000286856
∗∗∗ Security updates for Saturday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (gitlab, nodejs, openexr, php, php7, rabbitmq, ruby-addressable, and spice), Fedora (suricata), Gentoo (binutils, docker, runc, and tor), Mageia (avahi, botan2, connman, gstreamer1.0-plugins, htmldoc, jhead, libcroco, libebml, libosinfo, openexr, php, php-smarty, pjproject, and python), openSUSE (apache2, bind, bouncycastle, ceph, containerd, docker, runc, cryptctl, curl, dovecot23, firefox, graphviz, gstreamer-plugins-bad, java-1_8_0-openj9, java-1_8_0-openjdk, libass, libjpeg-turbo, libopenmpt, libqt5-qtwebengine, libu2f-host, libwebp, libX11, lua53, lz4, nginx, ovmf, postgresql10, postgresql12, python-urllib3, qemu, roundcubemail, solo, thunderbird, ucode-intel, wireshark, and xterm), and SUSE (permissions).
---------------------------------------------
https://lwn.net/Articles/862487/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (djvulibre), Gentoo (connman, gnuchess, openexr, and xen), openSUSE (arpwatch, avahi, dbus-1, dhcp, djvulibre, freeradius-server, fribidi, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, gupnp, hivex, icinga2, jdom2, jetty-minimal, kernel, kubevirt, libgcrypt, libnettle, libxml2, openexr, openscad, pam_radius, polkit, postgresql13, python-httplib2, python-py, python-rsa, qemu, redis, rubygem-actionpack-5_1, salt, snakeyaml, squid, tpm2.0-tools, and xstream), Red Hat (xstream), and SUSE (bluez, csync2, dbus-1, jdom2, postgresql13, redis, slurm_20_11, and xstream).
---------------------------------------------
https://lwn.net/Articles/862673/
∗∗∗ Security Bulletin: Vulnerability in IBM Guardium Data Encryption (GDE) (CVE-2021-20414) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-guar…
∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM MQ Appliance affected by a cross-site request forgery vulnerability (CVE-2020-4938) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected…
∗∗∗ Security Bulletin: Apache CXF Vulnerability Affects IBM Global Mailbox (CVE-2021-22696) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-…
∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2020-27618) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec…
∗∗∗ Security Bulletin: Event Streams documentation for generating .p12 files incorrectly adds the CA key into the file (CVE-2021-29792) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-event-streams-documentati…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Tivoli Netcool/OMNIbus WebGUI (CVE-2021-29803, CVE-2021-29804, CVE-2021-29805, CVE-2021-29822) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by Mozilla Network Security Services (NSS) vulnerability (CVE-2020-25648) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple AngularJS vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner…
∗∗∗ Critical ForgeRock Access Management Vulnerability ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgeroc…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 08-07-2021 18:00 − Friday 09-07-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Kaseya warns of phishing campaign pushing fake security updates ∗∗∗
---------------------------------------------
Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kaseya-warns-of-phishing-cam…
∗∗∗ Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability ∗∗∗
---------------------------------------------
On Tuesday, July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability. Following the out-of-band (OOB) release we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/07/08/clarified-guidance-for-cve-2…
∗∗∗ Hancitor tries XLL as initial malware file, (Fri, Jul 9th) ∗∗∗
---------------------------------------------
On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive an XLL file instead of a malicious Word doc. I tried one of the email links in my lab and received the malicious XLL file. After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead.
---------------------------------------------
https://isc.sans.edu/diary/rss/27618
∗∗∗ Security updates: Admin vulnerability threatens Cisco Business Process Automation ∗∗∗
---------------------------------------------
Network equipment maker Cisco has released patches for various products that close multiple security vulnerabilities.
---------------------------------------------
https://heise.de/-6133522
∗∗∗ ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks ∗∗∗
---------------------------------------------
The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.
---------------------------------------------
https://www.securityweek.com/zloader-adopts-new-macro-related-delivery-tech…
∗∗∗ CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict ∗∗∗
---------------------------------------------
In May of 2021, Microsoft released a patch to correct CVE-2021-28474, a remote code execution bug in supported versions of Microsoft SharePoint Server. This bug was reported to ZDI by an anonymous researcher and is also known as ZDI-21-574. This blog takes a deeper look at the root cause of this vulnerability.
---------------------------------------------
https://www.thezdi.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-…
∗∗∗ Ransomwhere project wants to create a database of past ransomware payments ∗∗∗
---------------------------------------------
A new website launched this week wants to create a crowdfunded, free, and open database of past ransomware payments in the hopes of expanding visibility into the broader picture of the ransomware ecosystem.
---------------------------------------------
https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-p…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2 and scilab), Fedora (chromium and perl-Mojolicious), Gentoo (inspircd, redis, and wireshark), and Mageia (fluidsynth, glib2.0, gnome-shell, grub2, gupnp, hivex, libupnp, redis, and zstd).
---------------------------------------------
https://lwn.net/Articles/862299/
∗∗∗ Rockwell Automation MicroLogix 1100 ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in Rockwell Automation MicroLogix 1100.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-189-01
∗∗∗ MDT AutoSave ∗∗∗
---------------------------------------------
This advisory contains mitigations for Inadequate Encryption Strength, SQL Injection, Relative Path Traversal, Command Injection, Uncontrolled Search Path Element, Generation of Error Message Containing Sensitive Information, and Unrestricted Upload of File with Dangerous Type in MDT Software in MDT Autosave Products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-189-02
∗∗∗ Vulnerabilities in CODESYS V2 runtime systems ∗∗∗
---------------------------------------------
BOSCH-SA-475180: The control systems SYNAX, Visual Motion, IndraLogic, IndraMotion MTX, IndraMotion MLC and IndraMotion MLD contain PLC technology from CODESYS GmbH. The manufacturer CODESYS GmbH published a security bulletin (1) about a weakness in the protocol for the communication between the PLC runtime and clients. By exploiting the vulnerability, attackers can send crafted communication packets which may result in a denial of service condition or, in the worst case, allow remote code execution.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-475180.html
∗∗∗ voidtools "Everything" vulnerable to HTTP header injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN68971465/
∗∗∗ Apache Pulsar vulnerability CVE-2021-22160 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K68146245
∗∗∗ Apache vulnerability CVE-2021-30641 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13815051
∗∗∗ Advisory: Denial of service vulnerability on Automation Runtime webserver ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16254055…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL injection ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to a denial of service vulnerability in Angular.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-11868, CVE-2020-13817) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Solr ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10531) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM InfoSphere Information Analyzer is vulnerable to cross-site scripting. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-07-2021 18:00 − Thursday 08-07-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ iCloud problem allowed password brute force – Apple in dispute with the discoverer ∗∗∗
---------------------------------------------
A security researcher succeeded in resetting certain Apple IDs by way of a race condition and a large number of IP addresses. Supposedly iPhone PINs were also at risk.
---------------------------------------------
https://heise.de/-6120219
∗∗∗ Beware of fraudulent and dubious apps! ∗∗∗
---------------------------------------------
There are numerous smartphone apps that make everyday life easier. But there are also apps that can make life harder: dubious applications often turn out to be expensive subscription traps or data harvesters. Apps that infect users' devices with malware are also a popular scam of cybercriminals. We show you how to protect yourself against them.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-und-uns…
∗∗∗ Kubernetes at risk ∗∗∗
---------------------------------------------
Kubernetes containers and clusters are becoming ever more popular, but as a result they are also coming into the crosshairs of hackers. Palo Alto Networks and Red Hat explain the underestimated security risk and how Kubernetes instances become sources of danger.
---------------------------------------------
https://www.zdnet.de/88395662/kubernetes-gefaehrdet/
∗∗∗ Using Sudo with Python For More Security Controls, (Thu, Jul 8th) ∗∗∗
---------------------------------------------
I'm a big fan of the Sudo[1] command. This tool, available on every UNIX flavor, allows system administrators to provide access to certain users/groups to certain commands as root or another user. This is performed with a lot of granularity in the access rights and logging/reporting features. I have been using it for many years and I'm still learning great stuff about it. Yesterday, at the Pass-The-Salt[2] conference, Peter Czanik presented a great feature of Sudo (available since version 1.9): the ability to extend features using Python modules!
---------------------------------------------
https://isc.sans.edu/diary/rss/27614
∗∗∗ Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails ∗∗∗
---------------------------------------------
On July 2nd, a massive ransomware attack was launched against roughly 50 managed services providers (MSPs) by criminals associated with the REvil ransomware-as-a-service (RaaS) group. The attack leveraged the on-premises servers deployed by IT Management Software vendor Kaseya.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deep…
∗∗∗ Magecart Swiper Uses Unorthodox Concatenation ∗∗∗
---------------------------------------------
MageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites with the goal of stealing credit card numbers and selling them on the black market. They remain an ever-growing threat to website owners. We’ve said many times on this blog that the attackers are constantly using new techniques to evade detection. In this post I will go over a case involving one such MageCart group.
---------------------------------------------
https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenati…
∗∗∗ Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say ∗∗∗
---------------------------------------------
I pity the spool / Updated / Any celebrations that Microsoft's out-of-band patch had put a stop to PrintNightmare shenanigans may have been premature.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/07/07/printnightma…
∗∗∗ Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software ∗∗∗
---------------------------------------------
Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya's customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.
---------------------------------------------
https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-…
∗∗∗ 3 things the Kaseya attack can teach us about ransomware recovery ∗∗∗
---------------------------------------------
Some lessons on dealing with ransomware recovery, thanks to the admirable transparency of a Dutch MSP impacted by the REvil attack on Kaseya.
---------------------------------------------
https://blog.malwarebytes.com/ransomware/2021/07/3-things-the-kaseya-attack…
∗∗∗ Non-Malicious Android Crypto Mining Apps Scam Users at Scale ∗∗∗
---------------------------------------------
With no bad behavior, the mobile apps are difficult to detect by automated security scans.
---------------------------------------------
https://www.securityweek.com/non-malicious-android-crypto-mining-apps-scam-…
∗∗∗ Ransomware as a service: Negotiators are now in high demand ∗∗∗
---------------------------------------------
RaaS groups are hiring negotiators whose primary role is to force victims to pay up.
---------------------------------------------
https://www.zdnet.com/article/ransomware-as-a-service-negotiators-between-h…
∗∗∗ Global Phishing Campaign Targets Energy Sector and its Suppliers ∗∗∗
---------------------------------------------
Our research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries. The attack also targets oil & gas suppliers, possibly indicating that this is only the first stage in a wider campaign.
---------------------------------------------
https://www.intezer.com/blog/research/global-phishing-campaign-targets-ener…
=====================
= Vulnerabilities =
=====================
∗∗∗ Android Patch Day July ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Google Android to execute arbitrary code with administrator privileges, escalate privileges or disclose information.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0725
∗∗∗ Attackers can chain security vulnerabilities in the resource planning tool Sage X3 ∗∗∗
---------------------------------------------
Systems running Sage X3 can be attacked, among other things, via a critical vulnerability with the highest severity rating.
---------------------------------------------
https://heise.de/-6132418
∗∗∗ Vulnerability Spotlight: Information disclosure, privilege escalation vulnerabilities in IOBit Advanced SystemCare Ultimate ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in IOBit Advanced SystemCare Ultimate. IOBit Advanced SystemCare Ultimate is a system optimizer that promises to remove unwanted files and [...]
---------------------------------------------
https://blog.talosintelligence.com/2021/07/vuln-spotlight-iobit0-.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (linuxptp), Fedora (kernel and php), Gentoo (bladeenc, blktrace, jinja, mechanize, privoxy, and rclone), Oracle (linuxptp, ruby:2.6, and ruby:2.7), Red Hat (kernel and kpatch-patch), SUSE (kubevirt), and Ubuntu (avahi).
---------------------------------------------
https://lwn.net/Articles/862163/
∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/07/08/cisco-releases-se…
∗∗∗ Kaseya VSA Limited Disclosure ∗∗∗
---------------------------------------------
Why we are only disclosing limited details on the Kaseya vulnerabilities / Last weekend we found ourselves in the middle of a storm. A storm created by the ransomware attacks executed via Kaseya VSA, using a vulnerability which we confidentially disclosed to Kaseya, together with six other vulnerabilities. Ever since we released the news that we indeed notified Kaseya of a vulnerability used in the ransomware attack, we have been getting requests to release details about these vulnerabilities and [...]
---------------------------------------------
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
∗∗∗ Security Bulletin: CVE-2021-28165 In Eclipse Jetty CPU usage can reach 100% upon receiving a large invalid TLS frame. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-28165-in-eclipse…
∗∗∗ Security Bulletin: CVE-2021-27568 An issue was discovered in netplex json-smart-v1, an exception is thrown from a function ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-27568-an-issue-w…
∗∗∗ Security Bulletin: CVE-2021-29711 Agent Upgrade through CLI requires inconsistent permission. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-29711-agent-upgr…
∗∗∗ Security Bulletin: A vulnerability in WebSphere Application Server Liberty affects IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-websph…
∗∗∗ Security Bulletin: CVE-2020-27223 when Jetty handles a request containing multiple Accept headers the server may enter a denial of service (DoS) state ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-27223-when-jetty…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 06-07-2021 18:00 − Wednesday 07-07-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ WildPressure targets the macOS platform ∗∗∗
---------------------------------------------
We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.
---------------------------------------------
https://securelist.com/wildpressure-targets-macos/103072/
∗∗∗ Why I Love (Breaking Into) Your Security Appliances ∗∗∗
---------------------------------------------
David "moose" Wolpoff, CTO at Randori, discusses security appliances and VPNs and how attackers only have to "pick one lock" to invade an enterprise through them.
---------------------------------------------
https://threatpost.com/breaking-into-security-appliances/167584/
∗∗∗ Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform ∗∗∗
---------------------------------------------
An analysis of off-the-shelf packages hosted on the NuGet repository has revealed 51 unique software components to be vulnerable to actively exploited, high-severity vulnerabilities, once again underscoring the threat posed by third-party dependencies to the software development process.
---------------------------------------------
https://thehackernews.com/2021/07/dozens-of-vulnerable-nuget-packages.html
∗∗∗ Fake shops for bicycles and e-bikes are in season! ∗∗∗
---------------------------------------------
On bike-heller.de and mister24bike.de a huge range of bicycles and e-bikes is offered as in stock and available for immediate delivery. That alone should raise suspicion, since many reputable dealers are already sold out in the middle of the season.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-fuer-fahrraeder-und-e-bik…
∗∗∗ Understanding REvil: The Ransomware Gang Behind the Kaseya Attack ∗∗∗
---------------------------------------------
Ransomware cases worked by Unit 42 consultants in the first six months of 2021 reveal insights into the preferred tactics of REvil threat actors.
---------------------------------------------
https://unit42.paloaltonetworks.com/revil-threat-actors/
∗∗∗ Update - Kaseya VSA ransomware incident: view from Austria ∗∗∗
---------------------------------------------
As a consequence of this incident, a spam campaign has now also appeared that delivers malware (Cobalt Strike) as an attachment and pretends to be a legitimate update for Kaseya VSA.
---------------------------------------------
https://cert.at/de/aktuelles/2021/7/kaseya-vsa-ransomwarevorfall
∗∗∗ How to Tighten IoT Security for Healthcare Organization ∗∗∗
---------------------------------------------
This post will first explore some of the ways IoT is revolutionizing medical care, then identify some of the potential problems posed by connected devices in a medical setting.
---------------------------------------------
https://blog.checkpoint.com/2021/06/21/how-to-tighten-iot-security-for-heal…
=====================
= Vulnerabilities =
=====================
∗∗∗ Printnightmare: First patches for Windows security vulnerability ∗∗∗
---------------------------------------------
A problem with the Windows print spooler allows attackers to execute code remotely. First patches are available, but not yet for everything. (Windows, Printers)
---------------------------------------------
https://www.golem.de/news/printnightmare-erste-patches-fuer-windows-sicherh…
∗∗∗ Kaspersky's password manager exposed users to guessable passwords ∗∗∗
---------------------------------------------
Because of a thoroughly botched implementation, the seemingly random passwords suggested by Kaspersky Password Manager could easily be guessed.
---------------------------------------------
https://heise.de/-6130796
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (glibc), Gentoo (doas, firefox, glib, schismtracker, and tpm2-tss), Mageia (httpcomponents-client), openSUSE (virtualbox), Red Hat (linuxptp), Scientific Linux (linuxptp), and Ubuntu (libuv1 and php7.2, php7.4).
---------------------------------------------
https://lwn.net/Articles/862044/
∗∗∗ This serious Wi-Fi bug can break your iPhone, but here's how to protect yourself ∗∗∗
---------------------------------------------
Walking past a Wi-Fi hotspot with a specific name can cause big problems for your iPhone. And the scary thing is that it's easy to do.
---------------------------------------------
https://www.zdnet.com/article/serious-wi-fi-bug-can-break-your-iphone-but-h…
∗∗∗ Security Advisory - Bluetooth Function Denial of Service Vulnerability in Some Huawei Smartphone Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210707-…
∗∗∗ Security Bulletin: Netty Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2021-21409) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netty-vulnerability-affec…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache JSON Small and Fast Parser (json-smart) and Underscore affect IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could allow a privileged user to obtain sensitive information from internal log files (CVE-2021-29759) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by a ReDoS flaw when processing URLs (CVE-2021-33502) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: Castor Vulnerability Affects IBM Control Center (CVE-2014-3004) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-castor-vulnerability-affe…
∗∗∗ Security Bulletin: Golang Go Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2020-29652) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-golang-go-vulnerability-a…
∗∗∗ Security Bulletin: Vulnerabilities in the Python, Python cryptography, and Urllib3 affect IBM Spectrum Discover. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-py…
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to underscore vulnerability (CVE-2021-23358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Control Center (CVE-2020-9488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Philips Vue PACS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01
∗∗∗ Moxa NPort IAW5000A-I/O Series Serial Device Server ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-187-01
=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-07-2021 18:00 − Tuesday 06-07-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ How to protect your site against lethal unauthorized code injections ∗∗∗
---------------------------------------------
Lethal unauthorized code injections like XSS (cross-site scripting) attacks are some of the most dynamic cyber-attacks. They are often very difficult to detect and can result in credit card theft, fraud, and endpoint data breaches, having a huge impact on small to medium sized businesses.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/how-to-protect-your…
∗∗∗ Python DLL Injection Check, (Tue, Jul 6th) ∗∗∗
---------------------------------------------
There are many security tools that inject DLLs into processes running on a Windows system. The classic examples are anti-virus products.
---------------------------------------------
https://isc.sans.edu/diary/rss/27608
∗∗∗ Kaseya VSA: How the supply chain attacks unfolded and what they mean for us ∗∗∗
---------------------------------------------
Even those who are not affected should be clear about what is happening right now. Because attacks like the current REvil coup will change the IT world.
---------------------------------------------
https://heise.de/-6129656
∗∗∗ Kaseya Case Update 3 ∗∗∗
---------------------------------------------
Since the first signs of an incident last Friday evening the DIVD has continued to monitor the internet for instances of Kaseya VSA that remained online. We are happy to report a steady decrease in the number of online servers.
---------------------------------------------
https://csirt.divd.nl/2021/07/06/Kaseya-Case-Update-3/
=====================
= Vulnerabilities =
=====================
∗∗∗ Authentified RFI to RCE Nagios/NagiosXI exploitation ∗∗∗
---------------------------------------------
An authenticated attacker may remotely inject and execute arbitrary code in Nagios and Nagios XI products.
---------------------------------------------
https://github.com/ArianeBlow/NagiosXI-EmersonFI
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (python-django), Debian (libuv1, libxstream-java, and php7.3), Fedora (rabbitmq-server), Gentoo (glibc, google-chrome, libxml2, and postsrsd), openSUSE (libqt5-qtwebengine and roundcubemail), SUSE (python-rsa), and Ubuntu (djvulibre).
---------------------------------------------
https://lwn.net/Articles/861972/
∗∗∗ [20210705] - Core - XSS in com_media imagelist ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/860-20210705-core-xss-in-c…
∗∗∗ [20210704] - Core - Privilege escalation through com_installer ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/859-20210704-core-privileg…
∗∗∗ [20210703] - Core - Lack of enforced session termination ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/858-20210703-core-lack-of-…
∗∗∗ [20210702] - Core - DoS through usergroup table manipulation ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/857-20210702-core-dos-thro…
∗∗∗ [20210701] - Core - XSS in JForm Rules field ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/856-20210701-core-xss-in-j…
∗∗∗ Paessler PRTG: Vulnerability enables Cross-Site Scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0719
∗∗∗ MediaWiki: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0718
∗∗∗ QNAP NAS HBS 3: Vulnerability enables bypass of security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0717
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-07-2021 18:00 − Monday 05-07-2021 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Kaseya VSA ransomware incident: the view from Austria ∗∗∗
---------------------------------------------
The media are currently reporting on a ransomware incident that affects a large number of companies [1][2]. According to these reports, the ransomware group "REvil" succeeded, by injecting code into the software solution "Kaseya VSA", which managed service providers (MSPs) use for remote monitoring and management of IT, in distributing the ransomware "Sodinokibi" in an automated fashion to the MSPs and thus also to their customers [...]
---------------------------------------------
https://cert.at/de/aktuelles/2021/7/kaseya-vsa-ransomwarevorfall
∗∗∗ Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527) ∗∗∗
---------------------------------------------
Update 7/5/2021: Security researcher cube0x0 discovered another attack vector for this vulnerability, which significantly expands the set of affected machines. While the original attack vector was Print System Remote Protocol [MS-RPRN], the same attack delivered via Print System Asynchronous Remote Protocol [MS-PAR] does not require Windows server to be a domain controller, or Windows 10 machine to have UAC User Account Control disabled or PointAndPrint NoWarningNoElevationOnInstall enabled.
---------------------------------------------
https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html
∗∗∗ Another 0-Day Looms for Many Western Digital Users ∗∗∗
---------------------------------------------
Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can't or won't upgrade to the latest operating system.
---------------------------------------------
https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-di…
∗∗∗ Spam via calendar invitation: how to protect yourself! ∗∗∗
---------------------------------------------
You have suddenly won the lottery. Someone wants to give you money out of pure charity. And you absolutely must invest on this one trading platform. Profits guaranteed! Many of us are familiar with promises like these. Spam e-mails are nothing new, so criminals keep coming up with new ways to get at their victims' money. Currently very popular: calendar spam!
---------------------------------------------
https://www.watchlist-internet.at/news/spam-per-termineinladung-so-schuetze…
∗∗∗ Telnet service left enabled and without a password on SIMATIC HMI Comfort Panels ∗∗∗
---------------------------------------------
Siemens SIMATIC HMI Comfort Panels, devices meant to provide visualization of data received from industrial equipment, are exposing their Telnet service without any form of authentication, security researchers have discovered.
Tracked as CVE-2021-31337, the vulnerability was revealed earlier this week.
All SIMATIC HMI Comfort Panels models are believed to be impacted, except panels for SINAMICS Medium Voltage Products (SL150, SM150, and SM150i), where the Telnet service is disabled by default.
---------------------------------------------
https://therecord.media/telnet-service-left-enabled-and-without-a-password-…
∗∗∗ MISP 2.4.145 and 2.4.146 released (Improved warning-lists) ∗∗∗
---------------------------------------------
MISP 2.4.145 and 2.4.146 have been released, including a massive update to the MISP warning-lists, various improvements and security fixes.
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.145
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-779: Advantech WebAccess Node BwFreRPT Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-779/
∗∗∗ ZDI-21-778: Advantech WebAccess Node BwImgExe Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-778/
∗∗∗ ZDI-21-777: Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-777/
∗∗∗ ZDI-21-776: Autodesk Design Review DWF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-776/
∗∗∗ ZDI-21-775: Autodesk Design Review DWFX File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-775/
∗∗∗ ControlTouch serial number can be misused to access customer configuration ∗∗∗
---------------------------------------------
ABB is aware of a privately reported vulnerability in the ControlTouch cloud subsystem. The cloud sub-system is updated to remove the vulnerability. An attacker who successfully exploited this vulnerability could modify the configuration of the ControlTouch of an authorized user.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A3688&Lan…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (electron11, electron12, istio, jenkins, libtpms, mediawiki, mruby, opera, puppet, and python-fastapi), Debian (djvulibre and openexr), Fedora (dovecot, libtpms, nginx, and php-league-flysystem), Gentoo (corosync, freeimage, graphviz, and libqb), Mageia (busybox, file-roller, live, networkmanager, and php), openSUSE (clamav-database, lua53, and roundcubemail), Oracle (389-ds:1.4, kernel, libxml2, python38:3.8 and python38-devel:3.8, and ruby:2.5), and SUSE (crmsh, djvulibre, python-py, and python-rsa).
---------------------------------------------
https://lwn.net/Articles/861906/
∗∗∗ Ricon Industrial Cellular Router S9922XL Remote Command Execution ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php
∗∗∗ GNU C Library (glibc) vulnerability CVE-2016-10228 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52494142?utm_source=f5support&utm_mediu…
∗∗∗ Advisory: Denial of Service vulnerability in B&R Industrial Automation PROFINET IO Device ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16229864…
∗∗∗ Advisory: Stack crash in B&R Industrial Automation X20 EthernetIP Adapter ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16229864…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 01-07-2021 18:00 − Friday 02-07-2021 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Wiped network drives: Western Digital plans to help with recovery ∗∗∗
---------------------------------------------
The data on attacked HDDs of the WD My Book Live series can reportedly be recovered. Western Digital intends to offer corresponding services in the future.
---------------------------------------------
https://heise.de/-6127479
∗∗∗ Scorecards 2.0: uncovering security risks in open-source software ∗∗∗
---------------------------------------------
The automated security tool Scorecards lays its cards on the table: how secure is open-source software?
---------------------------------------------
https://heise.de/-6127588
∗∗∗ Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527) ∗∗∗
---------------------------------------------
[Note: This blog post is expected to be updated as new micropatches are issued and new information becomes available.]
June 2021 Windows Updates brought a fix for a vulnerability CVE-2021-1675 originally titled "Windows Print Spooler Local Code Execution Vulnerability". As usual, Microsoft's advisory provided very little information about the vulnerability, and very few probably noticed that about two weeks later, the advisory was updated to [...]
---------------------------------------------
https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html
∗∗∗ Babuk ransomware is back, uses new version on corporate networks ∗∗∗
---------------------------------------------
After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-use…
∗∗∗ Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software ∗∗∗
---------------------------------------------
In yet another instance of a software supply chain attack, unidentified hackers breached the website of MonPass, one of Mongolia's major certificate authorities, to backdoor its installer software with Cobalt Strike binaries. The trojanized client was available for download between February 8, 2021, and March 3, 2021, said Czech cybersecurity software company Avast in a report published Thursday.
---------------------------------------------
https://thehackernews.com/2021/07/mongolian-certificate-authority-hacked.ht…
∗∗∗ New Mirai-Inspired Botnet Could Be Using Your KGUARD DVRs in Cyber Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers on Thursday revealed details about a new Mirai-inspired botnet called "mirai_ptea" that leverages an undisclosed vulnerability in digital video recorders (DVR) provided by KGUARD to propagate and carry out distributed denial-of-service (DDoS) attacks. Chinese security firm Netlab 360 pinned the first probe against the flaw on March 23, 2021, before it detected active [...]
---------------------------------------------
https://thehackernews.com/2021/07/new-mirai-inspired-botnet-could-be.html
∗∗∗ 2020 Report: ICS Endpoints as Starting Points for Threats ∗∗∗
---------------------------------------------
The use of Industrial Control Systems (ICS) makes operations more efficient for various industries. These systems are powered by the interconnection between IT (information technology) and OT (operational technology), which help boost efficiency and speed. Unfortunately, this very interconnection also inadvertently makes ICS susceptible to cyberthreats. Securing these systems is vital, and one of its components that must be protected from threats are endpoints.
---------------------------------------------
https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/2020-r…
∗∗∗ STIR/SHAKEN: North America signs phone numbers in the fight against spam ∗∗∗
---------------------------------------------
North America's network operators now sign and verify telephone numbers under the STIR/SHAKEN system. This makes calls with spoofed caller IDs more difficult.
---------------------------------------------
https://heise.de/-6127147
∗∗∗ TrickBot and Zeus ∗∗∗
---------------------------------------------
TrickBot is an established and widespread multi-purpose trojan. Active since 2016 and modular in nature, it can accomplish a variety of goals ranging from credential theft to lateral movement. Many of the malware’s capabilities come as self-contained modules, which the malware is instructed to download from the C2. Initially, TrickBot’s main focus was bank fraud, but this later shifted toward corporate targeted ransomware attacks, eventually resulting in the [...]
---------------------------------------------
https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/
∗∗∗ Top 5 Scam Techniques: What You Need to Know ∗∗∗
---------------------------------------------
Scammers are increasingly resourceful when coming up with scam techniques. But they often rely on long-standing persuasion techniques for the scam to work. So, you may hear about a new scam that uses a novel narrative, but there is a good chance that the scam relies on proven scam techniques once the narrative is stripped [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/top-sca…
∗∗∗ Ransomware. In the air? ∗∗∗
---------------------------------------------
Introduction As an exercise, we were asked to look at the potential vectors for ransomware to affect flight despatch and operations. In most cases, flight systems simply weren’t significantly exposed, [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/ransomware-in-the-air/
∗∗∗ Mysterious Node.js malware puzzles security researchers ∗∗∗
---------------------------------------------
Almost four months after it was first spotted in the wild, the infosec community is still scratching its head in regards to the purpose of a new malware strain named Lu0bot.
---------------------------------------------
https://therecord.media/mysterious-node-js-malware-puzzles-security-researc…
∗∗∗ TrickBot: New attacks see the botnet deploy new banking module, new ransomware ∗∗∗
---------------------------------------------
Over the course of the past few weeks, new activity has been observed from TrickBot, one of today's largest malware botnets, with reports that its operators have helped create a new ransomware strain called Diavol and that the TrickBot gang is returning to its roots as a banking trojan with a new and updated banking module.
---------------------------------------------
https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-bank…
∗∗∗ The Brothers Grim ∗∗∗
---------------------------------------------
The reversing tale of GrimAgent malware used by Ryuk
---------------------------------------------
https://blog.group-ib.com/grimagent
=====================
= Vulnerabilities =
=====================
∗∗∗ WAGO: Multiple Vulnerabilities in I/O-Check Service ∗∗∗
---------------------------------------------
Multiple vulnerabilities in the WAGO I/O-Check Service were reported. By exploiting the described vulnerabilities, the attacker potentially is able to manipulate or disrupt the device.
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-036
∗∗∗ Update PowerShell versions 7.0 and 7.1 to protect against a vulnerability ∗∗∗
---------------------------------------------
If you manage your Azure resources from PowerShell version 7.0 or 7.1, we’ve released new versions of PowerShell to address a .NET Core remote code execution vulnerability in versions 7.0 and 7.1. We recommend that you install the updated versions as soon as possible. Windows PowerShell 5.1 isn’t affected by this issue.
---------------------------------------------
https://azure.microsoft.com/en-us/updates/update-powershell-versions-70-and…
∗∗∗ Act now! Attackers are exploiting the PrintNightmare printer vulnerability in Windows ∗∗∗
---------------------------------------------
All Windows systems are threatened by the PrintNightmare vulnerability. Attacks are currently taking place. Here is the workaround to secure them.
---------------------------------------------
https://heise.de/-6127265
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (ansible and seamonkey), openSUSE (go1.15 and opera), Oracle (kernel and microcode_ctl), and Red Hat (go-toolset-1.15 and go-toolset-1.15-golang).
---------------------------------------------
https://lwn.net/Articles/861679/
∗∗∗ Johnson Controls Facility Explorer ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Privilege Management vulnerability in Johnson Controls Facility Explorer industrial Ethernet controllers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01
∗∗∗ Sensormatic Electronics C-CURE 9000 ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in Sensormatic Electronics C-CURE 9000 industrial software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02
∗∗∗ Delta Electronics DOPSoft ∗∗∗
---------------------------------------------
This advisory contains mitigations for Out-of-bounds Read vulnerabilities in Delta Electronics DOPSoft software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-03
∗∗∗ Mitsubishi Electric Air Conditioning System ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Incorrect Implementation of Authentication Algorithm vulnerability in Mitsubishi Electric air conditioning systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-04
∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning Systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-05
∗∗∗ All Bachmann M1 System Processor Modules ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the advisory titled ICSA-21-026-01P All Bachmann M1 System Processor Modules, posted to the HSIN ICS library on January 26, 2021. This advisory is now being released to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Use of Password Hash with Insufficient Computational Effort vulnerability in Bachmann M1 system processor modules.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01-0
∗∗∗ Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-020
∗∗∗ WEIDMUELLER: Multiple vulnerabilities in Industrial WLAN devices (UPDATE A) ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2021-026
∗∗∗ Node.js: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0714
∗∗∗ Red Hat Developer Tools: Vulnerability enables denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0715
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 30-06-2021 18:00 − Thursday 01-07-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ "Printer nightmare": Unpatched security hole allows takeover of entire Windows networks ∗∗∗
---------------------------------------------
Security researchers accidentally published working exploit code; Windows administrators now urgently need to act
---------------------------------------------
https://www.derstandard.at/story/2000127868579/drucker-albtraum-offene-sich…
∗∗∗ Advance-fee fraud with loans on befinax.com ∗∗∗
---------------------------------------------
When searching for loans, mortgages or insurance you may come across befinax.com. The site is nicely designed, promises quick loan approvals and advertises with the logos and names of large, well-known banks. But beware: you are being defrauded here! Fees to be paid up front go straight into the hands of criminals, and no loan is ever granted.
---------------------------------------------
https://www.watchlist-internet.at/news/vorschussbetrug-mit-krediten-auf-bef…
∗∗∗ The Most Prolific Ransomware Families: A Defender's Guide ∗∗∗
---------------------------------------------
In this article, DomainTools researchers provide a look at the three most prolific ransomware families and their toolsets.
---------------------------------------------
https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-fam…
∗∗∗ Linux: RPM does not verify signatures properly ∗∗∗
---------------------------------------------
RPM packages under Linux are supposed to be signed. Many important parts of the signature verification have, however, not been implemented at all so far.
---------------------------------------------
https://www.golem.de/news/linux-rpm-prueft-signaturen-nicht-richtig-2107-15…
∗∗∗ Another Exploit Hits WD My Book Live Owners ∗∗∗
---------------------------------------------
While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. Tom's Hardware reports: Initially, after the news broke on Friday, it was thought a known exploit from 2018 was to blame, allowing attackers to gain root access to the devices. However, it now seems that a previously unknown exploit was [...]
---------------------------------------------
https://hardware.slashdot.org/story/21/06/30/2319243/another-exploit-hits-w…
∗∗∗ We Infiltrated a Counterfeit Check Ring! Now What? ∗∗∗
---------------------------------------------
Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and you've shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be? Such is the curse of the fraud fighter known online by the handles “Brianna Ware” and [...]
---------------------------------------------
https://krebsonsecurity.com/2021/06/we-infiltrated-a-counterfeit-check-ring…
∗∗∗ Becoming Elon Musk - the Danger of Artificial Intelligence ∗∗∗
---------------------------------------------
A Tel Aviv, Israel-based artificial intelligence (AI) firm, with a mission to build trust in AI and protect AI from cyber threats, privacy issues, and safety incidents, has developed the opposite: an attack against facial recognition systems that can fool the algorithm into misinterpreting the image.
---------------------------------------------
https://www.securityweek.com/becoming-elon-musk-%E2%80%93-danger-artificial…
∗∗∗ CISA’s CSET Tool Sets Sights on Ransomware Threat ∗∗∗
---------------------------------------------
CISA has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate their cybersecurity practices on their networks. CSET—applicable to both information technology (IT) and industrial control system (ICS) networks—enables users to perform a comprehensive evaluation of their cybersecurity [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/cisas-cset-tool-s…
∗∗∗ Two years later, the NSABuffMiner botnet is still alive and kicking ∗∗∗
---------------------------------------------
A crypto-mining botnet named NSABuffMiner (or Indexsinas) is still active and infecting Windows systems using three leaked NSA exploits, security firm Guardicore said today.
---------------------------------------------
https://therecord.media/two-years-later-the-nsabuffminer-botnet-is-still-al…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#383432: Microsoft Windows Print Spooler RpcAddPrinterDriverEx() function allows for RCE ∗∗∗
---------------------------------------------
The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
---------------------------------------------
https://kb.cert.org/vuls/id/383432
∗∗∗ Security update: Microsoft discovers critical vulnerability in Netgear router ∗∗∗
---------------------------------------------
There is an important security update for Netgear's DGN2200v1 Wi-Fi router.
---------------------------------------------
https://heise.de/-6126662
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (htmldoc, ipmitool, and node-bl), Fedora (libgcrypt and libtpms), Mageia (dhcp, glibc, p7zip, sqlite3, systemd, and thunar), openSUSE (arpwatch, go1.15, and kernel), SUSE (curl, dbus-1, go1.15, and qemu), and Ubuntu (xorg-server).
---------------------------------------------
https://lwn.net/Articles/861521/
∗∗∗ EC-CUBE fails to restrict access permissions ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN57942445/
∗∗∗ Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-022 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-022
∗∗∗ Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-021
∗∗∗ Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-020
∗∗∗ Security Advisory - Path Traversal Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210630-…
∗∗∗ Security Notice – Statement About the Media Report on the Use of GEA-1 Weak Algorithm in Certain Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20210618-01-…
∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK April 2021 CPU plus affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Using XSS attack, an attacker may inject Javascript code by modifying input fields in Datacap Navigator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-using-xss-attack-an-attac…
∗∗∗ Security Bulletin: IBM MQ Appliance vulnerability in TLS (CVE-2020-4831) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-vulnerab…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2021-3449) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: SQL injection from various input fields may affect Datacap Navigator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-from-variou…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 29-06-2021 18:00 − Wednesday 30-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Lorenz ransomware decryptor recovers victims' files for free ∗∗∗
---------------------------------------------
Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware, allowing victims to recover some of their files for free without paying a ransom.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lorenz-ransomware-decryptor-…
∗∗∗ An EPYC escape: Case-study of a KVM breakout ∗∗∗
---------------------------------------------
In this blog post I describe a vulnerability in KVM’s AMD-specific code and discuss how this bug can be turned into a full virtual machine escape.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of…
∗∗∗ MITRE ATT&CK® mappings released for built-in Azure security controls ∗∗∗
---------------------------------------------
Microsoft is pleased to announce the publication of the Security Stack Mappings for Azure project in partnership with the Center for Threat-Informed Defense.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/06/29/mitre-attck-mappings-rel…
∗∗∗ June 2021 Forensic Contest: Answers and Analysis, (Wed, Jun 30th) ∗∗∗
---------------------------------------------
Thanks to everyone who participated in our June 2021 forensic contest originally posted two weeks ago.
---------------------------------------------
https://isc.sans.edu/diary/rss/27582
∗∗∗ Babuk ransomware builder leaked following muddled “retirement” ∗∗∗
---------------------------------------------
Heads are being scratched after the Babuk ransomware builder appears on VirusTotal, adding to the gang's reputation for confusion.
---------------------------------------------
https://blog.malwarebytes.com/reports/2021/06/babuk-ransomware-builder-leak…
∗∗∗ Dubious online shops sell mystery boxes containing products from undeliverable Amazon parcels ∗∗∗
---------------------------------------------
A gaming laptop or a PlayStation for 16 euros? Numerous online shops are currently selling a mystery box that supposedly makes this possible. According to the sellers, the box contains undeliverable Amazon products such as laptops, computers, cameras or expensive headphones.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-online-shops-verkaufen-my…
∗∗∗ FIRST Challenge 2021 Writeup ∗∗∗
---------------------------------------------
Due to the COVID-19 pandemic the FIRST conference 2021 moved online, and so did the annual CTF organized by the FIRST Security Lounge SIG. Thomas Pribitzer, Dimitri Robl, and Sebastian Waldbauer from CERT.at participated as a team, finishing 9th out of 42 teams.
---------------------------------------------
https://cert.at/en/blog/2021/6/first-challenge-2021-writeup
∗∗∗ Gozi malware gang member arrested in Colombia ∗∗∗
---------------------------------------------
Authorities in Colombia have arrested this week a Romanian national named Mihai Ionut Paunescu, one of the three suspects charged in 2013 for creating and operating the infamous Gozi banking trojan.
---------------------------------------------
https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/
∗∗∗ REvil Twins ∗∗∗
---------------------------------------------
Deep Dive Into Prolific RaaS Affiliates’ TTPs
---------------------------------------------
https://blog.group-ib.com/revil_raas
=====================
= Vulnerabilities =
=====================
∗∗∗ DHCP Flood: Google's cloud VMs can be taken over via DHCP ∗∗∗
---------------------------------------------
Attackers could obtain root privileges in other users' VMs in the Google Cloud. Practical attacks are unlikely; there are no updates.
---------------------------------------------
https://www.golem.de/news/dhcp-flood-googles-cloud-vms-lassen-sich-per-dhcp…
∗∗∗ CVE-2021-1675: Incomplete Patch and Leaked RCE Exploit, (Wed, Jun 30th) ∗∗∗
---------------------------------------------
On June 21st, Microsoft modified the description of the vulnerability upgrading it to a remote code execution vulnerability. Earlier this week, an RCE exploit was posted to GitHub.
---------------------------------------------
https://isc.sans.edu/diary/rss/27588
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (fluidsynth), Fedora (libgcrypt and tpm2-tools), Mageia (nettle, nginx, openvpn, and re2c), openSUSE (kernel, roundcubemail, and tor), Oracle (edk2, lz4, and rpm), Red Hat (389-ds:1.4, edk2, fwupd, kernel, kernel-rt, libxml2, lz4, python38:3.8 and python38-devel:3.8, rpm, ruby:2.5, ruby:2.6, and ruby:2.7), and SUSE (kernel and lua53).
---------------------------------------------
https://lwn.net/Articles/861420/
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2021-3449, CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform Foundation. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose…
∗∗∗ Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-au…
∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase (CVE-2020-27221, CVE-2020-14782, CVE-2020-2773, CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Apache Commons Codec Vulnerability affects IBM Rational ClearQuest (177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-codec-vuln…
∗∗∗ Drupal 8 end-of-life on November 2, 2021 (four months from now) - PSA-2021-2021-06-29 ∗∗∗
---------------------------------------------
https://www.drupal.org/psa-2021-2021-06-29
∗∗∗ Exacq Technologies exacqVision Web Service ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-180-01
∗∗∗ Exacq Technologies exacqVision Enterprise Manager ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02
∗∗∗ Panasonic FPWIN Pro ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-180-03
∗∗∗ JTEKT TOYOPUC PLC ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-180-04
∗∗∗ AVEVA System Platform ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-180-05
∗∗∗ Claroty Secure Remote Access Site ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-180-06
=====================
= End-of-Day report =
=====================
Timeframe: Monday 28-06-2021 18:00 − Tuesday 29-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Ransomware gangs now creating websites to recruit affiliates ∗∗∗
---------------------------------------------
Ever since two prominent Russian-speaking cybercrime forums banned ransomware-related topics, criminal operations have been forced to promote their service through alternative methods.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creatin…
∗∗∗ Microsoft successfully hit by dependency hijacking again ∗∗∗
---------------------------------------------
Microsoft has once again been successfully hit by a dependency hijacking attack. This month, another researcher found an npm internal dependency being used by an open-source project.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-successfully-hit-b…
∗∗∗ Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground ∗∗∗
---------------------------------------------
After 500 million LinkedIn enthusiasts were affected in a data-scraping incident in April, it's happened again - with big security ramifications.
---------------------------------------------
https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/
∗∗∗ CFBF Files Strings Analysis, (Mon, Jun 28th) ∗∗∗
---------------------------------------------
The Office file format that predates the OOXML format is a binary format based on the CFBF format. I informally call this the OLE file format.
---------------------------------------------
https://isc.sans.edu/diary/rss/27576
∗∗∗ Diving into a Google Sweepstakes Phishing E-mail, (Tue, Jun 29th) ∗∗∗
---------------------------------------------
I was recently forwarded another phishing e-mail to examine. This time, it was an e-mail that claimed to be from Google. The e-mail included a PDF file, and instructed the recipient to download the file for further information.
---------------------------------------------
https://isc.sans.edu/diary/rss/27578
∗∗∗ REvil ransomware now targets virtual machines ∗∗∗
---------------------------------------------
Several security researchers warn of a new REvil version that threatens even more devices.
---------------------------------------------
https://heise.de/-6122156
∗∗∗ Analyzing CVE-2021-1665 – Remote Code Execution Vulnerability in Windows GDI+ ∗∗∗
---------------------------------------------
Microsoft Windows Graphics Device Interface+, also known as GDI+, allows various applications to use different graphics functionality on video displays as well as printers.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-cve-2021-166…
∗∗∗ Instagram: collaboration requests from wegego.com are fake ∗∗∗
---------------------------------------------
Instagram users are currently being contacted more and more often by a profile named sara.wegego, a supposed brand ambassador manager at wegego.com. They are offered a collaboration with the company.
---------------------------------------------
https://www.watchlist-internet.at/news/instagram-kooperationsanfragen-von-w…
∗∗∗ CISA Begins Cataloging Bad Practices that Increase Cyber Risk ∗∗∗
---------------------------------------------
In a blog post by Executive Assistant Director (EAD) Eric Goldstein, CISA announced the creation of a catalog to document bad cybersecurity practices that are exceptionally risky for any organization and especially dangerous for those supporting designated Critical Infrastructure or National Critical Functions.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/29/cisa-begins-catal…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (klibc and libjdom2-java), Mageia (bash, glibc, gnutls, java-openjdk, kernel, kernel-linus, leptonica, libgcrypt, openjpeg2, tor, and trousers), openSUSE (bouncycastle, chromium, go1.16, and kernel), Oracle (docker-engine docker-cli and qemu), Red Hat (kpatch-patch), and SUSE (arpwatch, go1.16, kernel, libsolv, microcode_ctl, and python-urllib3, python-requests).
---------------------------------------------
https://lwn.net/Articles/861310/
∗∗∗ PoC released for dangerous Windows PrintNightmare bug ∗∗∗
---------------------------------------------
Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service (spoolsv.exe) that can allow a total compromise of Windows systems.
---------------------------------------------
https://therecord.media/poc-released-for-dangerous-windows-printnightmare-b…
∗∗∗ Security Bulletin: Vulnerabilities in Python, Tornado, and Urllib3 affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python…
∗∗∗ Security Bulletin: IBM DataQuant Fix for (All) Apache PDF Box (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-dataquant-fix-for-all…
∗∗∗ Security Bulletin: IBM Spectrum Protect Plus has Insecure File Permissions due to not setting the Sticky Bit (CVE-2021-20490) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus…
∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise v11 are affected by vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i…
∗∗∗ Security Bulletin: Multiple vulnerabilities in open source libraries affects Tivoli Netcool/OMNIbus WebGUI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Redis, MinIO, Golang, and Urllib3 affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-redis-…
∗∗∗ Security Bulletin: Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-mongod…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2021-3449 , CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2021-23839, CVE-2021-23840) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-au…
∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc…
∗∗∗ Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerab…
∗∗∗ Red Hat OpenShift: Multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0700
∗∗∗ MISP: Vulnerability allows unspecified attack ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0699
=====================
= End-of-Day report =
=====================
Timeframe: Friday 25-06-2021 18:00 − Monday 28-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Using VMs To Hide Ransomware Attacks is Becoming More Popular ∗∗∗
---------------------------------------------
In early 2020, security researchers were baffled to discover that a ransomware gang had come up with an innovative trick that allowed it to run its payload inside virtual machines on infected hosts as a technical solution that bypassed security software. One year later, that technique has spread among the cybercrime underground and is now used by multiple ransomware operators.
---------------------------------------------
https://it.slashdot.org/story/21/06/28/1521220/using-vms-to-hide-ransomware…
∗∗∗ Security researchers at TU Wien warn of forgotten subdomains on websites ∗∗∗
---------------------------------------------
Researchers at the Vienna University of Technology (TU Wien) warn of an online security vulnerability caused by, so to speak, forgotten subpages of a website. Under certain circumstances, such loose ends among subdomains can serve as a backdoor for gaining access to main sites, a team from Vienna and Italy reports at a specialist conference.
---------------------------------------------
https://www.derstandard.at/story/2000127773220/sicherheitsforscher-der-tu-w…
∗∗∗ Patch now! Attackers are attacking Cisco Adaptive Security Appliance ∗∗∗
---------------------------------------------
Exploit code for a vulnerability in Cisco ASA and FTD is in circulation.
---------------------------------------------
https://heise.de/-6120956
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability, (Sat, Jun 26th) ∗∗∗
---------------------------------------------
This XML External Entity injection (XXE) vulnerability, disclosed in March 2019, is still being actively scanned for. It affects the mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. The exploit attempts to read the Zimbra configuration file that contains an LDAP password for the zimbra account.
---------------------------------------------
https://isc.sans.edu/diary/rss/27570
∗∗∗ Western Digital My Book: Vulnerability allows execution of arbitrary code and deletion of data ∗∗∗
---------------------------------------------
Western Digital has disclosed a vulnerability in its My Book NAS devices. An attacker can exploit this vulnerability to execute malicious code and, under certain circumstances, reset the devices to factory settings and delete all data. No login to the device is required. ... As a remedy, BürgerCERT recommends, in line with the vendor's advice, disconnecting the device from the internet.
---------------------------------------------
https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/TW/2021/06/warnmeldung_…
∗∗∗ Vulnerability Spotlight: Memory corruption vulnerability in PowerISO’s DMG handler ∗∗∗
---------------------------------------------
CVE-2021-21871 is a memory corruption vulnerability in PowerISO that could result in the attacker gaining the ability to execute code on the victim machine. An attacker can exploit this vulnerability by tricking a user into opening a specially crafted DMG file. Cisco Talos worked with PowerISO to ensure that this issue is resolved and an update is available for affected customers.
---------------------------------------------
https://blog.talosintelligence.com/2021/06/vulnerability-spotlight-memory-.…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bluez, intel-microcode, tiff, and xmlbeans), Fedora (openssh and php-phpmailer6), openSUSE (freeradius-server, java-1_8_0-openjdk, live555, openexr, roundcubemail, tor, and tpm2.0-tools), SUSE (bouncycastle and zziplib), and Ubuntu (linux-kvm and thunderbird).
---------------------------------------------
https://lwn.net/Articles/861221/
∗∗∗ ImageMagick: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
ImageMagick is a collection of program libraries and tools that can process graphics in numerous formats. A local attacker can exploit a vulnerability in ImageMagick to disclose information.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0698
∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ ABB - Amnesia:33 – Impact on B&R Products ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16212592…
∗∗∗ ABB - Multiple Vulnerabilities in Automation Runtime NTP Service ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16212592…
∗∗∗ Security Bulletin: Incorrect authorization in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29751 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-authorization-i…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2020-27221, CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Stack-based Buffer Overflow vulnerabilities in IBM Spectrum Protect Back-up Archive Client and IBM Spectrum Protect for Space Management (CVE-2021-29672, CVE-2021-20546) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overfl…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) (CVE-2017-18214, CVE-2016-4055, CVE-2021-20413) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in lpd affects AIX (CVE-2021-29693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-lpd-affe…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Pak for Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability (CVE-2021-26296) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r…
∗∗∗ Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and Business Process Manager (BPM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Jasper, Version 8 Service Refresh 5 Fix Pack 33, used in Jetty Server 9.4.14 where Rational Synergy is deployed. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jasper-v…
∗∗∗ Security Bulletin: Vulnerability found in Apache Log4j V1.x may affect IBM Enterprise Records ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-found-in-ap…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 24-06-2021 18:00 − Friday 25-06-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Binance exchange helped track down Clop ransomware money launderers ∗∗∗
---------------------------------------------
Cryptocurrency exchange service Binance played an important part in the recent arrests of Clop ransomware group members, helping law enforcement in their effort to identify and ultimately detain the suspects.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/binance-exchange-helped-trac…
∗∗∗ Microsoft signed a malicious Netfilter rootkit ∗∗∗
---------------------------------------------
What started as a false positive alert for a Microsoft signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?
---------------------------------------------
https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-r…
∗∗∗ SKS: The end of the old PGP key servers ∗∗∗
---------------------------------------------
The server pool for the PGP key servers running the SKS software has been shut down. The reason is complaints under the General Data Protection Regulation.
---------------------------------------------
https://www.golem.de/news/sks-das-ende-der-alten-pgp-keyserver-2106-157613.…
∗∗∗ ‘What are the odds someone will find and exploit this?’ Nice one — you just released an insecure app ∗∗∗
---------------------------------------------
Who’s to blame: devs or management? And how do we cure the application vulnerability epidemic? According to a recently published Osterman Research white paper, 81 per cent of developers admit to knowingly releasing vulnerable apps.
---------------------------------------------
https://www.theregister.com/2021/06/25/application_vulnerability_epidemic/
∗∗∗ We explored the dangers of pirated sport streams so you don’t have to ∗∗∗
---------------------------------------------
The COVID pandemic has led to a surge in content consumption as people stayed home and turned to Netflix, YouTube and other streaming services for entertainment. Not everyone agrees with paying for the latest episode or album, however, and this rise has run parallel with a rise in digital piracy.
---------------------------------------------
https://www.webroot.com/blog/2021/05/12/we-explored-the-dangers-of-pirated-…
∗∗∗ Western Digital My Book Live: Disconnect your hard drives from the internet ∗∗∗
---------------------------------------------
Data on hard drives of the WD My Book Live series is being deleted remotely and made inaccessible with passwords set by strangers.
---------------------------------------------
https://heise.de/-6119250
∗∗∗ Crackonosh malware abuses Windows Safe mode to quietly mine for cryptocurrency ∗∗∗
---------------------------------------------
The malware is thought to have generated millions of dollars in just a few short years.
---------------------------------------------
https://www.zdnet.com/article/crackonosh-malware-abuses-windows-safe-mode-t…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, dovecot, exiv2, helm, keycloak, libslirp, matrix-appservice-irc, nginx-mainline, opera, pigeonhole, tor, tpm2-tools, and vivaldi), Debian (libgcrypt20), Fedora (pdfbox), Mageia (graphicsmagick, matio, and samba and ldb), openSUSE (dovecot23, gupnp, libgcrypt, live555, and ovmf), SUSE (gupnp, libgcrypt, openexr, and ovmf), and Ubuntu (ceph and rabbitmq-server).
---------------------------------------------
https://lwn.net/Articles/860981/
∗∗∗ Philips Interoperability Solution XDS ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Clear Text Transmission of Sensitive Information vulnerability in the Philips Interoperability Solution XDS document sharing system.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-175-01
∗∗∗ FATEK WinProladder ∗∗∗
---------------------------------------------
This advisory contains mitigations for Out-of-bounds Read, Out-of-bounds Write, and Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerabilities in FATEK WinProladder programmable logic controllers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-175-01
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-27918 and CVE-2021-27919) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Tika ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Netty ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python urllib3 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache PDFBox ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to OpenSSL vulnerability (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 23-06-2021 18:00 − Thursday 24-06-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Malicious spam campaigns delivering banking Trojans ∗∗∗
---------------------------------------------
In mid-March 2021, we observed two new spam campaigns delivering banking Trojans. The payload in most cases was IcedID, but we have also seen a few QBot (aka QakBot) samples.
---------------------------------------------
https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/…
∗∗∗ Yet Another Archive Format Smuggling Malware ∗∗∗
---------------------------------------------
The use of novel disk image files to encapsulate malware distributed via spam has been a theme that we have highlighted over the past couple of years. As anticipated, we have seen more disk image file formats being used, in addition to .ISO, .IMG, and .DAA which we blogged about.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-arc…
∗∗∗ Online Credit Card Theft – A Brief Overview of Online Fraud and Abuse – Part 1 ∗∗∗
---------------------------------------------
Many clients that we work with host and operate ecommerce websites which are frequent targets of attackers. The goal of these attacks is to steal credit card details from unsuspecting victims and sell them on the black market for a profit. The online ecommerce environment is diverse, constituting many different content management system (CMS) platforms and payment gateways all of which have their own features and risks. In this post I will attempt to demystify this cluttered environment [...]
---------------------------------------------
https://blog.sucuri.net/2021/06/online-credit-card-theft-online-fraud.html
∗∗∗ The May/June 2021 issue of our SWITCH Security Report is available! ∗∗∗
---------------------------------------------
Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available!
---------------------------------------------
https://securityblog.switch.ch/2021/06/24/the-may-june-2021-issue-of-our-sw…
∗∗∗ Complicated Active Directory setups are undermining security ∗∗∗
---------------------------------------------
Researchers have found several flaws in the Active Directory Certificate Service that can lead to credential theft, privilege escalation, and domain persistence.
---------------------------------------------
https://blog.malwarebytes.com/reports/2021/06/complicated-active-directory-…
∗∗∗ Announcing a unified vulnerability schema for open source ∗∗∗
---------------------------------------------
In recent months, Google has launched several efforts to strengthen open-source security on multiple fronts. One important focus is improving how we identify and respond to known security vulnerabilities without doing extensive manual work.
---------------------------------------------
https://security.googleblog.com/2021/06/announcing-unified-vulnerability-sc…
∗∗∗ Fraudulent "Voicemail" SMS messages circulating en masse! ∗∗∗
---------------------------------------------
A new wave of fraudulent SMS messages is currently sweeping across the German-speaking region. These SMS messages speak of a new voicemail, i.e. a voice message. A link to listen to it leads to a fake page where an app is supposed to be downloaded. Caution: the app contains malware!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-voicemail-sms-massenh…
=====================
= Vulnerabilities =
=====================
∗∗∗ Atlassian Bugs Could Have Led to 1-Click Takeover ∗∗∗
---------------------------------------------
A supply-chain attack could have siphoned sensitive information out of Jira, such as security issues on Atlassian cloud, Bitbucket and on-prem products.
---------------------------------------------
https://threatpost.com/atlassian-bugs-could-have-led-to-1-click-takeover/16…
∗∗∗ Security update: attackers could execute their own commands on Qnap NAS ∗∗∗
---------------------------------------------
Qnap has hardened the operating system of its network storage devices against command injection attacks.
---------------------------------------------
https://heise.de/-6117589
∗∗∗ Critical admin vulnerability threatens VMware Carbon Black App Control ∗∗∗
---------------------------------------------
Attackers could attack systems running VMware's server protection solution Carbon Black App Control.
---------------------------------------------
https://heise.de/-6117422
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (apache-mod_auth_openidc, bind, bluez, cifs-utils, ffmpeg, gnome-autoar, guacd, kernel, kernel-linus, qtwebsockets5, slic3r, tunnel, wavpack, wireshark, and xscreensaver), openSUSE (apache2, cryptctl, go1.15, libnettle, python-rsa, salt, thunderbird, wireshark, libvirt, sbc, libqt5-qtmultimedia, xstream, and xterm), and SUSE (cryptctl, freeradius-server, libnettle, and libsolv).
---------------------------------------------
https://lwn.net/Articles/860809/
∗∗∗ 129 Dell models, including Secured-core PCs, vulnerable to new firmware flaws ∗∗∗
---------------------------------------------
Around 129 Dell consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs, have been found to be vulnerable to a series of vulnerabilities that can allow threat actors to pass as the official dell.com domain and trigger malicious BIOS/UEFI firmware updates.
---------------------------------------------
https://therecord.media/129-dell-models-including-secured-core-pcs-vulnerab…
∗∗∗ Zyxel says a threat actor is targeting its enterprise firewall and VPN devices ∗∗∗
---------------------------------------------
Networking equipment vendor Zyxel has emailed customers this week to alert them about a series of attacks that have been targeting some of the company's high-end enterprise-focused firewall and VPN server products.
---------------------------------------------
https://therecord.media/zyxel-says-a-threat-actor-is-targeting-its-enterpri…
∗∗∗ Security Advisory - Logic Vulnerability in Huawei WATCH Kid Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210630-…
∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within Pacemaker. (CVE-2020-25654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a…
∗∗∗ Security Bulletin: IBM® Db2® 'Check for Updates' process is vulnerable to DLL hijacking (CVE-2019-4588) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-check-for-updates…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based (June 2021) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-an-au…
∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru is vulnerable to an issue within IBM® Runtime Environment Java™ Technology Edition, Version 7. (CVE-2020-14782, CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru…
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure (CVE-2021-20579) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc…
∗∗∗ Drupal: Multiple vulnerabilities allow manipulation of files ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0686
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 22-06-2021 18:00 − Wednesday 23-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ A week after arrests, Cl0p ransomware group dumps new tranche of stolen data ∗∗∗
---------------------------------------------
Leak shows that, like the rest of the ransomware scourge, Cl0p isn't going away.
---------------------------------------------
https://arstechnica.com/?p=1775362
∗∗∗ SonicWall bug affecting 800K firewalls was only partially fixed ∗∗∗
---------------------------------------------
New findings have emerged that shed light on a critical SonicWall vulnerability disclosed last year, which affected over 800,000 VPN firewalls and was initially thought to have been patched.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-bug-affecting-800k…
∗∗∗ PYSA ransomware backdoors education orgs using ChaChi malware ∗∗∗
---------------------------------------------
The PYSA ransomware gang has been using a remote access Trojan (RAT) dubbed ChaChi to backdoor the systems of healthcare and education organizations and steal data that later gets leveraged in double extortion ransom schemes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pysa-ransomware-backdoors-ed…
∗∗∗ Sure looks like someone's pirating the REvil ransomware, tweaking the binary in a hex editor for their own crimes ∗∗∗
---------------------------------------------
It's a crook-eat-crook world out there. It appears someone is pirating the infamous REvil ransomware by tweaking its files for their own purposes.
---------------------------------------------
https://www.theregister.com/2021/06/23/revil_ransomware_lv/
∗∗∗ Do not book holiday apartments on luxfewo.de ∗∗∗
---------------------------------------------
Holiday apartments and accommodation are nowadays mostly booked online. But beware: fraudulent offers hide among the numerous platforms and booking websites. Anyone who, for example, books on luxfewo.de and makes a down payment loses a lot of money and ends up with no accommodation.
---------------------------------------------
https://www.watchlist-internet.at/news/ferienwohnungen-nicht-auf-luxfewode-…
∗∗∗ MITRE releases D3FEND, defensive measures complementary to its ATT&CK framework ∗∗∗
---------------------------------------------
The MITRE Corporation, one of the most respected organizations in the cybersecurity field, has released today D3FEND, a complementary framework to its industry-recognized ATT&CK matrix.
---------------------------------------------
https://therecord.media/mitre-releases-d3fend-defensive-measures-compliment…
=====================
= Vulnerabilities =
=====================
∗∗∗ Unpatched Linux Marketplace Bugs Allow Wormable Attacks, Drive-By RCE ∗∗∗
---------------------------------------------
A pair of zero-days affecting Pling-based marketplaces could allow for some ugly attacks on unsuspecting Linux enthusiasts -- with no patches in sight.
---------------------------------------------
https://threatpost.com/unpatched-linux-marketplace-bugs-rce/167155/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and linux-4.19), Fedora (tor), Oracle (rh-postgresql10-postgresql), Red Hat (kernel), SUSE (ansible, apache2, dovecot23, OpenEXR, ovmf, and wireshark), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-5.8, linux-azure,[...]
---------------------------------------------
https://lwn.net/Articles/860652/
∗∗∗ WordPress Plugin "WordPress Popular Posts" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN63066062/
∗∗∗ VDE-CERT Advisories 2021-06-23: Multiple Vulnerabilities in Phoenix Contact Products and Weidmueller Industrial WLAN devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by InfoSphere Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20488, CVE-2021-20494, CVE-2021-20572, CVE-2021-20573, CVE-2021-20574) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-passw…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM InfoSphere Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information Exposure vulnerability (CVE-2020-4189) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ VMSA-2021-0013 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0013.html
∗∗∗ Python Flask vulnerability CVE-2018-1000656 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K63597327
∗∗∗ Palo Alto Networks Patches Critical Vulnerability in Cortex XSOAR ∗∗∗
---------------------------------------------
https://www.securityweek.com/palo-alto-networks-patches-critical-vulnerabil…
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX316325
∗∗∗ Advantech WebAccess HMI Designer ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01
∗∗∗ CODESYS V2 web server ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-173-02
∗∗∗ CODESYS Control V2 communication ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-173-03
∗∗∗ CODESYS Control V2 Linux SysFile library ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-173-04
=====================
= End-of-Day report =
=====================
Timeframe: Monday 21-06-2021 18:00 − Tuesday 22-06-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Darkside RaaS in Linux version ∗∗∗
---------------------------------------------
Unlike the Windows version of the malware, which targets any Windows endpoint, the Darkside Linux version mostly targets ESXi servers. Its default configuration includes the root path of ESX server machines. Targeted extensions are 'vmdk', 'log', 'vmem', 'vmsn', which ESX servers use for saving virtual machine information, data, and logs.
---------------------------------------------
https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-ve…
∗∗∗ Wormable DarkRadiation Ransomware Targets Linux and Docker Instances ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a new ransomware strain called "DarkRadiation" that's implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. "The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro said [..]
---------------------------------------------
https://thehackernews.com/2021/06/wormable-darkradiation-ransomware.html
∗∗∗ Package manager: crypto-mining malware on PyPI targets data science projects ∗∗∗
---------------------------------------------
With names like mplatlib, the packages rely on confusion with matplotlib. They download a Bash script that attempts to install a cryptominer.
---------------------------------------------
https://heise.de/-6113470
∗∗∗ Shadow Credentials: Abusing Key Trust Account Mapping for Takeover ∗∗∗
---------------------------------------------
The techniques for DACL-based attacks against User and Computer objects in Active Directory have been established for years. [..] These techniques have their shortcomings [..]
Tl;dr: It is possible to add “Key Credentials” to the attribute msDS-KeyCredentialLink of the target user/computer object and then perform Kerberos authentication as that account using PKINIT.
In plain English: this is a much easier and more reliable takeover primitive against Users and Computers.
A tool to operationalize this technique has been released alongside this post.
---------------------------------------------
https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-ma…
=====================
= Vulnerabilities =
=====================
∗∗∗ Tor Browser fixes vulnerability that tracks you using installed apps ∗∗∗
---------------------------------------------
The Tor Project has released Tor Browser 10.0.18 to fix numerous bugs, including a vulnerability that allows sites to track users by fingerprinting the applications installed on their devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tor-browser-fixes-vulnerabil…
∗∗∗ Bugs in NVIDIA’s Jetson Chipset Open Door to DoS Attacks, Data Theft ∗∗∗
---------------------------------------------
Chipmaker patches nine high-severity bugs in its Jetson SoC framework tied to the way it handles low-level cryptographic algorithms.
---------------------------------------------
https://threatpost.com/nvidia-jetson-chipset-dos-data-theft/167093/
∗∗∗ Zephyr OS Bluetooth vulnerabilities left smart devices open to attack ∗∗∗
---------------------------------------------
The S in IoT stands for security. Vulnerabilities in the Zephyr real-time operating system's Bluetooth stack have been identified, leaving a wide variety of Internet of Things devices open to attack – unless upgraded to a patched version of the OS.…
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/06/22/zephyr_os_bl…
∗∗∗ VMSA-2021-0012 ∗∗∗
---------------------------------------------
CVE(s): CVE-2021-21998
The VMware Carbon Black App Control management server has an authentication bypass. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.4.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0012.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (audacity), openSUSE (chromium), Oracle (glib2), SUSE (Salt and salt), and Ubuntu (apache2 and openexr).
---------------------------------------------
https://lwn.net/Articles/860559/
∗∗∗ Security Advisory - Improper Permission Assignment Vulnerability in Some USB Dongle Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A Security Vulnerability in IBM Java Runtime affects IBM License Key Server Administration and Reporting Tool and its Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects Power Hardware Management Console (CVE-2021-3449). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
∗∗∗ Security Bulletin: IBM Bootable Media Creator (BoMC) is affected by a vulnerability in cyrus-sasl (CVE-2019-19906) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creato…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-2021-3449) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose…
∗∗∗ Security Bulletin: IBM Bootable Media Creator (BoMC) is affected by a vulnerability in GNU cpio (CVE-2019-14866) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creato…
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Liberty affects IBM WIoTP MessageGateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
∗∗∗ Security Bulletin: IBM Bootable Media Creator (BoMC) is affected by vulnerabilities in libxml2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creato…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 18-06-2021 18:00 − Monday 21-06-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Easy Access to the NIST RDS Database, (Sat, Jun 19th) ∗∗∗
---------------------------------------------
When you're facing some suspicious files while performing forensic investigations or analyzing malware components, it's always interesting to know whether these files are legit or malicious/modified. One of the key sources to verify hashes is provided by NIST and is called the NSRL project ("National Software Reference Library"). [...] CIRCL, the Luxembourg CERT, has a good reputation to offer/participate in services like MISP, a passive DNS service, etc. They are now offering an API to query the NIST RDS via HTTP or DNS requests!
---------------------------------------------
https://isc.sans.edu/diary/rss/27544
∗∗∗ 5 Critical Steps to Recovering From a Ransomware Attack ∗∗∗
---------------------------------------------
Businesses must prepare for the possibility of a ransomware attack affecting their data, services, and business continuity. What steps are involved in recovering from a ransomware attack?
---------------------------------------------
https://thehackernews.com/2021/06/5-critical-steps-to-recovering-from.html
∗∗∗ On our own behalf: CERT.at is looking for reinforcement: IT Security Analyst (m/f/d - full-time - Vienna) ∗∗∗
---------------------------------------------
To strengthen our analysis team, we are looking for an IT security analyst.
---------------------------------------------
https://cert.at/de/ueber-uns/jobs/
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-4932 tor - security update ∗∗∗
---------------------------------------------
Multiple security vulnerabilities were discovered in Tor, a connection-based low-latency anonymous communication system, which could result in denial of service or spoofing.
---------------------------------------------
https://www.debian.org/security/2021/dsa-4932
∗∗∗ Autodesk closes malicious-code loopholes in AutoCAD applications ∗∗∗
---------------------------------------------
Important security updates are available for various products of the AutoCAD family.
---------------------------------------------
https://heise.de/-6112990
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (connman, go, and grub), Debian (nettle, prosody, and tor), Fedora (iaito, mingw-ilmbase, mingw-openexr, mingw-python-urllib3, mosquitto, nettle, polkit, and radare2), Mageia (puddletag, python-babel, python-eventlet, and python-pikepdf), openSUSE (htmldoc), SUSE (go1.15, go1.16, gupnp, and libgcrypt), and Ubuntu (apache2 and dovecot).
---------------------------------------------
https://lwn.net/Articles/860418/
∗∗∗ CVE-2021-3609: Race condition in net/can/bcm.c leads to local privilege escalation ∗∗∗
---------------------------------------------
This is an announcement for the recently reported bug (CVE-2021-3609) in the CAN BCM networking protocol in the Linux kernel ranging from version 2.6.25 to mainline 5.13-rc6. The vulnerability is a race condition in net/can/bcm.c allowing for local privilege escalation to root.
---------------------------------------------
https://seclists.org/oss-sec/2021/q2/225
∗∗∗ SYSS-2021-032: Admin Columns Free & Pro – Persistent Cross-Site Scripting (XSS) in Custom Field (CVE-2021-24365) ∗∗∗
---------------------------------------------
The WordPress plug-in "Admin Columns" allows persistent cross-site scripting (XSS) attacks up to version 5.5.1 (Pro) and 4.3 (Free) respectively.
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-032-admin-columns-free-pro-persi…
∗∗∗ Security Advisory - Deserialization Vulnerability in Huawei AnyOffice Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210619-…
∗∗∗ Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-q…
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js lodash vulnerability (CVE-2020-28500) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js lodash vulnerability (CVE-2021-23337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 17-06-2021 18:00 − Friday 18-06-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Newly discovered Vigilante malware outs software pirates and blocks them ∗∗∗
---------------------------------------------
Most malware tries to steal stuff. Vigilante, by contrast, takes aim at piracy.
---------------------------------------------
https://arstechnica.com/?p=1774437
∗∗∗ Network Forensics on Azure VMs (Part #2), (Fri, Jun 18th) ∗∗∗
---------------------------------------------
In yesterday's diary, we took a look at two methods that allow capturing network connection information off a potentially compromised virtual machine in Azure. Today, we'll investigate the most recent addition to the VM monitoring arsenal, namely "Azure Monitor Insights".
---------------------------------------------
https://isc.sans.edu/diary/rss/27538
∗∗∗ Open redirects ... and why Phishers love them, (Fri, Jun 18th) ∗∗∗
---------------------------------------------
Working from home, did you get a meeting invite recently that pointed to https://meet.google.com ? Well, that's indeed where Google's online meeting tool is located. But potentially the URL you got is not "only" leading you there.
---------------------------------------------
https://isc.sans.edu/diary/rss/27542
∗∗∗ Intentional Flaw in GPRS Encryption Algorithm GEA-1 ∗∗∗
---------------------------------------------
General Packet Radio Service (GPRS) is a mobile data standard that was widely used in the early 2000s. The first encryption algorithm for that standard was GEA-1, a stream cipher built on three linear-feedback shift registers and a non-linear combining function. Although the algorithm has a 64-bit key, the effective key length is only 40 bits, due to “an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance.”
---------------------------------------------
https://www.schneier.com/blog/archives/2021/06/intentional-flaw-in-gprs-enc…
∗∗∗ Malicious Redirects Through Bogus Plugin ∗∗∗
---------------------------------------------
Recently we have been seeing a rash of WordPress website compromises with attackers abusing the plugin upload functionality in the wp-admin dashboard to redirect visitors and website owners to malicious websites.
---------------------------------------------
https://blog.sucuri.net/2021/06/malicious-redirects-through-bogus-plugin.ht…
∗∗∗ Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise ∗∗∗
---------------------------------------------
Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-sup…
∗∗∗ With this NSA guide, admins can protect IP telephony ∗∗∗
---------------------------------------------
The National Security Agency issues recommendations on how to make voice and video calls more secure.
---------------------------------------------
https://heise.de/-6111092
∗∗∗ Polazert Trojan using poisoned Google Search results to spread ∗∗∗
---------------------------------------------
The threat actors behind Trojan.Polazert are using keyword-stuffed PDF files to rank high in search results and attract new victims.
---------------------------------------------
https://blog.malwarebytes.com/awareness/2021/06/polazert-trojan-using-poiso…
∗∗∗ Service Vulnerabilities: Shared Hosting Symlink Security Issue Still Widely Exploited on Unpatched Servers ∗∗∗
---------------------------------------------
The Wordfence site cleaning team helps numerous customers recover from malware infections and site intrusions. While doing so, Wordfence Security Analysts perform a detailed forensic investigation in order to determine how the site was compromised by attackers. In a set of recent cases, we were able to identify a service vulnerability allowing malicious attackers to [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/06/service-vulnerabilities-shared-hosti…
∗∗∗ Fraud in QR code scanner apps: what to watch out for ∗∗∗
---------------------------------------------
Whether registering at a restaurant or for a vaccination or test appointment: since the corona crisis at the latest, using QR codes has become normal. Accordingly, numerous new QR code scanners are currently popping up in the app stores. But beware: some of these free apps are fronts for fraudsters. Caution is also advised with reputable apps, since the advertisements they display can be fraudulent.
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-bei-qr-code-scannern-darauf-s…
∗∗∗ A deep dive into the operations of the LockBit ransomware group ∗∗∗
---------------------------------------------
Most victims are from the enterprise and are expected to pay an average ransom of $85,000.
---------------------------------------------
https://www.zdnet.com/article/a-deep-dive-into-the-operations-of-the-lockbi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (aspnet-runtime, aspnet-runtime-3.1, chromium, drupal, intel-ucode, nginx, opera, python-django, radare2, thefuck, and vivaldi), Debian (jetty9), Fedora (dogtag-pki and pki-core), openSUSE (htmldoc and postgresql10), Oracle (dhcp), SUSE (apache2, caribou, jetty-minimal, libxml2, postgresql12, python-PyJWT, python-rsa, python-urllib3, thunderbird, tpm2.0-tools, xstream, and xterm), and Ubuntu (grub2-signed, grub2-unsigned and libxml2).
---------------------------------------------
https://lwn.net/Articles/860260/
∗∗∗ Hitachi Virtual File Platform vulnerable to OS command injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN21298724/
∗∗∗ Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-q…
∗∗∗ Security Bulletin: IBM Security Identity Manager Virtual Appliance deprecated Self Service UI contains Struts V1 (CVE-2016-1182) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man…
∗∗∗ Security Bulletin: A vulnerability has been identified in Apache Commons IO shipped with IBM Tivoli Netcool/OMNIbus Probe for Microsoft Exchange Web Services (CVE-2021-29425) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been…
∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in Netty shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Identity Manager deprecated Self Service UI contains Struts V1 (CVE-2016-1182) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man…
∗∗∗ Security Bulletin: BIND for IBM i is affected by CVE-2021-25214 and CVE-2021-25215 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affecte…
∗∗∗ Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vul…
∗∗∗ VMSA-2021-0011 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0011.html
∗∗∗ Google Chrome: Multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0670
∗∗∗ Schneider Electric EnerlinX Com’X 510 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-168-01
∗∗∗ Softing OPC-UA C++ SDK ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-168-02
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-168-03
∗∗∗ WAGO M&M Software fdtCONTAINER (Update C) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05
∗∗∗ Rockwell Automation ISaGRAF5 Runtime (Update A) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-280-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 16-06-2021 18:00 − Thursday 17-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Criminals are mailing hacked Ledger devices to steal cryptocurrency ∗∗∗
---------------------------------------------
Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach that are used to steal cryptocurrency wallets.
---------------------------------------------
https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-…
∗∗∗ Network Forensics on Azure VMs (Part #1), (Thu, Jun 17th) ∗∗∗
---------------------------------------------
The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straight forward, but it also tips off an intruder that he has been found out. Sometimes, it makes sense to first watch for a while, and learn more, for example about compromised accounts, lateral movement, or other involved hosts.
---------------------------------------------
https://isc.sans.edu/diary/rss/27536
∗∗∗ Top 5 ICS Incident Response Tabletops and How to Run Them ∗∗∗
---------------------------------------------
In this blog SANS instructor, Dean Parsons, discusses the top five ICS incident response table tops and how to run them. How prepared is your organization to respond to an industrial control system (ICS) cyber incident? How resilient is it against Ransomware that could impact safety and operations? Does your organization have the ability to detect advanced persistent threats that use modern attack methodologies against your critical infrastructure?
---------------------------------------------
https://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-…
∗∗∗ What you need to know about Process Ghosting, a new executable image tampering attack ∗∗∗
---------------------------------------------
This blog describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF).
---------------------------------------------
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tamperi…
∗∗∗ Google enters a framework against supply-chain attacks into the race ∗∗∗
---------------------------------------------
SLSA is meant to ensure the integrity of code from check-in into the repository, through the build process, to the consumption of packages.
---------------------------------------------
https://heise.de/-6073057
∗∗∗ Cybercriminals go after Amazon Prime Day Shoppers ∗∗∗
---------------------------------------------
- In the last 30 days, over 2300 new domains were registered about Amazon, a 10% increase from the previous Amazon Prime Day, where the majority now are either malicious or suspicious
- Almost 1 out of 2 (46%) of new domains registered containing the word “Amazon” are malicious
- Almost 1 out of 3 (32%) of new domains registered with the word “Amazon” are deemed suspicious
---------------------------------------------
https://blog.checkpoint.com/2021/06/16/cybercriminals-go-after-amazon-prime…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hitachi Application Server Help vulnerable cross-site scripting ∗∗∗
---------------------------------------------
The following products are affected by the vulnerability.
* Hitachi Application Server V10 Manual (Windows) version 10-11-01 and earlier
* Hitachi Application Server V10 Manual (UNIX) version 10-11-01 and earlier
Solution: Apply the appropriate latest version of the help according to the information provided by the developer.
---------------------------------------------
https://jvn.jp/en/jp/JVN03776901/
∗∗∗ Chaos Tool Suite (ctools) - Moderately critical - Access bypass - SA-CONTRIB-2021-015 ∗∗∗
---------------------------------------------
Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal; its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them. The module doesn't sufficiently handle block access control on its EntityView plugin.
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-015
∗∗∗ Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017 ∗∗∗
---------------------------------------------
This module provides a revision UI to Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-017
∗∗∗ Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016 ∗∗∗
---------------------------------------------
This module provides a revision UI to Linky entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-016
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has published security advisories for eight vulnerabilities. None of them is rated "Critical"; four are rated "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (gnupnp and postgresql), Fedora (dino, microcode_ctl, and xen), Mageia (apache, gsoap, libgd, openssh, perl-Image-ExifTool, python-bleach, and qt4 and qtsvg5), openSUSE (chromium, containerd, docker, runc, djvulibre, htmldoc, kernel, libjpeg-turbo, libopenmpt, libxml2, spice, squid, and ucode-intel), Red Hat (dhcp and glib2), SUSE (apache2, inn, java-1_8_0-openjdk, and webkit2gtk3), and Ubuntu (nettle).
---------------------------------------------
https://lwn.net/Articles/860128/
∗∗∗ D-Link routers: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in D-Link routers to execute arbitrary code, manipulate files, disclose information, cause a denial-of-service condition or bypass security measures.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0666
∗∗∗ OTRS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in OTRS to carry out a denial-of-service or cross-site scripting attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0669
∗∗∗ Security Bulletin: ICU Vulnerability Affects IBM Control Center (CVE-2020-10531) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-icu-vulnerability-affects…
∗∗∗ Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying Java vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-c…
∗∗∗ Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying WebSphere Liberty vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-streams-service-for-ibm-c…
∗∗∗ Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man…
∗∗∗ Security Bulletin: Vulnerability in the AIX trace facility (CVE-2021-29706) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-…
∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: Multiple JasperReports Vulnerabilities Affect IBM Control Center (CVE-2020-9410, CVE-2018-18809) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-jasperreports-vu…
∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 15-06-2021 18:00 − Wednesday 16-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Avaddon ransomware's exit sheds light on victim landscape ∗∗∗
---------------------------------------------
A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/avaddon-ransomwares-exit-she…
∗∗∗ Protecting Against Ransomware – From the Human Perspective ∗∗∗
---------------------------------------------
SANS blog post on what ransomware is, how it works, and most importantly, how to empower your workforce to protect against it.
---------------------------------------------
https://www.sans.org/blog/protecting-against-ransomware-from-the-human-pers…
∗∗∗ Nokia Deepfield global analysis shows most DDoS attacks originate from fewer than 50 hosting companies ∗∗∗
---------------------------------------------
In-depth analysis across large sample of networks globally fingerprints and traces origins of most DDoS attacks (by frequency and traffic volume)[...]
---------------------------------------------
https://www.nokia.com/about-us/news/releases/2021/06/14/nokia-deepfield-glo…
∗∗∗ The First Step: Initial Access Leads to Ransomware ∗∗∗
---------------------------------------------
Ransomware attacks still use email -- but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access…
∗∗∗ Warning: do not settle Amazon orders outside the platform! ∗∗∗
---------------------------------------------
For many people, ordering via Amazon is an easy way to buy a wide variety of products in one place. But fraudulent offers turn up on Amazon too! If Amazon sellers want to handle the order by e-mail, you should be careful.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-amazon-bestellungen-nicht-au…
∗∗∗ On the Security of RFID-based TOTP Hardware Tokens ∗∗∗
---------------------------------------------
Matthias Deeg and Gerhard Klostermeier examined two different RFID-based TOTP hardware tokens, the OTCP-P2 and the Protectimus SLIM NFC.
---------------------------------------------
https://www.syss.de/pentest-blog/on-the-security-of-rfid-based-totp-hardwar…
∗∗∗ Ukrainian police arrest Clop ransomware members, seize server infrastructure ∗∗∗
---------------------------------------------
Multiple suspects believed to be linked to the Clop ransomware cartel have been detained in Ukraine this week after a joint operation from law enforcement agencies from Ukraine, South Korea, and the US.
---------------------------------------------
https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-sei…
=====================
= Vulnerabilities =
=====================
∗∗∗ Qnap: NAS updates remove remotely exploitable vulnerability ∗∗∗
---------------------------------------------
Operating-system updates for Qnap's network-attached storage (NAS) devices close two vulnerabilities rated "Medium", one of which can be attacked over the Internet.
---------------------------------------------
https://heise.de/-6072554
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (prosody, python-urllib3, and xen), Fedora (dino, dotnet3.1, dotnet5.0, and vmaf), Oracle (gupnp, kernel, and kernel-container), Red Hat (gupnp), Scientific Linux (kernel), SUSE (java-1_8_0-openjdk, kernel, snakeyaml, and xorg-x11-libX11), and Ubuntu (bluez).
---------------------------------------------
https://lwn.net/Articles/860004/
∗∗∗ ZDI-21-502: An Information Disclosure Bug in ISC BIND server ∗∗∗
---------------------------------------------
You should verify you have a patched version of BIND as many OS distributions provide BIND packages that differ from the official ISC release versions.
---------------------------------------------
https://www.thezdi.com/blog/2021/6/15/zdi-21-502-an-information-disclosure-…
∗∗∗ Security Advisory - Out-Of-Bounds Read Vulnerability On Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210616-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2021-20492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-…
∗∗∗ Security Bulletin: Stack-based Buffer Overflow vulnerabilities in IBM Spectrum Protect Back-up Archive Client and IBM Spectrum Protect for Space Management (CVE-2021-29672, CVE-2021-20546) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overfl…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affecting IBM Application Discovery and Delivery Intelligence V5.1.0.8, V5.1.0.9 and V6.0.0.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot for VMware (CVE-2020-27221, CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server terminates abnormally when executing a specifically crafted select statement. (CVE-2021-29702) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man…
∗∗∗ Security Bulletin: IBM MQ Appliance affected by an OpenSSL vulnerability (CVE-2020-1968) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected…
∗∗∗ Security Bulletin: Resilient App Host secrets are not encrypted (CVE-2021-20567) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-resilient-app-host-secret…
∗∗∗ Cross-Site Request Forgery Patched in WP Fluent Forms ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-i…
∗∗∗ Synology-SA-21:21 Audio Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_21
∗∗∗ Trend Micro InterScan Web Security Virtual Appliance: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0660
∗∗∗ ThroughTek P2P SDK ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01
∗∗∗ Automation Direct CLICK PLC CPU Modules ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-166-02
∗∗∗ SYSS-2021-022, SYSS-2021-023, SYSS-2021-025, SYSS-2021-026: Multiple vulnerabilities in HR software LOGA3 ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-022-syss-2021-023-syss-2021-025-…
∗∗∗ SYSS-2021-007: Protectimus SLIM NFC – External Control of System or Configuration Setting (CWE-15) (CVE-2021-32033) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-007-protectimus-slim-nfc-externa…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 14-06-2021 18:00 − Tuesday 15-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Paradise Ransomware source code released on a hacking forum ∗∗∗
---------------------------------------------
The complete source code for the Paradise Ransomware has been released on a hacking forum allowing any would-be cyber criminal to develop their own customized ransomware operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/paradise-ransomware-source-c…
∗∗∗ Andariel evolves to target South Korea with ransomware ∗∗∗
---------------------------------------------
In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload.
---------------------------------------------
https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomwa…
∗∗∗ Multi Perimeter Device Exploit Mirai Version Hunting For Sonicwall, DLink, Cisco and more, (Tue, Jun 15th) ∗∗∗
---------------------------------------------
Vulnerable perimeter devices remain a popular target, and we do see consistent exploit attempts against them.
---------------------------------------------
https://isc.sans.edu/diary/rss/27528
∗∗∗ Experts Shed Light On Distinctive Tactics Used by Hades Ransomware ∗∗∗
---------------------------------------------
Cybersecurity researchers on Tuesday disclosed "distinctive" tactics, techniques, and procedures (TTPs) adopted by operators of Hades ransomware that set it apart from the rest of the pack, attributing it to a financially motivated threat group called GOLD WINTER.
---------------------------------------------
https://thehackernews.com/2021/06/experts-shed-light-on-distinctive.html
∗∗∗ What’s past is prologue – A new world of critical infrastructure security ∗∗∗
---------------------------------------------
Attackers have targeted American critical infrastructure several times over the past few years, putting at risk U.S. electrical grids, oil pipelines and water supply systems.
---------------------------------------------
https://blog.talosintelligence.com/2021/06/new-world-after-pipeline-ransomw…
∗∗∗ Tracking Amazon delivery staff ∗∗∗
---------------------------------------------
The Amazon delivery tracking API allows ultra-precise tracking of drivers. Amazon claim that customers can only track the driver for the 10 stops prior to theirs.
---------------------------------------------
https://www.pentestpartners.com/security-blog/tracking-amazon-delivery-staf…
∗∗∗ Do not apply for loans on ulacglobalfinanzen.com ∗∗∗
---------------------------------------------
Looking for a loan and researching favourable terms on the Internet? You may then come across ulacglobalfinanzen.com, a dubious lending company offering excellent terms and uncomplicated processing. Anyone who applies for a loan there, however, loses money and hands personal data to criminals!
---------------------------------------------
https://www.watchlist-internet.at/news/beantragen-sie-kredite-nicht-auf-ula…
∗∗∗ Vishing: What is it and how do I avoid getting scammed? ∗∗∗
---------------------------------------------
How do vishing scams work, how do they impact businesses and individuals, and how can you protect yourself, your family and your business?
---------------------------------------------
https://www.welivesecurity.com/2021/06/14/vishing-what-is-it-how-avoid-gett…
∗∗∗ Ransomware attacks continue to surge, hitting a 93% increase year over year ∗∗∗
---------------------------------------------
Number of organizations impacted by ransomware has risen to 1210 in June 2021. Check Point Research sees a 41% increase in attacks since the beginning of 2021 and a 93% increase year over year.
---------------------------------------------
https://blog.checkpoint.com/2021/06/14/ransomware-attacks-continue-to-surge…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall closes denial-of-service hole in firewall operating system SonicOS ∗∗∗
---------------------------------------------
The web-based management interface of some SonicOS versions could be knocked out with specially crafted POST requests. Updates change that.
---------------------------------------------
https://heise.de/-6071069
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base, dhcp, firefox, glib2, hivex, kernel, postgresql, qemu-kvm, qt5-qtimageformats, samba, and xorg-x11-server), Fedora (kernel and kernel-tools), Oracle (kernel and postgresql), Red Hat (dhcp and gupnp), Scientific Linux (gupnp and postgresql), SUSE (postgresql10 and xterm), and Ubuntu (imagemagick).
---------------------------------------------
https://lwn.net/Articles/859842/
∗∗∗ iOS 12.5.4 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT212548
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential Cross Site Scripting (XSS) CVE-2020-5000 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2020-1971, CVE-2021-23840, CVE-2021-23841) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2020-27221, CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: IBM Event Streams is potentially affected by multiple node vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-pote…
∗∗∗ Security Bulletin: Genivia gSOAP vulnerabilities affect IBM Spectrum Protect for Virtual Environments:Data Protection for VMware and Spectrum Protect Client (CVE-2020-13575, CVE-2020-13578, CVE-2020-13574, CVE-2020-13577, CVE-2020-13576, ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-genivia-gsoap-vulnerabili…
∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10531) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-13947) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-27290) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a…
∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 11-06-2021 18:00 − Monday 14-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ DDoS attacks against companies in Austria ∗∗∗
---------------------------------------------
For several weeks, a group calling itself "Fancy Lazarus" has been attempting to extort protection money by means of DDoS attacks and the threat of follow-up attacks. Comparable attacks under similar names have also occurred globally since August 2020.
After we received reports from partner CERTs about attacks on targets in other EU countries, several cases have now also occurred in Austria.
---------------------------------------------
https://cert.at/de/warnungen/2021/6/ddos-angriffe-gegen-unternehmen-in-oste…
∗∗∗ Password Attacks 101 ∗∗∗
---------------------------------------------
According to the 2020 Data Breaches report by Verizon, 25% of all breaches involved the use of stolen credentials. And for small businesses, that number hit 30%. Brute force attacks have a similar share, accounting for 18% of all breaches, and 34% of those for small businesses. Why are password attacks like brute forcing so effective? And how exactly do they work? Let’s take a look at three kinds of password attacks that present a real threat to sites and businesses of all sizes.
---------------------------------------------
https://blog.sucuri.net/2021/06/3-password-attacks-101.html
∗∗∗ Makers of the Avaddon ransomware give up and publish keys ∗∗∗
---------------------------------------------
A free decryption tool for victims of the Avaddon extortion trojan has been released.
---------------------------------------------
https://heise.de/-6070028
∗∗∗ Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords ∗∗∗
---------------------------------------------
The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly.
---------------------------------------------
https://www.wordfence.com/blog/2021/06/malicious-attack-campaign-targeting-…
∗∗∗ Micropatch for Another Remote Code Execution Issue in Internet Explorer (CVE-2021-31959) ∗∗∗
---------------------------------------------
Windows Updates brought a fix for another "Exploitation More Likely" memory corruption vulnerability in Scripting Engine (CVE-2021-26419) discovered by Ivan Fratric of Google Project Zero, very similar to a vulnerability also discovered by Ivan and patched in May. Ivan published details and a proof-of-concept three days ago and we took these to reproduce the vulnerability in our lab and create a micropatch for it.
---------------------------------------------
https://blog.0patch.com/2021/06/micropatch-for-another-remote-code.html
∗∗∗ Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs ∗∗∗
---------------------------------------------
I recently came across an interesting bug in the Microsoft Power Apps service which, despite its simplicity, can be leveraged by an attacker to gain persistent read/write access to a victim user’s email, Teams chats, OneDrive, Sharepoint and a variety of other services by way of a malicious Microsoft Teams tab and Power Automate flows. The bug has since been fixed by Microsoft, but in this blog we’re going to see how it /could/ have been exploited.
---------------------------------------------
https://medium.com/tenable-techblog/stealing-tokens-emails-files-and-more-i…
=====================
= Vulnerabilities =
=====================
∗∗∗ High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin ∗∗∗
---------------------------------------------
We initially reached out to the plugin’s developer on May 21, 2021. After receiving confirmation of an appropriate communication channel, we provided the full disclosure details on May 24, 2021. A patch was quickly released on May 28, 2021 in version 2.6.0.
We highly recommend updating to the latest patched version available, 2.6.0, immediately.
---------------------------------------------
https://www.wordfence.com/blog/2021/06/high-severity-vulnerability-patched-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (apache, gitlab, inetutils, isync, kube-apiserver, nettle, polkit, python-urllib3, python-websockets, thunderbird, and wireshark-cli), Debian (squid3), Fedora (glibc, libxml2, mingw-openjpeg2, and openjpeg2), Mageia (djvulibre, docker-containerd, exif, gnuchess, irssi, jasper, kernel, kernel-linus, microcode, python-lxml, python-pygments, rust, slurm, and wpa_supplicant, hostapd), openSUSE (389-ds and pam_radius), Oracle (.NET Core 3.1, container-tools:3.0, container-tools:ol8, krb5, microcode_ctl, postgresql:12, postgresql:13, and runc), Red Hat (dhcp, postgresql, postgresql:10, postgresql:12, postgresql:9.6, rh-postgresql10-postgresql, rh-postgresql12-postgresql, and rh-postgresql13-postgresql), Scientific Linux (dhcp and microcode_ctl), SUSE (ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone, crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store, freeradius-server, libjpeg-turbo, spice, and squid), and Ubuntu (rpcbind).
---------------------------------------------
https://lwn.net/Articles/859669/
∗∗∗ Security Bulletin: Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential caching vulnerability (CVE-2020-5003) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-financi…
∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-23337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a…
∗∗∗ Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-13947) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ CISA Releases Advisory on ZOLL Defibrillator Dashboard ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/14/cisa-releases-adv…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 10-06-2021 18:00 − Friday 11-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Keeping an Eye on Dangerous Python Modules, (Fri, Jun 11th) ∗∗∗
---------------------------------------------
With Python getting more and more popular, especially on Microsoft Operating systems, it's common to find malicious Python scripts today.
---------------------------------------------
https://isc.sans.edu/diary/rss/27514
∗∗∗ SQL Injection: Targeted measures instead of block lists ∗∗∗
---------------------------------------------
SQL injection still plays a leading role among web vulnerabilities, yet defending against it is not hard at all.
---------------------------------------------
https://heise.de/-6067640
∗∗∗ Why hackers don’t fly coach ∗∗∗
---------------------------------------------
Physical security is relied on too heavily for cabin-based systems on the Airline Information Services Domain (AISD).
---------------------------------------------
https://www.pentestpartners.com/security-blog/why-hackers-dont-fly-coach/
∗∗∗ Unauthorized access to your PayPal account? Ignore this e-mail! ∗∗∗
---------------------------------------------
Criminals are currently sending a phishing e-mail in PayPal's name. Supposedly there has been unusual activity on your PayPal account, so you must log in and confirm your identity. Do not comply with these demands. Criminals are trying to gain access to your PayPal account.
---------------------------------------------
https://www.watchlist-internet.at/news/unbefugter-zugriff-auf-ihr-paypal-ko…
∗∗∗ Proxy Windows Tooling via SOCKS ∗∗∗
---------------------------------------------
Leveraging SOCKS to proxy tools from a Windows attacker machine through a compromised host is a topic that contains some nuance and room for confusion.
---------------------------------------------
https://posts.specterops.io/proxy-windows-tooling-via-socks-c1af66daeef3
∗∗∗ BackdoorDiplomacy: Upgrading from Quarian to Turian ∗∗∗
---------------------------------------------
ESET researchers discover a new campaign that evolved from the Quarian backdoor.
---------------------------------------------
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quari…
∗∗∗ Breaking SSL Locks: App Developers Behaving Badly ∗∗∗
---------------------------------------------
Symantec analyzed five years’ worth of Android and iOS apps to see how many are sending data securely.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mo…
∗∗∗ Authorities seize SlilPP, a marketplace for stolen login credentials ∗∗∗
---------------------------------------------
The US Department of Justice announced today it seized the servers and domains of SlilPP, a well-known online marketplace where criminal groups assembled to trade stolen login credentials.
---------------------------------------------
https://therecord.media/authorities-seize-slilpp-a-marketplace-for-stolen-l…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hackers can exploit bugs in Samsung pre-installed apps to spy on users ∗∗∗
---------------------------------------------
Samsung is working on patching multiple vulnerabilities affecting its mobile devices that could be used for spying or to take full control of the system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-can-exploit-bugs-in-…
∗∗∗ Qnap secures switches and network storage against unauthorized access ∗∗∗
---------------------------------------------
Important security updates are available for various Qnap network devices.
---------------------------------------------
https://heise.de/-6068667
∗∗∗ Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug (GitHub blog) ∗∗∗
---------------------------------------------
On the GitHub blog, Kevin Backhouse writes about a privilege escalation vulnerability in polkit, which enables an unprivileged local user to get a root shell on the system. CVE-2021-3560 is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request.
---------------------------------------------
https://lwn.net/Articles/859064/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libwebp), Fedora (firefox, lasso, mod_auth_openidc, nginx, redis, and squid), Oracle (.NET 5.0, container-tools:2.0, dhcp, gupnp, hivex, kernel, krb5, libwebp, nginx:1.16, postgresql:10, and postgresql:9.6), SUSE (containerd, docker, runc, csync2, and salt), and Ubuntu (libimage-exiftool-perl, libwebp, and rpcbind).
---------------------------------------------
https://lwn.net/Articles/859192/
∗∗∗ WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN70566757/
∗∗∗ Sonicwall SRA 4600 Targeted By an Old Vulnerability, (Fri, Jun 11th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/27518
∗∗∗ ZDI-21-682: (0Day) D-Link DAP-1330 HNAP Cookie Header Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-682/
∗∗∗ ZDI-21-681: (0Day) D-Link DAP-1330 lighttpd http_parse_request Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-681/
∗∗∗ ZDI-21-680: (0Day) D-Link DAP-1330 lighttpd get_soap_action Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-680/
∗∗∗ ZDI-21-679: (0Day) D-Link DAP-1330 HNAP checkValidRequest Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-679/
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability (CVE-2021-29754) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects TPF Toolkit ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to cacheable SSL Pages (CVE-2021-20396) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy…
∗∗∗ Red Hat OpenShift: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0652
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 09-06-2021 18:00 − Thursday 10-06-2021 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Cloud Atlas Navigates Us Into New Waters ∗∗∗
---------------------------------------------
Learn how to interpret nameserver activity to enumerate infrastructure in the context of a recent Cloud Atlas example investigated by Senior Security Researcher, Chad Anderson.
---------------------------------------------
https://www.domaintools.com/resources/blog/cloud-atlas-navigates-us-into-ne…
∗∗∗ BloodHound – Sniffing Out the Path Through Windows Domains ∗∗∗
---------------------------------------------
BloodHound is a tool allowing for the analysis of AD rights and relations, focusing on the ones that an attacker may abuse.
---------------------------------------------
https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-doma…
∗∗∗ Quarterly Report: Incident Response trends from Spring 2021 ∗∗∗
---------------------------------------------
While the security community made a great effort to warn users of the exploitation of several Microsoft Exchange Server zero-day vulnerabilities, it was still the biggest threat Cisco Talos Incident Response (CTIR) saw this past quarter.
---------------------------------------------
https://blog.talosintelligence.com/2021/06/quarterly-report-incident-respon…
∗∗∗ CISA Addresses the Rise in Ransomware Targeting Operational Technology Assets ∗∗∗
---------------------------------------------
CISA has published the Rising Ransomware Threat to OT Assets fact sheet in response to the recent increase in ransomware attacks targeting operational technology (OT) assets and control systems.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/09/cisa-addresses-ri…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Attacks on Google's Chrome web browser could be imminent ∗∗∗
---------------------------------------------
A version of the Chrome web browser hardened against various attacks has been released.
---------------------------------------------
https://heise.de/-6067353
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (htmldoc, lasso, and rails), Fedora (exiv2, firefox, and microcode_ctl), openSUSE (python-HyperKitty), Oracle (389-ds-base, qemu-kvm, qt5-qtimageformats, and samba), Red Hat (container-tools:3.0, container-tools:rhel8, postgresql:12, and postgresql:13), Scientific Linux (389-ds-base, hivex, libwebp, qemu-kvm, qt5-qtimageformats, samba, and thunderbird), SUSE (caribou, djvulibre, firefox, gstreamer-plugins-bad, kernel, libopenmpt, libxml2,
---------------------------------------------
https://lwn.net/Articles/859008/
∗∗∗ ZOLL Defibrillator Dashboard ∗∗∗
---------------------------------------------
This advisory contains mitigations for Unrestricted Upload of File with Dangerous Type, Use of Hard-coded Cryptographic Key, Cleartext Storage of Sensitive Information, Cross-site Scripting, Storing Passwords in a Recoverable Format, and Improper Privilege Management vulnerabilities in the ZOLL Defibrillator Dashboard software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-161-01
∗∗∗ Rockwell Automation FactoryTalk Services Platform ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Protection Mechanism Failure vulnerability in Rockwell Automation's FactoryTalk Services Platform software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-161-01
∗∗∗ AGG Software Web Server Plugin ∗∗∗
---------------------------------------------
This advisory contains mitigations for Path Traversal and Cross-site Scripting vulnerabilities in AGG Software's Server Plugin.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-161-02
∗∗∗ Security Advisory - Resource Management Error Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210609-…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-2773) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Eclipse Jetty (CVE-2021-28163, CVE-2021-28164, CVE-2021-28165) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2020-5024, CVE-2020-5025, CVE-2020-4976) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db…
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX316324
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-06-2021 18:00 − Wednesday 09-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Intel fixes 73 vulnerabilities in June 2021 Platform Update ∗∗∗
---------------------------------------------
Intel has addressed 73 security vulnerabilities as part of the June 2021 Patch Tuesday, including high severity ones impacting some versions of Intel's Security Library and the BIOS firmware for Intel processors. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/intel-fixes-73-vulnerabiliti…
∗∗∗ PuzzleMaker attacks with Chrome zero-day exploit chain ∗∗∗
---------------------------------------------
We detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.
---------------------------------------------
https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/
∗∗∗ Alpaca attack: Attackers could attack TLS-secured connections ∗∗∗
---------------------------------------------
Security researchers demonstrate theoretical attacks on TLS connections. Attackers could, for example, hijack sessions.
---------------------------------------------
https://heise.de/-6066915
∗∗∗ Nameless Malware Discovered by NordLocker is Now in Have I Been Pwned ∗∗∗
---------------------------------------------
[...] they're sitting on a bunch of compromised personal info, now what? As with the two law enforcement agencies, NordLocker's goal is to inform impacted parties which is where HIBP comes in so as of now, all 1,121,484 compromised email addresses are searchable.
---------------------------------------------
https://www.troyhunt.com/nameless-malware-discovered-by-nordlocker-is-now-i…
∗∗∗ Cisco Smart Install Protocol Still Abused in Attacks, 5 Years After First Warning ∗∗∗
---------------------------------------------
Cisco’s Smart Install protocol is still being abused in attacks — five years after the networking giant issued its first warning — and there are still roughly 18,000 internet-exposed devices that could be targeted by hackers.
---------------------------------------------
https://www.securityweek.com/cisco-smart-install-protocol-still-abused-atta…
∗∗∗ Classified-ad fraud: Potential buyers want to handle payment via DHL ∗∗∗
---------------------------------------------
Criminals are currently making increased use of the DHL trick on classified-ad platforms such as willhaben, shpock and others to steal money from sellers. They pose as buyers and propose handling the payment via DHL. They claim that DHL now manages payments in order to enable a safe transaction for buyers and sellers. In reality, the criminals are behind the DHL messages and are trying to get at your money.
---------------------------------------------
https://www.watchlist-internet.at/news/kleinanzeigen-betrug-potenzielle-kae…
∗∗∗ The Sysrv-hello Cryptojacking Botnet: Here’s What’s New ∗∗∗
---------------------------------------------
The Sysrv-hello botnet is deployed on both Windows and Linux systems by exploiting multiple vulnerabilities and deployed via shell scripts. Like many of the threat actor tools we've covered, it continuously evolves to fit the needs of its operators and stay ahead of security researchers and law enforcement. Over time, there have been several slight changes in the shell scripts that install the Sysrv-hello implant on machines.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptoja…
=====================
= Vulnerabilities =
=====================
∗∗∗ Improper authentication in SAP NetWeaver ABAP Server and ABAP Platform ∗∗∗
---------------------------------------------
As part of the June 2021 Patch Day, SAP SE published Security Note 3007182, which addresses a serious design flaw,…
---------------------------------------------
https://sec-consult.com/de/blog/detail/unsachgemaesse-authentifizierung-in-…
∗∗∗ Updates available: Vulnerabilities in message brokers RabbitMQ, EMQ X and VerneMQ ∗∗∗
---------------------------------------------
The message brokers are vulnerable to denial-of-service attacks via the IoT protocol MQTT. Current patches are available; you should apply them quickly.
---------------------------------------------
https://heise.de/-6065996
∗∗∗ XSA-375 - Speculative Code Store Bypass ∗∗∗
---------------------------------------------
Impact: An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
Resolution: Applying the appropriate attached patch resolves this issue.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-375.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (eterm, mrxvt, and rxvt), Mageia (cgal, curl, exiv2, polkit, squid, thunderbird, and upx), openSUSE (firefox and libX11), Oracle (libwebp, nginx:1.18, and thunderbird), Red Hat (.NET 5.0, .NET Core 3.1, 389-ds-base, dhcp, gupnp, hivex, kernel, kernel-rt, libldb, libwebp, microcode_ctl, nettle, postgresql:10, postgresql:9.6, qemu-kvm, qt5-qtimageformats, rh-dotnet50-dotnet, and samba), SUSE (apache2-mod_auth_openidc, firefox, gstreamer-plugins-bad, kernel, libX11, pam_radius, qemu, runc, spice, and spice-gtk), and Ubuntu (intel-microcode and rpcbind).
---------------------------------------------
https://lwn.net/Articles/858832/
∗∗∗ Dell PowerEdge: Multiple vulnerabilities ∗∗∗
---------------------------------------------
DSA-2021-078: Dell PowerEdge Server Security Advisory for a Trusted Platform Module (TPM) 1.2 Firmware Vulnerability
DSA-2021-103: Dell PowerEdge Server Security Update for BIOS Vulnerabilities
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0628
∗∗∗ Xen: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in Xen to disclose information, escalate privileges or cause a denial-of-service condition.
* XSA-377: x86: TSX Async Abort protections not restored after S3
* XSA-374: Guest triggered use-after-free in Linux xen-netback
* XSA-373: inappropriate x86 IOMMU timeout detection / handling
* XSA-372: xen/arm: Boot modules are not scrubbed
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0627
∗∗∗ Multiple vulnerabilities in Bosch IP cameras ∗∗∗
---------------------------------------------
BOSCH-SA-478243-BT: Multiple vulnerabilities for Bosch IP cameras have been discovered in a penetration test by Kaspersky ICS CERT during a certification effort by Bosch. Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer's environment. Customers are strongly advised to upgrade to the fixed versions.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates.
* APSB21-36 Security update available for Adobe Connect
* APSB21-37 Security update available for Adobe Acrobat and Reader
* APSB21-38 Security update available for Adobe Photoshop
* APSB21-39 Security update available for Adobe Experience Manager
* APSB21-41 Security update available for Adobe Creative Cloud Desktop Application
* APSB21-44 Security update available for Adobe RoboHelp Server
* APSB21-46 Security update available for Adobe Photoshop Elements
* APSB21-47 Security update available for Adobe Premiere Elements
* APSB21-49 Security update available for Adobe After Effects
* APSB21-50 Security update available for Adobe Animate
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/08/adobe-releases-se…
∗∗∗ Security Bulletin: IBM Event Streams is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe…
∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) stores keystore passwords in plain text after a manual edit, which can be read by a local user. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-…
∗∗∗ Nettle cryptography library vulnerability CVE-2021-20305 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K33101555?utm_source=f5support&utm_mediu…
∗∗∗ Linux kernel vulnerability CVE-2019-11811 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01512680?utm_source=f5support&utm_mediu…
∗∗∗ Johnson Controls Metasys ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01
∗∗∗ Open Design Alliance Drawings SDK ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-02
∗∗∗ AVEVA InTouch ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-03
∗∗∗ Schneider Electric IGSS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-04
∗∗∗ Schneider Electric Modicon X80 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-05
∗∗∗ Thales Sentinel LDK Run-Time Environment ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-06
=====================
= End-of-Day report =
=====================
Timeframe: Monday 07-06-2021 18:00 − Tuesday 08-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft Office MSGraph vulnerability could lead to code execution ∗∗∗
---------------------------------------------
Microsoft today will release a patch for a vulnerability affecting the Microsoft Office MSGraph component, responsible for displaying graphics and charts, that could be exploited to execute code on a target machine.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-office-msgraph-vul…
∗∗∗ Picture this: Malware Hides in Steam Profile Images ∗∗∗
---------------------------------------------
SteamHide abuses the gaming platform Steam to serve payloads for malware downloaders. Malware operators can also update already infected machines by adding new profile images to Steam. The developers seem to have a few more ambitious goals.
---------------------------------------------
https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images
∗∗∗ FragAttacks vulnerability: FritzOS updates for old Fritzboxes ∗∗∗
---------------------------------------------
The mid-range Fritzbox 3490 router from 2014 is getting the current FritzOS 7.27. Further older models could follow.
---------------------------------------------
https://heise.de/-6065367
∗∗∗ Android Patch Day: Critical system and Qualcomm vulnerabilities closed ∗∗∗
---------------------------------------------
Attackers could attack Android devices and, among other things, leak information or even execute malicious code.
---------------------------------------------
https://heise.de/-6064923
∗∗∗ Organizations Warned About DoS Flaws in Popular Open Source Message Brokers ∗∗∗
---------------------------------------------
Organizations have been warned about denial of service (DoS) vulnerabilities found in RabbitMQ, EMQ X and VerneMQ, three widely used open source message brokers.
---------------------------------------------
https://www.securityweek.com/organizations-warned-about-dos-flaws-popular-o…
∗∗∗ Beware of advertising from dubious online shops! ∗∗∗
---------------------------------------------
Whether Facebook, Instagram, Tiktok or Google: all of these platforms are attractive channels for companies to place their advertising. However, this applies not only to reputable companies but also to dubious ones. Readers of Watchlist Internet repeatedly report that advertisements led them to a problematic online shop. A recent study by the Arbeiterkammer Wien in cooperation with Watchlist Internet [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-werbung-unserioeser-onl…
∗∗∗ TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint ∗∗∗
---------------------------------------------
We have identified indicators traditionally pointing to WatchDog operations being used by the TeamTNT cryptojacking group.
---------------------------------------------
https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operatio…
=====================
= Vulnerabilities =
=====================
∗∗∗ Wago: Updates fix dangerous vulnerabilities in industrial control systems ∗∗∗
---------------------------------------------
Since May, Wago has been gradually releasing important firmware updates against critical vulnerabilities in programmable logic controllers (PLCs) of the 750 series.
---------------------------------------------
https://heise.de/-6065199
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nginx), Fedora (musl), Mageia (dnsmasq, firefox, graphviz, libebml, libpano13, librsvg, libxml2, lz4, mpv, tar, and vlc), openSUSE (csync2, python-py, and snakeyaml), Oracle (qemu), Red Hat (container-tools:2.0, kernel, kpatch-patch, nettle, nginx:1.16, and rh-nginx116-nginx), Slackware (httpd and polkit), SUSE (389-ds, gstreamer-plugins-bad, shim, and snakeyaml), and Ubuntu (gnome-autoar and isc-dhcp).
---------------------------------------------
https://lwn.net/Articles/858644/
∗∗∗ SAP Patchday June ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0616
∗∗∗ Citrix Cloud Connector Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX316690
∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX297155
∗∗∗ SSA-133038: Multiple Modfem File Parsing Vulnerabilities in Simcenter Femap ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-133038.txt
∗∗∗ SSA-200951: Multiple Vulnerabilities in Third-Party Component libcurl of TIM Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-200951.txt
∗∗∗ SSA-208356: DFT File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-208356.txt
∗∗∗ SSA-211752: Multiple NTP-Client Related Vulnerabilities in SIMATIC NET CP 443-1 OPC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
∗∗∗ SSA-419820: Denial-of-Service Vulnerability in TIM 1531 IRC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-419820.txt
∗∗∗ SSA-522654: Privilege Escalation Vulnerability in Mendix SAML Module ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-522654.txt
∗∗∗ SSA-645530: TIFF File Parsing Vulnerability in JT2Go and Teamcenter Visualization ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-645530.txt
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Privilege Escalation vulnerability (CVE-2020-4952) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Applications 4.3 nodejs and nodejs-express Appsody stacks is vulnerable to information disclosure, buffer overflow and prototype pollution exposures ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applica…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-06-2021 18:00 − Monday 07-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch now! Attackers are attacking VMware vCenter Server ∗∗∗
---------------------------------------------
Security researchers warn that attackers are targeting a critical vulnerability in vCenter Server.
---------------------------------------------
https://heise.de/-6063523
∗∗∗ Exploit for critical vulnerability in Rocket.Chat published ∗∗∗
---------------------------------------------
Anyone who has not yet fixed the critical Rocket.Chat vulnerability closed in May should do so as soon as possible.
---------------------------------------------
https://heise.de/-6063795
∗∗∗ Malware family naming hell is our own fault ∗∗∗
---------------------------------------------
EternalPetya has more than 10 different names. Many do not realize that CryptoLocker is long dead. These are not isolated cases but symptoms of a systemic problem: The way we name malware does not work. Why does it happen and how can we solve it?
---------------------------------------------
https://www.gdatasoftware.com/blog/malware-family-naming-hell
∗∗∗ Gootkit: the cautious Trojan ∗∗∗
---------------------------------------------
Gootkit is complex multi-stage banking malware capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots and lots of other malicious actions. Its loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.
---------------------------------------------
https://securelist.com/gootkit-the-cautious-trojan/102731/
∗∗∗ OSX/Hydromac ∗∗∗
---------------------------------------------
In this guest blog post, the security researcher Taha Karim of ConfiantIntel, dives into a new macOS adware specimen: Hydromac.
---------------------------------------------
https://objective-see.com/blog/blog_0x65.html
∗∗∗ WordPress Redirect Hack via Test0.com/Default7.com ∗∗∗
---------------------------------------------
Malicious redirect is a type of hack where website visitors are automatically redirected to some third-party website: usually it’s some malicious resource, scam site or a commercial site that buys traffic from cyber criminals (e.g. counterfeit drugs or replica merchandise). There are two major types of malicious redirects: server-side redirects and client-side redirects.
---------------------------------------------
https://blog.sucuri.net/2021/06/wordpress-redirect-hack-via-test0-com-defau…
∗∗∗ Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments ∗∗∗
---------------------------------------------
The main purpose of Siloscape is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.
---------------------------------------------
https://unit42.paloaltonetworks.com/siloscape/
∗∗∗ This phishing email is pushing password-stealing malware to Windows PCs ∗∗∗
---------------------------------------------
An old form of trojan malware has been updated with new abilities, warn cybersecurity researchers.
---------------------------------------------
https://www.zdnet.com/article/this-phishing-email-is-pushing-password-steal…
∗∗∗ Hacking space: How to pwn a satellite ∗∗∗
---------------------------------------------
Hacking an orbiting satellite is not light years away - here’s how things can go wrong in outer space.
---------------------------------------------
https://www.welivesecurity.com/2021/06/07/hacking-space-how-pwn-satellite/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libwebp, python-django, ruby-nokogiri, and thunderbird), Fedora (dhcp, polkit, transfig, and wireshark), openSUSE (chromium, inn, kernel, redis, and umoci), Oracle (pki-core:10.6), Red Hat (libwebp, nginx:1.18, rh-nginx118-nginx, and thunderbird), SUSE (gstreamer-plugins-bad), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle).
---------------------------------------------
https://lwn.net/Articles/858561/
∗∗∗ Microsoft Edge: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0612
∗∗∗ Apache HTTP Server: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0611
∗∗∗ QNAP NAS: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0613
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: cURL libcurl vulnerabilities impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-curl-libcurl-vulnerabilit…
∗∗∗ Security Bulletin: OpenSSL vulnerabilities impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0 and earlier (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-im…
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect JRE in IBM DataPower Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Elastic Storage Server GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to a DoS attack ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul…
∗∗∗ Security Bulletin: OpenSSL vulnerability impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0, and earlier (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-imp…
∗∗∗ Security Bulletin: IBM DataPower Gateway GUI permits use of GET ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-gui…
∗∗∗ Security Bulletin: WebSphere Application Server ND is vulnerable to Directory Traversal vulnerability (CVE-2021-20517) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 02-06-2021 18:00 − Friday 04-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Warning: World4You phishing email in circulation! ∗∗∗
---------------------------------------------
Criminals are currently sending a fake World4You phishing email to website operators. It claims that the recipients' registered domain is expiring and therefore must be renewed. Do not comply with the payment demand: the money and your credit card data go straight into the hands of criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-phishing-mail-von-world4you…
∗∗∗ Loopholes for malicious code in video conferencing software Cisco Webex closed ∗∗∗
---------------------------------------------
Cisco has released security updates for several products such as routers and Webex.
---------------------------------------------
https://heise.de/-6062229
∗∗∗ Email spoofing: how attackers impersonate legitimate senders ∗∗∗
---------------------------------------------
This article analyzes different ways of spoofing email addresses by changing the From header, which provides information about the sender's name and address.
---------------------------------------------
https://securelist.com/email-spoofing-types/102703/
∗∗∗ Exchange Servers Targeted by ‘Epsilon Red’ Malware ∗∗∗
---------------------------------------------
REvil threat actors may be behind a set of PowerShell scripts developed for encryption and weaponized to exploit vulnerabilities in corporate networks, the ransom note suggests.
---------------------------------------------
https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/
∗∗∗ How to hack into 5500 accounts… just using “credential stuffing” ∗∗∗
---------------------------------------------
Passwords: don't just pay them lip service.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/06/04/how-to-hack-into-5500-accounts-…
∗∗∗ Russian Dolls VBS Obfuscation, (Fri, Jun 4th) ∗∗∗
---------------------------------------------
We received an interesting sample from one of our readers (thanks Henry!) and we like it. If you find something interesting, we are always looking for fresh meat! Henry's sample was delivered in a password-protected ZIP archive and the file was a VBS script called "presentation_37142.vbs".
---------------------------------------------
https://isc.sans.edu/diary/rss/27494
∗∗∗ Build, Hack, and Defend Azure Identity ∗∗∗
---------------------------------------------
An Introduction to PurpleCloud Hybrid + Identity Cyber Range
---------------------------------------------
https://www.sans.org/blog/build-hack-defend-azure-identity?msc=rss
∗∗∗ Necro Python bot adds new exploits and Tezos mining to its bag of tricks ∗∗∗
---------------------------------------------
Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and improving its chances of [...]
---------------------------------------------
https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks…
∗∗∗ Organizations Warned: STUN Servers Increasingly Abused for DDoS Attacks ∗∗∗
---------------------------------------------
Application and network performance management company NETSCOUT warned organizations this week that STUN servers have been increasingly abused for distributed denial-of-service (DDoS) attacks, and there are tens of thousands of servers that could be abused for such attacks by malicious actors.
---------------------------------------------
https://www.securityweek.com/organizations-warned-stun-servers-increasingly…
∗∗∗ ESET Threat Report T1 2021 ∗∗∗
---------------------------------------------
A view of the T1 2021 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.
---------------------------------------------
https://www.welivesecurity.com/2021/06/03/eset-threat-report-t12021/
∗∗∗ WebLogic RCE Leads to XMRig ∗∗∗
---------------------------------------------
This report will review an intrusion where the threat actor took advantage of a WebLogic remote code execution vulnerability (CVE-2020-14882) to gain initial access to the system before installing [...]
---------------------------------------------
https://thedfirreport.com/2021/06/03/weblogic-rce-leads-to-xmrig/
∗∗∗ CISA Releases Best Practices for Mapping to MITRE ATT&CK® ∗∗∗
---------------------------------------------
As part of an effort to encourage a common language in threat actor analysis, CISA has released Best Practices for MITRE ATT&CK® Mapping. The guide shows analysts—through instructions and examples—how to map adversary behavior to the MITRE ATT&CK framework. CISA created this guide in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), a DHS-owned R&D center operated by MITRE, which [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/02/cisa-releases-bes…
∗∗∗ FontPack: A dangerous update ∗∗∗
---------------------------------------------
Attribution secrets: Who is behind stealing credentials and bank card data by asking to install fake Flash Player, browser or font updates?
---------------------------------------------
https://blog.group-ib.com/fontpack
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has published advisories for 13 vulnerabilities. None of them is rated "Critical", five are rated "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, curl, dhclient, dhcp, firefox, keycloak, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, opera, packagekit, pam-u2f, postgresql, rabbitmq, redis, ruby-bundler, and zint), Debian (caribou, firefox-esr, imagemagick, and isc-dhcp), Fedora (mapserver, mingw-python-pillow, and python-pillow), openSUSE (chromium), Red Hat (firefox, glib2, pki-core:10.6, polkit, rh-ruby26-ruby, and rh-ruby27-ruby), SUSE [...]
---------------------------------------------
https://lwn.net/Articles/858144/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lasso), Fedora (mingw-djvulibre, mingw-exiv2, python-lxml, and singularity), openSUSE (ceph, dhcp, inn, nginx, opera, polkit, upx, and xstream), Oracle (firefox, perl, and polkit), Scientific Linux (firefox), SUSE (avahi, csync2, djvulibre, libwebp, polkit, python-py, slurm, slurm_18_08, thunderbird, and umoci), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, [...]
---------------------------------------------
https://lwn.net/Articles/858331/
∗∗∗ Advantech iView ∗∗∗
---------------------------------------------
This advisory contains mitigations for Missing Authentication for Critical Function, and SQL Injection vulnerabilities in Advantech iView IoT device management application.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-154-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security Advisory - Command Injection Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602…
∗∗∗ Security Advisory - Race Condition Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602…
∗∗∗ Drupal: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0610
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 01-06-2021 18:00 − Wednesday 02-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Producing a trustworthy x86-based Linux appliance ∗∗∗
---------------------------------------------
Let's say you're building some form of appliance on top of general purpose x86 hardware. You want to be able to verify the software it's running hasn't been tampered with. What's the best approach with existing technology?
---------------------------------------------
https://mjg59.dreamwidth.org/57199.html
∗∗∗ Cobalt Strike, a penetration testing tool abused by criminals ∗∗∗
---------------------------------------------
Cobalt Strike is a pen-testing tool that often ends up in the hands of cybercriminals. Are we providing them with the tools to attack us?
...
If you were to compose a list of tools and software developed by security and privacy defenders that ended up being abused by the bad guys, then Cobalt Strike would unfortunately be near the top of the list. Maybe only Metasploit could give it a run for the first place ranking.
---------------------------------------------
https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-pe…
∗∗∗ Teenagers targeted by online fraudsters: 5 common tricks ∗∗∗
---------------------------------------------
From fake designer products to tempting job offers: we present five common scam methods with which criminals target the money and data of teenagers.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2021/06/01/jugendliche-im-visier-von…
∗∗∗ Website operators beware: TM Österreich is sending fraudulent emails! ∗∗∗
---------------------------------------------
Website operators are reporting a fraudulent email from TM Österreich to us. It claims that someone wants to register your domain with a different extension. TM Österreich offers to register this additional domain for you in order to avoid problems such as lost revenue or damage to your image. Caution: TM Österreich is fake. Do not accept the offer under any circumstances!
---------------------------------------------
https://www.watchlist-internet.at/news/webseiten-betreiberinnen-aufgepasst-…
∗∗∗ Shodan Verified Vulns 2021-06-01 ∗∗∗
---------------------------------------------
As of 2021-06-01, our Shodan data showed the following picture of vulnerabilities in Austria: as expected, the number of vulnerable Microsoft Exchange servers (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) has continued to decline; according to our latest scans, the number is now even below 100.
---------------------------------------------
https://cert.at/de/aktuelles/2021/6/shodan-verified-vulns-2021-06-01
=====================
= Vulnerabilities =
=====================
∗∗∗ Revisiting Realtek – A New Set of Critical Wi-Fi Vulnerabilities Discovered by Automated Zero-Day Analysis ∗∗∗
---------------------------------------------
On February 3rd we responsibly disclosed six critical issues in the Realtek RTL8195A Wi-Fi module...
Following that successful detection and disclosure, we expanded our analysis to additional modules. This new analysis resulted in two new critical vulnerabilities discovered by scanning the modules in Vdoo’s product security platform, which contains a unique proprietary capability of detecting potential zero-days automatically. The new vulnerabilities were fixed by Realtek, following another responsible disclosure.
---------------------------------------------
https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day/
∗∗∗ Overview of F5 vulnerabilities (June 2021) ∗∗∗
---------------------------------------------
On June 1, 2021, F5 announced the following security issues.
High CVEs
* K08503505: BIG-IP Edge Client for Windows vulnerability CVE-2021-23022, CVSS score: 7.0 (High)
* K33757590: BIG-IP Edge Client for Windows vulnerability CVE-2021-23023, CVSS score: 7.0 (High)
Medium CVEs
* K06024431: BIG-IQ vulnerability CVE-2021-23024, CVSS score: 6.5 (Medium)
---------------------------------------------
https://support.f5.com/csp/article/K67501282
∗∗∗ Critical 0-day in Fancy Product Designer Under Active Attack ∗∗∗
---------------------------------------------
On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.
...
Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected.
---------------------------------------------
https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-desi…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (squid), Fedora (dhcp), openSUSE (gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly and slurm), Oracle (glib2 and kernel), Red Hat (kernel, kernel-rt, perl, and tcpdump), Scientific Linux (glib2), SUSE (bind, dhcp, lz4, and shim), and Ubuntu (dnsmasq, lasso, and python-django).
---------------------------------------------
https://lwn.net/Articles/857978/
∗∗∗ Synology DiskStation Manager: Vulnerability allows code execution ∗∗∗
---------------------------------------------
CVE-2021-29088
A local attacker can exploit a vulnerability in Synology DiskStation Manager to execute arbitrary code.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0596
∗∗∗ XSS vulnerability found in popular WYSIWYG website editor [Froala] ∗∗∗
---------------------------------------------
...the bug, tracked as CVE-2021-28114, impacts Froala version 3.2.6 and earlier. Froala is a lightweight What-You-See-Is-What-You-Get (WYSIWYG) HTML rich text editor for developers and content creators.
---------------------------------------------
https://www.zdnet.com/article/xss-vulnerability-found-in-popular-wysiwyg-we…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Apache CXF vulnerability identified in IBM Tivoli Application Dependency Discovery Manager (CVE-2021-22696) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Jazz Foundation and IBM Engineering products. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-11868, CVE-2020-13817) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to Server-side Request Forgery and affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache HttpComponents and HttpCommons affect embedded WebSphere Application Server, which affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection attack and affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Hillrom Medical Device Management ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-152-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 31-05-2021 18:00 − Tuesday 01-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Firefox 89 and ESR 78.11: New browser versions, new security updates ∗∗∗
---------------------------------------------
Besides new features, the Mozilla team has also shipped vulnerability patches in the freshly released Firefox versions.
---------------------------------------------
https://heise.de/-6059513
∗∗∗ Planning a holiday in Croatia? Beware of paid registration sites such as enter-croatia.com! ∗∗∗
---------------------------------------------
Many Austrians are looking forward to finally travelling to Croatia again. Because of the COVID-19 pandemic, however, stricter entry rules apply, such as the recommendation to complete a free online registration. Providers such as Visa Gate GmbH exploit the uncertainty of many tourists and put paid registration sites online. We recommend that you do not complete the (voluntary) online registration via enter-croatia.com!
---------------------------------------------
https://www.watchlist-internet.at/news/kroatien-urlaub-geplant-nehmen-sie-s…
∗∗∗ Windows 10's package manager flooded with duplicate, malformed apps ∗∗∗
---------------------------------------------
Microsoft's Windows 10 package manager Winget's GitHub repository has been flooded with duplicate apps and malformed manifest files, raising concerns among developers with regard to the integrity of apps.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-10s-package-manager-…
∗∗∗ Quick and dirty Python: nmap, (Mon, May 31st) ∗∗∗
---------------------------------------------
This diary continues on from the "Quick and dirty Python: masscan" diary, which implemented a simple port scanner in Python using masscan to detect web instances on TCP ports 80 or 443. Masscan is perfectly good as a blunt instrument to quickly find open TCP ports across large address spaces, but for fine details it is better to use a scanner like nmap that, while much slower, is able to probe the port to get a better idea of what is running.
---------------------------------------------
https://isc.sans.edu/diary/rss/27480
∗∗∗ Guildma is now using Finger and Signed Binary Proxy Execution to evade defenses, (Mon, May 31st) ∗∗∗
---------------------------------------------
We recently identified a new Guildma/Astaroth campaign targeting South America, mainly Brazil, using a new variant of the malware. Guildma is known for its multi-stage infection chain and evasion techniques to reach victims' data and exfiltrate it. In a previous diary [1] at Morphus Labs, we analyzed a Guildma variant which employed an innovative strategy to stay active, using Facebook and YouTube to get a new list of its C2 servers.
---------------------------------------------
https://isc.sans.edu/diary/rss/27482
∗∗∗ Evadere Classifications ∗∗∗
---------------------------------------------
The term evasion is derived from the Latin word "evadere" which means - "To escape, to get away." The DOD defines evasion as - "The process whereby isolated personnel avoid capture with the goal of successfully returning to areas under friendly control." [...] This made me think - what does evasion or bypass truly mean? Are there different categories that these evasion techniques fit into? Lastly, if these techniques are to fit into categories - how can detection engineers leverage these for engagements?
---------------------------------------------
https://posts.specterops.io/evadere-classifications-8851a429c94b
∗∗∗ Revisiting the NSIS-based crypter ∗∗∗
---------------------------------------------
In this blog we look at the constantly evolving NSIS crypter which malware authors have been leveraging as a flexible tool to pack and encrypt their samples.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-b…
∗∗∗ TeamTNT botnet makes 50,000 victims over the last three months ∗∗∗
---------------------------------------------
TeamTNT, a crypto-mining botnet specialized in infecting misconfigured Docker and Kubernetes platforms, has compromised more than 50,000 systems over the last three months, between March and May 2021, security firm Trend Micro said last week.
---------------------------------------------
https://therecord.media/teamtnt-botnet-makes-50000-victims-over-the-last-th…
=====================
= Vulnerabilities =
=====================
∗∗∗ Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 ∗∗∗
---------------------------------------------
On June 1, 2021, Lasso disclosed a security vulnerability in the Lasso Security Assertion Markup Language (SAML) Single Sign-On (SSO) library. This vulnerability could allow an authenticated attacker to impersonate another authorized user when interacting with an application. For a description of this vulnerability, see lasso.git NEWS. This advisory will be updated as additional information becomes available.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cflow, chromium, eterm, gnutls, and kernel), Mageia (kernel and kernel-linus), Oracle (glib2), Red Hat (glib2, kernel, kernel-rt, and kpatch-patch), SUSE (curl, djvulibre, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, nginx, python-httplib2, and slurm), and Ubuntu (gupnp, libwebp, postgresql-10, postgresql-12, postgresql-13, and python3.8).
---------------------------------------------
https://lwn.net/Articles/857830/
∗∗∗ Security Bulletin: A format string security vulnerability has been identified in IBM Spectrum Scale (CVE-2021-29740) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-format-string-security-…
∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology, Westermo and Pepperl+Fuchs products ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-05-2021 18:00 − Monday 31-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security update: Root vulnerability in SonicWall's Network Security Manager ∗∗∗
---------------------------------------------
Attackers could slip through a vulnerability in the firewall management software Network Security Manager.
---------------------------------------------
https://heise.de/-6057794
∗∗∗ Client Puzzle Protocols (CPPs) as countermeasures against automated threats to web applications ∗∗∗
---------------------------------------------
Client Puzzle Protocols (CPPs) can be effective measures against denial-of-service attacks. Their effectiveness, however, has to be verified.
---------------------------------------------
https://www.syss.de/pentest-blog/fachartikel-von-it-security-consultant-vla…
∗∗∗ Threat spotlight: Conti, the ransomware used in the HSE healthcare attack ∗∗∗
---------------------------------------------
[...] In this blog, we’ll home in on Conti, the strain identified by some as the successor, cousin or relative of Ryuk ransomware, due to similarities in code use and distribution tactics.
---------------------------------------------
https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-con…
∗∗∗ PoC published for new Microsoft PatchGuard (KPP) bypass ∗∗∗
---------------------------------------------
A security researcher has discovered a bug in PatchGuard, a crucial Windows security feature, that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel.
---------------------------------------------
https://therecord.media/poc-published-for-new-microsoft-patchguard-kpp-bypa…
∗∗∗ WooCommerce Credit Card Skimmer Hides in Plain Sight ∗∗∗
---------------------------------------------
Recently, a client’s customers were receiving a warning from their anti-virus software when they navigated to the checkout page of the client’s ecommerce website. Antivirus software such as Kaspersky and ESET would issue a warning but only once a product had been added to the cart and a customer was about to enter their payment information. This is, of course, a tell-tale sign that there is something seriously wrong with the website and likely a case of credit card exfiltration.
---------------------------------------------
https://blog.sucuri.net/2021/05/woocommerce-credit-card-skimmer.html
∗∗∗ On the Taxonomy and Evolution of Ransomware ∗∗∗
---------------------------------------------
Not all ransomware is the same! Oliver Tavakoli, CTO at Vectra AI, discusses the different species of this growing scourge.
---------------------------------------------
https://threatpost.com/taxonomy-evolution-ransomware/166462/
∗∗∗ Spear-phishing Email Targeting Outlook Mail Clients, (Sat, May 29th) ∗∗∗
---------------------------------------------
In February I posted about spam pretending to be an Outlook version update [1], and now for the past several weeks I have been receiving spear-phishing emails that pretend to be coming from Microsoft Outlook to "Sign in to verify" my account, new terms of service, new version, etc. There have also been some reports this week about a large ongoing spear-phishing campaign [2][3] worth reading. Here are some samples, which always include a sense of urgency to log in as soon as possible: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27472
∗∗∗ Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th) ∗∗∗
---------------------------------------------
New versions of Sysinternals' tools Procmon, Sysmon, TcpView and Process Explorer were released.
---------------------------------------------
https://isc.sans.edu/diary/rss/27476
∗∗∗ Video: Cobalt Strike & DNS - Part 1, (Sun, May 30th) ∗∗∗
---------------------------------------------
One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.
---------------------------------------------
https://isc.sans.edu/diary/rss/27478
∗∗∗ IT threat evolution Q1 2021 ∗∗∗
---------------------------------------------
SolarWinds attacks, MS Exchange vulnerabilities, fake adblocker distributing miner, malware for Apple Silicon platform and other threats in Q1 2021.
---------------------------------------------
https://securelist.com/it-threat-evolution-q1-2021/102382/
∗∗∗ IT threat evolution Q1 2021. Mobile statistics ∗∗∗
---------------------------------------------
In the first quarter of 2021 we detected 1.45M mobile installation packages, of which 25K packages were related to mobile banking Trojans and 3.6K packages were mobile ransomware Trojans.
---------------------------------------------
https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/
∗∗∗ IT threat evolution Q1 2021. Non-mobile statistics ∗∗∗
---------------------------------------------
In Q1 2021, we blocked more than 2 billion attacks launched from online resources across the globe, detected 77.4M unique malicious and potentially unwanted objects, and recognized 614M unique URLs as malicious.
---------------------------------------------
https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/10…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (hyperkitty, libxml2, nginx, openjdk-11-jre-dcevm, rxvt-unicode, samba, and webkit2gtk), Fedora (exiv2, java-1.8.0-openjdk-aarch32, mingw-python-pillow, opendmarc, php-symfony3, php-symfony4, python-pillow, runc, rust-cranelift-codegen-shared, rust-cranelift-entity, and rxvt-unicode), openSUSE (curl, hivex, libu2f-host, libX11, libxls, singularity, and upx), Oracle (dotnet3.1 and dotnet5.0), Red Hat (docker, glib2, and runc), and Ubuntu (lz4).
---------------------------------------------
https://lwn.net/Articles/857737/
∗∗∗ Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-…
∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities have been resolved in IBM Application Gateway (CVE-2021-20576, CVE-2021-20575, CVE-2021-29665) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-05-2021 18:00 − Friday 28-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ FBI to share compromised passwords with Have I Been Pwned ∗∗∗
---------------------------------------------
The FBI will soon begin to share compromised passwords discovered during law enforcement investigations with Have I Been Pwned's Password Pwned service.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-to-share-compromised-pas…
∗∗∗ Ransomware gangs' slow decryptors prompt victims to seek alternatives ∗∗∗
---------------------------------------------
Recently, two highly publicized ransomware victims received a decryptor that was too slow to be effective in quickly restoring the victim's network.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-slow-decryp…
∗∗∗ Tracking BokBot (a.k.a. IcedID) Infrastructure ∗∗∗
---------------------------------------------
BokBot (also known as IcedID) started life as a banking trojan using man-in-the-browser attacks to steal credentials from online banking sessions and initiate fraudulent transactions. Over time, the operator(s) of BokBot have also developed its use as a delivery mechanism for other malware, in particular ransomware.
---------------------------------------------
https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/
∗∗∗ Malicious PowerShell Hosted on script.google.com, (Fri, May 28th) ∗∗∗
---------------------------------------------
Google has an incredible portfolio of services. Besides the classic ones, there are less known services and... they could be very useful for attackers too. One of them is Google Apps Script[1]. Google describes it like this: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27468
∗∗∗ Patch now! Critical vulnerability in HPE SIM closed ∗∗∗
---------------------------------------------
An important security update for Hewlett Packard Enterprise Systems Insight Manager (SIM) has been released.
---------------------------------------------
https://heise.de/-6056415
∗∗∗ Falsifying and weaponizing certified PDFs ∗∗∗
---------------------------------------------
Certified PDFs are supposed to control modifications so that recipients know they haven't been tampered with. It doesn't always work.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/falsifyi…
∗∗∗ Do you know your OpSec? ∗∗∗
---------------------------------------------
Open Source Intelligence (OSINT) is any information in the public domain that an attacker can dig up about you. Because of that it forms the basis of every Red Team [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/do-you-know-your-opsec/
∗∗∗ In need of a holiday? Don't book via ferienhauspartner.co, fewopartner.co, holidaypartner.co & ferienpartner.co! ∗∗∗
---------------------------------------------
Are you looking for a holiday home for the approaching summer? If so, you might come across fraudulent websites. Criminals are currently offering holiday houses and apartments in Germany and Denmark that can be booked by prepayment. But beware: the money paid goes straight into the criminals' hands, and there is no valid booking!
---------------------------------------------
https://www.watchlist-internet.at/news/urlaubsreif-buchen-sie-nicht-ueber-f…
∗∗∗ MobileInter: A Popular Magecart Skimmer Redesigned For Your Phone ∗∗∗
---------------------------------------------
To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/mobile-inter/
∗∗∗ Docker Honeypot Reveals Cryptojacking as Most Common Cloud Threat ∗∗∗
---------------------------------------------
A Docker honeypot captured 33 types of attacks over a total of 850 attempts. Here’s what we learned about the cloud threat landscape.
---------------------------------------------
https://unit42.paloaltonetworks.com/docker-honeypot/
∗∗∗ CVE-2021-31440: An Incorrect Bounds Calculation in the Linux Kernel eBPF Verifier ∗∗∗
---------------------------------------------
In April 2021, the ZDI received a Linux kernel submission that turned out to be an incorrect bounds calculation bug in the extended Berkeley Packet Filter (eBPF) verifier. This bug was submitted to the program by Manfred Paul (@_manfp) of the RedRocket CTF team (@redrocket_ctf). Manfred Paul had successfully exploited two other eBPF verifier bugs in Pwn2Own 2020 and 2021 respectively.
---------------------------------------------
https://www.thezdi.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-ca…
∗∗∗ The Race to Native Code Execution in PLCs ∗∗∗
---------------------------------------------
Claroty has found a severe memory protection bypass vulnerability (CVE-2020-15782) in Siemens PLCs, the SIMATIC S7-1200 and S7-1500. An attacker could abuse this vulnerability on PLCs with disabled access protection to gain read and write access anywhere on the PLC and remotely execute malicious code.
---------------------------------------------
https://claroty.com/2021/05/28/blog-research-race-to-native-code-execution-…
∗∗∗ Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns ∗∗∗
---------------------------------------------
On May 25, 2021, Volexity identified a phishing campaign targeting multiple organizations based in the United States and Europe. The following industries have been observed being targeted thus far: NGOs, research institutions, government agencies, and international agencies. The campaign's phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL [...]
---------------------------------------------
https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall urges customers to immediately patch NSM On-Prem bug ∗∗∗
---------------------------------------------
SonicWall urges customers to immediately patch a post-authentication vulnerability impacting on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-urges-customers-to…
∗∗∗ SSA-434534: Memory Protection Bypass Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families ∗∗∗
---------------------------------------------
SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks. Siemens has released updates for several affected products and strongly recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-434534.txt
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nginx), Fedora (chromium, curl, kernel, php-symfony3, php-symfony4, python-lxml, python-pip, and runc), Mageia (ceph and wireshark), openSUSE (mpv), Oracle (bind, idm:DL1, redis:6, slapi-nis, squid:4, and xorg-x11-server), SUSE (curl, nginx, postgresql10, postgresql12, postgresql13, slurm, slurm_18_08, and slurm_20_11), and Ubuntu (nginx).
---------------------------------------------
https://lwn.net/Articles/857581/
∗∗∗ Several Vulnerabilities in Bosch B426, B426-CN/B429-CN, and B426-M ∗∗∗
---------------------------------------------
BOSCH-SA-196933-BT: A security vulnerability affects the Bosch B426, B426-CN/B429-CN, and B426-M. The vulnerability is exploitable via the network interface. Bosch rates this vulnerability at 8.0 (High) and recommends that customers update vulnerable components to fixed software versions. A second vulnerable condition was found when using the HTTP protocol, in which the user password is transmitted as a clear-text parameter. The latest firmware versions allow only HTTPS. If a software update is not [...]
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-196933-bt.html
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-05-2021 18:00 − Thursday 27-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Warning: Criminals are forging the "Green Pass"! ∗∗∗
---------------------------------------------
The "Green Pass", which is meant to ease access to restaurants and close-contact services, will soon be introduced in Austria. It will only be available in the second week of June, yet criminals are already distributing a "variant" of the Green Pass. We assume that personal data is being harvested in the process. Anyone who uses the dubious app as valid proof of vaccination, testing or recovery could also be committing a criminal offence.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-kriminelle-faelschen-gruenen…
∗∗∗ Exploit published: Fixed WebKit vulnerability remains open on iPhones ∗∗∗
---------------------------------------------
A patch in the open-source foundation of all iOS browsers still has not made its way into Apple's operating systems even after weeks, a security firm warns.
---------------------------------------------
https://heise.de/-6055716
∗∗∗ BazaLoader Masquerades as Movie-Streaming Service ∗∗∗
---------------------------------------------
The website for “BravoMovies” features fake movie posters and a FAQ with a rigged Excel spreadsheet for “cancelling” the service, but all it downloads is malware.
---------------------------------------------
https://threatpost.com/bazaloader-fake-movie-streaming-service/166489/
∗∗∗ “Unpatchable” vuln in Apple’s new Mac chip – what you need to know ∗∗∗
---------------------------------------------
It's all over the news! The bug you can't fix! Fortunately, you don't need to. We explain why.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/05/27/unpatchable-vuln-in-apples-new-…
∗∗∗ Analysis report of the Facefish rootkit ∗∗∗
---------------------------------------------
In Feb 2021, we came across an ELF sample using some CWP N-day exploits. We did some analysis, but after checking with a partner who has some nice visibility into network traffic in some areas of China, we discovered there were literally 0 hits for the C2 traffic.
---------------------------------------------
https://blog.netlab.360.com/ssh_stealer_facefish_en/
∗∗∗ All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not, (Thu, May 27th) ∗∗∗
---------------------------------------------
Malware authors like to use a variety of techniques to avoid detection of their creations by anti-malware tools. As the old saying goes, necessity is the mother of invention, and in the case of malware it has led its authors to devise some very interesting ways to hide from detection over the years, from encoding of executable files into valid bitmap images [1] to multi-stage encryption of malicious payloads [2] and much further.
---------------------------------------------
https://isc.sans.edu/diary/rss/27466
∗∗∗ Saving Your Access ∗∗∗
---------------------------------------------
After revisiting old internal discussions, an area of interest was the possibility of using screensavers for persistence on macOS. This is an established persistence method on Windows, as noted on the MITRE ATT&CK page.
---------------------------------------------
https://posts.specterops.io/saving-your-access-d562bf5bf90b
∗∗∗ Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises ∗∗∗
---------------------------------------------
Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat Intelligence has observed simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophist…
=====================
= Vulnerabilities =
=====================
∗∗∗ HPE fixes critical zero-day vulnerability disclosed in December ∗∗∗
---------------------------------------------
Hewlett Packard Enterprise (HPE) has released a security update to address a zero-day remote code execution vulnerability disclosed last year, in December.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hpe-fixes-critical-zero-day-…
∗∗∗ Drupal: Update closes cross-site scripting vulnerability in several CMS versions ∗∗∗
---------------------------------------------
The CKEditor library used by Drupal core harboured attack possibilities under certain circumstances. Updates are available for both core and the library.
---------------------------------------------
https://heise.de/-6055672
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (djvulibre), Fedora (slapi-nis and upx), Gentoo (ceph and nginx), openSUSE (python-httplib2 and rubygem-actionpack-5_1), Slackware (curl), SUSE (curl, libX11, and python-httplib2), and Ubuntu (isc-dhcp, lz4, and nginx).
---------------------------------------------
https://lwn.net/Articles/857460/
∗∗∗ Vulnerabilities in Visual Studio Code Extensions Expose Developers to Attacks ∗∗∗
---------------------------------------------
Vulnerabilities in Visual Studio Code extensions could be exploited by malicious attackers to steal valuable information from developers and even compromise organizations, researchers with open-source software security firm Snyk say.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-visual-studio-code-extensions-…
∗∗∗ GENIVI Alliance DLT ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in GENIVI Alliance DLT-Daemon software component.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-01
∗∗∗ Johnson Controls Sensormatic Electronics VideoEdge ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Off-by-one Error vulnerability in Sensormatic Electronics VideoEdge surveillance systems. Sensormatic Electronics is a subsidiary of Johnson Controls.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-02
∗∗∗ Siemens JT2Go and Teamcenter Visualization ∗∗∗
---------------------------------------------
This advisory contains mitigations for Untrusted Pointer Dereference, Out-of-bounds Read, and Stack-based Buffer Overflow vulnerabilities in Siemens JT2Go and Teamcenter Visualization products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-04
∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric iQ-R Series CPU modules.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-147-05
∗∗∗ Internet Systems Consortium DHCP: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0587
∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Undocumented Account ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2021050156
∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded Web Application Administrator Password ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2021050155
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4996) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2021-20229) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi…
∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within IBM® Runtime Environment Java™ Technology Edition (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a…
∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2021-3393) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server April 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-aff…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in IBM® Runtime Environment Java™ Technology Edition. (CVE-2020-14779) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a…
∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2020-10733) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 25-05-2021 18:00 − Wednesday 26-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Kaspersky Security Bulletin 2020-2021. EU statistics ∗∗∗
---------------------------------------------
The statistics in this report cover the period from May 2020 to April 2021, inclusive.
---------------------------------------------
https://securelist.com/kaspersky-security-bulletin-2020-2021-eu-statistics/…
∗∗∗ Smart lighting security ∗∗∗
---------------------------------------------
RJ45 connections delivering Power over Ethernet are becoming prevalent in light fittings, a result of the lower power demands from LED fittings. This creates potential for uninformed installers to inadvertently bridge network security controls through connecting the light fittings to existing networking equipment. ... Radio protocols can also lead to compromise if not done securely; Bluetooth Classic, BLE, Z-Wave and many other protocols can be exploited if not configured correctly.
---------------------------------------------
https://www.pentestpartners.com/security-blog/smart-lighting-security/
∗∗∗ The Attack Path Management Manifesto ∗∗∗
---------------------------------------------
The primary goal of Attack Path Management (APM) is to directly solve the problem of Attack Paths. Today, the problem of Attack Paths is felt most acutely in the world of Microsoft Active Directory and Azure Active Directory. These platforms provide the greatest payoff for attackers, since taking control of the fundamental identity platform for an enterprise grants full control of all users, systems, and data in that enterprise
---------------------------------------------
https://posts.specterops.io/the-attack-path-management-manifesto-3a3b117f5e5
∗∗∗ CVE-2021-22909 - Digging into a Ubiquiti Firmware Update bug ∗∗∗
---------------------------------------------
Back in February, Ubiquiti released a new firmware update for the Ubiquiti EdgeRouter, fixing CVE-2021-22909/ZDI-21-601. The vulnerability lies in the firmware update procedure and allows a man-in-the-middle (MiTM) attacker to execute code as root on the device by serving a malicious firmware image when the system performs an automatic firmware update. ... The impact of this vulnerability is quite nuanced and worthy of further discussion.
---------------------------------------------
https://www.thezdi.com/blog/2021/5/24/cve-2021-22909-digging-into-a-ubiquit…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗
---------------------------------------------
Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing.
---------------------------------------------
https://kb.cert.org/vuls/id/799380
∗∗∗ CVE-2020-14145 ∗∗∗
---------------------------------------------
A vulnerability in OpenSSH <= 8.6 allows a man-in-the-middle attacker to determine if a client already has prior knowledge of the remote host's fingerprint. Using this information leak it is possible to ignore clients which will show an error message during a man-in-the-middle attack, while new clients can be intercepted without alerting them to the man-in-the-middle attack. [...] At the moment, the only option to mitigate this vulnerability is to set HostKeyAlgorithms in your config file.
---------------------------------------------
https://docs.ssh-mitm.at/CVE-2020-14145.html
∗∗∗ Security updates: Critical malicious-code vulnerability threatens VMware vCenter Server ∗∗∗
---------------------------------------------
The server management software vCenter Server is vulnerable. Attackers could execute malicious code.
---------------------------------------------
https://heise.de/-6054003
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (djvulibre, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gupnp, hivex, lz4, matrix-synapse, prometheus, python-pydantic, runc, thunderbird, and websvn), Fedora (composer, moodle, and wordpress), Gentoo (bash, boost, busybox, containerd, curl, dnsmasq, ffmpeg, firejail, gnome-autoar, gptfdisk, icu, lcms, libX11, mariadb, mumble, mupdf, mutt, mysql, nettle, nextcloud-client, opensmtpd, openssh, openvpn, php, postgresql, prosody, rxvt-unicode, samba, screen, smarty, spamassassin, squid, stunnel, tar, tcpreplay, telegram-desktop), openSUSE (Botan), Red Hat (kernel), Slackware (gnutls), SUSE (hivex, libu2f-host, rubygem-actionpack-5_1), Ubuntu (apport, exiv2, libx11).
---------------------------------------------
https://lwn.net/Articles/857352/
∗∗∗ Cisco ADE-OS Local File Inclusion Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Finesse Open Redirect Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco DNA Spaces Connector Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco DNA Spaces Connector Command Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ SSA-119468: Luxion KeyShot Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-119468.txt
∗∗∗ Security Advisory - Out-of-Bounds Read Vulnerability On Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210526-…
∗∗∗ Security Advisory - Possible Out-Of-Bounds Read Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210526-…
∗∗∗ Security Advisory - Improper Licenses Management Vulnerability in Some Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210407-…
∗∗∗ Security Bulletin: Mitigations are being announced to address CVE-2020-4839 and CVE-2021-29695 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-mitigations-are-being-ann…
∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: IBM® Db2® 'Check for Updates' process is vulnerable to DLL hijacking (CVE-2019-4588) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-check-for-updates…
∗∗∗ Security Bulletin: Mitigations are being announced to address CVE-2020-4839 and CVE-2021-29695 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-mitigations-are-being-ann…
∗∗∗ Security Bulletin: Data protection rules and policies are not enforced on virtualized objects ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-data-protection-rules-and…
∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2021-20487 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-…
∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: IBM License Key Server Administration and Reporting Tool is impacted by multiple vulnerabilities in jQuery, Bootstrap and AngularJS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-license-key-server-ad…
∗∗∗ Overview of NGINX vulnerabilities (May 2021) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52559937?utm_source=f5support&utm_mediu…
∗∗∗ NGINX Plus and Open Source vulnerability CVE-2021-23017 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K12331123?utm_source=f5support&utm_mediu…
∗∗∗ Datakit Libraries bundled in Luxion KeyShot ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-145-01
∗∗∗ Rockwell Automation Micro800 and MicroLogix 1400 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-145-02
=====================
= End-of-Day report =
=====================
Timeframe: Friday 21-05-2021 18:00 − Tuesday 25-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Beware of SMS notifications about the delivery status of an order ∗∗∗
---------------------------------------------
Expecting a parcel? Then you should be especially careful if you receive information about the status of your order via SMS, because criminals are currently sending out fake delivery notifications en masse. To find out the details, you are asked to click on a link. Under no circumstances should you do that, [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-sms-benachrichtigungen-…
∗∗∗ Patch now! Critical Windows vulnerability affects more systems than thought ∗∗∗
---------------------------------------------
A security researcher has discovered another vulnerable component in Windows systems. Updates are already available.
---------------------------------------------
https://heise.de/-6052749
∗∗∗ Qnap belatedly secures NAS against Qlocker attacks ∗∗∗
---------------------------------------------
Since April, a ransomware trojan has been targeting Qnap network storage devices. Only now are security patches available.
---------------------------------------------
https://heise.de/-6052783
∗∗∗ Evolution of JSWorm ransomware ∗∗∗
---------------------------------------------
There are times when a single ransomware family has evolved from a mass-scale operation to a highly targeted threat - all in the span of two years. In this post we want to talk about one of those families, named JSWorm.
---------------------------------------------
https://securelist.com/evolution-of-jsworm-ransomware/102428/
∗∗∗ "Serverless" Phishing Campaign, (Sat, May 22nd) ∗∗∗
---------------------------------------------
The Internet is full of code snippets and free resources that you can embed in your projects. SmtpJS is one of those small projects that are very interesting for developers but also bad guys. It's the first time that I have spotted a phishing campaign that uses this piece of JavaScript code.
---------------------------------------------
https://isc.sans.edu/diary/rss/27446
∗∗∗ Video: Making Sense Of Encrypted Cobalt Strike Traffic, (Sun, May 23rd) ∗∗∗
---------------------------------------------
Brad posted another malware analysis with capture file of Cobalt Strike traffic.
---------------------------------------------
https://isc.sans.edu/diary/rss/27448
∗∗∗ Web Applications and Internal Penetration Tests ∗∗∗
---------------------------------------------
Until recently, I really didn't care about web applications on an internal penetration test. Whether it was as an entry point or target, I was not interested, since I typically had far better targets and could compromise the networks anyway. However, the times have changed, internal environments are much more restricted, not many services are exposed, and applications are the main reason for the tests. This is not supposed to be a guide to analyze web applications, but some thoughts [...]
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/web-applica…
∗∗∗ Apple Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS ∗∗∗
---------------------------------------------
Apple on Monday rolled out security updates for iOS, macOS, tvOS, watchOS, and Safari web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur and expand patches for two previously disclosed zero-day flaws. Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apple's Transparency, Consent, and Control (TCC) framework in macOS
---------------------------------------------
https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.ht…
∗∗∗ OT Systems Increasingly Targeted by Unsophisticated Hackers: Mandiant ∗∗∗
---------------------------------------------
Unsophisticated threat actors - in many cases motivated by financial gain - have increasingly targeted internet-exposed operational technology (OT) systems, according to research conducted by Mandiant, FireEye’s threat intelligence and incident response unit.
---------------------------------------------
https://www.securityweek.com/ot-systems-increasingly-targeted-unsophisticat…
∗∗∗ DarkChronicles: the consequences of the Colonial Pipeline attack ∗∗∗
---------------------------------------------
This article began as an overview of the Colonial Pipeline incident. However, the events unfolded so rapidly that the scope of the publication has gone beyond a single incident.
---------------------------------------------
https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-conseq…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗
---------------------------------------------
Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing.
---------------------------------------------
https://kb.cert.org/vuls/id/799380
∗∗∗ VU#667933: Pulse Connect Secure Samba buffer overflow ∗∗∗
---------------------------------------------
Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code.
---------------------------------------------
https://kb.cert.org/vuls/id/667933
∗∗∗ Trend Micro: Home Network Security Station secured against three vulnerabilities ∗∗∗
---------------------------------------------
A firmware update protects Home Network Security Stations against attack vectors, two of which, although only exploitable locally, are said to carry high risks.
---------------------------------------------
https://heise.de/-6053146
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libx11, prosody, and ring), Fedora (ceph, glibc, kernel, libxml2, python-pip, slurm, and tpm2-tss), Mageia (bind, libx11, mediawiki, openjpeg2, postgresql, and thunderbird), openSUSE (Botan, cacti, cacti-spine, chromium, djvulibre, fribidi, graphviz, java-1_8_0-openj9, kernel, libass, libxml2, lz4, and python-httplib2), and Slackware (expat).
---------------------------------------------
https://lwn.net/Articles/857132/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python-eventlet), openSUSE (grub2 and mpv), and Red Hat (kpatch-patch and rh-ruby25-ruby).
---------------------------------------------
https://lwn.net/Articles/857212/
∗∗∗ [20210503] - Core - CSRF in data download endpoints ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/854-20210503-core-csrf-in-…
∗∗∗ [20210502] - Core - CSRF in AJAX reordering endpoint ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/853-20210502-core-csrf-in-…
∗∗∗ [20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/852-20210501-core-adding-h…
∗∗∗ Pulse Secure VPNs Get Quick Fix for Critical RCE ∗∗∗
---------------------------------------------
https://threatpost.com/pulse-secure-vpns-critical-rce/166437/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ NGINX Controller vulnerability CVE-2021-23018 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K97002210
∗∗∗ NGINX Controller vulnerability CVE-2021-23021 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K36926027
∗∗∗ NGINX Controller vulnerability CVE-2021-23020 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K45263486
∗∗∗ SYSS-2021-010: Path Traversal in LANCOM R&S Unified Firewalls ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-010-path-traversal-in-lancom-rs-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 20-05-2021 18:00 − Friday 21-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Mail encryption: Thunderbird was sloppy with PGP keys ∗∗∗
---------------------------------------------
The OpenPGP implementation of the open-source mail client Thunderbird stored the secret keys in plain text.
---------------------------------------------
https://heise.de/-6051767
∗∗∗ QNAP confirms Qlocker ransomware used HBS backdoor account ∗∗∗
---------------------------------------------
QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-confirms-qlocker-ransom…
∗∗∗ Locking Kernel32.dll As Anti-Debugging Technique, (Fri, May 21st) ∗∗∗
---------------------------------------------
For bad guys, the implementation of techniques to prevent Security Analysts from performing their job is key! The idea is to make our life more difficult (read: "frustrating"). There are plenty of techniques that can be implemented but it's an ever-ongoing process.
---------------------------------------------
https://isc.sans.edu/diary/rss/27444
∗∗∗ Double-Encrypting Ransomware ∗∗∗
---------------------------------------------
This seems to be a new tactic: Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A and then re-encrypt that data with ransomware B. The other path involves what Emsisoft calls a “side-by-side encryption” attack, in which attacks encrypt some of an organization’s systems with ransomware A and others with ransomware B. In that case, data is only encrypted once, but a victim would need both decryption keys to unlock everything.
---------------------------------------------
https://www.schneier.com/blog/archives/2021/05/double-encrypting-ransomware…
∗∗∗ 21nails: Reporting on Vulnerable SMTP/Exim Servers ∗∗∗
---------------------------------------------
We have recently started to perform a full IPv4 Internet-wide scan for accessible SMTP services and will report out possible vulnerabilities that have been observed, with a current focus on Exim (in the future non-Exim vulnerabilities may be added). We scan by performing a connection to port 25, recognizing an SMTP response and collecting the banner served. These connections look just like a normal SMTP connection, there is not any attempt to exploit the port, only to collect the banner [...]
---------------------------------------------
https://www.shadowserver.org/news/21nails-reporting-on-vulnerable-smtp-exim…
∗∗∗ Project Zero: Fuzzing iOS code on macOS at native speed ∗∗∗
---------------------------------------------
This short post explains how code compiled for iOS can be run natively on Apple Silicon Macs.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/05/fuzzing-ios-code-on-macos-at…
∗∗∗ Microsoft Unveils SimuLand: Open Source Attack Techniques Simulator ∗∗∗
---------------------------------------------
Microsoft this week announced the availability of SimuLand, an open source tool that enables security researchers to reproduce attack techniques in lab environments.
---------------------------------------------
https://www.securityweek.com/microsoft-unveils-simuland-open-source-attack-…
∗∗∗ Getting a persistent shell on a 747 IFE ∗∗∗
---------------------------------------------
TL;DR The Coronavirus pandemic has hit the airline industry hard. One sad consequence was early retirement of most of the 747 passenger fleet. This does however create opportunities for aviation security research, [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/getting-a-persistent-shell-on…
∗∗∗ New YouTube Video Series: Everything you ever wanted to know about DNS and more!, (Thu, May 20th) ∗∗∗
---------------------------------------------
[...] I planned this video series a couple months ago, and figured that this would be easy. I know DNS... but each time I look at DNS, I learn something new, so it has taken a while to get the first episodes together, and today I am releasing the first one.
---------------------------------------------
https://isc.sans.edu/diary/rss/27440
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: Heap-based buffer overflow in Google Chrome could lead to code execution ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome.
---------------------------------------------
https://blog.talosintelligence.com/2021/05/vuln-spotlight-google-chrome-hea…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ceph, chromium, firefox, gitlab, hedgedoc, keycloak, libx11, mariadb, opendmarc, prosody, python-babel, python-flask-security-too, redmine, squid, and vivaldi), Debian (lz4), Fedora (ceph and python-pydantic), and openSUSE (cacti, cacti-spine).
---------------------------------------------
https://lwn.net/Articles/856902/
∗∗∗ Security Advisory - Improper Authorization Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability has been fixed in IBM Security Identity Manager Virtual Appliance (CVE-2019-17006) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerabilitiy…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by an Information disclosure vulnerability. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js affect IBM Spectrum Control ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-xstrea…
∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability which could allow access to sensitive information ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 19-05-2021 18:00 − Thursday 20-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Exchange remains the main attack target in the Microsoft cloud ∗∗∗
---------------------------------------------
Vectra AI has listed the ten most important threats in Azure AD and Office 365. Exchange apparently remains as attractive to attackers as ever.
---------------------------------------------
https://heise.de/-6050650
∗∗∗ Cisco releases security updates ∗∗∗
---------------------------------------------
Cisco has announced several updates to its security products, including the major release 7.0 of Secure Firewall Threat Defense and the integration of Snort 3.
---------------------------------------------
https://heise.de/-6049957
∗∗∗ Attacks on Android: Patch now! If there are security updates, that is ... ∗∗∗
---------------------------------------------
Attackers are currently targeting Android devices. However, patches are generally only available for current smartphones and tablets.
---------------------------------------------
https://heise.de/-6050515
∗∗∗ Fake shops: How to recognise fraudulent online shops! ∗∗∗
---------------------------------------------
The problem of fraudulent online shops - better known as fake shops - continues to grow. So that you can quickly recognise the different kinds of fake shops, the following article describes the most common forms and what to watch out for with each of them. After all, a purchase from a fake shop can cost you dearly.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-so-erkennen-sie-betrueger…
∗∗∗ Qlocker ransomware shuts down after extorting hundreds of QNAP users ∗∗∗
---------------------------------------------
The Qlocker ransomware gang has shut down their operation after earning $350,000 in a month by exploiting vulnerabilities in QNAP NAS devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qlocker-ransomware-shuts-dow…
∗∗∗ Keksec Cybergang Debuts Simps Botnet for Gaming DDoS ∗∗∗
---------------------------------------------
The newly discovered malware infects IoT devices in tandem with the prolific Gafgyt botnet, using known security vulnerabilities.
---------------------------------------------
https://threatpost.com/keksec-simps-botnet-gaming-ddos/166306/
∗∗∗ BazarCall: Call Centers Help Spread BazarLoader Malware ∗∗∗
---------------------------------------------
Call center operators offer to personally guide victims through a process designed to infect vulnerable computers with BazarLoader malware.
---------------------------------------------
https://unit42.paloaltonetworks.com/bazarloader-malware/
∗∗∗ Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware ∗∗∗
---------------------------------------------
CISA and the Federal Bureau of Investigation (FBI) have updated Joint Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Disruption from Ransomware Attacks, originally released May 11, 2021. This update provides a downloadable STIX file of indicators of compromise (IOCs) to help network defenders find and mitigate activity associated with DarkSide ransomware.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/05/19/update-cisa-fbi-j…
∗∗∗ Misconfiguration of third party cloud services exposed data of over 100 million users ∗∗∗
---------------------------------------------
After examining 23 Android applications, Check Point Research (CPR) noticed mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third party cloud services. Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors could lead to fraud, identity-theft and service swipes.
---------------------------------------------
https://blog.checkpoint.com/2021/05/20/misconfiguration-of-third-party-clou…
∗∗∗ Microsoft warns of malware campaign spreading a RAT masquerading as ransomware ∗∗∗
---------------------------------------------
The Microsoft security team has published details on Wednesday about a malware campaign that is currently spreading a remote access trojan named STRRAT that steals data from infected systems while masquerading as a ransomware attack.
---------------------------------------------
https://therecord.media/microsoft-warns-of-malware-campaign-spreading-a-rat…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-601: Ubiquiti Networks EdgeOS Improper Certificate Validation Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ubiquiti Networks EdgeOS on EdgeRouter X, EdgeRouter Pro X SFP, EdgeRouter 10X and EdgePoint 6-port routers. User interaction is required to exploit this vulnerability in that an administrator must perform a firmware update on the device.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-601/
∗∗∗ Vulnerability Spotlight: Information disclosure vulnerability in macOS SMB server ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an exploitable integer overflow vulnerability in Apple macOS’ SMB server that could lead to information disclosure.
---------------------------------------------
https://blog.talosintelligence.com/2021/05/vuln-spotlight-smb-information-d…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cacti, cacti-spine, exif, firefox, kernel, mariadb, and thunderbird), Mageia (kernel, kernel-linus, and libxml2), openSUSE (exim and jhead), Oracle (slapi-nis and xorg-x11-server), Scientific Linux (slapi-nis and xorg-x11-server), Slackware (libX11), SUSE (djvulibre, fribidi, graphviz, grub2, libass, libxml2, lz4, python-httplib2, redis, rubygem-actionpack-4_2, and xen), and Ubuntu (pillow and python-babel).
---------------------------------------------
https://lwn.net/Articles/856775/
∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/05/20/cisco-releases-se…
∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM Developer for z Systems. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Identity Manager Virtual Appliance ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability within libcurl (CVE-2020-8284) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v…
∗∗∗ Security Bulletin: A security vulnerability in Node.js netmask module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js netmask module affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability in IBM® Runtime Environment Java™ ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp…
∗∗∗ Security Bulletin: A security vulnerability in Node.js braces and netmask module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner…
∗∗∗ Security Bulletin: A security vulnerability in Node.js lodash module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Identity Manager (CVE-2021-29687, CVE-2021-29688) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2021-014
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 18-05-2021 18:00 − Wednesday 19-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ MountLocker ransomware uses Windows API to worm through networks ∗∗∗
---------------------------------------------
The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-…
∗∗∗ Transparent Tribe APT Infrastructure Mapping ∗∗∗
---------------------------------------------
Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) is the name given to a threat actor group largely targeting Indian entities and assets.
---------------------------------------------
https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure…
∗∗∗ May 2021 Forensic Contest: Answers and Analysis, (Wed, May 19th) ∗∗∗
---------------------------------------------
You can still find the pcap for our May 2021 forensic contest at this Github repository.
---------------------------------------------
https://isc.sans.edu/diary/rss/27430
∗∗∗ When Intrusions Don’t Align: A New Water Watering Hole and Oldsmar ∗∗∗
---------------------------------------------
The purpose behind this investigative anecdote on the “water watering hole” is educational and highlights how sometimes two intrusions just don’t line up together no matter how much coincidence there is.
---------------------------------------------
https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/
∗∗∗ Instagram users beware: dubious shops lure with alleged collaborations! ∗∗∗
---------------------------------------------
Dubious online shops keep appearing on Instagram. The operators of these shops use various tricks to promote their products.
---------------------------------------------
https://www.watchlist-internet.at/news/instagram-nutzerinnen-aufgepasst-uns…
∗∗∗ Crypto-mining gangs are running amok on free cloud computing platforms ∗∗∗
---------------------------------------------
Over the course of the last few months, some crypto-mining gangs have switched their modus operandi from attacking and hijacking unpatched servers to abusing the free tiers of cloud computing platforms.
---------------------------------------------
https://therecord.media/crypto-mining-gangs-are-running-amok-on-free-cloud-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Pega Infinity patches authentication vulnerability ∗∗∗
---------------------------------------------
Pega Infinity is a popular enterprise software suite; researchers found a flaw in its authentication process that abuses a password reset weakness.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/pega-inf…
∗∗∗ Over 600,000 Sites Impacted by WP Statistics Patch ∗∗∗
---------------------------------------------
On March 13, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a vulnerability in WP Statistics, a plugin installed on over 600,000 WordPress sites.
---------------------------------------------
https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-sta…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cacti, cacti-spine, exif, and hivex), Red Hat (bash, bind, bluez, brotli, container-tools:rhel8, cpio, curl, dotnet3.1, dotnet5.0, dovecot, evolution, exiv2, freerdp, ghostscript, glibc, GNOME, go-toolset:rhel8, grafana, gssdp and gupnp, httpd:2.4, idm:DL1, idm:DL1 and idm:client, ipa, kernel, kernel-rt, krb5, libdb, libvncserver, libxml2, linux-firmware, mailman:2.1, mingw packages, NetworkManager and libnma, opensc, p11-kit, pandoc, perl, [...]
---------------------------------------------
https://lwn.net/Articles/856649/
∗∗∗ Researchers Find Exploitable Bugs in Mercedes-Benz Cars ∗∗∗
---------------------------------------------
Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution.
---------------------------------------------
https://www.securityweek.com/researchers-find-exploitable-bugs-mercedes-ben…
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-…
∗∗∗ Security Advisory - Resource Management Error Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-…
∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-…
∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Huawei CloudEngine Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-…
∗∗∗ Security Bulletin: Client-side HTTP Parameter Pollution in WAS Intelligent Management Admin console ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-client-side-http-paramete…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jackson-Databind Affect IBM Sterling B2B Integrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Access Control Security Vulnerability Exists in Dashboard User Interface of IBM Sterling B2B Integrator (CVE-2020-4646) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-access-control-security-v…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
∗∗∗ Security Bulletin: A vulnerability in Java affects IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a…
∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Affect IBM Sterling B2B Integrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Vulnerabilities in IBM SDK, Java Technology Edition Quarterly. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablities-in-ibm-sdk…
∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM Developer for z Systems. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Gdk-pixbuf vulnerability CVE-2017-2862 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K36984830
∗∗∗ Linux kernel vulnerability CVE-2019-20811 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52525232
∗∗∗ BIND vulnerability CVE-2021-25215 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K96223611
∗∗∗ BIND vulnerability CVE-2021-25214 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11426315
∗∗∗ BOSCH-SA-350374: Vulnerability in the routing protocol of the PLC runtime ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-350374.html
=====================
= End-of-Day report =
=====================
Timeframe: Monday 17-05-2021 18:00 − Tuesday 18-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security update still pending: root vulnerability in Pulse Connect Secure ∗∗∗
---------------------------------------------
Attackers could target Pulse Connect Secure VPN appliances. So far, only a workaround is available to secure them.
---------------------------------------------
https://heise.de/-6048342
∗∗∗ Companies receive forged letter from the "WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe" ∗∗∗
---------------------------------------------
Numerous business owners are currently receiving a letter from the "WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe", supposedly a public authority that manages company data. The letter asks you to check your data and, where necessary, correct and complete it. Do not do this under any circumstances: it is fraud. You are being lured into a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/unternehmen-erhalten-gefaelschtes-sc…
∗∗∗ Ransomware victim shows why transparency in attacks matters ∗∗∗
---------------------------------------------
As devastating ransomware attacks continue to have far-reaching consequences, companies still try to hide the attacks rather than be transparent. Below we highlight a company's response to an attack that should be used as a model for all future disclosures.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-victim-shows-why-…
∗∗∗ Codecov hackers gained access to Monday.com source code ∗∗∗
---------------------------------------------
Monday.com has recently disclosed the impact of the Codecov supply-chain attack that affected multiple companies. As reported by BleepingComputer last month, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/codecov-hackers-gained-acces…
∗∗∗ DarkSide Hits Toshiba; XSS Forum Bans Ransomware ∗∗∗
---------------------------------------------
The criminal forum washed its hands of ransomware after DarkSide's pipeline attack & alleged shutdown: a "loss of servers" that didn't stop another attack.
---------------------------------------------
https://threatpost.com/darkside-toshiba-xss-bans-ransomware/166210/
∗∗∗ From RunDLL32 to JavaScript then PowerShell, (Tue, May 18th) ∗∗∗
---------------------------------------------
I spotted an interesting script on VT a few days ago and it deserves a quick diary because it uses a nice way to execute JavaScript on the targeted system. The technique used in this case is based on very common LOLbin: RunDLL32.exe. The goal of the tool is, as the name says, to load a DLL and execute one of its exported function: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27428
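Detection logic for the RunDLL32 technique described above, added here as an example; it is not code from the ISC diary. It assumes the script uses the well-known `javascript:` protocol-handler trick (`rundll32 javascript:"\..\mshtml,RunHTMLApplication "...`), which is the classic way rundll32 ends up running script; the process-creation events are constructed, Sysmon-style records, not the diary's sample. A third rule flags rundll32 loading a DLL from a user-writable path, since the same LOLbin is also used to run dropped DLLs.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 shape). Not from the diary.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\rundll32.exe",                       # benign: Control Panel applet
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe",                       # script via javascript: handler
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'
                    r'new%20ActiveXObject("WScript.Shell").Run("powershell -nop -w hidden -enc AAAA")'},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",                       # same trick, odd casing, 32-bit
     "CommandLine": r'RUNDLL32.EXE JAVASCRIPT:"\..\mshtml.dll,RunHTMLApplication ";alert(1)'},
    {"Image": r"C:\Windows\System32\rundll32.exe",                       # dropped DLL from a public dir
     "CommandLine": r"rundll32.exe C:\Users\Public\payload.dll,Start"},
    {"Image": r"C:\Windows\System32\notepad.exe",                        # not rundll32 at all
     "CommandLine": r"notepad.exe javascript.txt"},
]

RUNDLL32_IMAGE = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)
# 'javascript:' as a protocol handler; the lookbehind avoids matching inside e.g. 'myjavascript:'.
JS_PROTOCOL = re.compile(r"(?<![A-Za-z])javascript:", re.IGNORECASE)
# mshtml export used to bootstrap script; tolerate optional .dll and whitespace around the comma.
MSHTML_RUNHTA = re.compile(r"mshtml(\.dll)?\s*,\s*RunHTMLApplication", re.IGNORECASE)
# DLL argument living in a location an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\Public|Users\\[^\\]+\\(AppData|Downloads)|Windows\\Temp|Temp)\\", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips; empty list means nothing suspicious."""
    findings: List[str] = []
    if not RUNDLL32_IMAGE.search(event.get("Image", "")):
        return findings                       # rules below only make sense for rundll32 itself
    cmd = event.get("CommandLine", "")
    if JS_PROTOCOL.search(cmd):
        findings.append("rundll32_javascript_protocol")
    if MSHTML_RUNHTA.search(cmd):
        findings.append("rundll32_mshtml_runhtmlapplication")
    if USER_WRITABLE.search(cmd):
        findings.append("rundll32_dll_from_user_writable_path")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch and keep only the events that produced findings."""
    hits = []
    for index, event in enumerate(events):
        rules = classify(event)
        if rules:
            hits.append({"index": index, "image": event.get("Image", ""), "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["index"], hit["image"], ", ".join(hit["rules"]))
```

The two script rules are deliberately independent: an attacker can reach `RunHTMLApplication` without the literal `javascript:` prefix only with difficulty, but matching both separately keeps a hit if one half is obfuscated.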
∗∗∗ Exploitation of Sharepoint 2016: Simple Things Matter – Case Study ∗∗∗
---------------------------------------------
This story started during one of my recent assessments when I was assigned for a test of an on-premise internal Sharepoint 2016 site. Initial enumeration showed that the target runs Sharepoint version 16.0.0.4681. I assumed this based on the response header MicrosoftSharePointTeamServices returned by the application (and you can estimate that version was released somewhere in April 2018). At that point, I started looking for publicly known exploits and research papers.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploitatio…
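The fingerprinting step the case study starts from, as an added example (not the SpiderLabs author's code): read the `MicrosoftSharePointTeamServices` response header and turn it into a comparable build tuple. The HTTP responses are constructed; the build 16.0.0.4681 is the one the article reports. The baseline build passed to `assess()` is a placeholder the defender would replace with the build of their last applied cumulative update. The 2016/2019 split on build 16.0.10000 is general knowledge about SharePoint build numbering, not something the article states.

```python
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, ...]

# Constructed raw response header blocks. The first leaks the build from the case study,
# the second is a server that has been configured not to expose the header at all.
RESPONSE_SP2016 = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "MicrosoftSharePointTeamServices: 16.0.0.4681\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)
RESPONSE_HARDENED = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n"

HEADER_RE = re.compile(
    r"^MicrosoftSharePointTeamServices:\s*([0-9]+(?:\.[0-9]+)*)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Major build component -> product generation. 16.0 is shared by SharePoint 2016 and 2019
# (2019 builds start at 16.0.10000), so the full build, not the major alone, tells them apart.
GENERATION = {14: "SharePoint 2010", 15: "SharePoint 2013", 16: "SharePoint 2016/2019"}


def parse_build(raw_headers: str) -> Optional[Build]:
    """Extract the build as an int tuple so it compares numerically (4681 < 10000, unlike strings)."""
    match = HEADER_RE.search(raw_headers)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def describe(build: Build) -> str:
    """Map a build tuple to a product generation name."""
    major = build[0]
    if major == 16 and len(build) >= 4:
        return "SharePoint 2019" if build[3] >= 10000 else "SharePoint 2016"
    return GENERATION.get(major, f"unknown major {major}")


def assess(raw_headers: str, baseline: Build) -> Dict[str, object]:
    """Report whether the server leaks its build and whether that build is below the caller's baseline.

    `baseline` is whatever build the defender expects after the latest CU; this example
    does not encode any real patch level."""
    build = parse_build(raw_headers)
    if build is None:
        return {"leaks_version": False, "build": None, "generation": None, "below_baseline": False}
    return {
        "leaks_version": True,
        "build": ".".join(str(p) for p in build),
        "generation": describe(build),
        "below_baseline": build < baseline,
    }


if __name__ == "__main__":
    placeholder_baseline: Build = (16, 0, 0, 4690)   # hypothetical, not a real patch level
    print(assess(RESPONSE_SP2016, placeholder_baseline))
    print(assess(RESPONSE_HARDENED, placeholder_baseline))
```

For the defender, `leaks_version: True` is itself the finding: the header hands an unauthenticated client the exact build to search for, which is the first thing the case study does.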
∗∗∗ Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic ∗∗∗
---------------------------------------------
During a recent operation, the Red Team got local admin privileges on a workstation where an EDR solution was identified. In this scenario, the next step to proceed with the engagement was to infect and persist on the compromised system, towards securing remote access.
---------------------------------------------
https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-…
∗∗∗ Scammers Impersonating Windows Defender to Push Malicious Windows Apps ∗∗∗
---------------------------------------------
Summary points: scammers are increasingly using Windows push notifications to impersonate legitimate alerts; recent campaigns pose as a Windows Defender update; victims end up allowing the installation of a malicious Windows application that targets user and system information; browser push notifications can closely resemble Windows system notifications. As recently discussed, scammers are abusing push notifications [...]
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-impersonating…
∗∗∗ CVE-2021-31166: A Wormable Code Execution Bug in HTTP.sys ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Kc Udonsi and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in the Microsoft Internet Information Services (IIS) for Windows. The bug was originally discovered by the Microsoft Platform Security & Vulnerability Research team. The following is a portion of their write-up covering CVE-2021-31166, with a few minimal modifications.
---------------------------------------------
https://www.thezdi.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execut…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-594: (0Day) Microsoft Windows JET Database Engine Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-594/
∗∗∗ About the security content of Boot Camp 6.1.14 ∗∗∗
---------------------------------------------
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved state management.
---------------------------------------------
https://support.apple.com/en-us/HT212517
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, curl, prosody, and ruby-rack-cors), Fedora (dotnet3.1 and dotnet5.0), openSUSE (ibsim and prosody), SUSE (kernel and python3), and Ubuntu (caribou and djvulibre).
---------------------------------------------
https://lwn.net/Articles/856496/
∗∗∗ Emerson Rosemount X-STREAM ∗∗∗
---------------------------------------------
This advisory contains mitigations for Inadequate Encryption Strength, Unrestricted Upload of File with Dangerous Type, Path Traversal, Use of Persistent Cookies Containing Sensitive Information, Cross-site Scripting, and Improper Restriction of Rendered UI Layers or Frames vulnerabilities for the Rosemount X-STREAM Gas Analyzer.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-138-01
∗∗∗ D-LINK Router: vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0536
∗∗∗ Dell integrated Dell Remote Access Controller: vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0533
∗∗∗ KLCERT-20-021: Moxa NPort IA5000A Series. Cleartext Transmission of Sensitive Information via Moxa Service ∗∗∗
---------------------------------------------
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce…
∗∗∗ KLCERT-20-020: Moxa NPort IA5000A Series. Using the Telnet service ∗∗∗
---------------------------------------------
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce…
∗∗∗ KLCERT-20-019: Moxa NPort IA5000A Series. Passwords stored in plaintext ∗∗∗
---------------------------------------------
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce…
∗∗∗ KLCERT-20-018: Moxa NPort IA5000A Series. Broken access control ∗∗∗
---------------------------------------------
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java affect IBM Developer for z Systems. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-in-ibm-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics for NPS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3449, CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-a…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 14-05-2021 18:00 − Monday 17-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Exploit released for wormable Windows HTTP vulnerability ∗∗∗
---------------------------------------------
Proof-of-concept exploit code has been released over the weekend for a critical wormable vulnerability in the latest Windows 10 and Windows Server versions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-wormabl…
∗∗∗ Bizarro banking Trojan expands its attacks to Europe ∗∗∗
---------------------------------------------
Bizarro is yet another banking Trojan family originating from Brazil that steals credentials from customers of 70 banks from different European and South American countries.
---------------------------------------------
https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe…
∗∗∗ Ransomware Defenses, (Mon, May 17th) ∗∗∗
---------------------------------------------
Ransomware attacks continue to be in the headlines everywhere, and are also an almost weekly reoccurring subject in the SANS Newsbites. As useful as many of the reports are that security firms and researchers publish on the subject, they often focus heavily on one particular incident or type of ransomware, and the associated "indicators of compromise" (IOCs). We already covered before how IOCs can turn into IOOI's (Indicators of Outdated Intelligence), and how to try to [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/27420
∗∗∗ AHK RAT Loader Used in Unique Delivery Campaigns ∗∗∗
---------------------------------------------
The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that started in February of this year. This campaign is unique in that it heavily uses the AutoHotKey scripting language - a fork of the AutoIt language that is frequently used for testing purposes.
---------------------------------------------
https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-camp…
∗∗∗ Take action now - FluBot malware may be on its way ∗∗∗
---------------------------------------------
Why FluBot is a major threat for Android users, how to avoid falling victim, and how to get rid of the malware if your device has already been compromised
---------------------------------------------
https://www.welivesecurity.com/2021/05/17/take-action-now-flubot-malware-ma…
∗∗∗ Two attacks disclosed against AMD’s SEV virtual machine protection system ∗∗∗
---------------------------------------------
Chipmaker AMD has issued guidance this week for two attacks against its SEV (Secure Encrypted Virtualization) technology that protects virtual machines from rogue operating systems. The two attacks, documented in two academic papers, can allow a threat actor to inject malicious code inside SEV-encrypted virtual machines, giving them full control over the VMs' operating systems.
---------------------------------------------
https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-mach…
=====================
= Vulnerabilities =
=====================
∗∗∗ Beckhoff Security Advisory 2021-002: Stack Overflow and XXE vulnerability in various OPC UA products ∗∗∗
---------------------------------------------
The affected products can act as OPC UA client or server and are vulnerable to two different kind of attacks via the OPC UA protocol.
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories…
∗∗∗ SSA-695540: ASM and PAR File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.2 ∗∗∗
---------------------------------------------
Siemens has released version V13.1.0.2 for JT2Go and Teamcenter Visualization to fix multiple vulnerabilities that could be triggered when the products read files in ASM and PAR file formats.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-695540.txt
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libimage-exiftool-perl and postgresql-9.6), Fedora (chromium, exiv2, firefox, kernel, kernel-headers, kernel-tools, mariadb, and python-impacket), Mageia (avahi), openSUSE (chromium, drbd-utils, dtc, ipvsadm, jhead, nagios, netdata, openvpn, opera, prosody, and virtualbox), Slackware (libxml2), SUSE (kernel and lz4), and Ubuntu (intel-microcode, python-eventlet, and rust-pleaser).
---------------------------------------------
https://lwn.net/Articles/856437/
∗∗∗ Security Bulletin: Multiple Apache Tomcat Vulnerabilities Affect IBM Control Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-tomcat-vu…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: Guava Google Core Libraries Vulnerability Affects IBM Control Center (CVE-2020-8908) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-guava-google-core-librari…
∗∗∗ Security Bulletin: IBM InfoSphere DataStage is affected by an Information disclosure vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-dataformat ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: Apache Ant Vulnerabilities Affect IBM Control Center (CVE-2020-1945, CVE-2020-11979) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-ant-vulnerabilitie…
∗∗∗ Security Bulletin: Multiple CKEditor Vulnerabilities Affect IBM Control Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ckeditor-vulnera…
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – Python (CVE-2020-15801) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: H2 Database Vulnerabilities Affect IBM Control Center (CVE-2018-10054, CVE-2018-14335) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-h2-database-vulnerabiliti…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 12-05-2021 18:00 − Friday 14-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch now! Critical vulnerability threatens WordPress 3.7 to 5.7 ∗∗∗
---------------------------------------------
Many WordPress websites are vulnerable. Security updates are available.
---------------------------------------------
https://heise.de/-6045823
∗∗∗ DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized ∗∗∗
---------------------------------------------
The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained funds from an account the group uses to pay affiliates.
---------------------------------------------
https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-se…
∗∗∗ Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity ∗∗∗
---------------------------------------------
This skimmer is using a hybrid approach to bypass detection and target vulnerable e-commerce websites.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-s…
∗∗∗ "This is the final warning!": Extortionists demand Bitcoins ∗∗∗
---------------------------------------------
Criminals are currently sending out extortion emails en masse. The emails claim that the recipient's system has been hacked and that there is a video showing the affected person watching a porn film and masturbating. The criminals threaten to publish this video unless the recipient pays 1,200$. Do not give in to the demands: the emails are sent indiscriminately to large numbers of people.
---------------------------------------------
https://www.watchlist-internet.at/news/hier-ist-die-letzte-warnung-erpresse…
∗∗∗ CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise ∗∗∗
---------------------------------------------
CISA has released an analysis report, AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise. The report provides detailed steps for affected organizations to evict the adversary from compromised on-premises and cloud environments. Additionally, CISA has publicly issued Emergency Directive (ED) 21-01 Supplemental Direction Version 4: Mitigate SolarWinds Orion Code Compromise to all federal agencies that [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/05/14/cisa-publishes-ev…
∗∗∗ Microsoft: Windows 10 1809 and 1909 have reached end of service ∗∗∗
---------------------------------------------
Multiple editions of Windows 10 versions 1803, 1809, and 1909 have reached their End of Service (EOS) on this month's Patch Tuesday, as Microsoft reminded customers yesterday.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-1809-a…
∗∗∗ Meet Lorenz - A new ransomware gang targeting the enterprise ∗∗∗
---------------------------------------------
A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware…
∗∗∗ Attackers abuse Microsoft dev tool to deploy Windows malware ∗∗∗
---------------------------------------------
Threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools and information-stealing malware filelessly as part of an ongoing campaign.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/attackers-abuse-microsoft-de…
∗∗∗ QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day ∗∗∗
---------------------------------------------
QNAP warns customers of an actively exploited Roon Server zero-day bug and eCh0raix ransomware attacks targeting their Network Attached Storage (NAS) devices, just two weeks after alerting them of an ongoing AgeLocker ransomware outbreak.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ranso…
∗∗∗ Fresh Loader Targets Aviation Victims with Spy RATs ∗∗∗
---------------------------------------------
The campaign is harvesting screenshots, keystrokes, credentials, webcam feeds, browser and clipboard data and more, with RevengeRAT or AsyncRAT payloads.
---------------------------------------------
https://threatpost.com/loader-aviation-spy-rats/166133/
∗∗∗ "Open" Access to Industrial Systems Interface is Also Far From Zero, (Fri, May 14th) ∗∗∗
---------------------------------------------
Jan's last diary about the recent attack against the US pipeline[1] was in perfect timing with the quick research I had been preparing for a few weeks. If core components of industrial systems are less exposed in the wild, as Jan said, there is another issue with such infrastructures: remote access tools.
---------------------------------------------
https://isc.sans.edu/diary/rss/27418
∗∗∗ Server Side Scans and File Integrity Monitoring ∗∗∗
---------------------------------------------
When it comes to the ABCs of website security server side scans and file integrity monitoring are the “A” and “B”. In fact, our server side scanner is one of the most crucial tools in Sucuri’s arsenal. It’s paramount in maintaining an effective security product for our customers and analysts alike. This crucial tool handles tasks like issuing security warnings and alerts to our clients, notifying them that they have been compromised, and assisting our [...]
---------------------------------------------
https://blog.sucuri.net/2021/05/server-side-scans-and-file-integrity-monito…
=====================
= Vulnerabilities =
=====================
∗∗∗ SA44800 - 2021-05: Out-of-Cycle Advisory: Pulse Connect Secure Buffer Overflow Vulnerability ∗∗∗
---------------------------------------------
A vulnerability was discovered in Pulse Connect Secure (PCS). This includes a buffer overflow vulnerability on the Pulse Connect Secure gateway that allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user.
---------------------------------------------
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800
∗∗∗ Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Hosted Collaboration Mediation Fulfillment Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Java Management Extensions (JMX) component of Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an unsecured TCP/IP port. An attacker could exploit this vulnerability by accessing the port and restarting the JMX process. A successful exploit could allow the attacker to cause a DoS condition on an affected system.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Critical Vulnerability Patched in External Media Plugin ∗∗∗
---------------------------------------------
On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/05/critical-vulnerability-patched-in-ex…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (graphviz and redmine), Fedora (dom4j, kernel, kernel-headers, kernel-tools, mariadb, php, php-phpmailer6, and redis), openSUSE (kernel and nagios), and Ubuntu (mysql-5.7, mysql-8.0 and python-django).
---------------------------------------------
https://lwn.net/Articles/856177/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jetty9, libgetdata, and postgresql-11), openSUSE (java-11-openjdk), SUSE (dtc, ibsim, ibutils, ipvsadm, and kernel), and Ubuntu (awstats and glibc).
---------------------------------------------
https://lwn.net/Articles/856265/
∗∗∗ Rockwell Automation Connected Components Workbench ∗∗∗
---------------------------------------------
This advisory contains mitigations for Deserialization of Untrusted Data, Path Traversal, and Improper Input Validation vulnerabilities in Rockwell Automation Connected Components Workbench software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-133-01
∗∗∗ Johnson Controls Sensormatic Tyco AI ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Off-by-one Error vulnerability in Sensormatic Electronics (a subsidiary of Johnson Controls) Tyco AI products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-133-02
∗∗∗ OPC Foundation UA Products Built with .NET Framework ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Uncontrolled Recursion vulnerability in OPC Foundation servers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-133-03
∗∗∗ OPC UA Products Built with the .NET Framework 4.5, 4.0, and 3.5 ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Unified Automation .NET based OPC UA Client/Server SDK Bundle Framework versions.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04
∗∗∗ mod_auth_openidc vulnerable to denial-of-service (DoS) ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN49704918/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ PostgreSQL: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0521
∗∗∗ Drupal: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0528
∗∗∗ ILIAS: Vulnerability allows code execution ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0526
∗∗∗ git: Vulnerability allows code execution ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0524
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 11-05-2021 18:00 − Wednesday 12-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Number of industrial control systems on the internet is lower than in 2020...but still far from zero, (Wed, May 12th) ∗∗∗
---------------------------------------------
With the recent ransomware attack that impacted operation of one of the major US pipelines, I thought it might be a good time to revisit the old topic of internet-connected industrial systems.
---------------------------------------------
https://isc.sans.edu/diary/rss/27412
∗∗∗ Nearly All Wi-Fi Devices Are Vulnerable to New FragAttacks ∗∗∗
---------------------------------------------
Three design and multiple implementation flaws have been disclosed in IEEE 802.11 technical standard that undergirds Wi-Fi, potentially enabling an adversary to take control over a system and plunder confidential data.
---------------------------------------------
https://thehackernews.com/2021/05/nearly-all-wifi-devices-are-vulnerable.ht…
∗∗∗ Shining a Light on DARKSIDE Ransomware Operations ∗∗∗
---------------------------------------------
Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-dar…
∗∗∗ CV creation on cvmaker.de leads to a subscription contract! ∗∗∗
---------------------------------------------
Are you looking for a job and want to create a professional CV? Your search might lead you to the site cvmaker.de. There you can create the CV you need quickly and easily, for just 2.95 euros. But beware: seven days after you pay, you are automatically signed up for a subscription.
---------------------------------------------
https://www.watchlist-internet.at/news/lebenslauf-erstellung-auf-cvmakerde-…
∗∗∗ "Your delivery is in our customs centre": Beware of fraudulent SMS! ∗∗∗
---------------------------------------------
Numerous Watchlist Internet readers are currently reporting a fraudulent SMS that is meant to lure recipients into a subscription trap. It claims that a delivery is being held at the customs centre and that import fees must be paid.
---------------------------------------------
https://www.watchlist-internet.at/news/ihre-lieferung-befindet-sich-in-unse…
∗∗∗ Conti Ransomware ∗∗∗
---------------------------------------------
First seen in May 2020, Conti ransomware has quickly become one of the most common ransomware variants, according to Coveware.
---------------------------------------------
https://thedfirreport.com/2021/05/12/conti-ransomware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Send My: Arbitrary data transmission via Apple's Find My network ∗∗∗
---------------------------------------------
It's possible to upload arbitrary data from non-internet-connected devices by sending Find My BLE broadcasts to nearby Apple devices that then upload the data for you.
---------------------------------------------
https://positive.security/blog/send-my
∗∗∗ Microsoft Patch Tuesday: Windows trojan could spread between PCs like a worm ∗∗∗
---------------------------------------------
There are important security updates for Windows & Co. Several vulnerabilities are already publicly known. There appear to be no attacks yet.
---------------------------------------------
https://heise.de/-6044412
∗∗∗ Adobe Patch Tuesday: Attacks on Adobe Acrobat and Reader ∗∗∗
---------------------------------------------
Adobe has released security updates for various applications. Users of Acrobat and Reader in particular should install the patches promptly.
---------------------------------------------
https://heise.de/-6044528
∗∗∗ SAP Patch Tuesday: Attackers could leak data from SAP software ∗∗∗
---------------------------------------------
SAP has released security updates for, among others, Business One and NetWeaver AS ABAP.
---------------------------------------------
https://heise.de/-6044570
∗∗∗ Wi-Fi vulnerabilities FragAttacks: First updates ∗∗∗
---------------------------------------------
For Windows, Linux, routers and Wi-Fi adapters there are already patches, or at least advice on protecting against the "FragAttacks" Wi-Fi vulnerabilities.
---------------------------------------------
https://heise.de/-6045116
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (composer, hivex, lz4, and rails), Fedora (chromium, community-mysql, djvulibre, dom4j, firefox, php, php-phpmailer6, python-django, and redis), Mageia (mariadb, nagios, and pngcheck), openSUSE (opera, syncthing, and vlc), SUSE (kernel, openvpn, openvpn-openssl1, shim, and xen), and Ubuntu (flatpak, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4,[...]
---------------------------------------------
https://lwn.net/Articles/856086/
∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Financial Transaction Manager for RedHat OpenShift (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher…
∗∗∗ Security Bulletin: A security vulnerability in Node.js glob-parent module affects IBM Cloud Automation Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js Lodash module affects IBM Cloud Automation Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Security vulnerabilities in Ansible affect IBM Cloud Pak for Multicloud Management Hybrid GRC ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ May 10, 2021 TNS-2021-09 [R1] Nessus Network Monitor 5.13.1 Fixes Multiple Third-party Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2021-09
∗∗∗ Synology-SA-21:20 FragAttacks ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_20
∗∗∗ BlackBerry Workspaces Server: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0503
∗∗∗ Red Hat OpenShift: Multiple vulnerabilities allow bypassing of security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0510
∗∗∗ BlackBerry UEM Management Console: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0517
∗∗∗ Atlassian Jira Software: Vulnerability allows information disclosure ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0515
∗∗∗ Omron CX-One ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-131-01
∗∗∗ Mitsubishi Electric GOT and Tension Controller ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-131-02
∗∗∗ Siemens Mendix Database Replication Module ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-131-05
∗∗∗ Siemens Tecnomatix Plant Simulation ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-131-08
∗∗∗ SA44790 - HTTP Request Smuggling vulnerability with Virtual Traffic Manager (vTM) ∗∗∗
---------------------------------------------
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44790
=====================
= End-of-Day report =
=====================
Timeframe: Monday 10-05-2021 18:00 − Tuesday 11-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ BSI updates the minimum standard for the use of Transport Layer Security (TLS) ∗∗∗
---------------------------------------------
The new version 2.2 of the minimum standard takes into account the current recommendations of the BSI technical guidelines (TR 02102-2, TR 03116-4) and addresses how to handle TLS protocol versions and cryptographic methods that do not meet the requirements of the minimum standard.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ Fake bank99 email in circulation ∗∗∗
---------------------------------------------
Your bank99 account has supposedly been blocked because you did not confirm your identity? Beware, this customer notice is fake. Criminals are forging bank99 emails to obtain your login credentials. Do not click on the "Vorgang starten" (start process) link under any circumstances. You will be redirected to a counterfeit login website.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-e-mail-der-bank99-im-um…
∗∗∗ US and Australia warn of escalating Avaddon ransomware attacks ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/us-and-australia-warn-of-esc…
∗∗∗ TeaBot: a new Android malware emerged in Italy, targets banks in Europe ∗∗∗
---------------------------------------------
[...] At the beginning of January 2021, a new Android banker started appearing and it was discovered and analysed by our Threat Intelligence and Incident Response (TIR) team. Given the lack of information and the absence of a proper nomenclature for this Android banker family, we decided to dub it TeaBot to better track this family inside our internal Threat Intelligence taxonomy.
---------------------------------------------
https://www.cleafy.com/documents/teabot
∗∗∗ Beware of Applications Misusing Root Stores ∗∗∗
---------------------------------------------
We have been alerted about applications that use the root store provided by Mozilla for purposes other than what Mozilla’s root store is curated for. [...] Applications that use Mozilla’s root store for a purpose other than that have a critical security vulnerability.
---------------------------------------------
https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusin…
∗∗∗ DarkSide Malware Profile ∗∗∗
---------------------------------------------
The following report provides X-Force Threat Intelligence's analysis of the DarkSide ransomware family based on publicly available samples. Summary: DarkSide, like other ransomware used in targeted attacks, encrypts user data on compromised computers. Recent variants of DarkSide ransomware enumerate various system properties of the victim and beacon them in an encoded POST request to its C2 address. DarkSide also executes an encoded PowerShell command to delete volume shadow copies. It deletes [...]
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/06d0917405c36ca91f5db1fe0c0…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (hivex), Fedora (djvulibre and thunderbird), openSUSE (monitoring-plugins-smart and perl-Image-ExifTool), Oracle (kernel and kernel-container), Red Hat (kernel and kpatch-patch), SUSE (drbd-utils, java-11-openjdk, and python3), and Ubuntu (exiv2, firefox, libxstream-java, and pyyaml).
---------------------------------------------
https://lwn.net/Articles/855995/
∗∗∗ Synology-SA-21:19 SRM ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_19
∗∗∗ Citrix Workspace App Security Update ∗∗∗
---------------------------------------------
A vulnerability has been identified that could result in a local user escalating their privilege level to SYSTEM on the computer running Citrix Workspace app for Windows.
---------------------------------------------
https://support.citrix.com/article/CTX307794
∗∗∗ Google Releases Security Updates for Chrome ∗∗∗
---------------------------------------------
Google has released Chrome version 90.0.4430.212 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/google-releases-s…
∗∗∗ Reflected XSS Vulnerability in SIS Informatik - Rewe Go ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-sis-infrom…
∗∗∗ SAP Patch Day May ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0496
∗∗∗ 2020-10 Password Change Authentication Bypass Vulnerability in HiOS & HiSecOS ∗∗∗
---------------------------------------------
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=12914&mediaformat…
∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed an information disclosure vulnerability (CVE-2020-4536) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed a cross-site scripting vulnerability (CVE-2020-4535) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ SSA-854248: Information Disclosure Vulnerability in Mendix Excel Importer Module ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-854248.txt
∗∗∗ SSA-752103: Telnet Authentication Vulnerability in SINAMICS Medium Voltage Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-752103.txt
∗∗∗ SSA-723417: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-723417.txt
∗∗∗ SSA-678983: Vulnerabilities in Industrial PCs and CNC devices using Intel CPUs (November 2020) ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-678983.txt
∗∗∗ SSA-676775: Denial-of-Service Vulnerability in SIMATIC NET CP 343-1 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-676775.txt
∗∗∗ SSA-594364: Denial-of-Service Vulnerability in SNMP Implementation of WinCC Runtime ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-594364.txt
∗∗∗ SSA-501073: Vulnerabilities in Controllers CPU 1518 MFP using Intel CPUs (November 2020) ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-501073.txt
∗∗∗ SSA-324955: SAD DNS Attack in Linux Based Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-324955.txt
∗∗∗ SSA-286838: Multiple Vulnerabilities in SINAMICS Medium Voltage Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-286838.txt
∗∗∗ SSA-116379: Denial-of-Service Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-116379.txt
=====================
= End-of-Day report =
=====================
Timeframe: Friday 07-05-2021 18:00 − Monday 10-05-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Correctly Validating IP Addresses: Why encoding matters for input validation., (Mon, May 10th) ∗∗∗
---------------------------------------------
Recently, a number of libraries suffered from a very similar security flaw: IP addresses expressed in octal were not correctly interpreted. The result was that an attacker was able to bypass input validation rules that restricted IP addresses to specific subnets.
---------------------------------------------
https://isc.sans.edu/diary/rss/27404
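The class of bug the diary describes, as an added example that is not the diary's code: three constructed parsers read the same string "0177.0.0.1" differently, so a validator that drops leading zeros (decimal 177) lets through an address the socket layer later resolves as 127.0.0.1. The deny-list network and all function names are assumptions made for this illustration; the strict parser shows the defensive fix of accepting only the canonical dotted-quad form.

```python
import ipaddress
import re
from typing import Callable, Optional

# Constructed parsers, not code from the ISC diary. They model three ways a
# dotted-quad string can be read so the disagreement behind the bypass is visible.

_HEX_OR_DEC = re.compile(r"0[xX][0-9a-fA-F]*|[0-9]+")


def _lenient_part(part: str) -> int:
    """Read one dotted part the way the classic inet_aton() does."""
    if not _HEX_OR_DEC.fullmatch(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)          # hex part; raises on empty digits
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)               # leading zero selects octal
    return int(part, 10)


def lenient_inet_aton(text: str) -> Optional[int]:
    """Model of inet_aton(): 1 to 4 parts, octal/hex accepted, the last part
    fills whatever bytes remain. Returns the 32-bit address or None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_lenient_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    if any(not 0 <= v <= 255 for v in head):
        return None
    last_bits = 8 * (5 - len(parts))
    if not 0 <= last < (1 << last_bits):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    return (addr << last_bits) | last


def naive_decimal_parse(text: str) -> Optional[int]:
    """The flawed reading behind the bug: leading zeros are silently dropped,
    so "0177" is taken as decimal 177 instead of octal 0177 (127)."""
    parts = text.split(".")
    if len(parts) != 4 or not all(re.fullmatch(r"[0-9]+", p) for p in parts):
        return None
    values = [int(p, 10) for p in parts]
    if any(v > 255 for v in values):
        return None
    return int.from_bytes(bytes(values), "big")


def strict_parse(text: str) -> Optional[int]:
    """Canonical form only: exactly four decimal parts, 0-255, no leading
    zeros, no hex, no shorthand. Anything else is rejected outright."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    values = []
    for p in parts:
        if not re.fullmatch(r"0|[1-9][0-9]{0,2}", p):
            return None
        v = int(p, 10)
        if v > 255:
            return None
        values.append(v)
    return int.from_bytes(bytes(values), "big")


BLOCKED = ipaddress.ip_network("127.0.0.0/8")  # constructed deny-list for the demo


def allowed_by(parser: Callable[[str], Optional[int]], text: str) -> bool:
    """True if the parser accepts the text and reads it as outside BLOCKED."""
    addr = parser(text)
    return addr is not None and ipaddress.IPv4Address(addr) not in BLOCKED


if __name__ == "__main__":
    for sample in ["127.0.0.1", "0177.0.0.1", "0x7f.0.0.1", "127.1"]:
        verdicts = {
            name: allowed_by(fn, sample)
            for name, fn in [("naive", naive_decimal_parse),
                             ("inet_aton", lenient_inet_aton),
                             ("strict", strict_parse)]
        }
        print(f"{sample:>12}: {verdicts}")
```

The naive validator passes "0177.0.0.1" while the inet_aton model resolves the same string to the blocked 127.0.0.1; the strict parser closes the gap by refusing every non-canonical spelling before any range check runs.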
∗∗∗ Manipulated development environment: Xcode malware was enormously widespread ∗∗∗
---------------------------------------------
In the Epic v. Apple proceedings it emerged that in 2015 almost 130 million iPhone users were affected by "XcodeGhost", in over 2,500 apps.
---------------------------------------------
https://heise.de/-6041836
∗∗∗ Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs ∗∗∗
---------------------------------------------
Lemon Duck continues to refine and improve upon their tactics, techniques and procedures as they attempt to maximize the effectiveness of their campaigns. Lemon Duck remains relevant as the operators begin to target [...]
---------------------------------------------
https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html
∗∗∗ Banking trojan Ousaban analysed ∗∗∗
---------------------------------------------
In our series on Latin American banking trojans we look at a representative with a complex distribution chain.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2021/05/07/banking-trojaner-ousaban-…
∗∗∗ Colonial Pipeline Falls Victim to Attack ∗∗∗
---------------------------------------------
Summary: A top U.S. fuel pipeline company has suffered a cyber attack that has forced them to halt operations. Several news sources and the company itself have confirmed the attack.
Threat Type: Cyber Attack
Overview (Update May 10 - 8:50 AM): The most recent reporting indicates that the attack likely involved DarkSide, a ransomware-as-a-service (RaaS) affiliate operation. DarkSide posted the following statement to their leak site following the attack: We are apolitical, we do not participate in [...]
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/cc757925ae0fdf1689518a35128…
∗∗∗ SolarWinds says fewer than 100 customers were impacted by supply chain attack ∗∗∗
---------------------------------------------
Texas-based software firm SolarWinds downgraded the number of customers impacted by its 2020 supply chain attack from 18,000 to fewer than 100.
---------------------------------------------
https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impac…
=====================
= Vulnerabilities =
=====================
∗∗∗ Foxit Reader bug lets attackers run malicious code via PDFs ∗∗∗
---------------------------------------------
Foxit Software, the company behind the highly popular Foxit Reader, has published security updates to fix a high severity remote code execution (RCE) vulnerability affecting the PDF reader.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/foxit-reader-bug-lets-attack…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libxml2), Fedora (autotrace, babel, kernel, libopenmpt, libxml2, mingw-exiv2, mingw-OpenEXR, mingw-openexr, python-markdown2, and samba), openSUSE (alpine, avahi, libxml2, p7zip, redis, syncthing, and vlc), and Ubuntu (webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/855909/
∗∗∗ Linux kernel vulnerability CVE-2020-1749 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K02186513
∗∗∗ Security Bulletin: IBM CloudPak foundational services (Events Operator) is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloudpak-foundational…
∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o…
∗∗∗ Security Bulletin: IBM Cloud Pak for Security is vulnerable to CVE-2021-20538 and CVE-2021-20577 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit…
∗∗∗ Security Bulletin: A security vulnerability in Node.js urijs module affects IBM Cloud Pak for Multicloud Management Infrastructure management. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise – CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise…
∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise – CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise…
∗∗∗ Security Bulletin: IBM Control Desk is vulnerable to Cross-Site Scripting Vulnerability (CVE-2021-20559) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-control-desk-is-vulne…
∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Commons Codec ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Commons and Log4j affect IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 06-05-2021 18:00 − Friday 07-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Cuba Ransomware partners with Hancitor for spam-fueled attacks ∗∗∗
---------------------------------------------
The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cuba-ransomware-partners-wit…
∗∗∗ MSM: Qualcomm modems in millions of smartphones vulnerable ∗∗∗
---------------------------------------------
Qualcomm's modems could be attacked from within Android in order to eavesdrop on calls.
---------------------------------------------
https://www.golem.de/news/msm-qualcomm-modems-in-millionen-smartphones-angr…
∗∗∗ TsuNAME Vulnerability Can Be Exploited for DDoS Attacks on DNS Servers ∗∗∗
---------------------------------------------
Some DNS resolvers are affected by a vulnerability that can be exploited to launch distributed denial-of-service (DDoS) attacks against authoritative DNS servers, a group of researchers warned this week.
---------------------------------------------
https://www.securityweek.com/tsuname-vulnerability-can-be-exploited-ddos-at…
∗∗∗ Barbecue and garden season opens: scammers lure with cheap offers! ∗∗∗
---------------------------------------------
Whether it is tools for plant care, a new barbecue, patio furniture or a pool for the garden: as temperatures rise, demand for these products grows. Naturally, scammers are not far behind and lure with cheap offers for the barbecue and garden season. We show you where you had better not shop!
---------------------------------------------
https://www.watchlist-internet.at/news/grill-und-gartensaison-eroeffnet-bet…
∗∗∗ New Moriya rootkit stealthily backdoors Windows systems ∗∗∗
---------------------------------------------
Unknown attackers may have been quietly exploiting networks in attacks reaching back to 2018.
---------------------------------------------
https://www.zdnet.com/article/new-moriya-rootkit-stealthily-backdoors-windo…
∗∗∗ LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) ∗∗∗
---------------------------------------------
LibInjection is a C library to detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world attacks. SQLi and other injection attacks remain the top OWASP and CERT vulnerability. Current detection attempts frequently involve a myriad of regular expressions, which are not only brittle and error-prone but were also shown by Hanson and Patterson at Black Hat 2005 to never be a complete solution.
---------------------------------------------
https://www.darknet.org.uk/2021/05/libinjection-detect-sql-injection-sqli-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mediawiki and unbound1.9), Fedora (djvulibre and samba), Mageia (ceph, messagelib, and pagure), openSUSE (alpine and exim), Oracle (kernel and postgresql), Scientific Linux (postgresql), and Ubuntu (thunderbird and unbound).
---------------------------------------------
https://lwn.net/Articles/855744/
∗∗∗ SYSS-2021-024: XSS VULNERABILITY IN THE PRODUCT ADISCON LOGANALYZER (CVE-2021-31738) ∗∗∗
---------------------------------------------
The login form of Adiscon LogAnalyzer was susceptible to a reflected XSS vulnerability. The vendor has already fixed it with a patch.
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-024-xss-schwachstelle-im-produkt…
∗∗∗ ABB Cybersecurity Advisory - AC 800PEC platform NAME:WRECK vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A1892&Lan…
∗∗∗ ABB Cybersecurity Advisory - Cassia Access Controller for ABB ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108368&Language…
∗∗∗ Security Advisory - Out-of-Bounds Write Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210506…
∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2021-3177 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c…
∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Financial Transaction Manager for Interac e-Transfers for Red Hat OpenShift (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher…
∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Financial Transaction Manager for Digital Payments for RedHat OpenShift (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher…
∗∗∗ Security Bulletin: Information disclosure vulnerability may affect IBM Robotic Process Automation Anywhere – CVE-2020-4901 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 05-05-2021 18:00 − Thursday 06-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ RotaJakiro, the Linux version of the OceanLotus ∗∗∗
---------------------------------------------
On Apr 28, we published our RotaJakiro backdoor blog. At that time, we didn't have the answer to a very important question: what is this backdoor exactly for? We asked the community for clues, and two days ago we got a hint: PE (Thanks!) wrote the following comment on
---------------------------------------------
https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/
∗∗∗ Alternative Ways To Perform Basic Tasks, (Thu, May 6th) ∗∗∗
---------------------------------------------
I like to spot techniques used by malware developers to perform basic tasks. We know the lolbins[1] that are pre-installed tools used to perform malicious activities. Many lolbins are used, for example, to download some content from the Internet. Some tools are so powerful that they can also be used to perform unexpected tasks.
---------------------------------------------
https://isc.sans.edu/diary/rss/27392
∗∗∗ Strong, Secure Passwords Are Key to Helping Reduce Risk to Your Organization ∗∗∗
---------------------------------------------
Blog post on how to create strong, secure passwords to reduce risk to your organization.
---------------------------------------------
https://www.sans.org/blog/strong-secure-passwords-are-key-to-helping-reduce…
∗∗∗ BSI publishes white paper on the current state of the testability of AI systems ∗∗∗
---------------------------------------------
Based on an international expert workshop held by the BSI, the association of TÜVs and Fraunhofer HHI, a white paper has been written on the current state, open questions and activities that will be important in future regarding the testability of AI systems.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ TrickBot: Get to Know the Malware That Refuses to Be Killed ∗∗∗
---------------------------------------------
Versatile, easy to use, and widely available, TrickBot has become a favorite tool of threat actors of all skill levels and a formidable threat that security teams in all organizations should be familiar with. Over the last five years, TrickBot has earned a reputation as a remarkably adaptive modular malware, with its operators regularly updating its software to be more effective and potent against a wide range of targets worldwide.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/trickbot/
∗∗∗ Ryuk ransomware finds foothold in bio research institute through student who wouldn’t pay for software ∗∗∗
---------------------------------------------
The incident started with a student who didn't want to pay for a license and ended with the loss of research.
---------------------------------------------
https://www.zdnet.com/article/ryuk-ransomware-finds-foothold-in-bio-researc…
∗∗∗ CISA Releases Analysis Reports on New FiveHands Ransomware ∗∗∗
---------------------------------------------
CISA is aware of a recent, successful cyberattack against an organization using a new ransomware variant known as FiveHands. CISA has released AR21-126A: FiveHands Ransomware and MAR-10324784-1.v1: FiveHands Ransomware to provide analysis of the threat actor's tactics, techniques, and procedures as well as indicators of compromise (IOCs).
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/05/06/cisa-releases-ana…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco SD-WAN: attackers could create admin accounts ∗∗∗
---------------------------------------------
Important security updates are available for several Cisco products.
---------------------------------------------
https://heise.de/-6038258
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-django), Fedora (java-latest-openjdk, libopenmpt, python-yara, skopeo, thunderbird, and yara), openSUSE (ceph and openexr), Red Hat (postgresql), SUSE (libxml2), and Ubuntu (exim4 and gnome-autoar).
---------------------------------------------
https://lwn.net/Articles/855613/
∗∗∗ Android users’ privacy at risk as Check Point Research identifies vulnerability on Qualcomm’s mobile station modems ∗∗∗
---------------------------------------------
Check Point Research (CPR) found a security vulnerability in Qualcomm’s mobile station modem (MSM), the chip responsible for cellular communication in nearly 40% of the world’s phones. If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them [...]
---------------------------------------------
https://blog.checkpoint.com/2021/05/06/android-users-privacy-at-risk-as-che…
∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in FusionCompute Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210506…
∗∗∗ Ruby on Rails: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0480
∗∗∗ Foxit Reader & PhantomPDF: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0481
∗∗∗ VMware vRealize Operations: Vulnerability allows code execution ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0489
∗∗∗ ZDI-21-523: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-523/
∗∗∗ ZDI-21-522: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-522/
∗∗∗ ZDI-21-521: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-521/
∗∗∗ ZDI-21-520: (0Day) Esri ArcReader PMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-520/
∗∗∗ Security Bulletin: Vulnerability in Fabric OS used by IBM b-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fabric-o…
∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-8287) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a…
∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-8265) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java affect IBM Rational Asset Analyzer. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-in-ibm-…
∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-28500) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java affecting IBM Rational Asset Analyzer. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerability identified in IBM DB2 that is shipped as component and pattern type or pType with Cloud Pak System and Cloud Pak System Software Suite. Cloud Pak System addressed response with new DB2 pType ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-identified…
∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 04-05-2021 18:00 − Wednesday 05-05-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Quick and dirty Python: masscan, (Tue, May 4th) ∗∗∗
---------------------------------------------
The last couple of years I have been trying to ramp up on Python and am increasingly finding that these complicated shell code scripts can be elegantly implemented in Python. The resulting code is way easier to read and way more supportable.
---------------------------------------------
https://isc.sans.edu/diary/rss/27384
∗∗∗ Introducing Baserunner: a tool for exploring and exploiting Firebase datastores ∗∗∗
---------------------------------------------
In this post we'll be looking at some risks posed by Firebase, a popular serverless application platform.
---------------------------------------------
https://iosiro.com/blog/baserunner-exploiting-firebase-datastores
∗∗∗ How Attackers Use Compromised Accounts to Create and Distribute Malicious OAuth Apps ∗∗∗
---------------------------------------------
Open authorization or “OAuth” apps add business features and user-interface enhancements to major cloud platforms such as Microsoft 365 and Google Workspace. Unfortunately, they’re also a new threat vector [...]
---------------------------------------------
https://www.proofpoint.com/us/blog/email-and-cloud-threats/how-attackers-us…
∗∗∗ How to Stop the Popups ∗∗∗
---------------------------------------------
McAfee is tracking an increase in the use of deceptive popups that mislead some users into taking action, while annoying many others.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-to-stop-the-popups/
∗∗∗ Tour de Peloton: Exposed user data ∗∗∗
---------------------------------------------
An unauthenticated user could view sensitive information for all users, and snoop on live class statistics and its attendees, despite having a private mode.
---------------------------------------------
https://www.pentestpartners.com/security-blog/tour-de-peloton-exposed-user-…
∗∗∗ Miracle cure detox patches? Caution when ordering from nuubu.com! ∗∗∗
---------------------------------------------
Boost your physical and mental health with a detox patch? That is what the Lithuanian company "UAB Ekomlita", which operates the website nuubu.com, promises. We advise caution, however: legal requirements are not being met.
---------------------------------------------
https://www.watchlist-internet.at/news/wunderheilmittel-entgiftungspflaster…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Critical root vulnerabilities threaten Exim mail servers ∗∗∗
---------------------------------------------
While examining Exim's code, security researchers came across 21 security vulnerabilities. Attackers could take over entire servers.
---------------------------------------------
https://heise.de/-6036724
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cgal, exim4, and mediawiki), Fedora (axel, libmicrohttpd, libtpms, perl-Image-ExifTool, pngcheck, python-yara, and yara), Gentoo (exim), Mageia (kernel-linus), openSUSE (bind and postsrsd), SUSE (avahi, openexr, p7zip, python-Pygments, python36, samba, sca-patterns-sle11, and webkit2gtk3), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450, nvidia-graphics-drivers-450-server,[...]
---------------------------------------------
https://lwn.net/Articles/855462/
∗∗∗ Advantech WISE-PaaS RMM ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Advantech WISE-PaaS RMM, a software platform focused on IoT device remote monitoring and management.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-124-01
∗∗∗ Delta Electronics CNCSoft ScreenEditor ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Out-of-bounds Write vulnerability in Delta Electronics CNCSoft ScreenEditor software management platform.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-124-02
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to insecure inter-deployment communication (CVE-2020-4979) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: Issues in IBM® Java™ SDK Technology Edition affects IBM Security Identity Manager Virtual Appliance (CVE-2020-14577, CVE-2020-14578, CVE-2020-14579) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-issues-in-ibm-java-sdk-te…
∗∗∗ Security Bulletin: IBM QRadar SIEM contains hard-coded credentials (CVE-2021-20401, CVE-2020-4932) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-contains-…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Cross Site Scripting (XSS) (CVE-2020-4929) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache httpclient ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to path traversal (CVE-2020-4993) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM QRadar SIEM may be vulnerable to a XML External Entity Injection attack (XXE) (CVE-2020-5013) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-may-be-vu…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Cross domain information disclosure (CVE-2020-4883) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: Apache Tomcat as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2020-13943) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-tomcat-as-used-by-…
∗∗∗ CVE-2021-26900: Privilege Escalation Via a Use After Free Vulnerability In win32k ∗∗∗
---------------------------------------------
https://www.thezdi.com/blog/2021/5/3/cve-2021-26900-privilege-escalation-vi…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 03-05-2021 18:00 − Tuesday 04-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ WebKit: Apple warns of zero-days in iOS and macOS ∗∗∗
---------------------------------------------
The Apple vulnerabilities in WebKit are apparently already being actively exploited. The company is providing updates.
---------------------------------------------
https://www.golem.de/news/webkit-apple-warnt-vor-zero-days-in-ios-2105-1562…
∗∗∗ 21Nails vulnerabilities impact 60% of the internet’s email servers ∗∗∗
---------------------------------------------
The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors.
---------------------------------------------
https://therecord.media/21nails-vulnerabilities-impact-60-of-the-internets-…
∗∗∗ Pingback: Backdoor At The End Of The ICMP Tunnel ∗∗∗
---------------------------------------------
In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at…
∗∗∗ RM3 - Curiosities of the wildest banking malware ∗∗∗
---------------------------------------------
TL;DR: Our Research and Intelligence Fusion Team has been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany and Italy. We'll start with an overview of its origins and current operations before providing a deep-dive technical analysis [...]
---------------------------------------------
https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-m…
∗∗∗ Firebase Domain Front - Hiding C2 as App traffic ∗∗∗
---------------------------------------------
We often see that large organizations use Firebase for hosting their applications and databases. Firebase has a lot of features such as real-time database, hosting, cloud functions, etc. Today we are going to talk about Firebase hosting and cloud functions, which are used by a lot of mobile applications these days. In our recent project, we were able to hide ourselves as legitimate mobile traffic and bypass a lot of traffic filters
---------------------------------------------
https://www.redteam.cafe/red-team/domain-front/firebase-domain-front-hiding…
∗∗∗ Patch now! Security update for Pulse Connect Secure available ∗∗∗
---------------------------------------------
In an updated version of the VPN software Pulse Connect Secure from Ivanti, the developers have closed critical vulnerabilities.
---------------------------------------------
https://heise.de/-6035501
∗∗∗ ATT&CK v9 Introduces Containers, Google Workspace ∗∗∗
---------------------------------------------
MITRE announced last week that the latest update to the popular ATT&CK framework introduces techniques related to containers and the Google Workspace platform.
---------------------------------------------
https://www.securityweek.com/attck-v9-introduces-containers-google-workspace
∗∗∗ Suggestive sex messages on Facebook & Instagram: fraud is behind them ∗∗∗
---------------------------------------------
Facebook and Instagram users know it: friend requests or messages from unknown, usually scantily clad women. On Instagram, users are also very often added to dubious groups or tagged in pictures by strangers. Behind this are fake profiles or bots that lure people to disreputable dating portals, collect data or phish for credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/anzuegliche-sex-nachrichten-auf-face…
∗∗∗ Three new malware families found in global finance phishing campaign ∗∗∗
---------------------------------------------
Doubledrag, Doubledrop, and Doubleback are the work of “experienced” threat actors.
---------------------------------------------
https://www.zdnet.com/article/researchers-find-three-new-malware-families-u…
=====================
= Vulnerabilities =
=====================
∗∗∗ Actively exploited vulnerabilities: Apple patches iOS, macOS and watchOS ∗∗∗
---------------------------------------------
macOS 11.3.1, iOS 14.5.1 and watchOS 7.4.1 fix an acute security problem in Safari. A bug in the iPhone app tracking protection is also fixed.
---------------------------------------------
https://heise.de/-6035220
∗∗∗ Android Patchday: critical system vulnerability gives attackers full control ∗∗∗
---------------------------------------------
Important security updates are available for various Android versions.
---------------------------------------------
https://heise.de/-6035560
∗∗∗ Xen Security Advisory CVE-2021-28689 / XSA-370 - x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests ∗∗∗
---------------------------------------------
A malicious 32-bit guest kernel may be able to mount a Spectre v2 attack against Xen, despite hardware protections being active. It therefore might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-370.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, chromium, exim4, and subversion), Fedora (exiv2 and skopeo), openSUSE (gsoap), Oracle (bind, kernel, and sudo), SUSE (bind, ceph, ceph, deepsea, permissions, and stunnel), and Ubuntu (clamav, exim4, openvpn, python-django, and samba).
---------------------------------------------
https://lwn.net/Articles/855308/
∗∗∗ High-Severity Dell Driver Vulnerabilities Impact Hundreds of Millions of Devices ∗∗∗
---------------------------------------------
Owners of Dell devices were informed on Tuesday that a firmware update driver present on a large number of systems is affected by a series of high-severity vulnerabilities.
---------------------------------------------
https://www.securityweek.com/high-severity-dell-driver-vulnerabilities-impa…
∗∗∗ Synology-SA-21:18 Hyper Backup ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Hyper Backup.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_18
∗∗∗ Security Bulletin: Go is vulnerable to a denial of service on IBM Watson Machine Learning on CP4D ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-go-is-vulnerable-to-a-den…
∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with segmentation fault on IBM Watson Machine Learning on CP4D ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln…
∗∗∗ Security Bulletin: GO is vulnerable to allows attacks on clients on IBM Watson Machine Learning on CP4D ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-go-is-vulnerable-to-allow…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect AIX (CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: A vulnerability exists in the management GUI of the IBM FlashSystem 900 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in…
∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with denial of service on IBM Watson Machine Learning on CP4D ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln…
∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities with denial of service on IBM Watson Machine Learning Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln…
∗∗∗ Security Bulletin: TensorFlow is vulnerable to a heap-based buffer overflow on IBM Watson Machine Learning on CP4D ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-is-vulnerable-…
∗∗∗ Security Bulletin: GO security vulnerabilities on IBM Watson Machine Learning Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-go-security-vulnerabiliti…
∗∗∗ Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3049, CVE-2021-3050) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-a…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20454). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 30-04-2021 18:00 − Montag 03-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Babuk quits ransomware encryption, focuses on data-theft extortion ∗∗∗
---------------------------------------------
A new message today from the operators of Babuk ransomware clarifies that the gang has decided to close the affiliate program and move to an extortion model that does not rely on encrypting victim computers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/babuk-quits-ransomware-encry…
∗∗∗ Hacker competition Austria Cyber Security Challenge launched ∗∗∗
---------------------------------------------
The IT security competition for pupils, students and anyone interested celebrates its 10th anniversary this year.
---------------------------------------------
https://futurezone.at/digital-life/hacker-wettbewerb-austria-cyber-security…
∗∗∗ New Buer Malware Downloader Rewritten in E-Z Rust Language ∗∗∗
---------------------------------------------
It's coming in emails disguised as DHL Support shipping notices and is apparently getting prepped for leasing on the underground.
---------------------------------------------
https://threatpost.com/buer-malware-loader-rewritten-rust/165782/
∗∗∗ PuTTY And FileZilla Use The Same Fingerprint Registry Keys, (Sun, May 2nd) ∗∗∗
---------------------------------------------
Many SSH clients can remember SSH servers' fingerprints. This can serve as a safety mechanism: you get a warning when the server you want to connect to no longer has the same fingerprint. And then you can decide what to do: continue with the connection, or stop and try to figure out what is going on.
---------------------------------------------
https://isc.sans.edu/diary/rss/27376
∗∗∗ Spectre vulnerability lives on: AMD and Intel processors affected ∗∗∗
---------------------------------------------
A new side-channel attack targets the micro-op caches of all modern AMD and Intel CPUs, including Ryzen 5000 and Rocket Lake-S.
---------------------------------------------
https://heise.de/-6034264
∗∗∗ Windows 10: BSI provides security settings ∗∗∗
---------------------------------------------
As part of the "Study on system design, logging, hardening and security functions in Windows 10" (SiSyPHuS Win10), the BSI has published recommendations for hardening Windows systems in German and English.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ Tesla Car Hacked Remotely From Drone via Zero-Click Exploit ∗∗∗
---------------------------------------------
Two researchers have shown how a Tesla - and possibly other cars - can be hacked remotely without any user interaction. They carried out the attack from a drone.
---------------------------------------------
https://www.securityweek.com/tesla-car-hacked-remotely-drone-zero-click-exp…
∗∗∗ Trickbot Brief: Creds and Beacons ∗∗∗
---------------------------------------------
“TrickBot malware—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. The cybercrime group initially designed TrickBot as a banking trojan to steal [...]
---------------------------------------------
https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
∗∗∗ Swiss Cloud becomes the latest web hosting provider to suffer a ransomware attack ∗∗∗
---------------------------------------------
Swiss Cloud, a Switzerland-based cloud hosting provider, has suffered a ransomware attack this week that brought the company's server infrastructure to its knees.
---------------------------------------------
https://therecord.media/swiss-cloud-becomes-the-latest-web-hosting-provider…
=====================
= Vulnerabilities =
=====================
∗∗∗ Pulse Secure fixes VPN zero-day used to hack high-value targets ∗∗∗
---------------------------------------------
Pulse Secure has fixed a zero-day vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance that is being actively exploited to compromise the internal networks of defense firms and govt agencies.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pulse-secure-fixes-vpn-zero-…
∗∗∗ Watch the 8: Python standard library ignores the octal system in IP addresses ∗∗∗
---------------------------------------------
The ipaddress library has not checked IP addresses for leading zeros since 2019. A patch is in sight, but not yet released.
---------------------------------------------
https://heise.de/-6034508
∗∗∗ SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin ∗∗∗
---------------------------------------------
On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin installed on over 100,000 sites. This vulnerability could be used to extract sensitive information from a site’s database, including user emails and password hashes, all [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/05/sql-injection-vulnerability-patched-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind, GNOME, java-1.8.0-openjdk, java-11-openjdk, nss and nspr, xstream, and xterm), Debian (bind9 and libimage-exiftool-perl), Fedora (ansible, babel, java-11-openjdk, and java-latest-openjdk), Gentoo (chromium, clamav, firefox, git, grub, python, thunderbird, tiff, webkit-gtk, and xorg-server), Mageia (kernel, nvidia-current, nvidia390, qtbase5, and sdl2), openSUSE (Chromium, cifs-utils, cups, giflib, gsoap, libnettle, librsvg, netdata, postsrsd, [...]
---------------------------------------------
https://lwn.net/Articles/855217/
∗∗∗ Synology-SA-21:16 ISC BIND ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to obtain sensitive information or conduct denial-of-service attacks via a susceptible version of Synology DNS Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_16
∗∗∗ Synology-SA-21:17 Samba ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_17
∗∗∗ Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5651.php
∗∗∗ Epic Games Psyonix Rocket League v1.95 Insecure Permissions ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5650.php
∗∗∗ Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff…
∗∗∗ Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service through the Node.js runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a command injection vulnerability (CVE-2021-23337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 29-04-2021 18:00 − Freitag 30-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Qnap NAS with outdated firmware fall victim to AgeLocker ransomware ∗∗∗
---------------------------------------------
Once again, an encryption trojan is targeting network-attached storage (NAS) devices from Qnap.
---------------------------------------------
https://heise.de/-6032831
∗∗∗ Investment fraud: Alexander Van der Bellen is not promoting Bitcoin investments! ∗∗∗
---------------------------------------------
We repeatedly report that celebrities are used without authorisation to advertise dubious trading platforms. Currently the criminals have set their sights on the Austrian Federal President Alexander Van der Bellen. According to fabricated reports, he supposedly uses dubious platforms such as "Bitcoin Era", "Bitcoin Prime" or "Crypto Revolt" to earn extra money. Do not believe these reports.
---------------------------------------------
https://www.watchlist-internet.at/news/anlagebetrug-alexander-van-der-belle…
∗∗∗ Codecov begins notifying affected customers, discloses IOCs ∗∗∗
---------------------------------------------
Codecov has now started notifying the maintainers of software repositories affected by the recent supply-chain attack. These notifications, delivered via both email and the Codecov application interface, state that the company believes the affected repositories were downloaded by threat actors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/codecov-begins-notifying-aff…
∗∗∗ DomainTools And Digital Archeology: A Look At RotaJakiro ∗∗∗
---------------------------------------------
Gain additional insight into the malware dubbed RotaJakiro by Netlab with analysis by Chad Anderson on additional infrastructure unearthed including IP addresses, C2 domains, and more.
---------------------------------------------
https://www.domaintools.com/resources/blog/domaintools-and-digital-archeolo…
∗∗∗ Babuk Ransomware Gang Mulls Retirement ∗∗∗
---------------------------------------------
The RaaS operators have been posting, tweaking and taking down a goodbye note, saying that they'll be open-sourcing their data encryption malware for other crooks to use.
---------------------------------------------
https://threatpost.com/babuk-ransomware-gang-mulls-retirement/165742/
∗∗∗ Security baseline for Microsoft 365 Apps for enterprise v2104 - FINAL ∗∗∗
---------------------------------------------
Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2104. Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate. If you have questions or issues, please let us know via the Security Baseline Community or this post.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ Qiling: A true instrumentable binary emulation framework, (Fri, Apr 30th) ∗∗∗
---------------------------------------------
A while ago, during the FLARE On 7 challenge last autumn, I had my first experience with the Qiling framework. It helped me to solve the challenge CrackInstaller by Paul Tarter (@Hefrpidge). If you want to read more about this (very interesting) challenge: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/flareon7-challeng….
---------------------------------------------
https://isc.sans.edu/diary/rss/27372
∗∗∗ How to Find & Fix Mixed Content Issues with SSL / HTTPS ∗∗∗
---------------------------------------------
Note: We’ve updated this post to reflect the evolving security standards around mixed content, SSLs, and server access as a whole. With the web’s increased emphasis on security, all sites should operate on HTTPS. Installing an SSL allows you to make that transition with your website. But it can also have an unintended consequence for sites that have been operating on HTTP previously: Mixed content warnings. Today, let’s look at these common errors, what causes them, and how [...]
---------------------------------------------
https://blog.sucuri.net/2021/04/how-to-find-fix-mixed-content-issues-with-s…
∗∗∗ UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat ∗∗∗
---------------------------------------------
Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not been previously reported publicly.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fi…
∗∗∗ IoT riddled with BadAlloc vulnerabilities ∗∗∗
---------------------------------------------
A set of memory allocation vulnerabilities, dubbed BadAlloc, has been found in a massive number of IoT and OT devices.
---------------------------------------------
https://blog.malwarebytes.com/reports/2021/04/iot-riddled-with-badalloc-vul…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security vulnerability reveals locations of electric two-wheelers and phone numbers ∗∗∗
---------------------------------------------
The API of two-wheeler manufacturer Supersoco has a serious security vulnerability, but neither the manufacturer nor the D/AT importer is taking care of it.
---------------------------------------------
https://heise.de/-6032820
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (bind, chromium, firefox, gitlab, libupnp, nimble, opera, thunderbird, virtualbox, and vivaldi), Debian (composer, edk2, and libhibernate3-java), Fedora (java-1.8.0-openjdk, jetty, and samba), openSUSE (nim), Oracle (bind and runc), Red Hat (bind), SUSE (cifs-utils, cups, ldb, samba, permissions, samba, and tomcat), and Ubuntu (samba).
---------------------------------------------
https://lwn.net/Articles/855029/
∗∗∗ Texas Instruments SimpleLink ∗∗∗
---------------------------------------------
This advisory contains mitigations for Stack-based Buffer Overflow and Integer Overflow or Wraparound vulnerabilities in Texas Instruments SimpleLink wireless microcontrollers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-01
∗∗∗ Cassia Networks Access Controller ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Path Traversal vulnerability in Cassia Networks Access Controller Bluetooth network management tool.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-02
∗∗∗ Johnson Controls Exacq Technologies exacqVision ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Off-by-one Error vulnerability in the Ubuntu operating system of Exacq Technologies exacqVision. Exacq Technologies is a subsidiary of Johnson Controls.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-03
∗∗∗ Multiple RTOS ∗∗∗
---------------------------------------------
CISA is aware of a public report, known as “BadAlloc” that details vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. This advisory contains mitigations for Integer Overflow or Wraparound vulnerabilities associated with this "BadAlloc" report.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04
∗∗∗ ctrlX CORE - IDE App affected by OpenSSL and Python Vulnerabilities ∗∗∗
---------------------------------------------
BOSCH-SA-017743: Multiple vulnerabilities affecting OpenSSL versions prior to 1.1.1k and Python 0 through 3.9.1 have been reported. Affected versions are included in the ctrlX CORE - IDE App. In order to successfully exploit these vulnerabilities, an attacker requires access to the network or system. Two vulnerabilities (CVE-2021-3177 and CVE-2021-27619) are notably critical, as they can be easily exploited. The exploitation of these vulnerabilities can lead to remote code execution.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-017743.html
∗∗∗ FTP Backdoor for Rexroth Fieldbus Couplers S20 and Inline ∗∗∗
---------------------------------------------
BOSCH-SA-428397: On some Fieldbus Couplers, there is a hidden, password-protected FTP area for the root directory.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-428397.html
∗∗∗ Parallels Desktop RDPMC Hypercall Interface and Vulnerabilities ∗∗∗
---------------------------------------------
Parallels Desktop implements a hypercall interface using an RDPMC instruction (“Read Performance-Monitoring Counter”) for communication between guest and host. More interestingly, this interface is accessible even to an unprivileged guest user. Though the HYPER-CUBE: High-Dimensional Hypervisor Fuzzing [PDF] paper by Ruhr-University Bochum has a brief mention of this interface, we have not seen many details made public. This blog post gives a brief description of the interface and [...]
---------------------------------------------
https://www.thezdi.com/blog/2021/4/26/parallels-desktop-rdpmc-hypercall-int…
∗∗∗ QNAP NAS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0462
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a denial of service attack through a DNS lookup that returns a large number of responses (CVE-2020-8277) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a Server-Side Request Forgery vulnerability (CVE-2020-28168) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: Images built from IBM App Connect Enterprise Certified Container images may be vulnerable to information exposure via CVE-2020-15095 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-images-built-from-ibm-app…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service and HTTP request smuggling vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: iOS Vulnerable Minimum OS Version Supported ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ios-vulnerable-minimum-os…
∗∗∗ Security Bulletin: z/TPF is affected by an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-an-o…
∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to a stack based buffer overflow, caused by improper bounds checking. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container flows may be vulnerable to spoofing attacks (CVE-2020-26291) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring components may be vulnerable to a denial of service attack (CVE-2020-28477) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 28-04-2021 18:00 − Donnerstag 29-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Google: Android's coronavirus contact tracing leaks data ∗∗∗
---------------------------------------------
Only the Exposure Notification Framework is supposed to be able to access the collected contacts, but Android writes them to a log.
---------------------------------------------
https://www.golem.de/news/corona-warn-app-androids-corona-kontaktverfolgung…
∗∗∗ Threat Alert: New update from Sysrv-hello, now infecting victims' webpages to push malicious exe to end users ∗∗∗
---------------------------------------------
From the end of last year to now, we have seen an uptick in mining botnet families. While new families have been popping up, some old ones are getting updated frequently. Our BotMon system has recently reported about the [rinfo][z0miner]. And the latest case comes from Sysrv-hello [...]
---------------------------------------------
https://blog.netlab.360.com/threat-alert-new-update-from-sysrv-hello-now-in…
∗∗∗ Announcing the New Report Delta Mode Option ∗∗∗
---------------------------------------------
A new opt-in feature in our reporting mechanism will allow for reporting only the changes of the data from day to day: the report delta mode option. In this mode, every Sunday we will continue to deliver a full set of reports on all events observed on a report recipient's network. For the rest of the week, for every distinct report type we will report only the difference between events seen on that day relative to the Sunday report. This will continue throughout the week until the [...]
---------------------------------------------
https://www.shadowserver.org/news/announcing-the-new-report-delta-mode-opti…
∗∗∗ Digital Ocean springs a leak: Miscreant exploits hole to peep on unlucky customers' billing details for two weeks ∗∗∗
---------------------------------------------
First that IPO and now this: Digital Ocean on Wednesday said someone was able to snoop on some of its cloud subscribers' billing information via a now-patched vulnerability.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/04/29/digital_ocea…
∗∗∗ [SANS ISC] From Python to .Net ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "From Python to .Net": The Microsoft operating system provides the .Net framework to developers. It allows one to fully interact with the OS and write powerful applications… but also malicious ones. In a previous diary, I talked about a malicious Python script that interacted with the [...]
---------------------------------------------
https://blog.rootshell.be/2021/04/29/sans-isc-from-python-to-net/
∗∗∗ Task Force Seeks to Disrupt Ransomware Payments ∗∗∗
---------------------------------------------
Some of the world's top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.
---------------------------------------------
https://krebsonsecurity.com/2021/04/task-force-seeks-to-disrupt-ransomware-…
∗∗∗ Bitcoin scammers phish for wallet recovery codes on Twitter ∗∗∗
---------------------------------------------
Cryptocurrency scammers are on the prowl for wallet recovery phrases, under the pretence of trying to be helpful.
---------------------------------------------
https://blog.malwarebytes.com/social-engineering/2021/04/bitcoin-scammers-p…
∗∗∗ Anatomy of how you get pwned ∗∗∗
---------------------------------------------
Today, somebody had a problem: they kept seeing a popup on their screen, an obvious scam trying to sell them McAfee anti-virus. Where was this coming from? In this blogpost, I follow this rabbit hole on down. It starts with "search engine optimization" links and leads to an entire industry of tricks, scams, exploiting popups, trying to infect your machine with viruses, and stealing emails or credit card numbers.
---------------------------------------------
https://blog.erratasec.com/2021/04/anatomy-of-how-you-get-pwned.html
∗∗∗ Fraudulent classified ads on hyperanzeigen.at ∗∗∗
---------------------------------------------
Watchlist Internet keeps receiving reports of dubious offers on hyperanzeigen.at. A closer look at the platform itself also raises doubts about its legitimacy. In a check of 15 ads from different categories, we could not find a single genuine one. Furthermore, contact options and a legal notice (Impressum) are missing.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-kleinanzeigen-auf-hyp…
∗∗∗ New Shameless Commodity Cryptocurrency Stealer (WeSteal) and Commodity RAT (WeControl) ∗∗∗
---------------------------------------------
We analyze commodity malware WeSteal, detail its techniques and examine its customers, as well as sharing details of a newly observed RAT, WeControl.
---------------------------------------------
https://unit42.paloaltonetworks.com/westeal/
=====================
= Vulnerabilities =
=====================
∗∗∗ A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks ∗∗∗
---------------------------------------------
The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was [...]
---------------------------------------------
https://thehackernews.com/2021/04/a-new-php-composer-bug-could-enable.html
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has published advisories for 13 vulnerabilities. None of them is rated "Critical"; five are rated "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Overview of F5 vulnerabilities (April 2021) ∗∗∗
---------------------------------------------
On April 28th, 2021, F5 announced the following security issues. This document is intended to serve as [...]
---------------------------------------------
https://support.f5.com/csp/article/K96639388
∗∗∗ Vulnerability Exposes F5 BIG-IP to Kerberos KDC Hijacking Attacks ∗∗∗
---------------------------------------------
F5 Networks this week released patches to address an authentication bypass vulnerability affecting BIG-IP Access Policy Manager (APM), but fixes are not available for all impacted versions.
---------------------------------------------
https://www.securityweek.com/vulnerability-exposes-f5-big-ip-kerberos-kdc-h…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (ceph, jetty, kernel, kernel-headers, kernel-tools, openvpn, and shim-unsigned-x64), Mageia (firefox and thunderbird), Oracle (nss and openldap), Red Hat (bind), Slackware (bind), SUSE (firefox, giflib, java-1_7_0-openjdk, libnettle, librsvg, thunderbird, and webkit2gtk3), and Ubuntu (bind9 and gst-plugins-good1.0).
---------------------------------------------
https://lwn.net/Articles/854880/
∗∗∗ ZDI-21-490: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-490/
∗∗∗ ZDI-21-489: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-489/
∗∗∗ ZDI-21-488: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-488/
∗∗∗ ZDI-21-487: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-487/
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a denial of service vulnerability (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: IBM API Connect is vulnerable to cookie forgery via PHP (CVE-2020-7070) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Internet Systems Consortium BIND: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0452
∗∗∗ Samba: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0451
∗∗∗ Drupal: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0459
∗∗∗ PHP: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0458
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-04-2021 18:00 − Wednesday 28-04-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Security: Legal consequences of the Cellebrite hack ∗∗∗
---------------------------------------------
Court rulings in which the forensics software was used to secure evidence are being called into question after the disclosure of the serious security flaws.
---------------------------------------------
https://www.golem.de/news/security-juristische-konsequenzen-durch-den-celle…
∗∗∗ RotaJakiro: A long live secret backdoor with 0 VT detection ∗∗∗
---------------------------------------------
On March 25, 2021, 360 NETLAB's BotMon system flagged a suspicious ELF file (MD5=64f6cfe44ba08b0babdd3904233c4857) with 0 VT detection; the sample communicates with 4 domains on TCP 443 (HTTPS), but the traffic is not TLS/SSL.
---------------------------------------------
https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
∗∗∗ Abusing Replication: Stealing AD FS Secrets Over the Network ∗∗∗
---------------------------------------------
Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-st…
∗∗∗ Emotet: A good 4 million copied e-mail addresses at checking service Have I Been Pwned ∗∗∗
---------------------------------------------
To better inform those affected, the FBI has shared with HIBP more than four million e-mail addresses harvested by the former "king of malware" Emotet.
---------------------------------------------
https://heise.de/-6030480
∗∗∗ User Empowerment: Password Security ∗∗∗
---------------------------------------------
World Password Day (who knew that was a thing?) is upon us.
---------------------------------------------
https://malicious.link/post/2021/user-empowerment-password-security/
∗∗∗ Österreichische Gesundheitskasse warns of fraudulent calls ∗∗∗
---------------------------------------------
Policyholders of the Österreichische Gesundheitskasse (ÖGK) are currently receiving calls from fraudsters. The fraudsters pose as ÖGK employees and call from a supposedly Austrian number.
---------------------------------------------
https://www.watchlist-internet.at/news/oesterreichische-gesundheitskasse-wa…
∗∗∗ Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle ∗∗∗
---------------------------------------------
It has been suspected that exploit code used in the wave of attacks may have been sourced from the program.
---------------------------------------------
https://www.zdnet.com/article/microsoft-mulls-over-threat-data-code-sharing…
∗∗∗ Two million database servers are currently exposed across cloud providers ∗∗∗
---------------------------------------------
Censys said it scanned for MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle databases and found that almost 60% of all exposed servers were MySQL databases, which accounted for 1.15 million of the total 1.93 million exposed DBs.
---------------------------------------------
https://therecord.media/two-million-database-servers-are-currently-exposed-…
∗∗∗ Ransomware gang targets Microsoft SharePoint servers ∗∗∗
---------------------------------------------
Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs.
---------------------------------------------
https://therecord.media/ransomware-gang-targets-microsoft-sharepoint-server…
=====================
= Vulnerabilities =
=====================
∗∗∗ Malicious-code flaw in IBM Spectrum Protect endangers servers ∗∗∗
---------------------------------------------
There are important security updates for IBM's data protection solution Spectrum Protect and Spectrum Protect Plus.
---------------------------------------------
https://heise.de/-6030379
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and shibboleth-sp), Fedora (ceph and salt), Oracle (thunderbird), Red Hat (etcd), Scientific Linux (nss and openldap), SUSE (curl, gdm, and libnettle), and Ubuntu (openjdk-8, openjdk-lts and underscore).
---------------------------------------------
https://lwn.net/Articles/854756/
∗∗∗ Synology-SA-21:15 Antivirus Essential ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to obtain privileges without consent via a susceptible version of Antivirus Essential.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_15
∗∗∗ WordPress plugin "WP Fastest Cache" vulnerable to directory traversal ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN35240327/
∗∗∗ ZDI-21-485: (0Day) Siemens JT2Go DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-485/
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-16044) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23954) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to a directory traversal vulnerability affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23987) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-26974) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23978) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Resource Administrator or Administrator role authenticated local command execution vulnerability CVE-2021-23012 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K04234247
∗∗∗ TMM vulnerability CVE-2021-23011 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K10751325
∗∗∗ BIG-IP Advanced WAF and ASM Brute Force Protection feature may not properly support the Post-Redirect-Get application flow ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K91414704
∗∗∗ Running a CTU Diagnostics Report may leave elevated command prompt after report generation ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K03544414
∗∗∗ TMM with HTTP/2 vulnerability (CVE-2021-23009) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K90603426
∗∗∗ BIG-IP ASM and Advanced WAF WebSocket vulnerability CVE-2021-23010 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K18570111
∗∗∗ BIG-IP Advanced WAF and ASM REST API vulnerability CVE-2021-23014 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K23203045
∗∗∗ BIG-IP APM AD authentication vulnerability CVE-2021-23008 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K51213246
∗∗∗ Appliance Mode authenticated iControl REST vulnerability CVE-2021-23015 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K74151369
=====================
= End-of-Day report =
=====================
Timeframe: Monday 26-04-2021 18:00 − Tuesday 27-04-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ 15 open source GitHub projects for security pros ∗∗∗
---------------------------------------------
Whether you are a sysadmin, a threat intel analyst, a malware researcher, forensics expert, or even a software developer looking to build secure software, these 15 free tools from GitHub or GitLab can easily fit into your day-to-day work activities and provide added advantages.
---------------------------------------------
https://www.csoonline.com/article/3058594/19-open-source-github-projects-fo…
∗∗∗ CAD: .DGN and .MVBA Files, (Mon, Apr 26th) ∗∗∗
---------------------------------------------
Regularly I receive questions about MicroStation files, since I wrote a diary entry about AutoCAD drawings containing VBA code.
---------------------------------------------
https://isc.sans.edu/diary/rss/27354
∗∗∗ Aggrokatz: pypykatz meets Cobalt Strike ∗∗∗
---------------------------------------------
The tool "aggrokatz", which SEC Consult uses internally to parse LSASS dump files in Cobalt Strike, has just been released as an open source tool!
---------------------------------------------
https://sec-consult.com/de/blog/detail/aggrokatz-pypykatz-trifft-cobalt-str…
∗∗∗ The March/April 2021 issue of our SWITCH Security Report is available! ∗∗∗
---------------------------------------------
A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Exploit on Exchange
---------------------------------------------
https://securityblog.switch.ch/2021/04/27/the-march-april-2021-issue-of-our…
∗∗∗ Vulnerability Spotlight: Information disclosure vulnerability in the Linux Kernel ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel.
---------------------------------------------
https://blog.talosintelligence.com/2021/04/vuln-spotlight-linux-kernel.html
∗∗∗ Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU ∗∗∗
---------------------------------------------
Earlier this year, the FBI in partnership with the Dutch National High Tech Crime Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies brought down what Europol referred to as the world's most dangerous malware: Emotet.
---------------------------------------------
https://www.troyhunt.com/data-from-the-emotet-malware-is-now-searchable-in-…
∗∗∗ WhatsApp users beware: Criminals are trying to steal your WhatsApp account ∗∗∗
---------------------------------------------
Have you been asked on WhatsApp to forward a 6-digit code? Do not do so under any circumstances: this code is the key to your WhatsApp account. Criminals use all sorts of pretexts to try to convince you to forward it.
---------------------------------------------
https://www.watchlist-internet.at/news/whatsapp-nutzerinnen-aufgepasst-krim…
∗∗∗ CISA and NIST Release New Interagency Resource: Defending Against Software Supply Chain Attacks ∗∗∗
---------------------------------------------
A software supply chain attack—such as the recent SolarWinds Orion attack—occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/cisa-and-nist-rel…
=====================
= Vulnerabilities =
=====================
∗∗∗ All Your Macs Are Belong To Us ∗∗∗
---------------------------------------------
Here, we detail a bug that trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk!
---------------------------------------------
https://objective-see.com/blog/blog_0x64.html
∗∗∗ Citrix ShareFile storage zones controller security update ∗∗∗
---------------------------------------------
A security issue has been identified in the Citrix ShareFile storage zones controller which, if exploited, would allow an unauthenticated attacker to remotely compromise the storage zones controller.
---------------------------------------------
https://support.citrix.com/article/CTX310780
∗∗∗ Severe Unpatched Vulnerabilities Lead to Closure of Store Locator Plus Plugin ∗∗∗
---------------------------------------------
On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites.
---------------------------------------------
https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-lea…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, and gst-plugins-ugly1.0), Fedora (kernel, kernel-headers, kernel-tools, and rust), openSUSE (firefox), Oracle (firefox, mariadb:10.3 and mariadb-devel:10.3, thunderbird, and xstream), Red Hat (kernel, kernel-alt, kpatch-patch, nss, and openldap), Scientific Linux (firefox, thunderbird, and xstream), SUSE (firefox), and Ubuntu (file-roller, firefox, and ruby2.7).
---------------------------------------------
https://lwn.net/Articles/854623/
∗∗∗ NTLM Relay Attack Abuses Windows RPC Protocol Vulnerability ∗∗∗
---------------------------------------------
A newly identified NTLM (New Technology LAN Manager) relay attack abuses a remote procedure call (RPC) vulnerability to enable elevation of privilege, researchers from cybersecurity firm SentinelOne reveal.
---------------------------------------------
https://www.securityweek.com/ntlm-relay-attack-abuses-windows-rpc-protocol-…
∗∗∗ Apple Security Updates 2021-04-26 ∗∗∗
---------------------------------------------
https://support.apple.com/en-us/HT201222
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-…
∗∗∗ Security Bulletin: Vulnerability in Apache MyFaces affects Liberty for Java for IBM Cloud (CVE-2021-26296) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-m…
∗∗∗ Security Bulletin: Buffer Overflow Vulnerability in IBM SDK Affects IBM Transformation Extender ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to weak file permissions allowing access to specific files (CVE-2020-4976) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Nvidia drivers: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0440
∗∗∗ Red Hat OpenShift: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0447
∗∗∗ TYPO3 Extension: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0449
∗∗∗ Google Releases Security Updates for Chrome ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/27/google-releases-s…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 23-04-2021 18:00 − Monday 26-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Qnap: NAS ransomware extorts 230,000 euros in a few days ∗∗∗
---------------------------------------------
Using a trivial security flaw, the Qlocker ransomware was able to extort thousands of euros from Qnap NAS owners within a few days.
---------------------------------------------
https://www.golem.de/news/qnap-nas-ransomware-erpresst-in-wenigen-tagen-230…
∗∗∗ Passwordstate: Password manager from Click Studios hacked ∗∗∗
---------------------------------------------
Attackers succeeded in compromising an upgrade function of Click Studios. Users of Passwordstate should reset their passwords.
---------------------------------------------
https://heise.de/-6027188
∗∗∗ "Bye Emotet": Malware uninstalls itself ∗∗∗
---------------------------------------------
The "king of malware" quietly made its exit.
---------------------------------------------
https://heise.de/-6028392
∗∗∗ Unsecured Kubernetes Instances Could Be Vulnerable to Exploitation ∗∗∗
---------------------------------------------
We discuss how malware and malicious activities can occur in unsecured Kubernetes instances and how better configuration can help.
---------------------------------------------
https://unit42.paloaltonetworks.com/unsecured-kubernetes-instances/
∗∗∗ This password-stealing Android malware is spreading quickly: Here's what to watch out for ∗∗∗
---------------------------------------------
FluBot is designed to steal personal information including bank details - and infected users are being exploited to spread the malware to their contacts.
---------------------------------------------
https://www.zdnet.com/article/this-password-stealing-android-malware-is-spr…
∗∗∗ Hacking campaign targets FileZen file-sharing network appliances ∗∗∗
---------------------------------------------
Threat actors are using two vulnerabilities in a popular file-sharing server to breach corporate and government systems and steal sensitive data as part of a global hacking campaign that has already hit a major target in the Japanese Prime Minister's Cabinet Office.
---------------------------------------------
https://therecord.media/hacking-campaign-targets-filezen-file-sharing-netwo…
∗∗∗ Fake Microsoft DirectX 12 site pushes crypto-stealing malware ∗∗∗
---------------------------------------------
Cybercriminals have created a fake Microsoft DirectX 12 download page to distribute malware that steals your cryptocurrency wallets and passwords.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-microsoft-directx-12-si…
∗∗∗ Base64 Hashes Used in Web Scanning, (Sat, Apr 24th) ∗∗∗
---------------------------------------------
I have honeypot activity logs going back to May 2018 and I was curious what type of username:password combination was stored in the web traffic logs following either the Proxy-Authorization: Basic or Authorization: Basic in each log. This graph illustrates an increase in web scanning activity for username:password over the past 3 years.
---------------------------------------------
https://isc.sans.edu/diary/rss/27346
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux ∗∗∗
---------------------------------------------
A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a [...]
---------------------------------------------
https://thehackernews.com/2021/04/critical-rce-bug-found-in-homebrew.html
∗∗∗ SSD Advisory – Hongdian H8922 Multiple Vulnerabilities ∗∗∗
---------------------------------------------
The H8922 “4G industrial router is based on 3G/4G wireless network and adopts a high-performance 32-bit embedded operating system with full industrial design. It supports wired and wireless network backup, and its high reliability and convenient networking make it suitable for large-scale distributed industrial applications. Such as smart lockers, charging piles, bank ATM machines, tower monitoring, electricity, water conservancy, environmental protection”. Several vulnerabilities in the H8922 device allow remote attackers to cause the device to execute arbitrary commands with root privileges due to the fact that user provided data is not properly filtered as well as a backdoor account allows access via port 5188/tcp.
---------------------------------------------
https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabili…
∗∗∗ [PDF] Beckhoff Security Advisory 2021-001: DoS-Vulnerability for TwinCAT OPC UA Server and IPC Diagnostics UA Server ∗∗∗
---------------------------------------------
Some TwinCAT OPC UA Server and IPC Diagnostics UA Server versions from Beckhoff Automation GmbH & Co. KG are vulnerable to denial of service attacks. The attacker needs to send several specifically crafted requests to the running OPC UA server. After some of these requests the OPC UA server is no longer responsive to any client. This is without effect to the real-time functionality of IPCs.
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories…
∗∗∗ Another security flaw in coronavirus rapid tests ∗∗∗
---------------------------------------------
Because of a security flaw in rapid-test software, unauthorized persons were able to access sensitive information. The flaw has since been closed.
---------------------------------------------
https://heise.de/-6027394
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (drupal7, gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, gst-plugins-ugly1.0, jackson-databind, libspring-java, opendmarc, openjdk-11, and pjproject), Fedora (buildah, containers-common, crun, firefox, java-11-openjdk, nextcloud-client, openvpn, podman, python3-docs, python3.9, runc, and xorg-x11-server), Mageia (connman, krb5-appl, and virtualbox), openSUSE (apache-commons-io, ImageMagick, jhead, libdwarf, nim, [...]
---------------------------------------------
https://lwn.net/Articles/854504/
∗∗∗ MB connect line: multiple products partially affected by DNSspooq ∗∗∗
---------------------------------------------
Multiple flaws have been found in dnsmasq before version 2.83 [...]
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2021-012
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Red Hat Enterprise Linux: Multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0436
∗∗∗ Webmin: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0438
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-04-2021 18:00 − Friday 23-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ [SANS ISC] Malicious PowerPoint Add-On: “Small Is Beautiful” ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Malicious PowerPoint Add-On: ‘Small Is Beautiful‘”: Yesterday I spotted a DHL-branded phishing campaign that used a PowerPoint file to compromise the victim. The malicious attachment is a PowerPoint add-in. This technique is not new, I already analyzed such a sample in a previous [...]
---------------------------------------------
https://blog.rootshell.be/2021/04/23/sans-isc-malicious-powerpoint-add-on-s…
∗∗∗ Ransomware eCh0raix and Qlocker are targeting Qnap NAS ∗∗∗
---------------------------------------------
Because of current ransomware attacks on Qnap network-attached storage (NAS) devices, all owners should keep the software up to date.
---------------------------------------------
https://heise.de/-6026483
∗∗∗ Security researchers: AirDrop can reveal the iPhone owner's contact details ∗∗∗
---------------------------------------------
Phone number and e-mail address are hashed but can be recovered by nearby attackers, the researchers say. Apple has reportedly known about the flaw for two years.
---------------------------------------------
https://heise.de/-6026661
∗∗∗ Microsoft calling? Better hang up! ∗∗∗
---------------------------------------------
Calls from supposed Microsoft employees are once again on the rise. These are fraudsters who call people at random and claim there is a problem with the victim's computer. The scheme behind it: criminals want to gain access to your computer and harvest sensitive data. Hang up immediately on such calls!
---------------------------------------------
https://www.watchlist-internet.at/news/microsoft-ruft-an-legen-sie-lieber-a…
∗∗∗ Network Attack Trends: Internet of Threats (November 2020-January 2021) ∗∗∗
---------------------------------------------
Network attack trends in the Winter quarter of 2020 revealed some interesting trends, such as increased attacker preference for newly released vulnerabilities and a large uptick in attacks deemed Critical. In addition to details of the newly observed exploits, in this blog, we also dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
---------------------------------------------
https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
∗∗∗ Attack on anti-phishing banners in emails ∗∗∗
---------------------------------------------
While analysing warnings about phishing emails, SySS found significant shortcomings that allow attackers to hide such banners.
---------------------------------------------
https://www.syss.de/pentest-blog/angriff-auf-anti-phishing-banner-in-e-mails
∗∗∗ Sysrv: A new crypto-mining botnet is silently growing in the shadows ∗∗∗
---------------------------------------------
If you forget to update or properly secure an internet-connected server or web app, the chances are that a crypto-mining botnet will infect it first, long before any nation-state hacking group. Crypto-mining botnets have been a plague on the internet for the past three years, and despite the space being more than saturated, new botnets are being built and discovered on a regular basis, driven mainly by cybercriminals' unquenched thirst for easy money.
---------------------------------------------
https://therecord.media/sysrv-a-new-crypto-mining-botnet-is-silently-growin…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sipwise C5 NGCP CSC CSRF Click2Dial Exploit ∗∗∗
---------------------------------------------
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5649.php
∗∗∗ Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities ∗∗∗
---------------------------------------------
Sipwise software platform suffers from multiple authenticated stored and reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php
∗∗∗ BOSCH-SA-918106 - ctrlX Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in operating system libraries and the Linux kernel have been reported which in a worst case scenario could allow an attacker to compromise the system by provoking a crash or the execution of malicious code. The affected functions are not used directly by any Rexroth software component and therefore the risk of an attacker being able to exploit the vulnerability is considered as low. Nevertheless, it cannot be completely ruled out that the functions might be called [...]
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-918106.html
∗∗∗ Security Bulletin: Trend Micro HouseCall for Home Networks Incorrect Permission Assignment Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
Trend Micro has released an updated version of Trend Micro HouseCall for Home Networks which resolves two incorrect permission assignment vulnerabilities that may lead to privilege escalation.
---------------------------------------------
https://helpcenter.trendmicro.com/en-us/article/TMKA-10310
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, openjdk-8, and wpa), openSUSE (irssi, jhead, opera, and python-django-registration), SUSE (firefox and qemu), and Ubuntu (dnsmasq and shibboleth-sp).
---------------------------------------------
https://lwn.net/Articles/854215/
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Input Validation and Improper Access Control vulnerabilities in Horner Automation Cscape control system application programming software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-112-01
∗∗∗ Mitsubishi Electric GOT ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Authentication vulnerability in Mitsubishi Electric's GOT human-machine interface products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-112-02
∗∗∗ Security Bulletin: Series of vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-series-of-vulnerabilities…
∗∗∗ Security Bulletin: A vulnerability in IBM® Runtime Environments Java™ Technology Edition Versions affects IBM® Db2®. (January 2021 CPU) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ru…
∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: Vulnerability in Apache MyFaces affects Liberty for Java for IBM Cloud (CVE-2021-26296) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-m…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: IBM DB2 Server Vulnerabilities Affect IBM Emptoris Emptoris Supplier Lifecycle Mgmt ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-server-vulnerabil…
∗∗∗ Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2017-1000190) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 21-04-2021 18:00 − Thursday 22-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Makers of the Signal messenger hack Cellebrite's spyware ∗∗∗
---------------------------------------------
The Signal developers show in a video how a specially prepared iPhone defeats the Cellebrite software used by law enforcement agencies.
---------------------------------------------
https://heise.de/-6024421
∗∗∗ Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices ∗∗∗
---------------------------------------------
A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-a…
∗∗∗ Attackers can hide external sender email warnings with HTML and CSS ∗∗∗
---------------------------------------------
The "external sender" warnings shown to email recipients by clients like Microsoft Outlook can be hidden by the sender, as demonstrated by a researcher. Turns out, all it takes for attackers to alter the "external sender" warning, or remove it altogether from emails, is just a few lines of HTML and CSS code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/attackers-can-hide-external-…
∗∗∗ Telegram Platform Abused in ‘ToxicEye’ Malware Campaigns ∗∗∗
---------------------------------------------
Even if the app is not installed or in use, threat actors can use it to spread malware through email campaigns and take over victims’ machines, new research has found.
---------------------------------------------
https://threatpost.com/telegram-toxiceye-malware/165543/
∗∗∗ Announcing the New Reports API ∗∗∗
---------------------------------------------
We are happy to announce a completely new way of accessing our reports - via a RESTful API. Every report recipient can now choose to opt in to this delivery method and receive a unique API key and unique secret.
---------------------------------------------
https://www.shadowserver.org/news/announcing-the-new-reports-api/
∗∗∗ All Your Databases Belong To Me! A Blind SQLi Case Study ∗∗∗
---------------------------------------------
The following blog post does not include any novel attack vectors. On the contrary, it serves as a humble reminder that the same software bugs discovered more than a decade ago are also found in commercial software products in 2021. It also highlights once more the necessity of conducting security assessments on a regular basis.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-da…
∗∗∗ Researchers Find Additional Infrastructure Used By SolarWinds Hackers ∗∗∗
---------------------------------------------
The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, [...]
---------------------------------------------
https://thehackernews.com/2021/04/researchers-find-additional.html
∗∗∗ [SANS ISC] How Safe Are Your Docker Images? ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “How Safe Are Your Docker Images?“: Today, I don’t know any organization that is not using Docker. For test and development only or for full production systems, containers are deployed everywhere! In the same way, most popular tools today have a "dockerized" version ready to use, sometimes maintained by the developers themselves, sometimes maintained by third parties. An example is the Docker container that I created with all Didier’s tools. Today, we are also facing a new threat: supply chain attacks (think about Solarwinds or, more recently, CodeCov). Mix the attraction of container technologies with this threat, and we realize that Docker images are a great way to compromise an organization!
---------------------------------------------
https://blog.rootshell.be/2021/04/22/sans-isc-how-safe-are-your-docker-imag…
∗∗∗ PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately ∗∗∗
---------------------------------------------
Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-p…
∗∗∗ Now this botnet is hunting for unpatched Microsoft Exchange servers ∗∗∗
---------------------------------------------
Prometei botnet's key goal is cryptojacking - but its powerful capabilities could see it deployed for much more dangerous attacks.
---------------------------------------------
https://www.zdnet.com/article/now-this-botnet-is-hunting-for-unpatched-micr…
∗∗∗ CISA Incident Response to SUPERNOVA Malware ∗∗∗
---------------------------------------------
CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advanced persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement. CISA encourages organizations to review AR21-112A for more information.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/22/cisa-incident-res…
∗∗∗ AirDrop bugs expose Apple users' email addresses, phone numbers ∗∗∗
---------------------------------------------
A team of academics from a German university said it discovered two vulnerabilities that can be abused to extract phone numbers and email addresses from Apple's AirDrop file transfer feature.
---------------------------------------------
https://therecord.media/airdrop-bugs-expose-apple-users-email-addresses-pho…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories for Cisco SD-WAN vManage Software ∗∗∗
---------------------------------------------
Cisco has published 5 security advisories for Cisco SD-WAN vManage Software, all of which are classified as "Medium".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Security updates: Static credentials endanger Qnap NAS ∗∗∗
---------------------------------------------
A critical flaw in HBS 3 Hybrid Backup Sync puts Qnap network-attached storage (NAS) devices at risk.
---------------------------------------------
https://heise.de/-6025271
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird and wordpress), Fedora (curl, firefox, mediawiki, mingw-binutils, os-autoinst, and rpm-ostree), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (kernel, pcp, and tomcat6), and Ubuntu (linux, linux-aws, linux-gke-5.3, linux-hwe, linux-kvm, linux-lts-xenial, linux-oem-5.6, linux-raspi2-5.3, linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/853953/
∗∗∗ Google rushes out fix for zero‑day vulnerability in Chrome ∗∗∗
---------------------------------------------
The update patches a total of seven security flaws in the desktop versions of the popular web browser.
---------------------------------------------
https://www.welivesecurity.com/2021/04/21/google-fix-zero-day-vulnerability…
∗∗∗ Drupal: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0432
∗∗∗ Red Hat OpenShift: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0431
∗∗∗ Stored XSS (outdated software library) in BMDWeb 2.0 ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-veraltete-…
∗∗∗ Security Bulletin: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-aff…
∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a…
∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities on IBM Watson Machine Learning Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln…
∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Performance Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 20-04-2021 18:00 − Wednesday 21-04-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Brace yourselves. Facebook has a new mega-leak on its hands ∗∗∗
---------------------------------------------
Facebook Email Search v1.0 can process 5 million email addresses per day, researcher says.
---------------------------------------------
https://arstechnica.com/?p=1758893
∗∗∗ Logins for 1.3 million Windows RDP servers collected from hacker market ∗∗∗
---------------------------------------------
The login names and passwords for 1.3 million current and historically compromised Windows Remote Desktop servers have been leaked by UAS, the largest hacker marketplace for stolen RDP credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/logins-for-13-million-window…
∗∗∗ New article: Run your malicious VBA macros anywhere! ∗∗∗
---------------------------------------------
Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.
---------------------------------------------
https://www.virusbulletin.com/blog/2021/04/new-article-run-your-malicious-v…
∗∗∗ CVE-2021-30481: Source engine remote code execution via game invites ∗∗∗
---------------------------------------------
In this blog post, we will look at how an attacker can use the Steamworks API in combination with various features and properties of the Source engine to gain remote code execution (RCE) through malicious Steam game invites.
---------------------------------------------
https://secret.club/2021/04/20/source-engine-rce-invite.html
∗∗∗ A year of Fajan evolution and Bloomberg themed campaigns ∗∗∗
---------------------------------------------
Some malware campaigns are designed to spread malware to as many people as possible — while some others carefully choose their targets. Cisco Talos recently discovered a malware campaign that does not fit in any of the two categories.
---------------------------------------------
https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bl…
∗∗∗ Classified-ad fraud: Beware of transactions handled via fictitious shipping companies! ∗∗∗
---------------------------------------------
Selling used goods via classified-ad portals such as willhaben.at, shpock.com or ebay.at is booming. But beware: fraud on such platforms is also being reported to us frequently at the moment. Particularly popular among criminals is handling the purchase via fictitious shipping companies.
---------------------------------------------
https://www.watchlist-internet.at/news/kleinanzeigenbetrug-vorsicht-bei-abw…
∗∗∗ WhatsApp Pink: Watch out for this fake update ∗∗∗
---------------------------------------------
The malware sends automated replies to messages on WhatsApp and other major chat apps.
---------------------------------------------
https://www.welivesecurity.com/2021/04/20/whatsapp-pink-watch-out-fake-upda…
=====================
= Vulnerabilities =
=====================
∗∗∗ Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit ∗∗∗
---------------------------------------------
Google on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild.
---------------------------------------------
https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.ht…
∗∗∗ Oracle releases 390 security updates for MySQL, Java & Co. ∗∗∗
---------------------------------------------
In its quarterly update, Oracle patches its way through its software portfolio and closes, among others, several critical security holes.
---------------------------------------------
https://heise.de/-6022746
∗∗∗ Patch now! Attacks on SonicWall email security appliances ∗∗∗
---------------------------------------------
There are important updates for SonicWall's "Email Security". Attackers are currently actively exploiting a flaw.
---------------------------------------------
https://heise.de/-6022716
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, php-pear, wordpress, and zabbix), Oracle (java-1.8.0-openjdk and java-11-openjdk), Red Hat (java-1.8.0-openjdk, java-11-openjdk, kernel, and kpatch-patch), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (seamonkey), SUSE (apache-commons-io, ImageMagick, kvm, ruby2.5, and sudo), and Ubuntu (edk2, libcaca, ntp, and ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/853759/
∗∗∗ VU#567764: MySQL for Windows is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/567764
∗∗∗ ZDI-21-442: (0Day) Advantech WebAccess/HMI Designer SNF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-442/
∗∗∗ ZDI-21-441: (0Day) Advantech WebAccess/HMI Designer PLF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-441/
∗∗∗ Security Bulletin: Multiple vulnerabilities in Eclipse Jetty affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2019-17558) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20454) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Vulnerability in jersey affect Apache Zookeeper shipped with IBM Operations Analytics – Log Analysis (CVE-2014-3643) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jersey-a…
∗∗∗ Security Bulletin: Security Bulletin: IBM SDK Java Quarterly CPU Oct 2020 Vulnerabilities Affect IBM Transformation Extender ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-ibm-sdk…
∗∗∗ Security Bulletin: SMTP for IBM i is affected by CVE-2021-20501 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-smtp-for-ibm-i-is-affecte…
∗∗∗ Security Bulletin: Update available for OpenSSL vulnerabilities affecting IBM Watson Speech Services 1.2.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-update-available-for-open…
∗∗∗ Security Bulletin: protobuf Vulnerability in Apache Solr affect IBM Operations Analytics – Log Analysis Analysis (CVE-2015-5237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-protobuf-vulnerability-in…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java and Apache Tomcat affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerability in Apache Ant affect IBM Operations Analytics – Log Analysis Analysis (CVE-2020-1945) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a…
∗∗∗ Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-re…
∗∗∗ Hitachi ABB Power Grids Ellipse APM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-01
∗∗∗ Rockwell Automation Stratix Switches ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-02
∗∗∗ Delta Industrial Automation COMMGR ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-03
∗∗∗ Delta Electronics CNCSoft ScreenEditor ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-04
∗∗∗ Delta Electronics CNCSoft-B ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-05
∗∗∗ Eaton Intelligent Power Manager ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-06
∗∗∗ Siemens Mendix ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-07
=====================
= End-of-Day report =
=====================
Timeframe: Monday 19-04-2021 18:00 − Tuesday 20-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Remote Code Execution: Attacks on Pulse Secure VPN devices ∗∗∗
---------------------------------------------
Pulse Secure products are affected by a critical security vulnerability for which no patch exists. Attacks are already taking place.
---------------------------------------------
https://www.golem.de/news/remote-code-execution-angriffe-auf-vpn-geraete-vo…
∗∗∗ Google Play apps with 700k installs steal texts and charge you money ∗∗∗
---------------------------------------------
Google removes eight apps after receiving report from researchers.
---------------------------------------------
https://arstechnica.com/?p=1758227
∗∗∗ Fake Microsoft Store, Spotify sites spread info-stealing malware ∗∗∗
---------------------------------------------
Attackers are promoting sites impersonating the Microsoft Store, Spotify, and an online document converter that distribute malware to steal credit cards and passwords saved in web browsers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify…
∗∗∗ Breaking ABUS Secvest internet-connected alarm systems (CVE-2020-28973) ∗∗∗
---------------------------------------------
ABUS Secvest is a wireless alarm system that is marketed at consumers and small businesses. It is usually deployed by a specialized company. A Secvest FUAA50000 controller costs about EUR400. A typical deployment with motion sensors, a siren and door/window sensors can cost thousands of euros. In this article I will describe how more than 10.000 internet-connected alarm systems could be hacked and deactivated remotely.
---------------------------------------------
https://eye.security/en/blog/breaking-abus-secvest-internet-connected-alarm…
∗∗∗ Firefox & Thunderbird: Security-relevant updates for browser & email client ∗∗∗
---------------------------------------------
Mozilla has released Firefox 88 along with its ESR counterpart as well as Thunderbird 78.10. Among other things, the releases also include important vulnerability fixes.
---------------------------------------------
https://heise.de/-6021309
∗∗∗ Facebook Messenger users targeted by a large-scale scam ∗∗∗
---------------------------------------------
A large-scale scam campaign targeting Facebook Messenger users all over the world has been detected by Group-IB. Digital Risk Protection (DRP) analysts have found evidence proving that users in over 80 countries in Europe, Asia, the MEA region, North and South America might have been affected. By distributing ads promoting an allegedly updated version of Facebook Messenger, cybercriminals harvested users’ login credentials.
---------------------------------------------
https://www.helpnetsecurity.com/2021/04/20/facebook-messenger-scam/
∗∗∗ Email: Business owners are urged to buy Corona tests from "testversand.com" ∗∗∗
---------------------------------------------
In Germany, as of today, employers must provide Corona tests for employees who are not working from home. Criminals are exploiting this measure and contacting numerous business owners to recommend the dubious online shop for Corona tests "testversand.com". It is to be expected that this email is also being sent to Austrian business owners.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-unternehmerinnen-werden-aufge…
∗∗∗ Multi-factor authentication: Use it for all the people that access your network, all the time ∗∗∗
---------------------------------------------
The vast majority of cyberattacks involve a password being hacked - providing your employees with multi-factor authentication could go a long way towards stopping cyber criminals breaking into your network.
---------------------------------------------
https://www.zdnet.com/article/multi-factor-authentication-use-it-for-all-th…
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Synology DiskStation Manager ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in Synology DiskStation Manager. DSM is the Linux-based operating system for every Synology network-attached storage device (NAS).
---------------------------------------------
https://blog.talosintelligence.com/2021/04/vuln-spotlight-synology-dsm.html
∗∗∗ Widespread Attacks Continue Targeting Vulnerabilities in The Plus Addons for Elementor Pro ∗∗∗
---------------------------------------------
Over the past 10 days, Wordfence has blocked over 14 million attacks targeting Privilege Escalation Vulnerabilities in The Plus Addons for Elementor Pro on over 75% of sites reporting attacks during this period. By April 13, 2021, this campaign was targeting more sites than all other campaigns put together.
---------------------------------------------
https://www.wordfence.com/blog/2021/04/widespread-attacks-continue-targetin…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server), Fedora (CImg, gmic, leptonica, mingw-binutils, mingw-glib2, mingw-leptonica, mingw-python3, nodejs, and seamonkey), openSUSE (irssi, kernel, nextcloud-desktop, python-django-registration, and thunderbird), Red Hat (389-ds:1.4, kernel, kernel-rt, perl, and pki-core:10.6), SUSE (kernel, sudo, and xen), and Ubuntu (clamav and openslp-dfsg).
---------------------------------------------
https://lwn.net/Articles/853614/
∗∗∗ Security Bulletin: Vulnerabilities in Java affect IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20453) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2020-1968) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2020-1971). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the Libraries component could affect InfoSphere Streams version 4.3 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-i…
∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis is affected by an Apache Zookeeper vulnerability (CVE-2019-0201) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
∗∗∗ Security Bulletin: Apache Solr, shipped with IBM Operations Analytics – Log Analysis, susceptible to vulnerability in Apache POI (CVE-2019-12415) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-solr-shipped-with-…
∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the JNDI component could affect InfoSphere Streams ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil…
∗∗∗ Security Bulletin: Potential TLS vulnerability using Diffie-Hellman TLS ciphersuites in IBM DataPower Gateway (CVE-2020-1968) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-tls-vulnerabili…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 16-04-2021 18:00 − Monday 19-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Codecov: Hacked developer tool Bash Uploader abused for data theft ∗∗∗
---------------------------------------------
Unknown actors manipulated the Bash Uploader code. The incident, which went unnoticed for two months, potentially also affects several well-known companies.
---------------------------------------------
https://heise.de/-6019302
∗∗∗ Ryuk ransomware operation updates hacking techniques ∗∗∗
---------------------------------------------
Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-operation-up…
∗∗∗ NitroRansomware Distributed as A Fake Free Nitro Gift Code Generator ∗∗∗
---------------------------------------------
BleepingComputer owner Lawrence Abrams reported infections by a new ransomware dubbed NitroRansomware, which demands a Discord Nitro gift code from victims to decrypt their files.
---------------------------------------------
https://heimdalsecurity.com/blog/nitroransomware-distributed-as-a-fake-free…
∗∗∗ BazarLoader Malware Abuses Slack, BaseCamp Clouds ∗∗∗
---------------------------------------------
Two cyberattack campaigns are making the rounds using unique social-engineering techniques.
---------------------------------------------
https://threatpost.com/bazarloader-malware-slack-basecamp/165455/
∗∗∗ Serious Security: Rowhammer is back, but now it’s called SMASH ∗∗∗
---------------------------------------------
Simply put: reading from RAM in your program could write to RAM in someone else's.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/04/19/serious-security-rowhammer-is-b…
∗∗∗ Querying Spamhaus for IP reputation, (Fri, Apr 16th) ∗∗∗
---------------------------------------------
Way back in 2018 I posted a diary describing how I have been using the Neutrino API to do IP reputation checks. In the subsequent 2+ years that python script has evolved some which hopefully I can go over at some point in the future, but for now I would like to show you the most recent capability I added into that script.
---------------------------------------------
https://isc.sans.edu/diary/rss/27320
∗∗∗ Decoding Cobalt Strike Traffic, (Sun, Apr 18th) ∗∗∗
---------------------------------------------
In diary entry "Example of Cleartext Cobalt Strike Traffic (Thanks Brad)" I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted since the malicious actors used a trial version of Cobalt Strike.
---------------------------------------------
https://isc.sans.edu/diary/rss/27322
∗∗∗ Hunting phishing websites with favicon hashes, (Mon, Apr 19th) ∗∗∗
---------------------------------------------
HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense - since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way.
---------------------------------------------
https://isc.sans.edu/diary/rss/27326
∗∗∗ Malware Spreads Via Xcode Projects Now Targeting Apple's M1-based Macs ∗∗∗
---------------------------------------------
A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects which, upon being built, were configured to execute the payload.
---------------------------------------------
https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.ht…
∗∗∗ Malvertisers hacked 120 ad servers to load malicious ads ∗∗∗
---------------------------------------------
A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads that redirected website visitors to sites promoting scams and malware.
---------------------------------------------
https://therecord.media/malvertisers-hacked-120-ad-servers-to-load-maliciou…
∗∗∗ Fuzzing and PR’ing: How We Found Bugs in a Popular Third-Party EtherNet/IP Protocol Stack ∗∗∗
---------------------------------------------
The Claroty Research Team today announces that it has added the necessary infrastructure to incorporate the popular AFL fuzzer into the OpENer EtherNet/IP stack.
---------------------------------------------
https://claroty.com/2021/04/15/blog-research-fuzzing-and-pring/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical malicious-code vulnerabilities in Qnap NAS systems closed ∗∗∗
---------------------------------------------
Flaws in various components make network-attached storage (NAS) devices from Qnap vulnerable. Security updates are available.
---------------------------------------------
https://heise.de/-6019234
∗∗∗ VMSA-2021-0006 ∗∗∗
---------------------------------------------
A privilege escalation vulnerability in VMware NSX-T was privately reported to VMware. Updates are available to remediate this vulnerability in the affected VMware product.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0006.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (nettle, squid, and thunderbird), Debian (libebml, python-bleach, and python2.7), Fedora (batik, gnuchess, kernel-headers, kernel-tools, ruby, singularity, and xorg-x11-server), Mageia (clamav, kernel, kernel-linus, and python3), openSUSE (chromium, fluidsynth, opensc, python-bleach, and wpa_supplicant), Oracle (gnutls and nettle), Red Hat (dpdk, gnutls and nettle, mariadb:10.3 and mariadb-devel:10.3, and redhat-ds:11), and SUSE (kernel, qemu, and [...]
---------------------------------------------
https://lwn.net/Articles/853420/
∗∗∗ iApps vulnerability CVE-2020-17507 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11542555
∗∗∗ libcroco vulnerability CVE-2020-12825 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01074825
∗∗∗ Dell integrated Dell Remote Access Controller: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0397
∗∗∗ Security Bulletin: Vulnerability with Apache Tika in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2018-8017) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-with-apache…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Tika affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential code injection vulnerability (CVE-2020-5268) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by Vulnerabilities in Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c…
∗∗∗ Security Bulletin: Vulnerability in Apache PDFBox affects Apache Solr shipped with IBM Operations Analytics – Log Analysis (CVE-2018-8036) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-p…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vul…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 15-04-2021 18:00 − Friday 16-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security vulnerabilities: Google Project Zero gives users 30 days to patch ∗∗∗
---------------------------------------------
With the new policy, Google's Project Zero hopes for more security for users and faster patches.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-google-project-zero-gibt-nutze…
∗∗∗ [SANS ISC] HTTPS Support for All Internal Services ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “HTTPS Support for All Internal Services”: SSL/TLS has been on stage for a while with deprecated protocols, free certificates for everybody. The landscape is changing to force more and more people to switch to encrypted communications and this is good! Like Johannes explained yesterday, [...]
---------------------------------------------
https://blog.rootshell.be/2021/04/16/sans-isc-https-support-for-all-interna…
∗∗∗ The rise of QakBot ∗∗∗
---------------------------------------------
AT&T Alien Labs closely monitors the evolution of crimeware such as the QakBot malware family and campaigns in connection with QakBot. The jointly coordinated takedown of the actors behind Emotet in late January has left a gap in the cybercrime landscape, which QakBot seems poised to fill.
---------------------------------------------
https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot
∗∗∗ “Huge upsurge” in DDoS attacks during pandemic ∗∗∗
---------------------------------------------
A new report by Netscout sets out yet another way in which 2020 was a record-breaking year for all the wrong reasons.
---------------------------------------------
https://blog.malwarebytes.com/reports/2021/04/huge-upsurge-in-ddos-attacks-…
∗∗∗ Security vs User Journey ∗∗∗
---------------------------------------------
Something I often think about is how my recommendations for clients to fix small security issues can spoil / complicate their users’ journey. UX matters I understand that UX is [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/security-vs-user-journey/
∗∗∗ Are Your Nagios XI Servers Turning Into Cryptocurrency Miners for Attackers? ∗∗∗
---------------------------------------------
Unit 42 researchers found an attack in the wild targeting Nagios XI 5.7.5 that exploits CVE-2021-25296 and drops a cryptocurrency miner. Read more for an analysis of the vulnerable code, the resulting command injection, and the malicious scripts.
---------------------------------------------
https://unit42.paloaltonetworks.com/nagios-xi-vulnerability-cryptomining/
∗∗∗ CISA and CNMF Analysis of SolarWinds-related Malware ∗∗∗
---------------------------------------------
CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/cisa-and-cnmf-ana…
∗∗∗ Codecov discloses 2.5-month-long supply chain attack ∗∗∗
---------------------------------------------
Codecov, a software company that provides code testing and code statistics solutions, disclosed on Thursday a major security breach after a threat actor managed to breach its platform and add a credentials harvester to one of its tools.
---------------------------------------------
https://therecord.media/codecov-discloses-2-5-month-long-supply-chain-attac…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (smarty3), Fedora (libpano13, python3.8, and seamonkey), Mageia (chromium-browser-stable, gstreamer1.0, thunderbird, and x11-server), Oracle (libldb and thunderbird), SUSE (grafana and system-user-grafana, kernel, and openldap2), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, [...]
---------------------------------------------
https://lwn.net/Articles/852978/
∗∗∗ Schneider Electric C-Bus Toolkit ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Privilege Management and Path Traversal vulnerabilities in the Schneider Electric C-Bus Toolkit.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-105-01
∗∗∗ EIPStackGroup OpENer Ethernet/IP ∗∗∗
---------------------------------------------
This advisory contains mitigations for Incorrect Conversion Between Numeric Types, Stack-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in EIPStackGroup OpENer Ethernet IP.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-105-02
∗∗∗ Multiple NSS vulnerabilities CVE-2020-6829, CVE-2020-12400, CVE-2020-12401, and CVE-2020-12402 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K61267093
∗∗∗ NSS vulnerability CVE-2020-12403 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13290208
∗∗∗ LibreOffice: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0393
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 14-04-2021 18:00 − Thursday 15-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security vulnerabilities: Clicking a link leads to remote code execution ∗∗∗
---------------------------------------------
Numerous applications contain security vulnerabilities in the handling of links; among those affected are VLC, LibreOffice and Telegram.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-link-anklicken-fuehrt-zu-remot…
∗∗∗ WordPress Continues to Fall Victim to Carding Attacks ∗∗∗
---------------------------------------------
Unsurprisingly, as WordPress continues to increase in popularity as an e-commerce platform, attackers continue to attempt to steal credit card information from unsuspecting clients. Currently, the WordPress plugin WooCommerce accounts for roughly a quarter of all online stores. Over recent years, attackers whose goal it is to fraudulently obtain credit card information have mostly focused on e-commerce specific platforms such as Magento, PrestaShop and OpenCart [...]
---------------------------------------------
https://blog.sucuri.net/2021/04/credit-card-swipers-in-wordpress.html
∗∗∗ Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched ∗∗∗
---------------------------------------------
A researcher has made public an exploit and details for an unpatched vulnerability affecting Chrome, Edge and other web browsers that are based on the open source Chromium project. This is the second Chromium proof-of-concept (PoC) exploit released this week.
---------------------------------------------
https://www.securityweek.com/exploit-second-unpatched-chromium-flaw-made-pu…
=====================
= Vulnerabilities =
=====================
∗∗∗ SSA-875726 V1.0: Privilege Escalation Vulnerability in Mendix ∗∗∗
---------------------------------------------
The latest updates for Mendix fix a vulnerability in Mendix Applications that could allow malicious authorized users to escalate their privileges. Mendix has released an update for Mendix and recommends updating to the latest version.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-875726.txt
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server), Fedora (kernel), openSUSE (clamav, fluidsynth, python-bleach, spamassassin, and xorg-x11-server), Red Hat (gnutls and nettle, libldb, and thunderbird), Scientific Linux (thunderbird), SUSE (clamav, util-linux, and xorg-x11-server), and Ubuntu (network-manager and underscore).
---------------------------------------------
https://lwn.net/Articles/852726/
∗∗∗ Juniper JUNOS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous or local attacker can exploit multiple vulnerabilities in Juniper JUNOS, Juniper Junos Evolved and Juniper SRX Series to carry out a denial of service attack, bypass security measures, disclose information, execute code, escalate privileges and execute arbitrary code with administrator rights.
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS…
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0387
∗∗∗ Red Hat Virtualization Engine: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in the Red Hat Virtualization Engine to carry out a cross-site scripting attack, execute arbitrary code, trigger a denial of service condition and bypass cryptographic measures.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0385
∗∗∗ WordPress: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0391
∗∗∗ Atlassian Jira Software: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0390
∗∗∗ McAfee Endpoint Security: Vulnerability allows manipulation of data ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0388
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 13-04-2021 18:00 − Wednesday 14-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Microsoft closes further holes in Windows and the mail/groupware system Exchange ∗∗∗
---------------------------------------------
Microsoft releases over 2700 critical and important updates for Exchange and Windows 10, but also for Windows 7 and 8.1 as well as older server systems.
---------------------------------------------
https://heise.de/-6015002
∗∗∗ Patch day: Adobe distributes security updates against partly critical vulnerabilities ∗∗∗
---------------------------------------------
Critical security vulnerabilities were removed from Adobe Photoshop, Digital Editions & Bridge (Windows, macOS). RoboHelp for Windows also received an important update.
---------------------------------------------
https://heise.de/-6015086
∗∗∗ Microsoft patch day: Updates remove actively exploited attack path from Windows ∗∗∗
---------------------------------------------
On patch day, Microsoft fixed, among other things, a vulnerability in the Desktop Window Manager in Windows 10 and its server counterparts that is currently being actively exploited.
---------------------------------------------
https://heise.de/-6015082
∗∗∗ Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere ∗∗∗
---------------------------------------------
Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security [...]
---------------------------------------------
https://blog.talosintelligence.com/2021/04/vuln-spotlight-azure-sphere-apri…
∗∗∗ Caution! Dubious practices at over 120 dating platforms run by Date4Friend AG! ∗∗∗
---------------------------------------------
The Swiss company Date4Friend AG operates numerous dating platforms in the German-speaking region. But many users are annoyed by the offers from Date4Friend AG. Supposedly cheap subscriptions quickly turn out to be expensive subscription traps. Consumers also complain that subscription cancellations are not accepted.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-unserioese-praktiken-bei-ue…
∗∗∗ 100,000 Google Sites Used to Install SolarMarket RAT ∗∗∗
---------------------------------------------
Search-engine optimization (SEO) tactics direct users searching for common business forms such as invoices, receipts or other templates to hacker-controlled Google-hosted domains.
---------------------------------------------
https://threatpost.com/google-sites-solarmarket-rat/165396/
∗∗∗ 2020 annual report of CERT.at and GovCERT Austria published ∗∗∗
---------------------------------------------
A lot happened in IT security in Austria in 2020: in January, CVE-2019-19781 a.k.a. "Shitrix" and the attack on the BMEIA made for a turbulent start, and for the rest of the year we were kept busy by, among other things, Emotet, ransomware and unapplied updates. But plenty also happened beyond the day-to-day business of IT security [...]
---------------------------------------------
https://cert.at/de/aktuelles/2021/4/jahresbericht-2020-von-certat-und-govce…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483: Four Critical Microsoft Exchange Server Vulnerabilities Patched in April Patch Tuesday ∗∗∗
---------------------------------------------
One month after disclosing four zero-day vulnerabilities in Exchange Server, Microsoft addresses four additional vulnerabilities discovered by the National Security Agency (NSA).
---------------------------------------------
https://de.tenable.com/blog/cve-2021-28480-cve-2021-28481-cve-2021-28482-cv…
∗∗∗ New WhatsApp Bugs Could've Let Attackers Hack Your Phone Remotely ∗∗∗
---------------------------------------------
Facebook-owned WhatsApp recently addressed two security vulnerabilities in its messaging app for Android that could have been exploited to execute malicious code remotely on the device and even compromise encrypted communications. The flaws take aim at devices running Android versions up to and including Android 9 by carrying out what's known as a "man-in-the-disk" attack [...]
---------------------------------------------
https://thehackernews.com/2021/04/new-whatsapp-bug-couldve-let-attackers.ht…
∗∗∗ Recent Patches Rock the Elementor Ecosystem ∗∗∗
---------------------------------------------
Over the last few weeks, the Wordfence Threat Intelligence team has responsibly disclosed vulnerabilities in more than 15 of the most popular addon plugins for Elementor, which are collectively installed on over 3.5 million sites. All together, our team found over 100 vulnerable endpoints.
---------------------------------------------
https://www.wordfence.com/blog/2021/04/recent-patches-rock-the-elementor-ec…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (screen), Debian (clamav, courier-authlib, and tomcat9), Red Hat (thunderbird), SUSE (clamav, glibc, kernel, open-iscsi, opensc, spamassassin, thunderbird, wpa_supplicant, and xorg-x11-server), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, [...]
---------------------------------------------
https://lwn.net/Articles/852627/
∗∗∗ New Vulnerability Affecting Container Engines CRI-O and Podman (CVE-2021-20291) ∗∗∗
---------------------------------------------
CVE-2021-20291 leads to a denial of service of the container engines CRI-O and Podman when pulling a malicious image from a registry.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2021-20291/
∗∗∗ Schneider Electric SoMachine Basic ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Schneider Electric SoMachine Basic software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-01
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Incorrect Permission Assignment for Critical Resource vulnerability in Advantech WebAccess/SCADA browser-based software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-02
∗∗∗ JTEKT TOYOPUC products ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Resource Shutdown or Release vulnerability in JTEKT TOYOPUC programmable logic controller products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-03
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Reflected cross-site scripting in Microsoft Azure DevOps Server ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-in-microso…
∗∗∗ vBulletin Connect: Vulnerability allows unspecified attack ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0373
=====================
= End-of-Day report =
=====================
Timeframe: Monday 12-04-2021 18:00 − Tuesday 13-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ NAME:WRECK DNS vulnerabilities affect over 100 million devices ∗∗∗
---------------------------------------------
Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/name-wreck-dns-vulnerabiliti…
∗∗∗ RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers ∗∗∗
---------------------------------------------
An Indian security researcher has publicly published a proof-of-concept (PoC) exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave.
---------------------------------------------
https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html
∗∗∗ CISA Details Malware Found on Hacked Exchange Servers ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published details on additional malware identified on compromised Microsoft Exchange servers, namely China Chopper webshells and DearCry ransomware.
---------------------------------------------
https://www.securityweek.com/cisa-details-malware-found-hacked-exchange-ser…
∗∗∗ Dubious credit card charges from screenacy.co ∗∗∗
---------------------------------------------
If your credit card is charged a monthly amount by screenacy.co without you having ordered or subscribed to anything, you have most likely fallen into a subscription trap. Many of those affected cannot trace where and why a contract was concluded; usually, however, it was through deliberate deception.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-kreditkartenabbuchungen-v…
∗∗∗ Winter 2020 Network Attack Trends: Internet of Threats ∗∗∗
---------------------------------------------
Network attack trends in the Winter quarter of 2020 revealed some interesting trends, such as increased attacker preference for newly released vulnerabilities and a large uptick in attacks deemed Critical. In addition to details of the newly observed exploits, in this blog, we also dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
---------------------------------------------
https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
∗∗∗ Threat Assessment: Clop Ransomware ∗∗∗
---------------------------------------------
In response to an uptick in Clop ransomware activity, we provide an overview and courses of action that can be used to mitigate it.
---------------------------------------------
https://unit42.paloaltonetworks.com/clop-ransomware/
∗∗∗ Threat Actor Type Inference and Characterization within Cyber Threat Intelligence. (arXiv:2103.02301v3 [cs.CR] UPDATED) ∗∗∗
---------------------------------------------
As the cyber threat landscape is constantly becoming increasingly complex and polymorphic, the more critical it becomes to understand the enemy and its modus operandi for anticipatory threat reduction. Even though the cyber security community has developed a certain maturity in describing and sharing technical indicators for informing defense components, we still struggle with non-uniform, unstructured, and ambiguous higher-level information, such as the threat actor context, thereby limiting our ability to correlate with different sources to derive more contextual, accurate, and relevant intelligence.
---------------------------------------------
https://arxiv.org/abs/2103.02301
=====================
= Vulnerabilities =
=====================
∗∗∗ [20210402] - Core - Inadequate filters on module layout settings ∗∗∗
---------------------------------------------
Inadequate filters on module layout settings could lead to an LFI.
---------------------------------------------
https://developer.joomla.org:443/security-centre/851-20210402-core-inadequa…
∗∗∗ [20210401] - Core - Escape xss in logo parameter error pages ∗∗∗
---------------------------------------------
Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages.
---------------------------------------------
https://developer.joomla.org:443/security-centre/850-20210401-core-escape-x…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libpano13), Fedora (mosquitto and perl-Net-CIDR-Lite), Mageia (curl, mongodb, pdfbox, python-jinja2, rygel, spamassassin, tor, velocity, webkit2, and wireshark), openSUSE (umoci), Oracle (389-ds:1.4, kernel, and virt:ol and virt-devel:rhel), Red Hat (kernel and kpatch-patch), Slackware (dnsmasq and irssi), and SUSE (cifs-utils, rubygem-actionpack-4_2, and spamassassin).
---------------------------------------------
https://lwn.net/Articles/852526/
∗∗∗ Exploit Released for Critical Vulnerability Affecting QNAP NAS Devices ∗∗∗
---------------------------------------------
An exploit is now publicly available for a remote code execution vulnerability affecting QNAP network-attached storage (NAS) devices that run the Surveillance Station video management system.
---------------------------------------------
https://www.securityweek.com/exploit-released-critical-vulnerability-affect…
∗∗∗ SAP Patchday April ∗∗∗
---------------------------------------------
A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in SAP products and application components to compromise the confidentiality, availability and integrity of the applications.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0370
∗∗∗ ZDI-21-406: (0Day) Microsoft 3D Builder PLY File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-406/
∗∗∗ ZDI-21-405: (0Day) Microsoft Print 3D PLY File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-405/
∗∗∗ D-Bus vulnerability CVE-2020-12049 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K16729408
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ SSA-163226 V1.0: CELL File Parsing Vulnerability in Tecnomatix RobotExpert ∗∗∗
---------------------------------------------
Siemens Tecnomatix RobotExpert version V16.1 fixes a vulnerability that could be triggered when the application reads CELL files. If a user is tricked into opening a malicious file with the affected application, this could lead to a crash, and potentially also to arbitrary code execution or data extraction on the target host system. Siemens recommends updating to the latest version and avoiding opening untrusted files from unknown sources.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-163226.txt
∗∗∗ SSA-185699 V1.0: Out of Bounds Write Vulnerabilities (NAME:WRECK) in the DNS Module of Nucleus Products ∗∗∗
---------------------------------------------
Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerabilities described in this advisory are from this set. The DNS client of affected products contains two out-of-bounds write vulnerabilities in the handling of DNS responses that could allow an attacker to cause a denial-of-service condition or to remotely execute code. Siemens has released updates for several affected products [...]
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-185699.txt
∗∗∗ SSA-187092 V1.0: Several Buffer-Overflow Vulnerabilities in Web Server of SCALANCE X-200 ∗∗∗
---------------------------------------------
Several SCALANCE X-200 switches contain buffer overflow vulnerabilities in the web server. In the most severe case an attacker could potentially remotely execute code. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-187092.txt
∗∗∗ SSA-201384 V1.0: Predictable UDP Port Number Vulnerability (NAME:WRECK) in the DNS Module of Nucleus Products ∗∗∗
---------------------------------------------
Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerability described in this advisory is from this set. The DNS client of affected products contains a vulnerability related to the handling of UDP port numbers in DNS requests that could allow an attacker to poison the DNS cache or spoof DNS resolution. Siemens has released updates for several affected products and recommends updating [...]
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-201384.txt
∗∗∗ SSA-248289 V1.0: Denial-of-Service Vulnerabilities in the IPv6 Stack of Nucleus Products ∗∗∗
---------------------------------------------
The IPv6 stack of affected products contains two vulnerabilities when processing IPv6 headers which could allow an attacker to cause a denial-of-service condition. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet, available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-248289.txt
∗∗∗ SSA-292794 V1.0: Multiple Denial-of-Service Vulnerabilities in SINEMA Remote Connect Server ∗∗∗
---------------------------------------------
The latest update for SINEMA Remote Connect Server fixes two Denial-of-Service vulnerabilities in the underlying third-party XML parser. Siemens has released updates for the affected product and recommends updating to the latest versions.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-292794.txt
∗∗∗ SSA-497656 V1.0: Multiple NTP Vulnerabilities in TIM 4R-IE Devices ∗∗∗
---------------------------------------------
There are multiple vulnerabilities in the underlying NTP component of the affected TIM 4R-IE. Siemens recommends specific countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-497656.txt
∗∗∗ SSA-574442 V1.0: Multiple PAR and DFT File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
Siemens has released a new version of Solid Edge to fix multiple vulnerabilities that could be triggered when the application reads files in different file formats (PAR, DFT extensions). If a user is tricked into opening a malicious file with the affected application, this could lead to a crash, and potentially also to arbitrary code execution or data extraction on the target host system. Siemens recommends updating to the latest version and avoiding opening untrusted files from unknown sources.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-574442.txt
∗∗∗ SSA-669158 V1.0: DNS Client Vulnerabilities in SIMOTICS CONNECT 400 ∗∗∗
---------------------------------------------
SIMOTICS CONNECT 400 is affected by DNS Client vulnerabilities as initially reported in Siemens Security Advisory SSA-705111 for the Mentor DNS Module. Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-669158.txt
∗∗∗ SSA-705111 V1.0: Vulnerabilities (NAME:WRECK) in DNS Module of Nucleus Products ∗∗∗
---------------------------------------------
Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerabilities described in this advisory are from this set. The DNS client of affected products contains multiple vulnerabilities related to the handling of DNS responses and requests. The most severe could allow an attacker to manipulate the DNS responses and cause a denial-of-service condition. Siemens has released updates for several
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-705111.txt
∗∗∗ SSA-761844 V1.0: Multiple Vulnerabilities in Control Center Server (CCS) ∗∗∗
---------------------------------------------
The advisory informs about multiple vulnerabilities in the Central Control Server (CCS) application, as initially reported in SSA-761617 on 2019-12-10 and SSA-844761 on 2020-03-10. The vulnerabilities involve authentication bypass (CVE-2019-18337, CVE-2019-18341), path traversal (CVE-2019-18338, CVE-2019-19290), information disclosure (CVE-2019-13947, CVE-2019-18340, CVE-2019-19291), privilege escalation (CVE-2019-18342), SQL injection (CVE-2019-19292), cross-site scripting [...]
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-761844.txt
∗∗∗ SSA-788287 V1.0: Disclosure of Private Data ∗∗∗
---------------------------------------------
Due to the SmartClient installation technology (ClickOnce), a customer/integrator needs to create a customer-specific SmartClient installer. The mentioned products were delivered with a trusted but already expired code-signing certificate. An attacker could have exploited the vulnerability by spoofing the code-signing certificate and signing a malicious executable, resulting in a trusted digital signature from a trusted provider. The certificate was revoked immediately.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-788287.txt
∗∗∗ SSA-853866 V1.0: User Credentials Disclosure Vulnerability in Siveillance Video Open Network Bridge (ONVIF) ∗∗∗
---------------------------------------------
Siemens has released hotfixes for Siveillance Video Open Network Bridge (ONVIF) which fix a security vulnerability related to insecure storage of ONVIF user credentials. The vulnerability could allow an authenticated remote attacker to retrieve and decrypt all user credentials stored on the ONVIF server. Siemens recommends applying the hotfixes at the earliest opportunity. See also the chapter Additional Information on how to apply the hotfix.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-853866.txt
∗∗∗ SSA-983300 V1.0: Vulnerabilities in LOGO! Soft Comfort ∗∗∗
---------------------------------------------
Two vulnerabilities have been identified in the LOGO! Soft Comfort software. These could allow an attacker to take over a system with the affected software installed. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-983300.txt
=====================
= End-of-Day report =
=====================
Timeframe: Friday 09-04-2021 18:00 − Monday 12-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ The Top 10 Secrets of Admin Users ∗∗∗
---------------------------------------------
Administrative rights can be some of the most powerful tools in the arsenal of any malicious agent. Look at any enterprise breach of the last few years and you will see admin accounts almost invariably play a central role.
---------------------------------------------
https://www.beyondtrust.com/blog/entry/the-top-10-secrets-of-admin-users
∗∗∗ Pulse Secure VPN users can't log in due to expired certificate ∗∗∗
---------------------------------------------
Users worldwide cannot connect to Pulse Secure VPN devices after a code signing certificate used to digitally sign and verify software components has expired.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-users-cant-…
∗∗∗ Microsoft warns of banking trojans ∗∗∗
---------------------------------------------
A new attack method used by banking trojans is worrying Microsoft. IcedID, also known as BokBot, is a modular banking trojan that targets users' financial data and can act as a dropper for other malware.
---------------------------------------------
https://www.zdnet.de/88394286/microsoft-warnt-vor-banking-trojanern/
∗∗∗ Messaging service: Attackers can lock Whatsapp users out of the service ∗∗∗
---------------------------------------------
Through mass attempts to register a phone number with Whatsapp, that number could ultimately be blocked from the service.
---------------------------------------------
https://www.golem.de/news/messenger-dienst-angreifer-koennen-whatsapp-nutze…
∗∗∗ APKPure: Malicious code discovered in the app of the alternative Android store ∗∗∗
---------------------------------------------
Anyone who obtains Android applications via APKPure and uses the app of the same name to do so should update now: researchers found malicious code in the previous version.
---------------------------------------------
https://heise.de/-6011340
∗∗∗ Numerous problems on all4you-fashion.com ∗∗∗
---------------------------------------------
Problematic dropshipping offers are keeping Watchlist Internet increasingly busy. They target Austrian and German consumers but do not comply with legal requirements. Anyone who orders from all4you-fashion.com, for example, is supposed to pay processing fees for withdrawing from the purchase despite a "guaranteed 30-day right of return". Legally, however, such a withdrawal must be possible free of charge.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-probleme-auf-all4you-fash…
∗∗∗ Malware infects half a million Huawei smartphones via official App Gallery ∗∗∗
---------------------------------------------
Joker malware was hidden in several programs - SMS fraud in ever new forms since 2017
---------------------------------------------
https://www.derstandard.at/story/2000125753278/schadsoftware-infiziert-halb…
∗∗∗ Building an IDS Sensor with Suricata & Zeek with Logs to ELK, (Sat, Apr 10th) ∗∗∗
---------------------------------------------
Over the past several years I have used multiple pre-built sensors using readily available ISO images (rockNSM, SO, OPNSense, etc) but what I was really looking for was just a sensor to parse traffic (i.e Zeek) and IDS alerts (Suricata) to ELK.
---------------------------------------------
https://isc.sans.edu/diary/rss/27296
∗∗∗ How ransomware gangs are connected, sharing resources and tactics ∗∗∗
---------------------------------------------
New research by Analyst1 sheds light on the cooperation between some of the ransomware gangs dominating the cybersecurity news.
---------------------------------------------
https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-c…
∗∗∗ Recording: Analyzing Android Malware — From triage to reverse-engineering ∗∗∗
---------------------------------------------
It's easy to get wrapped up worrying about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend against the truly prolific and widespread threats that target some of the devices [...]
---------------------------------------------
https://blog.talosintelligence.com/2021/04/recording-analyzing-android-malw…
∗∗∗ Emotet Command and Control Case Study ∗∗∗
---------------------------------------------
We provide a step-by-step technical analysis of Emotet command and control, based on observations from before Emotet threat actors were disrupted.
---------------------------------------------
https://unit42.paloaltonetworks.com/emotet-command-and-control/
∗∗∗ Criminals spread malware using website contact forms with Google URLs ∗∗∗
---------------------------------------------
Crooks are using social engineering to exploit workers' efforts to do their jobs.
---------------------------------------------
https://www.zdnet.com/article/criminals-spread-malware-using-website-contac…
∗∗∗ Critical security alert: If you haven't patched this old VPN vulnerability, assume your network is compromised ∗∗∗
---------------------------------------------
Hundreds of organisations that haven't applied a Fortinet VPN security update released in 2019 should assume that cyber criminals are trying to take advantage, NCSC warns.
---------------------------------------------
https://www.zdnet.com/article/critical-security-alert-if-you-havent-patched…
=====================
= Vulnerabilities =
=====================
∗∗∗ Tripwire Patch Priority Index for March 2021 ∗∗∗
---------------------------------------------
Tripwire’s March 2021 Patch Priority Index (PPI) brings together important vulnerabilities from SaltStack, VMware, BIG-IP and Microsoft. First on the patch priority list this month are patches for vulnerabilities in Microsoft Exchange (CVE-2021-27065, CVE-2021-26855), SaltStack (CVE-2021-25282, CVE-2021-25281), BIG-IP (CVE-2021-22986) and VMware vCenter (CVE-2021-21972). Exploits for these vulnerabilities have been recently added to the Metasploit Exploit [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/vert/tripwire-patch-priority-ind…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel and libldb), Debian (mediawiki, qemu, ruby-kramdown, and xen), Fedora (grub2, libldb, libopenmpt, python-pikepdf, python39, samba, squid, and webkit2gtk3), openSUSE (bcc, ceph, gssproxy, hostapd, isync, kernel, openexr, openSUSE KMPs, and tpm2-tss-engine), SUSE (fwupdate and wpa_supplicant), and Ubuntu (spamassassin).
---------------------------------------------
https://lwn.net/Articles/852339/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 08-04-2021 18:00 − Friday 09-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Facebook leak: How the data could have gone missing ∗∗∗
---------------------------------------------
Facebook and Linkedin deny that there was a breach. On the other hand, the leaks contain, for example, phone numbers that should not have been publicly visible.
---------------------------------------------
https://heise.de/-6009896
∗∗∗ Hacked: Windows, Ubuntu, Exchange, Teams, Zoom, Chrome, Safari and Edge ∗∗∗
---------------------------------------------
For prizes totalling over 1 million US dollars, hackers at Pwn2Own 2021 once again demonstrated security vulnerabilities in major IT products.
---------------------------------------------
https://heise.de/-6010171
∗∗∗ Sony confirms PS5 fraud via fake shop "playstation-sony.eu" ∗∗∗
---------------------------------------------
The elaborately designed online shop does not belong to the Sony group. Analyses point to a large fraud network. Traces lead to Ukraine.
---------------------------------------------
https://heise.de/-6009907
∗∗∗ Cisco: No more patches for vulnerable SoHo routers ∗∗∗
---------------------------------------------
Because the products are no longer supported, Cisco will not provide any fixes. Customers are expected to buy newer models.
---------------------------------------------
https://heise.de/-6010387
∗∗∗ Trojan detected in APKPure Android app store client software ∗∗∗
---------------------------------------------
Doctor Web specialists have discovered malicious functionality in APKPure, the official client application of a popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission. APKPure is one of the oldest and most popular third-party games and software catalogs for the Android OS.
---------------------------------------------
https://news.drweb.com/show/?i=14188&lng=en&c=9
∗∗∗ IcedID Banking Trojan Surges: The New Emotet? ∗∗∗
---------------------------------------------
A widespread email campaign using malicious Microsoft Excel attachments and Excel 4 macros is delivering IcedID at high volumes, suggesting it's filling the Emotet void.
---------------------------------------------
https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/
∗∗∗ Threat matrix for storage services ∗∗∗
---------------------------------------------
Storage services are one of the most popular services in the cloud. In this blog, we outline potential risks that you should be aware of when deploying, configuring, or monitoring your storage environment.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storag…
∗∗∗ [SANS ISC] No Python Interpreter? This Simple RAT Installs Its Own Copy ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "No Python Interpreter? This Simple RAT Installs Its Own Copy": For a while, I’ve been keeping an eye on malicious Python code targeting Windows environments. If Python looks more and more popular, attackers are facing a major issue: Python is not installed by default on most Windows operating systems.
---------------------------------------------
https://blog.rootshell.be/2021/04/09/sans-isc-no-python-interpreter-this-si…
∗∗∗ Detecting Exposed Cobalt Strike DNS Redirectors ∗∗∗
---------------------------------------------
This research will focus on some of the active detections that can be used to fingerprint exposed Cobalt Strike servers that are using DNS as a communication channel. Although the research approach will be a bit different, the outcome will be similar to what JARM did for HTTP/HTTPs restricted to the scope of Cobalt Strike.
---------------------------------------------
https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirect…
∗∗∗ Sysrv Botnet Expands and Gains Persistence ∗∗∗
---------------------------------------------
On March 4, 2021, Juniper Threat Labs identified a surge of activity of the Sysrv botnet. The botnet spread itself into Windows and Linux systems by exploiting multiple vulnerabilities, which we will cover in this blog. The threat actor’s objective is to install a Monero cryptominer. The attack remains active. Here’s what we’ve seen so far.
---------------------------------------------
https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-ga…
∗∗∗ Cryptomining containers caught coining cryptocurrency covertly ∗∗∗
---------------------------------------------
Research has uncovered 30 compromised images in 10 different Docker Hub accounts, representing over 20 million pulls.
---------------------------------------------
https://blog.malwarebytes.com/web-threats/2021/04/cryptomining-containers-c…
∗∗∗ A deep dive into Saint Bot, a new downloader ∗∗∗
---------------------------------------------
Saint Bot is a downloader that has been used to drop stealers. We take a deep look at it and its accompanying panel.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-sain…
∗∗∗ Beware of loan fraud on Facebook! ∗∗∗
---------------------------------------------
The effects of the corona crisis still mean that many people depend on financial assistance. Criminals exploit this and offer alleged loans and credit on Facebook. Through comments and private messages, the fraudsters try to gain the victims' trust. The loans are never paid out, however; instead, the victims are supposed to make advance payments.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-kreditbetrug-auf-facebo…
∗∗∗ Using Aviary to Analyze Post-Compromise Threat Activity in M365 Environments ∗∗∗
---------------------------------------------
Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary - a Splunk-based dashboard - facilitates analysis of Sparrow data [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/08/using-aviary-to-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerabilities Patched in WP Page Builder ∗∗∗
---------------------------------------------
On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-b…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lib3mf, php-pear, and python-django), Fedora (perl-Net-Netmask), openSUSE (flatpak, libostree, xdg-desktop-portal, fwupd, fwupdate, and hostapd), Oracle (kernel, libldb, nettle, and squid), Red Hat (nettle), and SUSE (fwupdate, tpm2-tss-engine, and umoci).
---------------------------------------------
https://lwn.net/Articles/852110/
∗∗∗ FATEK Automation WinProladder ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Integer Underflow vulnerability in the FATEK Automation WinProladder programmable logic controller.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-098-01
∗∗∗ MediaWiki: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0366
∗∗∗ Red Hat Enterprise Linux: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0364
∗∗∗ Atlassian Jira Software: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0362
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-04-2021 18:00 − Thursday 08-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Warning about a deceptively genuine-looking fake shop selling the PS5 ∗∗∗
---------------------------------------------
At first glance the online store appears legitimate. Fraudsters are hiding behind it, however.
---------------------------------------------
https://futurezone.at/games/warnung-vor-taeuschend-echtem-fake-shop-der-ps5…
∗∗∗ Hacker attacks on logistics companies ∗∗∗
---------------------------------------------
ESET has found that the Lazarus group is specifically targeting logistics companies. This is delicate, because outages in global freight logistics can have serious consequences.
---------------------------------------------
https://www.zdnet.de/88394254/hackerangriffe-auf-logistikunternehmen/
∗∗∗ How to Know If You Are Under DDoS Attack ∗∗∗
---------------------------------------------
Nowadays, the term DDoS probably raises the heart rate of most webmasters. Though many don’t know exactly what a DDoS attack is, they do know the effect: an extremely sluggish or shut-down website. In this article, we’ll focus on how to know if your website is under attack and how to protect it.
---------------------------------------------
https://blog.sucuri.net/2021/04/how-to-know-if-you-are-under-a-ddos-attack.…
∗∗∗ [SANS ISC] Simple Powershell Ransomware Creating a 7Z Archive of your Files ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Simple Powershell Ransomware Creating a 7Z Archive of your Files“: If some ransomware families are based on PE files with complex features, it’s easy to write quick-and-dirty ransomware in other languages like Powershell. I found this sample while hunting. I’m pretty confident that this [...]
---------------------------------------------
https://blog.rootshell.be/2021/04/08/sans-isc-simple-powershell-ransomware-…
∗∗∗ Vulnerability in Fortigate VPN servers is exploited in Cring ransomware attacks ∗∗∗
---------------------------------------------
In Q1 2021, threat actors conducted a series of attacks using the Cring ransomware. These attacks were mentioned in a Swisscom CSIRT tweet, but it remained unclear how the ransomware infects an organization's network. An incident investigation conducted by Kaspersky ICS CERT experts at one of the attacked enterprises revealed that attacks of the Cring ransomware exploit a vulnerability in Fortigate VPN servers.
---------------------------------------------
https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigat…
∗∗∗ Update on git.php.net incident ∗∗∗
---------------------------------------------
Hi everyone,
I would like to provide an update regarding the git.php.net security incident. To briefly summarize the most important information:
- We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked.
- master.php.net has been migrated to a new system main.php.net.
- All php.net passwords have been reset. Go to https://main.php.net/forgot.php to set a new password.
- git.php.net and svn.php.net are both read-only now, but will remain available for the time being.
The following is a more detailed explanation of what happened and which actions were taken.
---------------------------------------------
https://externals.io/message/113981
∗∗∗ Office 365 phishing campaign uses publicly hosted JavaScript code ∗∗∗
---------------------------------------------
A new phishing campaign targeting Office 365 users cleverly tries to bypass email security protections by combining chunks of HTML code delivered via publicly hosted JavaScript code. The phishing email and page: The subject of the phishing email says "price revision" and it contains no body - just an attachment (hercus-Investment 547183-xlsx.Html) that, at first glance, looks like an Excel document, but is actually an HTML document that contains encoded text pointing to two [...]
---------------------------------------------
https://www.helpnetsecurity.com/2021/04/08/office-365-phishing-javascript/
∗∗∗ Zoom zero-day discovery makes calls safer, hackers $200,000 richer ∗∗∗
---------------------------------------------
White hat hackers have demonstrated a Remote Code Execution attack against Zoom at the Pwn2Own event.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/zoom-zer…
∗∗∗ Library Dependencies and the Open Source Supply Chain Nightmare ∗∗∗
---------------------------------------------
It’s a bigger problem than is immediately apparent, and has the potential for hacks as big as Equifax and as widespread as SolarWinds.
---------------------------------------------
https://www.securityweek.com/library-dependencies-and-open-source-supply-ch…
∗∗∗ appleiphoneunlock.uk: Dubious practices when removing the iCloud activation lock! ∗∗∗
---------------------------------------------
You bought a used iPhone and only found out afterwards that you cannot use it with your iCloud ID at all? The solution: the iCloud activation lock has to be removed. But beware: dubious sites offer such unlocking services, for example appleiphoneunlock.uk. Consumers report that the information given during the ordering process is misleading and that additional costs keep arising.
---------------------------------------------
https://www.watchlist-internet.at/news/appleiphoneunlockuk-unserioese-prakt…
∗∗∗ More fake Willhaben SMS about an alleged PayLivery payment ∗∗∗
---------------------------------------------
Numerous consumers are currently contacting Watchlist Internet because they have received a fraudulent SMS about a Willhaben listing. The criminals' message fakes a payment and redirects to forged Willhaben pages. The SMS must be ignored, otherwise loss of money and data is imminent!
---------------------------------------------
https://www.watchlist-internet.at/news/weiter-fake-willhaben-sms-zu-angebli…
∗∗∗ Gamers beware: this is how criminals try to steal your Steam account! ∗∗∗
---------------------------------------------
With more than one billion active users and over 30,000 games, Steam is the largest gaming platform. No wonder the platform is also a popular target for fraudsters. Time and again, criminals pose as Steam employees in order to get hold of players' accounts. We show you how the scam works and how to protect yourself.
---------------------------------------------
https://www.watchlist-internet.at/news/gamerinnen-aufgepasst-so-versuchen-k…
=====================
= Vulnerabilities =
=====================
∗∗∗ Azure Functions Weakness Allows Privilege Escalation ∗∗∗
---------------------------------------------
Microsoft's cloud-container technology allows attackers to directly write to files, researchers said.
---------------------------------------------
https://threatpost.com/azure-functions-privilege-escalation/165307/
∗∗∗ Cisco: Important updates close remotely exploitable security vulnerabilities ∗∗∗
---------------------------------------------
The first Cisco updates after the holidays target, among others, the SD-WAN vManage Software and Small Business RV routers. Two vulnerabilities are rated as critical.
---------------------------------------------
https://heise.de/-6008277
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, libldb, rpm, samba, and seamonkey), openSUSE (isync), Oracle (kernel), Red Hat (openssl and squid), SUSE (ceph, flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk, fwupd, fwupdate, and openexr), and Ubuntu (curl, linux-lts-trusty, and lxml).
---------------------------------------------
https://lwn.net/Articles/851956/
∗∗∗ ImageMagick: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0361
∗∗∗ ClamAV: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0358
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 06-04-2021 18:00 − Wednesday 07-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Windows XP makes ransomware gangs work harder for their money ∗∗∗
---------------------------------------------
A recently created ransomware decryptor illustrates how threat actors have to support Windows XP, even though Microsoft dropped support for it seven years ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-xp-makes-ransomware-…
∗∗∗ Top Cybercriminal Gangs Are Using EtterSilent Maldoc Builder ∗∗∗
---------------------------------------------
A malicious document builder named EtterSilent is becoming popular amongst cybercriminals as the developers keep improving it in order to avoid being detected by security solutions.
---------------------------------------------
https://heimdalsecurity.com/blog/top-cybercriminal-gangs-are-using-ettersil…
∗∗∗ Malspam with Lokibot vs. Outlook and RFCs, (Tue, Apr 6th) ∗∗∗
---------------------------------------------
A couple of weeks ago, my phishing/spam trap caught an interesting e-mail carrying what turned out to be a sample of the Lokibot Infostealer.
---------------------------------------------
https://isc.sans.edu/diary/rss/27282
∗∗∗ WiFi IDS and Private MAC Addresses, (Wed, Apr 7th) ∗∗∗
---------------------------------------------
Nzyme does focus on WiFi-specific attacks, so it does not care about payload but inspects the 802.11 headers that escape traditional, wired IDSs.
---------------------------------------------
https://isc.sans.edu/diary/rss/27288
∗∗∗ New article: Dissecting the design and vulnerabilities in AZORult C&C panels ∗∗∗
---------------------------------------------
In a new article, Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified.
---------------------------------------------
https://www.virusbulletin.com/blog/2021/04/new-article-dissecting-design-an…
∗∗∗ Aurora campaign: Attacking Azerbaijan using multiple RATs ∗∗∗
---------------------------------------------
We identified a new Python-based RAT targeting Azerbaijan from the same threat actor we profiled a month ago.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2021/04/aurora-campaign-attac…
∗∗∗ Fake Trezor app steals more than $1 million worth of crypto coins ∗∗∗
---------------------------------------------
Several users of Trezor, a small hardware device that acts as a cryptocurrency wallet, have lost fortunes after being duped by a phishing app.
---------------------------------------------
https://blog.malwarebytes.com/social-engineering/2021/04/fake-trezor-app-st…
∗∗∗ White Hats Earn $440,000 for Hacking Microsoft Products on First Day of Pwn2Own 2021 ∗∗∗
---------------------------------------------
On the first day of the Pwn2Own 2021 hacking competition, participants earned more than half a million dollars, including $440,000 for demonstrating exploits against Microsoft products.
---------------------------------------------
https://www.securityweek.com/white-hats-earn-440000-hacking-microsoft-produ…
∗∗∗ New wormable Android malware poses as Netflix to hijack WhatsApp sessions ∗∗∗
---------------------------------------------
Users are lured in with the promise of a free premium subscription.
---------------------------------------------
https://www.zdnet.com/article/new-android-malware-poses-as-netflix-to-hijac…
∗∗∗ Flexible taxonomies and new software for the tag2domain project ∗∗∗
---------------------------------------------
Domain Names are the centerpiece of locating services on the internet, and they can be used for a variety of purposes and services. Understanding the type of services a Domain Name offers is one of the key aspects of Internet Security.
---------------------------------------------
https://cert.at/en/blog/2021/4/flexible-taxonomies-and-new-software-for-the…
=====================
= Vulnerabilities =
=====================
∗∗∗ Grade manipulation possible: major vulnerability in the Moodle learning software ∗∗∗
---------------------------------------------
The free learning platform Moodle had a security vulnerability for years that allowed students, among other things, to manipulate their grades.
---------------------------------------------
https://www.golem.de/news/notenmanipulation-moeglich-grosse-schwachstelle-i…
∗∗∗ Arbitrary file upload and bypass of .htaccess rules in Monospace Directus Headless CMS ∗∗∗
---------------------------------------------
Monospace Directus CMS Docker images that use Apache as the web server with local storage are affected by a vulnerability through which any authenticated user can upload arbitrary files and folders. In the unchanged default configuration, Directus is thus vulnerable to remote code execution and modification of web server .htaccess rules.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload…
∗∗∗ SAP products: CISA warns of dangers from delayed security updates ∗∗∗
---------------------------------------------
CISA and researchers from Onapsis warn of attack possibilities against SAP products via six older vulnerabilities. Updates have in some cases been available for a long time.
---------------------------------------------
https://heise.de/-6007209
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by openSUSE (chromium), Oracle (flatpak and kernel), Red Hat (virt:8.3 and virt-devel:8.3), and SUSE (gssproxy and xen).
---------------------------------------------
https://lwn.net/Articles/851868/
∗∗∗ Hitachi ABB Power Grids Multiple Products ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in some Hitachi ABB Power Grids products using IED 61850 interfaces.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-096-01
∗∗∗ Security Advisory - Pointer Double Free Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210407-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-04-2021 18:00 − Tuesday 06-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Malicious cheats for Call of Duty: Warzone are circulating online ∗∗∗
---------------------------------------------
The cheat is fake, but the malware it installs is the real thing.
---------------------------------------------
https://arstechnica.com/?p=1754269
∗∗∗ Phone number, e-mail: Am I in the Facebook leak? ∗∗∗
---------------------------------------------
On various websites, users can check whether they are among the 533 million people affected by the Facebook data leak.
---------------------------------------------
https://www.golem.de/news/telefonnummer-e-mail-bin-ich-im-facebook-leak-210…
∗∗∗ Crypto mining: Coinhive scripts warn about themselves ∗∗∗
---------------------------------------------
Security researcher Troy Hunt has obtained the domains of the crypto miner Coinhive. He is using them to draw attention to security problems.
---------------------------------------------
https://www.golem.de/news/kryptomining-coinhive-skripte-warnen-vor-sich-sel…
∗∗∗ The leap of a Cycldek-related threat actor ∗∗∗
---------------------------------------------
The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.
---------------------------------------------
https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/
∗∗∗ From PowerShell to Payload: An Analysis of Weaponized Malware ∗∗∗
---------------------------------------------
John Hammond, security researcher with Huntress, takes a deep-dive into a stager's technical and coding aspects.
---------------------------------------------
https://threatpost.com/powershell-payload-analysis-malware/165188/
∗∗∗ YARA and CyberChef: ZIP, (Sun, Apr 4th) ∗∗∗
---------------------------------------------
When processing the result of "unzip" in CyberChef, for example with YARA rules, all files contained inside the ZIP file are concatenated together.
---------------------------------------------
https://isc.sans.edu/diary/rss/27276
∗∗∗ Gigaset: Malware infection of the manufacturer's Android devices raises questions ∗∗∗
---------------------------------------------
Owners of Gigaset Android smartphones have been battling malware for several days. Some indications point to a compromised update server as the source.
---------------------------------------------
https://heise.de/-6006464
∗∗∗ Man in the Terminal ∗∗∗
---------------------------------------------
By using path hijacking and modification on Unix-like machines, we can achieve pseudo-keylogging functionality by prioritizing malicious middleware binaries to record and transfer standard input/output streams.
---------------------------------------------
https://posts.specterops.io/man-in-the-terminal-65476e6165b9
∗∗∗ 2020 Phishing Trends With PDF Files ∗∗∗
---------------------------------------------
We analyzed recent phishing trends with PDF files and noted a dramatic increase in the practice, as well as five approaches popular with attackers.
---------------------------------------------
https://unit42.paloaltonetworks.com/phishing-trends-with-pdf-files/
∗∗∗ SAP issues advisory on the exploit of old vulnerabilities to target enterprise applications ∗∗∗
---------------------------------------------
New research also reveals that SAP vulnerabilities, on average, are weaponized in less than 72 hours.
---------------------------------------------
https://www.zdnet.com/article/sap-issues-advisory-on-vulnerable-application…
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: Out-of-bounds write vulnerabilities in Accusoft ImageGear ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple out-of-bounds write vulnerabilities in Accusoft ImageGear that an adversary could exploit to corrupt memory on the targeted machine. The ImageGear library is a [...]
---------------------------------------------
https://blog.talosintelligence.com/2021/03/vuln-spotlight-accusoft-image-ge…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libxstream-java, php-nette, and smarty3), Fedora (curl, openssl, spamassassin, and webkit2gtk3), Mageia (ant, batik, kernel, kernel-linus, nodejs-chownr, nodejs-yargs-parser, python-bottle, and ruby-em-http-request), openSUSE (curl and OpenIPMI), and Red Hat (openssl).
---------------------------------------------
https://lwn.net/Articles/851640/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, netty, python-bleach, and python3.5), Fedora (libmediainfo, libzen, and mediainfo), Mageia (openssl), openSUSE (chromium), Red Hat (389-ds:1.4, flatpak, kernel, kernel-rt, kpatch-patch, libldb, and virt:rhel and virt-devel:rhel), and Ubuntu (python-django and ruby-rack).
---------------------------------------------
https://lwn.net/Articles/851772/
∗∗∗ Android Patchday April ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Google Android to execute arbitrary code with administrator privileges, escalate privileges, or disclose information.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0344
∗∗∗ QTS 4.3.6.1620 Build 20210322 ∗∗∗
---------------------------------------------
Security Updates
Fixed a command injection vulnerability (CVE-2020-2509).
Fixed a vulnerability in Apache HTTP server (CVE-2020-9490).
---------------------------------------------
https://www.qnap.com/en/release-notes/qts/4.3.6.1620/20210322
∗∗∗ Shodan Verified Vulns 2021-04-01 ∗∗∗
---------------------------------------------
Thanks (?) to the Exchange vulnerabilities, March flew by, and accordingly we once again take a look at the vulnerabilities Shodan sees in Austria. As of 2021-04-01 the picture was as follows: It has happened! In one fell swoop the TLS vulnerabilities have (almost) been knocked off the throne; the Microsoft Exchange vulnerabilities are reaching for the top.
---------------------------------------------
https://cert.at/de/aktuelles/2021/4/shodan-verified-vulns-2021-04-01
∗∗∗ April 5, 2021 TNS-2021-07 [R1] Nessus 8.14.0 Fixes One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2021-07
∗∗∗ Grafana vulnerability CVE-2019-15043 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K00843201
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 01-04-2021 18:00 − Friday 02-04-2021 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ 5 steps to respond to a data breach ∗∗∗
---------------------------------------------
This blog was written by an independent guest blogger. You’ve just been breached. What do you do next? Depending on personality, preparation, and ability under crisis, there are a variety of responses to choose from, some effective and some not. Hopefully, you’re the rare breed who plans in advance how to respond. Even better if this planning includes how to prevent them. But to execute a logical, effective response, keep reading.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/5-steps-to-respond-…
∗∗∗ VMware fixes authentication bypass in data center security software ∗∗∗
---------------------------------------------
VMware has addressed a critical vulnerability in the VMware Carbon Black Cloud Workload appliance that could allow attackers to bypass authentication after exploiting vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-fixes-authentication-…
∗∗∗ New ‘BazarCall’ Malware Uses Call Centers to Trick its Victims into Infecting Themselves ∗∗∗
---------------------------------------------
Today’s hackers have never been more old-fashioned – they are currently using a telephone call as a “brand new” technique to infect their victim’s devices.
---------------------------------------------
https://heimdalsecurity.com/blog/bazarcall-malware-uses-call-centers-to-tri…
∗∗∗ Browser lockers: extortion disguised as a fine ∗∗∗
---------------------------------------------
In this article we discuss browser lockers that mimic law enforcement websites.
---------------------------------------------
https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/
∗∗∗ Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting ∗∗∗
---------------------------------------------
A probabilistic graphical modeling framework used by Microsoft 365 Defender research and intelligence teams for threat actor tracking enables us to quickly predict the likely threat group responsible for an attack, as well as the likely next attack stages.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/04/01/automating-threat-actor-…
∗∗∗ [SANS ISC] C2 Activity: Sandboxes or Real Victims? ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “C2 Activity: Sandboxes or Real Victims?“: In my last diary, I mentioned that I was able to access screenshots exfiltrated by the malware sample. During the first analysis, there were approximately 460 JPEG files available. I continued to keep an eye on the [...]
---------------------------------------------
https://blog.rootshell.be/2021/04/02/sans-isc-c2-activity-sandboxes-or-real…
∗∗∗ A “txt file” can steal all your secrets ∗∗∗
---------------------------------------------
Recently, 360 Security Center’s threat monitoring platform has detected an email phishing attack. This attack uses a secret-stealing Trojan called Poulight.
---------------------------------------------
https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/
∗∗∗ Unpatched RCE Flaws Affect Tens of Thousands of QNAP SOHO NAS Devices ∗∗∗
---------------------------------------------
A pair of unpatched vulnerabilities in QNAP small office/home office (SOHO) network attached storage (NAS) devices could allow attackers to execute code remotely, according to a warning from security researchers at SAM Seamless Network.
---------------------------------------------
https://www.securityweek.com/unpatched-rce-flaws-affect-tens-thousands-qnap…
∗∗∗ Nine Critical Flaws in FactoryTalk Product Pose Serious Risk to Industrial Firms ∗∗∗
---------------------------------------------
Industrial automation giant Rockwell Automation on Thursday informed customers that it has patched nine critical vulnerabilities in its FactoryTalk AssetCentre product.
---------------------------------------------
https://www.securityweek.com/nine-critical-flaws-factorytalk-product-pose-s…
∗∗∗ Financial Sector Remains Most Targeted by Threat Actors: IBM ∗∗∗
---------------------------------------------
Organizations in the financial and insurance sectors were the most targeted by threat actors in 2020, continuing a trend that was first observed roughly five years ago, IBM Security reports.
---------------------------------------------
https://www.securityweek.com/financial-sector-remains-most-targeted-threat-…
∗∗∗ Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool ∗∗∗
---------------------------------------------
We review samples of recent Hancitor infections, share relatively new indicators and provide examples of an associated network ping tool.
---------------------------------------------
https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/
∗∗∗ The best laid plans or lack thereof: Security decision-making of different stakeholder groups. (arXiv:2104.00284v1 [cs.CR]) ∗∗∗
---------------------------------------------
Cyber security requirements are influenced by the priorities and decisions of a range of stakeholders. Board members and CISOs determine strategic priorities. Managers have responsibility for resource allocation and project management. Legal professionals concern themselves with regulatory compliance. Little is understood about how the security decision-making approaches of these different stakeholders contrast, and if particular groups of stakeholders have a better appreciation of security [...]
---------------------------------------------
http://arxiv.org/abs/2104.00284
∗∗∗ FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) and CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-ad…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Jabber for Windows DLL Preloading Vulnerability ∗∗∗
---------------------------------------------
Version: 1.2
Description: Added information about additional software fixes because of a regression that reintroduced this vulnerability in subsequent software versions.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) ∗∗∗
---------------------------------------------
# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)
# Exploit Author: Al1ex
# Vendor Homepage: https://www.f5.com/products/big-ip-services
# Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2
# CVE : CVE-2021-22986
https://github.com/Al1ex/CVE-2021-22986
---------------------------------------------
https://www.exploit-db.com/exploits/49738
∗∗∗ K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 ∗∗∗
---------------------------------------------
Indicators of compromise
Important: F5 last updated this section on March 26, 2021 at 5:45 PM Pacific time.
The information in this section is based on evidence that F5 has collected and believes to be reliable indicators of compromise. It is important to note that exploited systems may show different indicators, and a skilled attacker may be able to remove traces of their work. It is impossible to prove a device is not compromised; if you have any uncertainty, consider the device to be compromised.
---------------------------------------------
https://support.f5.com/csp/article/K03009991
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (busybox, ldb, openjpeg2, spamassassin, and underscore), Fedora (kernel, kernel-headers, and kernel-tools), Mageia (privoxy, python and python3, and rpm), openSUSE (ovmf, tar, and tomcat), SUSE (curl, firefox, OpenIPMI, and tomcat), and Ubuntu (openexr).
---------------------------------------------
https://lwn.net/Articles/851511/
∗∗∗ March 31, 2021 TNS-2021-05 [R1] Nessus 8.13.2 Fixes Multiple Third-party Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2021-05
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 31-03-2021 18:00 − Thursday 01-04-2021 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Security vulnerability: Data leak at Ubiquiti was considerably more extensive ∗∗∗
---------------------------------------------
According to a report, the attackers were able to access Ubiquiti source code and credentials. The network equipment manufacturer does not dispute this.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-datenleck-bei-ubiquiti-war-deut…
∗∗∗ Who Contains the Containers? ∗∗∗
---------------------------------------------
This is a short blog post about a research project I conducted on Windows Server Containers that resulted in four privilege escalations which Microsoft fixed in March 2021. In the post, I describe what led to this research, my research process, and insights into what to look for if you’re researching this area.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html
∗∗∗ Changes in Sinkhole and Honeypot Report Types and Formats ∗∗∗
---------------------------------------------
Over the years, Shadowserver’s report list has grown considerably from when we originally started. When some of these reports were originally set up, the requirements were different to those needed today. We have therefore decided to implement changes with some of the existing report types, especially those related to our sinkholes and honeypots, as well as remove some legacy reports. Changes will come into effect on 2021-06-01.
---------------------------------------------
https://www.shadowserver.org/news/changes-in-sinkhole-and-honeypot-report-t…
∗∗∗ The Importance of Website Backups ∗∗∗
---------------------------------------------
Today is World Backup Day. This date was created to remind people of the importance of having backups set up for everything that matters. I am pretty sure your website falls into the category of precious digital assets
---------------------------------------------
https://blog.sucuri.net/2021/03/the-importance-of-website-backups.html
∗∗∗ Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service ∗∗∗
---------------------------------------------
Microsoft introduced the Background Intelligent Transfer Service (BITS) with Windows XP to simplify and coordinate downloading and uploading large files. Applications and system components, most notably Windows Update, use BITS to deliver operating system and application updates so they can be downloaded with minimal user disruption. [...] As is the case with many technologies, BITS can be used both by legitimate applications and by attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process. This can be useful for evading firewalls that may block malicious or unknown processes, and it helps to obscure which application requested the transfer.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/03/attacker-use-of-window…
∗∗∗ DoS vulnerability in virtualisation platform Citrix Hypervisor closed ∗∗∗
---------------------------------------------
Patched versions of Citrix Hypervisor prevent access to host systems.
---------------------------------------------
https://heise.de/-6003757
∗∗∗ Report: USB threats to ICS systems have nearly doubled ∗∗∗
---------------------------------------------
The latest Honeywell USB Threat Report 2020 indicates that the number of threats specifically targeting Operational Technology systems has nearly doubled from 16% to 28%, while the number of threats capable of disrupting those systems rose from 26% to 59% over the same period.
---------------------------------------------
https://www.tripwire.com/state-of-security/ics-security/report-usb-threats-…
∗∗∗ Digital Forensics vs. Anti-Digital Forensics: Techniques, Limitations and Recommendations. (arXiv:2103.17028v1 [cs.CR]) ∗∗∗
---------------------------------------------
The number of cyber attacks has increased tremendously in the last few years. This has resulted in both human and financial losses at the individual and organizational levels. Recently, cyber-criminals have been leveraging new skills and capabilities by employing anti-forensics activities, techniques and tools to cover their tracks and evade any possible detection.
---------------------------------------------
http://arxiv.org/abs/2103.17028
∗∗∗ Is your dishwasher trying to kill you? ∗∗∗
---------------------------------------------
Does every device in your home really need to be connected to the internet? And could it be turned against you?
---------------------------------------------
https://www.welivesecurity.com/2021/04/01/is-your-dishwasher-trying-kill-yo…
∗∗∗ CISA Releases Supplemental Direction on Emergency Directive for Microsoft Exchange Server Vulnerabilities ∗∗∗
---------------------------------------------
CISA has issued supplemental direction to Emergency Directive (ED) 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities, providing additional forensic triage and server hardening requirements for federal agencies. Specifically, this update directs federal departments and agencies to run newly developed tools - Microsoft's Test-ProxyLogon.ps1 script and Safety Scanner MSERT - to investigate whether their Microsoft Exchange [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/31/cisa-releases-sup…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-399: (0Day) D-Link DIR-882 HNAP Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-882 routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-399/
∗∗∗ Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 ∗∗∗
---------------------------------------------
On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. This advisory will be updated as additional information becomes available.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IOS XE Software Fast Reload Vulnerabilities ∗∗∗
---------------------------------------------
Version: 1.1
Description: Added Catalyst 3650 switches as affected products.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ SECURITY BULLETIN: March 2021 Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗
---------------------------------------------
Trend Micro has released new patches for Trend Micro Apex One (On Premise) and Apex One as a Service (SaaS). These patches resolve multiple vulnerabilities related to improper access control and incorrect permission assignment privilege escalation as well as insecure file permissions.
---------------------------------------------
https://success.trendmicro.com/solution/000286019
∗∗∗ VMSA-2021-0005 ∗∗∗
---------------------------------------------
VMware Carbon Black Cloud Workload appliance update addresses incorrect URL handling vulnerability (CVE-2021-21982)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0005.html
∗∗∗ VMSA-2021-0004.1 - VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983) ∗∗∗
---------------------------------------------
2021-03-31: VMSA-2021-0004.1 - Updated advisory with information on vROps 7.0.0 workarounds.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0004.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (underscore), Fedora (busybox, linux-firmware, and xmlgraphics-commons), Oracle (kernel and kernel-container), Slackware (curl and seamonkey), SUSE (firefox and opensc), and Ubuntu (spamassassin).
---------------------------------------------
https://lwn.net/Articles/851381/
∗∗∗ Rockwell Automation FactoryTalk AssetCentre ∗∗∗
---------------------------------------------
This advisory contains mitigations for OS Command Injection, Deserialization of Untrusted Data, SQL Injection, and Improperly Restricted Functions vulnerabilities in Rockwell Automation FactoryTalk AssetCentre automation software products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-091-01
∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210331…
∗∗∗ Security Advisory - Arbitrary Memory Write Vulnerability in Huawei Smart Phone ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210331…
∗∗∗ March 31, 2021 TNS-2021-06 [R1] Tenable.sc 5.18.0 Fixes One Third-party Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2021-06
∗∗∗ Atlassian Jira Software: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0334
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-03-2021 18:00 − Wednesday 31-03-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Financial Cyberthreats in 2020 ∗∗∗
---------------------------------------------
This research is a continuation of our annual financial threat reports providing an overview of the latest trends and key events across the financial threat landscape. The study covers the common phishing threats, along with Windows and Android-based financial malware.
---------------------------------------------
https://securelist.com/financial-cyberthreats-in-2020/101638/
∗∗∗ Ziggy Ransomware Gang Offers Refunds to Victims ∗∗∗
---------------------------------------------
Ziggy joins Fonix ransomware group and shuts down, with apologies to targets.
---------------------------------------------
https://threatpost.com/ziggy-ransomware-gang-offers-refund-to-victims/16512…
∗∗∗ 3MinMax Series Topic Review - Apple Acquisition ∗∗∗
---------------------------------------------
Apple devices are an entirely different platform than Windows, and there are many different considerations when preparing to acquire an Apple machine.
---------------------------------------------
https://www.sans.org/blog/3minmax-series-topic-review---apple-acquisition
∗∗∗ [SANS ISC] Quick Analysis of a Modular InfoStealer ∗∗∗
---------------------------------------------
This morning, an interesting phishing email landed in my spam trap. The mail was redacted in Spanish and, as usual, asked the recipient to urgently process the attached document.
---------------------------------------------
https://blog.rootshell.be/2021/03/31/sans-isc-quick-analysis-of-a-modular-i…
∗∗∗ Whistleblower: Ubiquiti Breach “Catastrophic” ∗∗∗
---------------------------------------------
On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials.
---------------------------------------------
https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrop…
∗∗∗ The Often-Overlooked Element of a Hack: Endpoints ∗∗∗
---------------------------------------------
It is Vital to Maintain Granular Visibility and Control Over Access Points to Establish Resilience
---------------------------------------------
https://www.securityweek.com/often-overlooked-element-hack-endpoints
∗∗∗ Caution when buying a bicycle: marti-bosom.de is a fake shop! ∗∗∗
---------------------------------------------
With temperatures getting warmer, bicycle season begins. For many it is the time to buy a new bike. Due to the ongoing Corona crisis, this increasingly happens online. Caution is advised here, however, since there are fraudulent fake shops in this area as well.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-beim-fahrrad-kauf-marti-bos…
∗∗∗ Ransomware: Why we're now facing a perfect storm ∗∗∗
---------------------------------------------
Normalising the act of paying a ransom to cyber criminals does nothing to protect anyone against ransomware, warns report.
---------------------------------------------
https://www.zdnet.com/article/ransomware-why-were-now-facing-a-perfect-stor…
∗∗∗ Gaming mods, cheat engines are spreading Trojan malware and planting backdoors ∗∗∗
---------------------------------------------
Mods and cheat systems for games are being exploited to deploy information-stealing malware.
---------------------------------------------
https://www.zdnet.com/article/gaming-tools-backdoored-cheat-engines-are-now…
∗∗∗ BLEKeeper: Response Time Behavior Based Man-In-The-Middle Attack Detection ∗∗∗
---------------------------------------------
Bluetooth Low Energy (BLE) has become one of the most popular wireless communication protocols and is used in billions of smart devices. Despite several security features, the hardware and software limitations of these devices make them vulnerable to man-in-the-middle (MITM) attacks.
---------------------------------------------
http://arxiv.org/abs/2103.16235
=====================
= Vulnerabilities =
=====================
∗∗∗ Fake jQuery files infect WordPress sites with malware ∗∗∗
---------------------------------------------
Researchers have spotted counterfeit versions of the jQuery Migrate plugin injected on dozens of websites which contains obfuscated code to load malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-jquery-files-infect-wor…
∗∗∗ Attackers could copy admin credentials from VMware vRealize ∗∗∗
---------------------------------------------
Important security updates are available for the cloud environment management software vRealize Operations.
---------------------------------------------
https://heise.de/-6002805
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, ldb, leptonlib, and linux-4.19), Fedora (busybox), Gentoo (openssl, redis, salt, and sqlite), Mageia (firefox, fwupd, glib2.0, python-aiohttp, radare2, thunderbird, and zeromq), openSUSE (firefox), SUSE (ovmf, tomcat, and zabbix), and Ubuntu (curl, lxml, and pygments).
---------------------------------------------
https://lwn.net/Articles/851269/
∗∗∗ Google Releases Security Updates for Chrome ∗∗∗
---------------------------------------------
Google has released Chrome version 89.0.4389.114 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/31/google-releases-s…
∗∗∗ SECURITY BULLETIN: March 2021 Security Bulletin for Trend Micro OfficeScan XG SP1 ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000286157
∗∗∗ Multiple dnsmasq vulnerabilities CVE-2020-25684, CVE-2020-25685, and CVE-2020-25686 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K98221124
∗∗∗ cURL: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0333
∗∗∗ Denial of Service in Rexroth ActiveMover using EtherNet/IP protocol ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-282922.html
∗∗∗ Denial of Service in Rexroth ActiveMover using Profinet protocol ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-637429.html
∗∗∗ SYSS-2021-006: SQL injection vulnerability in FireEye EX ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-006-sql-injection-schwachstelle-…
∗∗∗ SYSS-2021-005: SQL injection vulnerability in FireEye EX ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-005-sql-injection-schwachstelle-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 29-03-2021 18:00 − Tuesday 30-03-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Card Complete: Warning about deceptively genuine-looking phishing emails ∗∗∗
---------------------------------------------
Purported emails from Card Complete that look deceptively genuine are currently in circulation.
---------------------------------------------
https://futurezone.at/digital-life/card-complete-warnung-vor-taeuschend-ech…
∗∗∗ IT security expert: "With the Exchange cases we were at our limit" ∗∗∗
---------------------------------------------
Tim Philipp Schäfers is currently helping companies close security holes in Exchange. Some could have prevented damage quite easily, he says. An interview by Moritz Tremmel
---------------------------------------------
https://www.golem.de/news/it-sicherheitsexperte-bei-den-exchange-faellen-wa…
∗∗∗ New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats ∗∗∗
---------------------------------------------
The March 2021 Security Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of security budgets are allocated to protect firmware.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/03/30/new-security-signals-stu…
∗∗∗ Old TLS versions - gone, but not forgotten... well, not really "gone" either, (Tue, Mar 30th) ∗∗∗
---------------------------------------------
With the recent official deprecation of TLS 1.0 and TLS 1.1 by RFC 8996[1], a step, which has long been in preparation and which was preceded by many recommendations to discontinue the use of both protocols (as well as by the removal of support for them from all mainstream web browsers[2]), one might assume that the use of old TLS versions on the internet would have significantly decreased over the last few months. This has however not been the case.
---------------------------------------------
https://isc.sans.edu/diary/rss/27260
∗∗∗ You Just Received 25k USD in Your BTC Account! A Practical Phishing Defense Tutorial ∗∗∗
---------------------------------------------
From time to time, we all receive some unexpected messages, either through social media or email. Usually, these are harmless, meant to advertise a product or a service. However, sometimes they can be malicious, with an intent to steal our data and eventually our money; this is a so-called "phishing" attack.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/you-just-re…
∗∗∗ Unfair exchange: ransomware attacks surge globally amid Microsoft Exchange Server vulnerabilities ∗∗∗
---------------------------------------------
Following the recent disclosure of vulnerabilities affecting Microsoft Exchange Servers, Check Point Research (CPR) has observed a global surge in the number of ransomware attacks. In fact, since the beginning of 2021, there has been a 9% monthly increase in organizations affected by ransomware. This uptick includes a 57% increase in organizations affected by ransomware in the past 6 months.
---------------------------------------------
https://blog.checkpoint.com/2021/03/30/unfair-exchange-ransomware-attacks-s…
∗∗∗ Malicious commits found in PHP code repository: What you need to know ∗∗∗
---------------------------------------------
The PHP Git repository compromise is in the news. We break it down for you, and tell you what you need to know.
---------------------------------------------
https://blog.malwarebytes.com/hacking-2/2021/03/malicious-commits-found-in-…
∗∗∗ Akamai Sees Largest DDoS Extortion Attack Known to Date ∗∗∗
---------------------------------------------
Distributed denial of service (DDoS) attacks are growing bigger in volume, and they have also become more targeted and increasingly persistent, according to web security services provider Akamai.
---------------------------------------------
https://www.securityweek.com/akamai-sees-largest-ddos-extortion-attack-know…
∗∗∗ Do not buy Corona tests on classified-ad platforms ∗∗∗
---------------------------------------------
Through the "Alles gurgelt" initiative, Viennese residents receive free PCR gargle tests in all BIPA branches in Vienna. Up to 4 self-tests per person per week can be picked up. Some, however, try to earn a little pocket money with this offer and sell the free tests on classified-ad portals. The City of Vienna advises against buying the free tests on classified-ad portals.
---------------------------------------------
https://www.watchlist-internet.at/news/kaufen-sie-corona-tests-nicht-auf-kl…
∗∗∗ Attack landscape update: Ransomware 2.0, automated recon, and supply chain attacks ∗∗∗
---------------------------------------------
Data-stealing ransomware attacks, information harvesting malware, and supply chain attacks are some of the critical threats facing organizations highlighted in F-Secure's latest attack landscape update.
---------------------------------------------
https://blog.f-secure.com/attack-landscape-update-h1-2021/
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Cisco Products Snort TCP Fast Open File Policy Bypass Vulnerability ∗∗∗
---------------------------------------------
Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it is contained at least partially within the TFO connection handshake. An attacker could exploit this vulnerability by sending crafted TFO packets with an HTTP payload through an [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ ArcGIS general raster security update ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been identified when processing specially crafted files that may allow arbitrary code execution in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier). Esri has released updates for the affected products that resolve the high-risk vulnerabilities here.
---------------------------------------------
https://www.esri.com/arcgis-blog/products/arcgis/administration/security-ad…
∗∗∗ Xen Security Advisory CVE-2021-28688 / XSA-371 - Linux: blkback driver may leak persistent grants ∗∗∗
---------------------------------------------
A malicious or buggy frontend driver may be able to cause resource leaks from the corresponding backend driver. This can result in a host-wide Denial of Service (DoS).
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-371.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lxml), Fedora (openssl, pdfbox, rpm, and rubygem-kramdown), openSUSE (eclipse), Oracle (flatpak and openssl), Red Hat (curl, kernel, kpatch-patch, mariadb, nss-softokn, openssl, perl, and tomcat), and SUSE (firefox, ovmf, and tar).
---------------------------------------------
https://lwn.net/Articles/851164/
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
Two security issues have been identified in Citrix Hypervisor (formerly Citrix XenServer) that may allow privileged code in a guest VM to cause the host to crash or become unresponsive.
These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.2 LTSR.
---------------------------------------------
https://support.citrix.com/article/CTX306565
∗∗∗ Red Hat Enterprise Linux: Vulnerability allows manipulation of files ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0327
∗∗∗ Red Hat OpenShift: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0325
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-03-2021 18:00 − Monday 29-03-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Git hosting: Attack on PHP's code repository ∗∗∗
---------------------------------------------
Two backdoors were inserted into PHP's Git repository. As a consequence, the project no longer intends to host the code itself in future.
---------------------------------------------
https://www.golem.de/news/git-hosting-angriff-auf-phps-code-repository-2103…
∗∗∗ Spyware: Android malware poses as a system update ∗∗∗
---------------------------------------------
Through the trojan, which poses as an Android update, affected devices can be completely taken over.
---------------------------------------------
https://www.golem.de/news/spyware-android-malware-gibt-sich-als-systemupdat…
∗∗∗ Here Are the Free Ransomware Decryption Tools You Need to Use [2021 Updated] ∗∗∗
---------------------------------------------
If your network gets infected with ransomware, follow the steps below to recover essential data: Step 1: Do not pay the ransom because there is no guarantee that the ransomware creators will give you access to your data. Step 2: Find any available backups you have, and consider keeping your data backups in secure, off-site locations. Step [...]
---------------------------------------------
https://heimdalsecurity.com/blog/ransomware-decryption-tools/
∗∗∗ Malware Analysis with elastic-agent and Microsoft Sandbox, (Fri, Mar 26th) ∗∗∗
---------------------------------------------
Microsoft describes the "Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. [...] Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension."[6]
---------------------------------------------
https://isc.sans.edu/diary/rss/27248
∗∗∗ [SANS ISC] Jumping into Shellcode ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "Jumping into Shellcode": Malware analysis is exciting because you never know what you will find. In previous diaries, I already explained why it's important to have a look at groups of interesting Windows API calls to detect some behaviors. The classic example is code [...]
---------------------------------------------
https://blog.rootshell.be/2021/03/29/sans-isc-jumping-into-shellcode/
∗∗∗ Analyzing And Micropatching With Tetrane REVEN (Part 1, CVE-2021-26897) ∗∗∗
---------------------------------------------
March 2021 Windows Updates included fixes for seven vulnerabilities in Windows DNS Server, two of which were marked by Microsoft as "Exploitation More Likely": CVE-2021-26877 and CVE-2021-26897. They were not known to be exploited and no details were publicly available until security researchers Eoin Carroll and Kevin McGrath published their analysis on McAfee Labs blog. Their article included enough information for us to reproduce both vulnerabilities, [...]
---------------------------------------------
https://blog.0patch.com/2021/03/analyzing-and-micropatching-with.html
∗∗∗ Hades Ransomware Hits Big Firms, but Operators Slow to Respond to Victims ∗∗∗
---------------------------------------------
Researchers from CrowdStrike, Accenture, and Awake Security have dissected some of the attacks involving the Hades ransomware and published information on both the malware itself and the tactics, techniques and procedures (TTPs) employed by its operators.
---------------------------------------------
https://www.securityweek.com/hades-ransomware-hits-big-firms-operators-slow…
∗∗∗ Threat Assessment: Matrix Ransomware ∗∗∗
---------------------------------------------
We provide an overview of the Matrix ransomware family and offer indicators of compromise in this companion to the Unit 42 Ransomware Threat Report.
---------------------------------------------
https://unit42.paloaltonetworks.com/matrix-ransomware/
∗∗∗ Sodinokibi (aka REvil) Ransomware ∗∗∗
---------------------------------------------
Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind [...]
---------------------------------------------
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Exchange Server Post-Compromise Attack Activity Shared by Microsoft ∗∗∗
---------------------------------------------
In the context of ongoing Exchange Server attacks, Microsoft has shared information detailing post-compromise activity which has infected vulnerable targets with ransomware and a botnet.
---------------------------------------------
https://heimdalsecurity.com/blog/exchange-server-post-compromise-attack-act…
∗∗∗ Security vulnerability: npm package Netmask ignores the octal system in IP addresses ∗∗∗
---------------------------------------------
The widely used library does not evaluate octal numbers correctly and as a result potentially interprets, among other things, private addresses as public and vice versa.
---------------------------------------------
https://heise.de/-6000759
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (awstats, busybox, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gitlab, godot, groovy, libebml, mkinitcpio-busybox, openssl, python2, vivaldi, webkit2gtk, and wpewebkit), CentOS (firefox and thunderbird), Debian (pygments, spamassassin, thunderbird, and webkit2gtk), Fedora (CGAL, dotnet3.1, dotnet5.0, firefox, kernel, qt, and xen), Mageia (imagemagick, jackson-databind, openscad, redis, and unbound), openSUSE [...]
---------------------------------------------
https://lwn.net/Articles/851061/
∗∗∗ Newly-Discovered Vulnerabilities Could Allow for Bypass of Spectre Mitigations in Linux ∗∗∗
---------------------------------------------
Bugs could allow a malicious user to access data belonging to other users.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sp…
∗∗∗ Philips Gemini PET/CT Family ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Storage of Sensitive Data in a Mechanism Without Access Control vulnerability in Philips Gemini PET/CT Family scanners.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-084-01
∗∗∗ Weintek EasyWeb cMT ∗∗∗
---------------------------------------------
This advisory contains mitigations for Code Injection, Improper Access Control, and Cross-site Scripting vulnerabilities in Weintek EasyWeb cMT human-machine interface (HMI) products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-082-01
∗∗∗ Apple Security Updates March 26 2021 - Possible in the Wild Exploitation ∗∗∗
---------------------------------------------
Apple has published security updates for iOS, iOS and iPadOS, and watchOS. The updates all address the same, single vulnerability, in WebKit. The vulnerability may have been exploited in the wild.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/f7a453892e4d0d7f1e0a77077ea…
∗∗∗ CVE-2021-25646: Getting Code Execution on Apache Druid ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Pengsu Cheng and Prosenjit Sinha of the Trend Micro Research Team detail a recent code execution vulnerability in the Apache Druid database. The bug was originally discovered and reported by Litch1 from the Security Team of Alibaba Cloud. The following is a portion of their write-up covering CVE-2021-25646, with a few minimal modifications.
---------------------------------------------
https://www.thezdi.com/blog/2021/3/25/cve-2021-25646-getting-code-execution…
∗∗∗ [webapps] WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/49718
∗∗∗ OpenSSL vulnerability CVE-2021-3449 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K83623027
∗∗∗ OpenSSL vulnerability CVE-2021-3450 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52171694
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-03-2021 18:00 − Friday 26-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ FBI exposes weakness in Mamba ransomware, DiskCryptor ∗∗∗
---------------------------------------------
An alert from the U.S. Federal Bureau of Investigation about Mamba ransomware reveals a weak spot in the encryption process that could help targeted organizations recover from the attack without paying the ransom.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-exposes-weakness-in-mamb…
∗∗∗ Office macro execution evidence, (Fri, Mar 26th) ∗∗∗
---------------------------------------------
Microsoft Office Macros continue to be the security nightmare that they have been for the past 3 decades. System and security admins everywhere continue to try to protect their users from prevalent macro malware, but they find Microsoft's tooling often less than helpful.
---------------------------------------------
https://isc.sans.edu/diary/rss/27244
∗∗∗ New 5G Flaw Exposes Priority Networks to Location Tracking and Other Attacks ∗∗∗
---------------------------------------------
New research into 5G architecture has uncovered a security flaw in its network slicing and virtualized network functions that could be exploited to allow data access and denial of service attacks between different network slices on a mobile operator's 5G network. AdaptiveMobile shared its findings with the GSM Association (GSMA) on February 4, 2021, following which the weaknesses were [...]
---------------------------------------------
https://thehackernews.com/2021/03/new-5g-flaw-exposes-priority-networks.html
∗∗∗ Perkiler malware turns to SMB brute force to spread ∗∗∗
---------------------------------------------
Perkiler is now using SMB brute force attacks to spread, which is not a new concept, but why attack SMB instead of RDP?
---------------------------------------------
https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb…
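Added example, not from the Malwarebytes article: the detection a SOC would want for the behaviour described above. Windows logs every failed authentication as Security event 4625 with a Logon Type; SMB authentication shows up as network logons (type 3), RDP as RemoteInteractive (type 10). The log lines below are constructed in a simplified one-line layout (timestamp, event ID, logon type, source address, target user), not real event exports, and the threshold and window are assumed values.

```python
"""Detect password brute forcing from Windows Security logon events.
Added example; the sample lines are constructed and use a simplified
field layout standing in for the real 4625/4624 event fields."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp event_id logon_type source_ip target_user
SAMPLE_EVENTS = """\
2021-03-26T10:00:01 4625 3 10.0.0.23 administrator
2021-03-26T10:00:03 4625 3 10.0.0.23 admin
2021-03-26T10:00:05 4625 3 10.0.0.23 backup
2021-03-26T10:00:08 4625 3 10.0.0.23 administrator
2021-03-26T10:00:10 4625 3 10.0.0.23 svc_sql
2021-03-26T10:00:12 4625 3 10.0.0.23 administrator
2021-03-26T10:00:30 4624 3 10.0.0.23 administrator
2021-03-26T10:01:00 4625 3 10.0.0.5 jdoe
2021-03-26T10:11:00 4625 3 10.0.0.5 jdoe
2021-03-26T10:02:00 4625 10 10.0.0.7 jdoe
2021-03-26T10:02:02 4625 10 10.0.0.7 jdoe
2021-03-26T10:02:04 4625 10 10.0.0.7 jdoe
2021-03-26T10:02:06 4625 10 10.0.0.7 jdoe
2021-03-26T10:02:08 4625 10 10.0.0.7 jdoe
"""


def parse_events(text):
    """Parse the simplified line format into sorted tuples; skips blank/comment lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event_id, logon_type, src, user = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), src, user))
    return sorted(events)


def detect_bruteforce(events, logon_types=frozenset({3}), threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failed logons (4625) per source address.

    logon_types selects the channel: {3} = network logons, which is what SMB
    authentication produces; {10} = RemoteInteractive (RDP).
    A source is flagged once it has >= threshold failures inside `window`.
    A later 4624 (success) of the same type from a flagged source is recorded
    as 'success_after': the password-guessed case responders care about most.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) inside the window
    alerts = {}
    for ts, eid, ltype, src, user in events:
        if ltype not in logon_types:
            continue
        if eid == 4624:
            if src in alerts and alerts[src]["success_after"] is None:
                alerts[src]["success_after"] = ts
            continue
        if eid != 4625:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(src, {"first": q[0][0], "last": ts, "count": 0,
                                        "users": set(), "success_after": None})
            a["last"] = ts
            a["count"] = max(a["count"], len(q))
            a["users"].update(u for _, u in q)
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for label, types in (("SMB/network", {3}), ("RDP", {10})):
        for src, a in detect_bruteforce(evs, frozenset(types)).items():
            print(label, src, a["count"], "failures, users:", sorted(a["users"]),
                  "success after:", a["success_after"])
```

Two caveats for real deployments: logon type 3 covers every network authentication (NTLM and Kerberos), not only SMB, so tying a hit to port 445 needs netflow or the share-access events; and nothing is logged unless the "Audit Logon" failure subcategory is enabled on the targets.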
∗∗∗ Dumping LSASS in memory undetected using MirrorDump ∗∗∗
---------------------------------------------
As I am sure some of you are aware from the occasional ramblings and screenshots on twitter, I am a big fan of .NET based offensive tooling. Not because [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/dumping-lsass-in-memory-undet…
∗∗∗ 20 Million Miners: Finding Malicious Cryptojacking Images in Docker Hub ∗∗∗
---------------------------------------------
Container images are a simple way to distribute software - including malicious cryptojacking images attackers use to distribute cryptominers.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-cryptojacking-images/
∗∗∗ Exchange Server attacks: Microsoft shares intelligence on post-compromise activities ∗∗∗
---------------------------------------------
If you're cleaning up an infected Exchange server, you need to look for traces of multiple threats, warns Microsoft.
---------------------------------------------
https://www.zdnet.com/article/exchange-server-attacks-microsoft-shares-inte…
∗∗∗ Current information on the ProxyLogon Exchange vulnerabilities in Austria ∗∗∗
---------------------------------------------
TL;DR 254 Exchange servers are still unpatched (as of 2021-03-26). On 18 March there were still 839.
From 23 March to 26 March a total of 437 webshells were found in Austria.
The patch rate has slowed somewhat. We see the usual exponential decline in vulnerable systems.
However, the mitigation that Microsoft Defender has applied automatically since 18 March appears to have served its purpose.
---------------------------------------------
https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-proxylogon-excha…
∗∗∗ PsExec Privilege Escalation in Windows Fixed ∗∗∗
---------------------------------------------
A component of Microsoft's Sysinternals utility was found in January 2021 to be vulnerable to privilege escalation. According to the release notes from Microsoft: "This update to PsExec mitigates named pipe squatting attacks that can be leveraged by an attacker to intercept credentials or elevate to System privilege."
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/e97cd1b85394822631fcc1589f7…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft releases Windows 10 SSU to fix security update issue ∗∗∗
---------------------------------------------
Microsoft has released the Windows 10 1909 KB5000850 cumulative update preview and a new KB5001205 Servicing Stack Update that resolves a Secure Boot vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-…
∗∗∗ Another Critical RCE Flaw Discovered in SolarWinds Orion Platform ∗∗∗
---------------------------------------------
IT infrastructure management provider SolarWinds on Thursday released a new update to its Orion networking monitoring tool with fixes for four security vulnerabilities, counting two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution (RCE). Chief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via [...]
---------------------------------------------
https://thehackernews.com/2021/03/solarwinds-orion-vulnerability.html
∗∗∗ Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 ∗∗∗
---------------------------------------------
On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. This advisory will be updated as additional information becomes available.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
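Added example, not from Cisco's advisory or the OpenSSL project: a small checker that classifies an `openssl version` string against the two issues. The affected ranges are taken from the OpenSSL Security Advisory of 25 March 2021 rather than from the text above: CVE-2021-3449 (NULL dereference in TLS 1.2 renegotiation, server DoS) affects 1.1.1 through 1.1.1j, CVE-2021-3450 (the CA-flag check bypass when X509_V_FLAG_X509_STRICT is set) affects 1.1.1h through 1.1.1j, and both are fixed in 1.1.1k.

```python
"""Classify an OpenSSL version string against CVE-2021-3449 / CVE-2021-3450.
Added example; the inclusive version bounds below are taken from the
OpenSSL Security Advisory [25 March 2021], both issues fixed in 1.1.1k."""
import re
import subprocess

AFFECTED = {
    "CVE-2021-3449": ("1.1.1", "1.1.1j"),   # TLS 1.2 renegotiation NULL deref (DoS)
    "CVE-2021-3450": ("1.1.1h", "1.1.1j"),  # X509_V_FLAG_X509_STRICT CA check bypass
}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn 'OpenSSL 1.1.1j  16 Feb 2021' into a comparable tuple (1, 1, 1, 10).
    The letter suffix becomes an integer: '' -> 0, 'a' -> 1, ..., 'k' -> 11,
    so plain tuple comparison orders 1.1.1 < 1.1.1h < 1.1.1j < 1.1.1k."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch, letter = m.groups()
    suffix = 0
    for ch in letter:
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(patch), suffix)


def affected_cves(version_text):
    """Return the CVE IDs whose affected range contains the given version."""
    v = parse_version(version_text)
    hits = []
    for cve, (lo, hi) in AFFECTED.items():
        if parse_version("OpenSSL " + lo) <= v <= parse_version("OpenSSL " + hi):
            hits.append(cve)
    return hits


def local_openssl_version():
    """Run `openssl version` on this host; None if the binary is missing."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False)
        return out.stdout.strip()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    v = local_openssl_version()
    if v is None:
        print("openssl binary not found")
    else:
        print(v, "->", affected_cves(v) or "not in the affected ranges")
```

Two caveats when using this against real hosts: distribution packages backport fixes without bumping the upstream version string (a Debian or Red Hat 1.1.1d can be fully patched), so the package changelog is the authority there; and CVE-2021-3450 only bites applications that explicitly set X509_V_FLAG_X509_STRICT, which is not the default, so an affected version is not automatically an exposed one.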
∗∗∗ Security updates: attackers could crash Samba LDAP servers ∗∗∗
---------------------------------------------
Several vulnerabilities in Samba put systems at risk. Patched versions are available for download.
---------------------------------------------
https://heise.de/-5999401
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, jquery, openssl, and thunderbird), openSUSE (openssl-1_1 and tor), Oracle (firefox and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (libzypp, zypper and openssl-1_1), and Ubuntu (firefox, ldb, openssl, and ruby2.0).
---------------------------------------------
https://lwn.net/Articles/850703/
∗∗∗ Synology-SA-21:13 Samba AD DC ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers and remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_13
∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210324-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in node.js may affect configuration editor used in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-1971, CVE-2020-8265, CVE-2020-8287 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM License Metric Tool v9 (CVE-2020-14782). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Intel Ethernet Controller vulnerabilities CVE-2020-24497, CVE-2020-24498, CVE-2020-24500, CVE-2020-24501, and CVE-2020-24505 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K85738358
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-03-2021 18:00 − Thursday 25-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Cisco fixes remote vulnerabilities in Jabber clients for Windows, macOS & mobile systems ∗∗∗
---------------------------------------------
An update closes entry points, some rated critical, in Cisco's Jabber client for Windows, macOS, Android & iOS. Other products received updates as well.
---------------------------------------------
https://heise.de/-5997987
∗∗∗ IETF declares TLS ancestors 1.0 and 1.1 obsolete ∗∗∗
---------------------------------------------
Weak cryptography and plenty of security vulnerabilities have led to the end of TLS 1.0 and 1.1 (formally deprecated in RFC 8996).
---------------------------------------------
https://heise.de/-5997963
∗∗∗ Fleeceware lures users into subscription traps ∗∗∗
---------------------------------------------
Researchers at Avast have discovered hundreds of fleeceware mobile apps on Google Play and in the Apple App Store with which their developers earn millions of dollars.
---------------------------------------------
https://www.zdnet.de/88394043/fleeceware-lockt-in-abofallen/
∗∗∗ QNAP warns of ongoing brute-force attacks against NAS devices ∗∗∗
---------------------------------------------
QNAP warns customers of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urges them to immediately take action to mitigate them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-warns-of-ongoing-brute-…
∗∗∗ Threat landscape for industrial automation systems. Statistics for H2 2020 ∗∗∗
---------------------------------------------
We continued our observations and identified a number of trends that could, in our opinion, be due to circumstances connected with the pandemic in one way or another, as well as the reaction of governments, organizations and people to these circumstances.
---------------------------------------------
https://securelist.com/threat-landscape-for-industrial-automation-systems-s…
∗∗∗ Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis ∗∗∗
---------------------------------------------
On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange server[1]. We customized our Anglerfish honeypot to simulate and deploy Microsoft Exchange honeypot plug-in on March 3, and soon we started to see a large amount of related data, so far, we have already [...]
---------------------------------------------
https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855…
∗∗∗ From Creative Password Hashes to Administrator: Gone in 60 Seconds (Or Thereabouts) ∗∗∗
---------------------------------------------
Picture the scene, you’re on an application penetration test (as a normal user) and you’ve managed to bag yourself some password hashes from the application. This can happen in various ways but in my experience, this is often the result of either a SQL injection vulnerability (resulting in the dumping of the users table) or finding that the application (or associated API) spits these hashes out in responses (because they are only hashes and what could go wrong!?).
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-creati…
∗∗∗ Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild ∗∗∗
---------------------------------------------
On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s "Legacy" Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-th…
∗∗∗ Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system.
---------------------------------------------
https://www.securityweek.com/mamba-ransomware-leverages-diskcryptor-encrypt…
∗∗∗ Webshells Observed in Post-Compromised Exchange Servers ∗∗∗
---------------------------------------------
CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each new MAR (AR21-084A and AR21-084B) identifies a webshell observed in post-compromised Microsoft Exchange Servers. After successfully exploiting a Microsoft Exchange Server vulnerability for initial access, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/25/webshells-observe…
=====================
= Vulnerabilities =
=====================
∗∗∗ Crypto library: OpenSSL vulnerability in certificate checks ∗∗∗
---------------------------------------------
An OpenSSL flaw in certificate validation affects only a few applications; another bug lets servers crash.
---------------------------------------------
https://www.golem.de/news/kryptobibliothek-openssl-luecke-in-zertifikatsche…
∗∗∗ SAP® privilege escalation via ABAP code injection in SAP® Business Warehouse ∗∗∗
---------------------------------------------
This blog post gives an overview of a critical ABAP code injection vulnerability within the function module RSDMD_BATCH_CALL in SAP® Business Warehouse and illustrates its impact.
---------------------------------------------
https://sec-consult.com/de/blog/detail/privilege-escalation-abap-code-injec…
∗∗∗ Two Vulnerabilities Patched in Facebook for WordPress Plugin ∗∗∗
---------------------------------------------
On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-faceb…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and lxml), Fedora (jasper), openSUSE (gnutls, hawk2, ldb, libass, nghttp2, and ruby2.5), Oracle (pki-core:10.6), Red Hat (firefox and thunderbird), SUSE (evolution-data-server, ldb, python3, and zstd), and Ubuntu (ldb, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-signed, linux-snapdragon, and linux, linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/850498/
∗∗∗ Intel Ethernet controller vulnerabilities CVE-2020-24492, CVE-2020-24493, CVE-2020-24494, CVE-2020-24495, CVE-2020-24496 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K91610944?utm_source=f5support&utm_mediu…
∗∗∗ Red Hat OpenShift: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0308
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Go vulnerabilities (CVE-2020-28851 and CVE-2020-28852) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-3114 and CVE-2021-3115) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager (Oct 2020 and Jan 2021 CPUs) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-wat…
∗∗∗ Security Bulletin: App Connect for Manufacturing 2.0 is affected by vulnerabilities of log4j 1.2.17 – Log4j Deserialization Remote Code Execution (CVE-2019-17571) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-for-manufactu…
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js vulnerabilities (CVE-2020-1971, CVE-2020-8265, and CVE-2020-8287) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26217) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26258, CVE-2020-26259) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-03-2021 18:00 − Wednesday 24-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft warns of phishing attacks bypassing email gateways ∗∗∗
---------------------------------------------
An ongoing phishing operation that stole an estimated 400,000 OWA and Office 365 credentials since December has now expanded to abuse new legitimate services to bypass secure email gateways (SEGs).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-phishing-…
∗∗∗ Purple Fox Rootkit Can Now Spread Itself to Other Windows Computers ∗∗∗
---------------------------------------------
Purple Fox, a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities.
---------------------------------------------
https://thehackernews.com/2021/03/purple-fox-rootkit-can-now-spread.html
∗∗∗ Numerous negative reviews of fashionmanufaktur.at ∗∗∗
---------------------------------------------
For months, negative experiences and reviews from numerous consumers concerning the online shop fashionmanufaktur.at have been piling up.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-negative-bewertungen-zu-f…
∗∗∗ Fake Websites Used in COVID-19 Themed Phishing Attacks, Impersonating Brands Like Pfizer and BioNTech ∗∗∗
---------------------------------------------
We describe trends in COVID-19 themed phishing attacks since the start of the pandemic to gain insight into the topics that attackers try to exploit.
---------------------------------------------
https://unit42.paloaltonetworks.com/covid-19-themed-phishing-attacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-354: (0Day) Lepide Active Directory Self Service Backup Missing Authentication Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Lepide Active Directory Self Service. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-354/
∗∗∗ Cisco Security Advisories 2021-03-24 ∗∗∗
---------------------------------------------
1 Critical, 18 High, 19 Medium severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick and squid), Fedora (jasper and kernel), Red Hat (pki-core), SUSE (gnutls, go1.15, go1.16, hawk2, jetty-minimal, libass, nghttp2, openssl, ruby2.5, sudo, and wavpack), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, linux-oem-5.10, linux-oem-5.6, linux-oracle, linux-oracle-5.4,[...]
---------------------------------------------
https://lwn.net/Articles/850352/
∗∗∗ SaltStack revises partial patch for command injection, privilege escalation vulnerability ∗∗∗
---------------------------------------------
The second fix was reportedly necessary after SaltStack did not participate in coordinated disclosure.
---------------------------------------------
https://www.zdnet.com/article/saltstack-revises-partial-patch-for-command-i…
∗∗∗ Uncontrolled Search Path Element in Multiple Bosch Products ∗∗∗
---------------------------------------------
BOSCH-SA-835563-BT: Multiple Bosch software applications are affected by a security vulnerability, which potentially allows an attacker to load additional code in the form of DLLs (commonly known as "DLL Hijacking" or "DLL Preloading").
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-835563-bt.html
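Added example, not Bosch's advisory text or tooling: the precondition for the DLL hijacking class named above is a directory on the loader's search path that a low-privileged user can write to (or create). The audit below walks a PATH-style string and reports exactly those entries; the "weak" PATH it demonstrates on is constructed inside a temporary directory, and the reason labels are this example's own.

```python
"""Audit a PATH-style search path for entries an attacker could plant files in.
Added example (not Bosch's advisory or tooling); the 'weak' PATH used by
demo_weak_path() is constructed in a temp directory."""
import os
import shutil
import tempfile


def _can_write(directory):
    """Probe by actually creating and deleting a temp file. More reliable than
    os.access(): that ignores Windows ACLs and is always true for root, which
    is exactly the user you do not want to audit as."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory, prefix=".pathprobe-"):
            pass
        return True
    except OSError:
        return False


def _nearest_existing_dir(path):
    """Walk up until an existing directory is found (for missing entries)."""
    while not os.path.isdir(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def risky_search_path_entries(path_value, pathsep=os.pathsep):
    """Return [(entry, reason)] for entries a low-privileged user could abuse:
      'relative'  - empty or relative entry, resolved against the process cwd
      'writable'  - directory exists and the probing user can write into it
      'creatable' - directory is missing but its nearest existing ancestor is
                    writable, so the attacker can create it and drop a library
    Findings keep PATH order, i.e. the order in which the loader searches."""
    findings = []
    for entry in path_value.split(pathsep):
        if entry.strip() == "" or not os.path.isabs(entry):
            findings.append((entry, "relative"))
        elif os.path.isdir(entry):
            if _can_write(entry):
                findings.append((entry, "writable"))
        elif _can_write(_nearest_existing_dir(entry)):
            findings.append((entry, "creatable"))
    return findings


def demo_weak_path():
    """Constructed sample: a writable dir, a missing subdir of it, a relative
    entry and an empty entry. Returns the audit findings for that PATH."""
    tmp = tempfile.mkdtemp(prefix="pathaudit-")
    weak = os.pathsep.join([tmp, os.path.join(tmp, "tools"), "bin", ""])
    try:
        return risky_search_path_entries(weak)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    # Audit the PATH of the current process; run it as the unprivileged user,
    # not as an administrator, or every directory will look writable.
    for entry, reason in risky_search_path_entries(os.environ.get("PATH", "")):
        print("%-10s %s" % (reason, entry or "<empty>"))
```

This covers only the PATH tail of the Windows DLL search order: the application's own directory and, depending on SafeDllSearchMode, the current working directory are consulted earlier, so the ACL on the install directory and the DLL names the program probes for and fails to find (the "NAME NOT FOUND" entries in Process Monitor) need a separate look.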
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storage System where an attacker could cause a denial of service (CVE-2020-5015) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -[All] jQuery (Publicly disclosed vulnerability) – 180875 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SE affects IBM Elastic Storage Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2020-14803, CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM® SDK, Java™ Technology Edition shipped with IBM Tivoli Netcool Impact (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i…
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0522 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K37283878
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0523 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31445234
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0524 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K83504933
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0525 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44482551
∗∗∗ Linux Kernel: vulnerability allows code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0306
∗∗∗ Pro-FTPd: vulnerability allows denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0304
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-03-2021 18:00 − Tuesday 23-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ A Popular Remote Lesson Monitoring Program Might be Exploited by Attackers ∗∗∗
---------------------------------------------
Netop is software specialized in providing visibility into student activities: it lets teachers see what their students see, and teachers can also share their screen, lock student screens and keyboards, and block websites with the click of a button. The software designed and advertised for helping teachers keep control of lessons [...]
---------------------------------------------
https://heimdalsecurity.com/blog/lesson-monitoring-program-exploited/
∗∗∗ Secure containerized environments with updated threat matrix for Kubernetes ∗∗∗
---------------------------------------------
The updated threat matrix for Kubernetes adds new techniques found by Microsoft researchers, as well as techniques that were suggested by the community.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-env…
∗∗∗ Nim Strings, (Mon, Mar 22nd) ∗∗∗
---------------------------------------------
On Tuesday's Stormcast, Johannes talked about malware written in the Nim Programming language.
---------------------------------------------
https://isc.sans.edu/diary/rss/27230
∗∗∗ Intel processors: two undocumented microcode instructions uncovered ∗∗∗
---------------------------------------------
Security researchers discover instructions that can change the behaviour of Intel processors, so far, however, only in a special debugging mode.
---------------------------------------------
https://heise.de/-5994965
∗∗∗ Extortion by e-mail: criminals demand Bitcoins ∗∗∗
---------------------------------------------
Fraudulent extortion e-mails are currently being sent in growing numbers. In them, criminals claim to have hacked your devices and to be able to watch everything you do live. They allegedly have proof that you regularly visit porn sites. A video showing you masturbating is supposed to exist as well. To keep the criminals from publishing it, they demand a transfer of Bitcoins.
---------------------------------------------
https://www.watchlist-internet.at/news/erpressung-per-e-mail-kriminelle-for…
∗∗∗ Ransomware gangs have found another set of new targets: Schools and universities ∗∗∗
---------------------------------------------
National Cyber Security Centre issues advice on how to protect networks from cyber criminals after a spike in ransomware attacks causing disruption across the education sector over the last month
---------------------------------------------
https://www.zdnet.com/article/ransomware-attacks-against-schools-are-rocket…
=====================
= Vulnerabilities =
=====================
∗∗∗ New versions: Firefox 87, Firefox ESR and Thunderbird 78.9 with security fixes ∗∗∗
---------------------------------------------
Updates for Firefox, Firefox ESR and the e-mail client Thunderbird include fixes for vulnerabilities alongside functional changes.
---------------------------------------------
https://heise.de/-5996236
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dnsmasq, libmediainfo, and mariadb-10.1), Fedora (dotnet5.0, moodle, and radare2), Mageia (kernel and kernel-linus), Oracle (python27:2.7, python36:3.6, and python38:3.8), Red Hat (pki-core:10.6), and Ubuntu (privoxy).
---------------------------------------------
https://lwn.net/Articles/850188/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0002 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2021-0002.html
∗∗∗ Synology-SA-21:12 Synology Calendar ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Calendar.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_12
∗∗∗ Weintek EasyWeb cMT ∗∗∗
---------------------------------------------
This advisory contains mitigations for Code Injection, Improper Access Control, and Cross-site Scripting vulnerabilities in Weintek EasyWeb cMT human-machine interface (HMI) products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-082-01
∗∗∗ GE MU320E ∗∗∗
---------------------------------------------
This advisory contains mitigations for Use of Hard-coded Password, Execution with Unnecessary Privileges, and Inadequate Encryption Strength vulnerabilities in GE MU320E firmware.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-082-02
∗∗∗ GE Reason DR60 ∗∗∗
---------------------------------------------
This advisory contains mitigations for Hard-coded Password, Code Injection, and Execution with Unnecessary Privileges vulnerabilities in GE Reason DR60 digital fault recorder products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-082-03
∗∗∗ Ovarro TBox ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-054-04P Ovarro TBox that posted to the HSIN ICS library on February 23, 2021. This advisory contains mitigations for Code Injection, Incorrect Permission Assignment for Critical Resource, Uncontrolled Resource Consumption, Insufficiently Protected Credentials, and Use of Hard-coded Cryptographic Key vulnerabilities in Ovarro TBox remote terminal units (RTUs).
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-054-04
∗∗∗ Security Bulletin: Multiple vulnerabilities are affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2021-20336, CVE-2020-17530) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Lift ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-lift/
∗∗∗ OTRS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0299
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-03-2021 18:00 − Monday 22-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ DDoS booters now abuse DTLS servers to amplify attacks ∗∗∗
---------------------------------------------
DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security (D/TLS) servers to amplify Distributed Denial of Service (DDoS) attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-…
∗∗∗ Microsoft Exchange servers now targeted by BlackKingdom ransomware ∗∗∗
---------------------------------------------
Another ransomware operation known as BlackKingdom is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-n…
∗∗∗ Office 365 Phishing Attack Targets Financial Execs ∗∗∗
---------------------------------------------
Attackers move on new CEOs, using transition confusion to harvest Microsoft credentials.
---------------------------------------------
https://threatpost.com/office-365-phishing-attack-financial-execs/164925/
∗∗∗ Critical F5 BIG-IP Bug Under Active Attacks After PoC Exploit Posted Online ∗∗∗
---------------------------------------------
Almost 10 days after application security company F5 Networks released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products, adversaries have begun opportunistically mass scanning and targeting exposed and unpatched networking devices to break into enterprise networks. News of in-the-wild exploitation comes on the heels of proof-of-concept exploit code that surfaced online [...]
---------------------------------------------
https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html
∗∗∗ Multi-factor Authentication. Reset MFA you say? ∗∗∗
---------------------------------------------
MFA is a no brainer. It helps mitigate the risk of password re-use, overly simple passwords and more. Just don’t confuse it with 2SV... Anyway, when we’re red teaming, MFA [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/multi-factor-authentication-r…
∗∗∗ Advertised on Willhaben? Beware of mob-willhaben.at SMS! ∗∗∗
---------------------------------------------
Numerous Willhaben users are currently contacting Watchlist Internet because they have received a fraudulent SMS about a Willhaben listing. The nasty part: the people concerned are actually offering goods on Willhaben at the moment. The SMS usually claims that someone has paid for the goods. A link it contains leads to a fake Willhaben page that tries to harvest data and install a trojan.
---------------------------------------------
https://www.watchlist-internet.at/news/auf-willhaben-inseriert-vorsicht-vor…
∗∗∗ Metamorfo/Mekotio Banking Trojan Uses AutoHotKey Scripting ∗∗∗
---------------------------------------------
The Cofense Phishing Defense Center (PDC) takes a brief look at Mekotio, also known as Metamorfo, a banking Trojan with Latin American origins that is now expanding its reach to victims across Europe. This trojan is one that makes use of a little known scripting language known as AutoHotKey (AHK).
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/6e934f1121d09aff346710499c0…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-342: Samsung Galaxy S20 libimagecodec Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Samsung Galaxy S20. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-342/
∗∗∗ Apache OFBiz: Update removes remote vulnerability from open-source ERP software ∗∗∗
---------------------------------------------
The open-source enterprise resource planning software OFBiz could be attacked remotely. A fixed version and a patch are available.
---------------------------------------------
https://heise.de/-5994429
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, ffmpeg, flatpak, git, gnutls, minio, openssh, opera, and wireshark-qt), Debian (cloud-init, pygments, and xterm), Fedora (flatpak, glib2, kernel, kernel-headers, kernel-tools, pki-core, and upx), Mageia (glibc, htmlunit, koji, and python-cairosvg), openSUSE (chromium, connman, froxlor, grub2, libmysofa, netty, privoxy, python-markdown2, tor, and velocity), Oracle (ipa), SUSE (evolution-data-server, glib2, openssl, python3, python36, and [...]
---------------------------------------------
https://lwn.net/Articles/850068/
∗∗∗ Adobe Patches Critical ColdFusion Security Flaw ∗∗∗
---------------------------------------------
Adobe has released an urgent patch for a potentially dangerous security vulnerability in Adobe ColdFusion, the platform used for building and deploying mobile and web apps.
---------------------------------------------
https://www.securityweek.com/adobe-patches-critical-coldfusion-security-flaw
∗∗∗ TMM vulnerability CVE-2021-23007 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K37451543
∗∗∗ Atlassian Jira Software: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0297
∗∗∗ UNIVERGE Aspire series PBX vulnerable to denial-of-service (DoS) ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN12737530/
∗∗∗ Security updates available in Foxit Reader 10.1.3, Foxit PhantomPDF 10.1.3 and 3D Plugin Beta 10.1.3.37598 ∗∗∗
---------------------------------------------
https://www.foxitsoftware.com/support/security-bulletins.html
∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerabilities CVE-2021-23839, CVE-2021-23840 and CVE-2021-23841 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser…
∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo…
∗∗∗ Security Bulletin: Websphere Application Server is vulnerable to a directory traversal vulnerability (CVE-2020-5016) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2020 CPU (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition affects IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Struts framework affects IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-03-2021 18:00 − Friday 19-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft Defender Antivirus fixes vulnerabilities in Exchange Server ∗∗∗
---------------------------------------------
Microsoft has implemented an automatic mitigation tool in Defender Antivirus to close critical vulnerabilities in Exchange Server, since even after weeks tens of thousands of servers are still unpatched.
---------------------------------------------
https://www.zdnet.de/88393956/microsoft-defender-antivirus-behebt-sicherhei…
∗∗∗ New CopperStealer malware steals Google, Apple, Facebook accounts ∗∗∗
---------------------------------------------
Previously undocumented account-stealing malware distributed via fake software crack sites targets the users of major service providers, including Google, Facebook, Amazon, and Apple.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-copperstealer-malware-st…
∗∗∗ REvil ransomware has a new ‘Windows Safe Mode’ encryption mode ∗∗∗
---------------------------------------------
The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-w…
∗∗∗ Vulnerabilities: Hacker group used 11 zero-days in one year ∗∗∗
---------------------------------------------
Google's Project Zero reports on a hacker group that used a whole series of zero-days to hack its victims' fully patched devices.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-hackergruppe-nutzte-11-zero-da…
∗∗∗ Easy SMS Hijacking ∗∗∗
---------------------------------------------
Vice is reporting on a cell phone vulnerability caused by commercial SMS services. One of the things these services permit is text message forwarding. It turns out that with a little bit of anonymous money - in this case, $16 off an anonymous prepaid credit card - and a few lies, you can forward the text messages from any phone to any other phone.
---------------------------------------------
https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html
∗∗∗ Caution when booking holidays: Dubious websites lure with cheap offers ∗∗∗
---------------------------------------------
Fancy the Maldives? Perhaps Phuket? Or, given the ongoing corona crisis, would you rather holiday at home: in Vienna? Or in Mayrhofen in Tyrol? Accommodation at these destinations is currently being offered by dubious booking platforms. We show you which websites you should rather not book on.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-der-urlaubsbuchung-unse…
∗∗∗ Beware Android trojan posing as Clubhouse app ∗∗∗
---------------------------------------------
The malware can grab login credentials for more than 450 apps and bypass SMS-based two-factor authentication
---------------------------------------------
https://www.welivesecurity.com/2021/03/18/beware-android-trojan-posing-club…
∗∗∗ AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool ∗∗∗
---------------------------------------------
This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts: AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa21-077a
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in SOYAL Biometric Access Control System 5.0 ∗∗∗
---------------------------------------------
Zeroscience has found multiple vulnerabilities in the Biometric Access Control System product by the manufacturer SOYAL.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ Multiple vulnerabilities in KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 ∗∗∗
---------------------------------------------
Zeroscience has found multiple vulnerabilities in Wi-Fi/VoIP CPEs by the manufacturers KZ Broadband Technologies, Jaton and Neotel, including an RCE.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel and pki-core), Debian (shibboleth-sp, shibboleth-sp2, and squid3), openSUSE (libmysofa and privoxy), Oracle (bind), and Ubuntu (ruby2.3, ruby2.5, and ruby2.7).
---------------------------------------------
https://lwn.net/Articles/849847/
∗∗∗ Johnson Controls Exacq Technologies exacqVision ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Information Exposure vulnerability in Exacq Technologies exacqVision web service. Exacq Technologies is a subsidiary of Johnson Controls.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-077-01
∗∗∗ Hitachi ABB Power Grids eSOMS ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Hitachi ABB Power Grids eSOMS software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-077-02
∗∗∗ Hitachi ABB Power Grids eSOMS Telerik ∗∗∗
---------------------------------------------
This advisory contains mitigations for Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, and Insufficiently Protected Credentials vulnerabilities in some Hitachi ABB Power Grids eSOMS products using Telerik software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-077-03
∗∗∗ Rockwell Automation Logix Controllers (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-056-03 Rockwell Automation Logix Controllers that was published February 25, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03
∗∗∗ Fuji Xerox multifunction devices and printers vulnerable to denial-of-service (DoS) ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN37607293/
∗∗∗ March 17, 2021 TNS-2021-04 [R1] Nessus Agent 8.2.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2021-04-0
∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime Environment affects installation and uninstallation of IBM Spectrum Protect for Enterprise Resource Planning on AIX and Linux (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Security vulnerable to a stack-based buffer overflow (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit…
∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-03-2021 18:00 − Thursday 18-03-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions ∗∗∗
---------------------------------------------
Can you help Shadowserver sign up more countries/networks in Africa and the Indo-Pacific to receive our free daily network reports and help secure the Internet? We are running a UK FCDO funded surge in Feb/March 2021, aimed at increasing outreach and expanding our honeypot sensor network in those regions. We are seeking introductions, contacts and hosting so please get in touch if you can help us achieve these goals.
---------------------------------------------
https://www.shadowserver.org/news/uk-foreign-commonwealth-development-offic…
∗∗∗ SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests ∗∗∗
---------------------------------------------
Existing victim networks are used to test out payloads as a novel form of sandbox.
---------------------------------------------
https://www.zdnet.com/article/solarwinds-linked-hacking-group-silverfish-ab…
∗∗∗ TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise ∗∗∗
---------------------------------------------
CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/17/ttp-table-detecti…
∗∗∗ ~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet ∗∗∗
---------------------------------------------
DDoS-for-hire services adopt new technique that amplifies attacks 37 fold.
---------------------------------------------
https://arstechnica.com/?p=1750512
∗∗∗ New XcodeSpy malware targets iOS devs in supply-chain attack ∗∗∗
---------------------------------------------
A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer's computer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-xcodespy-malware-targets…
∗∗∗ Convuster: macOS adware now in Rust ∗∗∗
---------------------------------------------
Convuster adware for macOS is written in Rust and able to use Gatekeeper to evade analysis.
---------------------------------------------
https://securelist.com/convuster-macos-adware-in-rust/101258/
∗∗∗ Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux ∗∗∗
---------------------------------------------
Back in January, we blogged about a new botnet Necro and shortly after our report, it stopped spreading. On March 2nd, we noticed a new variant of Necro showing up on our BotMon tracking radar: the BotMon system has detected that Necro has started spreading again, [...]
---------------------------------------------
https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-d…
∗∗∗ Server Side Data Exfiltration via Telegram API ∗∗∗
---------------------------------------------
One of the themes commonly highlighted on this blog includes the many creative methods and techniques attackers employ to steal data from compromised websites. Credit card skimmers, credential and password hijackers, SQL injections, and even malware on the server level can be used for data exfiltration. What’s more, attackers may be able to accomplish this feat with a few mere lines of code.
---------------------------------------------
https://blog.sucuri.net/2021/03/server-side-data-exfiltration-via-telegram-…
∗∗∗ Simple Python Keylogger ∗∗∗
---------------------------------------------
A keylogger is one of the core features implemented by many malware families to exfiltrate interesting data and learn about the victim. Besides the fact that interesting keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by having a look at the text typed on the keyboard, the attacker can profile his target and estimate whether it's a juicy one or not.
---------------------------------------------
https://isc.sans.edu/diary/rss/27216
∗∗∗ Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability ∗∗∗
---------------------------------------------
On Feb. 20, 2021, Unit 42 researchers observed attempts to exploit CVE-2020-9020, which is a Remote Command Execution (RCE) vulnerability in Iteris' Vantage Velocity field unit versions 2.3.1, 2.4.2 and 3.0. As a travel data measurement system, Vantage Velocity captures travel data from a large number of vehicles. If a device is compromised, [...]
---------------------------------------------
https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-v…
∗∗∗ NimzaLoader Malware ∗∗∗
---------------------------------------------
NimzaLoader is a new initial access malware that is relatively unique in its usage of the Nim programming language. Proofpoint observed this malware being distributed in a TA800 email campaign in place of BazaLoader
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/0a3e6c8474f098e6b497c889ebd…
=====================
= Vulnerabilities =
=====================
∗∗∗ SYSS-2020-044: Security issue in the screen sharing functionality of Zoom (CVE-2021-28133) ∗∗∗
---------------------------------------------
A SySS proof-of-concept video demonstrates a security issue in the screen sharing function of the video conferencing software Zoom.
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2020-044-sicherheitsproblem-in-screen…
∗∗∗ Tutor LMS for WordPress Open to Info-Stealing Security Holes ∗∗∗
---------------------------------------------
The popular learning-management system for teacher-student communication is rife with SQL-injection vulnerabilities.
---------------------------------------------
https://threatpost.com/tutor-lms-wordpress-security-holes/164868/
∗∗∗ Critical RCE Flaw Reported in MyBB Forum Software—Patch Your Sites ∗∗∗
---------------------------------------------
A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an [...]
---------------------------------------------
https://thehackernews.com/2021/03/critical-rce-flaw-reported-in-mybb.html
∗∗∗ ZDI-21-337: Hewlett Packard Enterprise Network Orchestrator uaf-token SQL Injection Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Network Orchestrator. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-337/
∗∗∗ ZDI-21-341: (0Day) (Pwn2Own) Sony X800H Smart TV Vewd Type-Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sony X800H Smart TV. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-341/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (velocity-tools), Fedora (switchboard-plug-bluetooth), Mageia (discover, flatpak, and xmlgraphics-commons), openSUSE (chromium and python), Oracle (kernel, kernel-container, and pki-core), Red Hat (openvswitch2.11 and ovn2.11, python-django, qemu-kvm-rhev, and rubygem-em-http-request), and SUSE (crmsh, openssl1, and php53).
---------------------------------------------
https://lwn.net/Articles/849737/
∗∗∗ Xen: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0289
∗∗∗ Drupal: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0287
∗∗∗ Security Bulletin: z/TPF is affected by OpenSSL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-open…
∗∗∗ Security Bulletin: March 2021 : Vulnerability in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-vulnerability-…
∗∗∗ Security Bulletin: March 2021 : Vulnerability in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-vulnerability-…
∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p…
∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p…
∗∗∗ Security Bulletin: IBM Security Guardium External S-TAP is affected by an Execution with Unnecessary Privileges vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ext…
∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi…
∗∗∗ Security Bulletin: March 2021 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-multiple-vulne…
∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition affects IBM Spectrum Scale ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd…
∗∗∗ Security Bulletin: IBM Resilient vulnerable to username enumeration (CVE-2020-4635) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-vulnerable-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-03-2021 18:00 − Wednesday 17-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Mimecast says SolarWinds hackers breached its network and spied on customers ∗∗∗
---------------------------------------------
Mimecast-issued certificate used to connect to customers’ Microsoft 365 tenants.
---------------------------------------------
https://arstechnica.com/?p=1750098
∗∗∗ Twitter images can be abused to hide ZIP, MP3 files — here's how ∗∗∗
---------------------------------------------
Yesterday, a researcher disclosed a method of hiding up to three MB of data inside a Twitter image. In his demonstration, the researcher showed both MP3 audio files and ZIP archives contained within the PNG images hosted on Twitter.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/twitter-images-can-be-abused…
∗∗∗ Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities ∗∗∗
---------------------------------------------
This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/03/16/guidance-for-responders-inve…
∗∗∗ Microsoft Exchange Server: These quarterly updates include fixes for security flaws ∗∗∗
---------------------------------------------
Microsoft releases Exchange Server 2016 and 2019 cumulative updates that address critical flaws.
---------------------------------------------
https://www.zdnet.com/article/microsoft-exchange-server-these-quarterly-upd…
∗∗∗ New ICS Threat Activity Group: VANADINITE ∗∗∗
---------------------------------------------
The new VANADINITE activity group targets electric utilities, oil and gas, manufacturing, telecommunications, and transportation.
---------------------------------------------
https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-van…
∗∗∗ How criminals hack your website unnoticed to run fake shops ∗∗∗
---------------------------------------------
Security vulnerabilities on the websites of companies and associations are also used to place fake shops. By means of cloaking, criminals redirect visitors to fake shops. The affected companies and associations know nothing about it. We explain how cloaking works and what you can do about it.
---------------------------------------------
https://www.watchlist-internet.at/news/so-hacken-kriminelle-unbemerkt-ihre-…
∗∗∗ New Mirai Variant Targeting Network Security Devices ∗∗∗
---------------------------------------------
We discovered ongoing attacks leveraging IoT vulnerabilities, including in network security devices, to serve a Mirai variant.
---------------------------------------------
https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
∗∗∗ NIS2 Proposal: First feedback on the normative text ∗∗∗
---------------------------------------------
After looking at the recitals a few weeks ago, here is my feedback on the normative text of the NIS2 proposal.
---------------------------------------------
https://cert.at/en/blog/2021/3/nis2-proposal-first-feedback-on-the-normativ…
∗∗∗ CISA-FBI Joint Advisory on TrickBot Malware ∗∗∗
---------------------------------------------
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/17/cisa-fbi-joint-ad…
∗∗∗ CVE-2021-27076: A Replay-Style Deserialization Attack Against SharePoint ∗∗∗
---------------------------------------------
An attacker is frequently in the position of having to find a technique to evade some data integrity measure implemented by a target.
---------------------------------------------
https://www.thezdi.com/blog/2021/3/17/cve-2021-27076-a-replay-style-deseria…
=====================
= Vulnerabilities =
=====================
∗∗∗ Researcher adds their package to Microsoft Azure SDK releases list ∗∗∗
---------------------------------------------
A security researcher was able to add their own test package to the official list of the latest Microsoft Azure SDK releases. If abused by an attacker, this simple trick can give the impression that a malicious package is part of the Azure SDK suite.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researcher-adds-their-packag…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (shadow, tor, and velocity), Fedora (gsoap, qt5-qtsvg, and switchboard-plug-bluetooth), Mageia (batik, chromium-browser-stable, glibc, ksh, and microcode), openSUSE (389-ds, connman, freeradius-server, froxlor, openssl-1_0_0, openssl-1_1, postgresql12, and python-markdown2), Red Hat (bind, curl, kernel, nss and nss-softokn, perl, python, and tomcat), Scientific Linux (ipa, kernel, and pki-core), SUSE (glib2 and velocity), and Ubuntu (containerd).
---------------------------------------------
https://lwn.net/Articles/849622/
∗∗∗ WordPress plugin "Paid Memberships Pro" vulnerable to SQL injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN08191557/
∗∗∗ Cisco Small Business RV132W and RV134W Routers Management Interface Remote Command Execution and Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 was affected by multiple vulnerabilities in jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i…
∗∗∗ Security Bulletin: CVE-2020-14782 may affect IBM® SDK, Java™ Technology Edition for Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14782-may-affect…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Rational Application Developer is vulnerable to CVE-2020-2773 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-application-deve…
∗∗∗ Security Bulletin: IBM Security Directory Suite is affected by a vulnerability (CVE-2020-4329) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-su…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update February 2021 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (CVE-2020-13434, CVE-2020-13435) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-ident…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities have been fixed in the IBM Security Access Manager and IBM Security Verify Access appliances. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-03-2021 18:30 − Tuesday 16-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ FBI warns of escalating Pysa ransomware attacks on education orgs ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-escalating-pysa…
∗∗∗ One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021 ∗∗∗
---------------------------------------------
We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that [...]
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/03/15/one-click-microsoft-exchange…
∗∗∗ Video conferencing: keeping confidential matters confidential ∗∗∗
---------------------------------------------
Due to the Corona pandemic, the use of video conferencing solutions in public administration and business has increased considerably. The systems serve not only for communication but also for the joint creation and editing of documents.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ Buying pinhole glasses on ayurreadpro.com? – We advise against it! ∗∗∗
---------------------------------------------
Anyone searching online for ways to improve their eyesight or for eye training methods will most likely come across pinhole glasses. Pinhole glasses are black plastic glasses with a hole pattern in the "lenses" that supposedly prevent and correct poor eyesight. However, there are no scientifically confirmed studies on the effectiveness of the glasses, which cost just under 60 euros. In extreme cases, even serious damage could [...]
---------------------------------------------
https://www.watchlist-internet.at/news/eine-rasterbrille-auf-ayurreadprocom…
∗∗∗ Finding Metasploit & Cobalt Strike URLs, (Mon, Mar 15th) ∗∗∗
---------------------------------------------
Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consists of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants.
---------------------------------------------
https://isc.sans.edu/diary/rss/27204
∗∗∗ Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks ∗∗∗
---------------------------------------------
New research has yielded yet another means to pilfer sensitive data by exploiting what's the first "on-chip, cross-core" side-channel attack targeting the ring interconnect used in Intel Coffee Lake and Skylake processors. Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium coming this [...]
---------------------------------------------
https://thehackernews.com/2021/03/malware-can-exploit-new-flaw-in-intel.html
∗∗∗ Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution ∗∗∗
---------------------------------------------
We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection.
---------------------------------------------
https://www.rtcsec.com/post/2021/03/bug-discovery-diaries-abusing-voipmonit…
∗∗∗ Hackers are targeting telecoms companies to steal 5G secrets ∗∗∗
---------------------------------------------
Cybersecurity researchers at McAfee detail an ongoing cyber espionage campaign which is targeting telecoms companies around the world.
---------------------------------------------
https://www.zdnet.com/article/hackers-are-targeting-telecoms-companies-to-s…
∗∗∗ Exploring my doorbell ∗∗∗
---------------------------------------------
I've talked about my doorbell before, but started looking at it again this week because sometimes it simply doesn't send notifications to my Home Assistant setup - the push notifications appear on my phone, but the doorbell simply doesn't trigger the HTTP callback it's meant to[1]. This is obviously suboptimal, but it's also tricky to debug a device when you have no access to it.
---------------------------------------------
https://mjg59.dreamwidth.org/56345.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tomcat8), Fedora (git), openSUSE (opera), Oracle (python), Red Hat (ipa, kernel, kernel-rt, kpatch-patch, and pki-core), SUSE (compat-openssl098 and python), and Ubuntu (glib2.0, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, [...]
---------------------------------------------
https://lwn.net/Articles/849501/
∗∗∗ This years-old Microsoft Office vulnerability is still popular with hackers, so patch now ∗∗∗
---------------------------------------------
Despite receiving a security update in 2017, cyber criminals are still finding success with this old vulnerability for delivering malware.
---------------------------------------------
https://www.zdnet.com/article/this-years-old-microsoft-office-vulnerability…
∗∗∗ Current figures on the Exchange vulnerabilities in Austria ∗∗∗
---------------------------------------------
TL;DR
1074 Exchange servers are still unpatched (as of 2021-03-16). After the first active scans between 9 and 12 March there were still 2236.
So far, 465 webshells have been found in Austria by Shadowserver and Kryptos Logic.
Initial patch discipline was apparently high.
If possible, use Microsoft's script at https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-pr… to find and mitigate webshells [...]
---------------------------------------------
https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-exchange-schwach…
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Cross-site Scripting vulnerability in Advantech WebAccess/SCADA browser-based software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-01
∗∗∗ GE UR family ∗∗∗
---------------------------------------------
This advisory contains mitigations for multiple vulnerabilities in GE UR family of protection and control relays.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02
∗∗∗ Hitachi ABB Power Grids AFS Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Infinite Loop vulnerability in Hitachi ABB Power Grids AFS Series products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-075-03
∗∗∗ BD Alaris 8015 PC Unit (Update B) ∗∗∗
---------------------------------------------
[...] This advisory contains compensating controls to reduce the risk of exploitation of insufficiently protected credentials and security features vulnerabilities in BD Alaris 8015 Point of Care units, which provide a common user interface for programming [...]
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-17-017-02
∗∗∗ DP API encryption ineffective in Windows containers: Publicly Available Cryptographic Keys (CVE-2021-1645) ∗∗∗
---------------------------------------------
We recently discovered a vulnerability in the DP API key management of Windows containers. This vulnerability was assigned CVE-2021-1645 by Microsoft [1] and allowed attackers to decrypt any data that was encrypted with DP API keys in Windows containers. This vulnerability was discovered in close cooperation with SignPath [2].
---------------------------------------------
https://certitude.consulting/blog/en/windows-docker-dp-api-vulnerability-cv…
∗∗∗ Apache Tomcat vulnerability CVE-2021-25329 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K73648110
∗∗∗ Apache Tomcat vulnerability CVE-2021-25122 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K00174195
∗∗∗ TYPO3 Extensions: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0276
∗∗∗ TYPO3 Core: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0275
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-a…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in Libxml2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m…
∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale allows to inject malicious content into log files (CVE-2020-4851) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SE affects IBM Spectrum Scale ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-03-2021 18:30 − Monday 15-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Protecting on-premises Exchange Servers against recent attacks ∗∗∗
---------------------------------------------
While Microsoft has regular methods for providing tools to update software, this extraordinary situation calls for a heightened approach. In addition to our regular software updates, we are also providing specific updates for older and out-of-support software with the intent to make it as easy as possible to quickly protect your business.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-e…
∗∗∗ Update available! ∗∗∗
---------------------------------------------
On World Consumer Rights Day, the BSI provides information and advice on the simple and automatic installation of software updates.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ Research: Security Agencies Expose Information via Improperly Sanitized PDFs ∗∗∗
---------------------------------------------
Most security agencies fail to properly sanitize Portable Document Format (PDF) files before publishing them, thus exposing potentially sensitive information and opening the door for attacks, researchers have discovered.
---------------------------------------------
https://www.securityweek.com/research-security-agencies-expose-information-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Three Flaws in the Linux Kernel Since 2006 Could Grant Root Privileges ∗∗∗
---------------------------------------------
"Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account," reports SC Media: "If you already had execution on a box, either because you have a user account on the machine, or you've compromised some service that doesn't have repaired permissions, you can do whatever you want basically," said Adam Nichols, [...]
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/d0iuqi9zTtI/three-flaws-in-…
∗∗∗ Security update: attackers once again target Google Chrome ∗∗∗
---------------------------------------------
The Chrome developers have closed five security vulnerabilities in the web browser. One vulnerability is said to be currently exploited by attackers.
---------------------------------------------
https://heise.de/-5987831
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ca-certificates, flatpak, golang-1.7, golang-1.8, mupdf, pygments, and tiff), Fedora (containerd, golang-github-containerd-cri, mingw-gdk-pixbuf, mingw-glib2, mingw-jasper, mingw-python-jinja2, mingw-python-pillow, mingw-python3, python-django, python-pillow, and python2-pillow), Mageia (git, mediainfo, netty, python-django, and quartz), openSUSE (crmsh, git, glib2, kernel-firmware, openldap2, stunnel, and wpa_supplicant), Oracle (qemu), Red Hat [...]
---------------------------------------------
https://lwn.net/Articles/849406/
∗∗∗ GnuTLS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0273
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Apr 2020 CPU (CVE-2020-2773) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: Streams Flows might be affected by some underlying Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-streams-flows-might-be-af…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a denial of service vulnerability (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Storwize V7000 Unified ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Execution with Unnecessary Privileges vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime Environment affects installation and uninstallation of IBM Spectrum Protect for Enterprise Resource Planning on AIX and Linux (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2020 CPU (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM API Connect's API Manager is vulnerable to invitation and registration link tampering (CVE-2021-20440) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-api-mana…
∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4448) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by remote code execution (CVE-2020-4450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-03-2021 18:30 − Friday 12-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Waiting for a parcel? Beware of this fraudulent e-mail! ∗∗∗
---------------------------------------------
Time and again, criminals try to lure you into a subscription trap or get hold of your data with false claims. Readers are currently reporting fraudulent e-mails to us which claim that a parcel cannot be delivered because the address is missing. But beware: it is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/sie-warten-auf-ein-paket-vorsicht-vo…
∗∗∗ Additional costs & long delivery times? How to avoid problems with online shops outside the EU! ∗∗∗
---------------------------------------------
Time and again, online shops are reported to us that are not fake shops but are still problematic. This applies in particular to shops that are either based outside the EU or ship from outside the EU. We show you what to look out for so that you do not get any nasty surprises when shopping online abroad!
---------------------------------------------
https://www.watchlist-internet.at/news/zusatzkosten-lange-lieferzeiten-so-v…
∗∗∗ New DEARCRY Ransomware is targeting Microsoft Exchange Servers ∗∗∗
---------------------------------------------
A new ransomware called DEARCRY is targeting Microsoft Exchange servers, with one victim stating they were infected via the ProxyLogon vulnerabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-dearcry-ransomware-is-ta…
∗∗∗ What Are BEC Attacks? ∗∗∗
---------------------------------------------
Otherwise known as BEC, Business e-mail compromise happens when an attacker hacks into a corporate e-mail account and impersonates the real owner with the sole purpose of defrauding the company, its customers, partners and/or employees into sending money or sensitive data to the attacker's account. Also known as the "man-in-the-email" attack, BEC scams start with [...]
---------------------------------------------
https://heimdalsecurity.com/blog/what-are-bec-attacks/
∗∗∗ New Threat: ZHtrap botnet implements honeypot to facilitate finding more victims ∗∗∗
---------------------------------------------
In the security community, when people talk about honeypots, by default we would assume this is one of the most used toolkits for security researchers to lure the bad guys. But recently we came across a botnet that uses a honeypot to harvest other infected devices, which is quite interesting.
---------------------------------------------
https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/
∗∗∗ A Spectre proof-of-concept for a Spectre-proof web ∗∗∗
---------------------------------------------
Three years ago, Spectre changed the way we think about security boundaries on the web. It quickly became clear that flaws in modern processors undermined the guarantees that web browsers could make about preventing data leaks between applications. As a result, web browser vendors have been continuously collaborating on approaches intended to harden the platform at scale. Nevertheless, this class of attacks still [...]
---------------------------------------------
https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spec…
∗∗∗ Mac Malware XCSSET Adapted for Devices With M1 Chips ∗∗∗
---------------------------------------------
An increasing number of Mac malware developers have started creating variants that are specifically designed to run on devices powered by Apple’s M1 chip.
---------------------------------------------
https://www.securityweek.com/mac-malware-xcsset-adapted-devices-m1-chips
∗∗∗ New Browser Attack Allows Tracking Users Online With JavaScript Disabled ∗∗∗
---------------------------------------------
[...] the latest research released this week aims to bypass such browser-based mitigations by implementing a side-channel attack called "CSS Prime+Probe" constructed solely using HTML and CSS, allowing the attack to work even in hardened browsers like Tor, Chrome Zero, and DeterFox that have JavaScript fully disabled or limit the resolution of the timer API.
---------------------------------------------
https://thehackernews.com/2021/03/new-browser-attack-allows-tracking.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Advisory: D-Link DIR-3060 Authenticated RCE (CVE-2021-28144) ∗∗∗
---------------------------------------------
The D-Link DIR-3060 (running firmware versions below v1.11b04) is affected by a post-authentication command injection vulnerability. Anybody with authenticated access to a DIR-3060 would be able to run arbitrary system commands on the device as the system "admin" user, with root privileges. D-Link has released a patched firmware version v1.11b04 Hotfix 2 to address this issue. Affected users are advised to apply the patch.
---------------------------------------------
https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mupdf and pygments), Fedora (arm-none-eabi-newlib, nodejs, python3.10, and suricata), Mageia (ansible, ceph, firejail, glib2.0, gnuplot, libcaca, mumble, openssh, postgresql, python-cryptography, python-httplib2, python-yaml, roundcubemail, and ruby-mechanize), Scientific Linux (wpa_supplicant), Slackware (git), SUSE (crmsh, libsolv, libzypp, yast2-installation, zypper, openssl-1_0_0, python, and stunnel), and Ubuntu (pillow).
---------------------------------------------
https://lwn.net/Articles/849208/
∗∗∗ Schneider Electric IGSS SCADA Software ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerabilities in Schneider Electric IGSS SCADA software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-070-01
∗∗∗ Wireshark: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0266
∗∗∗ NetBSD Foundation NetBSD OS: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0270
∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-8277 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c…
∗∗∗ Security Bulletin: A security vulnerability in Vault affects Bastion Service of IBM Cloud Pak for Multicloud Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerability in TLS (CVE-2020-4831) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul…
∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in Libxml2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-…
∗∗∗ Security Bulletin: A security vulnerability in Vault affects Bastion Service of IBM Cloud Pak for Multicloud Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-26116 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-03-2021 18:30 − Thursday 11-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ The Hafnium Exchange Server Hack: Anatomy of a Disaster ∗∗∗
---------------------------------------------
Could Microsoft have prevented the mass hack of Exchange servers by reacting faster? The sequence of events raises questions.
---------------------------------------------
https://heise.de/-5077269
∗∗∗ NAT slipstreaming attacks: It gets even worse ∗∗∗
---------------------------------------------
Time to act: With NAT slipstreaming 2.0, criminals can attack not only the victim's device but any IP address on the network.
---------------------------------------------
https://heise.de/-5078104
∗∗∗ Exchange vulnerabilities: Now comes the cybercrime wave with extortion ∗∗∗
---------------------------------------------
A public exploit for the security vulnerabilities in Microsoft Exchange means that the first extortion cases are just around the corner.
---------------------------------------------
https://heise.de/-5078180
∗∗∗ F5 Announces Critical BIG-IP pre-auth RCE bug ∗∗∗
---------------------------------------------
F5 Networks is a leading provider of enterprise networking gear, with software and hardware customers like governments, Fortune 500 firms, banks, internet service providers, and largely known consumer brands (Microsoft, Oracle, and Facebook). The patch refers to the four critical vulnerabilities listed below and also includes a pre-auth RCE security flaw (CVE-2021-22986) that allows unauthenticated [...]
---------------------------------------------
https://heimdalsecurity.com/blog/f5-announces-critical-bug/
∗∗∗ FIN8 Resurfaces with Revamped Backdoor Malware ∗∗∗
---------------------------------------------
The financial cyber-gang is running limited attacks ahead of broader offensives on point-of-sale systems.
---------------------------------------------
https://threatpost.com/fin8-resurfaces-backdoor-malware/164684/
∗∗∗ Piktochart - Phishing with Infographics, (Thu, Mar 11th) ∗∗∗
---------------------------------------------
In line with our recent diaries featuring unique attack vectors for credential theft, such as phishing over LinkedIn Mail[1] and pretending to be an Outlook version update[2], we've recently learned of a phishing campaign targeting users of the Infographic service Piktochart.
---------------------------------------------
https://isc.sans.edu/diary/rss/27194
∗∗∗ Magento 2 PHP Credit Card Skimmer Saves to JPG ∗∗∗
---------------------------------------------
Bad actors often leverage creative techniques to conceal malicious behaviour and harvest sensitive information from ecommerce websites. A recent investigation for a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file.
---------------------------------------------
https://blog.sucuri.net/2021/03/magento-2-php-credit-card-skimmer-saves-to-…
∗∗∗ Home Assistant, Pwned Passwords and Security Misconceptions ∗∗∗
---------------------------------------------
Two of my favourite things these days are Have I Been Pwned and Home Assistant. The former is an obvious choice, the latter I've come to love as I've embarked on my home automation journey. So, it was with great pleasure that I saw the two integrated recently: always something.
---------------------------------------------
https://www.troyhunt.com/home-assistant-pwned-passwords-and-security-miscon…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (zeromq3), Oracle (dotnet, dotnet3.1, python3, and wpa_supplicant), and Red Hat (wpa_supplicant).
---------------------------------------------
https://lwn.net/Articles/849088/
∗∗∗ Security Advisory - Sudo Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210310…
∗∗∗ Paessler PRTG: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0260
∗∗∗ Linux kernel ext3/ext4 file system vulnerability CVE-2020-14314 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K67830124
∗∗∗ glibc vulnerability CVE-2019-25013 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K68251873
∗∗∗ glibc vulnerability CVE-2020-29573 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K27238230
∗∗∗ Security Bulletin: IBM Sterling Connect:Express for UNIX is Affected by Multiple Vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectexpre…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4135). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Symbolic Link Permissions Problem Modeler Subscription Installer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-symbolic-link-permissions…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4200). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 was affected by vulnerability in jackson-databind (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-03-2021 18:30 − Wednesday 10-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Exchange hack: Microsoft 365 migration tool replaced by a text file ∗∗∗
---------------------------------------------
A Golem.de reader wanted to migrate his employer's Exchange accounts to Microsoft 365. Instead of the helper tool, he received a text file containing a message.
---------------------------------------------
https://www.golem.de/news/exchange-hack-microsoft-365-migrationstool-durch-…
∗∗∗ Unauthenticated MQTT endpoints on Linksys Velop routers enable local DoS ∗∗∗
---------------------------------------------
(Edit: this is CVE-2021-1000002) Linksys produces a series of wifi mesh routers under the Velop line. These routers use MQTT to send messages to each other for coordination purposes. In the version I tested against, there was zero authentication on this - anyone on the local network is able to connect to the MQTT interface on a router and send commands.
---------------------------------------------
https://mjg59.dreamwidth.org/56106.html
∗∗∗ Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 ∗∗∗
---------------------------------------------
Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs.
These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/03/05/microsoft-exchange-server-vu…
∗∗∗ SharpRDP - PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th) ∗∗∗
---------------------------------------------
With the amount of remediation folks have these days to catch malicious execution of powershell or the use of tools like psexec, red teams have to be asking themselves - what approach is next for lateral movement after you get that first foothold?
---------------------------------------------
https://isc.sans.edu/diary/rss/27188
∗∗∗ Researchers Unveil New Linux Malware Linked to Chinese Hackers ∗∗∗
---------------------------------------------
Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog.
---------------------------------------------
https://thehackernews.com/2021/03/researchers-unveil-new-linux-malware.html
∗∗∗ Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks ∗∗∗
---------------------------------------------
Security researchers have identified multiple vulnerabilities in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the most severe of which could allow a remote, unauthenticated attacker to execute arbitrary code.
---------------------------------------------
https://www.securityweek.com/unpatched-flaws-netgear-business-switches-expo…
∗∗∗ Targeted HelloKitty Ransomware Attack ∗∗∗
---------------------------------------------
SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red. HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/78d773e3e014982f6b10f60ac70…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Patch Tuesday - March 2021 ∗∗∗
---------------------------------------------
In their March 2021 security updates, Microsoft list eighty-three CVE numbered vulnerabilities. Of those, ten are rated as Critical with the remainder being rated as Important. Aside from the already well publicized exploitation of the Exchange server vulnerabilities, an Internet Explorer vulnerability is reported as being exploited in the wild.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/c82f6a928a7278759e5eec21b3e…
∗∗∗ Adobe Patch Day: Malicious code vulnerabilities in Connect, Creative Cloud and Framemaker ∗∗∗
---------------------------------------------
Software vendor Adobe has closed several critical security vulnerabilities in various applications.
---------------------------------------------
https://heise.de/-5076338
∗∗∗ Version control system Git 2.30.2 fixes security vulnerability when cloning ∗∗∗
---------------------------------------------
Under certain circumstances, the vulnerability allows scripts to be executed when cloning repositories.
---------------------------------------------
https://heise.de/-5076502
∗∗∗ SAP Patch Day: Critical vulnerabilities in SAP MII and NetWeaver AS for Java eliminated ∗∗∗
---------------------------------------------
Among other things, SAP has closed two security vulnerabilities in Manufacturing Integration and Intelligence (MII) and NetWeaver AS JAVA with CVSS scores close to 10.
---------------------------------------------
https://heise.de/-5076543
∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in 3MF Consortium lib3mf ∗∗∗
---------------------------------------------
3MF Consortium’s lib3mf library is vulnerable to a use-after-free vulnerability that could allow an adversary to execute remote code on the victim machine. The lib3mf library is an open-source implementation of the 3MF file format and standard, mainly used for 3D-printing. An attacker could send a target a specially crafted file to create a use-after-free condition.
---------------------------------------------
https://blog.talosintelligence.com/2021/03/vuln-spotlight-3mf-lib-.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and privoxy), Fedora (libtpms, privoxy, and x11vnc), openSUSE (chromium), Red Hat (.NET 5.0, .NET Core, .NET Core 2.1, .NET Core 3.1, dotnet, and dotnet3.1), SUSE (git, kernel, openssl-1_1, and wpa_supplicant), and Ubuntu (git and openssh).
---------------------------------------------
https://lwn.net/Articles/848973/
∗∗∗ QEMU: Vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
CB-K21/0250: QEMU: Vulnerability allows execution of arbitrary code with the privileges of the service
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0250
∗∗∗ SSA-979775 V1.0: Stack Overflow Vulnerability in SCALANCE and RUGGEDCOM Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-979775.txt
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a denial of service vulnerability (CVE-2020-2781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2021 CPU (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Go denial of service vulnerability (CVE-2020-7919) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 and Jan 2021 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4464) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in Docker (CVE-2021-21285, CVE-2021-21284) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planning (Q12021) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Directory Traversal vulnerability (CVE-2020-5016) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2021 CPU (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ BIG-IQ DCD vulnerability CVE-2021-22996 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K16352404?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IQ HA vulnerability CVE-2021-22995 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13155201?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IQ HA vulnerability CVE-2021-22997 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K34074377?utm_source=f5support&utm_mediu…
∗∗∗ F5 TMUI XSS vulnerability CVE-2021-22994 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K66851119?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23003 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K43470422?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP ASM iControl REST vulnerability CVE-2021-23001 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K06440657?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K55237223?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP TMM vulnerability CVE-2021-23000 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K34441555?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP SNAT vulnerability CVE-2021-22998 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31934524?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IQ HA vulnerability CVE-2021-23005 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01243064?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23004 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31025212?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IQ XSS vulnerability CVE-2021-23006 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30585021?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP APM VPN vulnerability CVE-2021-23002 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K71891773?utm_source=f5support&utm_mediu…
∗∗∗ TMM buffer-overflow vulnerability CVE-2021-22991 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K56715231?utm_source=f5support&utm_mediu…
∗∗∗ TMUI authenticated remote command execution vulnerability CVE-2021-22988 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K70031188?utm_source=f5support&utm_mediu…
∗∗∗ Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K45056101?utm_source=f5support&utm_mediu…
∗∗∗ BIG-IP HTTP/2 vulnerability CVE-2021-22999 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K02333782?utm_source=f5support&utm_mediu…
∗∗∗ Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K18132488?utm_source=f5support&utm_mediu…
∗∗∗ iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K03009991?utm_source=f5support&utm_mediu…
∗∗∗ Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52510511?utm_source=f5support&utm_mediu…
∗∗∗ Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K56142644?utm_source=f5support&utm_mediu…
∗∗∗ glibc vulnerability CVE-2021-3326 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44945790?utm_source=f5support&utm_mediu…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-03-2021 18:30 − Tuesday 09-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ z0Miner botnet hunts for unpatched ElasticSearch, Jenkins servers ∗∗∗
---------------------------------------------
A cryptomining botnet spotted last year is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero (XMR) cryptocurrency.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/z0miner-botnet-hunts-for-unp…
∗∗∗ GitHub Fixed a Bug impacting Authenticated Sessions ∗∗∗
---------------------------------------------
Earlier this month GitHub received a report of anomalous behavior from an external party, therefore they fixed the bug trying to protect user accounts against a potentially serious security vulnerability. The weird behavior was generated by a race condition vulnerability that misrouted the GitHub user’s login session to the web browser of another logged-in user, [...]
---------------------------------------------
https://heimdalsecurity.com/blog/github-fixes-bug/
∗∗∗ Serious Security: Webshells explained in the aftermath of HAFNIUM attacks ∗∗∗
---------------------------------------------
Webshells explained, with some (safe) examples you can try at home if you want to learn more.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-expl…
∗∗∗ 9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices. "This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect [...]
---------------------------------------------
https://thehackernews.com/2021/03/9-android-apps-on-google-play-caught.html
∗∗∗ Fuzzing grub: part 1 ∗∗∗
---------------------------------------------
Recently a set of 8 vulnerabilities were disclosed for the grub bootloader. I found 2 of them (CVE-2021-20225 and CVE-2021-20233), and contributed a number of other fixes for crashing bugs which we don't believe are exploitable. I found them by applying fuzz testing to grub. Here's how.
---------------------------------------------
https://sthbrx.github.io/blog/2021/03/04/fuzzing-grub-part-1/
∗∗∗ Beware of fraudulent apartment listings on Facebook Marketplace ∗∗∗
---------------------------------------------
Rental and owner-occupied apartments are also listed on Facebook Marketplace. If the price is very low, however, you should be careful, as it could be fraud. If landlords claim they are abroad and want to handle the viewing and the transfer of the deposit via Airbnb, you can be certain that it is fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-wohnung…
∗∗∗ Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning ∗∗∗
---------------------------------------------
We review vulnerabilities in dnsmasq, an open source DNS resolver, deep dive into DNS cache poisoning and describe effects on cloud products.
---------------------------------------------
https://unit42.paloaltonetworks.com/overview-of-dnsmasq-vulnerabilities-the…
=====================
= Vulnerabilities =
=====================
∗∗∗ Adobe fixes critical Creative Cloud, Adobe Connect vulnerabilities ∗∗∗
---------------------------------------------
Adobe has released security updates that fix vulnerabilities in Adobe Creative Cloud Desktop, Framemaker, and Connect.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-creativ…
∗∗∗ Apple Plugs Severe WebKit Remote Code-Execution Hole ∗∗∗
---------------------------------------------
Apple pushed out security updates for a memory-corruption bug to devices running on iOS, macOS, watchOS and for Safari.
---------------------------------------------
https://threatpost.com/apple-webkit-remote-code-execution/164595/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox, kernel, kernel-headers, kernel-tools, libebml, and wpa_supplicant), openSUSE (mbedtls), Oracle (kernel, kernel-container, and screen), Red Hat (curl, kernel, kernel-rt, kpatch-patch, nss-softokn, python, and virt:rhel and virt-devel:rhel), Scientific Linux (screen), SUSE (389-ds, crmsh, openldap2, openssl-1_0_0, and wpa_supplicant), and Ubuntu (glib2.0, gnome-autoar, golang-1.10, golang-1.14, and libzstd).
---------------------------------------------
https://lwn.net/Articles/848835/
∗∗∗ Siemens Releases Several Advisories for Vulnerabilities in Third-Party Components ∗∗∗
---------------------------------------------
Siemens on Tuesday published 12 new security advisories to inform customers about nearly two dozen vulnerabilities affecting its products.
---------------------------------------------
https://www.securityweek.com/siemens-releases-several-advisories-vulnerabil…
∗∗∗ Synology-SA-21:11 Download Station ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Download Station.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_11
∗∗∗ Synology-SA-21:10 Media Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to access intranet resources via a susceptible version of Media Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_10
∗∗∗ SAP Security Patch Day - March 2021 ∗∗∗
---------------------------------------------
On the 9th of March 2021, SAP Security Patch Day saw the release of 9 Security Notes. There were 4 updates to previously released Patch Day Security Notes.
---------------------------------------------
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107
∗∗∗ Microsoft Exchange attacks: Now Microsoft rushes out a patch for these unsupported Exchange servers, too ∗∗∗
---------------------------------------------
Microsoft provides more patches for critical Exchange vulnerabilities that are being exploited widely on the internet.
---------------------------------------------
https://www.zdnet.com/article/microsoft-exchange-attacks-now-microsoft-rush…
∗∗∗ Squid: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0241
∗∗∗ Red Hat Enterprise Linux: Vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0247
∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring returns potentially sensitive information in headers which could lead to further attacks against the system. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl…
∗∗∗ Security Bulletin: Google Protocol Buffers as used by IBM QRadar SIEM is vulnerable to arbitrary code execution (CVE-2015-5237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-google-protocol-buffers-a…
∗∗∗ Security Bulletin: Information leakage vulnerability affects IBM Business Automation Workflow – CVE-2021-20358 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-leakage-vulne…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4687, CVE-2020-4760, CVE-2020-4704 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in JAVA affect IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Vulnerability in FasterXML Jackson libraries affects IBM Cúram Social Program Management (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fasterxm…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-03-2021 18:30 − Monday 08-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Attacks on Exchange servers – Microsoft provides check script for admins ∗∗∗
---------------------------------------------
Security vulnerabilities in Exchange Server are currently attracting attacks. Microsoft provides a script that administrators can use to check their systems.
---------------------------------------------
https://heise.de/-5073827
∗∗∗ A Basic Timeline of the Exchange Mass-Hack ∗∗∗
---------------------------------------------
Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here's a brief timeline of what we know leading up to last week's mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program.
---------------------------------------------
https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-h…
∗∗∗ Ransomware gang plans to call victims' business partners about attacks ∗∗∗
---------------------------------------------
The REvil ransomware operation announced this week that they are using DDoS attacks and voice calls to journalists and victims' business partners to generate ransom payments.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-cal…
∗∗∗ Spotting the Red Team on VirusTotal!, (Sat, Mar 6th) ∗∗∗
---------------------------------------------
Many security researchers like to use the VirusTotal platform. The provided services are amazing: you can immediately get a clear overview of how dangerous a file is, but... VirusTotal remains a cloud service. It means that, once you have uploaded a file to scan it, you have to consider it "lost" and available to a lot of (good or bad) people!
---------------------------------------------
https://isc.sans.edu/diary/rss/27174
∗∗∗ The January/February 2021 issue of our SWITCH Security Report is available! ∗∗∗
---------------------------------------------
Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Dependency confusion - when trust is too good to be true Water hacking - not a new trendy sport, but [...]
---------------------------------------------
https://securityblog.switch.ch/2021/03/08/the-january-february-2021-issue-o…
∗∗∗ Domain dumpster diving ∗∗∗
---------------------------------------------
By Jaeson Schultz. Dumpster diving - searching through the trash looking for items of value - has long been a staple of hacking culture. In the 1995 movie "Hackers," Acid Burn and Crash Override are seen dumpster diving for information they can use to help them "hack the Gibson." Of course, not all trash is physical garbage located in a dumpster behind an office building. Some trash is virtual.
---------------------------------------------
https://blog.talosintelligence.com/2021/03/domain-dumpster-diving.html
∗∗∗ Bazar Drops the Anchor ∗∗∗
---------------------------------------------
The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage [...]
---------------------------------------------
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical 0-day in The Plus Addons for Elementor Allows Site Takeover ∗∗∗
---------------------------------------------
Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-fo…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (activemq, libcaca, libupnp, mqtt-client, and xcftools), Fedora (ceph, mupdf, nagios, python-PyMuPDF, and zathura-pdf-mupdf), Mageia (cups, kernel, pngcheck, and python-pygments), openSUSE (bind, chromium, gnome-autoar, kernel, mbedtls, nodejs8, and thunderbird), and Red Hat (nodejs:10, nodejs:12, nodejs:14, screen, and virt:8.2 and virt-devel:8.2).
---------------------------------------------
https://lwn.net/Articles/848710/
∗∗∗ Linux kernel vulnerability CVE-2019-18282 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K32380005
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14779, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect TPF Toolkit ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in jackson-databind affects IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server January 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM API Connect's provider org registration flow is vulnerable to impersonation and sensitive information leak (CVE-2020-4903) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-provider…
∗∗∗ Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via Node.js (CVE-2020-8277) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner…
∗∗∗ Security Bulletin: IBM API Connect V10 is impacted by insecure communications during database replication (CVE-2020-4695) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v10-is-im…
∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Java SE. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to an RCE attack (CVE-2020-5014) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-03-2021 18:30 − Friday 05-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Microsoft: Exchange updates can install without fixing vulnerabilities ∗∗∗
---------------------------------------------
Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control (UAC) is enabled.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-exchange-updates-c…
∗∗∗ D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant ∗∗∗
---------------------------------------------
A new variant of the Gafgyt botnet - that's actively targeting vulnerable D-Link and Internet of Things devices - is the first variant of the malware to rely on Tor communications, researchers say.
---------------------------------------------
https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/
∗∗∗ QNAP NAS users, make sure you check your system ∗∗∗
---------------------------------------------
On March 2, 2021, the 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507)[1]. Upon successful attack, the attacker gains root privilege on the device and performs malicious mining activities.
---------------------------------------------
https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/
∗∗∗ Spam Farm Spotted in the Wild, (Fri, Mar 5th) ∗∗∗
---------------------------------------------
If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails.
---------------------------------------------
https://isc.sans.edu/diary/rss/27170
∗∗∗ Fighting Excel malware: AMSI against infected XML code ∗∗∗
---------------------------------------------
Microsoft is expanding its Antimalware Scan Interface (AMSI). In addition to VBA code, it can now also scan XML code.
---------------------------------------------
https://heise.de/-5073364
∗∗∗ QNAPCrypt and SunCrypt Ransomware Connection ∗∗∗
---------------------------------------------
Intezer has published a blog posting that provides an analysis of the connections between the QNAPCrypt and SunCrypt ransomware. SunCrypt is an affiliate ransomware service, while QNAPCrypt surfaced in 2019 and was used to target devices from QNAP and Synology. The analysis concludes that the current SunCrypt ransomware shares many similarities [...]
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/75ee68a919cad9c434c63bfb0e3…
∗∗∗ GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence ∗∗∗
---------------------------------------------
Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM - the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot…
=====================
= Vulnerabilities =
=====================
∗∗∗ Grub 2: Eight new vulnerabilities in the bootloader ∗∗∗
---------------------------------------------
The Grub 2 developers have reported several vulnerabilities. Some of them can once again bypass Secure Boot, which significantly complicates the update process.
---------------------------------------------
https://heise.de/-5073481
∗∗∗ Benchmarking tool VMware View Planner is vulnerable to malicious code ∗∗∗
---------------------------------------------
There is an important security update for VMware View Planner. Under certain conditions, attackers could execute their own commands.
---------------------------------------------
https://heise.de/-5073000
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa).
---------------------------------------------
https://lwn.net/Articles/848416/
∗∗∗ Supermicro, Pulse Secure Respond to Trickbot's Ability to Target Firmware ∗∗∗
---------------------------------------------
Server and storage technology giant Supermicro and secure access solutions provider Pulse Secure have issued advisories to inform users that some of their products are vulnerable to the Trickbot malware’s ability to target firmware.
---------------------------------------------
https://www.securityweek.com/supermicro-pulse-secure-respond-trickbots-abil…
∗∗∗ ICS-CERT Advisories March 04 2021 ∗∗∗
---------------------------------------------
The ICS-CERT has published 2 advisories that affect Rockwell Automation 1734-AENTR Series B and Series C, and Schneider Electric EcoStruxure Building Operation (EBO). Further information is available from the advisories which are summarised below.
https://us-cert.cisa.gov/ics/advisories/icsa-21-063-01
https://us-cert.cisa.gov/ics/advisories/icsa-21-063-02
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/32af714c7074693f32dfa23b263…
∗∗∗ BIND vulnerability CVE-2020-8625 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13591074?utm_source=f5support&utm_mediu…
∗∗∗ Dell integrated Dell Remote Access Controller: Vulnerability allows manipulation of files ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0238
∗∗∗ Security Bulletin: Google-api-client as used by IBM QRadar SIEM is vulnerable to authorization bypass (CVE-2020-7692) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-google-api-client-as-used…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (March 2021) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM StoredIQ for Legal ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-03-2021 18:30 − Thursday 04-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Researcher bitsquats Microsoft's windows.com to steal traffic ∗∗∗
---------------------------------------------
A researcher was able to bitsquat Microsoft's windows.com domain by cybersquatting variations of windows.com. Adversaries can abuse this tactic to conduct automated attacks or collect data due to the nature of bit flipping.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researcher-bitsquats-microso…
∗∗∗ Trojan Spyware and BEC Attacks ∗∗∗
---------------------------------------------
When it comes to an organization’s security, business email compromise (BEC) attacks are a big problem. One primary reason impacts are so significant is that attacks often use a human victim to authorize a fraudulent transaction to bypass existing security controls that would normally be used to prevent fraud. Another reason is that social engineering lures may be expertly crafted by the attacker after they have been monitoring a victim’s activity for some time, resulting in more [...]
---------------------------------------------
https://blog.sucuri.net/2021/03/trojan-spyware-and-bec-attacks.html
∗∗∗ Cybercriminals Finding Ways to Bypass 3D Secure Fraud Prevention System ∗∗∗
---------------------------------------------
Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure (3DS), which is designed to improve the security of online credit and debit card transactions.
---------------------------------------------
https://www.securityweek.com/cybercriminals-finding-ways-bypass-3d-secure-f…
∗∗∗ Deposit cryptocurrency and get double back? FAKE! ∗∗∗
---------------------------------------------
Watchlist Internet and the Internet Ombudsstelle are receiving more and more messages from desperate consumers. They pay large sums in cryptocurrencies such as Bitcoin, Ethereum or Ripple into fraudulent platforms that promise to pay back double or a multiple of the amount. Every deposit is lost and the money cannot be recovered!
---------------------------------------------
https://www.watchlist-internet.at/news/kryptowaehrung-einzahlen-und-das-dop…
=====================
= Vulnerabilities =
=====================
∗∗∗ Windows DNS SIGRed bug gets first public RCE PoC exploit ∗∗∗
---------------------------------------------
A working proof-of-concept (PoC) exploit is now publicly available for the critical SIGRed Windows DNS Server remote code execution (RCE) vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-dns-sigred-bug-gets-…
∗∗∗ D-Link: Update for Wireless Access Point DAP-2020 fixes three vulnerabilities ∗∗∗
---------------------------------------------
An important firmware update closes avenues for unauthenticated attacks from adjacent networks.
---------------------------------------------
https://heise.de/-5071286
∗∗∗ XSA-367 - Linux: netback fails to honor grant mapping errors ∗∗∗
---------------------------------------------
A malicious or buggy networking frontend driver may be able to crash the corresponding backend driver, potentially affecting the entire domain running the backend driver. In a typical (non-disaggregated) system that is a host-wide denial of service (DoS).
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-367.html
∗∗∗ XSA-369 - Linux: special config may crash when trying to map foreign pages ∗∗∗
---------------------------------------------
A Dom0 or driver domain based on a Linux kernel (configured as described above) can be crashed by a malicious guest administrator, or possibly malicious unprivileged guest processes.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-369.html
∗∗∗ Critical Vulnerability Patched in WooCommerce Upload Files ∗∗∗
---------------------------------------------
On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000 installations. Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin. After confirming the [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/03/critical-vulnerability-patched-in-wo…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (389-ds-base, dogtag-pki, freeipa, isync, pki-core, and screen), Mageia (firefox, kernel, kernel-linus, libtiff, nonfree-firmware, and thunderbird), Red Hat (bind and java-1.8.0-ibm), Scientific Linux (grub2), and SUSE (kernel-firmware, openldap2, postgresql12, and python-cryptography).
---------------------------------------------
https://lwn.net/Articles/848223/
∗∗∗ High severity Linux network security holes found, fixed ∗∗∗
---------------------------------------------
This nasty set of bugs can lead to an attacker gaining root access, but the patch is already available.
---------------------------------------------
https://www.zdnet.com/article/linux-network-security-holes-found-fixed/
∗∗∗ Shodan Verified Vulns 2021-03-01 ∗∗∗
---------------------------------------------
Another month has passed and we once again take a look at the vulnerabilities that Shodan sees in Austria. As of 2021-03-01 the picture is as follows: compared to the previous month, almost nothing has changed; only the guest appearance of CVE-2019-19781 a.k.a. "Shitrix" in January seems to be over again. An overview and further links to all "Verified Vulnerabilities" that Shodan has found in Austria can be found [...]
---------------------------------------------
https://cert.at/de/aktuelles/2021/3/shodan-verified-vulns-2021-03-01
∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2021-24122) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise v11 (CVE-2020-7788) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site request forgery vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a systemd vulnerability (CVE-2019-20386) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by libexpat vulnerabilities (CVE-2018-20843, CVE-2019-15903) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by libxslt vulnerabilities (CVE-2019-11068, CVE-2019-18197) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…