=====================
= End-of-Day report =
=====================
Timeframe: Thursday 29-04-2021 18:00 - Friday 30-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Qnap NAS devices with outdated firmware fall victim to AgeLocker ransomware ∗∗∗
---------------------------------------------
Once again, a ransomware trojan is targeting network-attached storage (NAS) devices from Qnap.
---------------------------------------------
https://heise.de/-6032831
∗∗∗ Investment fraud: Alexander Van der Bellen is not promoting Bitcoin investments! ∗∗∗
---------------------------------------------
Time and again we report that celebrities are misused without justification to advertise dubious trading platforms. Currently the criminals have set their sights on the Austrian Federal President Alexander Van der Bellen. According to fabricated reports, he supposedly uses dubious platforms such as "Bitcoin Era", "Bitcoin Prime" or "Crypto Revolt" to earn extra money. Do not believe these reports.
---------------------------------------------
https://www.watchlist-internet.at/news/anlagebetrug-alexander-van-der-belle…
∗∗∗ Codecov begins notifying affected customers, discloses IOCs ∗∗∗
---------------------------------------------
Codecov has now started notifying the maintainers of software repositories affected by the recent supply-chain attack. These notifications, delivered via both email and the Codecov application interface, state that the company believes the affected repositories were downloaded by threat actors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/codecov-begins-notifying-aff…
∗∗∗ DomainTools And Digital Archeology: A Look At RotaJakiro ∗∗∗
---------------------------------------------
Gain additional insight into the malware dubbed RotaJakiro by Netlab with analysis by Chad Anderson on additional infrastructure unearthed including IP addresses, C2 domains, and more.
---------------------------------------------
https://www.domaintools.com/resources/blog/domaintools-and-digital-archeolo…
∗∗∗ Babuk Ransomware Gang Mulls Retirement ∗∗∗
---------------------------------------------
The RaaS operators have been posting, tweaking and taking down a goodbye note, saying that they'll be open-sourcing their data encryption malware for other crooks to use.
---------------------------------------------
https://threatpost.com/babuk-ransomware-gang-mulls-retirement/165742/
∗∗∗ Security baseline for Microsoft 365 Apps for enterprise v2104 - FINAL ∗∗∗
---------------------------------------------
Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2104. Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate. If you have questions or issues, please let us know via the Security Baseline Community or this post.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ Qiling: A true instrumentable binary emulation framework, (Fri, Apr 30th) ∗∗∗
---------------------------------------------
A while ago, during the FLARE On 7 challenge last autumn, I had my first experience with the Qiling framework. It helped me to solve the challenge CrackInstaller by Paul Tarter (@Hefrpidge). If you want to read more about this (very interesting) challenge: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/flareon7-challeng….
---------------------------------------------
https://isc.sans.edu/diary/rss/27372
∗∗∗ How to Find & Fix Mixed Content Issues with SSL / HTTPS ∗∗∗
---------------------------------------------
Note: We’ve updated this post to reflect the evolving security standards around mixed content, SSLs, and server access as a whole. With the web’s increased emphasis on security, all sites should operate on HTTPS. Installing an SSL allows you to make that transition with your website. But it can also have an unintended consequence for sites that have been operating on HTTP previously: Mixed content warnings. Today, let’s look at these common errors, what causes them, and how [...]
---------------------------------------------
https://blog.sucuri.net/2021/04/how-to-find-fix-mixed-content-issues-with-s…
∗∗∗ UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat ∗∗∗
---------------------------------------------
Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not been previously reported publicly.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fi…
∗∗∗ IoT riddled with BadAlloc vulnerabilities ∗∗∗
---------------------------------------------
A set of memory allocation vulnerabilities, dubbed BadAlloc, has been found in a massive number of IoT and OT devices.
---------------------------------------------
https://blog.malwarebytes.com/reports/2021/04/iot-riddled-with-badalloc-vul…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security flaw reveals locations of electric two-wheelers and phone numbers ∗∗∗
---------------------------------------------
The API of two-wheeler manufacturer Supersoco has a serious security flaw, but neither the manufacturer nor the German/Austrian importer is doing anything about it.
---------------------------------------------
https://heise.de/-6032820
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (bind, chromium, firefox, gitlab, libupnp, nimble, opera, thunderbird, virtualbox, and vivaldi), Debian (composer, edk2, and libhibernate3-java), Fedora (java-1.8.0-openjdk, jetty, and samba), openSUSE (nim), Oracle (bind and runc), Red Hat (bind), SUSE (cifs-utils, cups, ldb, samba, permissions, samba, and tomcat), and Ubuntu (samba).
---------------------------------------------
https://lwn.net/Articles/855029/
∗∗∗ Texas Instruments SimpleLink ∗∗∗
---------------------------------------------
This advisory contains mitigations for Stack-based Buffer Overflow and Integer Overflow or Wraparound vulnerabilities in Texas Instruments SimpleLink wireless microcontrollers.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-01
∗∗∗ Cassia Networks Access Controller ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Path Traversal vulnerability in Cassia Networks Access Controller Bluetooth network management tool.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-02
∗∗∗ Johnson Controls Exacq Technologies exacqVision ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Off-by-one Error vulnerability in the Ubuntu operating system of Exacq Technologies exacqVision. Exacq Technologies is a subsidiary of Johnson Controls.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-03
∗∗∗ Multiple RTOS ∗∗∗
---------------------------------------------
CISA is aware of a public report, known as “BadAlloc” that details vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. This advisory contains mitigations for Integer Overflow or Wraparound vulnerabilities associated with this "BadAlloc" report.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04
∗∗∗ ctrlX CORE - IDE App affected by OpenSSL and Python Vulnerabilities ∗∗∗
---------------------------------------------
BOSCH-SA-017743: Multiple vulnerabilities affecting OpenSSL Versions previous to 1.1.1k and Python 0 through 3.9.1, have been reported. Affected versions are included in the ctrlX CORE - IDE App. In order to successfully exploit these vulnerabilities, an attacker requires access to the network or system. Two vulnerabilities (CVE-2021-3177 and CVE-2021-27619) are notably critical, as they can be easily exploited. The exploitation of these vulnerabilities can lead to remote code execution
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-017743.html
∗∗∗ FTP Backdoor for Rexroth Fieldbus Couplers S20 and Inline ∗∗∗
---------------------------------------------
BOSCH-SA-428397: On some Fieldbus Couplers, there is a hidden, password-protected FTP area for the root directory.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-428397.html
∗∗∗ Parallels Desktop RDPMC Hypercall Interface and Vulnerabilities ∗∗∗
---------------------------------------------
Parallels Desktop implements a hypercall interface using an RDPMC instruction (“Read Performance-Monitoring Counter”) for communication between guest and host. More interestingly, this interface is accessible even to an unprivileged guest user. Though the HYPER-CUBE: High-Dimensional Hypervisor Fuzzing [PDF] paper by Ruhr-University Bochum has a brief mention of this interface, we have not seen many details made public. This blog post gives a brief description of the interface and [...]
---------------------------------------------
https://www.thezdi.com/blog/2021/4/26/parallels-desktop-rdpmc-hypercall-int…
∗∗∗ QNAP NAS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0462
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a denial of service attack through a DNS lookup that returns a large number of responses (CVE-2020-8277) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a Server-Side Request Forgery vulnerability (CVE-2020-28168) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: Images built from IBM App Connect Enterprise Certified Container images may be vulnerable to information exposure via CVE-2020-15095 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-images-built-from-ibm-app…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service and HTTP request smuggling vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: iOS Vulnerable Minimum OS Version Supported ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ios-vulnerable-minimum-os…
∗∗∗ Security Bulletin: z/TPF is affected by an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-an-o…
∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to a stack based buffer overflow, caused by improper bounds checking. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container flows may be vulnerable to spoofing attacks (CVE-2020-26291) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring components may be vulnerable to a denial of service attack (CVE-2020-28477) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 28-04-2021 18:00 - Thursday 29-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Google: Android's COVID contact tracing leaks data ∗∗∗
---------------------------------------------
Only the Exposure Notification Framework was supposed to be able to access the collected contacts, but Android writes them to a log.
---------------------------------------------
https://www.golem.de/news/corona-warn-app-androids-corona-kontaktverfolgung…
∗∗∗ Threat Alert: New update from Sysrv-hello, now infecting victims' webpages to push malicious exe to end users ∗∗∗
---------------------------------------------
From the end of last year to now, we have seen the uptick of the mining botnet families. While new families have been popping up, some old ones get frequently updated. Our BotMon system has recently reported about the [rinfo][z0miner]. And the latest case comes from Sysrv-hello [...]
---------------------------------------------
https://blog.netlab.360.com/threat-alert-new-update-from-sysrv-hello-now-in…
∗∗∗ Announcing the New Report Delta Mode Option ∗∗∗
---------------------------------------------
A new opt-in feature in our reporting mechanism will allow for reporting only the changes of the data from day to day: the report delta mode option. In this mode, every Sunday we will continue to deliver a full set of reports on all events observed on a report recipient's network. For the rest of the week, for every distinct report type we will report only the difference between events seen on that day relative to the Sunday report. This will continue throughout the week until the [...]
---------------------------------------------
https://www.shadowserver.org/news/announcing-the-new-report-delta-mode-opti…
∗∗∗ Digital Ocean springs a leak: Miscreant exploits hole to peep on unlucky customers' billing details for two weeks ∗∗∗
---------------------------------------------
First that IPO and now this: Digital Ocean on Wednesday said someone was able to snoop on some of its cloud subscribers' billing information via a now-patched vulnerability.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2021/04/29/digital_ocea…
∗∗∗ [SANS ISC] From Python to .Net ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "From Python to .Net": The Microsoft operating system provides the .Net framework to developers. It allows to fully interact with the OS and write powerful applications… but also malicious ones. In a previous diary, I talked about a malicious Python script that interacted with the [...]
---------------------------------------------
https://blog.rootshell.be/2021/04/29/sans-isc-from-python-to-net/
∗∗∗ Task Force Seeks to Disrupt Ransomware Payments ∗∗∗
---------------------------------------------
Some of the world's top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.
---------------------------------------------
https://krebsonsecurity.com/2021/04/task-force-seeks-to-disrupt-ransomware-…
∗∗∗ Bitcoin scammers phish for wallet recovery codes on Twitter ∗∗∗
---------------------------------------------
Cryptocurrency scammers are on the prowl for wallet recovery phrases, under the pretence of trying to be helpful.
---------------------------------------------
https://blog.malwarebytes.com/social-engineering/2021/04/bitcoin-scammers-p…
∗∗∗ Anatomy of how you get pwned ∗∗∗
---------------------------------------------
Today, somebody had a problem: they kept seeing a popup on their screen, an obvious scam trying to sell them McAfee anti-virus. Where was this coming from? In this blogpost, I follow this rabbit hole on down. It starts with "search engine optimization" links and leads to an entire industry of tricks, scams, exploiting popups, trying to infect your machine with viruses, and stealing emails or credit card numbers.
---------------------------------------------
https://blog.erratasec.com/2021/04/anatomy-of-how-you-get-pwned.html
∗∗∗ Fraudulent classified ads on hyperanzeigen.at ∗∗∗
---------------------------------------------
Watchlist Internet keeps receiving reports about dubious offers on hyperanzeigen.at. A closer look at the platform itself also raises doubts about its legitimacy. In a check of 15 ads from different categories, we could not find a single genuine one. Furthermore, contact options and a legal notice (Impressum) are missing.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-kleinanzeigen-auf-hyp…
∗∗∗ New Shameless Commodity Cryptocurrency Stealer (WeSteal) and Commodity RAT (WeControl) ∗∗∗
---------------------------------------------
We analyze commodity malware WeSteal, detail its techniques and examine its customers, as well as sharing details of a newly observed RAT, WeControl.
---------------------------------------------
https://unit42.paloaltonetworks.com/westeal/
=====================
= Vulnerabilities =
=====================
∗∗∗ A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks ∗∗∗
---------------------------------------------
The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was [...]
---------------------------------------------
https://thehackernews.com/2021/04/a-new-php-composer-bug-could-enable.html
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has published advisories for 13 vulnerabilities. None of them is rated "Critical", five are rated "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Overview of F5 vulnerabilities (April 2021) ∗∗∗
---------------------------------------------
On April 28th, 2021, F5 announced the following security issues. This document is intended to serve as [...]
---------------------------------------------
https://support.f5.com/csp/article/K96639388
∗∗∗ Vulnerability Exposes F5 BIG-IP to Kerberos KDC Hijacking Attacks ∗∗∗
---------------------------------------------
F5 Networks this week released patches to address an authentication bypass vulnerability affecting BIG-IP Access Policy Manager (APM), but fixes are not available for all impacted versions.
---------------------------------------------
https://www.securityweek.com/vulnerability-exposes-f5-big-ip-kerberos-kdc-h…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (ceph, jetty, kernel, kernel-headers, kernel-tools, openvpn, and shim-unsigned-x64), Mageia (firefox and thunderbird), Oracle (nss and openldap), Red Hat (bind), Slackware (bind), SUSE (firefox, giflib, java-1_7_0-openjdk, libnettle, librsvg, thunderbird, and webkit2gtk3), and Ubuntu (bind9 and gst-plugins-good1.0).
---------------------------------------------
https://lwn.net/Articles/854880/
∗∗∗ ZDI-21-490: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-490/
∗∗∗ ZDI-21-489: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-489/
∗∗∗ ZDI-21-488: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-488/
∗∗∗ ZDI-21-487: (0Day) Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-487/
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to a denial of service vulnerability (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: IBM API Connect is vulnerable to cookie forgery via PHP (CVE-2020-7070) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Internet Systems Consortium BIND: Multiple vulnerabilities enable denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0452
∗∗∗ Samba: Vulnerability enables bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0451
∗∗∗ Drupal: Vulnerability enables bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0459
∗∗∗ PHP: Vulnerability enables bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0458
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-04-2021 18:00 - Wednesday 28-04-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Security: Legal consequences of the Cellebrite hack ∗∗∗
---------------------------------------------
Court rulings in which the forensics software was used to secure evidence are being called into question after the disclosure of the serious security flaws.
---------------------------------------------
https://www.golem.de/news/security-juristische-konsequenzen-durch-den-celle…
∗∗∗ RotaJakiro: A long live secret backdoor with 0 VT detection ∗∗∗
---------------------------------------------
On March 25, 2021, 360 NETLAB's BotMon system flagged a suspicious ELF file (MD5=64f6cfe44ba08b0babdd3904233c4857) with 0 VT detection; the sample communicates with 4 domains on TCP 443 (HTTPS), but the traffic is not TLS/SSL.
---------------------------------------------
https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
∗∗∗ Abusing Replication: Stealing AD FS Secrets Over the Network ∗∗∗
---------------------------------------------
Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-st…
∗∗∗ Emotet: A good 4 million harvested email addresses at checking service Have I Been Pwned ∗∗∗
---------------------------------------------
To better inform those affected, the FBI has shared with HIBP more than four million email addresses that the former "king of malware" Emotet harvested.
---------------------------------------------
https://heise.de/-6030480
∗∗∗ User Empowerment: Password Security ∗∗∗
---------------------------------------------
World Password Day (who knew that was a thing?) is upon us.
---------------------------------------------
https://malicious.link/post/2021/user-empowerment-password-security/
∗∗∗ Österreichische Gesundheitskasse warns of fraudulent calls ∗∗∗
---------------------------------------------
Insured members of the Österreichische Gesundheitskasse (ÖGK) are currently receiving calls from fraudsters. The fraudsters pose as ÖGK employees and call from a supposedly Austrian number.
---------------------------------------------
https://www.watchlist-internet.at/news/oesterreichische-gesundheitskasse-wa…
∗∗∗ Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle ∗∗∗
---------------------------------------------
It has been suspected that exploit code used in the wave of attacks may have been sourced from the program.
---------------------------------------------
https://www.zdnet.com/article/microsoft-mulls-over-threat-data-code-sharing…
∗∗∗ Two million database servers are currently exposed across cloud providers ∗∗∗
---------------------------------------------
Censys said it scanned for MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle databases and found that almost 60% of all exposed servers were MySQL databases, which accounted for 1.15 million of the total 1.93 million exposed DBs.
---------------------------------------------
https://therecord.media/two-million-database-servers-are-currently-exposed-…
∗∗∗ Ransomware gang targets Microsoft SharePoint servers ∗∗∗
---------------------------------------------
Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs.
---------------------------------------------
https://therecord.media/ransomware-gang-targets-microsoft-sharepoint-server…
=====================
= Vulnerabilities =
=====================
∗∗∗ Malicious-code vulnerability in IBM Spectrum Protect puts servers at risk ∗∗∗
---------------------------------------------
Important security updates are available for IBM's data protection solutions Spectrum Protect and Spectrum Protect Plus.
---------------------------------------------
https://heise.de/-6030379
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and shibboleth-sp), Fedora (ceph and salt), Oracle (thunderbird), Red Hat (etcd), Scientific Linux (nss and openldap), SUSE (curl, gdm, and libnettle), and Ubuntu (openjdk-8, openjdk-lts and underscore).
---------------------------------------------
https://lwn.net/Articles/854756/
∗∗∗ Synology-SA-21:15 Antivirus Essential ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to obtain privileges without consent via a susceptible version of Antivirus Essential.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_15
∗∗∗ WordPress plugin "WP Fastest Cache" vulnerable to directory traversal ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN35240327/
∗∗∗ ZDI-21-485: (0Day) Siemens JT2Go DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-485/
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210428-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-16044) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23954) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to a directory traversal vulnerability affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23987) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2020-26974) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23978) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Resource Administrator or Administrator role authenticated local command execution vulnerability CVE-2021-23012 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K04234247
∗∗∗ TMM vulnerability CVE-2021-23011 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K10751325
∗∗∗ BIG-IP Advanced WAF and ASM Brute Force Protection feature may not properly support the Post-Redirect-Get application flow ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K91414704
∗∗∗ Running a CTU Diagnostics Report may leave elevated command prompt after report generation ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K03544414
∗∗∗ TMM with HTTP/2 vulnerability (CVE-2021-23009) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K90603426
∗∗∗ BIG-IP ASM and Advanced WAF WebSocket vulnerability CVE-2021-23010 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K18570111
∗∗∗ BIG-IP Advanced WAF and ASM REST API vulnerability CVE-2021-23014 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K23203045
∗∗∗ BIG-IP APM AD authentication vulnerability CVE-2021-23008 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K51213246
∗∗∗ Appliance Mode authenticated iControl REST vulnerability CVE-2021-23015 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K74151369
=====================
= End-of-Day report =
=====================
Timeframe: Monday 26-04-2021 18:00 − Tuesday 27-04-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ 15 open source GitHub projects for security pros ∗∗∗
---------------------------------------------
Whether you are a sysadmin, a threat intel analyst, a malware researcher, forensics expert, or even a software developer looking to build secure software, these 15 free tools from GitHub or GitLab can easily fit into your day-to-day work activities and provide added advantages.
---------------------------------------------
https://www.csoonline.com/article/3058594/19-open-source-github-projects-fo…
∗∗∗ CAD: .DGN and .MVBA Files, (Mon, Apr 26th) ∗∗∗
---------------------------------------------
Regularly I receive questions about MicroStation files, since I wrote a diary entry about AutoCAD drawings containing VBA code.
---------------------------------------------
https://isc.sans.edu/diary/rss/27354
∗∗∗ Aggrokatz: pypykatz meets Cobalt Strike ∗∗∗
---------------------------------------------
The tool "aggrokatz", which SEC Consult uses internally to parse LSASS dump files in Cobalt Strike, has just been released as an open source tool!
---------------------------------------------
https://sec-consult.com/de/blog/detail/aggrokatz-pypykatz-trifft-cobalt-str…
∗∗∗ The March/April 2021 issue of our SWITCH Security Report is available! ∗∗∗
---------------------------------------------
A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Exploit on Exchange
---------------------------------------------
https://securityblog.switch.ch/2021/04/27/the-march-april-2021-issue-of-our…
∗∗∗ Vulnerability Spotlight: Information disclosure vulnerability in the Linux Kernel ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel.
---------------------------------------------
https://blog.talosintelligence.com/2021/04/vuln-spotlight-linux-kernel.html
∗∗∗ Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU ∗∗∗
---------------------------------------------
Earlier this year, the FBI in partnership with the Dutch National High Technical Crimes Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies brought down what Europol referred to as the world's most dangerous malware: Emotet.
---------------------------------------------
https://www.troyhunt.com/data-from-the-emotet-malware-is-now-searchable-in-…
∗∗∗ WhatsApp users beware: criminals are trying to steal your WhatsApp account ∗∗∗
---------------------------------------------
Have you been asked on WhatsApp to forward a 6-digit code? Do not do so under any circumstances; this code is the key to your WhatsApp account. Criminals use all sorts of pretexts to try to persuade you to forward it.
---------------------------------------------
https://www.watchlist-internet.at/news/whatsapp-nutzerinnen-aufgepasst-krim…
∗∗∗ CISA and NIST Release New Interagency Resource: Defending Against Software Supply Chain Attacks ∗∗∗
---------------------------------------------
A software supply chain attack—such as the recent SolarWinds Orion attack—occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/cisa-and-nist-rel…
=====================
= Vulnerabilities =
=====================
∗∗∗ All Your Macs Are Belong To Us ∗∗∗
---------------------------------------------
Here, we detail a bug that trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk!
---------------------------------------------
https://objective-see.com/blog/blog_0x64.html
∗∗∗ Citrix ShareFile storage zones controller security update ∗∗∗
---------------------------------------------
A security issue has been identified in the Citrix ShareFile storage zones controller which, if exploited, would allow an unauthenticated attacker to remotely compromise the storage zones controller.
---------------------------------------------
https://support.citrix.com/article/CTX310780
∗∗∗ Severe Unpatched Vulnerabilities Leads to Closure of Store Locator Plus Plugin ∗∗∗
---------------------------------------------
On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites.
---------------------------------------------
https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-lea…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, and gst-plugins-ugly1.0), Fedora (kernel, kernel-headers, kernel-tools, and rust), openSUSE (firefox), Oracle (firefox, mariadb:10.3 and mariadb-devel:10.3, thunderbird, and xstream), Red Hat (kernel, kernel-alt, kpatch-patch, nss, and openldap), Scientific Linux (firefox, thunderbird, and xstream), SUSE (firefox), and Ubuntu (file-roller, firefox, and ruby2.7).
---------------------------------------------
https://lwn.net/Articles/854623/
∗∗∗ NTLM Relay Attack Abuses Windows RPC Protocol Vulnerability ∗∗∗
---------------------------------------------
A newly identified NTLM (New Technology LAN Manager) relay attack abuses a remote procedure call (RPC) vulnerability to enable elevation of privilege, researchers from cybersecurity firm SentinelOne reveal.
---------------------------------------------
https://www.securityweek.com/ntlm-relay-attack-abuses-windows-rpc-protocol-…
∗∗∗ Apple Security Updates 2021-04-26 ∗∗∗
---------------------------------------------
https://support.apple.com/en-us/HT201222
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-…
∗∗∗ Security Bulletin: Vulnerability in Apache MyFaces affects Liberty for Java for IBM Cloud (CVE-2021-26296) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-m…
∗∗∗ Security Bulletin: Buffer Overflow Vulnerability in IBM SDK Affects IBM Transformation Extender ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to weak file permissions allowing access to specific files (CVE-2020-4976) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Nvidia driver: multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0440
∗∗∗ Red Hat OpenShift: multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0447
∗∗∗ TYPO3 extension: multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0449
∗∗∗ Google Releases Security Updates for Chrome ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/27/google-releases-s…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 23-04-2021 18:00 − Monday 26-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Qnap: NAS ransomware extorts 230,000 euros within a few days ∗∗∗
---------------------------------------------
Exploiting a trivial security vulnerability, the Qlocker ransomware was able to extort thousands of euros from Qnap NAS owners within a few days.
---------------------------------------------
https://www.golem.de/news/qnap-nas-ransomware-erpresst-in-wenigen-tagen-230…
∗∗∗ Passwordstate: Click Studios' password manager hacked ∗∗∗
---------------------------------------------
Attackers succeeded in compromising an upgrade function of Click Studios. Passwordstate users are advised to reset their passwords.
---------------------------------------------
https://heise.de/-6027188
∗∗∗ "Tschüss Emotet": Malware deinstalliert sich selbst ∗∗∗
---------------------------------------------
Der "König der Schad-Software" machte still und leise einen Abgang.
---------------------------------------------
https://heise.de/-6028392
∗∗∗ Unsecured Kubernetes Instances Could Be Vulnerable to Exploitation ∗∗∗
---------------------------------------------
We discuss how malware and malicious activities can occur in unsecured Kubernetes instances and how better configuration can help.
---------------------------------------------
https://unit42.paloaltonetworks.com/unsecured-kubernetes-instances/
∗∗∗ This password-stealing Android malware is spreading quickly: Here's what to watch out for ∗∗∗
---------------------------------------------
FluBot is designed to steal personal information including bank details - and infected users are being exploited to spread the malware to their contacts.
---------------------------------------------
https://www.zdnet.com/article/this-password-stealing-android-malware-is-spr…
∗∗∗ Hacking campaign targets FileZen file-sharing network appliances ∗∗∗
---------------------------------------------
Threat actors are using two vulnerabilities in a popular file-sharing server to breach corporate and government systems and steal sensitive data as part of a global hacking campaign that has already hit a major target in the Japanese Prime Minister's Cabinet Office.
---------------------------------------------
https://therecord.media/hacking-campaign-targets-filezen-file-sharing-netwo…
∗∗∗ Fake Microsoft DirectX 12 site pushes crypto-stealing malware ∗∗∗
---------------------------------------------
Cybercriminals have created a fake Microsoft DirectX 12 download page to distribute malware that steals your cryptocurrency wallets and passwords.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-microsoft-directx-12-si…
∗∗∗ Base64 Hashes Used in Web Scanning, (Sat, Apr 24th) ∗∗∗
---------------------------------------------
I have honeypot activity logs going back to May 2018 and I was curious what type of username:password combination was stored in the web traffic logs following either the Proxy-Authorization: Basic or Authorization: Basic in each log. This graph illustrates an increase in web scanning activity for username:password over the past 3 years.
---------------------------------------------
https://isc.sans.edu/diary/rss/27346
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux ∗∗∗
---------------------------------------------
A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a [...]
---------------------------------------------
https://thehackernews.com/2021/04/critical-rce-bug-found-in-homebrew.html
∗∗∗ SSD Advisory – Hongdian H8922 Multiple Vulnerabilities ∗∗∗
---------------------------------------------
The H8922 “4G industrial router is based on 3G/4G wireless network and adopts a high-performance 32-bit embedded operating system with full industrial design. It supports wired and wireless network backup, and its high reliability and convenient networking make it suitable for large-scale distributed industrial applications. Such as smart lockers, charging piles, bank ATM machines, tower monitoring, electricity, water conservancy, environmental protection”. Several vulnerabilities in the H8922 device allow remote attackers to cause the device to execute arbitrary commands with root privileges due to the fact that user provided data is not properly filtered as well as a backdoor account allows access via port 5188/tcp.
---------------------------------------------
https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabili…
∗∗∗ [PDF] Beckhoff Security Advisory 2021-001: DoS-Vulnerability for TwinCAT OPC UA Server and IPC Diagnostics UA Server ∗∗∗
---------------------------------------------
Some TwinCAT OPC UA Server and IPC Diagnostics UA Server versions from Beckhoff Automation GmbH & Co. KG are vulnerable to denial of service attacks. The attacker needs to send several specifically crafted requests to the running OPC UA server. After some of these requests the OPC UA server is no longer responsive to any client. This is without effect to the real-time functionality of IPCs.
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories…
∗∗∗ Another security vulnerability in COVID rapid-test software ∗∗∗
---------------------------------------------
Due to a security vulnerability in a rapid-test software product, unauthorized parties were able to access sensitive information. The vulnerability has since been closed.
---------------------------------------------
https://heise.de/-6027394
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (drupal7, gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, gst-plugins-ugly1.0, jackson-databind, libspring-java, opendmarc, openjdk-11, and pjproject), Fedora (buildah, containers-common, crun, firefox, java-11-openjdk, nextcloud-client, openvpn, podman, python3-docs, python3.9, runc, and xorg-x11-server), Mageia (connman, krb5-appl, and virtualbox), openSUSE (apache-commons-io, ImageMagick, jhead, libdwarf, nim, [...]
---------------------------------------------
https://lwn.net/Articles/854504/
∗∗∗ MB connect line: multiple products partially affected by DNSspooq ∗∗∗
---------------------------------------------
Multiple flaws have been found in dnsmasq before version 2.83 [...]
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2021-012
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Red Hat Enterprise Linux: multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0436
∗∗∗ Webmin: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0438
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-04-2021 18:00 − Friday 23-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ [SANS ISC] Malicious PowerPoint Add-On: “Small Is Beautiful” ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Malicious PowerPoint Add-On: ‘Small Is Beautiful’”: Yesterday I spotted a DHL-branded phishing campaign that used a PowerPoint file to compromise the victim. The malicious attachment is a PowerPoint add-in. This technique is not new, I already analyzed such a sample in a previous [...]
---------------------------------------------
https://blog.rootshell.be/2021/04/23/sans-isc-malicious-powerpoint-add-on-s…
∗∗∗ Ransomware eCh0raix and Qlocker target Qnap NAS devices ∗∗∗
---------------------------------------------
Given the current ransomware attacks on Qnap network-attached storage (NAS) devices, all owners should keep their software up to date.
---------------------------------------------
https://heise.de/-6026483
∗∗∗ Security researchers: AirDrop can reveal the iPhone owner's contact details ∗∗∗
---------------------------------------------
The phone number and email address are hashed, but can be reversed by nearby attackers, the researchers say. Apple has reportedly known about the flaw for two years.
---------------------------------------------
https://heise.de/-6026661
∗∗∗ Microsoft calling? Better hang up! ∗∗∗
---------------------------------------------
Calls from supposed Microsoft employees are on the rise again. These are fraudsters who call people at random and claim there is a problem with the victim's computer. The scheme behind it: criminals want to gain access to your computer and harvest sensitive data. Hang up immediately on such calls!
---------------------------------------------
https://www.watchlist-internet.at/news/microsoft-ruft-an-legen-sie-lieber-a…
∗∗∗ Network Attack Trends: Internet of Threats (November 2020-January 2021) ∗∗∗
---------------------------------------------
Network attack trends in the Winter quarter of 2020 revealed some interesting trends, such as increased attacker preference for newly released vulnerabilities and a large uptick in attacks deemed Critical. In addition to details of the newly observed exploits, in this blog, we also dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
---------------------------------------------
https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
∗∗∗ Attack on anti-phishing banners in emails ∗∗∗
---------------------------------------------
While analysing warnings about phishing emails, SySS found significant shortcomings that allow attackers to hide such banners.
---------------------------------------------
https://www.syss.de/pentest-blog/angriff-auf-anti-phishing-banner-in-e-mails
∗∗∗ Sysrv: A new crypto-mining botnet is silently growing in the shadows ∗∗∗
---------------------------------------------
If you forget to update or properly secure an internet-connected server or web app, the chances are that a crypto-mining botnet will infect it first, long before any nation-state hacking group. Crypto-mining botnets have been a plague on the internet for the past three years, and despite the space being more than saturated, new botnets are being built and discovered on a regular basis, driven mainly by cybercriminals' unquenched thirst for easy money.
---------------------------------------------
https://therecord.media/sysrv-a-new-crypto-mining-botnet-is-silently-growin…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sipwise C5 NGCP CSC CSRF Click2Dial Exploit ∗∗∗
---------------------------------------------
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious website.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5649.php
∗∗∗ Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities ∗∗∗
---------------------------------------------
Sipwise software platform suffers from multiple authenticated stored and reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php
∗∗∗ BOSCH-SA-918106 - ctrlX Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in operating system libraries and the Linux kernel have been reported which in a worst case scenario could allow an attacker to compromise the system by provoking a crash or the execution of malicious code. The affected functions are not used directly by any Rexroth software component and therefore the risk of an attacker being able to exploit the vulnerability is considered as low. Nevertheless, it cannot be completely ruled out that the functions might be called [...]
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-918106.html
∗∗∗ Security Bulletin: Trend Micro HouseCall for Home Networks Incorrect Permission Assignment Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
Trend Micro has released an updated version of Trend Micro HouseCall for Home Networks which resolves two incorrect permission assignment vulnerabilities that may lead to privilege escalation.
---------------------------------------------
https://helpcenter.trendmicro.com/en-us/article/TMKA-10310
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, openjdk-8, and wpa), openSUSE (irssi, jhead, opera, and python-django-registration), SUSE (firefox and qemu), and Ubuntu (dnsmasq and shibboleth-sp).
---------------------------------------------
https://lwn.net/Articles/854215/
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Input Validation, and Improper Access Controls vulnerabilities in Horner Automation Cscape control system application programming software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-112-01
∗∗∗ Mitsubishi Electric GOT ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Authentication vulnerability in Mitsubishi Electric's GOT human-machine interface products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-112-02
∗∗∗ Security Bulletin: Series of vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-series-of-vulnerabilities…
∗∗∗ Security Bulletin: A vulnerability in IBM® Runtime Environments Java™ Technology Edition Versions affects IBM® Db2®. (January 2021 CPU) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ru…
∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: Vulnerability in Apache MyFaces affects Liberty for Java for IBM Cloud (CVE-2021-26296) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-m…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-v…
∗∗∗ Security Bulletin: IBM DB2 Server Vulnerabilities Affect IBM Emptoris Emptoris Supplier Lifecycle Mgmt ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-server-vulnerabil…
∗∗∗ Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2017-1000190) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 21-04-2021 18:00 − Thursday 22-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Makers of the Signal messenger hack Cellebrite's forensic software ∗∗∗
---------------------------------------------
The Signal developers show in a video how a specially prepared iPhone undermines the Cellebrite software used by law enforcement agencies.
---------------------------------------------
https://heise.de/-6024421
∗∗∗ Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices ∗∗∗
---------------------------------------------
A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-a…
∗∗∗ Attackers can hide external sender email warnings with HTML and CSS ∗∗∗
---------------------------------------------
The "external sender" warnings shown to email recipients by clients like Microsoft Outlook can be hidden by the sender, as demonstrated by a researcher. Turns out, all it takes for attackers to alter the "external sender" warning, or remove it altogether from emails is just a few lines of HTML and CSS code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/attackers-can-hide-external-…
∗∗∗ Telegram Platform Abused in ‘ToxicEye’ Malware Campaigns ∗∗∗
---------------------------------------------
Even if the app is not installed or in use, threat actors can use it to spread malware through email campaigns and take over victims’ machines, new research has found.
---------------------------------------------
https://threatpost.com/telegram-toxiceye-malware/165543/
∗∗∗ Announcing the New Reports API ∗∗∗
---------------------------------------------
We are happy to announce a completely new way of accessing our reports - via a RESTful API. Every report recipient can now choose to opt in to this delivery method and receive a unique API key and unique secret.
---------------------------------------------
https://www.shadowserver.org/news/announcing-the-new-reports-api/
∗∗∗ All Your Databases Belong To Me! A Blind SQLi Case Study ∗∗∗
---------------------------------------------
The following blog post does not include any novel attack vectors. On the contrary, it serves as a humble reminder that the same software bugs discovered more than a decade ago are also found in commercial software products in 2021. It also highlights once more the necessity of conducting security assessments on a regular basis.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-da…
∗∗∗ Researchers Find Additional Infrastructure Used By SolarWinds Hackers ∗∗∗
---------------------------------------------
The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, [...]
---------------------------------------------
https://thehackernews.com/2021/04/researchers-find-additional.html
∗∗∗ [SANS ISC] How Safe Are Your Docker Images? ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “How Safe Are Your Docker Images?“: Today, I don’t know any organization that is not using Docker. Whether for test and development only or for full production systems, containers are deployed everywhere! In the same way, most popular tools today have a "dockerized" version ready to use, sometimes maintained by the developers themselves, sometimes maintained by third parties. An example is the Docker container that I created with all Didier’s tools. Today, we are also facing a new threat: supply chain attacks (think about Solarwinds or, more recently, CodeCov). If we mix the attraction of container technologies with this threat, we realize that Docker images are a great way to compromise an organization!
---------------------------------------------
https://blog.rootshell.be/2021/04/22/sans-isc-how-safe-are-your-docker-imag…
∗∗∗ PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately ∗∗∗
---------------------------------------------
Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-p…
∗∗∗ Now this botnet is hunting for unpatched Microsoft Exchange servers ∗∗∗
---------------------------------------------
The Prometei botnet's key goal is cryptojacking - but its powerful capabilities could see it deployed for much more dangerous attacks.
---------------------------------------------
https://www.zdnet.com/article/now-this-botnet-is-hunting-for-unpatched-micr…
∗∗∗ CISA Incident Response to SUPERNOVA Malware ∗∗∗
---------------------------------------------
CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advanced persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement. CISA encourages organizations to review AR21-112A for more information.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/04/22/cisa-incident-res…
∗∗∗ AirDrop bugs expose Apple users' email addresses, phone numbers ∗∗∗
---------------------------------------------
A team of academics from a German university said it discovered two vulnerabilities that can be abused to extract phone numbers and email addresses from Apple's AirDrop file transfer feature.
---------------------------------------------
https://therecord.media/airdrop-bugs-expose-apple-users-email-addresses-pho…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories for Cisco SD-WAN vManage Software ∗∗∗
---------------------------------------------
Cisco has published 5 security advisories for Cisco SD-WAN vManage Software, all of which are classified as "Medium".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Security updates: Static credentials endanger Qnap NAS ∗∗∗
---------------------------------------------
A critical vulnerability in HBS 3 Hybrid Backup Sync puts Qnap network-attached storage (NAS) devices at risk.
---------------------------------------------
https://heise.de/-6025271
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird and wordpress), Fedora (curl, firefox, mediawiki, mingw-binutils, os-autoinst, and rpm-ostree), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (kernel, pcp, and tomcat6), and Ubuntu (linux, linux-aws, linux-gke-5.3, linux-hwe, linux-kvm, linux-lts-xenial, linux-oem-5.6, linux-raspi2-5.3, linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/853953/
∗∗∗ Google rushes out fix for zero‑day vulnerability in Chrome ∗∗∗
---------------------------------------------
The update patches a total of seven security flaws in the desktop versions of the popular web browser.
---------------------------------------------
https://www.welivesecurity.com/2021/04/21/google-fix-zero-day-vulnerability…
∗∗∗ Drupal: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0432
∗∗∗ Red Hat OpenShift: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0431
∗∗∗ Stored XSS (outdated software library) in BMDWeb 2.0 ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-veraltete-…
∗∗∗ Security Bulletin: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-aff…
∗∗∗ Security Bulletin: Vulnerabilities in Java affect IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a…
∗∗∗ Security Bulletin: Tensor Flow security vulnerabilities on IBM Watson Machine Learning Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tensor-flow-security-vuln…
∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Performance Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 20-04-2021 18:00 − Wednesday 21-04-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Brace yourselves. Facebook has a new mega-leak on its hands ∗∗∗
---------------------------------------------
Facebook Email Search v1.0 can process 5 million email addresses per day, researcher says.
---------------------------------------------
https://arstechnica.com/?p=1758893
∗∗∗ Logins for 1.3 million Windows RDP servers collected from hacker market ∗∗∗
---------------------------------------------
The login names and passwords for 1.3 million current and historically compromised Windows Remote Desktop servers have been leaked by UAS, the largest hacker marketplace for stolen RDP credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/logins-for-13-million-window…
∗∗∗ New article: Run your malicious VBA macros anywhere! ∗∗∗
---------------------------------------------
Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.
---------------------------------------------
https://www.virusbulletin.com/blog/2021/04/new-article-run-your-malicious-v…
∗∗∗ CVE-2021-30481: Source engine remote code execution via game invites ∗∗∗
---------------------------------------------
In this blog post, we will look at how an attacker can use the Steamworks API in combination with various features and properties of the Source engine to gain remote code execution (RCE) through malicious Steam game invites.
---------------------------------------------
https://secret.club/2021/04/20/source-engine-rce-invite.html
∗∗∗ A year of Fajan evolution and Bloomberg themed campaigns ∗∗∗
---------------------------------------------
Some malware campaigns are designed to spread malware to as many people as possible — while others carefully choose their targets. Cisco Talos recently discovered a malware campaign that does not fit in either of the two categories.
---------------------------------------------
https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bl…
∗∗∗ Classified-ad fraud: Beware of transactions handled via fictitious shipping companies! ∗∗∗
---------------------------------------------
Selling used goods via classified-ad portals such as willhaben.at, shpock.com or ebay.at is booming. But beware: fraud on such platforms is also currently being reported to us frequently. Particularly popular among criminals is handling the purchase via fictitious shipping companies.
---------------------------------------------
https://www.watchlist-internet.at/news/kleinanzeigenbetrug-vorsicht-bei-abw…
∗∗∗ WhatsApp Pink: Watch out for this fake update ∗∗∗
---------------------------------------------
The malware sends automated replies to messages on WhatsApp and other major chat apps.
---------------------------------------------
https://www.welivesecurity.com/2021/04/20/whatsapp-pink-watch-out-fake-upda…
=====================
= Vulnerabilities =
=====================
∗∗∗ Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit ∗∗∗
---------------------------------------------
Google on Tuesday released an update for the Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild.
---------------------------------------------
https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.ht…
∗∗∗ Oracle releases 390 security updates for MySQL, Java & Co. ∗∗∗
---------------------------------------------
In its quarterly update, Oracle patches its way through its software portfolio and closes, among others, several critical security vulnerabilities.
---------------------------------------------
https://heise.de/-6022746
∗∗∗ Patch now! Attacks on SonicWall Email Security appliances ∗∗∗
---------------------------------------------
Important updates are available for SonicWall's "Email Security". Attackers are currently actively exploiting a vulnerability.
---------------------------------------------
https://heise.de/-6022716
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, php-pear, wordpress, and zabbix), Oracle (java-1.8.0-openjdk and java-11-openjdk), Red Hat (java-1.8.0-openjdk, java-11-openjdk, kernel, and kpatch-patch), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (seamonkey), SUSE (apache-commons-io, ImageMagick, kvm, ruby2.5, and sudo), and Ubuntu (edk2, libcaca, ntp, and ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/853759/
∗∗∗ VU#567764: MySQL for Windows is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/567764
∗∗∗ ZDI-21-442: (0Day) Advantech WebAccess/HMI Designer SNF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-442/
∗∗∗ ZDI-21-441: (0Day) Advantech WebAccess/HMI Designer PLF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-441/
∗∗∗ Security Bulletin: Multiple vulnerabilities in Eclipse Jetty affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2019-17558) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20454) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Vulnerability in Jersey affects Apache Zookeeper shipped with IBM Operations Analytics – Log Analysis (CVE-2014-3643) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jersey-a…
∗∗∗ Security Bulletin: IBM SDK Java Quarterly CPU Oct 2020 Vulnerabilities Affect IBM Transformation Extender ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-ibm-sdk…
∗∗∗ Security Bulletin: SMTP for IBM i is affected by CVE-2021-20501 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-smtp-for-ibm-i-is-affecte…
∗∗∗ Security Bulletin: Update available for OpenSSL vulnerabilities affecting IBM Watson Speech Services 1.2.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-update-available-for-open…
∗∗∗ Security Bulletin: protobuf Vulnerability in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2015-5237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-protobuf-vulnerability-in…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java and Apache Tomcat affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerability in Apache Ant affects IBM Operations Analytics – Log Analysis (CVE-2020-1945) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a…
∗∗∗ Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-re…
∗∗∗ Hitachi ABB Power Grids Ellipse APM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-01
∗∗∗ Rockwell Automation Stratix Switches ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-02
∗∗∗ Delta Industrial Automation COMMGR ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-03
∗∗∗ Delta Electronics CNCSoft ScreenEditor ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-04
∗∗∗ Delta Electronics CNCSoft-B ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-05
∗∗∗ Eaton Intelligent Power Manager ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-06
∗∗∗ Siemens Mendix ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-110-07
=====================
= End-of-Day report =
=====================
Timeframe: Monday 19-04-2021 18:00 − Tuesday 20-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Remote Code Execution: Attacks on Pulse Secure VPN devices ∗∗∗
---------------------------------------------
Pulse Secure products are affected by a critical security vulnerability for which no patch exists. Attacks are already taking place.
---------------------------------------------
https://www.golem.de/news/remote-code-execution-angriffe-auf-vpn-geraete-vo…
∗∗∗ Google Play apps with 700k installs steal texts and charge you money ∗∗∗
---------------------------------------------
Google removes eight apps after receiving report from researchers.
---------------------------------------------
https://arstechnica.com/?p=1758227
∗∗∗ Fake Microsoft Store, Spotify sites spread info-stealing malware ∗∗∗
---------------------------------------------
Attackers are promoting sites impersonating the Microsoft Store, Spotify, and an online document converter that distribute malware to steal credit cards and passwords saved in web browsers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify…
∗∗∗ Breaking ABUS Secvest internet-connected alarm systems (CVE-2020-28973) ∗∗∗
---------------------------------------------
ABUS Secvest is a wireless alarm system that is marketed at consumers and small businesses. It is usually deployed by a specialized company. A Secvest FUAA50000 controller costs about EUR400. A typical deployment with motion sensors, a siren and door/window sensors can cost thousands of euros. In this article I will describe how more than 10.000 internet-connected alarm systems could be hacked and deactivated remotely.
---------------------------------------------
https://eye.security/en/blog/breaking-abus-secvest-internet-connected-alarm…
∗∗∗ Firefox & Thunderbird: Security-relevant updates for browser & e-mail client ∗∗∗
---------------------------------------------
Mozilla has released Firefox 88 together with its ESR counterpart, as well as Thunderbird 78.10. Among other things, the releases contain important vulnerability fixes.
---------------------------------------------
https://heise.de/-6021309
∗∗∗ Facebook Messenger users targeted by a large-scale scam ∗∗∗
---------------------------------------------
A large-scale scam campaign targeting Facebook Messenger users all over the world has been detected by Group-IB. Digital Risk Protection (DRP) analysts have found evidence proving that users in over 80 countries in Europe, Asia, the MEA region, North and South America might have been affected. By distributing ads promoting an allegedly updated version of Facebook Messenger, cybercriminals harvested users’ login credentials.
---------------------------------------------
https://www.helpnetsecurity.com/2021/04/20/facebook-messenger-scam/
∗∗∗ E-mail: Business owners are urged to buy Corona tests at "testversand.com" ∗∗∗
---------------------------------------------
In Germany, starting today, employers must provide Corona tests for employees who are not working from home. Criminals are exploiting this measure and contacting numerous business owners to recommend the dubious online shop for Corona tests "testversand.com". It can be assumed that this e-mail is also being sent to Austrian business owners.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-unternehmerinnen-werden-aufge…
∗∗∗ Multi-factor authentication: Use it for all the people that access your network, all the time ∗∗∗
---------------------------------------------
The vast majority of cyberattacks involve a password being hacked - providing your employees with multi-factor authentication could go a long way towards stopping cyber criminals breaking into your network.
---------------------------------------------
https://www.zdnet.com/article/multi-factor-authentication-use-it-for-all-th…
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Synology DiskStation Manager ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in Synology DiskStation Manager. DSM is the Linux-based operating system for every Synology network-attached storage device (NAS).
---------------------------------------------
https://blog.talosintelligence.com/2021/04/vuln-spotlight-synology-dsm.html
∗∗∗ Widespread Attacks Continue Targeting Vulnerabilities in The Plus Addons for Elementor Pro ∗∗∗
---------------------------------------------
Over the past 10 days, Wordfence has blocked over 14 million attacks targeting Privilege Escalation Vulnerabilities in The Plus Addons for Elementor Pro on over 75% of sites reporting attacks during this period. By April 13, 2021, this campaign was targeting more sites than all other campaigns put together.
---------------------------------------------
https://www.wordfence.com/blog/2021/04/widespread-attacks-continue-targetin…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server), Fedora (CImg, gmic, leptonica, mingw-binutils, mingw-glib2, mingw-leptonica, mingw-python3, nodejs, and seamonkey), openSUSE (irssi, kernel, nextcloud-desktop, python-django-registration, and thunderbird), Red Hat (389-ds:1.4, kernel, kernel-rt, perl, and pki-core:10.6), SUSE (kernel, sudo, and xen), and Ubuntu (clamav and openslp-dfsg).
---------------------------------------------
https://lwn.net/Articles/853614/
∗∗∗ Security Bulletin: Vulnerabilities in Java affect IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20453) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2020-1968) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2020-1971). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the Libraries component could affect InfoSphere Streams version 4.3 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-i…
∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis is affected by an Apache Zookeeper vulnerability (CVE-2019-0201) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
∗∗∗ Security Bulletin: Apache Solr, shipped with IBM Operations Analytics – Log Analysis, susceptible to vulnerability in Apache POI (CVE-2019-12415) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-solr-shipped-with-…
∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the JNDI component could affect InfoSphere Streams ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil…
∗∗∗ Security Bulletin: Potential TLS vulnerability using Diffie-Hellman TLS ciphersuites in IBM DataPower Gateway (CVE-2020-1968) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-tls-vulnerabili…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 16-04-2021 18:00 − Monday 19-04-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Codecov: Hacked developer tool Bash Uploader abused for data theft ∗∗∗
---------------------------------------------
Unknown actors manipulated the Bash Uploader code. The incident, which went unnoticed for two months, potentially also affects some well-known companies.
---------------------------------------------
https://heise.de/-6019302
∗∗∗ Ryuk ransomware operation updates hacking techniques ∗∗∗
---------------------------------------------
Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-operation-up…
∗∗∗ NitroRansomware Distributed as A Fake Free Nitro Gift Code Generator ∗∗∗
---------------------------------------------
BleepingComputer owner Lawrence Abrams reported infections with a new, unusual ransomware dubbed NitroRansomware, which demands a Discord Nitro gift code from victims to decrypt their files.
---------------------------------------------
https://heimdalsecurity.com/blog/nitroransomware-distributed-as-a-fake-free…
∗∗∗ BazarLoader Malware Abuses Slack, BaseCamp Clouds ∗∗∗
---------------------------------------------
Two cyberattack campaigns are making the rounds using unique social-engineering techniques.
---------------------------------------------
https://threatpost.com/bazarloader-malware-slack-basecamp/165455/
∗∗∗ Serious Security: Rowhammer is back, but now it’s called SMASH ∗∗∗
---------------------------------------------
Simply put: reading from RAM in your program could write to RAM in someone else's.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/04/19/serious-security-rowhammer-is-b…
∗∗∗ Querying Spamhaus for IP reputation, (Fri, Apr 16th) ∗∗∗
---------------------------------------------
Way back in 2018 I posted a diary describing how I have been using the Neutrino API to do IP reputation checks. In the subsequent 2+ years that Python script has evolved somewhat, which hopefully I can go over at some point in the future, but for now I would like to show you the most recent capability I added to that script.
---------------------------------------------
https://isc.sans.edu/diary/rss/27320
∗∗∗ Decoding Cobalt Strike Traffic, (Sun, Apr 18th) ∗∗∗
---------------------------------------------
In diary entry "Example of Cleartext Cobalt Strike Traffic (Thanks Brad)" I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted since the malicious actors used a trial version of Cobalt Strike.
---------------------------------------------
https://isc.sans.edu/diary/rss/27322
∗∗∗ Hunting phishing websites with favicon hashes, (Mon, Apr 19th) ∗∗∗
---------------------------------------------
HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense - since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way.
---------------------------------------------
https://isc.sans.edu/diary/rss/27326
∗∗∗ Malware Spreads Via Xcode Projects Now Targeting Apple's M1-based Macs ∗∗∗
---------------------------------------------
A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon building, were configured to execute the payload.
---------------------------------------------
https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.ht…
∗∗∗ Malvertisers hacked 120 ad servers to load malicious ads ∗∗∗
---------------------------------------------
A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads that redirected website visitors to sites promoting scams and malware.
---------------------------------------------
https://therecord.media/malvertisers-hacked-120-ad-servers-to-load-maliciou…
∗∗∗ Fuzzing and PR’ing: How We Found Bugs in a Popular Third-Party EtherNet/IP Protocol Stack ∗∗∗
---------------------------------------------
The Claroty Research Team today announces that it has added the necessary infrastructure to incorporate the popular AFL fuzzer into the OpENer EtherNet/IP stack.
---------------------------------------------
https://claroty.com/2021/04/15/blog-research-fuzzing-and-pring/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical malicious-code vulnerabilities in Qnap NAS systems closed ∗∗∗
---------------------------------------------
Bugs in various components make Qnap network-attached storage (NAS) devices vulnerable. Security updates are available.
---------------------------------------------
https://heise.de/-6019234
∗∗∗ VMSA-2021-0006 ∗∗∗
---------------------------------------------
A privilege escalation vulnerability in VMware NSX-T was privately reported to VMware. Updates are available to remediate this vulnerability in the affected VMware product.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0006.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (nettle, squid, and thunderbird), Debian (libebml, python-bleach, and python2.7), Fedora (batik, gnuchess, kernel-headers, kernel-tools, ruby, singularity, and xorg-x11-server), Mageia (clamav, kernel, kernel-linus, and python3), openSUSE (chromium, fluidsynth, opensc, python-bleach, and wpa_supplicant), Oracle (gnutls and nettle), Red Hat (dpdk, gnutls and nettle, mariadb:10.3 and mariadb-devel:10.3, and redhat-ds:11), and SUSE (kernel, qemu, and [...]
---------------------------------------------
https://lwn.net/Articles/853420/
∗∗∗ iApps vulnerability CVE-2020-17507 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11542555
∗∗∗ libcroco vulnerability CVE-2020-12825 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01074825
∗∗∗ Dell integrated Dell Remote Access Controller: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0397
∗∗∗ Security Bulletin: Vulnerability with Apache Tika in Apache Solr affects IBM Operations Analytics – Log Analysis (CVE-2018-8017) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-with-apache…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Tika affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerab…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential code injection vulnerability (CVE-2020-5268) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Watson OpenScale on Cloud Pak for Data is impacted by Vulnerabilities in Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-openscale-on-c…
∗∗∗ Security Bulletin: Vulnerability in Apache PDFBox affects Apache Solr shipped with IBM Operations Analytics – Log Analysis (CVE-2018-8036) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-p…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: IBM Resilient SOAR is vulnerable to command injection (CVE-2021-20527) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-vul…