Daily March 2021

daily@lists.cert.at

1 participants
23 discussions

Tageszusammenfassung - 17.03.2021
by Daily end-of-shift report 17 Mar '21

17 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-03-2021 18:00 − Mittwoch 17-03-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mimecast says SolarWinds hackers breached its network and spied on customers ∗∗∗ --------------------------------------------- Mimecast-issued certificate used to connect to customers’ Microsoft 365 tenants. --------------------------------------------- https://arstechnica.com/?p=1750098 ∗∗∗ Twitter images can be abused to hide ZIP, MP3 files — heres how ∗∗∗ --------------------------------------------- Yesterday, a researcher disclosed a method of hiding up to three MB of data inside a Twitter image. In his demonstration, the researcher showed both MP3 audio files and ZIP archives contained within the PNG images hosted on Twitter. --------------------------------------------- https://www.bleepingcomputer.com/news/security/twitter-images-can-be-abused… ∗∗∗ Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities ∗∗∗ --------------------------------------------- This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065. --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/03/16/guidance-for-responders-inve… ∗∗∗ Microsoft Exchange Server: These quarterly updates include fixes for security flaws ∗∗∗ --------------------------------------------- Microsoft releases Exchange Server 2016 and 2019 cumulative updates that address critical flaws. --------------------------------------------- https://www.zdnet.com/article/microsoft-exchange-server-these-quarterly-upd… ∗∗∗ New ICS Threat Activity Group: VANADINITE ∗∗∗ --------------------------------------------- The new VANADINITE activity group targets electric utilities, oil and gas, manufacturing, telecommunications, and transportation. --------------------------------------------- https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-van… ∗∗∗ So hacken Kriminelle unbemerkt Ihre Website, um Fake-Shops zu betreiben ∗∗∗ --------------------------------------------- Sicherheitslücken auf Websites von Unternehmen und Vereinen werden auch genutzt, um Fake-Shops zu platzieren. Mittels Cloaking leiten Kriminelle die BesucherInnen zu Fake-Shops um. Die betroffenen Unternehmen und Vereine wissen nichts davon. Wir erklären Ihnen, wie Cloaking funktioniert und was Sie dagegen machen können. --------------------------------------------- https://www.watchlist-internet.at/news/so-hacken-kriminelle-unbemerkt-ihre-… ∗∗∗ New Mirai Variant Targeting Network Security Devices ∗∗∗ --------------------------------------------- We discovered ongoing attacks leveraging IoT vulnerabilities, including in network security devices, to serve a Mirai variant. --------------------------------------------- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/ ∗∗∗ NIS2 Proposal: First feedback on the normative text ∗∗∗ --------------------------------------------- After looking at the recitals a few weeks ago, here is my feedback on the normative text of the NIS2 proposal. --------------------------------------------- https://cert.at/en/blog/2021/3/nis2-proposal-first-feedback-on-the-normativ… ∗∗∗ CISA-FBI Joint Advisory on TrickBot Malware ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/03/17/cisa-fbi-joint-ad… ∗∗∗ CVE-2021-27076: A Replay-Style Deserialization Attack Against SharePoint ∗∗∗ --------------------------------------------- An attacker is frequently in the position of having to find a technique to evade some data integrity measure implemented by a target. --------------------------------------------- https://www.thezdi.com/blog/2021/3/17/cve-2021-27076-a-replay-style-deseria… ===================== = Vulnerabilities = ===================== ∗∗∗ Researcher adds their package to Microsoft Azure SDK releases list ∗∗∗ --------------------------------------------- A security researcher was able to add their own test package to the official list of Microsoft Azure SDK latest releases. The simple trick if abused by an attacker can give off the impression that their malicious package is part of the Azure SDK suite. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-adds-their-packag… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (shadow, tor, and velocity), Fedora (gsoap, qt5-qtsvg, and switchboard-plug-bluetooth), Mageia (batik, chromium-browser-stable, glibc, ksh, and microcode), openSUSE (389-ds, connman, freeradius-server, froxlor, openssl-1_0_0, openssl-1_1, postgresql12, and python-markdown2), Red Hat (bind, curl, kernel, nss and nss-softokn, perl, python, and tomcat), Scientific Linux (ipa, kernel, and pki-core), SUSE (glib2 and velocity), and Ubuntu (containerd). --------------------------------------------- https://lwn.net/Articles/849622/ ∗∗∗ WordPress plugin "Paid Memberships Pro" vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN08191557/ ∗∗∗ Cisco Small Business RV132W and RV134W Routers Management Interface Remote Command Execution and Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 was affected by multiple vulnerabilities in jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i… ∗∗∗ Security Bulletin: CVE-2020-14782 may affect IBM® SDK, Java™ Technology Edition for Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14782-may-affect… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Rational Application Developer is vulnerable to CVE-2020-2773 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-application-deve… ∗∗∗ Security Bulletin: IBM Security Directory Suite is affected by a vulnerability (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-su… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update February 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (CVE-2020-13434, CVE-2020-13435) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-ident… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilties have been fixed in the IBM Security Access Manager and IBM Security Verify Access appliances. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2021
by Daily end-of-shift report 16 Mar '21

16 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Montag 15-03-2021 18:30 − Dienstag 16-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ FBI warns of escalating Pysa ransomware attacks on education orgs ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-escalating-pysa… ∗∗∗ One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021 ∗∗∗ --------------------------------------------- We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/03/15/one-click-microsoft-exchange… ∗∗∗ Videokonferenzen: Damit Vertrauliches vertraulich bleibt ∗∗∗ --------------------------------------------- Durch die Corona-Pandemie hat die Nutzung von Videokonferenzlösungen in Verwaltung und Wirtschaft erheblich zugenommen. Die Systeme dienen dabei nicht nur der Kommunikation, sondern auch dem gemeinsamen Erstellen und Bearbeiten von Dokumenten. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Eine Rasterbrille auf ayurreadpro.com kaufen? – Wir raten davon ab! ∗∗∗ --------------------------------------------- Wer online nach Möglichkeiten zur Verbesserung der Sehkraft oder Methoden zum Augentraining sucht, stoßt höchstwahrscheinlich auf Rasterbrillen. Rasterbrillen sind schwarze Kunststoffbrillen mit Lochmuster in den „Gläsern“, die angeblich Sehschwächen vorbeugen und verbessern. Für die Wirksamkeit der knapp 60 Euro-Brille gibt es jedoch keine wissenschaftlich bestätigten Studien. Im Extremfall könnten sogar ernstzunehmende Schäden [...] --------------------------------------------- https://www.watchlist-internet.at/news/eine-rasterbrille-auf-ayurreadprocom… ∗∗∗ Finding Metasploit & Cobalt Strike URLs, (Mon, Mar 15th) ∗∗∗ --------------------------------------------- Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consist of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants. --------------------------------------------- https://isc.sans.edu/diary/rss/27204 ∗∗∗ Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks ∗∗∗ --------------------------------------------- A new research has yielded yet another means to pilfer sensitive data by exploiting whats the first "on-chip, cross-core" side-channel attack targeting the ring interconnect used in Intel Coffee Lake and Skylake processors. Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium coming this [...] --------------------------------------------- https://thehackernews.com/2021/03/malware-can-exploit-new-flaw-in-intel.html ∗∗∗ Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution ∗∗∗ --------------------------------------------- We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection. --------------------------------------------- https://www.rtcsec.com/post/2021/03/bug-discovery-diaries-abusing-voipmonit… ∗∗∗ Hackers are targeting telecoms companies to steal 5G secrets ∗∗∗ --------------------------------------------- Cybersecurity researchers at McAfee detail an ongoing cyber espionage campaign which is targeting telecoms companies around the world. --------------------------------------------- https://www.zdnet.com/article/hackers-are-targeting-telecoms-companies-to-s… ∗∗∗ Exploring my doorbell ∗∗∗ --------------------------------------------- Ive talked about my doorbell before, but started looking at it again this week because sometimes it simply doesnt send notifications to my Home Assistant setup - the push notifications appear on my phone, but the doorbell simply doesnt trigger the HTTP callback its meant to[1]. This is obviously suboptimal, but its also tricky to debug a device when you have no access to it. --------------------------------------------- https://mjg59.dreamwidth.org/56345.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tomcat8), Fedora (git), openSUSE (opera), Oracle (python), Red Hat (ipa, kernel, kernel-rt, kpatch-patch, and pki-core), SUSE (compat-openssl098 and python), and Ubuntu (glib2.0, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/849501/ ∗∗∗ This years-old Microsoft Office vulnerability is still popular with hackers, so patch now ∗∗∗ --------------------------------------------- Despite receiving a security update in 2017, cyber criminals are still finding success with this old vulnerability for delivering malware. --------------------------------------------- https://www.zdnet.com/article/this-years-old-microsoft-office-vulnerability… ∗∗∗ Aktuelle Zahlen zu den Exchange Schwachstellen in Österreich ∗∗∗ --------------------------------------------- TL;DR 1074 Exchange Server nach wie vor ungepatched (Stand: 2021-03-16). Nach den ersten aktiven Scans zwischen dem 9. und 12. März waren es noch 2236. Bisher wurden 465 Webshells von Shadowserver und Kryptos Logic in Österreich gefunden. Die initiale Patch-Disziplin war anscheinend hoch. Wenn möglich, Microsofts Script unter https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-pr… zum Finden und Mitigieren von Webshells [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/3/aktuelle-zahlen-zu-den-exchange-schwach… ∗∗∗ Advantech WebAccess/SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cross-site Scripting vulnerability in Advantech WebAccess/SCADA browser-based software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-075-01 ∗∗∗ GE UR family ∗∗∗ --------------------------------------------- This advisory contains mitigations for multiple vulnerabilities in GE UR family of protection and control relays. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02 ∗∗∗ Hitachi ABB Power Grids AFS Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Infinite Loop vulnerability in Hitachi ABB Power Grids AFS Series products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-075-03 ∗∗∗ BD Alaris 8015 PC Unit (Update B) ∗∗∗ --------------------------------------------- [...] This advisory contains compensating controls to reduce the risk of exploitation of insufficiently protected credentials and security features vulnerabilities in BD Alaris 8015 Point of Care units, which provide a common user interface for programming [...] --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-17-017-02 ∗∗∗ DP API encryption ineffective in Windows containers: Publicly Available Cryptographic Keys (CVE-2021-1645) ∗∗∗ --------------------------------------------- We recently discovered a vulnerability in the DP API key management of Windows containers. This vulnerability was assigned CVE-2021-1645 by Microsoft [1] and allowed attackers to decrypt any data that was encrypted with DP API keys in Windows containers. This vulnerability was discovered in close cooperation with SignPath [2]. --------------------------------------------- https://certitude.consulting/blog/en/windows-docker-dp-api-vulnerability-cv… ∗∗∗ Apache Tomcat vulnerability CVE-2021-25329 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73648110 ∗∗∗ Apache Tomcat vulnerability CVE-2021-25122 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00174195 ∗∗∗ TYPO3 Extensions: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0276 ∗∗∗ TYPO3 Core: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0275 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-a… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m… ∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale allows to inject malicious content into log files (CVE-2020-4851) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SE affects IBM Spectrum Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2021
by Daily end-of-shift report 15 Mar '21

15 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-03-2021 18:30 − Montag 15-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Protecting on-premises Exchange Servers against recent attacks ∗∗∗ --------------------------------------------- While Microsoft has regular methods for providing tools to update software, this extraordinary situation calls for a heightened approach. In addition to our regular software updates, we are also providing specific updates for older and out-of-support software with the intent to make it as easy as possible to quickly protect your business. --------------------------------------------- https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-e… ∗∗∗ Update verfügbar! ∗∗∗ --------------------------------------------- Zum internationalen Weltverbrauchertag gibt das BSI Informationen und Hinweise zur einfachen und automatischen Installation von Software-Aktualisierungen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Research: Security Agencies Expose Information via Improperly Sanitized PDFs ∗∗∗ --------------------------------------------- Most security agencies fail to properly sanitize Portable Document Format (PDF) files before publishing them, thus exposing potentially sensitive information and opening the door for attacks, researchers have discovered. read more --------------------------------------------- https://www.securityweek.com/research-security-agencies-expose-information-… ===================== = Vulnerabilities = ===================== ∗∗∗ Three Flaws in the Linux Kernel Since 2006 Could Grant Root Privileges ∗∗∗ --------------------------------------------- "Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account," reports SC Media: "If you already had execution on a box, either because you have a user account on the machine, or youve compromised some service that doesnt have repaired permissions, you can do whatever you want basically," said Adam Nichols, [...] --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/d0iuqi9zTtI/three-flaws-in-… ∗∗∗ Sicherheitsupdate: Angreifer nehmen erneut Google Chrome ins Visier ∗∗∗ --------------------------------------------- Die Chrome-Entwickler haben im Webbrowser fünf Sicherheitslücken geschlossen. Eine Schwachstellen sollen Angreifer derzeit ausnutzen. --------------------------------------------- https://heise.de/-5987831 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ca-certificates, flatpak, golang-1.7, golang-1.8, mupdf, pygments, and tiff), Fedora (containerd, golang-github-containerd-cri, mingw-gdk-pixbuf, mingw-glib2, mingw-jasper, mingw-python-jinja2, mingw-python-pillow, mingw-python3, python-django, python-pillow, and python2-pillow), Mageia (git, mediainfo, netty, python-django, and quartz), openSUSE (crmsh, git, glib2, kernel-firmware, openldap2, stunnel, and wpa_supplicant), Oracle (qemu), Red Hat [...] --------------------------------------------- https://lwn.net/Articles/849406/ ∗∗∗ GnuTLS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0273 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Apr 2020 CPU (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: Streams Flows might be affected by some underlying Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-streams-flows-might-be-af… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a denial of service vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Execution with Unnecessary Privileges vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime Environment affects installation and uninstallation of IBM Spectrum Protect for Enterprise Resource Planning on AIX and Linux (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2020 CPU (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect's API Manager is vulnerable to invitation and registration link tampering (CVE-2021-20440) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-api-mana… ∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4448) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by remote code execution (CVE-2020-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2021
by Daily end-of-shift report 12 Mar '21

12 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-03-2021 18:30 − Freitag 12-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sie warten auf ein Paket? Vorsicht vor dieser betrügerischen E-Mail! ∗∗∗ --------------------------------------------- Immer wieder versuchen Kriminelle Sie durch falsche Behauptungen in eine Abo-Falle zu locken oder an Ihre Daten zu kommen. Derzeit melden uns LeserInnen betrügerische E-Mails, in denen behauptet wird, dass ein Paket nicht zugestellt werden kann, da die Adresse fehle. Doch Vorsicht: Es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/sie-warten-auf-ein-paket-vorsicht-vo… ∗∗∗ Zusatzkosten & lange Lieferzeiten? So vermeiden Sie Probleme bei Online-Shops außerhalb der EU! ∗∗∗ --------------------------------------------- Immer wieder werden uns Online-Shops gemeldet, die zwar keine Fake-Shops, aber trotzdem problematisch sind. Das gilt insbesondere für Shops, die entweder Ihren Sitz außerhalb der EU haben oder von außerhalb der EU liefern lassen. Wir zeigen Ihnen, auf was Sie achten müssen, damit Sie keine bösen Überraschungen beim Online-Shopping im Ausland erleben! --------------------------------------------- https://www.watchlist-internet.at/news/zusatzkosten-lange-lieferzeiten-so-v… ∗∗∗ New DEARCRY Ransomware is targeting Microsoft Exchange Servers ∗∗∗ --------------------------------------------- A new ransomware called DEARCRY is targeting Microsoft Exchange servers, with one victim stating they were infected via the ProxyLogon vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-dearcry-ransomware-is-ta… ∗∗∗ What Are BEC Attacks? ∗∗∗ --------------------------------------------- Otherwise known as BEC, Business e-mail compromise happens when an attacker hacks into a corporate e-mail account and impersonates the real owner with the sole purpose to defraud the company, its customers, partners and/or employees into sending money or sensitive data to the attacker’s account. Also known as the “man-in-the-email” attack, BEC scams start with [...] --------------------------------------------- https://heimdalsecurity.com/blog/what-are-bec-attacks/ ∗∗∗ New Threat: ZHtrap botnet implements honeypot to facilitate finding more victims ∗∗∗ --------------------------------------------- In the security community, when people talk about honeypot, by default we would assume this is one of the most used toolkits for security researchers to lure the bad guys. But recently we came across a botnet uses honeypot to harvest other infected devices, which is quite interesting. --------------------------------------------- https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/ ∗∗∗ A Spectre proof-of-concept for a Spectre-proof web ∗∗∗ --------------------------------------------- Three years ago, Spectre changed the way we think about security boundaries on the web. It quickly became clear that flaws in modern processors undermined the guarantees that web browsers could make about preventing data leaks between applications. As a result, web browser vendors have been continuously collaborating on approaches intended to harden the platform at scale. Nevertheless, this class of attacks still [...] --------------------------------------------- https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spec… ∗∗∗ Mac Malware XCSSET Adapted for Devices With M1 Chips ∗∗∗ --------------------------------------------- An increasing number of Mac malware developers have started creating variants that are specifically designed to run on devices powered by Apple’s M1 chip. --------------------------------------------- https://www.securityweek.com/mac-malware-xcsset-adapted-devices-m1-chips ∗∗∗ New Browser Attack Allows Tracking Users Online With JavaScript Disabled ∗∗∗ --------------------------------------------- [...] the latest research released this week aims to bypass such browser-based mitigations by implementing a side-channel attack called "CSS Prime+Probe" constructed solely using HTML and CSS, allowing the attack to work even in hardened browsers like Tor, Chrome Zero, and DeterFox that have JavaScript fully disabled or limit the resolution of the timer API. --------------------------------------------- https://thehackernews.com/2021/03/new-browser-attack-allows-tracking.html ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: D-Link DIR-3060 Authenticated RCE (CVE-2021-28144) ∗∗∗ --------------------------------------------- The D-Link DIR-3060 (running firmware versions below v1.11b04) is affected by a post-authentication command injection vulnerability. Anybody with authenticated access to a DIR-3060 would be able to run arbitrary system commands on the device as the system "admin" user, with root privileges. D-Link has released a patched firmware version v1.11b04 Hotfix 2 to address this issue. Affected users are advised to apply the patch. --------------------------------------------- https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mupdf and pygments), Fedora (arm-none-eabi-newlib, nodejs, python3.10, and suricata), Mageia (ansible, ceph, firejail, glib2.0, gnuplot, libcaca, mumble, openssh, postgresql, python-cryptography, python-httplib2, python-yaml, roundcubemail, and ruby-mechanize), Scientific Linux (wpa_supplicant), Slackware (git), SUSE (crmsh, libsolv, libzypp, yast2-installation, zypper, openssl-1_0_0, python, and stunnel), and Ubuntu (pillow). --------------------------------------------- https://lwn.net/Articles/849208/ ∗∗∗ Schneider Electric IGSS SCADA Software ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerabilities in Schneider Electric IGSS SCADA software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-070-01 ∗∗∗ Wireshark: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0266 ∗∗∗ NetBSD Foundation NetBSD OS: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0270 ∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-8277 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c… ∗∗∗ Security Bulletin: A security vulnerability in Vault affects Bastion Service of IBM Cloud Pak for Multicloud Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by a vulnerability in libcurl (CVE-2019-5436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerability in TLS (CVE-2020-4831) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-… ∗∗∗ Security Bulletin: A security vulnerability in Vault affects Bastion Service of IBM Cloud Pak for Multicloud Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-26116 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2021
by Daily end-of-shift report 11 Mar '21

11 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-03-2021 18:30 − Donnerstag 11-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Der Hafnium Exchange-Server-Hack: Anatomie einer Katastrophe ∗∗∗ --------------------------------------------- Hätte Microsoft den Massenhack von Exchange-Servern mit rascheren Reaktionen verhindern verhindern können? Der Ablauf der Ereignisse wirft Fragen auf. --------------------------------------------- https://heise.de/-5077269 ∗∗∗ NAT-Slipstreaming-Angriffe: Es kommt noch schlimmer ∗∗∗ --------------------------------------------- Zeit zu handeln: Mit dem NAT-Slipstreaming 2.0 können Kriminelle nicht nur das Gerät des Opfers, sondern jede IP-Adresse im Netzwerk angreifen. --------------------------------------------- https://heise.de/-5078104 ∗∗∗ Exchange-Lücken: Jetzt kommt die Cybercrime-Welle mit Erpressung ∗∗∗ --------------------------------------------- Ein öffentlicher Exploit für die Sicherheitslücken in Microsoft Exchange bedeutet, dass die ersten Erpressungsfälle vor der Tür stehen. --------------------------------------------- https://heise.de/-5078180 ∗∗∗ F5 Announces Critical BIG-IP pre-auth RCE bug ∗∗∗ --------------------------------------------- F5 Networks is a leading provider of enterprise networking gear, with software and hardware customers like governments, Fortune 500 firms, banks, internet service providers, and largely known consumer brands (Microsoft, Oracle, and Facebook). The patch refers to the four critical vulnerabilities listed below and also includes a pre-auth RCE security flaw (CVE-2021-22986) that allows unauthenticated [...] --------------------------------------------- https://heimdalsecurity.com/blog/f5-announces-critical-bug/ ∗∗∗ FIN8 Resurfaces with Revamped Backdoor Malware ∗∗∗ --------------------------------------------- The financial cyber-gang is running limited attacks ahead of broader offensives on point-of-sale systems. --------------------------------------------- https://threatpost.com/fin8-resurfaces-backdoor-malware/164684/ ∗∗∗ Piktochart - Phishing with Infographics, (Thu, Mar 11th) ∗∗∗ --------------------------------------------- In line with our recent diaries featuring unique attack vectors for credential theft, such as phishing over LinkedIn Mail[1] and pretending to be an Outlook version update[2], we've recently learned of a phishing campaign targetting users of the Infographic service Piktochart. --------------------------------------------- https://isc.sans.edu/diary/rss/27194 ∗∗∗ Magento 2 PHP Credit Card Skimmer Saves to JPG ∗∗∗ --------------------------------------------- Bad actors often leverage creative techniques to conceal malicious behaviour and harvest sensitive information from ecommerce websites. A recent investigation for a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file. --------------------------------------------- https://blog.sucuri.net/2021/03/magento-2-php-credit-card-skimmer-saves-to-… ∗∗∗ Home Assistant, Pwned Passwords and Security Misconceptions ∗∗∗ --------------------------------------------- Two of my favourite things these days are Have I Been Pwned and Home Assistant. The former is an obvious choice, the latter Ive come to love as Ive embarked on my home automation journey. So, it was with great pleasure that I saw the two integrated recently:always something. --------------------------------------------- https://www.troyhunt.com/home-assistant-pwned-passwords-and-security-miscon… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (zeromq3), Oracle (dotnet, dotnet3.1, python3, and wpa_supplicant), and Red Hat (wpa_supplicant). --------------------------------------------- https://lwn.net/Articles/849088/ ∗∗∗ Security Advisory - Sudo Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210310… ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0260 ∗∗∗ Linux kernel ext3/ext4 file system vulnerability CVE-2020-14314 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67830124 ∗∗∗ glibc vulnerability CVE-2019-25013 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68251873 ∗∗∗ glibc vulnerability CVE-2020-29573 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27238230 ∗∗∗ Security Bulletin: IBM Sterling Connect:Express for UNIX is Affected by Multiple Vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectexpre… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4135). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Symbolic Link Permissions Problem Modeler Subscription Installer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-symbolic-link-permissions… ∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4200). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Network Performance Insight 1.3.1 was affected by vulnerability in jackson-databind (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2021
by Daily end-of-shift report 10 Mar '21

10 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-03-2021 18:30 − Mittwoch 10-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Exchange-Hack: Microsoft-365-Migrationstool durch Textdatei ausgetauscht ∗∗∗ --------------------------------------------- Ein Golem.de-Leser wollte Exchange-Konten des Arbeitgebers auf Microsoft 365 migrieren. Statt des Hilfstools gab es eine Textdatei mit Nachricht. --------------------------------------------- https://www.golem.de/news/exchange-hack-microsoft-365-migrationstool-durch-… ∗∗∗ Unauthenticated MQTT endpoints on Linksys Velop routers enable local DoS ∗∗∗ --------------------------------------------- (Edit: this is CVE-2021-1000002)Linksys produces a series of wifi mesh routers under the Velop line. These routers use MQTT to send messages to each other for coordination purposes. In the version I tested against, there was zero authentication on this - anyone on the local network is able to connect to the MQTT interface on a router and send commands. --------------------------------------------- https://mjg59.dreamwidth.org/56106.html ∗∗∗ Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 ∗∗∗ --------------------------------------------- Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs. These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack. --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/03/05/microsoft-exchange-server-vu… ∗∗∗ SharpRDP - PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th) ∗∗∗ --------------------------------------------- With the amount of remediation folks have these days to catch malicious execution of powershell or the use of tools like psexec, red teams have to be asking themselves - what approach is next for lateral movement after you get that first foothold? --------------------------------------------- https://isc.sans.edu/diary/rss/27188 ∗∗∗ Researchers Unveil New Linux Malware Linked to Chinese Hackers ∗∗∗ --------------------------------------------- Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog. --------------------------------------------- https://thehackernews.com/2021/03/researchers-unveil-new-linux-malware.html ∗∗∗ Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks ∗∗∗ --------------------------------------------- Security researchers have identified multiple vulnerabilities in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the most severe of which could allow a remote, unauthenticated attacker to execute arbitrary code. --------------------------------------------- https://www.securityweek.com/unpatched-flaws-netgear-business-switches-expo… ∗∗∗ Targeted HelloKitty Ransomware Attack ∗∗∗ --------------------------------------------- SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red. HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/78d773e3e014982f6b10f60ac70… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Patch Tuesday - March 2021 ∗∗∗ --------------------------------------------- In their March 2021 security updates, Microsoft list eighty-three CVE numbered vulnerabilities. Of those, ten are rated as Critical with the remainder being rated as Important. Aside from the already well publicized exploitation of the Exchange server vulnerabilities, an Internet Explorer vulnerability is reported as being exploited in the wild. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/c82f6a928a7278759e5eec21b3e… ∗∗∗ Patchday Adobe: Schadcode-Lücken in Connect, Creative Cloud und Framemaker ∗∗∗ --------------------------------------------- Der Software-Hersteller Adobe hat in verschiedenen Anwendungen mehrere kritische Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-5076338 ∗∗∗ Versionsverwaltung Git 2.30.2. behebt Sicherheitslücke beim Klonen ∗∗∗ --------------------------------------------- Die Schwachstelle ermöglicht unter bestimmten Umständen das Ausführen von Skripten beim Klonen von Repositories. --------------------------------------------- https://heise.de/-5076502 ∗∗∗ SAP-Patchday: Kritische Lücken aus SAP MII und NetWeaver AS für Java beseitigt ∗∗∗ --------------------------------------------- SAP hat unter anderem zwei Sicherheitslücken in Manufacturing Integration and Intelligence (MII) & NetWeaver AS JAVA mit CVSS-Scores nahe der 10 geschlossen. --------------------------------------------- https://heise.de/-5076543 ∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in 3MF Consortium lib3mf ∗∗∗ --------------------------------------------- 3MF Consortium’s lib3mf library is vulnerable to a use-after-free vulnerability that could allow an adversary to execute remote code on the victim machine. The lib3mf library is an open-source implementation of the 3MF file format and standard, mainly used for 3D-printing. An attacker could send a target a specially crafted file to create a use-after-free condition. --------------------------------------------- https://blog.talosintelligence.com/2021/03/vuln-spotlight-3mf-lib-.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and privoxy), Fedora (libtpms, privoxy, and x11vnc), openSUSE (chromium), Red Hat (.NET 5.0, .NET Core, .NET Core 2.1, .NET Core 3.1, dotnet, and dotnet3.1), SUSE (git, kernel, openssl-1_1, and wpa_supplicant), and Ubuntu (git and openssh). --------------------------------------------- https://lwn.net/Articles/848973/ ∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- CB-K21/0250: QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0250 ∗∗∗ SSA-979775 V1.0: Stack Overflow Vulnerability in SCALANCE and RUGGEDCOM Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-979775.txt ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a denial of service vulnerability (CVE-2020-2781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2021 CPU (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Go denial of service vulnerability (CVE-2020-7919) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 and Jan 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4464) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in Docker (CVE-2021-21285, CVE-2021-21284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planning (Q12021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Directory Traversal vulnerability (CVE-2020-5016) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2021 CPU (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ BIG-IQ DCD vulnerability CVE-2021-22996 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16352404?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ HA vulnerability CVE-2021-22995 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13155201?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ HA vulnerability CVE-2021-22997 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34074377?utm_source=f5support&utm_mediu… ∗∗∗ F5 TMUI XSS vulnerability CVE-2021-22994 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K66851119?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23003 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43470422?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP ASM iControl REST vulnerability CVE-2021-23001 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06440657?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55237223?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP TMM vulnerability CVE-2021-23000 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34441555?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP SNAT vulnerability CVE-2021-22998 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31934524?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ HA vulnerability CVE-2021-23005 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01243064?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23004 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31025212?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IQ XSS vulnerability CVE-2021-23006 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30585021?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP APM VPN vulnerability CVE-2021-23002 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71891773?utm_source=f5support&utm_mediu… ∗∗∗ TMM buffer-overflow vulnerability CVE-2021-22991 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56715231?utm_source=f5support&utm_mediu… ∗∗∗ TMUI authenticated remote command execution vulnerability CVE-2021-22988 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K70031188?utm_source=f5support&utm_mediu… ∗∗∗ Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45056101?utm_source=f5support&utm_mediu… ∗∗∗ BIG-IP HTTP/2 vulnerability CVE-2021-22999 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K02333782?utm_source=f5support&utm_mediu… ∗∗∗ Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K18132488?utm_source=f5support&utm_mediu… ∗∗∗ iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03009991?utm_source=f5support&utm_mediu… ∗∗∗ Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52510511?utm_source=f5support&utm_mediu… ∗∗∗ Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56142644?utm_source=f5support&utm_mediu… ∗∗∗ glibc vulnerability CVE-2021-3326 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44945790?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.03.2021
by Daily end-of-shift report 09 Mar '21

09 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Montag 08-03-2021 18:30 − Dienstag 09-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ z0Miner botnet hunts for unpatched ElasticSearch, Jenkins servers ∗∗∗ --------------------------------------------- A cryptomining botnet spotted last year is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero (XMR) cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/z0miner-botnet-hunts-for-unp… ∗∗∗ GitHub Fixed a Bug impacting Authenticated Sessions ∗∗∗ --------------------------------------------- Earlier this month GitHub received a report of anomalous behavior from an external party, therefore they fixed the bug trying to protect user accounts against a potentially serious security vulnerability. The weird behavior was generated by a race condition vulnerability that misrouted the GitHub user’s login session to the web browser of another logged-in user, [...] --------------------------------------------- https://heimdalsecurity.com/blog/github-fixes-bug/ ∗∗∗ Serious Security: Webshells explained in the aftermath of HAFNIUM attacks ∗∗∗ --------------------------------------------- Webshells explained, with some (safe) examples you can try at home if you want to learn more. --------------------------------------------- https://nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-expl… ∗∗∗ 9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices. "This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect [...] --------------------------------------------- https://thehackernews.com/2021/03/9-android-apps-on-google-play-caught.html ∗∗∗ Fuzzing grub: part 1 ∗∗∗ --------------------------------------------- Recently a set of 8 vulnerabilities were disclosed for the grub bootloader. I found 2 of them (CVE-2021-20225 and CVE-2021-20233), and contributed a number of other fixes for crashing bugs which we dont believe are exploitable. I found them by applying fuzz testing to grub. Heres how. --------------------------------------------- https://sthbrx.github.io/blog/2021/03/04/fuzzing-grub-part-1/ ∗∗∗ Vorsicht vor betrügerischen Wohnungsinseraten im Facebook-Marketplace ∗∗∗ --------------------------------------------- Auch im Facebook-Marketplace werden Miet- und Eigentumswohnungen inseriert. Ist der Preis jedoch sehr günstig, sollten Sie vorsichtig sein, denn es könnte sich um Betrug handeln. Behaupten VermieterInnen, dass sie im Ausland sind und sie die Besichtigung und Übermittlung der Kaution über Airbnb abwickeln, können Sie eindeutig von Betrug ausgehen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-wohnung… ∗∗∗ Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning ∗∗∗ --------------------------------------------- We review vulnerabilities in dnsmasq, an open source DNS resolver, deep dive into DNS cache poisoning and describe effects on cloud products. --------------------------------------------- https://unit42.paloaltonetworks.com/overview-of-dnsmasq-vulnerabilities-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe fixes critical Creative Cloud, Adobe Connect vulnerabilities ∗∗∗ --------------------------------------------- Adobe has released security updates that fix vulnerabilities in Adobe Creative Cloud Desktop, Framemaker, and Connect. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-creativ… ∗∗∗ Apple Plugs Severe WebKit Remote Code-Execution Hole ∗∗∗ --------------------------------------------- Apple pushed out security updates for a memory-corruption bug to devices running on iOS, macOS, watchOS and for Safari. --------------------------------------------- https://threatpost.com/apple-webkit-remote-code-execution/164595/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox, kernel, kernel-headers, kernel-tools, libebml, and wpa_supplicant), openSUSE (mbedtls), Oracle (kernel, kernel-container, and screen), Red Hat (curl, kernel, kernel-rt, kpatch-patch, nss-softokn, python, and virt:rhel and virt-devel:rhel), Scientific Linux (screen), SUSE (389-ds, crmsh, openldap2, openssl-1_0_0, and wpa_supplicant), and Ubuntu (glib2.0, gnome-autoar, golang-1.10, golang-1.14, and libzstd). --------------------------------------------- https://lwn.net/Articles/848835/ ∗∗∗ Siemens Releases Several Advisories for Vulnerabilities in Third-Party Components ∗∗∗ --------------------------------------------- Siemens on Tuesday published 12 new security advisories to inform customers about nearly two dozen vulnerabilities affecting its products. --------------------------------------------- https://www.securityweek.com/siemens-releases-several-advisories-vulnerabil… ∗∗∗ Synology-SA-21:11 Download Station ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Download Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_11 ∗∗∗ Synology-SA-21:10 Media Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to access intranet resources via a susceptible version of Media Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_10 ∗∗∗ SAP Security Patch Day - March 2021 ∗∗∗ --------------------------------------------- On 9th of March 2021, SAP Security Patch Day saw the release of 9 Security Notes. There were 4 updates to previously released Patch Day Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107 ∗∗∗ Microsoft Exchange attacks: Now Microsoft rushes out a patch for these unsupported Exchange servers, too ∗∗∗ --------------------------------------------- Microsoft provides more patches for critical Exchange vulnerabilities that are being exploited widely on the internet. --------------------------------------------- https://www.zdnet.com/article/microsoft-exchange-attacks-now-microsoft-rush… ∗∗∗ Squid: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0241 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0247 ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring returns potentially sensitive information in headers which could lead to further attacks against the system. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Google Protocol Buffers as used by IBM QRadar SIEM is vulnerable to arbitrary code execution (CVE-2015-5237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-google-protocol-buffers-a… ∗∗∗ Security Bulletin: Information leakage vulnerability affect IBM Business Automation Workflow – CVE-2021-20358 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-leakage-vulne… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 – Includes Oracle Oct 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4687, CVE-2020-4760, CVE-2020-4704 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in JAVA affects IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Vulnerability in FasterXML Jackson libraries affect IBM Cúram Social Program Management (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fasterxm… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2021
by Daily end-of-shift report 08 Mar '21

08 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-03-2021 18:30 − Montag 08-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Angriffe auf Exchange-Server – Microsoft stellt Prüf-Skript für Admins bereit ∗∗∗ --------------------------------------------- Sicherheitslücken im Exchange-Server ziehen derzeit Angriffe auf sich. Microsoft stellt ein Skript bereit, mit dem Administratoren ihre Systeme prüfen können. --------------------------------------------- https://heise.de/-5073827 ∗∗∗ A Basic Timeline of the Exchange Mass-Hack ∗∗∗ --------------------------------------------- Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Heres a brief timeline of what we know leading up to last weeks mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program. --------------------------------------------- https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-h… ∗∗∗ Ransomware gang plans to call victims business partners about attacks ∗∗∗ --------------------------------------------- The REvil ransomware operation announced this week that they are using DDoS attacks and voice calls to journalists and victims business partners to generate ransom payments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-cal… ∗∗∗ Spotting the Red Team on VirusTotal!, (Sat, Mar 6th) ∗∗∗ --------------------------------------------- Many security researchers like to use the VirusTotal platform. The provided services are amazing: You can immediately have a clear overview of the dangerousness level of a file but... VirusTotal remains a cloud service. It means that, once you uploaded a file to scan it, you have to consider it as "lost" and available to a lot of (good or bad) people! --------------------------------------------- https://isc.sans.edu/diary/rss/27174 ∗∗∗ The January/February 2021 issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Dependency confusion - when trust is too good to be true Water hacking - not a new trendy sport, but [...] --------------------------------------------- https://securityblog.switch.ch/2021/03/08/the-january-february-2021-issue-o… ∗∗∗ Domain dumpster diving ∗∗∗ --------------------------------------------- By Jaeson Schultz. Dumpster diving - searching through the trash looking for items of value - has long been a staple of hacking culture. In the 1995 movie "Hackers," Acid Burn and Crash Override are seen dumpster diving for information they can use to help them "hack the Gibson." Of course, not all trash is physical garbage located in a dumpster behind an office building. Some trash is virtual. --------------------------------------------- https://blog.talosintelligence.com/2021/03/domain-dumpster-diving.html ∗∗∗ Bazar Drops the Anchor ∗∗∗ --------------------------------------------- The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage [...] --------------------------------------------- https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical 0-day in The Plus Addons for Elementor Allows Site Takeover ∗∗∗ --------------------------------------------- Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative [...] --------------------------------------------- https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-fo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (activemq, libcaca, libupnp, mqtt-client, and xcftools), Fedora (ceph, mupdf, nagios, python-PyMuPDF, and zathura-pdf-mupdf), Mageia (cups, kernel, pngcheck, and python-pygments), openSUSE (bind, chromium, gnome-autoar, kernel, mbedtls, nodejs8, and thunderbird), and Red Hat (nodejs:10, nodejs:12, nodejs:14, screen, and virt:8.2 and virt-devel:8.2). --------------------------------------------- https://lwn.net/Articles/848710/ ∗∗∗ Linux kernel vulnerability CVE-2019-18282 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32380005 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14779,CVE-2020-14796, CVE-2020-14797,CVE-2020-14798) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect TPF Toolkit ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind affect IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server January 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect's provider org registration flow is vulnerable to impersonation and sensitive information leak. CVE-2020-4903) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-provider… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via Node.js (CVE-2020-8277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ Security Bulletin: IBM API Connect V10 is impacted by insecure communications during database replication (CVE-2020-4695) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v10-is-im… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Java SE. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to an RCE attack (CVE-2020-5014) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2021
by Daily end-of-shift report 05 Mar '21

05 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-03-2021 18:30 − Freitag 05-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft: Exchange updates can install without fixing vulnerabilities ∗∗∗ --------------------------------------------- Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control (UAC) is enabled. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-updates-c… ∗∗∗ D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant ∗∗∗ --------------------------------------------- A new variant of the Gafgyt botnet - thats actively targeting vulnerable D-Link and Internet of Things devices - is the first variant of the malware to rely on Tor communications, researchers say. --------------------------------------------- https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/ ∗∗∗ QNAP NAS users, make sure you check your system ∗∗∗ --------------------------------------------- On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507)[1], upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities. --------------------------------------------- https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ ∗∗∗ Spam Farm Spotted in the Wild, (Fri, Mar 5th) ∗∗∗ --------------------------------------------- If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails. --------------------------------------------- https://isc.sans.edu/diary/rss/27170 ∗∗∗ Kampf der Excel-Schadsoftware: AMSI gegen verseuchten XML-Code ∗∗∗ --------------------------------------------- Microsoft baut sein Antimalware Scan Interface (AMSI) aus. Neben VBA- kann es jetzt auch XML-Code scannen. --------------------------------------------- https://heise.de/-5073364 ∗∗∗ QNAPCrypt and SunCrypt Ransomware Connection ∗∗∗ --------------------------------------------- Intezer has published a blog posting that provides an analysis of the connections between the QNAPCrypt and SunCrypt ransomware. SunCrypt is affiliate ransomware service while QNAPCrypt surfaced in 2019 and was used to target devices from QNAP and Synology. The analysis concludes that the current SunCrypt ransomware shares many similarities [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/75ee68a919cad9c434c63bfb0e3… ∗∗∗ GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence ∗∗∗ --------------------------------------------- Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM - the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP. --------------------------------------------- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot… ===================== = Vulnerabilities = ===================== ∗∗∗ Grub 2: Acht neue Schwachstellen im Bootloader ∗∗∗ --------------------------------------------- Die Entwickler von Grub 2 haben mehrere Lücken gemeldet. Einige davon können erneut Secure Boot aushebeln, was den Update-Prozess deutlich verkompliziert. --------------------------------------------- https://heise.de/-5073481 ∗∗∗ Benchmarking-Tool VMware View Planner ist für Schadcode anfällig ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für VMware View Planner. Unter bestimmten Voraussetzungen könnten Angreifer eigene Befehle ausführen. --------------------------------------------- https://heise.de/-5073000 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa). --------------------------------------------- https://lwn.net/Articles/848416/ ∗∗∗ Supermicro, Pulse Secure Respond to Trickbots Ability to Target Firmware ∗∗∗ --------------------------------------------- Server and storage technology giant Supermicro and secure access solutions provider Pulse Secure have issued advisories to inform users that some of their products are vulnerable to the Trickbot malware’s ability to target firmware. --------------------------------------------- https://www.securityweek.com/supermicro-pulse-secure-respond-trickbots-abil… ∗∗∗ ICS-CERT Advisories March 04 2021 ∗∗∗ --------------------------------------------- The ICS-CERT has published 2 advisories that affect Rockwell Automation 1734-AENTR Series B and Series C, and Schneider Electric EcoStruxure Building Operation (EBO). Further information is available from the advisories which are summarised below. https://us-cert.cisa.gov/ics/advisories/icsa-21-063-01 https://us-cert.cisa.gov/ics/advisories/icsa-21-063-02 --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/32af714c7074693f32dfa23b263… ∗∗∗ BIND vulnerability CVE-2020-8625 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13591074?utm_source=f5support&utm_mediu… ∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0238 ∗∗∗ Security Bulletin: Google-api-client as used by IBM QRadar SIEM is vulnerable to authorization bypass (CVE-2020-7692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-google-api-client-as-used… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (March 2021) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM StoredIQ for Legal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2021
by Daily end-of-shift report 04 Mar '21

04 Mar '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-03-2021 18:30 − Donnerstag 04-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Researcher bitsquats Microsofts windows.com to steal traffic ∗∗∗ --------------------------------------------- A researcher was able to bitsquat Microsofts windows.com domain by cybersquatting variations of windows.com. Adversaries can abuse this tactic to conduct automated attacks or collect data due to the nature of bit flipping. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-bitsquats-microso… ∗∗∗ Trojan Spyware and BEC Attacks ∗∗∗ --------------------------------------------- When it comes to an organization’s security, business email compromise (BEC) attacks are a big problem. One primary reason impacts are so significant is that attacks often use a human victim to authorize a fraudulent transaction to bypass existing security controls that would normally be used to prevent fraud. Another reason is that social engineering lures may be expertly crafted by the attacker after they have been monitoring a victim’s activity for some time, resulting in more [...] --------------------------------------------- https://blog.sucuri.net/2021/03/trojan-spyware-and-bec-attacks.html ∗∗∗ Cybercriminals Finding Ways to Bypass 3D Secure Fraud Prevention System ∗∗∗ --------------------------------------------- Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure (3DS), which is designed to improve the security of online credit and debit card transactions. --------------------------------------------- https://www.securityweek.com/cybercriminals-finding-ways-bypass-3d-secure-f… ∗∗∗ Kryptowährung einzahlen und das Doppelte zurückerhalten? FAKE! ∗∗∗ --------------------------------------------- Die Watchlist Internet sowie die Internet Ombudsstelle erhalten immer häufiger Nachrichten verzweifelter KonsumentInnen. Sie bezahlen hohe Beträge in Kryptowährungen wie Bitcoin, Ethereum oder Ripple auf betrügerischen Plattformen ein, die eine Rückzahlung des Doppelten oder eines Vielfachen des Betrags versprechen. Jegliche Einzahlung ist verloren und das Geld kann nicht mehr zurückgeholt werden! --------------------------------------------- https://www.watchlist-internet.at/news/kryptowaehrung-einzahlen-und-das-dop… ===================== = Vulnerabilities = ===================== ∗∗∗ Windows DNS SIGRed bug gets first public RCE PoC exploit ∗∗∗ --------------------------------------------- A working proof-of-concept (PoC) exploit is now publicly available for the critical SIGRed Windows DNS Server remote code execution (RCE) vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-dns-sigred-bug-gets-… ∗∗∗ D-Link: Update für Wireless Access Point DAP-2020 beseitigt drei Schwachstellen ∗∗∗ --------------------------------------------- Ein wichtiges Firmware-Update beseitigt Angriffsmöglichkeiten aus benachbarten Netzwerken ohne Authentifizierung. --------------------------------------------- https://heise.de/-5071286 ∗∗∗ XSA-367 - Linux: netback fails to honor grant mapping errors ∗∗∗ --------------------------------------------- A malicious or buggy networking frontend driver may be able to crash the corresponding backend driver, potentially affecting the entire domain running the backend driver. In a typical (non-disaggregated) system that is a host-wide denial of service (DoS). --------------------------------------------- https://xenbits.xen.org/xsa/advisory-367.html ∗∗∗ XSA-369 - Linux: special config may crash when trying to map foreign pages ∗∗∗ --------------------------------------------- A Dom0 or driver domain based on a Linux kernel (configured as described above) can be crashed by a malicious guest administrator, or possibly malicious unprivileged guest processes. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-369.html ∗∗∗ Critical Vulnerability Patched in WooCommerce Upload Files ∗∗∗ --------------------------------------------- On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000 installations. Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin. After confirming the [...] --------------------------------------------- https://www.wordfence.com/blog/2021/03/critical-vulnerability-patched-in-wo… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (389-ds-base, dogtag-pki, freeipa, isync, pki-core, and screen), Mageia (firefox, kernel, kernel-linus, libtiff, nonfree-firmware, and thunderbird), Red Hat (bind and java-1.8.0-ibm), Scientific Linux (grub2), and SUSE (kernel-firmware, openldap2, postgresql12, and python-cryptography). --------------------------------------------- https://lwn.net/Articles/848223/ ∗∗∗ High severity Linux network security holes found, fixed ∗∗∗ --------------------------------------------- This nasty set of bugs can lead to an attacker gaining root access, but the patch is already available. --------------------------------------------- https://www.zdnet.com/article/linux-network-security-holes-found-fixed/ ∗∗∗ Shodan Verified Vulns 2021-03-01 ∗∗∗ --------------------------------------------- Ein weiteres Monat ist vorbei und wir werfen wieder einen Blick auf die Schwachstellen, die Shodan in Österreich sieht. Mit Stand 2021-03-01 ergibt sich folgendes Bild: Zum Vormonat hat sich damit fast gar nichts verändert, nur der Gastauftritt von CVE-2019-19781 a.k.a. "Shitrix" im Jänner ist anscheinend wieder vorbei. Eine Übersicht und weiterführende Links zu allen "Verified Vulnerabilities", die Shodan in Österreich gefunden hat, findet [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/3/shodan-verified-vulns-2021-03-01 ∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2021-24122) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise v11 ( CVE-2020-7788) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site request forgery vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a systemd vulnerability (CVE-2019-20386) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by libexpat vulnerabilities (CVE-2018-20843, CVE-2019-15903) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by libxslt vulnerabilities (CVE-2019-11068, CVE-2019-18197) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily March 2021