Daily January 2021

daily@lists.cert.at

1 participants
19 discussions

Tageszusammenfassung - 15.01.2021
by Daily end-of-shift report 15 Jan '21

15 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-01-2021 18:00 − Freitag 15-01-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ErpresserInnen kennen Ihre persönlichen Daten? Nicht einschüchtern lassen! ∗∗∗ --------------------------------------------- Immer wieder werden uns erpresserische E-Mails gemeldet, in denen persönliche Daten der Betroffenen genannt werden. Aktuell ist eine Erpressungsmail im Umlauf, in der die Kriminellen vorgeben einiges über die EmpfängerInnen zu wissen. Als Beweis geben sie die Adresse und die Telefonnummer an. Auch wenn dieses Wissen verunsichert, sollten Sie sich nicht einschüchtern lassen und die Forderungen der ErpresserInnen ignorieren. --------------------------------------------- https://www.watchlist-internet.at/news/erpresserinnen-kennen-ihre-persoenli… ∗∗∗ Hunting for Bugs in Windows Mini-Filter Drivers ∗∗∗ --------------------------------------------- In December Microsoft fixed 4 issues in Windows in the Cloud Filter and Windows Overlay Filter (WOF) drivers (CVE-2020-17103, CVE-2020-17134, CVE-2020-17136, CVE-2020-17139). These 4 issues were 3 local privilege escalations and a security feature bypass, and they were all present in Windows file system filter drivers. I’ve found a number of issues in filter drivers previously, including 6 in the LUAFV driver which implements UAC file virtualization. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/01/hunting-for-bugs-in-windows-… ∗∗∗ Cyber Security advice for Finance staff ∗∗∗ --------------------------------------------- Working in the finance team at PTP I’m constantly reminded just how little attention is paid to hacking and cyber crime in accounting and finance training and education. When I [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/cyber-security-advice-for-fin… ∗∗∗ Throwback Friday: An Example of Rig Exploit Kit, (Fri, Jan 15th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/26990 ===================== = Vulnerabilities = ===================== ∗∗∗ Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 ∗∗∗ --------------------------------------------- Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/01/14/netlogon-domain-controller-e… ∗∗∗ Apache Releases Security Advisory for Tomcat ∗∗∗ --------------------------------------------- The Apache Software Foundation has released a security advisory to address a vulnerability affecting multiple versions of Apache Tomcat. An attacker could exploit this vulnerability to obtain sensitive information. CISA encourages users and administrators to review the Apache security advisory for CVE-2021-24122 and upgrade to the appropriate version. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/apache-releases-s… ∗∗∗ ZDI-21-068: Panasonic Control FPWIN Pro Project File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Panasonic Control FPWIN Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-068/ ∗∗∗ Mitsubishi Electric Factory Automation Products Path Traversal (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-20-212-03 Mitsubishi Electric Factory Automation Products Path Traversal that was published July 30, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Path Traversal vulnerability in Mitsubishi Electric Factory Automation products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-212-03 ∗∗∗ Mitsubishi Electric Factory Automation Engineering Products (Update B) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the advisory update titled ICSA-20-212-04 Mitsubishi Electric Factory Automation Engineering Products (Update A) that was published November 5, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Unquoted Search Path or Element vulnerability in Mitsubishi Electric Factory Automation Engineering products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04 ∗∗∗ Security Bulletin: Vulnerability in Apache Solr affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: Malicious file upload and download could affect Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-malicious-file-upload-and… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Cross Site Scripting vulnerability in Google Web Toolkit may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2012-5920 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.01.2021
by Daily end-of-shift report 14 Jan '21

14 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-01-2021 18:00 − Donnerstag 14-01-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Big Sur: Apple erlaubt wieder Firewall-Filter für Systemdienste ∗∗∗ --------------------------------------------- In aktuellen MacOS-Versionen hatte Apple seine Systemdienste von Firewall-Regeln ausgenommen. Eine Betaversion macht das nun rückgängig. --------------------------------------------- https://www.golem.de/news/big-sur-apple-erlaubt-wieder-firewall-filter-fuer… ∗∗∗ Sysdig beobachtet einen Shift Left bei Container Security ∗∗∗ --------------------------------------------- Während Docker als Container Runtime an Bedeutung verliert, scannen immer mehr Anwender ihre Images schon früh im Build-Prozess ihrer CI/CD-Pipelines. --------------------------------------------- https://heise.de/-5024624 ∗∗∗ Cisco says it wont patch 74 security bugs in older RV routers that reached EOL ∗∗∗ --------------------------------------------- Cisco advises RV110W, RV130, RV130W, and RV215W device owners to migrate to newer gear. --------------------------------------------- https://www.zdnet.com/article/cisco-says-it-wont-patch-74-security-bugs-in-… ∗∗∗ Telegram-based phishing service Classiscam hits European marketplaces ∗∗∗ --------------------------------------------- Dozens of cybercriminal gangs are publishing fake ads on popular online marketplaces to lure interested users to fraudulent merchant sites or to phishing pages that steal payment data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telegram-based-phishing-serv… ∗∗∗ Windows 10 bug corrupts your hard drive on seeing this files icon ∗∗∗ --------------------------------------------- An unpatched zero-day in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your… ∗∗∗ Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file, (Thu, Jan 14th) ∗∗∗ --------------------------------------------- Recently I had to analyze an Excel malicious file that was caught in the wild, in a real attack. The file was used in a spear phishing attack where a victim was enticed into opening the file with Excel and, of course, enabling macros. --------------------------------------------- https://isc.sans.edu/diary/rss/26986 ∗∗∗ Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments ∗∗∗ --------------------------------------------- CISA is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors used a variety of tactics and techniques, including phishing and brute force logins, to attempt to exploit weaknesses in cloud security practices. In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services which provides technical details and [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/01/13/attackers-exploit… ∗∗∗ Opening “STEELCORGI”: A Sophisticated APT Swiss Army Knife ∗∗∗ --------------------------------------------- This time we decided to dissect and share intelligence information about another piece of the TH-239 arsenal: a tiny and mysterious tool dubbed “STEELCORGI” on FireEye research. This tool was heavily protected using a novel technique able to make things really difficult to any DFIR Team tackling with TH-239 intrusion, but it’s contents reveal huge surprises and unattended capabilities. --------------------------------------------- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss… ∗∗∗ A Global Perspective of the SideWinder APT ∗∗∗ --------------------------------------------- AT&T Alien Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/a-global-perspective-of-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Office January security updates fix remote code execution bugs ∗∗∗ --------------------------------------------- Microsoft addresses important severity remote code execution vulnerabilities affecting multiple Office products in the January 2021 Office security updates released during this months Patch Tuesday. --------------------------------------------- https://www.bleepingcomputer.com/news/security/office-january-security-upda… ∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to cause take control of an affected system. CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/01/14/juniper-networks-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (adplug, audacious-plugins, cpu-x, kernel, kernel-headers, ocp, php, and python-lxml), openSUSE (crmsh, firefox, and hawk2), Oracle (thunderbird), Red Hat (kernel-rt), SUSE (kernel and rubygem-archive-tar-minitar), and Ubuntu (openvswitch and tar). --------------------------------------------- https://lwn.net/Articles/842673/ ∗∗∗ Pepperl+Fuchs IO-Link Master Series 1.36 CSRF / XSS / Command Injection ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021010110 ∗∗∗ OpenSSL vulnerability CVE-2020-1971 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42910051 ∗∗∗ Red Hat Decision Manager: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0037 ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210113-… ∗∗∗ Security Advisory - Insufficient Integrity Check Vulnerability in Huawei Sound X Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210113-… ∗∗∗ Security Advisory - Logic Vulnerability in Huawei Gauss100 Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210113-… ∗∗∗ Security Bulletin: Vulnerability in Python affects IBM Spectrum Protect Plus Microsoft File Systems Agent (CVE-2020-26116) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-python-a… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Security Vulnerabilities in GNU glibc affect IBM Cloud Pak for Data – GNU glibc (CVE-2020-1751) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: PostgreSQL Vulnerability Affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2020-25696) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-5421). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7769) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (CVE-2020-15358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-ident… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities (CVE-2015-9381, CVE-2015-9382) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MaaS360 Mobile Enterprise Gateway has security vulnerabilities (CVE-2019-2044, CVE-2019-2045) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-mobile-enterp… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-11745) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM API Connect V5 Developer Portal is vulnerable to cross-site scripting (CVE-2020-4838) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-develo… ∗∗∗ Security Bulletin: CVE-2020-2601 may affect IBM® SDK, Java™ Technology Edition, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2601-may-affect-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2021
by Daily end-of-shift report 13 Jan '21

13 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-01-2021 18:00 − Mittwoch 13-01-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Hackers steal Mimecast certificate used to encrypt customers’ M365 traffic ∗∗∗ --------------------------------------------- Compromise by "sophisticated threat actor" prompts company to issue new certificate. --------------------------------------------- https://arstechnica.com/?p=1734653 ∗∗∗ MegaCortex Ransomware: The Cyber-Threat Looming Over Corporate Networks ∗∗∗ --------------------------------------------- Cybercriminals only want one thing these days, and that thing is substantial payouts. This is why most hackers focus on big game hunting, directing the vast majority of their efforts towards company networks rather than individual home users. --------------------------------------------- https://heimdalsecurity.com/blog/megacortex-ransomware/ ∗∗∗ Hancitor activity resumes after a hoilday break, (Wed, Jan 13th) ∗∗∗ --------------------------------------------- Campaigns spreading Hancitor malware were active from October through December 2020, but Hancitor went quiet after 2020-12-17. On Tuesday 2021-01-12, criminals started sending malicious spam (malspam) pushing Hancitor again. --------------------------------------------- https://isc.sans.edu/diary/rss/26980 ∗∗∗ Obfuscation Techniques in Ransomweb “Ransomware” ∗∗∗ --------------------------------------------- As vital assets for many business operations, websites and their hosting servers are often the target of ransomware attacks — and if they get taken offline, this can cause major issues for a business’ data, revenue, and ultimately reputation. --------------------------------------------- https://blog.sucuri.net/2021/01/obfuscation-techniques-in-ransomweb-ransomw… ∗∗∗ A Rare Look Inside a Cryptojacking Campaign and its Profit ∗∗∗ --------------------------------------------- This post details an ongoing cryptojacking campaign targeting Linux machines, using exposed Docker API ports as an initial access vector to a victim’s machine. The attacker then installs a Golang binary, which is undetected in VirusTotal at the time of this writing. --------------------------------------------- https://www.intezer.com/blog/research/a-rare-look-inside-a-cryptojacking-ca… ∗∗∗ Ubiquiti breach, and other IoT security problems ∗∗∗ --------------------------------------------- Ubiquiti informed its customers about unauthorized access to its online customer portal. Heres what you need to know. --------------------------------------------- https://blog.malwarebytes.com/iot/2021/01/ubiquiti-breach-and-other-iot-sec… ∗∗∗ Rogue Android RAT Can Take Control of Devices, Steal Data ∗∗∗ --------------------------------------------- A recently discovered Mobile Remote Access Trojan (MRAT) can take control of the infected Android devices and exfiltrate a trove of user data, Check Point security researchers warn. --------------------------------------------- https://www.securityweek.com/rogue-android-rat-can-take-control-devices-ste… ∗∗∗ Google reveals sophisticated Windows and Android hacking operation ∗∗∗ --------------------------------------------- The attackers used a combination of Android, Chrome, and Windows vulnerabilities, including both zero-days and n-days exploits. --------------------------------------------- https://www.zdnet.com/article/google-reveals-sophisticated-windows-android-… ∗∗∗ Vorsicht vor gefälschten Rechnungen von Austria IT, Vicca Security & Online Service Support ∗∗∗ --------------------------------------------- Derzeit werden uns gehäuft betrügerische E-Mails mit gefälschten Rechnungen von „Austria IT“, „Vicca Security“ und „Online Service Support“ gemeldet. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-rechnungen… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft January 2021 Patch Tuesday fixes 83 flaws, 1 zero-day ∗∗∗ --------------------------------------------- With the January 2021 Patch Tuesday security updates release, Microsoft has released fixes for 83 vulnerabilities, with ten classified as Critical and 73 as Important. There is also one zero-day and one previously disclosed vulnerabilities fixed as part of the January 2021 updates. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2021-patc… ∗∗∗ Microsoft fixes Secure Boot bug allowing Windows rootkit installation ∗∗∗ --------------------------------------------- Microsoft has fixed a security feature bypass vulnerability in Secure Boot that allows attackers to compromise the operating systems booting process even when Secure Boot is enabled. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-fixes-secure-boot-… ∗∗∗ Cisco Security Advisories 2021-01-13 ∗∗∗ --------------------------------------------- 0 Critical, 4 High, 19 Medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Sicherheitsupdate: Kritische Schadcode-Lücke in Thunderbird ∗∗∗ --------------------------------------------- Mozilla hat seinen Mail-Client abgesichert. Nutzer sollten schnell updaten. --------------------------------------------- https://heise.de/-5022816 ∗∗∗ Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin ∗∗∗ --------------------------------------------- On November 19, 2020, our Threat Intelligence team responsibly disclosed two vulnerabilities in Orbit Fox by ThemeIsle, a WordPress plugin used by over 400,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2021/01/multiple-vulnerabilities-patched-in-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (coturn, imagemagick, and spice-vdagent), Fedora (roundcubemail and sympa), Gentoo (asterisk and virtualbox), Oracle (kernel and kernel-container), Red Hat (dotnet3.1, dotnet5.0, and thunderbird), SUSE (crmsh, firefox, hawk2, ImageMagick, kernel, libzypp, zypper, nodejs10, nodejs14, openstack-dashboard, release-notes-suse-openstack-cloud, and tcmu-runner), and Ubuntu (coturn). --------------------------------------------- https://lwn.net/Articles/842557/ ∗∗∗ The installer of SKYSEA Client View may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN69635538/ ∗∗∗ Security Bulletin: CVE-2020-1968 vulnerability in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-1968-vulnerabili… ∗∗∗ Local Privilege Escalation in VMware vRealize Automation (vRA) Guest Agent Service ∗∗∗ --------------------------------------------- https://medium.com/@bridge_004/local-privilege-escalation-in-vmware-vrealiz… ∗∗∗ SOOIL Dana Diabecare RS Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01 ∗∗∗ Schneider Electric EcoStruxure Power Build-Rapsody ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-012-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.01.2021
by Daily end-of-shift report 12 Jan '21

12 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Montag 11-01-2021 18:00 − Dienstag 12-01-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Gefälschte Kundeninformation im Namen der bank99 im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche BankkundInnen werden aktuell angeblich von der bank99 per E-Mail aufgefordert, eine App herunterzuladen. Bei Nichtdurchführung droht angeblich eine Bearbeitungsgebühr. Vorsicht: Bei diesem E-Mail handelt es sich um Betrug. Kriminelle geben sich als bank99 aus und versuchen mit dieser E-Mail an Ihre Bankdaten zu kommen. Verschieben Sie es in Ihren Spam-Ordner! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-kundeninformation-im-nam… ∗∗∗ Mac malware uses run-only AppleScripts to evade analysis ∗∗∗ --------------------------------------------- A cryptocurrency mining campaign targeting macOS is using malware that has evolved into a complex variant giving researchers a lot of trouble analyzing it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mac-malware-uses-run-only-ap… ∗∗∗ Microsoft Sysmon now detects malware process tampering attempts ∗∗∗ --------------------------------------------- Microsoft has released Sysmon 13 with a new security feature that detects if a process has been tampered using process hollowing or process herpaderping techniques. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detect… ∗∗∗ Protecting Against Supply Chain Attacks by Profiling Suppliers ∗∗∗ --------------------------------------------- Learn how to better spot supply chain attacks targeting your organization. This blog outlines how defenders can use the techniques and tools they already use to profile suppliers and get ahead of potential threats. --------------------------------------------- https://www.domaintools.com/resources/blog/protecting-against-supply-chain-… ∗∗∗ Stealing Your Private YouTube Videos, One Frame at a Time ∗∗∗ --------------------------------------------- * In the real world you would have to know the ID of the target video. Mass-leaking those would be considered a bug on its own. * Since these are just images, you can’t access audio. * The resolution is very low. (but it’s high enough to see what is happening) --------------------------------------------- https://bugs.xdavidhu.me/google/2021/01/11/stealing-your-private-videos-one… ∗∗∗ Ubiquiti: Change Your Password, Enable 2FA ∗∗∗ --------------------------------------------- Ubiquiti, a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders, security cameras and access control systems, is urging customers to change their passwords and enable multi-factor authentication. The company says an incident at a third-party cloud provider may have exposed customer account information and credentials used to remotely manage Ubiquiti gear. --------------------------------------------- https://krebsonsecurity.com/2021/01/ubiquiti-change-your-password-enable-2f… ∗∗∗ CES 2021: Intel adds ransomware detection capabilities at the silicon level ∗∗∗ --------------------------------------------- Intel 11th Gen Intel Core vPro CPUs with support for the Hardware Shield and TDT features will be able to detect ransomware attacks at the hardware level, many layers below antivirus software. --------------------------------------------- https://www.zdnet.com/article/ces-2021-intel-adds-ransomware-detection-capa… ∗∗∗ Third malware strain discovered in SolarWinds supply chain attack ∗∗∗ --------------------------------------------- CrowdStrike, one of the two security firms formally investigating the hack, sheds some light on how hackers compromised the SolarWinds Orion app build process. --------------------------------------------- https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Photoshop (APSB21-01), Adobe Illustrator (APSB21-02), Adobe Animate (APSB21-03), Adobe Campaign Classic (APSB21-04), Adobe InCopy (APSB21-05), Adobe Captivate (APSB21-06) and Adobe Bridge (APSB21-07). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1960 ∗∗∗ Microsoft Releases Security Updates for Edge ∗∗∗ --------------------------------------------- Microsoft has released a security update to address multiple vulnerabilities in Edge (Chromium-based). An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the latest entry for Microsoft Security Advisory ADV200002 and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/01/11/microsoft-release… ∗∗∗ SAP Releases January 2021 Security Updates ∗∗∗ --------------------------------------------- SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the SAP Security Notes for January 2021 and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/01/12/sap-releases-janu… ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the implementation of the Lua interpreter integrated in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying Linux operating system of an affected device. The vulnerability is due to insufficient restrictions on the allowed Lua function calls within the context of user-supplied Lua scripts. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SSA-139628 V1.0: Vulnerabilities in Web Server for Scalance X Products ∗∗∗ --------------------------------------------- Several SCALANCE X switches contain vulnerabilities in the web server of the affected devices.An unauthenticated attacker could reboot, cause denial-of-service conditions and potentially impact the system by other means through heap and buffer overflow vulnerabilities.Siemens has released updates for several affected products and recommends to update to the latest version(s). Siemens recommends countermeasures where fixes are not currently available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-139628.txt ∗∗∗ SSA-274900 V1.0: Use of hardcoded key in Scalance X devices under certain conditions ∗∗∗ --------------------------------------------- Scalance X devices might not generate a unique random key after factory reset, and use a private key shipped with the firmwareSiemens has released updates for some devices, is working on updates for the remaining affected products and recommends specific countermeasures until fixes are available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-274900.txt ∗∗∗ SSA-622830 V1.0: Multiple Vulnerabilities in JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- JT2Go and Teamcenter Visualization are affected by multiple vulnerabilities that could lead to arbitrary code execution or data extraction on the target host system. Siemens has released updates for both affected products and recommends to update to the latest versions. Siemens is also preparing further updates and recommends specific countermeasures until remaining fixes are available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-622830.txt ∗∗∗ SSA-979834 V1.0: Multiple vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- Solid Edge is affected by multiple vulnerabilities that could allow arbitrary code execution on an affected system. Siemens has released an update for Solid Edge and recommends to update to the latest version. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-979834.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (chromium), Oracle (firefox), Red Hat (kernel), Scientific Linux (firefox), Slackware (sudo), SUSE (firefox, nodejs10, nodejs12, and nodejs14), and Ubuntu (apt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-hwe-5.8, linux-oem-5.6, linux-oracle, linux-oracle-5.4, nvidia-graphics-drivers-390, nvidia-graphics-drivers-450, nvidia-graphics-drivers-460, python-apt, and [...] --------------------------------------------- https://lwn.net/Articles/842382/ ∗∗∗ [20210103] - Core - XSS in com_tags image parameters ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/838-20210103-core-xss-in-c… ∗∗∗ [20210102] - Core - XSS in mod_breadcrumbs aria-label attribute ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/837-20210102-core-xss-in-m… ∗∗∗ [20210101] - Core - com_modules exposes module names ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/836-20210101-core-com-modu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.01.2021
by Daily end-of-shift report 11 Jan '21

11 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-01-2021 18:00 − Montag 11-01-2021 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Bitcoin-Höhenflug spielt betrügerischen Plattformen in die Karten ∗∗∗ --------------------------------------------- Der neuerliche Höhenflug des Bitcoins sorgt für großes mediales Interesse und laufende Berichterstattung. Diese Aufmerksamkeit nützen auch Kriminelle aus. Sie bewerben betrügerische Investitionsplattformen mit erfundenen News-Beiträgen. Vorsicht: Wer in solche Plattformen investiert, verliert das Geld! Schadenssummen in Höhe mehrerer hundertausend Euro sind keine Seltenheit. --------------------------------------------- https://www.watchlist-internet.at/news/bitcoin-hoehenflug-spielt-betruegeri… ∗∗∗ New version of Sysinternals released, Process Hollowing detection added in Sysmon, new registry access detection added to Procmon https://docs.microsoft.com/en-us/sysinternals/, (Mon, Jan 11th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/26972 ∗∗∗ Using the NVD Database and API to Keep Up with Vulnerabilities and Patches - Tool Drop: CVEScan (Part 3 of 3), (Mon, Jan 11th) ∗∗∗ --------------------------------------------- Now with a firm approach to or putting an inventory and using the NVD API (https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+U… and https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+U…), for any client I typically create 4 inventories: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26974 ∗∗∗ Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments ∗∗∗ --------------------------------------------- This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques. This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa21-008a ∗∗∗ How I stole the data in millions of people’s Google accounts ∗∗∗ --------------------------------------------- As many of you may have suspected, this post is not entirely truthful. I have not released this fitness app onto the Play Store, nor have I collected millions of master tokens. ... But yes, these methods do work. I absolutely could release such an app, and so could anyone else (and maybe they have). --------------------------------------------- https://ethanblake4.medium.com/how-i-stole-the-data-in-millions-of-peoples-… ∗∗∗ Free decrypter released for victims of Darkside ransomware ∗∗∗ --------------------------------------------- A new tool released today by Romanian security firm Bitdefender allows victims of the Darkside ransomware to recover their files without paying the ransom demand. --------------------------------------------- https://www.zdnet.com/article/free-decrypter-released-for-victims-of-darksi… ∗∗∗ Trickbot Still Alive and Well ∗∗∗ --------------------------------------------- In October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command infiltrating … Read MoreThe post Trickbot Still Alive and Well appeared first on The DFIR Report. --------------------------------------------- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ ∗∗∗ Shodan Verified Vulns 2020-12-01 ∗∗∗ --------------------------------------------- Auch im Dezember wollen wir einen Blick auf Schwachstellen werfen, die Shodan in Österreich sieht. Die folgende Grafik basiert auf den Daten vom 2020-12-01: Die Daten zeigen abermals kaum Veränderungen zu den Vormonaten: der Rückgang der SSL-Schwachstellen setzt sich grundsätzlich fort, auch wenn die Änderungen erstmals seit wir die Daten erheben (also seit 2020-09) nur im zweistelligen Bereich sind. Einen Überblick über die bisherige Entwicklung bietet der [...] --------------------------------------------- https://cert.at/de/aktuelles/2020/12/shodan-verified-vulns-2020-12 ===================== = Vulnerabilities = ===================== ∗∗∗ Typeform fixes Zendesk Sell form data hijacking vulnerability ∗∗∗ --------------------------------------------- Online survey and form creator Typeform has quietly patched a data hijacking vulnerability in its Zendesk Sell integration. If exploited, the vulnerability could let attacks redirect the form submissions containing potentially sensitive information to themselves. --------------------------------------------- https://www.bleepingcomputer.com/news/security/typeform-fixes-zendesk-sell-… ∗∗∗ QNAP: Command Injection Vulnerability in QTS and QuTS hero ∗∗∗ --------------------------------------------- CVE identifier: CVE-2020-2508 Affected products: All QNAP NAS Summary: A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. --------------------------------------------- https://www.qnap.com/de-de/security-advisory/QSA-21-01 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, and mbedtls), Debian (coturn), Fedora (firefox, flac, and nodejs), Gentoo (ark, chromium, dovecot, firefox, firejail, ipmitool, nodejs, and pillow), Mageia (alpine, c-client, binutils, busybox, cherokee, firefox, golang, guava, imagemagick, libass, openexr, squirrelmail, tomcat, and xrdp), openSUSE (chromium, cobbler, rpmlint, and tomcat), Oracle (kernel), Red Hat (firefox, libpq, and openssl), SUSE (python-defusedxml, [...] --------------------------------------------- https://lwn.net/Articles/842304/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: An Eclipse Jetty Vulnerability Affects IBM Sterling Secure External Authentication Server (CVE-2020-27216) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerab… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Sterling Secure Proxy (CVE-2020-27216) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM DataPower Gateway Java security update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-jav… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2020-4869) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Sterling Secure Proxy (CVE-2020-13920) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.01.2021
by Daily end-of-shift report 08 Jan '21

08 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-01-2021 18:00 − Freitag 08-01-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zwei-Faktor-Authentifizierung: Strahlung verrät Schlüssel von Googles Titan-Token ∗∗∗ --------------------------------------------- Der privaten Schlüssel eines Hardware-Sicherheitstokens von Google lässt sich anhand der Strahlung rekonstruieren. --------------------------------------------- https://www.golem.de/news/zwei-faktor-authentifizierung-strahlung-verraet-s… ∗∗∗ Using the NIST Database and API to Keep Up with Vulnerabilities and Patches - Playing with Code (Part 2 of 3), (Fri, Jan 8th) ∗∗∗ --------------------------------------------- Building on yesterday's story - now that we have an inventory built in CPE format, let's take an example CVE from that and write some code. What's in the NVD database (and API) that you can access, then use in your organization? --------------------------------------------- https://isc.sans.edu/diary/rss/26964 ∗∗∗ Evaluating Cookies to Hide Backdoors ∗∗∗ --------------------------------------------- Identifying website backdoors is not always an easy task. Since a backdoors primary function is to conceal itself while providing unauthorized access, they are often developed using a variety of techniques that can make it challenging to detect. For example, an attacker can inject a single line of code containing less than 130 characters into a website file. While this may not seem like a lot of code, this short string can be used to load PHP web shells on your website [...] --------------------------------------------- https://blog.sucuri.net/2021/01/evaluating-cookies-to-hide-backdoors.html ∗∗∗ Achtung bei der Schnäppchenjagd: Fake-Shop mydealz.live lockt mit Technik-Restposten ∗∗∗ --------------------------------------------- Schnäppchen-JägerInnen aufgepasst: Auf mydealz.live gibt es statt günstigen Angeboten nur teure Abzocke. Viele KonsumentInnen stoßen derzeit auf diese Webseite, da Sie glauben auf der Plattform mydealz.de zu sein. Doch tatsächlich handelt es sich bei mydealz.live um einen Fake-Shop, der günstige Technik-Restposten verspricht, aber nicht liefert. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-bei-der-schnaeppchenjagd-fak… ∗∗∗ A crypto-mining botnet is now stealing Docker and AWS credentials ∗∗∗ --------------------------------------------- After if began stealing AWS credentials last summer, the TeamTNT botnet is now also stealing Docker API logins, making the use of firewalls mandatory for all internet-exposed Docker interfaces. --------------------------------------------- https://www.zdnet.com/article/a-crypto-mining-botnet-is-now-stealing-docker… ===================== = Vulnerabilities = ===================== ∗∗∗ Nvidia Warns Windows Gamers of High-Severity Graphics Driver Flaws ∗∗∗ --------------------------------------------- In all, Nvidia patched flaws tied to 16 CVEs across its graphics drivers and vGPU software, in its first security update of 2021. --------------------------------------------- https://threatpost.com/nvidia-windows-gamers-graphics-driver-flaws/162857/ ∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf Frühwarnsystem FortiDeceptor möglich ∗∗∗ --------------------------------------------- Fortinet hat wichtige Sicherheitspatches für FortiDeceptor, FortiWeb und FortiGate SSL VPN veröffentlicht. --------------------------------------------- https://heise.de/-5018396 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and libxstream-java), Fedora (awstats and dia), Mageia (c-ares, dash, and dovecot), openSUSE (dovecot23, gimp, kitty, and python-notebook), Oracle (kernel), SUSE (python-paramiko and tomcat), and Ubuntu (edk2, firefox, ghostscript, and openjpeg2). --------------------------------------------- https://lwn.net/Articles/842093/ ∗∗∗ Innokas Yhtymä Oy Vital Signs Monitor ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cross-site Scripting, and Improper Neutralization of Special Elements in Output Used by a Downstream Component vulnerabilities in the Innokas Yhtymä Oy Vital Signs Monitor. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-007-01 ∗∗∗ Hitachi ABB Power Grids FOX615 Multiservice-Multiplexer ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Authentication vulnerability in the Hitachi ABB Power Grids FOX615 Multiservice-Multiplexer device. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-007-01 ∗∗∗ Omron CX-One ∗∗∗ --------------------------------------------- This advisory contains mitigations for Untrusted Pointer Dereference, Stack-based Buffer Overflow, and Type Confusion vulnerabilities in Omrons CX-One automation software suite. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-007-02 ∗∗∗ Eaton EASYsoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for Type Confusion, and Out-of-bounds Read vulnerabilities in Eatons EASYsoft controller software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03 ∗∗∗ Delta Electronics CNCSoft-B ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Write, Out-of-bounds Read, Untrusted Pointer Dereference, and Type Confusion vulnerabilities in the Delta Electronics CNCSoft-B software management platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-007-04 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.01.2021
by Daily end-of-shift report 07 Jan '21

07 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-01-2021 18:00 − Donnerstag 07-01-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ l+f: Security-Albtraum SMB im Browser ∗∗∗ --------------------------------------------- Security-Puristen warnten schon lange vor Techniken wie Webassembly und Websockets. Jetzt zeigt ein Hacker, was damit alles geht. --------------------------------------------- https://heise.de/-5005070 ∗∗∗ PayPal‑Nutzer sind Ziel einer neuen SMS‑Phishing‑Kampagne ∗∗∗ --------------------------------------------- Der Betrug beginnt mit einer SMS, die Nutzer vor verdächtigen Aktivitäten auf ihren Konten warnt. --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/01/06/paypal-nutzer-sind-ziel-e… ∗∗∗ Phishing-Nachrichten auf Facebook im Umlauf! ∗∗∗ --------------------------------------------- Derzeit verschicken Kriminelle Nachrichten über den Facebook-Messenger. Darin befindet sich ein Link, der vorgibt zum Werbemanager von Facebook weiterzuleiten. Tatsächlich handelt es sich jedoch, um eine nachgeahmte und betrügerische Seite. Die Kriminellen hoffen darauf, dass Sie Ihre Daten eingeben und so Zugang zu Ihrem Facebook-Konto und zu Ihren Kreditkartendaten erhalten! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-nachrichten-auf-facebook-im… ∗∗∗ Malware using new Ezuri memory loader ∗∗∗ --------------------------------------------- Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-m… ∗∗∗ Babuk Locker is the first new enterprise ransomware of 2021 ∗∗∗ --------------------------------------------- Its a new year, and with it comes a new ransomware called Babuk Locker that targets corporate victims in human-operated attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-ne… ∗∗∗ FBI warns of Egregor ransomware extorting businesses worldwide ∗∗∗ --------------------------------------------- The US Federal Bureau of Investigation (FBI) has sent a security alert warning private sector companies that the Egregor ransomware operation is actively targeting and extorting businesses worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-egregor-ransomw… ∗∗∗ Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident ∗∗∗ --------------------------------------------- DomainTools researchers recently learned of a ransomware campaign targeting multiple entities. The incident highlighted several methods of network and malware analysis that can be used to gain a greater understanding of individual campaigns. --------------------------------------------- https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-rans… ∗∗∗ NSA Urges SysAdmins to Replace Obsolete TLS Protocols ∗∗∗ --------------------------------------------- The NSA released new guidance providing system administrators with the tools to update outdated TLS protocols. --------------------------------------------- https://threatpost.com/nsa-urges-sysadmins-to-replace-obsolete-tls-protocol… ∗∗∗ Bogus CSS Injection Leads to Stolen Credit Card Details ∗∗∗ --------------------------------------------- A client recently reported their customers were receiving antivirus warnings when trying to access and purchase products from a Magento ecommerce website. This is almost always a telltale sign that something is amiss, and so I began my investigation. Malware in Database Tables As is pretty common with Magento credit card swiper investigations, my initial scans came up clean. Attackers are writing new pieces of malware like it’s going out of style, so there are very frequently new [...] --------------------------------------------- https://blog.sucuri.net/2021/01/bogus-css-injection-leads-to-stolen-credit-… ∗∗∗ A Deep Dive into Lokibot Infection Chain ∗∗∗ --------------------------------------------- Lokibot is one of the most well-known information stealers on the malware landscape. In this post, well provide a technical breakdown of one of the latest Lokibot campaigns. Talos also has a new script to unpack the droppers third stage. --------------------------------------------- https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infecti… ∗∗∗ TA551: Email Attack Campaign Switches from Valak to IcedID ∗∗∗ --------------------------------------------- We continue to monitor the email attack campaign TA551, AKA Shathak, which has recently pushed IcedID, a family of information-stealing malware. --------------------------------------------- https://unit42.paloaltonetworks.com/ta551-shathak-icedid/ ∗∗∗ Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020 ∗∗∗ --------------------------------------------- Security firm Recorded Future said it tracked more than 10,000 malware command and control servers last year, used across more than 80 malware families. --------------------------------------------- https://www.zdnet.com/article/cobalt-strike-and-metasploit-accounted-for-a-… ∗∗∗ A DoppelPaymer Ransomware Overview ∗∗∗ --------------------------------------------- Believed to be based on the BitPaymer ransomware, the DoppelPaymer ransomware emerged in 2019. Since then it has been used in number of high profile attacks. Trend Micro Research has published an overview of the DoppelPaymer ransomware. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/7c157bb8989d76730fed733016c… ===================== = Vulnerabilities = ===================== ∗∗∗ Gefährliche Sicherheitslücken in Office-Anwendung TextMaker ∗∗∗ --------------------------------------------- Angreifer könnten TextMaker-Nutzer attackieren. Die Gefahrenstufe gilt als hoch. --------------------------------------------- https://heise.de/-5005181 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Genivia gSOAP ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in various Genivia gSOAP toolkit plugins. These vulnerabilities could allow an attacker to carry out a variety of malicious activities, including causing a denial of service on the victim machine or gaining the ability to execute arbitrary code. The gSOAP toolkit is a C/C++ library for developing XML-based web services. --------------------------------------------- https://blog.talosintelligence.com/2021/01/vuln-spotlight-genivia-gsoap-.ht… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cairo, dovecot, and minidlna), Oracle (ImageMagick), Scientific Linux (ImageMagick), SUSE (clamav, dovecot23, java-1_8_0-ibm, and tomcat), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, [...] --------------------------------------------- https://lwn.net/Articles/841873/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (golang-websocket, nodejs, and pacemaker), Fedora (mingw-binutils and rubygem-em-http-request), and Ubuntu (linux-oem-5.6 and p11-kit). --------------------------------------------- https://lwn.net/Articles/841977/ ∗∗∗ Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks ∗∗∗ --------------------------------------------- Several potentially serious vulnerabilities discovered in Fortinet’s FortiWeb web application firewall (WAF) could expose corporate networks to attacks, according to the researcher who found them. --------------------------------------------- https://www.securityweek.com/vulnerabilities-fortinet-waf-can-expose-corpor… ∗∗∗ ICS-CERT Security Advisories - January 5th, 2021 ∗∗∗ --------------------------------------------- ICS-CERT has released six security advisories addressing vulnerabilities in ICS-related devices and software. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/f9e8dce556fb93fa97530e3e1dd… ∗∗∗ Security Bulletin: Spectrum Discover has addressed multiple security vulnerabilities (CVE-2020-13401, CVE-2019-20372) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-spectrum-discover-has-add… ∗∗∗ Security Bulletin: Stored Cross-Site Scripting Vulnerability Affects IBM Emptoris Sourcing (CVE-2020-4895) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-stored-cross-site-scripti… ∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: Upgrade to IBP v2.5.1 to address recent concerns/issues with Golang versions other than 1.14.12 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-upgrade-to-ibp-v2-5-1-to-… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: Communication between burst buffer processes not properly secured ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-communication-between-bur… ∗∗∗ Security Bulletin: Lucky 13 Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2020-4898) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lucky-13-vulnerability-af… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU minus CVE-2020-14782 affects Liberty for Java for IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Information Disclosure Vulnerability Affects IBM Emptoris Spend Analysis (CVE-2020-4897) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is affected by multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2021
by Daily end-of-shift report 05 Jan '21

05 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Montag 04-01-2021 18:00 − Dienstag 05-01-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ WLAN: Schadsoftware prüft den Standort via Wi-Fi ∗∗∗ --------------------------------------------- Es ist nicht ungewöhnlich, dass eine Malware den Standort des infizierten Rechners überprüft. Dazu wurde bisher jedoch meist die IP-Adresse verwendet. --------------------------------------------- https://www.golem.de/news/wlan-schadsoftware-prueft-den-standort-via-wi-fi-… ∗∗∗ Medizin-IT: BSI-Studie bescheinigt schlechtes Security-Niveau ∗∗∗ --------------------------------------------- Viele Schwachstellen fand das BSI in seinen neuen Studien zur IT-Sicherheit in der Medizin. Penetrationstests oder Sicherheitsevaluierungen fehlten völlig. --------------------------------------------- https://heise.de/-5004126 ∗∗∗ Vorsicht vor WOTOBA.de! ∗∗∗ --------------------------------------------- Das Shoppen online boomt. Doch Vorsicht ist geboten! Viele Angebote online sind zu gut, um wahr zu sein – auch WOTOBA.de. Der Shop wirbt mit heißen Preisen, günstigen Angeboten und großen Rabatten. Kommt die qualitativ minderwertige Bestellung an, dann mit großer Verspätung und womöglich einer Rechnung vom Zollamt. Oft wird die bestellte und bezahlte Ware jedoch nie geliefert. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-wotobade/ ∗∗∗ Cryptocurrency stealer for Windows, macOS, and Linux went undetected for a year ∗∗∗ --------------------------------------------- ElectroRAT was written from scratch and was likely installed by thousands. --------------------------------------------- https://arstechnica.com/?p=1732897 ∗∗∗ Ryuk ransomware is the top threat for the healthcare sector ∗∗∗ --------------------------------------------- Healthcare organizations continue to be a prime target for cyberattacks of all kinds, with ransomware incidents, Ryuk in particular, being more prevalent. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-is-the-top-t… ∗∗∗ Netfox Detective: An Alternative Open-Source Packet Analysis Tool , (Tue, Jan 5th) ∗∗∗ --------------------------------------------- [This is a guest diary by Yee Ching Tok (personal website here (https://poppopretn.com)). Feedback welcome either via comments or our contact page (https://isc.sans.edu/contact.html)] --------------------------------------------- https://isc.sans.edu/diary/rss/26950 ∗∗∗ Hackers Exploiting Recently Disclosed Zyxel Vulnerability ∗∗∗ --------------------------------------------- Security researchers have observed the first attempts to compromise Zyxel devices using a recently disclosed vulnerability related to the existence of hardcoded credentials. --------------------------------------------- https://www.securityweek.com/hackers-start-exploiting-recently-disclosed-zy… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Android unter anderem gegen Remote Code Execution abgesichert ∗∗∗ --------------------------------------------- Die neuesten Sicherheitsupdates für Googles mobiles Betriebssystem Android fixen neben vier kritischen Lücken noch zahlreiche weitere Sicherheitsprobleme. --------------------------------------------- https://heise.de/-5003473 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, poppler, roundcubemail, and rsync), Debian (csync2 and gssproxy), Fedora (grafana, perl-Convert-ASN1, and python-py), openSUSE (privoxy), Oracle (kernel), Red Hat (ImageMagick and kernel), SUSE (ceph, dovecot22, flac, java-1_7_1-ibm, openssh, and python), and Ubuntu (dovecot, horizon, openexr, and python-apt). --------------------------------------------- https://lwn.net/Articles/841792/ ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2021
by Daily end-of-shift report 04 Jan '21

04 Jan '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-12-2020 18:00 − Montag 04-01-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Citrix adds NetScaler ADC setting to block recent DDoS attacks ∗∗∗ --------------------------------------------- Citrix has released a feature enhancement designed to block attackers from using the Datagram Transport Layer Security (DTLS) feature of NetScaler ADC devices as an amplification vector in DDoS attacks. [...] https://support.citrix.com/article/CTX289674 --------------------------------------------- https://www.bleepingcomputer.com/news/security/citrix-adds-netscaler-adc-se… ∗∗∗ Malware: Wurm macht Windows- und Linux-Server zu Monero-Minern ∗∗∗ --------------------------------------------- Die Schadsoftware nutzt offene Ports von Diensten wie MySQL aus und setzt darauf, dass sie mit schwachen Passwörtern gesichert sind. --------------------------------------------- https://www.golem.de/news/malware-wurm-macht-windows-und-linux-server-zu-mo… ∗∗∗ From a small BAT file to Mass Logger infostealer, (Mon, Jan 4th) ∗∗∗ --------------------------------------------- Since another year went by, Ive decided to once again check all of the malicious files, which were caught in my e-mail quarantine during its course. Last year, when I went through the batch of files from 2019, I found couple of very large samples[1] and I wanted to see whether Iɽ find something similar in the 2020 batch. --------------------------------------------- https://isc.sans.edu/diary/rss/26946 ∗∗∗ Cyber-Attacke über SolarWinds: Angreifer hatten Zugriff auf Microsoft-Quellcode ∗∗∗ --------------------------------------------- Microsoft hat eingeräumt, dass die Angreifer im Fall SolarWinds sehr tief in die konzerninternen Netzwerke eingedrungen und bis zum Quellcode gelangt sind. --------------------------------------------- https://heise.de/-5001678 ∗∗∗ IntelOwl 2.0: Freies Tool für Threat-Intelligence-Analysen ∗∗∗ --------------------------------------------- In der neuen Major Release 2.0 erhält das Threat-Intelligence-Werkzeug IntelOwl mehrere neue Analysatoren. Das Tool erscheint als Open-Source-Software. --------------------------------------------- https://heise.de/-5002685 ===================== = Vulnerabilities = ===================== ∗∗∗ Zend Framework remote code execution vulnerability revealed ∗∗∗ --------------------------------------------- An untrusted deserialization vulnerability has been disclosed in Zend Framework which can be used by attackers to achieve remote code execution on PHP sites. Portions of Laminas Project may also be impacted by this flaw, tracked as CVE-2021-3007. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zend-framework-remote-code-e… ∗∗∗ Zyxel hat Backdoor in Firewalls einprogrammiert ∗∗∗ --------------------------------------------- Zyxel Networks hat in Firewalls und Access-Point-Controller Hintertüren eingebaut und das Passwort verraten. Für die Firewalls gibt es ein Update. --------------------------------------------- https://heise.de/-5002067 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, openjpeg2, openssl, qemu, tensorflow, and thunderbird) and Debian (highlight.js). --------------------------------------------- https://lwn.net/Articles/841498/ ∗∗∗ Security updates for the start of 2021 ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxstream-java and p11-kit), Mageia (curl and minidlna), and openSUSE (groovy). --------------------------------------------- https://lwn.net/Articles/841544/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, dovecot, flac, influxdb, libhibernate3-java, and p11-kit), Fedora (ceph and guacamole-server), Mageia (audacity, gdm, libxml2, rawtherapee, and vlc), openSUSE (jetty-minimal and privoxy), Red Hat (kernel and kernel-rt), SUSE (gimp), and Ubuntu (libproxy). --------------------------------------------- https://lwn.net/Articles/841653/ ∗∗∗ Security Advisory - Out-of-Bounds Read Vulnerability in Huawei CloudEngine Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201230-… ∗∗∗ Apache Tomcat vulnerability CVE-2020-17527 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44415301 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily January 2021