Daily November 2021

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 16.11.2021
by Daily end-of-shift report 16 Nov '21

16 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 15-11-2021 18:00 − Dienstag 16-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Malware: Emotet ist zurück ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine neue Variante von Emotet entdeckt. Noch wird der Schädling von einer anderen Malware nachgeladen. --------------------------------------------- https://www.golem.de/news/malware-emotet-ist-zurueck-2111-161124-rss.html ∗∗∗ Windows Sonder-Updates gegen DC-Authentifizierungsprobleme und Druckprobleme ∗∗∗ --------------------------------------------- Die Sicherheitsupdates vom November für Windows verursachen teils Authentifizierungsprobleme bei Domain Controllern sowie Druckprobleme. Microsoft patcht nach. --------------------------------------------- https://heise.de/-6267784 ∗∗∗ Fake Ransomware Infection Spooks Website Owners ∗∗∗ --------------------------------------------- Starting this past Friday we have seen a number of websites showing a fake ransomware infection. Google search results for “FOR RESTORE SEND 0.1 BITCOIN” were sitting at 6 last week and increased to 291 at the time of writing this. --------------------------------------------- https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-ow… ∗∗∗ GitHub Confirms Another Major NPM Security Defect ∗∗∗ --------------------------------------------- Microsoft-owned GitHub is again flagging major security problems in the npm registry, warning that a pair of newly discovered vulnerabilities continue to expose the soft underbelly of the open-source software supply chain. --------------------------------------------- https://www.securityweek.com/github-confirms-another-major-npm-security-def… ∗∗∗ Black Friday: Vorsicht vor Fake-Angeboten ∗∗∗ --------------------------------------------- Am 26. November 2021 ist Black Friday. Und darauf folgt am 29. November schon der Cyber Monday - für Schnäppchenjäger wahre Shopping-Feiertage. Wir raten aber zur Vorsicht: Nicht nur seriöse Anbieter locken mit günstigen Preisen und Rabatten, auch Fake-Shops werben mit Black Friday Angeboten. --------------------------------------------- https://www.watchlist-internet.at/news/black-friday-vorsicht-vor-fake-angeb… ∗∗∗ An update on the state of the NIS2 draft ∗∗∗ --------------------------------------------- This is a TLP:WHITE summary of my presentation at the 15th CSIRTs Network meeting in Ljubljana on November 11th. This is not a complete review of the current state of the NIS2 discussions. --------------------------------------------- https://cert.at/en/blog/2021/11/an-update-on-the-state-of-the-nis2-draft ∗∗∗ New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks ∗∗∗ --------------------------------------------- [...] today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/16/new-federal-gover… ∗∗∗ A new Android banking trojan named SharkBot is makings its presence felt ∗∗∗ --------------------------------------------- Security researchers have discovered a new Android banking trojan capable of hijacking users smartphones and emptying out e-banking and cryptocurrency accounts. --------------------------------------------- https://therecord.media/a-new-android-banking-trojan-named-sharkbot-is-maki… ∗∗∗ New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk ∗∗∗ --------------------------------------------- Research between Intezer and Checkmarx describes ChainJacking, a type of software supply chain attack that could be potentially exploited by threat actors and puts common admin tools at risk. We have identified a number of open-source Go packages that are susceptible to ChainJacking given that some of these vulnerable packages are embedded in popular admin [...] --------------------------------------------- https://www.intezer.com/blog/malware-analysis/chainjacking-supply-chain-att… ∗∗∗ Kernel Karnage – Part 3 (Challenge Accepted) ∗∗∗ --------------------------------------------- [...] The past weeks I mostly experimented with existing tooling and got acquainted with the basics of kernel driver development. I managed to get a quick win versus $vendor1 but that didn’t impress our blue team, so I received a challenge to bypass $vendor2. I have to admit, after trying all week to get around the protections, $vendor2 is definitely a bigger beast to tame. --------------------------------------------- https://blog.nviso.eu/2021/11/16/kernel-karnage-part-3-challenge-accepted/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxml-security-java), Fedora (botan2), openSUSE (drbd-utils, kernel, and samba), Red Hat (kernel and webkit2gtk3), SUSE (drbd-utils and samba), and Ubuntu (vim). --------------------------------------------- https://lwn.net/Articles/876227/ ∗∗∗ Synology-SA-21:28 Mail Station ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Mail Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_28 ∗∗∗ AMD Windows 10-Grafiktreiber mit Schwachstellen (Nov. 2021) ∗∗∗ --------------------------------------------- Nutzer mit AMD-Grafikkarten und Windows 10 sollten sich mit dem Thema Aktualisierung von AMD-Grafiktreibern befassten. Der Hersteller hat eingestanden, dass seine Windows 10-Grafiktreiber zahlreiche Sicherheitslücken aufweisen. Einige Schwachstellen (z.B. im Grafiktreiber) werden als sicherheitstechnisch Hoch eingestuft. --------------------------------------------- https://www.borncity.com/blog/2021/11/16/amd-windows-10-treiber-mit-schwach… ∗∗∗ WAGO: Denial of Service Vulnerability in CODESYS Runtime 2.3 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-049/ ∗∗∗ WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack. ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-050/ ∗∗∗ WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 and WebVisualisation ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-056/ ∗∗∗ Grafana: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1205 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1207 ∗∗∗ ZDI-21-1312: Open Design Alliance (ODA) ODAViewer DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1312/ ∗∗∗ ZDI-21-1311: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1311/ ∗∗∗ ZDI-21-1310: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1310/ ∗∗∗ Security Bulletin: A vulnerability in filesystem audit logging affects IBM Spectrum Scale. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-filesy… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse Jetty (CVE-2021-28165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-mq-for-hp-n… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse (CVE-2020-27225) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM MQ can inadvertently display cleartext credentials via diagnostic logs (CVE-2021-38949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-can-inadvertently-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2021
by Daily end-of-shift report 15 Nov '21

15 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-11-2021 18:00 − Montag 15-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ PSA: Apple isn’t actually patching all the security holes in older versions of macOS ∗∗∗ --------------------------------------------- Big Sur got a fix 234 days before Catalina did, although both are supported. --------------------------------------------- https://arstechnica.com/?p=1812611 ∗∗∗ FTC shares ransomware defense tips for small US businesses ∗∗∗ --------------------------------------------- The US Federal Trade Commission (FTC) has shared guidance for small businesses on how to secure their networks from ransomware attacks by blocking threat actors attempts to exploit vulnerabilities using social engineering or exploits targeting technology. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ftc-shares-ransomware-defens… ∗∗∗ Video: Obfuscated Maldoc: Reversed BASE64, (Sun, Nov 14th) ∗∗∗ --------------------------------------------- I made a video of the maldoc analysis I explained in yesterday's diary entry "Obfuscated Maldoc: Reversed BASE64". --------------------------------------------- https://isc.sans.edu/diary/rss/28032 ∗∗∗ Changing your AD Password Using the Clipboard - Not as Easy as Youd Think!, (Mon, Nov 15th) ∗∗∗ --------------------------------------------- Let me know if this scenario is familiar? [...] Microsoft won't allow you to paste a password into their GUI "password change". Apparantly Microsoft wants us to continue to use passwords like "Passw0rd1!" and "Winter2021!" forever, until all AD domains are "passwordless" --------------------------------------------- https://isc.sans.edu/diary/rss/28036 ∗∗∗ Microsoft Out of Band Update Resolves Kerberos Issue, (Mon, Nov 15th) ∗∗∗ --------------------------------------------- Since Patch Tuesday, we've been tracking a Kerboros issue in November's patch bundle that affected authentication in several deployment scenarios: [...] This was fixed out of band yesterday (November 14, 2021). If you have applied November's update and are affected, you'll want to apply the "November-take-two" update on any affected servers. --------------------------------------------- https://isc.sans.edu/diary/rss/28040 ∗∗∗ Exploiting CSP in Webkit to Break Authentication & Authorization ∗∗∗ --------------------------------------------- [...] Long story short, there was a vulnerability that we reported to Safari that Apple didn’t consider severe enough to fix quickly which then after waiting for a significant amount of time, we decided to exploit and earn some bounties by reporting them to bug bounty programs. --------------------------------------------- https://threatnix.io/blog/exploiting-csp-in-webkit-to-break-authentication-… ∗∗∗ E-Mail-Server des FBI gehackt - für Fake-Warnungen über Cyber-Angriffe genutzt ∗∗∗ --------------------------------------------- Cyberkriminelle haben einen E-Mail-Server des FBI gekapert. Anschließend verschickten sie über 100.000 Spam-Mails mit einer Warnung vor einem Cyberangriff. --------------------------------------------- https://heise.de/-6266349 ∗∗∗ POC2021 – Pwning the Windows 10 Kernel with NFTS and WNF Slides ∗∗∗ --------------------------------------------- Alex Plaskett presented “Pwning the Windows 10 Kernel with NTFS and WNF” at Power Of Community (POC) on the 11th of November 2021. The abstract of the talk is as follows: A local privilege escalation vulnerability (CVE-2021-31956) 0day was identified as being exploited in the wild by Kaspersky. At the time it affected a broad [...] --------------------------------------------- https://research.nccgroup.com/2021/11/15/poc2021-pwning-the-windows-10-kern… ∗∗∗ Exchange Exploit Leads to Domain Wide Ransomware ∗∗∗ --------------------------------------------- In late September, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. ProxyShell is a name given to [...] --------------------------------------------- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-… ∗∗∗ AutoPoC - Validating the Lack of Validation in PoCs ∗∗∗ --------------------------------------------- HoneyPoC was a project to look at how popular CVE PoCs could be. AutoPoC took that concept and enabled the mass creation of disinformation. Also, Data is beautiful. --------------------------------------------- https://blog.zsec.uk/honeypoc-ultimate/ ∗∗∗ AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits ∗∗∗ --------------------------------------------- AT&T Alien Labs™ has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg and tomcat9), Fedora (et and kernel), openSUSE (binutils, rubygem-activerecord-5_1, samba, and tinyxml), Oracle (freerdp and httpd:2.4), Red Hat (devtoolset-11-gcc, gcc-toolset-10-binutils, kernel, kernel-rt, and kpatch-patch), and Scientific Linux (freerdp). --------------------------------------------- https://lwn.net/Articles/876135/ ∗∗∗ Security Bulletin: Use of a one way hash without a salt in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38979) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-use-of-a-one-way-hash-wit… ∗∗∗ Security Bulletin: Hazardous Input Validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38972) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Password stored in cleartext in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-password-stored-in-cleart… ∗∗∗ Security Bulletin: Missing http strict transport security header in in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38978) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-missing-http-strict-trans… ∗∗∗ Security Bulletin: Cross-Site scripting in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38982) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-in-i… ∗∗∗ Security Bulletin: Missing cookie secure attribute in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38977) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-missing-cookie-secure-att… ∗∗∗ Security Bulletin: Hazardous input validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38985) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Inadequate encryption strength in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38983) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-encryption-str… ∗∗∗ Security Bulletin: Using components with known vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-using-components-with-kno… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-32803) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Denial of service in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38974) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-in-ibm-… ∗∗∗ Security Bulletin: Hazardous input validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38973) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Information exposure in IBM Security Guardium Key Lifecycle Manager 4.1.1 (CVE-2021-38975) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-exposure-in-i… ∗∗∗ Security Bulletin: Inadequate encryption strength in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38984) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-encryption-str… ∗∗∗ Security Bulletin: Application error in IBM Security Guardium Key Lifecycle Manager 4.1.1 (CVE-2021-38981) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-application-error-in-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.11.2021
by Daily end-of-shift report 12 Nov '21

12 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-11-2021 18:00 − Freitag 12-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zoom dichtet Sicherheitslücken in mehreren Produkten und Clients ab ∗∗∗ --------------------------------------------- In einigen Produkten des Webkonferenz-Anbieters Zoom hat der Hersteller Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-6265648 ∗∗∗ Kriminelle versenden betrügerische Mails im Namen der Post! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche LeserInnen ein betrügerisches E-Mail, das im Namen der Post verschickt wird. Darin behaupten die Kriminellen, dass für eine Bestellung zusätzliche Einfuhrgebühren notwendig seien. Auch wenn Sie gerade auf ein Paket warten, sollten Sie bei solchen E-Mails skeptisch sein. In diesem Fall versuchen die BetrügerInnen an Ihr Geld zu kommen! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versenden-betruegerische-… ∗∗∗ HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks ∗∗∗ --------------------------------------------- HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-hi… ∗∗∗ Malware uses namesilo Parking pages and Googles custom pages to spread ∗∗∗ --------------------------------------------- Recently, we found a suspicious GoELFsample, which is a downloder mainly to spread mining malwares. The interesting part is that we noticed it using namesilos Parking page and Googles user-defined page to spread the sample and configuration. Apparently this is yet another attempt to hide control channel to avoid [...] --------------------------------------------- https://blog.netlab.360.com/zhatuniubility-malware-uses-namesilo-parking-pa… ∗∗∗ Murder-for-hire, money laundering, and more: How organised criminals work online ∗∗∗ --------------------------------------------- Europol has released an extensive report into serious and organized crime, including how these groups use the internet to aid in their criminal behaviour. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/11/murder-for-hire-money-launder… ∗∗∗ “We wait, because we know you.” Inside the ransomware negotiation economics. ∗∗∗ --------------------------------------------- Organizations worldwide continue to face waves of digital extortion in the form of targeted ransomware. Digital extortion is now classified as the most prominent form of cybercrime and the most devastating and pervasive threat to functioning [...] --------------------------------------------- https://research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside… ∗∗∗ Researcher Shows Windows Flaw More Serious After Microsoft Releases Incomplete Patch ∗∗∗ --------------------------------------------- A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed. --------------------------------------------- https://www.securityweek.com/researcher-shows-windows-flaw-more-serious-aft… ∗∗∗ When the alarms go off: 10 key steps to take after a data breach ∗∗∗ --------------------------------------------- It’s often said that data breaches are no longer a matter of ‘if’, but ‘when’ – here’s what your organization should do, and avoid doing, in the case of a security breach --------------------------------------------- https://www.welivesecurity.com/2021/11/11/alarms-go-off-10-steps-take-data-… ∗∗∗ Network Code on Cybersecurity is out for public consultation ∗∗∗ --------------------------------------------- The draft for the Network Code for cybersecurity aspects of cross-border electricity flows has been released today for public consultation. ENCS has collaborated on the writing of the Network Code as part of the drafting team. During the public consultation period, stakeholders within the energy sector have the opportunity of sharing their views on the [...] --------------------------------------------- https://encs.eu/news/network-code-on-cybersecurity-is-out-for-public-consul… ∗∗∗ Number of Malicious Shopping Websites Jumps 178% ahead of November e-Shopping Holidays, Breaking Records ∗∗∗ --------------------------------------------- Highlights: Check Point Research (CPR) spots over 5300 different malicious websites per week, marking the highest since the beginning of 2021 Numbers show a 178% increase compared to 2021 so far 1 out of 38 corporate networks are being impacted on average per week in November, compared to 1 in 47 in October, and [...] --------------------------------------------- https://blog.checkpoint.com/2021/11/12/number-of-malicious-shopping-website… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 15 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284) ∗∗∗ --------------------------------------------- Victure’s WR1200 WiFi router, also sometimes referred to as AC1200, was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete overtake of the device. Three vulnerabilities were uncovered, with links to the associated technical advisories below: [...] --------------------------------------------- https://research.nccgroup.com/2021/11/12/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-tar, postgresql-11, postgresql-13, and postgresql-9.6), Fedora (autotrace, botan2, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, pfstools, php-pecl-imagick, psiconv, q, R-magick, radeontop, rss-glx, rubygem-rmagick, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, and WindowMaker), Mageia (kernel, kernel-linus, and openafs), openSUSE (kernel), Red Hat (freerdp), SUSE (bind and kernel), [...] --------------------------------------------- https://lwn.net/Articles/875931/ ∗∗∗ WECON PLC Editor ∗∗∗ --------------------------------------------- This advisory contains mitigation for Stack-based Buffer Overflow, and Out-of-bounds Write vulnerabilities in WECON PLC Editor ladder logic software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-315-01 ∗∗∗ Multiple Data Distribution Service (DDS) Implementations ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in Multiple Data Distribution Service (DDS) Implementations developed by a number of different vendors. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-315-02 ∗∗∗ VMware Releases Security Update for Tanzu Application Service for VMs ∗∗∗ --------------------------------------------- VMware has released a security update to address a vulnerability in Tanzu Application Service for VMs. A remote attacker could exploit this vulnerability to cause a denial-of-service condition. CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0026 and apply the necessary update. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/12/vmware-releases-s… ∗∗∗ SYSS-2021-057: Open Redirect durch HTML Injection in Cryptshare ∗∗∗ --------------------------------------------- Im Cryptshare-Server besteht eine Schwachstelle. Sie erlaubt Angreifenden, die Empfänger einer manipulierten Nachricht auf beliebige Seiten weiterzuleiten. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-057-open-redirect-durch-html-inj… ∗∗∗ Unlimited Sitemap Generator vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN58407606/ ∗∗∗ PostgreSQL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1201 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1198 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2021
by Daily end-of-shift report 11 Nov '21

11 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-11-2021 18:00 − Donnerstag 11-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more! ∗∗∗ --------------------------------------------- The crooks have shown that the'yre willing to learn and adapt their attacks, so we need to make sure we learn and adapt, too. --------------------------------------------- https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/ ∗∗∗ Understanding .htaccess Malware ∗∗∗ --------------------------------------------- The .htaccess file is notorious for being targeted by attackers. Whether it’s using the file to hide malware, redirect search engines to other sites with blackhat SEO tactics, hide backdoors, inject content, modify php.ini values; the possibilities are endless. Many site owners are unaware of this file, due to it starting with a “.” making it a hidden file. .htaccess malware can be hard to pinpoint and clean on a server [...] --------------------------------------------- https://blog.sucuri.net/2021/11/understanding-htaccess-malware.html ∗∗∗ A Detailed Analysis of Lazarus’ RAT Called FALLCHILL ∗∗∗ --------------------------------------------- FALLCHILL is a RAT that has been used by Lazarus Group since 2016. It implements a custom algorithm that is used to decode multiple DLL names and export functions, which will be imported at runtime. --------------------------------------------- https://lifars.com/knowledge-center/a-detailed-analysis-of-lazarus-rat-call… ∗∗∗ The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. ∗∗∗ --------------------------------------------- Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way...The post The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. appeared first on McAfee Blogs. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-a… ∗∗∗ ClusterFuzzLite: Continuous fuzzing for all ∗∗∗ --------------------------------------------- Posted by Jonathan Metzman, Google Open Source Security TeamIn recent years, continuous fuzzing has become an essential part of the software development lifecycle. By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip through the most thorough manual checks and provides coverage that would take staggering human effort to replicate. NIST’s guidelines for software verification, recently released in response to the White House Executive Order on --------------------------------------------- http://security.googleblog.com/2021/11/clusterfuzzlite-continuous-fuzzing-f… ∗∗∗ HändlerInnen aufgepasst: BetrügerInnen geben Fake-Bestellungen im Namen von ATOS auf ∗∗∗ --------------------------------------------- Kriminelle geben sich derzeit als das Unternehmen ATOS aus und bekunden per Mail Interesse an einer Großbestellung. Für die betroffenen HändlerInnen mag das nach einem schnellen und leichten Geschäft klingen, doch tatsächlich hat die seriöse Firma ATOS nichts mit dieser Bestellung am Hut. Stattdessen würden Sie ihre Produkte an Kriminelle versenden, Geld dafür erhalten Sie nicht. --------------------------------------------- https://www.watchlist-internet.at/news/haendlerinnen-aufgepasst-betruegerin… ∗∗∗ Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications ∗∗∗ --------------------------------------------- [...] In simple terms, capability abstraction provides a way to describe how a given attack technique interacts with the internal components of a targeted system. The abstraction map that this process produces helps us to understand the common denominator between distinct implementations of the same technique. --------------------------------------------- https://posts.specterops.io/capability-abstraction-case-study-detecting-mal… ∗∗∗ A Peek into Top-Level Domains and Cybercrime ∗∗∗ --------------------------------------------- We analyze which top-level domains (TLDs) have the highest rate of malicious domains and why, and suggest strategies for blocking malicious domains. --------------------------------------------- https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/ ∗∗∗ BazarBackdoor now abuses Windows 10 apps feature in call me back attack ∗∗∗ --------------------------------------------- AppInstaller.exe has been twisted in a new form of phishing attack. --------------------------------------------- https://www.zdnet.com/article/bazarloader-now-abuses-windows-10-apps-featur… ∗∗∗ October 2021’s Most Wanted Malware: Trickbot Takes Top Spot for Fifth Time ∗∗∗ --------------------------------------------- Check Point Research reveals that Trickbot is the most prevalent malware and a new vulnerability in Apache is one of the most exploited vulnerabilities worldwide. --------------------------------------------- https://blog.checkpoint.com/2021/11/11/october-2021s-most-wanted-malware-tr… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1303: NETGEAR R6400v2 UPnP uuid Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1303/ ∗∗∗ Wordpress-Plug-in WP Reset Pro fixt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- In WP Reset Pro klaffte eine Sicherheitslücke, durch die angemeldete Nutzer auch ohne entsprechende Rechte ganze Wordpress-Webauftritte löschen konnten. --------------------------------------------- https://heise.de/-6264564 ∗∗∗ Sicherheitsupdate: Kritische Root-Lücke bedroht Firewalls von Palo Alto ∗∗∗ --------------------------------------------- Sind bestimmte Einstellungen aktiviert und Voraussetzungen gegeben, könnten Angreifer Palo-Alto-Firewalls attackieren. --------------------------------------------- https://heise.de/-6264656 ∗∗∗ Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin ∗∗∗ --------------------------------------------- On October 4, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for the Starter Templates plugin, which is installed on over 1 Million WordPress websites. The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates” [...] --------------------------------------------- https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vul… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (icinga2, libxstream-java, ruby-kaminari, and salt), Fedora (awscli, cacti, cacti-spine, python-boto3, python-botocore, radeontop, and rust), Mageia (firefox, libesmtp, libzapojit, sssd, and thunderbird), openSUSE (samba and samba and ldb), SUSE (firefox, pcre, qemu, samba, and samba and ldb), and Ubuntu (firejail, linux-bluefield, linux-gke-5.4, linux-oracle, linux-oracle-5.4, linux-oem-5.10, linux-oem-5.14, and python-py). --------------------------------------------- https://lwn.net/Articles/875813/ ∗∗∗ iCloud for Windows 13 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212953 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by Cross-Site Scripting (CVE-2020-4140) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by vulnerability CVE-2020-4146 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ VMSA-2021-0026 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0026.html ∗∗∗ NGINX Ingress Controller vulnerability CVE-2021-23055 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01051452?utm_source=f5support&utm_mediu… ∗∗∗ Micropatching Incompletely Patched Local Privilege Escalation in User Profile Service (CVE-2021-34484) ∗∗∗ --------------------------------------------- https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html ∗∗∗ Stack Buffer Overflow Vulnerability in Multimedia Console ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-45 ∗∗∗ Reflected XSS Vulnerability in QmailAgent ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-47 ∗∗∗ TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders ∗∗∗ --------------------------------------------- https://www.circl.lu/pub/tr-64 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2021
by Daily end-of-shift report 10 Nov '21

10 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-11-2021 18:00 − Mittwoch 10-11-2021 18:00 Handler: Stephan Richter Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Researcher Details Vulnerabilities Found in AWS API Gateway ∗∗∗ --------------------------------------------- AWS fixed the security flaws that left the API service at risk of so-called HTTP header-smuggling attacks, says the researcher who discovered them. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/researcher-details-vuln… ∗∗∗ Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog ∗∗∗ --------------------------------------------- Using static and dynamic techniques, Claroty’s Team82 and JFrog discovered 14 vulnerabilities affecting the latest version of BusyBox. All vulnerabilities were privately disclosed and fixed by BusyBox in version 1.34.0. --------------------------------------------- https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by… ∗∗∗ Patchday: Microsoft warnt vor Attacken auf Excel und Exchange ∗∗∗ --------------------------------------------- Abermals haben es Angreifer Exchange Server abgesehen. Außerdem gibt es wichtige Sicherheitsupdates für Azure, Office, Windows & Co. --------------------------------------------- https://heise.de/-6263036 ∗∗∗ Patchday: SAP schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Am Patch-Tuesday hat auch SAP Aktualisierungen für seine Produkte veröffentlicht. Ein Fix behandelt eine kritische Lücke im ABAP Platform Kernel. --------------------------------------------- https://heise.de/-6263099 ∗∗∗ Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton ∗∗∗ --------------------------------------------- Today, we’re disclosing another 10 vulnerabilities in Azure Sphere — two of which are on the Linux side, seven that exist in Security Monitor and one in the Pluton security subsystem. --------------------------------------------- https://blog.talosintelligence.com/2021/11/cisco-talos-finds-10-vulnerabili… ∗∗∗ Achtung: Momentan kursieren zahlreiche E-Mails mit Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden momentan gefälschte E-Mails im Namen von Electrolux, Weitzer Parkett Vertriebs GmbH und der TU Wien. Wer ein komisches E-Mail mit der Aufforderung einen Anhang zu öffnen erhält, sollte besonders vorsichtig sein. Im Anhang befindet sich Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-momentan-kursieren-zahlreich… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD Server Vulnerabilities – November 2021 ∗∗∗ --------------------------------------------- During security reviews in collaboration with Google, Microsoft, and Oracle, potential vulnerabilities in the AMD Platform Security Processor (PSP), AMD System Management Unit (SMU), AMD Secure Encrypted Virtualization (SEV) and other platform components were discovered and have been mitigated in AMD EPYC™ AGESA™ PI packages. --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1021 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Cloud Pak for Multicloud Management Infrastructure Management, Cloud Pak for Multicloud Management Managed Services, Rational Business Developer, InfoSphere Information Server --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Open Design Alliance (ODA) Security Advisories ∗∗∗ --------------------------------------------- ODA PRC SDK, Drawings SDK, ODA Viewer --------------------------------------------- https://www.opendesign.com/security-advisories ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-8 and samba), Fedora (community-mysql, firefox, and vim), openSUSE (binutils, kernel, and tinyxml), Red Hat (annobin, autotrace, babel, bind, binutils, bluez, compat-exiv2-026, container-tools:2.0, container-tools:3.0, container-tools:rhel8, cups, curl, dnf, dnsmasq, edk2, exiv2, file, file-roller, firefox, gcc, gcc-toolset-10-annobin, gcc-toolset-10-binutils, gcc-toolset-10-gcc, gcc-toolset-11-annobin, gcc-toolset-11-binutils,[...] --------------------------------------------- https://lwn.net/Articles/875708/ ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/adobe-releases-se… ∗∗∗ BSRT-2021-003 Vulnerabilities Impact BlackBerry Protect for Windows ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ ZDI-21-1302: Ivanti Avalanche EnterpriseServer Service SQL Injection Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1302/ ∗∗∗ ZDI-21-1301: Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1301/ ∗∗∗ ZDI-21-1300: Ivanti Avalanche User Management Improper Authentication Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1300/ ∗∗∗ ZDI-21-1299: Ivanti Avalanche Filestore Management Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1299/ ∗∗∗ ZDI-21-1298: Ivanti Avalanche JNLP File Improper Access Control Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1298/ ∗∗∗ Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signa… ∗∗∗ INTEL-SA-00481 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00560 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00568 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00569 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00567 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ VMSA-2021-0025 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0025.html ∗∗∗ Samba 4.15.2, 4.14.10, 4.13.14 security releases available ∗∗∗ --------------------------------------------- https://lwn.net/Articles/875565/ ∗∗∗ Philips MRI 1.5T and 3T ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01 ∗∗∗ OSIsoft PI Vision ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05 ∗∗∗ OSIsoft PI Web API ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-313-06 ∗∗∗ NVIDIA GPU Display Driver Advisory - October 2021 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500449-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ NetApp Clustered Data ONTAP Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500448-NETAPP-CLUSTERED-DATA-O… ∗∗∗ Realtek Driver Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500447-REALTEK-DRIVER-PRIVILEG… ∗∗∗ Multi-vendor BIOS Security Vulnerabilities (November 2021) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500446-MULTI-VENDOR-BIOS-SECUR… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2021
by Daily end-of-shift report 09 Nov '21

09 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 08-11-2021 18:00 − Dienstag 09-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus ∗∗∗ --------------------------------------------- Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-ex… ∗∗∗ Abcbot, an evolving botnet ∗∗∗ --------------------------------------------- Business on the cloud and security on the cloud is one of the industry trends in recent years. 360Netlab is also continuing to focus on security incidents and trends on the cloud from its own expertise in the technology field. The following is a recent security incident we observed, --------------------------------------------- https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/ ∗∗∗ (Ab)Using Security Tools & Controls for the Bad, (Mon, Nov 8th) ∗∗∗ --------------------------------------------- As security practitioners, we give daily advice to our customers to increase the security level of their infrastructures. Install this tool, enable this feature, disable this function, etc. When enabled, these techniques can also be (ab)used by attackers to perform nasty actions. --------------------------------------------- https://isc.sans.edu/diary/rss/28014 ∗∗∗ WooCommerce Skimmer Spoofs Checkout Page ∗∗∗ --------------------------------------------- Recently a client of ours was reporting a bogus checkout page appearing on their website. When trying to access their “my-account” page an unfamiliar prompt appeared in their browser soliciting credit card billing information: This form was foreign to our client and was clearly placed during a website compromise. Interestingly, the website itself doesn’t even accept payments at all. If this was an attempt at a targeted credit card theft infection (as quite a few of them are) [...] --------------------------------------------- https://blog.sucuri.net/2021/11/woocommerce-skimmer-spoofs-checkout-page.ht… ∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Security Flaws ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have released a total of 20 Patch Tuesday advisories to address more than 50 vulnerabilities affecting their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr… ∗∗∗ „media-markt-outlet.de“ ist Fake ∗∗∗ --------------------------------------------- Die Webseite media-markt-outlet.de gibt vor, ein Outlet-Store von Media Markt zu sein. Da es sich bei diesem Fake-Shop angeblich um ein Outlet handelt, erscheinen die günstigen Preise auf dem ersten Blick nicht untypisch. Doch Vorsicht: media-markt-outlet.de ist Fake - Sie erhalten trotz Bezahlung keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/media-markt-outletde-ist-fake/ ∗∗∗ The Invisible JavaScript Backdoor ∗∗∗ --------------------------------------------- A few months ago we saw a post on the r/programminghorror subreddit: A developer describes the struggle of identifying a syntax error resulting from an invisible Unicode character hidden in JavaScript source code. This post inspired an idea: What if a backdoor literally cannot be seen and thus evades detection even from thorough code reviews? --------------------------------------------- https://certitude.consulting/blog/en/invisible-backdoor/ ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Attacken auf CMS Sitecore Experience Platform beobachtet ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf eine Schadcode-Lücke im Content Management System Sitecore XP abgesehen. Sicherheitspatches gibt es bereits seit Oktober 2021. --------------------------------------------- https://heise.de/-6262157 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, grafana, jenkins, opera, and thunderbird), Debian (botan1.10 and ckeditor), openSUSE (chromium, kernel, qemu, and rubygem-activerecord-5_1), SUSE (qemu and rubygem-activerecord-5_1), and Ubuntu (docker.io, kernel, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux, linux-aws, linux-aws-5.4, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/875531/ ∗∗∗ Adobe Patches Critical RoboHelp Server Security Flaw ∗∗∗ --------------------------------------------- Software maker Adobe on Tuesday released patches to cover at least four documented security defects that expose users to malicious hacker attacks. The most serious of the flaw was addressed in RoboHelp Server and is rated “critical” because it exposes corporate environments to arbitrary code execution attacks. --------------------------------------------- https://www.securityweek.com/adobe-patches-critical-robohelp-server-securit… ∗∗∗ IPAS: Security Advisories for November 2021 ∗∗∗ --------------------------------------------- Hi everyone, Today we released 25 security advisories addressing 72 vulnerabilities. Through our internal security research and the investment we make in our bug bounty programs, 96% of the issues being addressed today are the result of our proactive product security assurance efforts. Given that almost half of today’s advisories address drivers in various components, [...] --------------------------------------------- https://blogs.intel.com/technology/2021/11/intel-security-advisories-for-no… ∗∗∗ NUCLEUS:13 vulnerabilities impact Siemens medical & industrial equipment ∗∗∗ --------------------------------------------- Security researchers have disclosed today a set of 13 vulnerabilities that impact a crucial Siemens software library that is included with medical devices, automotive, and industrial systems. --------------------------------------------- https://therecord.media/nucleus13-vulnerabilities-impact-siemens-medical-in… ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX330728 ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Ant vulnerability (CVE-2021-36374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Ant vulnerability (CVE-2021-36373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by CVE-2021-23509 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in Golang ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: A vulnerability in Apache Commons Compress Library affects IBM LKS ART and Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK (July 2021) affects IBM InfoSphere Information Server (CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities (CVE-2020-25648, CVE-2021-31535, CVE-2021-20305, CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities (CVE-2020-4152, CVE-2020-4160, CVE-2020-4153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM Safer Payments v5.7 to v6.3 releases are affected by an OpenSSL Security Advisory (CVE-2021-3711) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-safer-payments-v5-7-t… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Nov. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2021
by Daily end-of-shift report 08 Nov '21

08 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-11-2021 18:00 − Montag 08-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Unbekannte infiltrieren Paketmanager npm und verseuchen Tools mit Schadcode ∗∗∗ --------------------------------------------- Die Betreiber des Paketmanagers npm warnen davor, dass Unbefugte die Pakete coa und rc trojanisiert haben. --------------------------------------------- https://heise.de/-6260153 ∗∗∗ Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer ∗∗∗ --------------------------------------------- A malicious campaign against ManageEngine ADSelfService Plus used Godzilla webshells, the NGLite backdoor and KdcSponge, a credential stealer. --------------------------------------------- https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ ∗∗∗ Pwn2Own: Printer plays AC/DC, Samsung Galaxy S21 hacked twice ∗∗∗ --------------------------------------------- Trend Micros ZDI has awarded $1,081,250 for 61 zero-days exploited at Pwn2Own Austin 2021, with competitors successfully pwning the Samsung Galaxy S21 again and hacking an HP LaserJet printer to play AC/DCs Thunderstruck on the contests third day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pwn2own-printer-plays-ac-dc-… ∗∗∗ Sitecore XP RCE flaw patched last month now actively exploited ∗∗∗ --------------------------------------------- The Australian Cyber Security Center (ACSC) is alerting web admins of the active exploitation of CVE-2021-42237, a remote code execution flaw in the Sitecore Experience Platform (Sitecore XP). --------------------------------------------- https://www.bleepingcomputer.com/news/security/sitecore-xp-rce-flaw-patched… ∗∗∗ Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory, (Sun, Nov 7th) ∗∗∗ --------------------------------------------- I made a video showing the steps to take to decrypt Cobalt Strike traffic that I covered in my diary entry "Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory". --------------------------------------------- https://isc.sans.edu/diary/rss/28008 ∗∗∗ ICS Threat Hunting: “Theyre Shootin’ at the Lights!” - PART 2 ∗∗∗ --------------------------------------------- [...] In this PART 2 of the blog series we will: Identify several critical and targeted ICS assets to protect, Identify related data sources for those assets, Focus on aspects of threat intel to use for a hunt, Build a threat hunt package template to prepare for executing the actual hunt --------------------------------------------- https://www.sans.org/blog/ics-threat-hunting-they-are-shootin-at-the-lights… ∗∗∗ TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access ∗∗∗ --------------------------------------------- NCC Group’s global Cyber Incident Response Team have observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the [...] --------------------------------------------- https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnera… ∗∗∗ DDoS Attack Trends for Q3 2021 ∗∗∗ --------------------------------------------- The third quarter of 2021 was a busy quarter for DDoS attackers. Cloudflare observed and mitigated record-setting HTTP DDoS attacks, terabit-strong network-layer attacks, one of the largest botnets ever deployed (Meris), and more recently, ransom DDoS attacks on voice over IP (VoIP) service providers and their network infrastructure around the world. --------------------------------------------- https://blog.cloudflare.com/ddos-attack-trends-for-2021-q3/ ∗∗∗ ASEC Weekly Malware Statistics (October 25th, 2021 – October 31st, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 25th, 2021 (Monday) to October 31st, 2021 (Sunday). For the main category, info-stealer ranked top with 48.3%, followed by RAT (Remote Administration Tool) malware with 24.5%, Downloader with 18.3%, Backdoor malware with 4.6%, Ransomware with 4.1%, and Banking malware with 0.2%. --------------------------------------------- https://asec.ahnlab.com/en/28464/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (containerd, redis, and sqlalchemy), Fedora (kernel, radeontop, rpki-client, and webkit2gtk3), openSUSE (java-1_8_0-openj9, libvirt, mailman, transfig, and webkit2gtk3), Oracle (thunderbird), SUSE (libvirt), and Ubuntu (icu). --------------------------------------------- https://lwn.net/Articles/875420/ ∗∗∗ Security Bulletin:Multiple Security Vulnerabilities fixed in Openssl as shipped with IBM Security Verify products (CVE-2021-3711, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinmultiple-security-vulnerab… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting in Guardium STAP vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: XSS vulerability in Dojo affects IBM Tivoli Business Service Manager (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xss-vulerability-in-dojo-… ∗∗∗ Security Bulletin: IBM MQ Appliance vulnerable to a denial of service attack (CVE-2021-29843) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-vulnerab… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple Apache Commons FileUpload vulnerabilities affects IBM Tivoli Business Service Manager (CVE-2014-0034, CVE-2014-0050, CVE-2013-2186, CVE-2016-3092) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-commons-f… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.11.2021
by Daily end-of-shift report 05 Nov '21

05 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-11-2021 18:00 − Freitag 05-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing emails deliver spooky zombie-themed MirCop ransomware ∗∗∗ --------------------------------------------- A new phishing campaign pretending to be supply lists infects users with the MirCop ransomware that encrypts a target system in under fifteen minutes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-emails-deliver-spoo… ∗∗∗ Bluetooth-Lücken Braktooth: Das Patchen geht nur schleppend voran ∗∗∗ --------------------------------------------- Für Braktooth-Attacken anfällige Bluetooth-Geräte könnten zeitnah in den Fokus von Angreifern rücken. Patches sind noch längst nicht flächendeckend verfügbar. --------------------------------------------- https://heise.de/-6254474 ∗∗∗ SSL certificate research highlights pitfalls for company data, competition ∗∗∗ --------------------------------------------- Analysis reveals hidden risks for organizations that do not monitor their certificate usage. --------------------------------------------- https://www.zdnet.com/article/ssl-certificate-research-highlights-pitfalls-… ∗∗∗ The IoT is getting a lot bigger, but security is still getting left behind ∗∗∗ --------------------------------------------- Four in five Internet of Things device vendors dont provide any information on how to disclose security vulnerabilities. That means problems just dont get fixed. --------------------------------------------- https://www.zdnet.com/article/the-iot-is-getting-a-lot-bigger-but-security-… ∗∗∗ Malware found in coa and rc, two npm packages with 23M weekly downloads ∗∗∗ --------------------------------------------- The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware. --------------------------------------------- https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-2… ∗∗∗ Datenbank mit Millionen Daten von VPN-Nutzern ungeschützt im Internet (Okt. 2021) ∗∗∗ --------------------------------------------- Wer VPN-Anbieter nutzt, muss sich auf deren Sicherheit und Integrität verlassen können. Sicherheitsforscher Bob Diachenko von comparitech ist kürzlich im Internet auf eine ungeschützte Datenbank (kein Passwort) gestoßen, die mehr als 300 Millionen Datensätze mit den persönlichen Daten [...] --------------------------------------------- https://www.borncity.com/blog/2021/11/05/datenbank-mit-millionen-daten-von-… ∗∗∗ Phishing PDF Files with CAPTCHA Screen Being Mass-distributed ∗∗∗ --------------------------------------------- Phishing PDF files that have CAPTCHA screens are rapidly being mass-distributed this year. A CAPTCHA screen appears upon running the PDF file, but it is not an invalid CAPTCHA. It is simply an image with a link that redirects to a malicious URL. Related types that have been collected by AhnLab’s ASD infrastructure since July up till now amount to 1,500,000. --------------------------------------------- https://asec.ahnlab.com/en/28431/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1278: Hewlett Packard Enterprise iLO Amplifier Pack backup Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise iLO Amplifier Pack. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1278/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python3.5, redis, and udisks2), Fedora (rust), openSUSE (binutils, java-1_8_0-openj9, and qemu), Oracle (firefox and httpd), Red Hat (thunderbird), Scientific Linux (thunderbird), and SUSE (binutils, qemu, and systemd). --------------------------------------------- https://lwn.net/Articles/875212/ ∗∗∗ SYSS-2021-048/SYSS-2021-049: PHP Event Calendar – SQL Injection und Persistent Cross-Site Scripting ∗∗∗ --------------------------------------------- Im "PHP Event Calendar" wurden zwei Sicherheitslücken gefunden. So kann die Datenbank ausgelesen oder die Sitzung anderer Nutzer kompromittiert werden. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-048/syss-2021-049-php-event-cale… ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1157 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenLDAP vulnerability (CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29753 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by the following vulnerabilities ( CVE-2021-29773, CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in Golang ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Reliance on Untrusted Inputs in Security Descision ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Weak Password Policy vulnerability (CVE-2021-20418) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilites ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2021
by Daily end-of-shift report 04 Nov '21

04 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-11-2021 18:00 − Donnerstag 04-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Wichtige Cisco-Updates: Recycelte SSH-Keys vereinfachten unbefugte Root-Zugriffe ∗∗∗ --------------------------------------------- Neue Versionen schließen eine kritische Lücke in Ciscos Policy Suite. Auch Catalyst PON Switches & weitere Produkte wurden gegen Angriffe abgesichert. --------------------------------------------- https://heise.de/-6251668 ∗∗∗ BSI-Paper: Technische Grundlagen sicherer Messenger-Dienste ∗∗∗ --------------------------------------------- Milliardenfach kommt weltweit ein Kommunikationsmittel zum Zuge: Messenger-Dienste. Die kurze geschriebene oder gesprochene Nachricht überrundet schon lange die SMS. Doch wie funktionieren Messenger? Was macht sie sicher und was eher nicht? Auf diese und weitere Fragen gibt das BSI-Paper „Moderne Messenger – heute verschlüsselt, morgen interoperabel?“ Antwort. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Cyberkriminelle verkaufen Zugänge zu internationalen Logistikfirmen ∗∗∗ --------------------------------------------- Es handelt sich oft um Schwachstellen in RDP und VPN. Angeboten werden aber auch gestohlene Zugangsdaten. Sicherheitsforscher warnen vor weiteren negativen Folgen für die Lieferkette. --------------------------------------------- https://www.zdnet.de/88397581/cyberkriminelle-verkaufen-zugaenge-zu-interna… ∗∗∗ Betrug mit Verdopplung Ihrer Bitcoins und Kryptowährungen! ∗∗∗ --------------------------------------------- Kriminelle machen ein attraktives Angebot: Sie versprechen eine Verdopplung eingezahlter Kryptowährungen durch einfaches Übetragen auf eine Wallet. Der Haken an der Sache: Übertragene Währungen sind verloren, denn sie landen direkt auf den Wallets der Kriminellen. Genau das passiert auch auf spacegetbonus.com mit Bitcoin, Ethereum und Dogecoin! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-verdopplung-ihrer-bitcoin… ∗∗∗ Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware ∗∗∗ --------------------------------------------- A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxyshel… ∗∗∗ Samsung Galaxy S21 hacked on second day of Pwn2Own Austin ∗∗∗ --------------------------------------------- Contestants hacked the Samsung Galaxy S21 smartphone during the second day of the Pwn2Own Austin 2021 competition, as well as routers, NAS devices, speakers, and printers from Cisco, TP-Link, Western Digital, Sonos, Canon, Lexmark, and HP. --------------------------------------------- https://www.bleepingcomputer.com/news/security/samsung-galaxy-s21-hacked-on… ∗∗∗ 5 MITRE ATT&CK Tactics Most Frequently Detected by Cisco Secure Firewalls ∗∗∗ --------------------------------------------- Cisco Security examines the most frequently encountered MITRE ATT&CK tactics and techniques. --------------------------------------------- https://www.darkreading.com/edge-threat-monitor/5-mitre-attck-tactics-most-… ∗∗∗ Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns ∗∗∗ --------------------------------------------- Much has been written about the role of webinjects in the evolution of banking trojans, facilitating the interception and manipulation of victim connections to the customer portals of a burgeoning list of targets which now includes e-commerce, retail, and telecommunications brands. --------------------------------------------- https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-van… ∗∗∗ Credit card skimmer evades Virtual Machines ∗∗∗ --------------------------------------------- After code obfuscation, anti-debugger tricks we now see virtual machine detection used by credit card skimmers. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimm… ∗∗∗ The Vagabon Kit Highlights ‘Frankenstein’ Trend in Phishing ∗∗∗ --------------------------------------------- In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themself "Vagabon," looks to collect PayPal login credentials and complete credit card information from the victim. The kit doesnt display many unique characteristics and is a textbook example of a "Frankenstein" kit. In this increasingly popular trend, threat actors piece together new phish kits from modular, free, or readily available kits and services. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/vagabon-kit-frankens… ∗∗∗ Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server ∗∗∗ --------------------------------------------- GitLab servers are under attack with a now-patched critical vulnerability Earlier this week we investigated an incident that occurred on a new Intezer Protect user’s GitLab server. After the user installed the Intezer Protect sensor on their server, an initial runtime scan was performed. An alert was immediately triggered on the execution of a malicious metasploit [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/dfir-infected-gitlab-server/ ∗∗∗ Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3 ∗∗∗ --------------------------------------------- We decrypt Cobalt Strike traffic with cryptographic keys extracted from process memory. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. --------------------------------------------- https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decr… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Vulnerability Reported in Linux Kernels TIPC Module ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a security flaw in the Linux Kernels Transparent Inter Process Communication (TIPC) module that could potentially be leveraged both locally as well as remotely to execute arbitrary code within the kernel and take control of vulnerable machines. The heap overflow vulnerability "can be exploited locally or remotely within a network to gain kernel [...] --------------------------------------------- https://thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.ht… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ansible, chromium, kernel, mupdf, python-PyMuPDF, rust, and zathura-pdf-mupdf), openSUSE (qemu and webkit2gtk3), Red Hat (firefox and kpatch-patch), Scientific Linux (firefox), SUSE (qemu, tomcat, and webkit2gtk3), and Ubuntu (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/875106/ ∗∗∗ Beckhoff: Relative path traversal vulnerability through TwinCAT OPC UA Server ∗∗∗ --------------------------------------------- [...] Summary: Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server administrators are able to remotely create and delete any files on the system which the server is running on, though this access should have been restricted to specific directories. In case that configuration interface is combined with not recommended settings to allow anonymous access via the TwinCAT OPC UA Server then this kind of file access is even possible for any unauthenticated user from remote. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-051/ ∗∗∗ VISAM VBASE Editor ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Access Control, Cross-site Scripting, Using Components with Known Vulnerabilities, and Improper Restriction of XML External Entity Reference vulnerabilities in the VISAM VBASE Editor automation platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-308-01 ∗∗∗ AzeoTech DAQFactory ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Inherently Dangerous Function, Deserialization of Untrusted Data, Cleartext Transmission of Sensitive Information, and Modification of Assumed-Immutable Data (MAID) vulnerabilities in the AzeoTech DAQFactory software and application development platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02 ∗∗∗ BrakTooth Proof of Concept Tool Demonstrates Bluetooth Vulnerabilities ∗∗∗ --------------------------------------------- On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researcher’s software tools. BrakTooth—originally disclosed in August 2021—is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/04/braktooth-proof-c… ∗∗∗ Security Bulletin: Vulnerability in Oracle, Java SE Affecting Watson Speech Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-oracle-j… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Bouncy Castle vulnerability (CVE-2020-26939) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Reflected cross-site scripting vulnerability in IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr… ∗∗∗ Grafana: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1154 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.11.2021
by Daily end-of-shift report 03 Nov '21

03 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-11-2021 18:00 − Mittwoch 03-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ A Technical Analysis of CVE-2021-30864: Bypassing App Sandbox Restrictions ∗∗∗ --------------------------------------------- This article provides an overview of what the App Sandbox is and the vulnerability details as disclosed to Apple. --------------------------------------------- https://perception-point.io/a-technical-analysis-of-cve-2021-30864-bypassin… ∗∗∗ Ransomware: "BlackMatter"-Gang will aufhören – mal wieder ∗∗∗ --------------------------------------------- Druck von Ermittlern veranlasst BlackMatter zum Aufhören. Ein endgültiger Abschied der alten Hasen aus dem Erpresser-Business scheint aber eher fraglich. --------------------------------------------- https://heise.de/-6247924 ∗∗∗ Sicherheitsforscher warnen vor zehntausenden verwundbaren GitLab-Servern ∗∗∗ --------------------------------------------- Obwohl es bereits mehrere Monate Sicherheitspatches für eine kritische Lücke gibt, sind einem Bericht zufolge immer noch viele GitLab-Server angreifbar. --------------------------------------------- https://heise.de/-6249588 ∗∗∗ This Steam phish baits you with free Discord Nitro ∗∗∗ --------------------------------------------- Theres another scam making rounds on Discord. And its cleverly phishing for Steam credentials. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2021/11/this-steam-phish-ba… ∗∗∗ Kleinanzeigenbetrug mit angeblichem Post-Kurier boomt! ∗∗∗ --------------------------------------------- Zahlreiche LeserInnen wenden sich derzeit an uns, da Kriminelle eine gefälschte Webseite der Post für Kleinanzeigenbetrug verwenden. Dabei suchen die BetrügerInnen auf Willhaben, Ebay, Shpock und Co. nach teuren Angeboten und erklären den VerkäuferInnen, dass der Kauf über einen Kurierdienst der Post abgewickelt werden soll. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-mit-angeblichem-… ∗∗∗ Almost half of rootkits are used for cyberattacks against government organizations ∗∗∗ --------------------------------------------- On Wednesday, Positive Technologies released a report on the evolution and application of rootkits in cyberattacks, noting that 77% of rootkits are utilized for cyberespionage. --------------------------------------------- https://www.zdnet.com/article/almost-half-of-rootkits-are-used-to-strike-go… ∗∗∗ "Trojan Source": Was ist da dran? ∗∗∗ --------------------------------------------- An sich schätze ich Brian Krebs, er schreibt wirklich gute Artikel, aber bei ‘Trojan Source’ Bug Threatens the Security of All Code hat er etwas übertrieben. --------------------------------------------- https://cert.at/de/aktuelles/2021/11/trojan-source-was-ist-da-dran ∗∗∗ CISA Issues BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities ∗∗∗ --------------------------------------------- CISA has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities to addresses vulnerabilities that establishes specific timeframes for federal civilian agencies to remediate vulnerabilities that are being actively exploited by known adversaries. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/03/cisa-issues-bod-2… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 16 Security Advisories veröffentlicht. Zwei davon werden als "Critical" eingestuft, zwei als "High", und zwölf als "Medium". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Patchday: Angreifer attackieren gezielt Android-Geräte ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen. Eine Lücke im Kernel nutzen Angreifer derzeit aus. --------------------------------------------- https://heise.de/-6247997 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak). --------------------------------------------- https://lwn.net/Articles/874980/ ∗∗∗ ZDI-21-1277: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1277/ ∗∗∗ ZDI-21-1276: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1276/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211103-… ∗∗∗ Security Bulletin: Vulnerabilities in HAProxy Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-haprox… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/ ∗∗∗ Red Hat Integration - Service Registry: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1143 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily November 2021