=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-03-2021 18:00 − Wednesday 31-03-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Financial Cyberthreats in 2020 ∗∗∗
---------------------------------------------
This research is a continuation of our annual financial threat reports providing an overview of the latest trends and key events across the financial threat landscape. The study covers the common phishing threats, along with Windows and Android-based financial malware.
---------------------------------------------
https://securelist.com/financial-cyberthreats-in-2020/101638/
∗∗∗ Ziggy Ransomware Gang Offers Refunds to Victims ∗∗∗
---------------------------------------------
Ziggy joins the Fonix ransomware group in shutting down, with apologies to targets.
---------------------------------------------
https://threatpost.com/ziggy-ransomware-gang-offers-refund-to-victims/16512…
∗∗∗ 3MinMax Series Topic Review - Apple Acquisition ∗∗∗
---------------------------------------------
Apple devices are an entirely different platform than Windows, and there are many different considerations when preparing to acquire an Apple machine.
---------------------------------------------
https://www.sans.org/blog/3minmax-series-topic-review---apple-acquisition
∗∗∗ [SANS ISC] Quick Analysis of a Modular InfoStealer ∗∗∗
---------------------------------------------
This morning, an interesting phishing email landed in my spam trap. The mail was redacted in Spanish and, as usual, asked the recipient to urgently process the attached document.
---------------------------------------------
https://blog.rootshell.be/2021/03/31/sans-isc-quick-analysis-of-a-modular-i…
∗∗∗ Whistleblower: Ubiquiti Breach “Catastrophic” ∗∗∗
---------------------------------------------
On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials.
---------------------------------------------
https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrop…
∗∗∗ The Often-Overlooked Element of a Hack: Endpoints ∗∗∗
---------------------------------------------
It is Vital to Maintain Granular Visibility and Control Over Access Points to Establish Resilience
---------------------------------------------
https://www.securityweek.com/often-overlooked-element-hack-endpoints
∗∗∗ Caution when buying a bicycle: marti-bosom.de is a fake shop! ∗∗∗
---------------------------------------------
With temperatures getting warmer, the bicycle season begins. For many it is the time to buy a new bicycle. Due to the ongoing Corona crisis, this increasingly happens online. Caution is called for here, however, since there are fraudulent fake shops in this area too.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-beim-fahrrad-kauf-marti-bos…
∗∗∗ Ransomware: Why we're now facing a perfect storm ∗∗∗
---------------------------------------------
Normalising the act of paying a ransom to cyber criminals does nothing to protect anyone against ransomware, warns report.
---------------------------------------------
https://www.zdnet.com/article/ransomware-why-were-now-facing-a-perfect-stor…
∗∗∗ Gaming mods, cheat engines are spreading Trojan malware and planting backdoors ∗∗∗
---------------------------------------------
Mods and cheat systems for games are being exploited to deploy information-stealing malware.
---------------------------------------------
https://www.zdnet.com/article/gaming-tools-backdoored-cheat-engines-are-now…
∗∗∗ BLEKeeper: Response Time Behavior Based Man-In-The-Middle Attack Detection ∗∗∗
---------------------------------------------
Bluetooth Low Energy (BLE) has become one of the most popular wireless communication protocols and is used in billions of smart devices. Despite several security features, the hardware and software limitations of these devices make them vulnerable to man-in-the-middle (MITM) attacks.
---------------------------------------------
http://arxiv.org/abs/2103.16235
=====================
= Vulnerabilities =
=====================
∗∗∗ Fake jQuery files infect WordPress sites with malware ∗∗∗
---------------------------------------------
Researchers have spotted counterfeit versions of the jQuery Migrate plugin injected on dozens of websites; the fake files contain obfuscated code that loads malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-jquery-files-infect-wor…
∗∗∗ Attackers could copy admin credentials from VMware vRealize ∗∗∗
---------------------------------------------
Important security updates are available for vRealize Operations, the management software for cloud environments.
---------------------------------------------
https://heise.de/-6002805
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, ldb, leptonlib, and linux-4.19), Fedora (busybox), Gentoo (openssl, redis, salt, and sqlite), Mageia (firefox, fwupd, glib2.0, python-aiohttp, radare2, thunderbird, and zeromq), openSUSE (firefox), SUSE (ovmf, tomcat, and zabbix), and Ubuntu (curl, lxml, and pygments).
---------------------------------------------
https://lwn.net/Articles/851269/
∗∗∗ Google Releases Security Updates for Chrome ∗∗∗
---------------------------------------------
Google has released Chrome version 89.0.4389.114 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/31/google-releases-s…
∗∗∗ SECURITY BULLETIN: March 2021 Security Bulletin for Trend Micro OfficeScan XG SP1 ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000286157
∗∗∗ Multiple dnsmasq vulnerabilities CVE-2020-25684, CVE-2020-25685, and CVE-2020-25686 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K98221124
∗∗∗ cURL: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0333
∗∗∗ Denial of Service in Rexroth ActiveMover using EtherNet/IP protocol ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-282922.html
∗∗∗ Denial of Service in Rexroth ActiveMover using Profinet protocol ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-637429.html
∗∗∗ SYSS-2021-006: SQL injection vulnerability in FireEye EX ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-006-sql-injection-schwachstelle-…
∗∗∗ SYSS-2021-005: SQL injection vulnerability in FireEye EX ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-005-sql-injection-schwachstelle-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 29-03-2021 18:00 − Tuesday 30-03-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Card Complete: Warning about deceptively genuine-looking phishing mails ∗∗∗
---------------------------------------------
Purported mails from Card Complete that look deceptively genuine are currently in circulation.
---------------------------------------------
https://futurezone.at/digital-life/card-complete-warnung-vor-taeuschend-ech…
∗∗∗ IT security expert: "With the Exchange cases we were at our limit" ∗∗∗
---------------------------------------------
Tim Philipp Schäfers is currently helping companies close security holes in Exchange. Some could have prevented the damage quite easily, he says. An interview by Moritz Tremmel
---------------------------------------------
https://www.golem.de/news/it-sicherheitsexperte-bei-den-exchange-faellen-wa…
∗∗∗ New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats ∗∗∗
---------------------------------------------
The March 2021 Security Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of security budgets are allocated to protect firmware.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/03/30/new-security-signals-stu…
∗∗∗ Old TLS versions - gone, but not forgotten... well, not really "gone" either, (Tue, Mar 30th) ∗∗∗
---------------------------------------------
With the recent official deprecation of TLS 1.0 and TLS 1.1 by RFC 8996[1], a step, which has long been in preparation and which was preceded by many recommendations to discontinue the use of both protocols (as well as by the removal of support for them from all mainstream web browsers[2]), one might assume that the use of old TLS versions on the internet would have significantly decreased over the last few months. This has however not been the case.
---------------------------------------------
https://isc.sans.edu/diary/rss/27260
∗∗∗ You Just Received 25k USD in Your BTC Account! A Practical Phishing Defense Tutorial ∗∗∗
---------------------------------------------
From time to time, we all receive unexpected messages, either through social media or email. Usually, these are harmless, meant to advertise a product or a service. However, sometimes they can be malicious, with an intent to steal our data and eventually our money; this is a so-called “phishing” attack.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/you-just-re…
∗∗∗ Unfair exchange: ransomware attacks surge globally amid Microsoft Exchange Server vulnerabilities ∗∗∗
---------------------------------------------
Following the recent disclosure of vulnerabilities affecting Microsoft Exchange Servers, Check Point Research (CPR) has observed a global surge in the number of ransomware attacks. In fact, since the beginning of 2021, there has been a 9% monthly increase in organizations affected by ransomware. This uptick includes a 57% increase in organizations affected by ransomware in the past 6 months.
---------------------------------------------
https://blog.checkpoint.com/2021/03/30/unfair-exchange-ransomware-attacks-s…
∗∗∗ Malicious commits found in PHP code repository: What you need to know ∗∗∗
---------------------------------------------
The PHP Git repository compromise is in the news. We break it down for you, and tell you what you need to know.
---------------------------------------------
https://blog.malwarebytes.com/hacking-2/2021/03/malicious-commits-found-in-…
∗∗∗ Akamai Sees Largest DDoS Extortion Attack Known to Date ∗∗∗
---------------------------------------------
Distributed denial of service (DDoS) attacks are growing bigger in volume, and they have also become more targeted and increasingly persistent, according to web security services provider Akamai.
---------------------------------------------
https://www.securityweek.com/akamai-sees-largest-ddos-extortion-attack-know…
∗∗∗ Do not buy Corona tests on classified-ad platforms ∗∗∗
---------------------------------------------
Through the "Alles gurgelt" initiative, residents of Vienna receive free PCR gargle tests in all BIPA stores in Vienna. Up to 4 self-tests per person can be collected per week. Some, however, try to earn a little pocket money from this offer and sell the free tests on classified-ad portals. The City of Vienna advises against buying the free tests on classified-ad portals.
---------------------------------------------
https://www.watchlist-internet.at/news/kaufen-sie-corona-tests-nicht-auf-kl…
∗∗∗ Attack landscape update: Ransomware 2.0, automated recon, and supply chain attacks ∗∗∗
---------------------------------------------
Data-stealing ransomware attacks, information harvesting malware, and supply chain attacks are some of the critical threats facing organizations highlighted in F-Secure's latest attack landscape update.
---------------------------------------------
https://blog.f-secure.com/attack-landscape-update-h1-2021/
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Cisco Products Snort TCP Fast Open File Policy Bypass Vulnerability ∗∗∗
---------------------------------------------
Multiple Cisco products are affected by a vulnerability with TCP Fast Open (TFO) when used in conjunction with the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect detection of the HTTP payload if it is contained at least partially within the TFO connection handshake. An attacker could exploit this vulnerability by sending crafted TFO packets with an HTTP payload through an [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ ArcGIS general raster security update ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been identified when processing specially crafted files that may allow arbitrary code execution in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier). Esri has released updates for the affected products that resolve the high-risk vulnerabilities here.
---------------------------------------------
https://www.esri.com/arcgis-blog/products/arcgis/administration/security-ad…
∗∗∗ Xen Security Advisory CVE-2021-28688 / XSA-371 - Linux: blkback driver may leak persistent grants ∗∗∗
---------------------------------------------
A malicious or buggy frontend driver may be able to cause resource leaks from the corresponding backend driver. This can result in a host-wide Denial of Service (DoS).
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-371.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lxml), Fedora (openssl, pdfbox, rpm, and rubygem-kramdown), openSUSE (eclipse), Oracle (flatpak and openssl), Red Hat (curl, kernel, kpatch-patch, mariadb, nss-softokn, openssl, perl, and tomcat), and SUSE (firefox, ovmf, and tar).
---------------------------------------------
https://lwn.net/Articles/851164/
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
Two security issues have been identified in Citrix Hypervisor (formerly Citrix XenServer) that may allow privileged code in a guest VM to cause the host to crash or become unresponsive.
These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.2 LTSR.
---------------------------------------------
https://support.citrix.com/article/CTX306565
∗∗∗ Red Hat Enterprise Linux: Vulnerability allows manipulation of files ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0327
∗∗∗ Red Hat OpenShift: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0325
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-03-2021 18:00 − Monday 29-03-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Git hosting: Attack on PHP's code repository ∗∗∗
---------------------------------------------
Two backdoors were inserted into PHP's Git repository. As a consequence, the project no longer wants to host its code itself in future.
---------------------------------------------
https://www.golem.de/news/git-hosting-angriff-auf-phps-code-repository-2103…
∗∗∗ Spyware: Android malware poses as a system update ∗∗∗
---------------------------------------------
Via the trojan, which poses as an Android update, affected devices can be completely taken over.
---------------------------------------------
https://www.golem.de/news/spyware-android-malware-gibt-sich-als-systemupdat…
∗∗∗ Here Are the Free Ransomware Decryption Tools You Need to Use [2021 Updated] ∗∗∗
---------------------------------------------
If your network gets infected with ransomware, follow the steps below to recover essential data: Step 1: Do not pay the ransom because there is no guarantee that the ransomware creators will give you access to your data. Step 2: Find any available backups you have, and consider keeping your data backups in secure, off-site locations. Step [...]
---------------------------------------------
https://heimdalsecurity.com/blog/ransomware-decryption-tools/
∗∗∗ Malware Analysis with elastic-agent and Microsoft Sandbox, (Fri, Mar 26th) ∗∗∗
---------------------------------------------
Microsoft describes the "Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. [...] Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension."[6]
---------------------------------------------
https://isc.sans.edu/diary/rss/27248
∗∗∗ [SANS ISC] Jumping into Shellcode ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Jumping into Shellcode“: Malware analysis is exciting because you never know what you will find. In previous diaries, I already explained why it’s important to have a look at groups of interesting Windows API calls to detect some behaviors. The classic example is code [...]
---------------------------------------------
https://blog.rootshell.be/2021/03/29/sans-isc-jumping-into-shellcode/
∗∗∗ Analyzing And Micropatching With Tetrane REVEN (Part 1, CVE-2021-26897) ∗∗∗
---------------------------------------------
March 2021 Windows Updates included fixes for seven vulnerabilities in Windows DNS Server, two of which were marked by Microsoft as "Exploitation More Likely": CVE-2021-26877 and CVE-2021-26897. They were not known to be exploited and no details were publicly available until security researchers Eoin Carroll and Kevin McGrath published their analysis on the McAfee Labs blog. Their article included enough information for us to reproduce both vulnerabilities, [...]
---------------------------------------------
https://blog.0patch.com/2021/03/analyzing-and-micropatching-with.html
∗∗∗ Hades Ransomware Hits Big Firms, but Operators Slow to Respond to Victims ∗∗∗
---------------------------------------------
Researchers from CrowdStrike, Accenture, and Awake Security have dissected some of the attacks involving the Hades ransomware and published information on both the malware itself and the tactics, techniques and procedures (TTPs) employed by its operators.
---------------------------------------------
https://www.securityweek.com/hades-ransomware-hits-big-firms-operators-slow…
∗∗∗ Threat Assessment: Matrix Ransomware ∗∗∗
---------------------------------------------
We provide an overview of the Matrix ransomware family and offer indicators of compromise in this companion to the Unit 42 Ransomware Threat Report.
---------------------------------------------
https://unit42.paloaltonetworks.com/matrix-ransomware/
∗∗∗ Sodinokibi (aka REvil) Ransomware ∗∗∗
---------------------------------------------
Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple of years. The ransomware family was purported to be behind [...]
---------------------------------------------
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Exchange Server Post-Compromise Attack Activity Shared by Microsoft ∗∗∗
---------------------------------------------
In the context of ongoing Exchange Server attacks, Microsoft has shared information detailing post-compromise activity which has infected vulnerable targets with ransomware and a botnet.
---------------------------------------------
https://heimdalsecurity.com/blog/exchange-server-post-compromise-attack-act…
∗∗∗ Security hole: npm package Netmask ignores the octal system in IP addresses ∗∗∗
---------------------------------------------
The widely used library does not evaluate octal numbers correctly and, among other things, may therefore interpret private addresses as public and vice versa.
---------------------------------------------
https://heise.de/-6000759
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (awstats, busybox, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gitlab, godot, groovy, libebml, mkinitcpio-busybox, openssl, python2, vivaldi, webkit2gtk, and wpewebkit), CentOS (firefox and thunderbird), Debian (pygments, spamassassin, thunderbird, and webkit2gtk), Fedora (CGAL, dotnet3.1, dotnet5.0, firefox, kernel, qt, and xen), Mageia (imagemagick, jackson-databind, openscad, redis, and unbound), openSUSE [...]
---------------------------------------------
https://lwn.net/Articles/851061/
∗∗∗ Newly-Discovered Vulnerabilities Could Allow for Bypass of Spectre Mitigations in Linux ∗∗∗
---------------------------------------------
Bugs could allow a malicious user to access data belonging to other users.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sp…
∗∗∗ Philips Gemini PET/CT Family ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Storage of Sensitive Data in a Mechanism Without Access Control vulnerability in Philips Gemini PET/CT Family scanners.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-084-01
∗∗∗ Weintek EasyWeb cMT ∗∗∗
---------------------------------------------
This advisory contains mitigations for Code Injection, Improper Access Control, and Cross-site Scripting vulnerabilities in Weintek EasyWeb cMT human-machine interface (HMI) products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-082-01
∗∗∗ Apple Security Updates March 26 2021 - Possible in the Wild Exploitation ∗∗∗
---------------------------------------------
Apple has published security updates for iOS, iOS and iPadOS, and watchOS. The updates all address the same, single vulnerability, in WebKit. The vulnerability may have been exploited in the wild.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/f7a453892e4d0d7f1e0a77077ea…
∗∗∗ CVE-2021-25646: Getting Code Execution on Apache Druid ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Pengsu Cheng and Prosenjit Sinha of the Trend Micro Research Team detail a recent code execution vulnerability in the Apache Druid database. The bug was originally discovered and reported by Litch1 from the Security Team of Alibaba Cloud. The following is a portion of their write-up covering CVE-2021-25646, with a few minimal modifications.
---------------------------------------------
https://www.thezdi.com/blog/2021/3/25/cve-2021-25646-getting-code-execution…
∗∗∗ [webapps] WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/49718
∗∗∗ OpenSSL vulnerability CVE-2021-3449 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K83623027
∗∗∗ OpenSSL vulnerability CVE-2021-3450 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52171694
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-03-2021 18:00 − Friday 26-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ FBI exposes weakness in Mamba ransomware, DiskCryptor ∗∗∗
---------------------------------------------
An alert from the U.S. Federal Bureau of Investigation about Mamba ransomware reveals a weak spot in the encryption process that could help targeted organizations recover from the attack without paying the ransom.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-exposes-weakness-in-mamb…
∗∗∗ Office macro execution evidence, (Fri, Mar 26th) ∗∗∗
---------------------------------------------
Microsoft Office Macros continue to be the security nightmare that they have been for the past 3 decades. System and security admins everywhere continue to try to protect their users from prevalent macro malware, but they find Microsoft's tooling often less than helpful.
---------------------------------------------
https://isc.sans.edu/diary/rss/27244
∗∗∗ New 5G Flaw Exposes Priority Networks to Location Tracking and Other Attacks ∗∗∗
---------------------------------------------
New research into 5G architecture has uncovered a security flaw in its network slicing and virtualized network functions that could be exploited to allow data access and denial of service attacks between different network slices on a mobile operator's 5G network. AdaptiveMobile shared its findings with the GSM Association (GSMA) on February 4, 2021, following which the weaknesses were [...]
---------------------------------------------
https://thehackernews.com/2021/03/new-5g-flaw-exposes-priority-networks.html
∗∗∗ Perkiler malware turns to SMB brute force to spread ∗∗∗
---------------------------------------------
Perkiler is now using SMB brute force attacks to spread, which is not a new concept, but why attack SMB instead of RDP?
---------------------------------------------
https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb…
∗∗∗ Dumping LSASS in memory undetected using MirrorDump ∗∗∗
---------------------------------------------
As I am sure some of you are aware from the occasional ramblings and screenshots on twitter, I am a big fan of .NET based offensive tooling. Not because [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/dumping-lsass-in-memory-undet…
∗∗∗ 20 Million Miners: Finding Malicious Cryptojacking Images in Docker Hub ∗∗∗
---------------------------------------------
Container images are a simple way to distribute software - including malicious cryptojacking images attackers use to distribute cryptominers.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-cryptojacking-images/
∗∗∗ Exchange Server attacks: Microsoft shares intelligence on post-compromise activities ∗∗∗
---------------------------------------------
If you're cleaning up an infected Exchange server, you need to look for traces of multiple threats, warns Microsoft.
---------------------------------------------
https://www.zdnet.com/article/exchange-server-attacks-microsoft-shares-inte…
∗∗∗ Current information on the ProxyLogon Exchange vulnerabilities in Austria ∗∗∗
---------------------------------------------
TL;DR 254 Exchange servers are still unpatched (as of 2021-03-26). On 18 March there were still 839.
From 23 March to 26 March, a total of 437 webshells were found in Austria.
The patch rate has decreased somewhat. We see the usual exponential decrease in the number of vulnerable systems.
However, the mitigation applied automatically by Microsoft Defender since 18 March appears to have served its purpose.
---------------------------------------------
https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-proxylogon-excha…
∗∗∗ PsExec Privilege Escalation in Windows Fixed ∗∗∗
---------------------------------------------
A component of Microsoft's Sysinternals utility was found in January 2021 to be vulnerable to privilege escalation. According to the release notes from Microsoft: "This update to PsExec mitigates named pipe squatting attacks that can be leveraged by an attacker to intercept credentials or elevate to System privilege."
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/e97cd1b85394822631fcc1589f7…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft releases Windows 10 SSU to fix security update issue ∗∗∗
---------------------------------------------
Microsoft has released the Windows 10 1909 KB5000850 cumulative update preview and a new KB5001205 Servicing Stack Update that resolves a Secure Boot vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-…
∗∗∗ Another Critical RCE Flaw Discovered in SolarWinds Orion Platform ∗∗∗
---------------------------------------------
IT infrastructure management provider SolarWinds on Thursday released a new update to its Orion networking monitoring tool with fixes for four security vulnerabilities, counting two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution (RCE). Chief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via [...]
---------------------------------------------
https://thehackernews.com/2021/03/solarwinds-orion-vulnerability.html
∗∗∗ Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 ∗∗∗
---------------------------------------------
On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. This advisory will be updated as additional information becomes available.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security updates: Attackers could crash Samba LDAP servers ∗∗∗
---------------------------------------------
Several vulnerabilities in Samba put systems at risk. Patched versions are available for download.
---------------------------------------------
https://heise.de/-5999401
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, jquery, openssl, and thunderbird), openSUSE (openssl-1_1 and tor), Oracle (firefox and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (libzypp, zypper and openssl-1_1), and Ubuntu (firefox, ldb, openssl, and ruby2.0).
---------------------------------------------
https://lwn.net/Articles/850703/
∗∗∗ Synology-SA-21:13 Samba AD DC ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers and remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_13
∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210324-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in node.js may affect configuration editor used in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-1971, CVE-2020-8265, CVE-2020-8287 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM License Metric Tool v9 (CVE-2020-14782). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Intel Ethernet Controller vulnerabilities CVE-2020-24497, CVE-2020-24498, CVE-2020-24500, CVE-2020-24501, and CVE-2020-24505 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K85738358
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-03-2021 18:00 − Thursday 25-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Cisco fixes remote vulnerabilities in Jabber clients for Windows, macOS & mobile systems ∗∗∗
---------------------------------------------
An update closes entry points, some rated critical, in Cisco's Jabber client for Windows, macOS, Android & iOS. Other products also received updates.
---------------------------------------------
https://heise.de/-5997987
∗∗∗ IETF declares the TLS ancestors 1.0 and 1.1 obsolete ∗∗∗
---------------------------------------------
Weak cryptography and plenty of security holes have led to the end of TLS 1.0 and 1.1.
---------------------------------------------
https://heise.de/-5997963
∗∗∗ Fleeceware lures users into subscription traps ∗∗∗
---------------------------------------------
Researchers at Avast have discovered hundreds of fleeceware mobile apps on Google Play and in the Apple App Store with which their developers earn millions of dollars.
---------------------------------------------
https://www.zdnet.de/88394043/fleeceware-lockt-in-abofallen/
∗∗∗ QNAP warns of ongoing brute-force attacks against NAS devices ∗∗∗
---------------------------------------------
QNAP warns customers of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urges them to immediately take action to mitigate them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-warns-of-ongoing-brute-…
∗∗∗ Threat landscape for industrial automation systems. Statistics for H2 2020 ∗∗∗
---------------------------------------------
We continued our observations and identified a number of trends that could, in our opinion, be due to circumstances connected with the pandemic in one way or another, as well as the reaction of governments, organizations and people to these circumstances.
---------------------------------------------
https://securelist.com/threat-landscape-for-industrial-automation-systems-s…
∗∗∗ Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis ∗∗∗
---------------------------------------------
On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange server[1]. We customized our Anglerfish honeypot to simulate and deploy a Microsoft Exchange honeypot plug-in on March 3, and soon we started to see a large amount of related data; so far, we have already [...]
---------------------------------------------
https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855…
∗∗∗ From Creative Password Hashes to Administrator: Gone in 60 Seconds (Or Thereabouts) ∗∗∗
---------------------------------------------
Picture the scene, you’re on an application penetration test (as a normal user) and you’ve managed to bag yourself some password hashes from the application. This can happen in various ways but in my experience, this is often the result of either a SQL injection vulnerability (resulting in the dumping of the users table) or finding that the application (or associated API) spits these hashes out in responses (because they are only hashes and what could go wrong!?).
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-creati…
∗∗∗ Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild ∗∗∗
---------------------------------------------
On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s "Legacy" Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-th…
∗∗∗ Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system.
---------------------------------------------
https://www.securityweek.com/mamba-ransomware-leverages-diskcryptor-encrypt…
∗∗∗ Webshells Observed in Post-Compromised Exchange Servers ∗∗∗
---------------------------------------------
CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each new MAR (AR21-084A and AR21-084B) identifies a webshell observed in post-compromised Microsoft Exchange Servers. After successfully exploiting a Microsoft Exchange Server vulnerability for initial access, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/25/webshells-observe…
=====================
= Vulnerabilities =
=====================
∗∗∗ Crypto library: OpenSSL vulnerability in certificate checks ∗∗∗
---------------------------------------------
An OpenSSL bug in certificate validation affects only a few applications; another bug crashes servers.
---------------------------------------------
https://www.golem.de/news/kryptobibliothek-openssl-luecke-in-zertifikatsche…
∗∗∗ SAP® privilege escalation via ABAP code injection in SAP® Business Warehouse ∗∗∗
---------------------------------------------
This blog post gives an overview of a critical ABAP code injection vulnerability in the function module RSDMD_BATCH_CALL in SAP® Business Warehouse and illustrates its impact.
---------------------------------------------
https://sec-consult.com/de/blog/detail/privilege-escalation-abap-code-injec…
∗∗∗ Two Vulnerabilities Patched in Facebook for WordPress Plugin ∗∗∗
---------------------------------------------
On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-faceb…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and lxml), Fedora (jasper), openSUSE (gnutls, hawk2, ldb, libass, nghttp2, and ruby2.5), Oracle (pki-core:10.6), Red Hat (firefox and thunderbird), SUSE (evolution-data-server, ldb, python3, and zstd), and Ubuntu (ldb, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-signed, linux-snapdragon, and linux, linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/850498/
∗∗∗ Intel Ethernet controller vulnerabilities CVE-2020-24492, CVE-2020-24493, CVE-2020-24494, CVE-2020-24495, CVE-2020-24496 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K91610944?utm_source=f5support&utm_mediu…
∗∗∗ Red Hat OpenShift: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0308
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Go vulnerabilities (CVE-2020-28851 and CVE-2020-28852) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-3114 and CVE-2021-3115) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager (Oct 2020 and Jan 2021 CPUs) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-wat…
∗∗∗ Security Bulletin: App Connect for Manufacturing 2.0 is affected by vulnerabilities of log4j 1.2.17 – Log4j Deserialization Remote Code Execution (CVE-2019-17571) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-for-manufactu…
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js vulnerabilities (CVE-2020-1971, CVE-2020-8265, and CVE-2020-8287) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26217) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26258, CVE-2020-26259) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-03-2021 18:00 − Wednesday 24-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft warns of phishing attacks bypassing email gateways ∗∗∗
---------------------------------------------
An ongoing phishing operation that stole an estimated 400,000 OWA and Office 365 credentials since December has now expanded to abuse new legitimate services to bypass secure email gateways (SEGs).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-phishing-…
∗∗∗ Purple Fox Rootkit Can Now Spread Itself to Other Windows Computers ∗∗∗
---------------------------------------------
Purple Fox, a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities.
---------------------------------------------
https://thehackernews.com/2021/03/purple-fox-rootkit-can-now-spread.html
∗∗∗ Numerous negative reviews of fashionmanufaktur.at ∗∗∗
---------------------------------------------
For months, negative experiences and reviews from numerous consumers about the online shop fashionmanufaktur.at have been piling up.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-negative-bewertungen-zu-f…
∗∗∗ Fake Websites Used in COVID-19 Themed Phishing Attacks, Impersonating Brands Like Pfizer and BioNTech ∗∗∗
---------------------------------------------
We describe trends in COVID-19 themed phishing attacks since the start of the pandemic to gain insight into the topics that attackers try to exploit.
---------------------------------------------
https://unit42.paloaltonetworks.com/covid-19-themed-phishing-attacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-354: (0Day) Lepide Active Directory Self Service Backup Missing Authentication Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Lepide Active Directory Self Service. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-354/
∗∗∗ Cisco Security Advisories 2021-03-24 ∗∗∗
---------------------------------------------
1 Critical, 18 High, 19 Medium severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick and squid), Fedora (jasper and kernel), Red Hat (pki-core), SUSE (gnutls, go1.15, go1.16, hawk2, jetty-minimal, libass, nghttp2, openssl, ruby2.5, sudo, and wavpack), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, linux-oem-5.10, linux-oem-5.6, linux-oracle, linux-oracle-5.4,[...]
---------------------------------------------
https://lwn.net/Articles/850352/
∗∗∗ SaltStack revises partial patch for command injection, privilege escalation vulnerability ∗∗∗
---------------------------------------------
The second fix was reportedly necessary after SaltStack did not participate in coordinated disclosure.
---------------------------------------------
https://www.zdnet.com/article/saltstack-revises-partial-patch-for-command-i…
∗∗∗ Uncontrolled Search Path Element in Multiple Bosch Products ∗∗∗
---------------------------------------------
BOSCH-SA-835563-BT: Multiple Bosch software applications are affected by a security vulnerability, which potentially allows an attacker to load additional code in the form of DLLs (commonly known as "DLL Hijacking" or "DLL Preloading").
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-835563-bt.html
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storage System where an attacker could cause a denial of service (CVE-2020-5015) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -[All] jQuery (Publicly disclosed vulnerability) – 180875 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SE affects IBM Elastic Storage Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2020-14803, CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM® SDK, Java™ Technology Edition shipped with IBM Tivoli Netcool Impact (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i…
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0522 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K37283878
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0523 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31445234
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0524 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K83504933
∗∗∗ Intel I210 network adapter vulnerability CVE-2020-0525 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44482551
∗∗∗ Linux Kernel: Vulnerability allows code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0306
∗∗∗ Pro-FTPd: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0304
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-03-2021 18:00 − Tuesday 23-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ A Popular Remote Lesson Monitoring Program Might be Exploited by Attackers ∗∗∗
---------------------------------------------
Netop is software specialized in providing visibility over student activities that lets teachers see what their students see; in this way the teachers can also share their screen, lock student screens and keyboards, and block websites with the click of a button. The software designed and advertised for helping teachers keep control of lessons [...]
---------------------------------------------
https://heimdalsecurity.com/blog/lesson-monitoring-program-exploited/
∗∗∗ Secure containerized environments with updated threat matrix for Kubernetes ∗∗∗
---------------------------------------------
The updated threat matrix for Kubernetes adds new techniques found by Microsoft researchers, as well as techniques that were suggested by the community.
---------------------------------------------
https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-env…
∗∗∗ Nim Strings, (Mon, Mar 22nd) ∗∗∗
---------------------------------------------
On Tuesday's Stormcast, Johannes talked about malware written in the Nim Programming language.
---------------------------------------------
https://isc.sans.edu/diary/rss/27230
∗∗∗ Intel processors: Two undocumented microcode instructions uncovered ∗∗∗
---------------------------------------------
Security researchers discover instructions that can change the behaviour of Intel processors, so far only in a special debugging mode.
---------------------------------------------
https://heise.de/-5994965
∗∗∗ Extortion by e-mail: Criminals demand bitcoins ∗∗∗
---------------------------------------------
Fraudulent extortion e-mails are currently being sent in increasing numbers. In them, criminals claim to have hacked your devices and to be able to watch everything you do live. They allegedly have proof that you regularly browse porn sites. A video showing you masturbating is even supposed to exist. To keep the criminals from publishing it, they demand a transfer of bitcoins.
---------------------------------------------
https://www.watchlist-internet.at/news/erpressung-per-e-mail-kriminelle-for…
∗∗∗ Ransomware gangs have found another set of new targets: Schools and universities ∗∗∗
---------------------------------------------
The National Cyber Security Centre issues advice on how to protect networks from cyber criminals after a spike in ransomware attacks caused disruption across the education sector over the last month.
---------------------------------------------
https://www.zdnet.com/article/ransomware-attacks-against-schools-are-rocket…
=====================
= Vulnerabilities =
=====================
∗∗∗ New versions: Firefox 87, Firefox ESR and Thunderbird 78.9 with security fixes ∗∗∗
---------------------------------------------
Updates for Firefox, Firefox ESR and the e-mail client Thunderbird include fixes for vulnerabilities alongside functional improvements.
---------------------------------------------
https://heise.de/-5996236
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dnsmasq, libmediainfo, and mariadb-10.1), Fedora (dotnet5.0, moodle, and radare2), Mageia (kernel and kernel-linus), Oracle (python27:2.7, python36:3.6, and python38:3.8), Red Hat (pki-core:10.6), and Ubuntu (privoxy).
---------------------------------------------
https://lwn.net/Articles/850188/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0002 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2021-0002.html
∗∗∗ Synology-SA-21:12 Synology Calendar ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Calendar.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_12
∗∗∗ Weintek EasyWeb cMT ∗∗∗
---------------------------------------------
This advisory contains mitigations for Code Injection, Improper Access Control, and Cross-site Scripting vulnerabilities in Weintek EasyWeb cMT human-machine interface (HMI) products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-082-01
∗∗∗ GE MU320E ∗∗∗
---------------------------------------------
This advisory contains mitigations for Use of Hard-coded Password, Execution with Unnecessary Privileges, and Inadequate Encryption Strength vulnerabilities in GE MU320E firmware.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-082-02
∗∗∗ GE Reason DR60 ∗∗∗
---------------------------------------------
This advisory contains mitigations for Hard-coded Password, Code Injection, and Execution with Unnecessary Privileges vulnerabilities in GE Reason DR60 digital fault recorder products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-082-03
∗∗∗ Ovarro TBox ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-054-04P Ovarro TBox that was posted to the HSIN ICS library on February 23, 2021. This advisory contains mitigations for Code Injection, Incorrect Permission Assignment for Critical Resource, Uncontrolled Resource Consumption, Insufficiently Protected Credentials, and Use of Hard-coded Cryptographic Key vulnerabilities in Ovarro TBox remote terminal units (RTUs).
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-054-04
∗∗∗ Security Bulletin: Multiple vulnerabilities is affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2021-20336, CVE-2020-17530) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Lift ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-lift/
∗∗∗ OTRS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0299
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-03-2021 18:00 − Monday 22-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ DDoS booters now abuse DTLS servers to amplify attacks ∗∗∗
---------------------------------------------
DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security (D/TLS) servers to amplify Distributed Denial of Service (DDoS) attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-…
∗∗∗ Microsoft Exchange servers now targeted by BlackKingdom ransomware ∗∗∗
---------------------------------------------
Another ransomware operation known as BlackKingdom is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-n…
∗∗∗ Office 365 Phishing Attack Targets Financial Execs ∗∗∗
---------------------------------------------
Attackers move on new CEOs, using transition confusion to harvest Microsoft credentials.
---------------------------------------------
https://threatpost.com/office-365-phishing-attack-financial-execs/164925/
∗∗∗ Critical F5 BIG-IP Bug Under Active Attacks After PoC Exploit Posted Online ∗∗∗
---------------------------------------------
Almost 10 days after application security company F5 Networks released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products, adversaries have begun opportunistically mass scanning and targeting exposed and unpatched networking devices to break into enterprise networks. News of in-the-wild exploitation comes on the heels of proof-of-concept exploit code that surfaced online [...]
---------------------------------------------
https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html
∗∗∗ Multi-factor Authentication. Reset MFA you say? ∗∗∗
---------------------------------------------
MFA is a no brainer. It helps mitigate the risk of password re-use, overly simple passwords and more. Just don’t confuse it with 2SV... Anyway, when we’re red teaming, MFA [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/multi-factor-authentication-r…
∗∗∗ Advertised on Willhaben? Beware of mob-willhaben.at SMS! ∗∗∗
---------------------------------------------
Numerous Willhaben users are currently contacting Watchlist Internet because they have received a fraudulent SMS about a Willhaben listing. The nasty part: the people concerned really are offering goods on Willhaben at the moment. The SMS usually claims that someone has paid for the goods. A link in it leads to a fake Willhaben page that wants to harvest data and install a trojan.
---------------------------------------------
https://www.watchlist-internet.at/news/auf-willhaben-inseriert-vorsicht-vor…
∗∗∗ Metamorfo/Mekotio Banking Trojan Uses AutoHotKey Scripting ∗∗∗
---------------------------------------------
The Cofense Phishing Defense Center (PDC) takes a brief look at Mekotio, also known as Metamorfo, a banking Trojan with Latin American origins that is now expanding its reach to victims across Europe. This trojan is one that makes use of a little known scripting language known as AutoHotKey (AHK).
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/6e934f1121d09aff346710499c0…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-21-342: Samsung Galaxy S20 libimagecodec Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Samsung Galaxy S20. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-342/
∗∗∗ Apache OFBiz: Update removes remote vulnerability from open-source ERP software ∗∗∗
---------------------------------------------
The open-source enterprise resource planning software OFBiz could be attacked remotely. A patched version and a patch are available.
---------------------------------------------
https://heise.de/-5994429
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, ffmpeg, flatpak, git, gnutls, minio, openssh, opera, and wireshark-qt), Debian (cloud-init, pygments, and xterm), Fedora (flatpak, glib2, kernel, kernel-headers, kernel-tools, pki-core, and upx), Mageia (glibc, htmlunit, koji, and python-cairosvg), openSUSE (chromium, connman, froxlor, grub2, libmysofa, netty, privoxy, python-markdown2, tor, and velocity), Oracle (ipa), SUSE (evolution-data-server, glib2, openssl, python3, python36, and [...]
---------------------------------------------
https://lwn.net/Articles/850068/
∗∗∗ Adobe Patches Critical ColdFusion Security Flaw ∗∗∗
---------------------------------------------
Adobe has released an urgent patch for a potentially dangerous security vulnerability in Adobe ColdFusion, the platform used for building and deploying mobile and web apps.
---------------------------------------------
https://www.securityweek.com/adobe-patches-critical-coldfusion-security-flaw
∗∗∗ TMM vulnerability CVE-2021-23007 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K37451543
∗∗∗ Atlassian Jira Software: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0297
∗∗∗ UNIVERGE Aspire series PBX vulnerable to denial-of-service (DoS) ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN12737530/
∗∗∗ Security updates available in Foxit Reader 10.1.3, Foxit PhantomPDF 10.1.3 and 3D Plugin Beta 10.1.3.37598 ∗∗∗
---------------------------------------------
https://www.foxitsoftware.com/support/security-bulletins.html
∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerabilities CVE-2021-23839, CVE-2021-23840 and CVE-2021-23841 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser…
∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo…
∗∗∗ Security Bulletin: Websphere Application Server is vulnerable to a directory traversal vulnerability (CVE-2020-5016) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2020 CPU (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition affects IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Struts framework affects IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-03-2021 18:00 − Friday 19-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft Defender Antivirus fixes security vulnerabilities in Exchange Server ∗∗∗
---------------------------------------------
Microsoft has implemented an automatic mitigation tool in Defender Antivirus to close critical security vulnerabilities in Exchange Server, since even weeks later tens of thousands of servers remain unpatched.
---------------------------------------------
https://www.zdnet.de/88393956/microsoft-defender-antivirus-behebt-sicherhei…
∗∗∗ New CopperStealer malware steals Google, Apple, Facebook accounts ∗∗∗
---------------------------------------------
Previously undocumented account-stealing malware distributed via fake software crack sites targets the users of major service providers, including Google, Facebook, Amazon, and Apple.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-copperstealer-malware-st…
∗∗∗ REvil ransomware has a new ‘Windows Safe Mode’ encryption mode ∗∗∗
---------------------------------------------
The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-w…
∗∗∗ Security vulnerabilities: hacker group used 11 zero-days in one year ∗∗∗
---------------------------------------------
Google's Project Zero reports on a hacker group that used a whole series of zero-days to hack the fully patched devices of its victims.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-hackergruppe-nutzte-11-zero-da…
∗∗∗ Easy SMS Hijacking ∗∗∗
---------------------------------------------
Vice is reporting on a cell phone vulnerability caused by commercial SMS services. One of the things these services permit is text message forwarding. It turns out that with a little bit of anonymous money - in this case, $16 off an anonymous prepaid credit card - and a few lies, you can forward the text messages from any phone to any other phone.
---------------------------------------------
https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html
∗∗∗ Caution when booking holidays: dubious websites lure with cheap offers ∗∗∗
---------------------------------------------
Fancy the Maldives? Perhaps Phuket? Or, given the ongoing Corona crisis, would you rather holiday at home: in Vienna? Or in Mayrhofen in Tyrol? Accommodation at these destinations is currently being offered by dubious booking platforms. We show you which websites you had better not book on.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-der-urlaubsbuchung-unse…
∗∗∗ Beware Android trojan posing as Clubhouse app ∗∗∗
---------------------------------------------
The malware can grab login credentials for more than 450 apps and bypass SMS-based two-factor authentication.
---------------------------------------------
https://www.welivesecurity.com/2021/03/18/beware-android-trojan-posing-club…
∗∗∗ AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool ∗∗∗
---------------------------------------------
This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts: AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa21-077a
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in SOYAL Biometric Access Control System 5.0 ∗∗∗
---------------------------------------------
Zeroscience has found multiple vulnerabilities in the Biometric Access Control System product from the vendor SOYAL.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ Multiple vulnerabilities in KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 ∗∗∗
---------------------------------------------
Zeroscience has found multiple vulnerabilities in Wi-Fi/VoIP CPEs from the vendors KZ Broadband Technologies, Jaton and Neotel, including an RCE.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel and pki-core), Debian (shibboleth-sp, shibboleth-sp2, and squid3), openSUSE (libmysofa and privoxy), Oracle (bind), and Ubuntu (ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/849847/
∗∗∗ Johnson Controls Exacq Technologies exacqVision ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Information Exposure vulnerability in Exacq Technologies exacqVision web service. Exacq Technologies is a subsidiary of Johnson Controls.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-077-01
∗∗∗ Hitachi ABB Power Grids eSOMS ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Hitachi ABB Power Grids eSOMS software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-077-02
∗∗∗ Hitachi ABB Power Grids eSOMS Telerik ∗∗∗
---------------------------------------------
This advisory contains mitigations for Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, and Insufficiently Protected Credentials vulnerabilities in some Hitachi ABB Power Grids eSOMS products using Telerik software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-077-03
∗∗∗ Rockwell Automation Logix Controllers (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-056-03 Rockwell Automation Logix Controllers that was published February 25, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03
∗∗∗ Fuji Xerox multifunction devices and printers vulnerable to denial-of-service (DoS) ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN37607293/
∗∗∗ March 17, 2021 TNS-2021-04 [R1] Nessus Agent 8.2.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2021-04-0
∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime Environment affects installation and uninstallation of IBM Spectrum Protect for Enterprise Resource Planning on AIX and Linux (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Security vulnerable to a stack-based buffer overflow (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit…
∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-03-2021 18:00 − Thursday 18-03-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions ∗∗∗
---------------------------------------------
Can you help Shadowserver sign up more countries/networks in Africa and the Indo-Pacific to receive our free daily network reports and help secure the Internet? We are running a UK FCDO-funded surge in Feb/March 2021, aimed at increasing outreach and expanding our honeypot sensor network in those regions. We are seeking introductions, contacts and hosting, so please get in touch if you can help us achieve these goals.
---------------------------------------------
https://www.shadowserver.org/news/uk-foreign-commonwealth-development-offic…
∗∗∗ SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests ∗∗∗
---------------------------------------------
Existing victim networks are used to test out payloads as a novel form of sandbox.
---------------------------------------------
https://www.zdnet.com/article/solarwinds-linked-hacking-group-silverfish-ab…
∗∗∗ TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise ∗∗∗
---------------------------------------------
CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/03/17/ttp-table-detecti…
∗∗∗ ~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet ∗∗∗
---------------------------------------------
DDoS-for-hire services adopt new technique that amplifies attacks 37 fold.
---------------------------------------------
https://arstechnica.com/?p=1750512
∗∗∗ New XcodeSpy malware targets iOS devs in supply-chain attack ∗∗∗
---------------------------------------------
A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer's computer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-xcodespy-malware-targets…
∗∗∗ Convuster: macOS adware now in Rust ∗∗∗
---------------------------------------------
Convuster adware for macOS is written in Rust and able to use Gatekeeper to evade analysis.
---------------------------------------------
https://securelist.com/convuster-macos-adware-in-rust/101258/
∗∗∗ Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux ∗∗∗
---------------------------------------------
Back in January, we blogged about a new botnet Necro and shortly after our report, it stopped spreading. On March 2nd, we noticed a new variant of Necro showing up on our BotMon tracking radar; the BotMon system has detected that Necro has started spreading again, [...]
---------------------------------------------
https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-d…
∗∗∗ Server Side Data Exfiltration via Telegram API ∗∗∗
---------------------------------------------
One of the themes commonly highlighted on this blog includes the many creative methods and techniques attackers employ to steal data from compromised websites. Credit card skimmers, credential and password hijackers, SQL injections, and even malware on the server level can be used for data exfiltration. What’s more, attackers may be able to accomplish this feat with a few mere lines of code.
---------------------------------------------
https://blog.sucuri.net/2021/03/server-side-data-exfiltration-via-telegram-…
∗∗∗ Simple Python Keylogger ∗∗∗
---------------------------------------------
A keylogger is one of the core features implemented by many malware families to exfiltrate interesting data and learn about the victim. Besides the fact that interesting keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by having a look at the text typed on the keyboard, the attacker can profile his target and estimate whether it's a juicy one or not.
---------------------------------------------
https://isc.sans.edu/diary/rss/27216
∗∗∗ Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability ∗∗∗
---------------------------------------------
On Feb. 20, 2021, Unit 42 researchers observed attempts to exploit CVE-2020-9020, which is a Remote Command Execution (RCE) vulnerability in Iteris’ Vantage Velocity field unit version 2.3.1, 2.4.2 and 3.0. As a travel data measurement system, Vantage Velocity captures travel data with a large number of vehicles. If a device is compromised, [...]
---------------------------------------------
https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-v…
∗∗∗ NimzaLoader Malware ∗∗∗
---------------------------------------------
NimzaLoader is a new initial access malware that is relatively unique in its usage of the Nim programming language. Proofpoint observed this malware being distributed in a TA800 email campaign in place of BazaLoader.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/0a3e6c8474f098e6b497c889ebd…
=====================
= Vulnerabilities =
=====================
∗∗∗ SYSS-2020-044: Security issue in Zoom's screen sharing functionality (CVE-2021-28133) ∗∗∗
---------------------------------------------
A SySS proof-of-concept video demonstrates a security issue in the screen sharing function of the Zoom video conferencing software.
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2020-044-sicherheitsproblem-in-screen…
∗∗∗ Tutor LMS for WordPress Open to Info-Stealing Security Holes ∗∗∗
---------------------------------------------
The popular learning-management system for teacher-student communication is rife with SQL-injection vulnerabilities.
---------------------------------------------
https://threatpost.com/tutor-lms-wordpress-security-holes/164868/
∗∗∗ Critical RCE Flaw Reported in MyBB Forum Software—Patch Your Sites ∗∗∗
---------------------------------------------
A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an [...]
---------------------------------------------
https://thehackernews.com/2021/03/critical-rce-flaw-reported-in-mybb.html
∗∗∗ ZDI-21-337: Hewlett Packard Enterprise Network Orchestrator uaf-token SQL Injection Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Network Orchestrator. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-337/
∗∗∗ ZDI-21-341: (0Day) (Pwn2Own) Sony X800H Smart TV Vewd Type-Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sony X800H Smart TV. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-341/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (velocity-tools), Fedora (switchboard-plug-bluetooth), Mageia (discover, flatpak, and xmlgraphics-commons), openSUSE (chromium and python), Oracle (kernel, kernel-container, and pki-core), Red Hat (openvswitch2.11 and ovn2.11, python-django, qemu-kvm-rhev, and rubygem-em-http-request), and SUSE (crmsh, openssl1, and php53).
---------------------------------------------
https://lwn.net/Articles/849737/
∗∗∗ Xen: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0289
∗∗∗ Drupal: Vulnerability allows information disclosure ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0287
∗∗∗ Security Bulletin: z/TPF is affected by OpenSSL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-open…
∗∗∗ Security Bulletin: March 2021: Vulnerability in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-vulnerability-…
∗∗∗ Security Bulletin: March 2021: Vulnerability in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-vulnerability-…
∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p…
∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p…
∗∗∗ Security Bulletin: IBM Security Guardium External S-TAP is affected by an Execution with Unnecessary Privileges vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ext…
∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi…
∗∗∗ Security Bulletin: March 2021: Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-march-2021-multiple-vulne…
∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ Technology Edition affects IBM Spectrum Scale ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd…
∗∗∗ Security Bulletin: IBM Resilient vulnerable to username enumeration (CVE-2020-4635) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-vulnerable-…