December 2021 - Daily

Tageszusammenfassung - 30.12.2021
by Daily end-of-shift report 30 Dec '21

30 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-12-2021 18:00 − Donnerstag 30-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hiding malware inside the flex capacity space on modern SSDs ∗∗∗ --------------------------------------------- Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location thats beyond the reach of the user and security solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hiding-malware-inside-the-fl… ∗∗∗ Agent Tesla Updates SMTP Data Exfiltration Technique, (Thu, Dec 30th) ∗∗∗ --------------------------------------------- Agent Tesla is a Windows-based keylogger and RAT that commonly uses SMTP or FTP to exfiltrate stolen data. This malware has been around since 2014, and SMTP is its most common method for data exfiltration. --------------------------------------------- https://isc.sans.edu/diary/rss/28190 ∗∗∗ LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack ∗∗∗ --------------------------------------------- Users of the popular LastPass password manager are being targeted in so-called “credential stuffing” attacks that use email addresses and passwords obtained from third-party breaches. --------------------------------------------- https://www.securityweek.com/lastpass-automated-warnings-linked-%E2%80%98cr… ∗∗∗ Android 12: Samsung überrascht zum Jahresende mit regelrechter Update-Flut ∗∗∗ --------------------------------------------- Updates für praktisch alle High-End-Smartphones der vergangenen drei Jahre veröffentlicht. Selbst erste Tablets werden schon bedient. --------------------------------------------- https://www.derstandard.at/story/2000132240383/android-12-samsung-ueberrasc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (advancecomp, apache-log4j2, postgis, spip, uw-imap, and xorg-server), Mageia (kernel and kernel-linus), Scientific Linux (log4j), and SUSE (kernel-firmware and mariadb). --------------------------------------------- https://lwn.net/Articles/880039/ ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects IBM Db2 Web Query for i (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Guardium Data Encryption (GDE) (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Trend Micro Apex One und Trend Micro Worry-Free Business Security: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1320 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.12.2021
by Daily end-of-shift report 29 Dec '21

29 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-12-2021 18:00 − Mittwoch 29-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ RedLine malware shows why passwords shouldnt be saved in browsers ∗∗∗ --------------------------------------------- The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea. --------------------------------------------- https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-pa… ∗∗∗ Microsoft Defender Log4j scanner triggers false positive alerts ∗∗∗ --------------------------------------------- Microsoft Defender for Endpoint is currently showing "sensor tampering" alerts linked to the companys newly deployed Microsoft 365 Defender scanner for Log4j processes. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-log4j-sc… ∗∗∗ Wieder Sicherheitslücken in Herzschrittmachern gefunden ∗∗∗ --------------------------------------------- Auf der Online-Konferenz RC3 zeigten zwei Sicherheitsforscher, wie sie Cardio-Geräte unter die Lupe genommen haben. --------------------------------------------- https://futurezone.at/digital-life/herzschrittmacher-sicherheitsluecken-rc3… ∗∗∗ Responsible Disclosure: Deine Software, die Sicherheitslücken und ich ∗∗∗ --------------------------------------------- Wie meldet man Sicherheitslücken eigentlich richtig? Und wie sollten Unternehmen damit umgehen? Zerforschung und CCC klären auf. Ein Bericht von Moritz Tremmel (rC3, API) --------------------------------------------- https://www.golem.de/news/responsible-disclosure-deine-software-die-sicherh… ∗∗∗ LotL Classifier tests for shells, exfil, and miners, (Tue, Dec 28th) ∗∗∗ --------------------------------------------- A supervised learning approach to Living off the Land attack classification from Adobe SI --------------------------------------------- https://isc.sans.edu/diary/rss/28184 ∗∗∗ Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics ∗∗∗ --------------------------------------------- An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed. [...] Initial attacks involved executing a malicious command upon running a vanilla image named "alpine:latest" that resulted in the download of a shell script named "autom.sh." "Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use," --------------------------------------------- https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html ∗∗∗ Turning bad SSRF to good SSRF: Websphere Portal ∗∗∗ --------------------------------------------- In this blog post, we will explain how we discovered a multitude of SSRF vulnerabilities in HCL Websphere, as well as how we turned a restrictive, bad SSRF to a good SSRF. --------------------------------------------- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/ ∗∗∗ Storage Devices of Major Vendors Impacted by Encryption Software Flaws ∗∗∗ --------------------------------------------- Earlier this month, SecurityWeek reported that Western Digital had updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks. SanDisk SecureAccess, recently rebranded SanDisk PrivateAccess, is a piece of software that allows users to encrypt files and folders stored in a protected vault on SanDisk USB flash drives.[...] Pelissier detailed his findings this week at the Chaos Computer Club’s Remote Chaos Experience (rC3) virtual conference, where he revealed that the vulnerabilities were actually discovered in the DataVault encryption software made by ENC Security. --------------------------------------------- https://www.securityweek.com/storage-devices-major-vendors-impacted-encrypt… ∗∗∗ Sicher kaufen auf Willhaben, Shpock & Co. ∗∗∗ --------------------------------------------- Sie sind auf der Suche nach gebrauchten Schnäppchen? Mit Kleinanzeigenplattformen wie willhaben, Shpock oder den Facebook Marketplace gibt es zahlreiche Möglichkeiten, um zu stöbern und das perfekte Schnäppchen zu finden. Allerdings sollten Sie beim Shoppen auf solchen Plattformen einige Punkte beachten. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-kaufen-auf-willhaben-shpock-c… ∗∗∗ Threat actor uses HP iLO rootkit to wipe servers ∗∗∗ --------------------------------------------- An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations. --------------------------------------------- https://therecord.media/threat-actor-uses-hp-ilo-rootkit-to-wipe-servers/ ===================== = Vulnerabilities = ===================== ∗∗∗ Log4Shell vulnerability Number Four: “Much ado about something” ∗∗∗ --------------------------------------------- CVE-2021-44832; Its a Log4j bug, and you ought to patch it. But we dont think its a critical crisis like the last one. --------------------------------------------- https://nakedsecurity.sophos.com/2021/12/29/log4shell-vulnerability-number-… ∗∗∗ SSA-784507: Apache Log4j Vulnerability (CVE-2021-44832) via JDBC Appender - Impact to Siemens Products ∗∗∗ --------------------------------------------- This advisory informs about the impact of CVE-2021-44832 to Siemens products and the corresponding remediation and mitigation measures. The vulnerability is different from other JNDI lookup vulnerabilities, the impact of which is documented in SSA-661247. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-784507.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, python-gnupg, resiprocate, and ruby-haml), Fedora (mod_auth_mellon), openSUSE (thunderbird), Slackware (wpa_supplicant), and SUSE (gegl). --------------------------------------------- https://lwn.net/Articles/879995/ ∗∗∗ D-LINK Router (DIR-2640 <= 1.11B02): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um seine Privilegien zu erweitern, vertrauliche Informationen offenzulegen und beliebigen Code als root auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1313 ∗∗∗ Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. ∗∗∗ --------------------------------------------- Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. - Citrix Endpoint Management (Citrix XenMobile Server): Impacted – Customers are advised to apply the latest CEM rolling patch updates - Citrix Virtual Apps and Desktops (XenApp & XenDesktop): Impacted - Linux VDA (non-LTSR versions only) --------------------------------------------- https://support.citrix.com/article/CTX335705 ∗∗∗ Exposure of Sensitive Information in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- CVE identifier: CVE-2021-34347 Affected products: All QNAP NAS A vulnerability involving exposure of sensitive information has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to compromise the security of the system. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-53 ∗∗∗ Security Advisory - Cross-Site Scripting(XSS) Vulnerability in Huawei WS318n Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211229-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot for VMware (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM SANnav software used by IBM b-type SAN directors and switches (CVE-2021-45105 and CV-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.12.2021
by Daily end-of-shift report 28 Dec '21

28 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 27-12-2021 18:00 − Dienstag 28-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers ∗∗∗ --------------------------------------------- Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature thats dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group. --------------------------------------------- https://thehackernews.com/2021/12/experts-detail-logging-tool-of.html ∗∗∗ V8 Heap pwn and /dev/memes - WebOS Root LPE ∗∗∗ --------------------------------------------- This is a writeup for my latest WebOS local root exploit chain, which Im calling WAMpage. ... This exploit is mainly of interest to other researchers - if you just want to root your TV, you probably want RootMyTV, which offers a reliable 1-click persistent root. --------------------------------------------- https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html ∗∗∗ Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution ∗∗∗ --------------------------------------------- Recently observed malicious campaigns have abused Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines. [...] The threat actors typically gain access to the target environment using a valid remote desktop protocol (RDP) account, leverage remote Windows Services (SCM) for lateral movement, and abuse MSBuild to execute the Cobalt Strike Beacon payload. --------------------------------------------- https://www.securityweek.com/threat-actors-abuse-msbuild-cobalt-strike-beac… ===================== = Vulnerabilities = ===================== ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- Update December 28, 10:01am The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated. --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (djvulibre, libzip, monit, novnc, okular, paramiko, postgis, rdflib, ruby2.3, and zziplib), openSUSE (chromium, kafka, and permissions), and SUSE (net-snmp and permissions). --------------------------------------------- https://lwn.net/Articles/879952/ ∗∗∗ Security Bulletin:IBM SPSS Modeler is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) and arbitrary code execution due to Apache Log4j (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-spss-modeler-is-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Operations Center (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-af… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ SSA-661247 V2.0 (Last Update: 2021-12-27): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2021
by Daily end-of-shift report 27 Dec '21

27 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-12-2021 18:00 − Montag 27-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rook ransomware is yet another spawn of the leaked Babuk code ∗∗∗ --------------------------------------------- A new ransomware operation named Rook has appeared recently on the cyber-crime space, declaring a desperate need to make "a lot of money" by breaching corporate networks and encrypting devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rook-ransomware-is-yet-anoth… ∗∗∗ QNAP NAS devices hit in surge of ech0raix ransomware attacks ∗∗∗ --------------------------------------------- Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-nas-devices-hit-in-surg… ∗∗∗ Example of how attackers are trying to push crypto miners via Log4Shell, (Fri, Dec 24th) ∗∗∗ --------------------------------------------- While following Log4Shell's exploit attempts hitting our honeypots, I came across another campaign trying to push a crypto miner on the victims machines. --------------------------------------------- https://isc.sans.edu/diary/rss/28172 ∗∗∗ More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild ∗∗∗ --------------------------------------------- A team of academics said it found more than 1,200 phishing toolkits deployed in the wild that are capable of intercepting and allowing cybercriminals to bypass two-factor authentication (2FA) security codes. --------------------------------------------- https://therecord.media/more-than-1200-phishing-toolkits-capable-of-interce… ∗∗∗ QNAP Firmware-Update Version QTS 5.0.0.1891 build 20211221 und log4j-Schwachstelle ∗∗∗ --------------------------------------------- Der Hersteller QNAP hat kurz vor Weihnachten ein Firmware-Update für sein QTS 5 freigegeben. Das Update schließt einige Schwachstellen. Zudem wurde eine log4j-Schwachstelle in QNAP-Software gemeldet. --------------------------------------------- https://www.borncity.com/blog/2021/12/26/qnap-firmware-update-version-qts-5… ===================== = Vulnerabilities = ===================== ∗∗∗ Garrett Walk-Through Metal Detectors Can Be Hacked Remotely ∗∗∗ --------------------------------------------- A number of security flaws have been uncovered in a networking component in Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, tamper with metal detector configurations, and even execute arbitrary code on the devices. --------------------------------------------- https://thehackernews.com/2021/12/garrett-walk-through-metal-detectors.html ∗∗∗ Remote Code Execution Vulnerabilities in Veritas Enterprise Vault ∗∗∗ --------------------------------------------- Veritas has discovered an issue where Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault Server. CVSS v3.1 Base Score 9.8 CVEs: CVE-2021-44679, CVE-2021-44680, CVE-2021-44678, CVE-2021-44677, CVE-2021-44682, CVE-2021-44681 --------------------------------------------- https://www.veritas.com/content/support/en_US/security/VTS21-003 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 33 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (httpd and singularity), Mageia (ldns, netcdf, php, ruby, thrift/golang-github-apache-thrift, thunderbird, and webkit2), openSUSE (go1.16, go1.17, libaom, and p11-kit), and SUSE (go1.16, go1.17, htmldoc, libaom, libvpx, logstash, openssh-openssl1, python3, and runc). --------------------------------------------- https://lwn.net/Articles/879791/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j2, libextractor, libpcap, and wireshark), Fedora (grub2, kernel, libopenmpt, log4j, mingw-binutils, mingw-python-lxml, and seamonkey), Mageia (golang, lapack/openblas, and samba), and openSUSE (go1.16, libaom, log4j12, logback, and runc). --------------------------------------------- https://lwn.net/Articles/879891/ ∗∗∗ SolarWinds - multiple advisories ∗∗∗ --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ K16090693: Apache HTTP server vulnerability CVE-2021-44224 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16090693 ∗∗∗ Moxa MGate Protocol Gateways ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-357-01 ∗∗∗ Johnson Controls exacq Enterprise Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-357-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.12.2021
by Daily end-of-shift report 23 Dec '21

23 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-12-2021 18:00 − Donnerstag 23-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Dridex malware trolls employees with fake job termination emails ∗∗∗ --------------------------------------------- A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a seasons greeting message. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employ… ∗∗∗ Microsoft Azure App Service flaw exposed customer source code ∗∗∗ --------------------------------------------- A security flaw found in Azure App Service, a Microsoft-managed platform for building and hosting web apps, led to the exposure of PHP, Node, Python, Ruby, or Java customer source code for at least four years, since 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-azure-app-service-… ∗∗∗ Honeypot experiment reveals what hackers want from IoT devices ∗∗∗ --------------------------------------------- A three-year-long honeypot experiment featuring simulated low-interaction IoT devices of various types and locations gives a clear idea of why actors target specific devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/honeypot-experiment-reveals-… ∗∗∗ Attackers, CSIRTs and Individual Rights: Clarified ∗∗∗ --------------------------------------------- A few years ago I wrote a post on how the GDPR copes with situations when there was a conflict between the obligation to prevent, detect and investigate incidents and the obligation to inform all those whose personal data you process. GDPR Article 14(5) provides a general tool for resolving that conflict: you don’t need to inform if doing so “is likely to render impossible or seriously impair the achievement of the objectives of that processing”. --------------------------------------------- https://regulatorydevelopments.jiscinvolve.org/wp/2021/12/22/attackers-csir… ∗∗∗ Microsoft Teams blockiert Notrufe mit Android-Handys – Update einspielen ∗∗∗ --------------------------------------------- Die Android-App für Microsoft Teams kann unter Umständen Notrufe vom Handy verhindern. Die aktuelle Version soll das unterlassen. [...] Wie es überhaupt dazu kommen kann, dass eine App ohne Root-Rechte die wichtigste Funktion des Telefons sabotieren kann, verraten weder Google noch Microsoft. [...] Das zugrundeliegende Sicherheitsproblem in Android möchte Google mit dem ersten Android-Sicherheitsupdate im neuen Jahr beheben. --------------------------------------------- https://heise.de/-6306221 ∗∗∗ Audio bugging with the Fisher Price Chatter Bluetooth Telephone ∗∗∗ --------------------------------------------- The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids phone handset. Cute! Unfortunately, little to no consideration has been given to privacy and security, resulting in it becoming an audio bug in some circumstances. --------------------------------------------- https://www.pentestpartners.com/security-blog/audio-bugging-with-the-fisher… ∗∗∗ This new ransomware has simple but very clever tricks to evade PC defenses ∗∗∗ --------------------------------------------- One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target's intended security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe. --------------------------------------------- https://www.zdnet.com/article/this-new-ransomware-has-simple-but-very-cleve… ∗∗∗ Log4j Vulnerabilities: Attack Insights ∗∗∗ --------------------------------------------- Symantec [..] has observed numerous variations in attack requests primarily aimed at evading detection. [..] Attackers are predominantly using the LDAP and RMI protocols to download malicious payloads. We have also recorded vulnerability scans using protocols such as IIOP, DNS, HTTP, NIS etc. Payloads: Muhstik Botnet, XMRig miner, Malicious class file backdoor, Reverse Bash shell. Other publicly reported payloads include the Khonsari and Conti ransomware threats, the Orcus remote access Trojan (RAT), and the Dridex malware, among others. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ===================== = Vulnerabilities = ===================== ∗∗∗ Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047 ∗∗∗ --------------------------------------------- Project: Mail Login Security risk: Moderately critical Description: This modules enables users to login via email address.This module does not sufficiently check user status when authenticating.Solution: Install the latest version If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.5 --------------------------------------------- https://www.drupal.org/sa-contrib-2021-047 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 46 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ CVE-2021-44790: Apache HTTP Server / mod_lua ∗∗∗ --------------------------------------------- A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. --------------------------------------------- https://www.openwall.com/lists/oss-security/2021/12/20/4 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-11), Fedora (keepalived and tang), openSUSE (openssh, p11-kit, runc, and thunderbird), Oracle (postgresql:12, postgresql:13, and virt:ol and virt-devel:ol), Red Hat (rh-maven36-log4j12), and SUSE (ansible, chrony, logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh, openssh, p11-kit, python-Babel, and thunderbird). --------------------------------------------- https://lwn.net/Articles/879675/ ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- A malicious privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1304 ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerability in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ SSA-661247 V1.8 (Last Update: 2021-12-22): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.12.2021
by Daily end-of-shift report 22 Dec '21

22 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-12-2021 18:00 − Mittwoch 22-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ CISA releases Apache Log4j scanner to find vulnerable apps ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of a scanner for identifying web services impacted by& two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-releases-apache-log4j-s… ∗∗∗ The Biggest Cyber Security Developments in 2021 ∗∗∗ --------------------------------------------- As we charge towards another new year, we decided to pulse our threat intelligence team (@teamcymru_s2) for their views on what they perceive to be the biggest developments in cyber security over the past twelve months. --------------------------------------------- https://team-cymru.com/blog/2021/12/21/the-biggest-cyber-security-developme… ∗∗∗ Vorsicht vor betrügerischer BAWAG-SMS ∗∗∗ --------------------------------------------- Eine SMS-Falle kursiert, die dazu aufruft eine angebliche Sicherheits-App von der BAWAG-Bank zu installieren. --------------------------------------------- https://futurezone.at/digital-life/betrug-bawag-sms-phishing/401851228 ∗∗∗ Java Code Repository Riddled with Hidden Log4j Bugs; Here’s Where to Look ∗∗∗ --------------------------------------------- There are 17,000 unpatched Log4j packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from Log4Shell exploits. --------------------------------------------- https://threatpost.com/java-supply-chain-log4j-bug/177211/ ∗∗∗ December 2021 Forensic Contest: Answers and Analysis, (Wed, Dec 22nd) ∗∗∗ --------------------------------------------- Thanks to everyone who participated in our December 2021 forensic challenge! You can still find the pcap for our December 2021 forensic contest here. --------------------------------------------- https://isc.sans.edu/diary/rss/28160 ∗∗∗ Vorsicht beim Autokauf: Privatkäufe nicht über easycarpay.net abwickeln ∗∗∗ --------------------------------------------- Wer auf der Suche nach günstigen Gebrauchtautos ist, wird oft auf Kleinanzeigenplattformen fündig. Doch seien Sie vorsichtig, wenn Ihr Gegenüber sich plötzlich im Ausland befindet oder andere Ausreden erfindet, wieso eine Besichtigung des Fahrzeugs nicht möglich sei. Spätestens wenn die Verkäuferin oder der Verkäufer vorschlägt, den Kauf über die Webseite easycarpay.net abzuwickeln, sollten Sie den Kontakt abbrechen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-autokauf-privatkaeufe-… ∗∗∗ Ubisoft erneut Opfer eines Cyberangriffs ∗∗∗ --------------------------------------------- Der Spielegigant Ubisoft hat einen Cyberangriff auf seine IT-Infrastruktur bestätigt, der auf das beliebte Spiel Just Dance abzielte. Laut Ubisoft gab es einen Einbruch in die IT-Infrastruktur des Unternehmens. --------------------------------------------- https://www.zdnet.de/88398543/ubisoft-erneut-opfer-eines-cyberangriffs/ ∗∗∗ Mitigating Log4Shell and Other Log4j-Related Vulnerabilities ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/22/mitigating-log4sh… ===================== = Vulnerabilities = ===================== ∗∗∗ NVIDIA discloses applications impacted by Log4j vulnerability ∗∗∗ --------------------------------------------- NVIDIA has released a security advisory detailing what products are affected by the Log4Shell vulnerability that is currently exploited in a wide range of attacks worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nvidia-discloses-application… ∗∗∗ VU#692873: Saviynt Enterprise Identity Cloud vulnerable to local user enumeration and authentication bypass ∗∗∗ --------------------------------------------- Saviynt Enterprise Identity Cloud contains user enumeration and authentication bypass vulnerabilities in the local password reset feature. Together, these vulnerabilities could allow a remote, unauthenticated attacker to gain administrative privileges if an SSO solution is not configured for authentication. --------------------------------------------- https://kb.cert.org/vuls/id/692873 ∗∗∗ Active Directory: Microsoft warnt vor einfacher Domain-Übernahme ∗∗∗ --------------------------------------------- Zwei bekannte und bereits behobene Fehler in Active Directory ließen sich leicht ausnutzen, warnt Microsoft und empfiehlt dringend Updates. --------------------------------------------- https://www.golem.de/news/active-directory-microsoft-warnt-vor-einfacher-do… ∗∗∗ Four Bugs in Microsoft Teams Left Platform Vulnerable Since March ∗∗∗ --------------------------------------------- Attackers exploiting bugs in the “link preview” feature in Microsoft Teams could abuse the flaws to spoof links, leak an Android user’s IP address and launch a DoS attack. --------------------------------------------- https://threatpost.com/microsoft-teams-bugs-vulnerable-march/177225/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 68 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ WordPress-Plug-in: Kritische Lücke in All In One SEO bedroht Millionen Websites ∗∗∗ --------------------------------------------- Angreifer könnten WordPress-Websites mit All in One SEO mit Schadcode attackieren. Eine abgesicherte Version schafft Abhilfe. --------------------------------------------- https://heise.de/-6304412 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, ipa, log4j, and samba), Debian (sogo, spip, and xorg-server), Fedora (jansi and log4j), Mageia (apache, apache-mod_security, kernel, kernel-linus, and x11-server), openSUSE (log4j and xorg-x11-server), Oracle (kernel, log4j, and openssl), and SUSE (libqt4 and xorg-x11-server). --------------------------------------------- https://lwn.net/Articles/879492/ ∗∗∗ Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 (UPDATE) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SSA-479842: Apache Log4j Vulnerabilities - Impact to Siemens Energy Sensformer (Platform, Basic and Advanced) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-479842.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.12.2021
by Daily end-of-shift report 21 Dec '21

21 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 20-12-2021 18:00 − Dienstag 21-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware: Wer hat Angst vor Androids Barrierefreiheit? ∗∗∗ --------------------------------------------- Schadsoftware unter Android nutzt häufig die Accessibility Services, um Sicherheitsfunktionen auszuhebeln. Doch Apps können sich schützen. --------------------------------------------- https://www.golem.de/news/malware-wer-hat-angst-vor-androids-barrierefreihe… ∗∗∗ Xcode: Hotfix soll Log4j-Lücke umfahren ∗∗∗ --------------------------------------------- Apples Entwicklungsumgebung enthält eine angreifbare Version der Java-Logging-Bibliothek log4j. Beim Upload von iOS-Apps soll aber ein Fix greifen. --------------------------------------------- https://heise.de/-6301988 ∗∗∗ Have I Been Pwned: 225 Millionen neue Passwörter von britischer Polizeibehörde ∗∗∗ --------------------------------------------- Der Datensatz des Passwort-Prüfdiensts wächst immer weiter. Für Strafverfolgungsbehörden gibt es nun einen Weg, sichergestellte Daten direkt einzuspeisen. --------------------------------------------- https://heise.de/-6301963 ∗∗∗ Google entfernt Malware-infizierte SMS-App aus Play Store ∗∗∗ --------------------------------------------- Auf mehr als 500.000 Installationen kam eine Messages-App in Googles App-Store, die die Malware Joker einschleppte. Inzwischen hat Google die App entfernt. --------------------------------------------- https://heise.de/-6302544 ∗∗∗ Sicher verkaufen auf Willhaben, Shpock & Co ∗∗∗ --------------------------------------------- Sie möchten ungenutzte Gegenstände weiterverkaufen? Mit Plattformen wie willhaben, shpock oder Facebook haben Sie zahlreiche Möglichkeiten, alte Möbel, vernachlässigte Sportausrüstung oder Elektrogeräte an den Mann oder die Frau zu bringen. Dabei gibt es aber einiges zu beachten! Wir zeigen Ihnen, wie Sie sicher über Kleinanzeigenplattformen verkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-verkaufen-auf-willhaben-shpoc… ∗∗∗ Backdoor CVE-2021-40859 in Auerswald Telefonanlagen (z.B. COMpact 5500R 7.8A & 8.0B) gefixt ∗∗∗ --------------------------------------------- Auerswald ist ein deutscher Hersteller von Telefonanlagen für den Unternehmenseinsatz. Sicherheitsforscher haben in der Firmware von Auerswald Telefonanlagen (z.B. COMpact 5500R) Hintertüren entdeckt, über die man das Administrator-Passwort zurücksetzen konnte. Dies wurde zum 20.12.2021 offen gelegt. Hier einige Informationen dazu. --------------------------------------------- https://www.borncity.com/blog/2021/12/21/backdoor-cve-2021-40859-in-auerswa… ∗∗∗ Two Active Directory Bugs Lead to Easy Windows Domain Takeover ∗∗∗ --------------------------------------------- Microsoft is urging customers to patch two Active Directory domain controller bugs after a PoC tool was publicly released on Dec. 12. --------------------------------------------- https://threatpost.com/active-directory-bugs-windows-domain-takeover/177185/ ∗∗∗ Day 10: where we are with log4j from honeypot’s perspective ∗∗∗ --------------------------------------------- Our team spent great deal of effort on simulating different protocols, applications and vulnerabilities with our honeypot (Anglerfish and Apacket) system. When big event happens, we are always curious what we see from the honeypot side. Since log4j came to light 10 days ago, we have published two related blogs, --------------------------------------------- https://blog.netlab.360.com/apache-log4j2-vulnerability-attack-trend-from-t… ∗∗∗ [SANS ISC] More Undetected PowerShell Dropper ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “More Undetected PowerShell Dropper“: Last week, I published a diary about a PowerShell backdoor running below the radar with a VT score of 0! This time, it’s a dropper with multiple obfuscation techniques in place. --------------------------------------------- https://blog.rootshell.be/2021/12/21/sans-isc-more-undetected-powershell-dr… ∗∗∗ Velociraptor & Loki ∗∗∗ --------------------------------------------- Velociraptor is a great DFIR tool that becomes more and more popular amongst Incident Handlers. Velociraptor works with agents that are deployed on endpoints. Once installed, the agent automatically “phones home” and keep s a connection with the server [...] --------------------------------------------- https://blog.rootshell.be/2021/12/21/velociraptor-loki/ ∗∗∗ RCE in Visual Studio Codes Remote WSL for Fun and Negative Profit ∗∗∗ --------------------------------------------- The Visual Studio Code server in Windows Subsystem for Linux uses a local WebSocket WebSocket connection to communicate with the Remote WSL extension. JavaScript in websites can connect to this server and execute arbitrary commands on the target system. --------------------------------------------- https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-codes-remote-wsl-f… ∗∗∗ Log4j vulnerability: what should boards be asking? ∗∗∗ --------------------------------------------- Advice for board members of medium to large organisations that are at risk from the Apache Log4j vulnerability. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/log4j-vulnerability-what-should-boards-be… ∗∗∗ FBI Sees APTs Exploiting Recent ManageEngine Desktop Central Vulnerability ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released an alert regarding the exploitation of a recent vulnerability in Zoho’s ManageEngine Desktop Central product. --------------------------------------------- https://www.securityweek.com/fbi-sees-apts-exploiting-recent-manageengine-d… ∗∗∗ After ransomware attack, global logistics firm Hellmann warns of scam calls and mail ∗∗∗ --------------------------------------------- Hellmann said customers need to make sure they are really communicating with an employee through all calls or mail. --------------------------------------------- https://www.zdnet.com/article/after-ransomware-attack-global-logistics-firm… ∗∗∗ Why vulnerabilities are like buses ∗∗∗ --------------------------------------------- How organisations can address the growing trend in which multiple vulnerabilities within a single product are exploited over a short period. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/why-vulnerabilities-are-like-buses ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 30 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (log4j), openSUSE (chromium, log4j, netdata, and nextcloud), Oracle (kernel and kernel-container), Red Hat (kernel, kernel-rt, log4j, openssl, postgresql:12, postgresql:13, and virt:rhel and virt-devel:rhel), Slackware (httpd), SUSE (xorg-x11-server), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/879360/ ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- This advisory contains mitigations for Authentication Bypass Using an Alternate Path or Channel, Use of Password Hash with Insufficient Computational Effort, Hidden Functionality, and OS Command Injection vulnerabilities in the mySCADA myPRO HMI/SCADA system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-01 ∗∗∗ Horner Automation Cscape EnvisionRV ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Horner Automation Cscape EnvisionRV industrial remote viewing software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-02 ∗∗∗ WECON LeviStudioU ∗∗∗ --------------------------------------------- This advisory contains mitigations for Stack-based Buffer Overflow, and Heap-based Buffer Overflow vulnerabilities in WECON LeviStudioU HMI programming software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-03 ∗∗∗ Emerson DeltaV ∗∗∗ --------------------------------------------- This advisory contains mitigations for Missing Authentication for Critical Function, and Uncontrolled Search Path Element vulnerabilities in the Emerson DeltaV control system controllers and workstations. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-355-04 ∗∗∗ Schneider Electric Rack PDU (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-348-02 Schneider Electric Rack PDU that was published December 14, 2021, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Schneider Electric Rack Power Distribution Unit (PDU). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-348-02 ∗∗∗ Fresenius Kabi Agilia Connect Infusion System ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in the Fresenius Kabi Agilia Connect Infusion System. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-355-01 ∗∗∗ Apache Log4j Vulnerabilities - Impact on Bosch Rexroth Products ∗∗∗ --------------------------------------------- BOSCH-SA-572602: The Apache Software Foundation has published information about a vulnerability in the Java logging framework *log4j*, which allows an attacker to execute arbitrary code loaded from LDAP or JNDI related endpoints which are under control of the attacker. \[1\]Additionally, a further vulnerability might allow an attacker to cause a denial of service by sending a crafted string to the framework. From Bosch Rexroth, only the IoT Gateway software has been identified as affected. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-572602.html ∗∗∗ SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-397453.txt ∗∗∗ Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache Log4j vulnerability (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-10-… ∗∗∗ An update on the Apache Log4j CVE-2021-44228 vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ CVE-2021-44228 Impact of Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2021-44228 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2021
by Daily end-of-shift report 20 Dec '21

20 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-12-2021 18:00 − Montag 20-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== *** News zu Log4j *** --------------------------------------------- Upgraded to log4j 2.16? Surprise, theres a 2.17 fixing DoS: https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surpri… Log4j vulnerability now used to install Dridex banking malware: https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used… Log4Shell: Mehrheit der Java-Pakete hat noch kein Log4J-Update: https://www.golem.de/news/log4shell-mehrheit-der-java-pakete-hat-noch-kein-… Answering Log4Shell-related questions: https://securelist.com/answering-log4shell-related-questions/105402/ Third Log4J Bug Can Trigger DoS; Apache Issues Patch: https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/ TellYouThePass ransomware revived in Linux, Windows Log4j attacks: https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-re… New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability: https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.ht… Second Log4j Vulnerability (CVE-2021-45046) Discovered - New Patch Released: https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html Google: OSS-Fuzz soll Log4j-Fehler in Open-Source-Software finden: https://heise.de/-6298560 Erster Wurm "kriecht" durch Log4j-Sicherheitslücke: https://heise.de/-6299080 Was Geschäftsführer jetzt über Log4Shell wissen sollten: https://www.welivesecurity.com/deutsch/2021/12/17/was-geschaeftsfuehrer-ueb… Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerability: https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to… Log4j-Infos, belgisches Verteidigungsministerium betroffen?: https://www.borncity.com/blog/2021/12/20/log4j-infos-belgisches-verteidigun… --------------------------------------------- https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-ap… ∗∗∗ Western Digital warns customers to update their My Cloud devices ∗∗∗ --------------------------------------------- Western Digital is urging customers to update their WD My Cloud devices to the latest available firmware to keep receiving security updates on My Cloud OS firmware reaching the end of support. --------------------------------------------- https://www.bleepingcomputer.com/news/security/western-digital-warns-custom… ∗∗∗ Office 2021: VBA Project Version, (Sun, Dec 19th) ∗∗∗ --------------------------------------------- 2 years ago, in diary entry "VBA Office Document: Which Version?", I listed all internal VBA project version numbers for the Office versions I had access to. --------------------------------------------- https://isc.sans.edu/diary/rss/28150 ∗∗∗ Over 500,000 Android Users Downloaded a New Joker Malware App from Play Store ∗∗∗ --------------------------------------------- A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge. --------------------------------------------- https://thehackernews.com/2021/12/over-500000-android-users-downloaded.html ∗∗∗ Inside a PBX - Discovering a Firmware Backdoor ∗∗∗ --------------------------------------------- This blog post illustrates how RedTeam Pentesting discovered a real-world backdoor in a widely used Auerswald phone system (see also the advisory and CVE-2021-40859). --------------------------------------------- https://blog.redteam-pentesting.de/2021/inside-a-pbx/ ∗∗∗ Weniger Datenklau am Geldautomaten: "Skimming nicht mehr interessant" ∗∗∗ --------------------------------------------- Kriminelle können mit per Skimming erbeuteten Daten von Bankkunden immer weniger anfangen. Weitaus größere Schäden richten inzwischen andere Methoden an. --------------------------------------------- https://heise.de/-6298777 ∗∗∗ Erpressergruppe Conti nutzt Sicherheitslücke "Log4Shell" für ihre Ransomware ∗∗∗ --------------------------------------------- Der Erpressungstrojaner der bekannten Conti-Gang wird bereits auf die Lücke "Log4Shell" losgelassen. Damit wächst das Bedrohungspotenzial deutlich. --------------------------------------------- https://heise.de/-6298874 ∗∗∗ Sicherheitsrisiko: Support für einige NAS-Systeme von Western Digital läuft aus ∗∗∗ --------------------------------------------- Mehrere NAS-Modelle der My-Cloud-Serie bekommen bald keine Sicherheitsupdates mehr. Diese Geräte sollten nicht mehr am Internet hängen. --------------------------------------------- https://heise.de/-6299386 ∗∗∗ Analyse, wie TeamTNT Docker-Hub-Konten kompromittiert ∗∗∗ --------------------------------------------- Und schon sind wir beim 19. Türchen im Security-Adventskalender meines Blogs und ich schiebe mal ein weiteres Sicherheitsthema hinter dieses Türchen. Der Sicherheitsanbieter Trend Micro hat einen Bericht veröffentlicht, der beleuchtet, wie der Bedrohungsakteur TeamTNT vorgeht, um Konten von Docker-Hubs [...] --------------------------------------------- https://www.borncity.com/blog/2021/12/19/analyse-wie-teamtnt-docker-hub-kon… ∗∗∗ Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.5 ∗∗∗ --------------------------------------------- A deep dive into specifics around cobalt strike malleable c2 profiles and key information that is new in cobalt strike 4.5 & 4.4. --------------------------------------------- https://blog.zsec.uk/cobalt-strike-profiles/ ∗∗∗ Kernel Karnage – Part 7 (Out of the Lab and Back to Reality) ∗∗∗ --------------------------------------------- This week I emerge from the lab and put on a different hat. 1. Switching hats With Interceptor being successful in blinding $vendor2 sufficiently to run a meterpreter reverse shell, it is time to put on the red team hat and get out of the perfect lab environment. --------------------------------------------- https://blog.nviso.eu/2021/12/20/kernel-karnage-part-7-out-of-the-lab-and-b… ∗∗∗ Case of Ransomware Infection in a Company Using Local Administrator Accounts Set with Same Password ∗∗∗ --------------------------------------------- After analyzing the infected systems of the company that suffered damage from the recent Lockis ransomware infection, the ASEC analysis team discovered that the attacker executed the ransomware after RDP accessing the infected systems with local Administrator accounts. An investigation of local Administrator information of the infected systems showed that their passwords have not been changed for 1-2 years and that they were all set with the same password. --------------------------------------------- https://asec.ahnlab.com/en/29871/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2021-0029 ∗∗∗ --------------------------------------------- VMware Workspace ONE UEM console patches address SSRF vulnerability (CVE-2021-22054) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0029.html ∗∗∗ VMSA-2021-0030 ∗∗∗ --------------------------------------------- VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities (CVE-2021-22056, CVE-2021-22057) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0030.html ∗∗∗ XSA-392 ∗∗∗ --------------------------------------------- Guest can force Linux netback driver to hog large amounts of kernel memory --------------------------------------------- https://xenbits.xen.org/xsa/advisory-392.html ∗∗∗ XSA-391 ∗∗∗ --------------------------------------------- Rogue backends can cause DoS of guests via high frequency events --------------------------------------------- https://xenbits.xen.org/xsa/advisory-391.html ∗∗∗ XSA-376 ∗∗∗ --------------------------------------------- frontends vulnerable to backends --------------------------------------------- https://xenbits.xen.org/xsa/advisory-376.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j2, firefox-esr, libssh2, modsecurity-apache, and tang), Fedora (lapack, log4j, rust-libsqlite3-sys, rust-rusqlite, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (bind, botan2, chromium-browser-stable, dovecot, hiredis, keepalived, log4j, matio, mediawiki, olm, openssh, pjproject, privoxy, vim, and watchdog), openSUSE (barrier, nim, and python-pip), Oracle (ipa and samba), Scientific Linux (ipa and samba), SUSE (log4j), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/879228/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2021-0007.html ∗∗∗ Vulnerability Spotlight: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector [...] --------------------------------------------- http://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-dete… *** Log4j Security Advisories *** --------------------------------------------- Security Advisory - Apache Log4j2 CVE 2021-44228 (Log4Shell): https://www.beyondtrust.com/blog/entry/security-advisory-apache-log4j2-cve-… Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… Log4j Vulnerability CVE-2021-45105: What You Need to Know: https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cve-… An update on the Apache Log4j CVE-2021-44228 vulnerability: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… Citrix Security Advisory for Apache CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105: https://support.citrix.com/article/CTX335705 Log4j Zero-Day Vulnerability: https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90… CVE-2021-45105: Denial of Service via Uncontrolled Recursion in Log4j StrSubstitutor: https://www.thezdi.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via… CVE-2021-44228 Impact of Log4j Vulnerability CVE-2021-44228 and CVE-2021-45046 (Severity: CRITICAL): https://security.paloaltonetworks.com/CVE-2021-44228 SSA-661247 V1.5 (Last Update: 2021-12-19): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products: https://cert-portal.siemens.com/productcert/txt/ssa-661247.txt SSA-501673 V1.0: Apache Log4j Denial of Service Vulnerability (CVE-2021-45105) - Impact to Siemens Products: https://cert-portal.siemens.com/productcert/txt/ssa-501673.txt Apache Log4j Vulnerability: http://security.googleblog.com/2021/12/apache-log4j-vulnerability.html Log4j Update Patches New Vulnerability That Allows DoS Attacks: https://www.securityweek.com/log4j-update-patches-new-vulnerability-allows-… --------------------------------------------- https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-ap… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1296 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2021
by Daily end-of-shift report 17 Dec '21

17 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-12-2021 18:00 − Freitag 17-12-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Log4j attackers switch to RMI to inject code and mine Monero ∗∗∗ --------------------------------------------- Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success. --------------------------------------------- https://www.bleepingcomputer.com/news/security/log4j-attackers-switch-to-rm… ∗∗∗ Log4j Scanning and CVE-2021-44228 Exploitation - Latest Observations (2021-12-16) ∗∗∗ --------------------------------------------- After our recent Special Report and blog post about vulnerable log4j servers, a quick and dirty update on the “log4shell” mass scanning and attempted CVE-2021-44228 exploitation activity we have been seeing across our global honeypot sensor network between Sunday December 11th and Thursday December 16th, including a quick analysis of the top ten Malware Callback URIs observed and server distribution. --------------------------------------------- https://www.shadowserver.org/news/log4j-scanning-and-cve-2021-44228-exploit… ∗∗∗ How to Find and Fix a WordPress Pharma Hack ∗∗∗ --------------------------------------------- Did you know that one quarter of all spam emails are accredited to pharmaceutical ads? Pharma hacks go beyond the inbox and spam websites by redirecting traffic and adding fake keywords and subdomains to the search results. Why, and how did the medical world get tangled up in spam emails, SEO spam, redirects, and website spam injection? The answer is - money. --------------------------------------------- https://blog.sucuri.net/2021/12/how-to-find-and-fix-a-wordpress-pharma-hack… ∗∗∗ SWITCH Security Report November/December 2021 ∗∗∗ --------------------------------------------- Dear Reader The latest issue of our bi-monthly SWITCH Security Report is available. The main topics of the current report are: GoldDust but no nuggets: seven REvil partners caught, but the real orchestrators are still out there / EasyHack? Data belonging to COVID-19 loan recipients stolen from EasyGov platform / Tor under siege: massive de-anonymisation attacks target Tor network [...] --------------------------------------------- https://securityblog.switch.ch/2021/12/17/switch-security-report-2021-10-11/ ∗∗∗ Kritische Lücke bedroht Desktop-Management-System VMware Workspace ONE UEM ∗∗∗ --------------------------------------------- Angreifer könnten auf Servern liegende Informationen einsehen. Dagegen abgesicherte Versionen von VMwares Management-Software sind erschienen. --------------------------------------------- https://heise.de/-6297742 ∗∗∗ CISA orders federal agencies to mitigate Log4J vulnerabilities in emergency directive ∗∗∗ --------------------------------------------- CISA had previously given civilian federal agencies until December 24 to apply any patches. --------------------------------------------- https://www.zdnet.com/article/cisa-orders-federal-agencies-to-mitigate-log4… ∗∗∗ NSA and CISA Release Final Part IV of Guidance on Securing 5G Cloud Infrastructures ∗∗∗ --------------------------------------------- CISA has announced the joint National Security Agency (NSA) and CISA publication of the final of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part IV: Ensure Integrity of Cloud Infrastructure focuses on platform integrity, microservices infrastructure integrity, launch time integrity, and build time security to ensure that 5G cloud resources are not modified without authorization. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/16/nsa-and-cisa-rele… ∗∗∗ Conti ransomware group adopts Log4Shell exploit ∗∗∗ --------------------------------------------- The Conti gang has become the first professional ransomware operation to adopt and incorporate the Log4Shell vulnerability in their daily operations. --------------------------------------------- https://therecord.media/conti-ransomware-group-adopts-log4shell-exploit/ ∗∗∗ Insides zu Irlands Health Service Executive Ransomware-Fall im Mai 2021 ∗∗∗ --------------------------------------------- Heute ist Türchen Nummer 17 im Sicherheits-Adventskalender dran. Ich habe da einen besonderen "Leckerbissen" für Administratoren hinterlegt. Im Mai 2021 gab es einen Ransomware-Angriff auf die Gesundheitsbehörden Irlands (Health Service Executive, HSE). PricewaterhouseCoopers hat kürzlich eine Analyse vorgelegt, was da [...] --------------------------------------------- https://www.borncity.com/blog/2021/12/17/insides-zu-irlands-health-service-… ===================== = Vulnerabilities = ===================== ∗∗∗ UNIVERGE DT Series vulnerable to missing encryption of sensitive data ∗∗∗ --------------------------------------------- UNIVERGE IP Phone DT Series and PC tools for DT Series maintainers (IP Phone Manager and Data Maintenance Tool) provided by NEC Platforms, Ltd. contain a missing encryption vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN13464252/ ∗∗∗ An update on the Apache Log4j CVE-2021-44228 vulnerability ∗∗∗ --------------------------------------------- Update December 17, 11:37 am IBM is focused on the original CVE-2021-44228 as the prevalent risk, requiring our attention and our customers’ attention. With so much active industry research on Log4j, we will continually see mitigation and remediation recommendations. We continue to review the latest information and share updates accordingly. --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ VMSA-2021-0028 ∗∗∗ --------------------------------------------- Revised advisory with updates to multiple products. In addition, added CVE-2021-45046 information and noted alignment with new Apache Software Foundation guidance. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0028.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (dr_libs, libsndfile, and podman), openSUSE (fetchmail, log4j, log4j12, logback, python3, and seamonkey), Oracle (go-toolset:ol8, idm:DL1, and nodejs:16), Red Hat (go-toolset-1.16 and go-toolset-1.16-golang, ipa, rh-postgresql12-postgresql, rh-postgresql13-postgresql, and samba), Slackware (xorg), SUSE (log4j, log4j12, and python3), and Ubuntu (apache-log4j2 and openjdk-8, openjdk-lts). --------------------------------------------- https://lwn.net/Articles/879020/ ∗∗∗ Xylem AquaView ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Xylem AquaView SCADA system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-01 ∗∗∗ Delta Electronics CNCSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Out-of-bounds Read vulnerability in Delta Electronics CNCSoft industrial automation software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-02 ∗∗∗ Wibu-Systems CodeMeter Runtime ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Privilege Management vulnerability in the Wibu-Systems CodeMeter Runtime server. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-03 ∗∗∗ Mitsubishi Electric GX Works2 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Handling of Length Parameter Inconsistency vulnerability in #Mitsubishi Electrics GX Works2 engineering software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-04 ∗∗∗ Mitsubishi Electric FA Engineering Software ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electrics FA Engineering Software engineering software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05 ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Plus (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM MQ Blockchain bridge dependencies are vulnerable to an issue in Apache Log4j (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-blockchain-bridge-… ∗∗∗ Security Bulletin: Apache Log4J vulnerabilities affect IBM Cloud Object Storage File Access (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ K32171392: Apache Log4j2 vulnerability CVE-2021-45046 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32171392 ∗∗∗ Logback: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1295 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.12.2021
by Daily end-of-shift report 16 Dec '21

16 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-12-2021 18:00 − Donnerstag 16-12-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Large-scale phishing study shows who bites the bait more often ∗∗∗ --------------------------------------------- A large-scale phishing study involving 14,733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/large-scale-phishing-study-s… ∗∗∗ Emotet starts dropping Cobalt Strike again for faster attacks ∗∗∗ --------------------------------------------- Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobal… ∗∗∗ Hive ransomware enters big league with hundreds breached in four months ∗∗∗ --------------------------------------------- The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hive-ransomware-enters-big-l… ∗∗∗ A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution ∗∗∗ --------------------------------------------- Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-cl… ∗∗∗ PseudoManuscrypt: a mass-scale spyware attack campaign ∗∗∗ --------------------------------------------- Kaspersky ICS CERT experts identified malware whose loader has some similarities to the Manuscrypt malware, which is part of the Lazarus APT group’s arsenal. --------------------------------------------- https://securelist.com/pseudomanuscrypt-a-mass-scale-spyware-attack-campaig… ∗∗∗ 'DarkWatchman' RAT Shows Evolution in Fileless Malware ∗∗∗ --------------------------------------------- The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access. --------------------------------------------- https://threatpost.com/darkwatchman-rat-evolution-fileless-malware/177091/ ∗∗∗ How the "Contact Forms" campaign tricks people, (Thu, Dec 16th) ∗∗∗ --------------------------------------------- "Contact Forms" is a campaign that uses a web site's contact form to email malicious links disguised as some sort of legal complaint. --------------------------------------------- https://isc.sans.edu/diary/rss/28142 ∗∗∗ Log4j-Lücke: Erste Angriffe mit Ransomware und von staatlicher Akteuren ∗∗∗ --------------------------------------------- Die bisherigen Angriffsversuche waren wohl vor allem Tests. Doch jetzt wird es Ernst. Cybercrime und Geheimdienste nutzen die Lücke gezielt für ihre Zwecke. --------------------------------------------- https://heise.de/-6296549 ∗∗∗ When is a Scrape a Breach? ∗∗∗ --------------------------------------------- A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car. It's not clear if the car was locked or not. Is this a data breach? --------------------------------------------- https://www.troyhunt.com/when-is-a-scrape-a-breach/ ∗∗∗ Achtung: giesswein-outdoor.de ist ein Fake-Shop! ∗∗∗ --------------------------------------------- Die Webseite giesswein-outdoor.de sieht auf den ersten Blick sehr seriös aus. Doch tatsächlich handelt es sich um einen Fake-Shop, der das österreichische Unternehmen Giesswein imitiert. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-giesswein-outdoorde-ist-ein-… ∗∗∗ The dirty dozen of Latin America: From Amavaldo to Zumanek ∗∗∗ --------------------------------------------- The grand finale of our series dedicated to demystifying Latin American banking trojans. --------------------------------------------- https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavald… ∗∗∗ Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware ∗∗∗ --------------------------------------------- New ransomware used in mid-November attack, ConnectWise was likely infection vector. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/no… ∗∗∗ Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions ∗∗∗ --------------------------------------------- Check Point Research (CPR) spots a botnet variant that has stolen nearly half a million dollars’ worth of cryptocurrency through a technique called “crypto clipping”. The new variant, named Twizt and a descendant of Phorpiex, steals cryptocurrency during transactions by automatically substituting the intended wallet address with the threat actor’s wallet address. --------------------------------------------- https://blog.checkpoint.com/2021/12/16/phorpiex-botnet-is-back-with-a-new-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Lenovo laptops vulnerable to bug allowing admin privileges ∗∗∗ --------------------------------------------- Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lenovo-laptops-vulnerable-to… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j2 and mediawiki), Fedora (libmysofa, libolm, and vim), Oracle (httpd), Red Hat (go-toolset:rhel8), and Ubuntu (apache-log4j2 and mumble). --------------------------------------------- https://lwn.net/Articles/878844/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-714170: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to SPPA-T3000 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-714170.txt ∗∗∗ TYPO3-PSA-2021-004: Statement on Recent log4j/log4shell Vulnerabilities (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2021-004 ∗∗∗ TYPO3-PSA-2021-003: Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2021-003 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1290 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.12.2021
by Daily end-of-shift report 15 Dec '21

15 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-12-2021 18:00 − Mittwoch 15-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New ransomware now being deployed in Log4Shell attacks ∗∗∗ --------------------------------------------- The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-dep… ∗∗∗ Simple but Undetected PowerShell Backdoor, (Wed, Dec 15th) ∗∗∗ --------------------------------------------- For a while, most security people agree on the fact that antivirus products are not enough for effective protection against malicious code. If they can block many threats, some of them remain undetected by classic technologies. Here is another example with a simple but effective PowerShell backdoor that I spotted yesterday. --------------------------------------------- https://isc.sans.edu/diary/rss/28138 ∗∗∗ GitHubs Antwort auf die kritische Log4j-Lücke ∗∗∗ --------------------------------------------- Zu der kritischen Sicherheitslücke im Log4j-Logging-Framework hat der Code-Hoster Sicherheitshinweise veröffentlicht. Ein Update auf Log4j 2.16 schafft Abhilfe. --------------------------------------------- https://heise.de/-6294120 ∗∗∗ Patchday: Kritische Sicherheitslücken in SAP-Geschäftssoftware ∗∗∗ --------------------------------------------- 15 Sicherheitslücken melden die Walldorfer zum Dezember-Patchday in ihrer Business-Software. Viele schätzt SAP als hohes oder gar kritisches Risiko ein. --------------------------------------------- https://heise.de/-6294773 ∗∗∗ Patchday: Adobe schließt kritische Lücken in Experience Manager & Co. ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Anwendungen von Adobe. In einigen Fällen könnten Angreifer Schadcode auf Computern ausführen. --------------------------------------------- https://heise.de/-6295316 ∗∗∗ Patchday: Sechs Windows-Lücken öffentlich bekannt, durch eine schlüpft Emotet ∗∗∗ --------------------------------------------- Microsoft schließt zahlreiche Sicherheitslücken in beispielsweise Azure, Office und Windows. Darunter sind auch als kritisch eingestufte Lücken. --------------------------------------------- https://heise.de/-6295264 ∗∗∗ Neue Probleme - Log4j-Patch genügt nicht ∗∗∗ --------------------------------------------- Version 2.15.0 von Log4j sollte die Log4Shell-Sicherheitslücke schließen. Das reichte jedoch nicht. Log4j 2.16.0 behebt nun noch eine weitere Schwachstelle. --------------------------------------------- https://heise.de/-6295343 ∗∗∗ Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks ∗∗∗ --------------------------------------------- CISA has released CISA Insights: Preparing For and Mitigating Potential Cyber Threats to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/15/immediate-steps-s… ∗∗∗ No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages ∗∗∗ --------------------------------------------- NPM modules are a valuable target for threat actors due to their popularity amongst developers. They also have a high prevalence of complex dependencies, where one package installs another as a dependency often without the knowledge of the developer. --------------------------------------------- https://www.mandiant.com/resources/supply-chain-node-js ===================== = Vulnerabilities = ===================== ∗∗∗ Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) ∗∗∗ --------------------------------------------- After the log4j maintainers released version 2.15.0 to address the Log4Shell vulnerability, an additional attack vector was identified and reported in CVE-2021-45046. --------------------------------------------- https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Apache Log4J information, WebSphere Application Server, i2 Analyze, i2 Connect, Analyst’s Notebook Premium, Security Access Manager, Security Verify Access, App Connect, Integration Bus, QRadar SIEM Application Framework, Sterling File Gateway, Cloud Transformation Advisor, MQ Blockchain bridge, WebSphere Cast Iron, Power System, Rational Asset Analyzer, Disconnected Log Collector, SPSS Statistics, Power HMC --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Intel Product Advisory for Apache Log4j2 Vulnerabilities (CVE-2021-44228 & CVE-2021-45046) ∗∗∗ --------------------------------------------- Security vulnerabilities in Apache Log4j2 for some Intel® products may allow escalation of privilege or denial of service. --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ Apache log4j vulnerabilities (Log4Shell) – impact on ABB products ∗∗∗ --------------------------------------------- ABB is still investigating the potentially affected products and to date ABB has identified the following products which are likely affected by the vulnerabilities in log4j (ABB products not listed are initially evaluated as not impacted). --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9ADB012621&Language… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libopenmpt), openSUSE (icu.691, log4j, nim, postgresql10, and xorg-x11-server), Red Hat (idm:DL1), SUSE (gettext-runtime, icu.691, runc, storm, storm-kit, and xorg-x11-server), and Ubuntu (xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/878749/ ∗∗∗ Security Advisory - Intel Microarchitectural Data Sampling (MDS) vulnerabilities ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20190712-… ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerability in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1277 ∗∗∗ OpenSSL: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1282 ∗∗∗ Authentication Bypass Vulnerabilities in FPC2 and SMM Firmware ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500458-AUTHENTICATION-BYPASS-V… ∗∗∗ Lenovo Vantage Component Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500461-LENOVO-VANTAGE-COMPONEN… ∗∗∗ TLB Poisoning Attacks on AMD Secure Encrypted Virtualization (SEV) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500459-TLB-POISONING-ATTACKS-O… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.12.2021
by Daily end-of-shift report 14 Dec '21

14 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 13-12-2021 18:00 − Dienstag 14-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== *** News zu Log4j *** --------------------------------------------- Log4j: List of vulnerable products and vendor advisories https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-pro… Log4J-Lücke: BSI gibt vorschnell Entwarnung für Verbraucher https://www.golem.de/news/log4j-luecke-bsi-gibt-vorschnell-entwarnung-fuer-… Log4Shell Is Spawning Even Nastier Mutations https://threatpost.com/apache-log4j-log4shell-mutations/176962/ Log4j: Getting ready for the long haul (CVE-2021-44228), (Tue, Dec 14th) https://isc.sans.edu/diary/rss/28130 Log4j 2.16.0 verbessert Schutz vor Log4Shell-Lücke https://heise.de/-6294053 Kommentar zu Log4j: Es funktioniert wie spezifiziert https://heise.de/-6294476 GitHubs Antwort auf die kritische Log4j-Lücke https://heise.de/-6294120 Security company offers Log4j vaccine for systems that cant be updated immediately https://www.zdnet.com/article/security-company-offers-log4j-vaccine-for-sys… CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228 https://us-cert.cisa.gov/ncas/current-activity/2021/12/13/cisa-creates-webp… The numbers behind a cyber pandemic – detailed dive https://blog.checkpoint.com/2021/12/13/the-numbers-behind-a-cyber-pandemic-… Log4Shell (Log4j RCE): Detecting Post-Exploitation Evidence is Best Chance for Mitigation https://www.intezer.com/blog/cloud-security/log4shell-mitigation/ Log4Shell log4j vulnerability (CVE-2021-44228) - cheat-sheet reference guide https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/ --------------------------------------------- https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/ ∗∗∗ Anubis Android malware returns to target 394 financial apps ∗∗∗ --------------------------------------------- The Anubis Android banking malware is now targeting the customers of nearly 400 financial institutions in a new malware campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/anubis-android-malware-retur… ∗∗∗ Malware und Security: Microsoft bietet Analyse potenziell gefährlicher Treiber an ∗∗∗ --------------------------------------------- Mit Hilfe eines Formulars können Kunden Treiber zu Microsoft schicken. Die werden erst automatisiert und bei Bedarf von Menschen geprüft. --------------------------------------------- https://www.golem.de/news/malware-und-security-microsoft-bietet-analyse-pot… ∗∗∗ Owowa: the add-on that turns your OWA into a credential stealer and remote access panel ∗∗∗ --------------------------------------------- We found a suspicious binary and determined it as an IIS module, aimed at stealing credentials and enabling remote command execution from OWA. --------------------------------------------- https://securelist.com/owowa-credential-stealer-and-remote-access/105219/ ∗∗∗ How Malware Gets On Your Website ∗∗∗ --------------------------------------------- Almost since the Internet’s inception malware infections have kept pace to be the biggest nuisance a site owner experiences. With an ever growing amount of sites making up the World Wide Web, malware infections only become more common. In this article we’ll discuss what malware is, the various types we’ve come across, the methods used to inject malware into a site, and how you can harden/protect your site from these methods. --------------------------------------------- https://blog.sucuri.net/2021/12/how-malware-gets-on-your-website.html ∗∗∗ Gefährliche Lücken in Server-Backupsoftware IBM Spectrum Protect geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit IBM Spectrum Protect angreifen und im schlimmsten Fall Schadcode ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6294287 ∗∗∗ Patchday: Kritische Sicherheitslücken in SAP-Geschäftssoftware ∗∗∗ --------------------------------------------- 15 Sicherheitslücken melden die Walldorfer zum Dezember-Patchday in ihrer Business-Software. Viel schätzt SAP als hohes oder gar kritisches Risiko ein. --------------------------------------------- https://heise.de/-6294773 ∗∗∗ Vorsicht, wenn Ihre Internetbekanntschaft um Geld bittet ∗∗∗ --------------------------------------------- Sie haben auf einer Dating-Plattform einen Mann kennengelernt? Er ist zuvorkommend, gutaussehend und noch dazu gebildet? Es gibt nur einen Haken: Er befindet sich gerade im Ausland. Mit Ihrer finanziellen Unterstützung steht einem baldigen Treffen aber nichts im Weg. Achtung: Sie sind an einen Love-Scammer geraten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-ihre-internetbekanntsc… ∗∗∗ Apple releases Android app to find rogue AirTags ∗∗∗ --------------------------------------------- Apple has released an Android app on Monday to help Android users detect malicious nearby AirTag devices that might be used to track them. --------------------------------------------- https://therecord.media/apple-releases-android-app-to-find-malicious-airtag… ===================== = Vulnerabilities = ===================== *** Advisories zur Log4j-Schwachstelle *** --------------------------------------------- SSA-661247: Apache Log4j Vulnerability (CVE-2021-44228, Log4Shell) - Impact to Siemens Products https://cert-portal.siemens.com/productcert/txt/ssa-661247.txt JSA11259 https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11259 Vulnerability in Apache Log4j Library https://www.qnap.com/en-us/security-advisory/QSA-21-58 Apache Log4j Vulnerability https://support.lenovo.com/product_security/PS500457-APACHE-LOG4J-VULNERABI… Security Notice – Statement About Apache Log4j2 Remote Code Execution Vulnerability(CVE-2021-44228) https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20211210-01… --------------------------------------------- https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20211210-01… ∗∗∗ Dell driver fix still allows Windows Kernel-level attacks ∗∗∗ --------------------------------------------- Dells driver fix of the CVE-2021-21551 vulnerability leaves margin for catastrophic BYOVD attacks resulting in Windows kernel driver code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dell-driver-fix-still-allows… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Info about Log4Shell in IBM Products, Novalink, WebSphere Application Server, WebSphere MQ for HP NonStop Server, MQ for HP NonStop Server, Tivoli Netcool, Netezza Analytics, Netezza Host Management --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwere Sicherheitslücken in iOS und macOS: Apple-Updates bald einspielen ∗∗∗ --------------------------------------------- iOS 15.2 und macOS 12.1 beseitigen Schwachstellen, die unter anderem den Remote-Jailbreak erlaubten. Für ältere Systemversionen fehlen Patches teilweise. --------------------------------------------- https://heise.de/-6294390 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsamplerate and raptor2), Fedora (pam-u2f and python-markdown2), openSUSE (chromium, fetchmail, ImageMagick, and postgresql10), Oracle (samba), SUSE (fetchmail, postgresql10, python-pip, python3, and sles12sp2-docker-image), and Ubuntu (apache-log4j2, flatpak, glib, and samba). --------------------------------------------- https://lwn.net/Articles/878629/ ∗∗∗ Advantech R-SeeNet ∗∗∗ --------------------------------------------- This advisory contains mitigations for SQL Injection, and Improper Privilege Management vulnerabilities in the Advantech R-SeeNet monitoring application. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-348-01 ∗∗∗ Schneider Electric Rack PDU ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cross-site Scripting vulnerability in Schneider Electric Rack Power Distribution Unit (PDU). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-348-02 ∗∗∗ K73710094: XSS vulnerability in undisclosed page of the NGINX Swagger UI ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73710094 ∗∗∗ ZDI-21-1536: Trend Micro Maximum Security Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1536/ ∗∗∗ ZDI-21-1535: McAfee Database Security Improper Access Control Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1535/ *** Siemens Security Advisories *** --------------------------------------------- SSA-496292: Remote Code Execution Vulnerability in POWER METER SICAM Q100 https://cert-portal.siemens.com/productcert/txt/ssa-496292.txt SSA-463116: Multiple Access Control Vulnerabilities in Siveillance Identity before https://cert-portal.siemens.com/productcert/txt/ssa-463116.txt SSA-400332: Insufficient Design IP Protection in IEEE 1735 Recommended Practice - Impact to Questa and ModelSim https://cert-portal.siemens.com/productcert/txt/ssa-400332.txt SSA-396621: Multiple File Parsing Vulnerabilities in JTTK before V10.8.1.1 and JT Utilities before V12.8.1.1 https://cert-portal.siemens.com/productcert/txt/ssa-396621.txt SSA-390195: LibVNC Vulnerabilities in SIMATIC ITC Products https://cert-portal.siemens.com/productcert/txt/ssa-390195.txt SSA-352143: Multiple File Parsing Vulnerabilities in JTTK before V11.0.3.0 and JT Utilities before V13.0.3.0 https://cert-portal.siemens.com/productcert/txt/ssa-352143.txt SSA-199605: Arbitrary File Download Vulnerability in SIMATIC eaSie PCS 7 Skill Package https://cert-portal.siemens.com/productcert/txt/ssa-199605.txt SSA-161331: Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2021.3.1 https://cert-portal.siemens.com/productcert/txt/ssa-161331.txt SSA-160202: Multiple Access Control Vulnerabilities in SiPass Integrated https://cert-portal.siemens.com/productcert/txt/ssa-160202.txt SSA-133772: Zip Path Traversal Vulnerability in Teamcenter Active Workspace https://cert-portal.siemens.com/productcert/txt/ssa-133772.txt SSA-523250: Improper Certificate Validation Vulnerability in SINUMERIK Edge https://cert-portal.siemens.com/productcert/txt/ssa-523250.txt SSA-595101: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.2.0.5 https://cert-portal.siemens.com/productcert/txt/ssa-595101.txt SSA-620288: Multiple Vulnerabilities (NUCLEUS:13) in CAPITAL VSTAR https://cert-portal.siemens.com/productcert/txt/ssa-620288.txt SSA-802578: Multiple File Parsing Vulnerabilities in JTTK before V11.1.1.0 and JT Utilities before V13.1.1.0 https://cert-portal.siemens.com/productcert/txt/ssa-802578.txt --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html#SecurityPubli… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2021
by Daily end-of-shift report 13 Dec '21

13 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-12-2021 18:00 − Montag 13-12-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Schutz vor Log4j-Lücke – was hilft jetzt und was eher nicht ∗∗∗ --------------------------------------------- "Warnstufe Rot" für Anwender und Firmen, doch was bedeutet das konkret? So testen Sie Dienste auf die Log4j-Lücke und reduzieren ihr Risiko vor Angriffen. --------------------------------------------- https://heise.de/-6292961 ∗∗∗ log4j-scan ∗∗∗ --------------------------------------------- We have been researching the Log4J RCE (CVE-2021-44228) since it was released, and we worked in preventing this vulnerability with our customers. We are open-sourcing an open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability. --------------------------------------------- https://github.com/fullhunt/log4j-scan ∗∗∗ Ten families of malicious samples are spreading using the Log4j2 vulnerability Now ∗∗∗ --------------------------------------------- On December 11, 2021, at 8:00 pm, we published a blog disclosing Mirai and Muhstik botnet samples propagating through Log4j2 RCE vulnerability[1]. Over the past 2 days, we have captured samples from other families, and now the list of families has exceeded 10. --------------------------------------------- https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading… ∗∗∗ log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228 ∗∗∗ --------------------------------------------- tl;dr Run add our new tool, -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability and gaining remote code execution on your systems. In this post, we first offer some context on the vulnerability, the released fixes [...] --------------------------------------------- https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitiga… ∗∗∗ Malicious PyPI packages with over 10,000 downloads taken down ∗∗∗ --------------------------------------------- The Python Package Index (PyPI) registry has removed three malicious Python packages aimed at exfiltrating environment variables and dropping trojans on the infected machines. These malicious packages are estimated to have generated over 10,000 downloads and mirrors put together, according to the researchers report. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-with… ∗∗∗ Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group ∗∗∗ --------------------------------------------- A previously undocumented, financially motivated threat group has been connected to a string of data theft and extortion attacks on over 40 entities between September and November 2021. The hacker collective, which goes by the self-proclaimed name Karakurt and was first identified in June 2021, is capable of modifying its tactics and techniques to adapt to the targeted environment, [...] --------------------------------------------- https://thehackernews.com/2021/12/karakurt-new-emerging-data-theft-and.html ∗∗∗ HANCITOR DOC drops via CLIPBOARD ∗∗∗ --------------------------------------------- Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at McAfee Labs, we observed Hancitor Doc VBA (Visual Basic for Applications) samples dropping the payload using the Windows clipboard through Selection.Copy method. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via… ∗∗∗ Diavol Ransomware ∗∗∗ --------------------------------------------- In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Diavol Ransomware. --------------------------------------------- https://thedfirreport.com/2021/12/13/diavol-ransomware/ ∗∗∗ Bugs in the Cloud: How One Vulnerability Exposed 'Offline' Devices to a Security Risk ∗∗∗ --------------------------------------------- The post Bugs in the Cloud: How One Vulnerability Exposed ‘Offline’ Devices to a Security Risk appeared first on Claroty. --------------------------------------------- https://claroty.com/2021/12/13/blog-research-bugs-in-the-cloud-how-one-vuln… ∗∗∗ Von wegen Darknet – Ransomware-Gangs setzen Opfer per Social Media unter Druck ∗∗∗ --------------------------------------------- Ransomware-Gruppen nutzen soziale Netzwerkkanäle, um ihre Angriffe zu bewerben und damit ihre Opfer weiter zur Lösegeldzahlung unter Druck zu setzen. --------------------------------------------- https://blog.emsisoft.com/de/39431/von-wegen-darknet-ransomware-gangs-setze… ∗∗∗ Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits ∗∗∗ --------------------------------------------- Deserialization vulnerabilities are a class of bugs that have plagued multiple languages and applications over the years. These include Exchange (CVE-2021-42321), Zoho ManageEngine (CVE-2020-10189), Jira (CVE-2020-36239), Telerik (CVE-2019-18935), Jenkins (CVE-2016-9299), and more. Fundamentally, these bugs are a result of applications placing too much trust in data that a user (or attacker) can tamper with. --------------------------------------------- https://www.mandiant.com/resources/hunting-deserialization-exploits ===================== = Vulnerabilities = ===================== ∗∗∗ Log4j Vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- This repo contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-44228). --------------------------------------------- https://github.com/NCSC-NL/log4shell ∗∗∗ VMSA-2021-0028 ∗∗∗ --------------------------------------------- [...] Synopsis: VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0028.html ∗∗∗ Log4j Zero-Day Vulnerability ∗∗∗ --------------------------------------------- IBM X-Force Incident Command is following a recent disclosure regarding a vulnerability in the in the Log4j Java library. A report by LunaSec details the vulnerability as well as mitigation strategies for the vulnerability. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90… ∗∗∗ Bugs in billions of WiFi, Bluetooth chips allow password, data theft ∗∗∗ --------------------------------------------- Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves its possible to extract passwords and manipulate traffic on a WiFi chip by targeting a devices Bluetooth component. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-blu… ∗∗∗ IBM Security Bulletins 2021-12-10 - 2021-13 ∗∗∗ --------------------------------------------- WebSphere Application Server, Rational Application Developer for WebSphere, Spectrum Copy Data Management, Tivoli Netcool, Spectrum Protect, i2 Analystss Notebook, Decision Optimization Center, ILOG CPLEX Optimization Studio, PowerVM, Db2 --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, gitlab, grafana, grafana-agent, thunderbird, and vivaldi), Debian (apache-log4j2, privoxy, and wireshark), Fedora (firefox, grub2, mariadb, mod_auth_openidc, rust-drg, rust-tiny_http, and rust-tiny_http0.6), Mageia (chromium-browser-stable, curaengine, fetchmail, firefox, libvirt, log4j, opencontainers-runc, python-django, speex, and thunderbird), openSUSE (clamav, firefox, glib-networking, glibc, gmp, ImageMagick, log4j, [...] --------------------------------------------- https://lwn.net/Articles/878520/ ∗∗∗ CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added thirteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirtee… ∗∗∗ Oracle Security Alert for CVE-2021-44228 - 10 December 2021 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/alert-cve-2021-44228.html ∗∗∗ Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Citrix Security Advisory for Apache CVE-2021-44228 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX335705 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.12.2021
by Daily end-of-shift report 10 Dec '21

10 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-12-2021 18:00 − Freitag 10-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kritische Zero-Day-Lücke in Log4j gefährdet zahlreiche Server und Apps ∗∗∗ --------------------------------------------- Eine Zero-Day-Schwachstelle in Apaches Log4j ermöglicht Angreifern, etwa auf Servern von Cloud-Diensten oder in Anwendungen Schadcode einzuschmuggeln. --------------------------------------------- https://heise.de/-6291653 ∗∗∗ Dark Mirai botnet targeting RCE on popular TP-Link router ∗∗∗ --------------------------------------------- The botnet known as Dark Mirai (aka MANGA) has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dark-mirai-botnet-targeting-… ∗∗∗ Python Shellcode Injection From JSON Data, (Fri, Dec 10th) ∗∗∗ --------------------------------------------- My hunting rules detected a niece piece of Python code. It's interesting to see how the code is simple, not deeply obfuscated, and with a very low VT score: 2/56![1]. I see more and more malicious Python code targeting the Windows environments. Thanks to the library ctypes[2], Python is able to use any native API calls provided by DLLs. --------------------------------------------- https://isc.sans.edu/diary/rss/28118 ∗∗∗ Click "OK" to defeat MFA ∗∗∗ --------------------------------------------- A sophisticated threat actor has been using a very unsophisticated method to defeat multi-factor authentication. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/12/click-ok-to-defeat-mfa/ ∗∗∗ 1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs ∗∗∗ --------------------------------------------- Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites. This led us into an investigation which uncovered an active attack targeting over a million WordPress sites. --------------------------------------------- https://www.wordfence.com/blog/2021/12/massive-wordpress-attack-campaign/ ∗∗∗ Winterurlaub geplant? Buchen Sie nicht über dein-berghuettenurlaub.de! ∗∗∗ --------------------------------------------- Bald ist der Lockdown in Österreich vorbei. Dementsprechend freuen sich wohl schon einige auf eine Auszeit über Weihnachten oder Silvester. Was wäre aufgrund der aktuellen Corona-Lage besser geeignet als eine einsame Hütte? Doch Vorsicht, wer online eine solche Hütte buchen will, könnte auf betrügerische Seiten stoßen! --------------------------------------------- https://www.watchlist-internet.at/news/winterurlaub-geplant-buchen-sie-nich… ∗∗∗ This old malware has just picked up some nasty new tricks ∗∗∗ --------------------------------------------- The crafty Qakbot trojan has added ransomware delivery to its malware building blocks. --------------------------------------------- https://www.zdnet.com/article/this-decade-old-malware-has-picked-up-some-na… ∗∗∗ Microsoft launches center for reporting malicious drivers ∗∗∗ --------------------------------------------- Microsoft has launched this week a special web portal where users and researchers can report malicious drivers to the companys security team. --------------------------------------------- https://therecord.media/microsoft-launches-center-for-reporting-malicious-d… ∗∗∗ Twitter-Thread zur log4j-Schwachstelle ∗∗∗ --------------------------------------------- https://twitter.com/TimPhSchaefers/status/1469271197993115655 ===================== = Vulnerabilities = ===================== ∗∗∗ RCE in log4j, Log4Shell, or how things can get bad quickly, (Fri, Dec 10th) ∗∗∗ --------------------------------------------- If you have been following developments on Twitter and various other security sources, by now you have undoubtedly heard about the latest vulnerability in the very popular Apache log4j library. --------------------------------------------- https://isc.sans.edu/diary/rss/28120 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-babel), Fedora (golang-github-opencontainers-image-spec and libmysofa), openSUSE (hiredis), Oracle (firefox and thunderbird), Red Hat (thunderbird and virt:8.2 and virt-devel:8.2), Scientific Linux (thunderbird), SUSE (kernel-rt and xen), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/878279/ ∗∗∗ WD Updates SanDisk SecureAccess to Prevent Dictionary, Brute Force Attacks ∗∗∗ --------------------------------------------- Western Digital has updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks. --------------------------------------------- https://www.securityweek.com/wd-updates-sandisk-secureaccess-prevent-dictio… ∗∗∗ Cisco Releases Security Advisory for Multiple Products Affected by Apache HTTP Server Vulnerabilities ∗∗∗ --------------------------------------------- Cisco has released a security advisory to address Cisco products affected by multiple vulnerabilities in Apache HTTP Server 2.4.48 and earlier releases. An unauthenticated remote attacker could exploit this vulnerability to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/09/cisco-releases-se… ∗∗∗ Schwachstellen in Oracle-Datenbankservern (SYSS-2021-061/-062) ∗∗∗ --------------------------------------------- In Oracle-Datenbankservern wurden Schwachstellen identifiziert. Sie erlauben es Angreifern, Zugang zur Datenbank von legitimen Benutzern zu erhalten. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-061/syss-2021-062 ∗∗∗ TR-65 - Vulnerabilities and Exploitation of Log4j (Remote code injection in Log4j) ∗∗∗ --------------------------------------------- CVE-2021-44228 vulnerability enables remote code injection on systems running Log4j. The attacker has to trigger a log entry generation containing a JNDI request. The vulnerability can be exploited without authentication. The exploit needs to be processed by Log4j. Impacted Log4j versions are: 2.0 to 2.14.1. --------------------------------------------- https://www.circl.lu/pub/tr-65 ∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1266 ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user elevated privileges due to allowing modification of columns of existing tasks (CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js, IBM WebSphere Application Server Liberty, and OpenSSL affect IBM Spectrum Control ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Dec. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. (CVE-2021-20373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-may-be-vulnerable… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure as it uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. (CVE-2021-39002) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: The PowerVM hypervisor is vulnerable to a carefully crafted IBMi hypervisor call that can lead to a system crash ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-powervm-hypervisor-is… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an Information Disclosure as a user with DBADM authority is able to access other databases and read or modify files (CVE-2021-29678) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: The PowerVM hypervisor can allow an attacker that gains service access to the FSP to read and write system memory ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-powervm-hypervisor-ca… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.12.2021
by Daily end-of-shift report 09 Dec '21

09 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-12-2021 18:00 − Donnerstag 09-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious NPM packages are part of a malware “barrage” hitting repositories ∗∗∗ --------------------------------------------- Peoples trust in repositories make them the perfect vectors for malware. --------------------------------------------- https://arstechnica.com/?p=1818997 ∗∗∗ New Cerber ransomware targets Confluence and GitLab servers ∗∗∗ --------------------------------------------- Cerber ransomware is back, as a new ransomware family adopts the old name and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cerber-ransomware-target… ∗∗∗ Grafana fixes zero-day vulnerability after exploits spread over Twitter ∗∗∗ --------------------------------------------- Open-source analytics and interactive visualization solution Grafana received an emergency update today to fix a high-severity, zero-day vulnerability that enabled remote access to local files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/grafana-fixes-zero-day-vulne… ∗∗∗ Emotet now drops Cobalt Strike, fast forwards ransomware attacks ∗∗∗ --------------------------------------------- In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-stri… ∗∗∗ The life cycle of phishing pages ∗∗∗ --------------------------------------------- Weve analyzed the life cycle of phishing pages, how they transform during their active period, and the domains where they're located. --------------------------------------------- https://securelist.com/phishing-page-life-cycle/105171/ ∗∗∗ Moobot Botnet Chews Up Hikvision Surveillance Systems ∗∗∗ --------------------------------------------- Attackers are milking unpatched Hikvision video systems to drop a DDoS botnet, researchers warned. --------------------------------------------- https://threatpost.com/moobot-botnet-hikvision-surveillance-systems/176879/ ∗∗∗ PHP Re-Infectors – The Malware that Keeps On Giving ∗∗∗ --------------------------------------------- Attackers have developed some methods for protecting their work as we will explore in this post. We will also look at how you can remove this infection from a compromised website. --------------------------------------------- https://blog.sucuri.net/2021/12/php-re-infectors-the-malware-that-keeps-on-… ∗∗∗ Over 300,000 MikroTik Devices Found Vulnerable to Remote Hacking Bugs ∗∗∗ --------------------------------------------- At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices. --------------------------------------------- https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html ∗∗∗ Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks ∗∗∗ --------------------------------------------- Vulnerabilities in Microsoft and others’ popular OAuth2.0 implementations lead to redirection attacks that bypass most phishing detection solutions and email security solutions. --------------------------------------------- https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oaut… ∗∗∗ Virtualisiertes USB als Sicherheitslücke ∗∗∗ --------------------------------------------- USB+Cloud=Gefahr. Lücken in USB-über-Ethernet-Treibern für Clouddienste erlauben Angreifern, lokal und serverseitig beliebigen Code im Kernel-Modus auszuführen. --------------------------------------------- https://heise.de/-6289521 ∗∗∗ Is your web browser vulnerable to data theft? XS-Leak explained ∗∗∗ --------------------------------------------- IT security researchers recently exposed new cross-site leak (XS-Leak) attacks against modern-day browsers. But what is XS-Leak anyway? --------------------------------------------- https://blog.malwarebytes.com/explained/2021/12/is-your-web-browser-vulnera… ∗∗∗ Was threat actor KAX17 de-anonymizing the Tor network? ∗∗∗ --------------------------------------------- A threat actor was found to be running a high percentage of the Tor Networks servers. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/12/was-threat-actor-kax17-de-ano… ∗∗∗ Detecting Patient Zero Web Threats in Real Time With Advanced URL Filtering ∗∗∗ --------------------------------------------- Patient zero web threats are malicious URLs that are being seen for the first time. We discuss how to stop them despite attacker cloaking techniques. --------------------------------------------- https://unit42.paloaltonetworks.com/patient-zero-web-threats/ ∗∗∗ CISA Releases Guidance on Protecting Organization-Run Social Media Accounts ∗∗∗ --------------------------------------------- CISA has released Capability Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/09/cisa-releases-gui… ∗∗∗ Two Birds with One Stone: An Introduction to V8 and JIT Exploitation ∗∗∗ --------------------------------------------- In this special blog series, ZDI Vulnerability Researcher Hossein Lotfi looks at the exploitation of V8 – Google’s open-source high-performance JavaScript and WebAssembly engine – through the lens of a bug used during Pwn2Own Vancouver 2021. --------------------------------------------- https://www.thezdi.com/blog/2021/12/6/two-birds-with-one-stone-an-introduct… ∗∗∗ Kernel Karnage – Part 6 (Last Call) ∗∗∗ --------------------------------------------- Having covered process, thread and image callbacks in the previous blogposts, I think it’s only fair if we conclude this topic with registry and object callbacks. --------------------------------------------- https://blog.nviso.eu/2021/12/09/kernel-karnage-part-6-last-call/ ===================== = Vulnerabilities = ===================== ∗∗∗ SanDisk SecureAccess bug allows brute forcing vault passwords ∗∗∗ --------------------------------------------- Western Digital has fixed a security vulnerability that enabled attackers to brute force SanDisk SecureAccess passwords and access the users protected files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sandisk-secureaccess-bug-all… ∗∗∗ IBM Security Bulletins 2021-12-07 and 2021-12-08 ∗∗∗ --------------------------------------------- DB2, WebSphere Application Server, Tivoli Business Service Manager, PowerHA, Guardium Data Encryption, Watson Speech Services, Process Designer, Business Automation Workflow --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Jetzt patchen! Root-Lücke in Fernzugrifflösung SMA 100 von Sonicwall ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen unter anderem kritische Schwachstellen in Secure-Mobile-Access-Appliances. --------------------------------------------- https://heise.de/-6290012 ∗∗∗ FortiOS- und FortiProxy-Updates schließen Sicherheitslücken, Check empfohlen ∗∗∗ --------------------------------------------- Fortinet ist auf ein unterwandertes System gestoßen und empfiehlt Administratoren die Überprüfung auf Einbruchsspuren. Zudem stehen Aktualisierungen bereit. --------------------------------------------- https://heise.de/-6290546 ∗∗∗ LibreOffice zieht Update wegen kritischer Schwachstelle vor ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der NSS-Bibliothek betrifft auch LibreOffice und ermöglicht das Unterschieben von Schadcode. Updates zur Absicherung stehen bereit. --------------------------------------------- https://heise.de/-6290069 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nss), Fedora (rubygem-rmagick), openSUSE (xen), Red Hat (firefox and nss), SUSE (kernel and xen), and Ubuntu (mailman and nss). --------------------------------------------- https://lwn.net/Articles/878038/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox, libopenmpt, matrix-synapse, vim, and xen), Mageia (gmp, heimdal, libsndfile, nginx/vsftpd, openjdk, sharpziplib/mono-tools, and vim), Red Hat (java-1.8.0-ibm), Scientific Linux (firefox), SUSE (kernel-rt), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/878142/ ∗∗∗ Bentley BE-2021-0005: Out-of-bounds and use-after-free vulnerabilities in Bentley MicroStation and Bentley View ∗∗∗ --------------------------------------------- https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 ∗∗∗ Helmholz: Remote user enumeration in myREX24/myREX24-virtual ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-058/ ∗∗∗ Helmholz: Privilege Escalation in shDialup ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-057/ ∗∗∗ Hitachi Energy RTU500 OpenLDAP ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-341-01 ∗∗∗ Hitachi Energy XMC20 and FOX61x ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-341-02 ∗∗∗ FANUC Robot Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-243-02 ∗∗∗ Hillrom Welch Allyn Cardio Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-343-01 ∗∗∗ Hitachi Energy GMS600, PWC600, and Relion ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-343-01 ∗∗∗ WECON LeviStudioU ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-343-02 ∗∗∗ Multiple Vulnerabilities in Bosch BT software products ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html ∗∗∗ Stack Buffer Overflow Vulnerability in Surveillance Station ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-46 ∗∗∗ Reflected XSS Vulnerability in Kazoo Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-54 ∗∗∗ Improper Authentication Vulnerability in Qfile ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-55 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.12.2021
by Daily end-of-shift report 07 Dec '21

07 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 06-12-2021 18:00 − Dienstag 07-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Code-Schmuggel-Sicherheitslücke in Windows nur halbherzig geschlossen ∗∗∗ --------------------------------------------- Eine Lücke in Windows, die bösartige Webseiten zum Ausführen von Schadcode missbrauchen könnte, lässt sich trotz Update noch eingeschränkt missbrauchen. --------------------------------------------- https://heise.de/-6288402 ∗∗∗ Achtung: Jobangebote von „ab-group.info“ & „mctrl-marktforschung.com“ sind Fake ∗∗∗ --------------------------------------------- Homeoffice, flexible Arbeitszeiten, frei wählbare Anstellungsverhältnisse und obendrein gut bezahlt. Das versprechen Marktforschungsagenturen wie „ab-group.info“ & „mctrl-marktforschung.com“. Doch Vorsicht: Dabei handelt es sich um betrügerische Jobangebote. Interessierte übermitteln bei einer Bewerbung persönliche Daten sowie Ausweiskopien an Kriminelle. Im schlimmsten Fall werden im eigenen Namen Bankkonten für Kriminelle eröffnet! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-jobangebote-von-ab-groupinfo… ∗∗∗ STOP Ransomware vaccine released to block encryption ∗∗∗ --------------------------------------------- German security software company G DATA has released a vaccine that will block STOP Ransomware from encrypting victims files after infection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stop-ransomware-vaccine-rele… ∗∗∗ Apache Kafka Cloud Clusters Expose Sensitive Data for Large Companies ∗∗∗ --------------------------------------------- The culprit is misconfigured Kafdrop interfaces, used for centralized management of the open-source platform. --------------------------------------------- https://threatpost.com/apache-kafka-cloud-clusters-expose-data/176778/ ∗∗∗ WooCommerce Credit Card Swiper Injected Into Random Plugin Files ∗∗∗ --------------------------------------------- It’s that time of year again! While website owners always need to be on guard, the holidays season is when online scams and credit card theft are most rampant. Administrators of ecommerce websites need to be extra vigilant as this case will demonstrate. --------------------------------------------- https://blog.sucuri.net/2021/12/woocommerce-credit-card-swiper-injected-int… ∗∗∗ Cryptominers arent just a headache – theyre a big neon sign that Bad Things are on your network ∗∗∗ --------------------------------------------- So says Sophos in warning about Tor2Mine Monero malware Cryptominer malware removal is a routine piece of the cybersecurity landscape these days. Yet if criminals are hijacking your compute cycles to mine cryptocurrencies, chances are theres something worse lurking on your network too. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/12/07/sophos_tor2m… ∗∗∗ Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm ∗∗∗ --------------------------------------------- Author: Margit Hazenbroek tl;dr An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. This model utilizes the Half-Space-Trees algorithm and provides our security operations teams (SOC) with the opportunity to detect suspicious behavior, in real-time, even when network traffic is encrypted. --------------------------------------------- https://blog.fox-it.com/2021/12/07/encryption-does-not-equal-invisibility-d… ∗∗∗ XE Group – Exposed: 8 Years of Hacking & Card Skimming for Profit ∗∗∗ --------------------------------------------- In 2020 and 2021, Volexity identified multiple compromises related to a relatively unknown criminal threat actor that refers to itself as "XE Group". Volexity believes that XE Group is likely a Vietnamese-origin criminal threat actor whose intrusions follow an approximate pattern: Compromise of externally facing services via known exploits (e.g., Telerik UI vulnerabilities) Monetization of these compromises through installation of password theft or credit card skimming code for web [...] --------------------------------------------- https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hackin… ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer attackieren PC-Management-Software Zoho ManageEngine Desktop Central ∗∗∗ --------------------------------------------- Nur die neusten Versionen schützen die Software. Zoho rät zu zügigen Updates. --------------------------------------------- https://heise.de/-6287937 ∗∗∗ 27 flaws in USB-over-network SDK affect millions of cloud users ∗∗∗ --------------------------------------------- Researchers have discovered 27 vulnerabilities in Eltima SDK, a library used by numerous cloud providers to remotely mount a local USB device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/27-flaws-in-usb-over-network… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (nss), Debian (roundcube and runc), openSUSE (aaa_base, brotli, clamav, glib-networking, gmp, go1.16, hiredis, kernel, mozilla-nss, nodejs12, nodejs14, openexr, openssh, php7, python-Babel, ruby2.5, speex, wireshark, and xen), Oracle (kernel and nss), Red Hat (kpatch-patch, nss, rpm, and thunderbird), SUSE (brotli, clamav, glib-networking, gmp, kernel, mariadb, mozilla-nss, nodejs12, nodejs14, openssh, php7, python-Babel, and wireshark), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/877945/ ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1252 ∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1251 ∗∗∗ Security Bulletin: Multiple vulnerabilities in Redis affecting the IBM Event Streams UI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Event Streams through Apache Kafka key/password validation (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-even… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in the Java runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-20254) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affecting IBM Event Streams (CVE-2021-22960 and CVE-2021-22959) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2021
by Daily end-of-shift report 06 Dec '21

06 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-12-2021 18:00 − Montag 06-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Is My Site Hacked? 4 Gut Checks ∗∗∗ --------------------------------------------- Today, we’re looking at 4 quick gut check tests you can do to get the answer to the question, “is my site hacked?” --------------------------------------------- https://blog.sucuri.net/2021/12/is-my-site-hacked-4-gut-checks.html ∗∗∗ Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks ∗∗∗ --------------------------------------------- Enterprise software provider Zoho on Friday warned that a newly patched critical flaw in its Desktop Central and Desktop Central MSP is being actively exploited by malicious actors, marking the third security vulnerability in its products to be abused in the wild in a span of four months. The issue, assigned the identifier CVE-2021-44515, is an authentication bypass vulnerability ... --------------------------------------------- https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html ∗∗∗ Malicious KMSPico Windows Activator Stealing Users Cryptocurrency Wallets ∗∗∗ --------------------------------------------- Users looking to activate Windows without using a digital license or a product key are being targeted by tainted installers to deploy malware designed to plunder credentials and other information in cryptocurrency wallets. The malware, dubbed "CryptBot," is an information stealer capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies, credit cards, and capturing screenshots from the infected systems. --------------------------------------------- https://thehackernews.com/2021/12/malicious-kmspico-windows-activator.html ∗∗∗ The Importance of Out-of-Band Networks ∗∗∗ --------------------------------------------- Out-of-band (or "OoB") networks are usually dedicated to management tasks. Many security appliances and servers have dedicated management interfaces that are used to set up, control, and monitor the device. A best practice is to connect those management interfaces to a dedicated network that is not directly connected to the network used to carry applications/users data. --------------------------------------------- https://isc.sans.edu/diary/rss/28102 ∗∗∗ Who Is the Network Access Broker ‘Babam’? ∗∗∗ --------------------------------------------- Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in stealing remote access credentials -- such as usernames and passwords needed to remotely connect to the targets network. In this post well look at the clues left behind by "Babam," the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions ... --------------------------------------------- https://krebsonsecurity.com/2021/12/who-is-the-network-access-broker-babam/ ∗∗∗ Emotet’s back and it isn’t wasting any time ∗∗∗ --------------------------------------------- Last month we reported on how another notorious bit of malware, TrickBot, was helping Emotet come back from the dead. And then yesterday, several security researchers saw another huge spike in Emotet’s activity. --------------------------------------------- https://blog.malwarebytes.com/trojans/2021/12/emotets-back-and-it-isnt-wast… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Small Business 220 Series Smart Switches Link Layer Discovery Protocol Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: - Execute code on the affected device or cause it to reload unexpectedly - Cause LLDP database corruption on the affected device --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins 2021-12-03 ∗∗∗ --------------------------------------------- IBM Event Streams, IBM Cloud Automation Manager, IBM Data Studio Client, EDB PostreSQL with IBM, EDB Postgres Advanced Server with IBM, IBM Data Management Platform (Enterprise, Standard), IBM QRadar SIEM --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (isync, lib32-nss, nss, opera, and vivaldi), Debian (gerbv and xen), Fedora (autotrace, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, libsndfile, nss, pfstools, php-pecl-imagick, psiconv, q, R-magick, rss-glx, rubygem-rmagick, seamonkey, skopeo, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, vim, vips, and WindowMaker), Mageia (golang, kernel, kernel-linus, mariadb, and vim), openSUSE (aaa_base, python-Pygments, singularity, and tor), Red Hat (nss), Slackware (mozilla), SUSE (aaa_base, kernel, openssh, php74, and xen), and Ubuntu (libmodbus, lrzip, samba, and uriparser). --------------------------------------------- https://lwn.net/Articles/877821/ ∗∗∗ ABB Cyber Security Advisory: OmniCore RobotWare Missing Authentication Vulnerability CVE ID: CVE-2021-22279 ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=SI20265&LanguageCod… ∗∗∗ F5 K50839343: NGINX ModSecurity WAF vulnerability CVE-2021-42717 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50839343 ∗∗∗ F5 K12705583: OpenSSH vulnerability CVE-2021-41617 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12705583 ∗∗∗ Auerswald COMpact Multiple Backdoors ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-007/ ∗∗∗ Auerswald COMpact Arbitrary File Disclosure ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-006/ ∗∗∗ Auerswald COMpact Privilege Escalation ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-005/ ∗∗∗ Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-004/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2021
by Daily end-of-shift report 06 Dec '21

06 Dec '21

-- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.12.2021
by Daily end-of-shift report 03 Dec '21

03 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-12-2021 18:00 − Freitag 03-12-2021 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Key Characteristics of Malicious Domains: Report ∗∗∗ --------------------------------------------- Newer top-level domains and certain hosting providers are frequent sources of malicious content, while newly registered domains and free SSL certificates are not any more likely than average to be risky, new research shows. --------------------------------------------- https://www.darkreading.com/threat-intelligence/research-outs-the-providers… ∗∗∗ Vorsicht: „Neue Weihnachts-Emoji für Whatsapp“ ist eine Falle ∗∗∗ --------------------------------------------- Über eine WhatsApp-Nachricht, die Weihnachts-Emoji verspricht, werden Abo-Fallen und Schadsoftware verbreitet. --------------------------------------------- https://futurezone.at/apps/vorsicht-neue-weihnachts-emoji-fuer-whatsapp-fal… ∗∗∗ The UPX Packer Will Never Die!, (Fri, Dec 3rd) ∗∗∗ --------------------------------------------- Today, many malware samples that you can find in the wild are "packed". The process of packing an executable file is not new and does not mean that it is de-facto malicious. Many developers decide to pack their software to protect the code. --------------------------------------------- https://isc.sans.edu/diary/rss/28096 ∗∗∗ Exploring Container Security: A Storage Vulnerability Deep Dive ∗∗∗ --------------------------------------------- Recently, the GKE Security team discovered a high severity vulnerability in Kubernetes (CVE-2021-25741) that allowed workloads to have access to parts of the host filesystem outside the mounted volumes boundaries. Although the vulnerability was patched back in September we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community. --------------------------------------------- https://security.googleblog.com/2021/12/exploring-container-security-storag… ∗∗∗ Analysis: AWS SageMaker Jupyter Notebook Instance Takeover ∗∗∗ --------------------------------------------- During our research about security in data science tools we decided to look at Amazon SageMaker which is a fully managed machine learning service in AWS. Here is the long and short of our recent discovery. [...] Using the access token, the attacker can read data from S3 buckets, create VPC endpoints and more actions that are allowed by the SageMaker execution role and the “AmazonSageMakerFullAccess” policy. We reported the vulnerability we discovered to the AWS security team [...] --------------------------------------------- https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability ∗∗∗ Beispiele für Viren-Mails nach Übernahme eines Exchange-Servers ∗∗∗ --------------------------------------------- Und schon sind wir beim dritten Türchen im Security-Adventskalender meines Blogs. Ich hatte ja hier im Blog mehrfach gewarnt, dass ungepatchte Exchange-Server übernommen und zum Spam-Versand missbraucht werden. Ein Blog-Leser hat mir nun eine kurze Info zukommen lassen (danke), weil er einen kompromittierten Exchange-Server gefunden hat, der kompromittiert war und infizierte Spam-Mails verschickte. --------------------------------------------- https://www.borncity.com/blog/2021/12/03/beispiele-fr-viren-mails-nach-bern… ∗∗∗ Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension ∗∗∗ --------------------------------------------- Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute malware on their systems. --------------------------------------------- https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertisin… ∗∗∗ Mehrwertdienste versuchen Sie in die Abo-Falle zu locken! ∗∗∗ --------------------------------------------- Einmal die falsche App am Handy installiert, einen falschen Link geöffnet oder auf einen vermeintlich harmlosen Button geklickt: Am Smartphone kann es sehr schnell passieren, dass Sie in einer Abo-Falle landen und Ihre Telefonrechnung plötzlich deutlich höher ausfällt als gewohnt. Doch keine Sorge: Auch wenn bereits Geld abgebucht wurde, können Sie die Rechnung bei Ihrem Mobilfunkanbieter beanstanden. --------------------------------------------- https://www.watchlist-internet.at/news/mehrwertdienste-versuchen-sie-in-die… ===================== = Vulnerabilities = ===================== ∗∗∗ Researchers discover 14 new data-stealing web browser attacks ∗∗∗ --------------------------------------------- IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have discovered 14 new types of XS-Leak cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-discover-14-new-… ∗∗∗ CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus ∗∗∗ --------------------------------------------- This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-rele… ∗∗∗ IBM Security Bulletins 2021-12-02 ∗∗∗ --------------------------------------------- IBM Integration Bus, Power System, IBM Cloud Pak System, IBM SDK (Java Technology Edition), IBM Semeru Runtime, IBM Cognos Analytics --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050) ∗∗∗ --------------------------------------------- The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The “Interfaces” Section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP requests. --------------------------------------------- https://research.nccgroup.com/2021/12/02/technical-advisory-authenticated-s… ∗∗∗ Free Micropatches for the "InstallerFileTakeOver" 0day ∗∗∗ --------------------------------------------- Wow, this is the third 0day found by the same researcher we're patching in the last two weeks. Abdelhamid Naceri, a talented security researcher, has been keeping us busy with 0days this year. In January we micropatched a local privilege escalation in Windows Installer they had found (already fixed by Microsoft), and in the last two weeks we fixed an incompletely patched local privilege escalation in User Profile Service and a local privilege escalation [...] --------------------------------------------- https://blog.0patch.com/2021/12/free-micropatches-for.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (krb5 and mailman), Debian (gmp and librecad), Fedora (php-symfony4 and wireshark), Mageia (bluez, busybox, docker-containerd, gfbgraph, hivex, nss, perl/perl-Encode, and udisks2/libblockdev), openSUSE (permissions), Oracle (mailman and mailman:2.1), Red Hat (mailman, mailman:2.1, and nss), Scientific Linux (mailman and nss), and SUSE (nodejs14). --------------------------------------------- https://lwn.net/Articles/877582/ ∗∗∗ Schneider Electric SESU ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insufficient Entropy vulnerability in the Schneider Electric Software Update. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-01 ∗∗∗ Johnson Controls Entrapass ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Johnson Controls Entrapass security management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-02 ∗∗∗ Distributed Data Systems WebHMI ∗∗∗ --------------------------------------------- This advisory contains mitigations for Authentication Bypass by Primary Weakness, and Unrestricted Upload of File with Dangerous Type vulnerabilities in Distributed Data Systems WebHMI SCADA systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-03 ∗∗∗ Hitachi Energy RTU500 series BCI ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Hitachi Energy RTU500 series BCI remote terminal units. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-04 ∗∗∗ Hitachi Energy Relion 670/650/SAM600-IO ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insecure Default Initialization of Resource vulnerability in Hitachi Energy Relion 670/650/SAM600-IO Intelligent Electronic Devices (IEDs). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-05 ∗∗∗ Hitachi Energy APM Edge ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Using Components with Known Vulnerabilities vulnerability in Hitachi Energy Transformer Asset Performance Management (APM) Edge software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-06 ∗∗∗ Hitachi Energy PCM600 Update Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Improper Certificate Validation vulnerability in Hitachi Energy PCM600 Update Manager protection and control IED software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-07 ∗∗∗ Hitachi Energy RTU500 series ∗∗∗ --------------------------------------------- This advisory contains mitigations for Observable Discrepancy, Buffer Over-read, and Out-of-bounds Read vulnerabilities in Hitachi Energy RTU500 remote terminal units. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-336-08 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.12.2021
by Daily end-of-shift report 02 Dec '21

02 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-12-2021 18:00 − Donnerstag 02-12-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New malware hides as legit nginx process on e-commerce servers ∗∗∗ --------------------------------------------- eCommerce servers are being targeted with remote access malware that hides on Nginx servers in a way that makes it virtually invisible to security solutions. [...] Because NginRAT hides as a normal Nginx process and the code exists only in the server’s memory, detecting it may be a challenge. However, the malware is launched using two variables, LD_PRELOAD and LD_L1BRARY_PATH. Administrators can use the latter, which contains the “typo,” to reveal the active malicious processes --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malware-hides-as-legit-n… ∗∗∗ Nine WiFi routers used by millions were vulnerable to 226 flaws ∗∗∗ --------------------------------------------- Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them, even when running the latest firmware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nine-wifi-routers-used-by-mi… ∗∗∗ WordPress Admin Creator – A Simple, But Effective Attack ∗∗∗ --------------------------------------------- Malicious admin users get added to vulnerable WordPress sites often. This can happen in a variety of different ways, and sometimes the malware that creates these malicious users can hide in plain sight. Injecting a malicious admin user into a WordPress site can allow attackers easy access back into a victims’ website after it has been cleaned. --------------------------------------------- https://blog.sucuri.net/2021/12/wordpress-admin-creator-a-simple-but-effect… ∗∗∗ pip-audit ∗∗∗ --------------------------------------------- pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database via the PyPI JSON API as a source of vulnerability reports. --------------------------------------------- https://pypi.org/project/pip-audit/ ∗∗∗ Digitale Vignette nur in offiziellen Shops kaufen! ∗∗∗ --------------------------------------------- Bereits ab 1. Dezember ist die Vignette für das Jahr 2022 auf österreichischen Autobahnen gültig. Die digitale Vignette kann dabei nicht nur an verschiedenen offiziellen Verkaufsstellen, sondern auch online gekauft werde. Das machen sich unseriöse AnbieterInnen zu Nutze und bieten die digitale Vignette ungerechtfertigt zu höheren Preisen an. --------------------------------------------- https://www.watchlist-internet.at/news/digitale-vignette-nur-in-offiziellen… ∗∗∗ Azure Privilege Escalation via Azure API Permissions Abuse ∗∗∗ --------------------------------------------- In this post, I will explain how one of those permissions systems can be abused to escalate to Global Admin. I’ll explain how you as an attacker can abuse this system, and I will also explain how you as a defender can find, clean up, and prevent these abusable configurations. --------------------------------------------- https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permis… ∗∗∗ Windows 10/11: Falle beim "trusted" Apps-Installer; Emotet nutzt das ∗∗∗ --------------------------------------------- Hoh hoh, Leute, wir können heute das zweite Türchen im Adventskalender öffnen und schauen, was Microsoft so schönes dahinter versteckt hat, um Administratoren zu erschrecken. Heute finden wir den AppX-Installer, der in Windows 10 und Windows 11 zum Installieren von Anwendungen und Apps verwendet wird. Hier ein kleiner Überblick, warum man das Wörtchen Trusted Apps nicht so ganz wörtlich nehmen soll. Denn der zugehörige Installer kann durchaus Malware auf das System spülen (Emotet nutzt das aktuell bei Angriffen), die Apps aber wegen eines gravierenden Design-Fehlers als Trusted ausweisen. --------------------------------------------- https://www.borncity.com/blog/2021/12/02/windows-10-11-falle-beim-trusted-a… ===================== = Vulnerabilities = ===================== ∗∗∗ BigSig-Lücke: Mozilla schließt kritische Schwachstelle in Krypto-Bibliothek NSS ∗∗∗ --------------------------------------------- Setzen Anwendungen zur sicheren Kommunikation Mozillas Network Security Services ein, könnte eine kritische Lücke für Probleme sorgen. [...] Die Programmbibliothek kommt beispielsweise im E-Mail-Client Thunderbird, LibreOffice und verschiedenen PDF-Betrachtern zum Einsatz. Einer Warnmeldung von Mozilla zufolge ist der hauseigene Webbrowser Firefox nicht von der als „kritisch“ eingestuften Sicherheitslücke (CVE-2021-43527) betroffen. --------------------------------------------- https://heise.de/-6281977 ∗∗∗ Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields" ∗∗∗ --------------------------------------------- Users of this product may do the following: - Browse unauthorized data on the database - CVE-2021-20865 - Obtain a list of information that an user do not have the privilege for - CVE-2021-20866 - Move field groups that an user do not have permission to use - CVE-2021-20867 Solution: Update the plugin --------------------------------------------- https://jvn.jp/en/jp/JVN09136401/ ∗∗∗ ZDI-21-1373: Jenkins Report Info XML External Entity Processing Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Jenkins Report Info. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1373/ ∗∗∗ Multiple vulnerabilities in OrbiTeam BSCW Server ∗∗∗ --------------------------------------------- The BSCW Server of OrbiTeam Software GmbH & Co. KG is prone to multiple vulnerabilities like reflected and stored XSS, LFI and Open Redirect. It is possible to chain these vulnerabilities and compromise the server even without a valid login. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel, openssh, and rpm), Debian (nss), Fedora (seamonkey), Mageia (glibc), openSUSE (go1.16, go1.17, kernel, mariadb, netcdf, openexr, poppler, python-Pygments, python-sqlparse, ruby2.5, speex, and webkit2gtk3), Oracle (nss), Red Hat (nss), SUSE (clamav, glibc, gmp, go1.16, go1.17, kernel, mariadb, netcdf, OpenEXR, openexr, openssh, poppler, python-Pygments, python-sqlparse, ruby2.1, ruby2.5, speex, webkit2gtk3, and xen), and Ubuntu (nss and thunderbird). --------------------------------------------- https://lwn.net/Articles/877410/ ∗∗∗ Delta Electronics CNCSoft - ICS Advisory (ICSA-21-334-03) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-03 ∗∗∗ Security Bulletin: OpenSSH for IBM i is affected by CVE-2021-41617 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssh-for-ibm-i-is-affe… ∗∗∗ Security Bulletin: Apache Commons FileUpload vulnerability affects IBM Tivoli Business Service Manager (CVE-2013-0248) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-fileupload… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoringhas applied security fixes for its use of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Netty.io ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoringhas applied security fixes for its use of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: IBM QRadar SIEM Application Framework v1 (CentOS6) is End of Life ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-applicati… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Apache Wink as used by IBM Disconnected Log Collector is vulnerable to an XML External Entity Error (XXE) (CVE-2010-2245) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-wink-as-used-by-ib… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.12.2021
by Daily end-of-shift report 01 Dec '21

01 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-11-2021 18:00 − Mittwoch 01-12-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft Exchange servers hacked to deploy BlackByte ransomware ∗∗∗ --------------------------------------------- BlackByte ransomware actors were observed exploiting the ProxyShell set of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to compromise Microsoft Exchange servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-h… ∗∗∗ Info-Stealer Using webhook.site to Exfiltrate Data, (Wed, Dec 1st) ∗∗∗ --------------------------------------------- We already reported multiple times that, when you offer an online (cloud) service, there are a lot of chances that it will be abused for malicious purposes. I spotted an info-stealer that exfiltrates data through webhook.site. --------------------------------------------- https://isc.sans.edu/diary/rss/28088 ∗∗∗ Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors ∗∗∗ --------------------------------------------- RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel… ∗∗∗ l+f: Emotet-Fehlalarm vom Microsoft Defender ∗∗∗ --------------------------------------------- Microsofts Virenschutz hat Nutzer und Administratoren unnötig aufgeschreckt: Ein fehlerhaftes Erkennungs-Update sah Emotet-Infektionen, wo keine waren. --------------------------------------------- https://heise.de/-6280766 ∗∗∗ Tracking a P2P network related with TA505 ∗∗∗ --------------------------------------------- For the past few months, NCC Group has been tracking very closely the operations of TA505 and the development of different projects (e.g. Clop) by them. --------------------------------------------- https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-wit… ∗∗∗ Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome. --------------------------------------------- http://blog.talosintelligence.com/2021/12/vuln-spotlight-chrome-.html ∗∗∗ E-Mail: „Ihr Paket ist in der Warteschleife“ ist Fake ∗∗∗ --------------------------------------------- Warten Sie gerade auf ein Paket? Dann nehmen Sie sich vor E-Mails mit dem Betreff „Ihr Paket ist in der Warteschleife“ in Acht. Kriminelle geben sich als DHL aus und behaupten, dass Zollgebühren ausständig sind. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-ihr-paket-ist-in-der-wartesch… ∗∗∗ Play Your Cards Right: Detecting Wildcard DNS Abuse ∗∗∗ --------------------------------------------- Wildcard DNS records can be used constructively, but their flexibility also provides attackers with a variety of options for executing attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/wildcard-dns-abuse/ ∗∗∗ Shodan Verified Vulns 2021-12-01 ∗∗∗ --------------------------------------------- Insgesamt gibt es kaum Veränderungen zum Vormonat, wobei die Anzahl der verwundbaren Microsoft Exchange Server relativ deutlich zurückging – Props an die Administrator:innen! --------------------------------------------- https://cert.at/de/aktuelles/2021/12/shodan-verified-vulns-2021-12-01 ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/12/01/cisa-adds-five-kn… ∗∗∗ FBI document shows what data can be obtained from encrypted messaging apps ∗∗∗ --------------------------------------------- A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr. --------------------------------------------- https://therecord.media/fbi-document-shows-what-data-can-be-obtained-from-e… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2021-11-30 ∗∗∗ --------------------------------------------- IBM QRadar SIEM, IBM Integration Bus, IBM App Connect Enterprise, IBM HTTP Server, IBM Cloud Pak for Data, IBM Watson Discovery for IBM Cloud Pak for Data, IBM Match 360, IBM SDK (Java™ Technology Edition), IBM WebSphere Application Server --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (rsync, rsyslog, and uriparser), Fedora (containerd, freeipa, golang-github-containerd-ttrpc, libdxfrw, libldb, librecad, mingw-speex, moby-engine, samba, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and samba), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, [...]) --------------------------------------------- https://lwn.net/Articles/877284/ ∗∗∗ Verwaltungssoftware Jamf Pro für Apple-Geräte könnte Zugangsdaten leaken ∗∗∗ --------------------------------------------- https://heise.de/-6281352 ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211201-… ∗∗∗ XSS Vulnerability Patched in Plugin Designed to Enhance WooCommerce ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/12/xss-vulnerability-patched-in-plugin-… ∗∗∗ Mozilla Foundation Security Advisory 2021-51: Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/ ∗∗∗ Mitsubishi Electric MELSEC and MELIPC Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02 ∗∗∗ Johnson Controls CEM Systems AC2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-04 ∗∗∗ Hitachi Energy Retail Operations and CSB Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily December 2021