Daily February 2021

daily@lists.cert.at

1 participants
20 discussions

Tageszusammenfassung - 12.02.2021
by Daily end-of-shift report 12 Feb '21

12 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-02-2021 18:00 − Freitag 12-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Buggy WordPress plugin exposes 100K sites to takeover attacks ∗∗∗ --------------------------------------------- Critical and high severity vulnerabilities in the Responsive Menu WordPress plugin exposed over 100,000 sites to takeover attacks as discovered by Wordfence. --------------------------------------------- https://www.bleepingcomputer.com/news/security/buggy-wordpress-plugin-expos… ∗∗∗ Internet Explorer 11 zero-day vulnerability gets unofficial micropatch ∗∗∗ --------------------------------------------- An Internet Explorer 11 zero-day vulnerability used against security researchers, not yet fixed by Microsoft, today received a micropatch that prevents exploitation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/internet-explorer-11-zero-da… ∗∗∗ Web shell attacks continue to rise ∗∗∗ --------------------------------------------- A year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated. --------------------------------------------- https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-contin… ∗∗∗ AgentTesla Dropped Through Automatic Click in Microsoft Help File, (Fri, Feb 12th) ∗∗∗ --------------------------------------------- Attackers have plenty of resources to infect our systems. If some files may look suspicious because the extension is less common (like .xsl files), others look really safe and make the victim confident to open it. I spotted a phishing campaign that delivers a fake invoice. The attached file is a classic ZIP archive but it contains a .chm file: a Microsoft compiled HTML Help file. --------------------------------------------- https://isc.sans.edu/diary/rss/27092 ∗∗∗ Vorsicht Finanzbetrug: Zahlen Sie keine 250 Euro auf horizoninvest.cc ein! ∗∗∗ --------------------------------------------- Die österreichische Finanzmarktaufsicht (FMA) warnt derzeit mit einer aktuellen Kampagne vor Anlage- und Finanzbetrug. Auch bei der Watchlist Internet werden zunehmend betrügerische Plattformen gemeldet, die leicht verdientes Geld durch Investments, versprechen. Aktuell melden LeserInnen vermehrt horizoninvest.cc. Zahlen Sie dort auf keinen Fall Geld ein! Dieses landet nämlich direkt in den Händen der Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-finanzbetrug-zahlen-sie-kei… ∗∗∗ Free decrypter released for Avaddon ransomware victims... aaand, its gone! ∗∗∗ --------------------------------------------- The Avaddon ransomware gang said in a forum post they already updated their code to counter the tools release. --------------------------------------------- https://www.zdnet.com/article/free-decrypter-released-for-avaddon-ransomwar… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Angreifer könnten BIG-IP Appliances von F5 übernehmen ∗∗∗ --------------------------------------------- Verschiedene Netzwerkprodukte von F5 sind attackierbar. Angreifer könnten Geräte lahmlegen oder sogar eigene Befehle ausführen. --------------------------------------------- https://heise.de/-5053268 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ansible, chromium, cups, docker, firefox, gitlab, glibc, helm, lib32-glibc, minio, nextcloud, opendoas, opera, php, php7, privoxy, python-django, python-jinja, python2-jinja, thunderbird, vivaldi, and wireshark-cli), Fedora (jasper, linux-firmware, php, python-cryptography, spice-vdagent, subversion, and thunderbird), Mageia (gssproxy and phpldapadmin), openSUSE (chromium, containerd, docker, docker-runc,, librepo, nextcloud, and privoxy), SUSE --------------------------------------------- https://lwn.net/Articles/845999/ ∗∗∗ Security Bulletin: Multiple security vulnerability has been identified in Oracle Java shipped with IBM® Intelligent Operations Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2020-14782 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14782-may-affect… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue does not sufficiently safeguard session IDs from session fixation attacks (CVE-2021-20411) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: CVE-2020-2773 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2773-may-affect-… ∗∗∗ Security Bulletin: a security vulnerability has been identified in Oracle Java shipped with IBM® Intelligent Operations Center (CVE-2020-2590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue does not sufficiently protect the key that encrypts and decrypts product credentials (CVE-2021-20408) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Oracle Java shipped with IBM® Intelligent Operations Center (CVE-2020-2601) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue discloses sensitive information in source code (CVE-2021-20407) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a relatively weak cryptographic algorithm to protect application data (CVE-2021-20406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Multiple Embedded TCP/IP stacks ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-042-01 ∗∗∗ Rockwell Automation DriveTools SP and Drives AOP ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-042-02 ∗∗∗ Wibu-Systems CodeMeter (Update E) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.02.2021
by Daily end-of-shift report 11 Feb '21

11 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-02-2021 18:00 − Donnerstag 11-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ TrickBots BazarBackdoor malware is now coded in Nim to evade antivirus ∗∗∗ --------------------------------------------- TrickBots stealthy BazarBackdoor malware has been rewritten in the Nim programming language, likely to evade detection by security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbots-bazarbackdoor-malw… ∗∗∗ Hybrid, Older Users Most-Targeted by Gmail Attackers ∗∗∗ --------------------------------------------- Researchers at Google and Stanford analyzed a 1.2 billion malicious emails to find out what makes users likely to get attacked. 2FA wasnt a big factor. --------------------------------------------- https://threatpost.com/hybrid-older-users-gmail-attackers/163826/ ∗∗∗ Agent Tesla hidden in a historical anti-malware tool, (Thu, Feb 11th) ∗∗∗ --------------------------------------------- While going through attachments of e-mails, which were caught in my e-mail quarantine since the beginning of February, I found an ISO file with what turned out to be a sample of the Agent Tesla infostealer. That, by itself, would not be that unusual, but the Agent Tesla sample turned out to be unconventional in more ways than one [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27088 ∗∗∗ Microsoft Launches Phase 2 Mitigation for Netlogon Remote Code Execution Vulnerability (CVE-2020-1472) ∗∗∗ --------------------------------------------- Microsoft addressed a critical remote code execution vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. Beginning with the February 9, 2021 Security Update release, Domain Controllers will be placed in enforcement mode. This will require all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/02/10/microsoft-launche… ∗∗∗ Zeoticus 2.0: Ransomware With No C2 Required ∗∗∗ --------------------------------------------- Zeoticus ransomware first appeared for sale in various underground forums and markets in early 2020. The ransomware is currently Windows-specific and, according to the developers, functions on all “supported versions of Windows”. --------------------------------------------- https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/ ∗∗∗ FBI warnt vor Windows 7 und TeamViewer ∗∗∗ --------------------------------------------- Die US-Bundespolizei FBI hat anlässlich des Giftangriffes auf ein Wasserwerk in Florida eine offizielle Warnung vor dem Einsatz von Windows 7 und TeamViewer ausgesprochen. --------------------------------------------- https://www.zdnet.de/88393353/fbi-warnt-vor-windows-7-und-teamviewer/ ===================== = Vulnerabilities = ===================== ∗∗∗ SAP Commerce Critical Security Bug Allows RCE ∗∗∗ --------------------------------------------- The critical SAP cybersecurity flaw could allow for the compromise of an application used by e-commerce businesses. --------------------------------------------- https://threatpost.com/sap-commerce-critical-security-bug/163822/ ∗∗∗ DoS- und Schadcode-Attacken gegen McAfee Total Protection möglich ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für McAfee Total Protection unter Windows. --------------------------------------------- https://heise.de/-5052175 ∗∗∗ WIndows Print Spooler Keeps Delivering Vulnerabilities, And We Keep Patching Them (CVE-2020-1030) ∗∗∗ --------------------------------------------- by Mitja Kolsek, the 0patch Team Security researcher Victor Mata of Accenture published a detailed analysis of a binary planting vulnerability in Windows Print Spooler (CVE-2020-1030), which they had previously reported to Microsoft in May 2020, and a fix for which was included in September 2020 Windows Updates. --------------------------------------------- https://blog.0patch.com/2021/02/print-spooler-keeps-delivering.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firejail and netty), Fedora (java-1.8.0-openjdk, java-11-openjdk, rubygem-mechanize, and xpdf), Mageia (gstreamer1.0-plugins-bad, nethack, and perl-Email-MIME and perl-Email-MIME-ContentType), openSUSE (firejail, java-11-openjdk, python, and rclone), Red Hat (dotnet, dotnet3.1, dotnet5.0, and rh-nodejs12-nodejs), SUSE (firefox, kernel, python, python36, and subversion), and Ubuntu (gnome-autoar, junit4, openvswitch, postsrsd, and sqlite3). --------------------------------------------- https://lwn.net/Articles/845750/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i – July 2020. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue does not properly encode error messages sent to web users (CVE-2021-20405) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Node.js package with a cross-site scripting vulnerability (CVE-2020-7676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Node.js package with known vulnerabilities (CVE-2020-11023, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v… ∗∗∗ Security Bulletin: Cross Site Scripting may affect IBM Business Automation Workflow and IBM Case Manager (ICM) – CVE-2020-4768 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-may-… ∗∗∗ Security Bulletin: IBM Verify Gateway does not sufficiently guard against unauthorized API calls (CVE-2020-4847) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-n… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v… ∗∗∗ VMSA-2021-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0001.html ∗∗∗ Squid: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0147 ∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0169 ∗∗∗ F5 BIG-IP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0163 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2021
by Daily end-of-shift report 10 Feb '21

10 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-02-2021 18:00 − Mittwoch 10-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Rinfo Is Making A Comeback and Is Scanning and Mining in Full Speed ∗∗∗ --------------------------------------------- In 2018 we blogged about a scanning&mining botnet family that uses ngrok.io to propagate samples: "A New Mining Botnet Blends Its C2s into ngrok Service", and since mid-October 2020, our BotMon system started to see a new variant of this family [...] --------------------------------------------- https://blog.netlab.360.com/rinfo-is-making-a-comeback-and-is-scanning-and-… ∗∗∗ Kaufen Sie keine Paysafecard um Zollgebühren zu bezahlen! ∗∗∗ --------------------------------------------- Eine neue Massenmail landet derzeit im Posteingang zahlreicher InternetnutzerInnen. Die Nachricht wird angeblich vom Kundenservice des deutschen oder schweizerischen Zolls gesendet. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-paysafecard-um-zoll… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple fixes SUDO root privilege escalation flaw in macOS ∗∗∗ --------------------------------------------- Apple has fixed a sudo vulnerability in macOS Big Sur, Catalina, and Mojave, allowing any local user to gain root-level privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/apple-fixes-sudo-root-privilege… ∗∗∗ Confusion Attack: Microsoft warnt vor einfacher Übernahme interner Pakete ∗∗∗ --------------------------------------------- Haben internes und externes Paket den gleichen Namen, lassen sich Trojaner einschleusen. --------------------------------------------- https://www.golem.de/news/confusion-attack-microsoft-warnt-vor-einfacher-ue… ∗∗∗ Microsoft February 2021 Patch Tuesday, (Tue, Feb 9th) ∗∗∗ --------------------------------------------- This month we got patches for 56 vulnerabilities. Of these, 11 are critical, 1 is being exploited and 6 were previously disclosed. --------------------------------------------- https://isc.sans.edu/diary/rss/27080 ∗∗∗ Patchday: Adobe kümmert sich um kritische Lücken in Acrobat, Photoshop & Co. ∗∗∗ --------------------------------------------- Derzeit haben es Angreifer auf Windows-Nutzer mit Adobe Reader abgesehen. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-5050997 ∗∗∗ Patchday: Intel stellt aktualisierte Treiber, Firm- und Software bereit ∗∗∗ --------------------------------------------- Von Intel diesmal meist als Downloads für Endnutzer verfügbare Updates beseitigen Schwachstellen mit teils hoher Gefahreneinstufung aus diversen Produkten. --------------------------------------------- https://heise.de/-5051084 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (connman, firejail, libzstd, slirp, and xcftools), Fedora (chromium, jackson-databind, and privoxy), openSUSE (chromium), Oracle (kernel and kernel-container), Slackware (dnsmasq), SUSE (java-11-openjdk, kernel, and python), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oem-5.6, linux-oracle, linux-raspi, linux, linux-gke-5.0, linux-gke-5.3, linux-hwe, linux-raspi2-5.3, openjdk-8, openjdk-lts, and snapd). --------------------------------------------- https://lwn.net/Articles/845602/ ∗∗∗ This old security vulnerability left millions of Internet of Things devices vulnerable to attacks ∗∗∗ --------------------------------------------- Historys repeating, warn security researchers, who find that a computer security issue thats been known about for decades could be used to manipulate IoT devices - so apply the patches now. --------------------------------------------- https://www.zdnet.com/article/this-old-security-vulnerability-left-millions… ∗∗∗ GE Digital HMI/SCADA iFIX ∗∗∗ --------------------------------------------- This advisory contains mitigations for Incorrect Permission Assignment for Critical Resource vulnerabilities in the GE Digital HMI/SCADA iFIX software component. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-040-01 ∗∗∗ Advantech iView ∗∗∗ --------------------------------------------- This advisory contains mitigations for SQL Injection, Path Traversal, and Missing Authentication for Critical Function vulnerabilities in the Advantech iView device management application. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02 ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-… ∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210210-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an error within Eclipse Jetty (CVE-2020-27216) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4791) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js and FasterXML jackson-databind affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4795) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM Planning Analytics has addressed a security vulnerability (CVE-2016-2183) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-ha… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Arbitrary File Read (CVE-2020-4789) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an "Apache CXF" jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4790) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2021
by Daily end-of-shift report 09 Feb '21

09 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Montag 08-02-2021 18:00 − Dienstag 09-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Android Devices Hunted by LodaRAT Windows Malware ∗∗∗ --------------------------------------------- The LodaRAT - known for targeting Windows devices - has been discovered also targeting Android devices in a new espionage campaign. --------------------------------------------- https://threatpost.com/android-devices-lodarat-windows/163769/ ∗∗∗ Florida: Hacker wollte Trinkwasser aus der Ferne vergiften ∗∗∗ --------------------------------------------- Kriminelle haben ein Trinkwasserwerk in Florida gehackt und die Natriumhydroxid-Zufuhr vervielfacht. Ein Mitarbeiter beobachtete die Tat und stoppte sie. --------------------------------------------- https://heise.de/-5049266 ∗∗∗ Arrest, Raids Tied to ‘U-Admin’ Phishing Kit ∗∗∗ --------------------------------------------- Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of a U-Admin, a software package used to administer what’s being called “one of the world’s largest phishing services.” --------------------------------------------- https://krebsonsecurity.com/2021/02/arrest-raids-tied-to-u-admin-phishing-k… ∗∗∗ BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech ∗∗∗ --------------------------------------------- The novel Chinese shellcode "BendyBear" is one of the most sophisticated, well-engineered and difficult-to-detect samples employed by an APT. --------------------------------------------- https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/ ∗∗∗ PyPI, GitLab dealing with spam attacks ∗∗∗ --------------------------------------------- Both sites have been flooded over the weekend with garbage content. --------------------------------------------- https://www.zdnet.com/article/pypi-gitlab-dealing-with-spam-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Kritische Lücke in WordPress-Plug-in NextGen Gallery ∗∗∗ --------------------------------------------- Ein Schlupfloch in NextGen Gallery könnte Schadcode auf 800.000 WordPress-Websites lassen. --------------------------------------------- https://heise.de/-5049401 ∗∗∗ Linux kernel CVE-2020-10769 ∗∗∗ --------------------------------------------- A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module. --------------------------------------------- https://support.f5.com/csp/article/K62532228 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (flatpak), Debian (connman, golang-1.11, and openjpeg2), Fedora (pngcheck), Mageia (php, phppgadmin, and wpa_supplicant), openSUSE (privoxy), Oracle (flatpak and kernel), Red Hat (qemu-kvm-rhev), SUSE (kernel, python-urllib3, and python3), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/845504/ ∗∗∗ ZDI-21-153: Micro Focus Operations Bridge Reporter userName Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-153/ ∗∗∗ SSA-379803: Vulnerabilities in RUGGEDCOM ROX II ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-379803.txt ∗∗∗ SSA-428051: Privilege Escalation Vulnerability in TIA Administrator ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-428051.txt ∗∗∗ SSA-686152: Denial-of-Service Vulnerability in ARP Protocol of SCALANCE W780 and W740 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-686152.txt ∗∗∗ SSA-663999: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-663999.txt ∗∗∗ SSA-536315: Privilege escalation vulnerability in DIGSI 4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-536315.txt ∗∗∗ SSA-944678: Potential Password Protection Bypass in SIMATIC WinCC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-944678.txt ∗∗∗ SSA-794542: Insecure Folder Permissions in SIMARIS configuration ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-794542.txt ∗∗∗ SSA-362164: Predictable Initial Sequence Numbers in Mentor Nucleus TCP stack ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-362164.txt ∗∗∗ SSA-156833: Zip-Slip Directory Traversal Vulnerability in SINEMA Server and SINEC NMS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-156833.txt ∗∗∗ SAP Patchday Februar 2021: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0139 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2021
by Daily end-of-shift report 08 Feb '21

08 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-02-2021 18:00 − Montag 08-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ IT-Security: Google bietet Datenbank zu Lücken in Open-Source-Software ∗∗∗ --------------------------------------------- Ob eigene Software oder Abhängigkeiten von Sicherheitslücken betroffen ist, ist teils nicht leicht herauszufinden. Google will hier helfen. --------------------------------------------- https://www.golem.de/news/it-security-google-bietet-datenbank-zu-luecken-in… ∗∗∗ FOSDEM: Hacker auf dem eigenen Honeypot-Server beobachten ∗∗∗ --------------------------------------------- Auf der FOSDEM haben zwei Entwickler eine raffinierte Methode vorgestellt, einen eigenen SSH-Honeypot zu bauen und den Hackern über die Schulter zu schauen. --------------------------------------------- https://heise.de/-5048084 ∗∗∗ Die Macher der Ransomware Ziggy bereuen ihre Taten und geben auf ∗∗∗ --------------------------------------------- Wer sich den Erpressungstrojaner Ziggy eingefangen hat, kann seine Daten nun mit einem kostenlosen Tool entschlüsseln. --------------------------------------------- https://heise.de/-5048379 ∗∗∗ Barcode Scanner app on Google Play infects 10 million users with one update ∗∗∗ --------------------------------------------- In a single update, a popular barcode scanner app that had been on Google Play for years turned into malware. ... Google quickly removed the app from its store. ... Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner. --------------------------------------------- https://blog.malwarebytes.com/android/2021/02/barcode-scanner-app-on-google… ∗∗∗ Reverse Engineering Keys from Firmware.A how-to ∗∗∗ --------------------------------------------- It is possible to reverse engineer keys from firmware with some tips: * Always looks for strings/constants. * Make guesses about the original source. * Find a function you can recognise and work backwards to identify other functions. * It helps if they use open-source code so you can crib from it. --------------------------------------------- https://www.pentestpartners.com/security-blog/reverse-engineering-keys-from… ∗∗∗ Erpressung per E-Mail: Kriminelle behaupten, Sie beim Masturbieren gefilmt zu haben ∗∗∗ --------------------------------------------- Aktuell werden wieder massenhaft betrügerische Erpressungsmails versendet. Kriminelle behaupten, sie hätten Ihren Computer gehackt und Sie beim Surfen auf Porno-Webseiten erwischt. Angeblich wurden Sie dabei beim Masturbieren gefilmt. Der unbekannte Absender droht nun damit, dieses Video an all Ihre Kontakte zu senden. Ignorieren Sie dieses E-Mail und antworten Sie auch nicht! --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-per-e-mail-kriminelle-beh… ===================== = Vulnerabilities = ===================== ∗∗∗ Firefox und Tor Browser: Update schließt kritische Lücke und blockiert NTFS-Bug ∗∗∗ --------------------------------------------- Versionsupdates für Firefox, Firefox ESR und Tor Browser beseitigen eine Windows-spezifische Sicherheitslücke und bringen zudem einige Bugfixes mit. --------------------------------------------- https://heise.de/-5048403 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, gdisk, intel-microcode, privoxy, and wireshark), Fedora (mingw-binutils, mingw-jasper, mingw-SDL2, php, python-pygments, python3.10, wireshark, wpa_supplicant, and zeromq), Mageia (gdisk and tomcat), openSUSE (chromium, cups, kernel, nextcloud, openvswitch, RT kernel, and rubygem-nokogiri), SUSE (nutch-core), and Ubuntu (openldap, php-pear, and qemu). --------------------------------------------- https://lwn.net/Articles/845426/ ∗∗∗ ImageMagick: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- ImageMagick ist eine Sammlung von Programmbibliotheken und Werkzeugen, die Grafiken in zahlreichen Formaten verarbeiten kann. Ein lokaler Angreifer kann eine Schwachstelle in ImageMagick ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0135 ∗∗∗ BlackBerry Powered by Android Security Bulletin - February 2021 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Bulletin: The Ubuntu ca-certificates have been updated in Watson Machine Learning Community Edition containers due to expiration. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-ubuntu-ca-certificate… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.02.2021
by Daily end-of-shift report 05 Feb '21

05 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-02-2021 18:00 − Freitag 05-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Hackers steal StormShield firewall source code in data breach ∗∗∗ --------------------------------------------- Leading French cybersecurity company StormShield disclosed that their systems were hacked, allowing a threat actor to access the companys support ticket system and steal source code for Stormshield Network Security firewall software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-stormshield-fi… ∗∗∗ Free coffee! Belgian researcher hacks prepaid vending machines ∗∗∗ --------------------------------------------- Only try this at home, folks! As easy as it might look, its illegal in the wild, with good reason. --------------------------------------------- https://nakedsecurity.sophos.com/2021/02/04/free-coffee-dutch-researcher-ha… ∗∗∗ Stack Canaries – Gingerly Sidestepping the Cage ∗∗∗ --------------------------------------------- Tell-tale values added to binaries during compilation to protect critical stack values like the Return Pointer against buffer overflow attacks. --------------------------------------------- https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage ∗∗∗ [SANS ISC] VBA Macro Trying to Alter the Application Menus ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “VBA Macro Trying to Alter the Application Menus‘”: Who remembers the worm Melissa? It started to spread in March 1999! In information security, it looks like speaking about prehistory but I spotted a VBA macro that tried to use the same defensive techniqueThe post [SANS ISC] VBA Macro Trying to Alter the Application Menus appeared first on /dev/random. --------------------------------------------- https://blog.rootshell.be/2021/02/05/sans-isc-vba-macro-trying-to-alter-the… ∗∗∗ Abusing Google Chrome extension syncing for data exfiltration and C&C ∗∗∗ --------------------------------------------- I had a pleasure (or not) of working on another incident where, among other things, attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. --------------------------------------------- https://isc.sans.edu/diary/rss/27066 ∗∗∗ besondereprasente.com: Fordern Sie Ihr Geld zurück! ∗∗∗ --------------------------------------------- Obwohl die Webseite besondereprasente.com gar nicht mehr existiert, erhält die Watchlist Internet nach wie vor zahlreiche Meldungen zu diesem Fake-Shop. Der Grund: Wer bei besondereprasente.com bestellt, tappt in eine teure Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/besondereprasentecom-fordern-sie-ihr… ∗∗∗ Plex Media servers are being abused for DDoS attacks ∗∗∗ --------------------------------------------- Cyber-security firm Netscout warns of new DDoS attack vector. --------------------------------------------- https://www.zdnet.com/article/plex-media-servers-are-being-abused-for-ddos-… ∗∗∗ Kasperksy warnt vor Krypto-Scam ∗∗∗ --------------------------------------------- Kapersky hat ein neues Scam-System entdeckt, das es mit verlockenden Angeboten von angeblichen neuen Kryptobörsen auf Anwender von Discord abgesehen hat. --------------------------------------------- https://www.zdnet.de/88393274/kasperksy-warnt-vor-krypto-scam/ ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day im Chrome-Browser: Jetzt Update einspielen ∗∗∗ --------------------------------------------- Eine aktiv ausgenutzte Schwachstelle im Chrome-Browser gefährdet die meisten Betriebssysteme. Google hat ein Update. --------------------------------------------- https://heise.de/-5046783 ∗∗∗ Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style ∗∗∗ --------------------------------------------- On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sit… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (java-11-openjdk, kernel, and monitorix), Mageia (mutt, nodejs, and nodejs-ini), Oracle (flatpak, glibc, and kernel), Red Hat (rh-nodejs14-nodejs), Scientific Linux (flatpak), and Ubuntu (flatpak and minidlna). --------------------------------------------- https://lwn.net/Articles/845191/ ∗∗∗ WordPress Plugin "Name Directory" vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN50470170/ ∗∗∗ Security Bulletin: Watson Machine Learning Community Edition docker containers have been updated to fix a security issue in libcurl ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-c… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: TensorFlow in Watson Machine Learning 1.6.2 and 1.7.0 has been patched for various security issues in nanopb. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-mach… ∗∗∗ Security Bulletin: IBM API Connect is impacted by insecure web server configuration (CVE-2020-4825) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has been patched for various security issues. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tensorflow-in-watson-mach… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server Admin Console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Vulnerabilities in Websphere Liberty server (WLP) affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph… ∗∗∗ Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: PowerHA System Mirror for AIX vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powerha-system-mirror-for… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7754) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.02.2021
by Daily end-of-shift report 04 Feb '21

04 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-02-2021 18:00 − Donnerstag 04-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Malicious Chrome and Edge add-ons had a novel way to hide on 3 million devices ∗∗∗ --------------------------------------------- 28 malicious extensions disguised traffic as Google Analytics data. --------------------------------------------- https://arstechnica.com/?p=1739523 ∗∗∗ New Fonix ransomware decryptor can recover victims files for free ∗∗∗ --------------------------------------------- Kaspersky has released a decryptor for the Fonix Ransomware (XONIF) that allows victims to recover their encrypted files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-fonix-ransomware-decrypt… ∗∗∗ How to Audit Password Changes in Active Directory ∗∗∗ --------------------------------------------- Todays admins certainly have plenty on their plates, and boosting ecosystem security remains a top priority. On-premises, and especially remote, accounts are gateways for accessing critical information. Password management makes this possible. After all, authentication should ensure that a user is whom they claim to be. --------------------------------------------- https://thehackernews.com/2021/02/how-to-audit-password-changes-in-active.h… ∗∗∗ Project Zero: Déjà vu-lnerability ∗∗∗ --------------------------------------------- A Year in Review of 0-days Exploited In-The-Wild in 2020 --------------------------------------------- https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html ∗∗∗ E-Tretroller sind leicht zu überwachen und zu manipulieren ∗∗∗ --------------------------------------------- Die Apps der Verleiher sind sehr auskunftsfreudig. Mit den übertragenen Daten lässt sich ein E-Tretroller sogar während der Fahrt abschalten. --------------------------------------------- https://heise.de/-5045945 ∗∗∗ Browser sync—what are the risks of turning it on? ∗∗∗ --------------------------------------------- Browser synchronization is a handy feature but it comes with a few risks. Heres what you should be asking yourself before you switch it on. --------------------------------------------- https://blog.malwarebytes.com/privacy-2/2021/02/browser-sync-what-are-the-r… ∗∗∗ This old form of ransomware has returned with new tricks and new targets ∗∗∗ --------------------------------------------- Cerber was once the most common form of ransomware - and now its back, years after its heyday. --------------------------------------------- https://www.zdnet.com/article/this-old-form-of-ransomware-has-returned-with… ===================== = Vulnerabilities = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB21-09) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB21-09) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for the week of February 09, 2021. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1967 ∗∗∗ Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices ∗∗∗ --------------------------------------------- Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a devices wireless communications. --------------------------------------------- https://thehackernews.com/2021/02/critical-bugs-found-in-popular-realtek.ht… ∗∗∗ Jetzt patchen! Sicherheitsupdate für SonicWall SMA 100 ist da ∗∗∗ --------------------------------------------- Derzeit haben es Angreifer auf das Fernzugriffsystem SMA 100 von SonicWall abgesehen. Nun gibt es Patches. --------------------------------------------- https://heise.de/-5045657 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (glibc, linux-firmware, perl, and qemu-kvm), Debian (dnsmasq), Fedora (netpbm), Mageia (firefox, messagelib, python and python3, ruby-nokogiri, and thunderbird), Oracle (kernel, perl, and qemu-kvm), Red Hat (flatpak), and SUSE (openvswitch and python-urllib3). --------------------------------------------- https://lwn.net/Articles/845088/ ∗∗∗ Panasonic Video Insight VMS vulnerable to arbitrary code execution ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN42252698/ ∗∗∗ ZDI-21-151: (0Day) Hewlett Packard Enterprise Moonshot Provisioning Manager khuploadfile Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-151/ ∗∗∗ ZDI-21-150: (0Day) Hewlett Packard Enterprise Moonshot Provisioning Manager khuploadfile Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-150/ ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2020-14781 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: IBM SDK Java Quarterly CPU Jul 2020 Vulnerabilities Affect IBM Transformation Extender ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-quarterly-cp… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ wpa_supplicant: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0129 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX291439 ∗∗∗ Luxion KeyShot ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-035-01 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-035-02 ∗∗∗ WAGO M&M Software fdtCONTAINER (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-021-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2021
by Daily end-of-shift report 03 Feb '21

03 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-02-2021 18:00 − Mittwoch 03-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Excel spreadsheets push SystemBC malware, (Wed, Feb 3rd) ∗∗∗ --------------------------------------------- This Excel spreadsheet pushed what might be SystemBC malware when I tested it in my lab environment on Monday 2021-02-01. --------------------------------------------- https://isc.sans.edu/diary/rss/27060 ∗∗∗ Interview with a LockBit ransomware operator ∗∗∗ --------------------------------------------- In September 2020, Cisco Talos established contact with a self-described LockBit operator and experienced threat actor. Over the course of several weeks, we conducted multiple interviews. --------------------------------------------- https://blog.talosintelligence.com/2021/02/interview-with-lockbit-ransomwar… ∗∗∗ Hildegard: New TeamTNT Malware Targeting Kubernetes ∗∗∗ --------------------------------------------- Hildegard is a new malware campaign believed to originate from TeamTNT. It targets Kubernetes clusters and launches cryptojacking operations. --------------------------------------------- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ ∗∗∗ Gefälschte Rechnung für Desinfektionsmittel im Umlauf! ∗∗∗ --------------------------------------------- Viele Unternehmen müssen aufgrund der Coronakrise stärkere Hygienemaßnahmen umsetzen. Dazu zählt auch die Bereitstellung von Desinfektionsmittel. Für viele ist es daher wohl wenig überraschend, wenn sich im E-Mail-Posteingang eine Rechnung für bestellte Desinfektionsmittel findet. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-rechnung-fuer-desinfekti… ===================== = Vulnerabilities = ===================== ∗∗∗ Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities ∗∗∗ --------------------------------------------- In this blog, I will be discussing three new security issues that I recently found in several SolarWinds products. All three are severe bugs with the most critical one allowing remote code execution with high privileges. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (open-build-service and openldap), Fedora (jasper, libebml, and tcmu-runner), openSUSE (segv_handler), Red Hat (thunderbird), Scientific Linux (kernel), SUSE (cups and openvswitch), and Ubuntu (apport and ca-certificates). --------------------------------------------- https://lwn.net/Articles/844948/ ∗∗∗ Recent root-giving Sudo bug also impacts macOS ∗∗∗ --------------------------------------------- A bug in the Sudo app can let attackers with access to a local system to elevate their access to a root-level account. --------------------------------------------- https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-maco… ∗∗∗ Cisco Security Advisories 2021-02-03 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Security Advisory - Improper Resource Management Vulnerability in eUDC660 Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210203-… ∗∗∗ Security Advisory - Improper Information Processing Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210203-… ∗∗∗ Security Advisory - Improper Permission Assignment Vulnerability in Huawei ManageOne Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210203-… ∗∗∗ Security Advisory - Information Leakage Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210203-… ∗∗∗ Security Advisory - Information Leakage Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210202-… ∗∗∗ Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-webs… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a remote code execution vulnerability (CVE-2020-4682) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Commons and Log4j affect IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 affected by Apache Cassandra vulnerability (CVE-2020-13946) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Node.js.(CVE-2020-8201 CVE-2020-8251 CVE-2020-8252 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via etcd (CVE-2020-15106 CVE-2020-15112 CVE-2020-15113) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: jackson-databind vulnerability CVE-2021-20190 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jackson-databind-vulnerab… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is vulnerable to arbitrary code excution in Drupal Core (CVE-2020-13671) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope… ∗∗∗ Security Bulletin: IBM Cloud Pak For Security vulnerable to potential information disclosure through HTTP headers (CVE-2020-4967) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale allows to inject malicious content into command log files (CVE-2020-4889) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Server Side Request Forgery (SSRF) (CVE-2020-4787) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a ClickJacking vulnerability (CVE-2020-4165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server October 2020 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection Vulnerability (CVE-2020-4949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Bouncy Castle Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bouncy-castle-vulnerabili… ∗∗∗ February 2, 2021 TNS-2021-01 [R1] Nessus AMI 8.13.1 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-01 ∗∗∗ Linux kernel vulnerability CVE-2020-14385 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84900646 ∗∗∗ D-LINK Router DNS-320: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0122 ∗∗∗ Rockwell Automation MicroLogix 1400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-033-01 ∗∗∗ Siemens SIMATIC HMI Comfort Panels & SIMATIC HMI KTP Mobile Panels ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-033-02 ∗∗∗ 2019-08Hirschmann RSP, RSPE, and OS2 series HSR denial of service vulnerability ∗∗∗ --------------------------------------------- https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/12276-sour… ∗∗∗ 2021-02ICX35 Local Web Based Configuration Interface Password Set ∗∗∗ --------------------------------------------- https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/12277-sour… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2021
by Daily end-of-shift report 02 Feb '21

02 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Montag 01-02-2021 18:00 − Dienstag 02-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Linux malware steals SSH credentials from supercomputers ∗∗∗ --------------------------------------------- A new backdoor has been targeting supercomputers across the world, often stealing the credentials for secure network connections by using a trojanized version of the OpenSSH software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-linux-malware-steals-ssh… ∗∗∗ Malicious script steals credit card info stolen by other hackers ∗∗∗ --------------------------------------------- A threat actor has infected an e-commerce store with a custom credit card skimmer designed to siphon data stolen by a previously deployed Magento card stealer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-script-steals-cred… ∗∗∗ New Threat: Matryosh Botnet Is Spreading ∗∗∗ --------------------------------------------- On January 25, 2021, 360 netlab BotMon system labeled a suspicious ELF file as Mirai, but the network traffic did not match Mirais characteristics. --------------------------------------------- https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/ ∗∗∗ New Example of XSL Script Processing aka "Mitre T1220", (Tue, Feb 2nd) ∗∗∗ --------------------------------------------- Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign. --------------------------------------------- https://isc.sans.edu/diary/rss/27056 ∗∗∗ Agent Tesla Malware Spotted Using New Delivery & Evasion Techniques ∗∗∗ --------------------------------------------- Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims. --------------------------------------------- https://thehackernews.com/2021/02/agent-tesla-malware-spotted-using-new.html ∗∗∗ Operation Dream Job by Lazarus ∗∗∗ --------------------------------------------- Lazarus (also known as Hidden Cobra) is known to use various kinds of malware in its attack operations, and we have introduced some of them in our past articles. In this article, we present two more; Torisma and LCPDot. --------------------------------------------- https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html ∗∗∗ New Trickbot module uses Masscan for local network reconnaissance ∗∗∗ --------------------------------------------- The new Trickbot module is used to scan local networks for other nearby systems with open ports that could be hacked for quick lateral movement inside a company. --------------------------------------------- https://www.zdnet.com/article/new-trickbot-module-uses-masscan-for-local-ne… ∗∗∗ Microsoft tracked a system sending a million malware emails a month. Heres what it discovered ∗∗∗ --------------------------------------------- Emerging attacker email infrastructure now sends over a million malware-laden emails each month. --------------------------------------------- https://www.zdnet.com/article/microsoft-tracked-a-system-sending-a-million-… ∗∗∗ Operation NightScout: Supply‑chain attack targets online gaming in Asia ∗∗∗ --------------------------------------------- ESET researchers uncover a supply-chain attack used in a cyberespionage operation targeting online‑gaming communities in Asia. --------------------------------------------- https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain… ∗∗∗ Gewinnspiel im Namen von Hofer führt in Abo-Falle ∗∗∗ --------------------------------------------- Vorsicht: Kriminelle geben sich als Hofer aus und informieren via E-Mail über einen angeblichen Gewinn. --------------------------------------------- https://www.watchlist-internet.at/news/gewinnspiel-im-namen-von-hofer-fuehr… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#125331: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs ∗∗∗ --------------------------------------------- Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges. --------------------------------------------- https://kb.cert.org/vuls/id/125331 ∗∗∗ DSA-4843 linux - security update ∗∗∗ --------------------------------------------- Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. --------------------------------------------- https://www.debian.org/security/2021/dsa-4843 ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/apple-releases-se… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libdatetime-timezone-perl, python-django, thunderbird, and tzdata), Fedora (kf5-messagelib and qt5-qtwebengine), Mageia (kernel-linus), openSUSE (firefox, jackson-databind, and messagelib), Oracle (flatpak), Red Hat (glibc, kernel, kernel-alt, kernel-rt, linux-firmware, net-snmp, perl, qemu-kvm, and qemu-kvm-ma), SUSE (firefox, java-11-openjdk, openvswitch, terraform, and thunderbird), and Ubuntu (fastd, firefox, python-django, and qemu). --------------------------------------------- https://lwn.net/Articles/844865/ ∗∗∗ Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks ∗∗∗ --------------------------------------------- Two VMWare ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, reported as abused in the wild. --------------------------------------------- https://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-expl… ∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0115 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2021
by Daily end-of-shift report 01 Feb '21

01 Feb '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-01-2021 18:00 − Montag 01-02-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Taking a Shot at Reverse Shell Attacks, CNC Phone Home and Data Exfil from Servers, (Mon, Feb 1st) ∗∗∗ --------------------------------------------- Over the last number of weeks (after the Solarwinds Orion news) there's been a lot of discussion on how to detect if a server-based applcation is compromised. The discussions have ranged from buying new sophisticated tools, auditing the development pipeline, to diffing patches. But really, for me it's as simple as saying "should my application server really be able to connect to any internet host on any protocol". --------------------------------------------- https://isc.sans.edu/diary/rss/27054 ∗∗∗ Hintermänner der Fonix-Ransomware geben auf und veröffentlichen Master-Schlüssel ∗∗∗ --------------------------------------------- Opfer des Verschlüsselungstrojaner Fonix sehen Licht am Ende des Tunnels. --------------------------------------------- https://heise.de/-5041914 ∗∗∗ SonicWall zero-day exploited in the wild ∗∗∗ --------------------------------------------- Security firm NCC Group said it detected "indiscriminate" exploitation of a mysterious SonicWall zero-day. --------------------------------------------- https://www.zdnet.com/article/sonicwall-zero-day-exploited-in-the-wild/ ∗∗∗ Shodan Verified Vulns 2021-02-01 ∗∗∗ --------------------------------------------- Wieder ist ein Monat vergangen und damit auch wieder die Zeit gekommen, um einen Blick auf Shodans Daten zu den Verified Vulnerabilities in Österreich zu werfen. --------------------------------------------- https://cert.at/de/aktuelles/2021/2/shodan-verified-vulns-2021-02-01 ∗∗∗ Trickbot feiert Comeback ∗∗∗ --------------------------------------------- Kaum ist die Freude über die Zerschlagung von Emotet verklungen, feiert ein anderes Malware-Netzwerk namens Trickbot nach einigen Monaten Stille ein Comeback. --------------------------------------------- https://www.zdnet.de/88393163/trickbot-feiert-comeback/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021 ∗∗∗ --------------------------------------------- A vulnerability in the command line parameter parsing code of Sudo could allow an authenticated, local attacker to execute commands or binaries with root privileges. [...] Cisco is investigating its product line to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ WordPress-Plug-in Popup Builder: Angreifer könnten Newsletter verschicken ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für das WordPress-Plug-in Popup Builder. --------------------------------------------- https://heise.de/-5041788 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (home-assistant, libgcrypt, libvirt, and mutt), Debian (ffmpeg, kernel, libonig, libsdl2, mariadb-10.1, and thunderbird), Fedora (chromium, firefox, jasper, libebml, mingw-python3, netpbm, opensmtpd, thunderbird, and xen), Gentoo (firefox and thunderbird), Mageia (db53, dnsmasq, kernel, kernel-linus, and php-pear), openSUSE (go1.14, go1.15, messagelib, nodejs8, segv_handler, and thunderbird), Oracle (firefox, kernel, and thunderbird), Red Hat (flatpak), SUSE (firefox, rubygem-nokogiri) and Ubuntu (mysql-5.7, mysql-8.0, python-django). --------------------------------------------- https://lwn.net/Articles/844749/ ∗∗∗ Sudo vulnerability CVE-2021-3156 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K86488846?utm_source=f5support&utm_mediu… ∗∗∗ Critical vulnerability in Apple iOS WebKit browser components can impact users of the BIG-IP APM F5 Access client ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K58149033?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily February 2021