Daily May 2021

daily@lists.cert.at

1 participants
19 discussions

Tageszusammenfassung - 31.05.2021
by Daily end-of-shift report 31 May '21

31 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-05-2021 18:00 − Montag 31-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitsupdate: Root-Lücke in Sonicwalls Network Security Manager ∗∗∗ --------------------------------------------- Angreifer könnten durch eine Schwachstelle in der Firewall-Verwaltungssoftware Network Security Manager schlüpfen. --------------------------------------------- https://heise.de/-6057794 ∗∗∗ Client Puzzle Protocols (CPPs) als Gegenmaßnahmen gegen automatisierte Gefahren für Webapplikationen ∗∗∗ --------------------------------------------- Client Puzzle Protocols (CPPs) können effektive Maßnahmen gegen Denial-of-Service-Attacken sein. Sie müssen aber auf ihre Effektivität überprüft werden. --------------------------------------------- https://www.syss.de/pentest-blog/fachartikel-von-it-security-consultant-vla… ∗∗∗ Threat spotlight: Conti, the ransomware used in the HSE healthcare attack ∗∗∗ --------------------------------------------- [...] In this blog, we’ll home in on Conti, the strain identified by some as the successor, cousin or relative of Ryuk ransomware, due to similarities in code use and distribution tactics. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-con… ∗∗∗ PoC published for new Microsoft PatchGuard (KPP) bypass ∗∗∗ --------------------------------------------- A security researcher has discovered a bug in PatchGuard––a crucial Windows security feature––that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel. --------------------------------------------- https://therecord.media/poc-published-for-new-microsoft-patchguard-kpp-bypa… ∗∗∗ WooCommerce Credit Card Skimmer Hides in Plain Sight ∗∗∗ --------------------------------------------- Recently, a client’s customers were receiving a warning from their anti-virus software when they navigated to the checkout page of the client’s ecommerce website. Antivirus software such as Kaspersky and ESET would issue a warning but only once a product had been added to the cart and a customer was about to enter their payment information. This is, of course, a tell-tale sign that there is something seriously wrong with the website and likely a case of credit card exfiltration. --------------------------------------------- https://blog.sucuri.net/2021/05/woocommerce-credit-card-skimmer.html ∗∗∗ On the Taxonomy and Evolution of Ransomware ∗∗∗ --------------------------------------------- Not all ransomware is the same! Oliver Tavakoli, CTO at Vectra AI, discusses the different species of this growing scourge. --------------------------------------------- https://threatpost.com/taxonomy-evolution-ransomware/166462/ ∗∗∗ Spear-phishing Email Targeting Outlook Mail Clients , (Sat, May 29th) ∗∗∗ --------------------------------------------- In February I posted about spam pretending to be an Outlook Version update [1] and now for the past several weeks I have been receiving spear-phishing emails that pretend to be coming from Microsoft Outlook to "Sign in to verify" my account, new terms of services, new version, etc. There also have been some reports this week about large ongoing spear-phishing campaign [2][3] worth reading. Here are some samples which always include a sense of urgency to login as soon as possible: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27472 ∗∗∗ Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th) ∗∗∗ --------------------------------------------- New versions of Sysinternals' tools Procmon, Sysmon, TcpView and Process Explorer were released. --------------------------------------------- https://isc.sans.edu/diary/rss/27476 ∗∗∗ Video: Cobalt Strike & DNS - Part 1, (Sun, May 30th) ∗∗∗ --------------------------------------------- One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS. --------------------------------------------- https://isc.sans.edu/diary/rss/27478 ∗∗∗ IT threat evolution Q1 2021 ∗∗∗ --------------------------------------------- SolarWinds attacks, MS Exchange vulnerabilities, fake adblocker distributing miner, malware for Apple Silicon platform and other threats in Q1 2021. --------------------------------------------- https://securelist.com/it-threat-evolution-q1-2021/102382/ ∗∗∗ IT threat evolution Q1 2021. Mobile statistics ∗∗∗ --------------------------------------------- In the first quarter of 2021 we detected 1.45M mobile installation packages, of which 25K packages were related to mobile banking Trojans and 3.6K packages were mobile ransomware Trojans. --------------------------------------------- https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/ ∗∗∗ IT threat evolution Q1 2021. Non-mobile statistics ∗∗∗ --------------------------------------------- In Q1 2021, we blocked more than 2 billion attacks launched from online resources across the globe, detected 77.4M unique malicious and potentially unwanted objects, and recognized 614M unique URLs as malicious. --------------------------------------------- https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/10… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (hyperkitty, libxml2, nginx, openjdk-11-jre-dcevm, rxvt-unicode, samba, and webkit2gtk), Fedora (exiv2, java-1.8.0-openjdk-aarch32, mingw-python-pillow, opendmarc, php-symfony3, php-symfony4, python-pillow, runc, rust-cranelift-codegen-shared, rust-cranelift-entity, and rxvt-unicode), openSUSE (curl, hivex, libu2f-host, libX11, libxls, singularity, and upx), Oracle (dotnet3.1 and dotnet5.0), Red Hat (docker, glib2, and runc), and Ubuntu (lz4). --------------------------------------------- https://lwn.net/Articles/857737/ ∗∗∗ Security Bulletin: CVE-2021-2161 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2161-may-affect-… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities have been resolved in IBM Application Gateway (CVE-2021-20576, CVE-2021-20575, CVE-2021-29665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.05.2021
by Daily end-of-shift report 28 May '21

28 May '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-05-2021 18:00 − Freitag 28-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FBI to share compromised passwords with Have I Been Pwned ∗∗∗ --------------------------------------------- The FBI will soon begin to share compromised passwords with Have I Been Pwneds Password Pwned service that were discovered during law enforcement investigations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-to-share-compromised-pas… ∗∗∗ Ransomware gangs slow decryptors prompt victims to seek alternatives ∗∗∗ --------------------------------------------- Recently, two highly publicized ransomware victims received a decryptor that was too slow to make it effective in quickly restoring the victims network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-slow-decryp… ∗∗∗ Tracking BokBot (a.k.a. IcedID) Infrastructure ∗∗∗ --------------------------------------------- BokBot (also known as IcedID) started life as a banking trojan using man-in-the-browser attacks to steal credentials from online banking sessions and initiate fraudulent transactions. Over time, the operator(s) of BokBot have also developed its use as a delivery mechanism for other malware, in particular ransomware. --------------------------------------------- https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/ ∗∗∗ Malicious PowerShell Hosted on script.google.com, (Fri, May 28th) ∗∗∗ --------------------------------------------- Google has an incredible portfolio of services. Besides the classic ones, there are less known services and... they could be very useful for attackers too. One of them is Google Apps Script[1]. Google describes it like this: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27468 ∗∗∗ Jetzt patchen! Kritische Lücke in HPE SIM geschlossen ∗∗∗ --------------------------------------------- Es ist ein wichtiges Sicherheitsupdate für Hewlett Packard Enterprise Systems Insight Manager (SIM) erschienen. --------------------------------------------- https://heise.de/-6056415 ∗∗∗ Falsifying and weaponizing certified PDFs ∗∗∗ --------------------------------------------- Certified PDFs are supposed to control modifications so that recipients know they havent been tampered with. It doesnt always work. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/falsifyi… ∗∗∗ Do you know your OpSec? ∗∗∗ --------------------------------------------- Open Source Intelligence (OSINT) is any information in the public domain that an attacker can dig up about you. Because of that it forms the basis of every Red Team [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/do-you-know-your-opsec/ ∗∗∗ Urlaubsreif? Buchen Sie nicht über ferienhauspartner.co, fewopartner.co, holidaypartner.co & ferienpartner.co! ∗∗∗ --------------------------------------------- Sind Sie auf der Suche nach ein Urlaubsdomizil für den nahenden Sommer? Wenn ja, könnten Sie auf betrügerische Webseiten stoßen. Denn Kriminelle bieten derzeit Ferienhäuser und Ferienwohnungen in Deutschland und Dänemark an, die per Vorkasse gebucht werden können. Doch Vorsicht: Das bezahlte Geld landet direkt in den Händen der Kriminellen, eine aufrechte Buchung gibt es nicht! --------------------------------------------- https://www.watchlist-internet.at/news/urlaubsreif-buchen-sie-nicht-ueber-f… ∗∗∗ MobileInter: A Popular Magecart Skimmer Redesigned For Your Phone ∗∗∗ --------------------------------------------- To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of todays most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/mobile-inter/ ∗∗∗ Docker Honeypot Reveals Cryptojacking as Most Common Cloud Threat ∗∗∗ --------------------------------------------- A Docker honeypot captured 33 types of attacks over a total of 850 attempts. Here’s what we learned about the cloud threat landscape. --------------------------------------------- https://unit42.paloaltonetworks.com/docker-honeypot/ ∗∗∗ CVE-2021-31440: An Incorrect Bounds Calculation in the Linux Kernel eBPF Verifier ∗∗∗ --------------------------------------------- In April 2021, the ZDI received a Linux kernel submission that turned out to be an incorrect bounds calculation bug in the extended Berkeley Packet Filter (eBPF) verifier. This bug was submitted to the program by Manfred Paul (@_manfp) of the RedRocket CTF team (@redrocket_ctf). Manfred Paul had successfully exploited two other eBPF verifier bugs in Pwn2Own 2020 and 2021 respectively. --------------------------------------------- https://www.thezdi.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-ca… ∗∗∗ The Race to Native Code Execution in PLCs ∗∗∗ --------------------------------------------- Claroty has found a severe memory protection bypass vulnerability (CVE-2020-15782) in Siemens PLCs, the SIMATIC S7-1200 and S7-1500. An attacker could abuse this vulnerability on PLCs with disabled access protection to gain read and write access anywhere on the PLC and remotely execute malicious code. --------------------------------------------- https://claroty.com/2021/05/28/blog-research-race-to-native-code-execution-… ∗∗∗ Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns ∗∗∗ --------------------------------------------- On May 25, 2021, Volexity identified a phishing campaign targeting multiple organizations based in the United States and Europe. The following industries have been observed being targeted thus far: NGOs, Research Institutions, Government Agencies, International Agencies The campaign’s phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL [...] --------------------------------------------- https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall urges customers to immediately patch NSM On-Prem bug ∗∗∗ --------------------------------------------- SonicWall urges customers to immediately patch a post-authentication vulnerability impacting on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-urges-customers-to… ∗∗∗ SSA-434534: Memory Protection Bypass Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families ∗∗∗ --------------------------------------------- SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks. Siemens has released updates for several affected products and strongly recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-434534.txt ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nginx), Fedora (chromium, curl, kernel, php-symfony3, php-symfony4, python-lxml, python-pip, and runc), Mageia (ceph and wireshark), openSUSE (mpv), Oracle (bind, idm:DL1, redis:6, slapi-nis, squid:4, and xorg-x11-server), SUSE (curl, nginx, postgresql10, postgresql12, postgresql13, slurm, slurm_18_08, and slurm_20_11), and Ubuntu (nginx). --------------------------------------------- https://lwn.net/Articles/857581/ ∗∗∗ Several Vulnerabilities in Bosch B426, B426-CN/B429-CN, and B426-M ∗∗∗ --------------------------------------------- BOSCH-SA-196933-BT: A security vulnerability affects the Bosch B426, B426-CN/B429-CN, and B426-M. The vulnerability is exploitable via the network interface. Bosch rates this vulnerability at 8.0 (High) and recommends customers to update vulnerable components with fixed software versions. A second vulnerable condition was found when using http protocol, in which the user password is transmitted as a clear text parameter. Latest firmware versions allow only https. If a software update is not [...] --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-196933-bt.html ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2021
by Daily end-of-shift report 27 May '21

27 May '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-05-2021 18:00 − Donnerstag 27-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Achtung: Kriminelle fälschen „Grünen Pass“! ∗∗∗ --------------------------------------------- In Österreich wird bald der „Grüne Pass“ eingeführt, der den Zugang zu Gastronomie und körpernahen Dienstleistungen erleichtern soll. Dieser ist erst in der zweiten Juni-Woche verfügbar, doch Kriminelle verbreiten bereits jetzt eine „Variante“ des Grünen Passes. Wir gehen davon aus, dass dabei personenbezogene Daten abgegriffen werden. Wer die unseriöse App als gültigen Impf-, Test- oder Genesungsnachweis verwendet, könnte könnte sich außerdem strafbar machen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-kriminelle-faelschen-gruenen… ∗∗∗ Exploit veröffentlicht: Gefixte WebKit-Schwachstelle steht auf iPhones offen ∗∗∗ --------------------------------------------- Ein Patch im Open-Source-Unterbau aller iOS-Browser ist selbst nach Wochen noch nicht in Apples Betriebssysteme eingeflossen, warnt eine Sicherheitsfirma. --------------------------------------------- https://heise.de/-6055716 ∗∗∗ BazaLoader Masquerades as Movie-Streaming Service ∗∗∗ --------------------------------------------- The website for “BravoMovies” features fake movie posters and a FAQ with a rigged Excel spreadsheet for “cancelling” the service, but all it downloads is malware. --------------------------------------------- https://threatpost.com/bazaloader-fake-movie-streaming-service/166489/ ∗∗∗ “Unpatchable” vuln in Apple’s new Mac chip – what you need to know ∗∗∗ --------------------------------------------- Its all over the news! The bug you cant fix! Fortunately, you dont need to. We explain why. --------------------------------------------- https://nakedsecurity.sophos.com/2021/05/27/unpatchable-vuln-in-apples-new-… ∗∗∗ Analysis report of the Facefish rootkit ∗∗∗ --------------------------------------------- In Feb 2021, we came across an ELF sample using some CWP’s Ndays exploits, we did some analysis, but after checking with a partner who has some nice visibility in network traffic in some China areas, we discovered there is literarily 0 hit for the C2 traffic. --------------------------------------------- https://blog.netlab.360.com/ssh_stealer_facefish_en/ ∗∗∗ All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not, (Thu, May 27th) ∗∗∗ --------------------------------------------- Malware authors like to use a variety of techniques to avoid detection of their creations by anti-malware tools. As the old saying goes, necessity is the mother of invention and in the case of malware, it has lead its authors to devise some very interesting ways to hide from detection over the years - from encoding of executable files into valid bitmap images[1] to multi-stage encryption of malicious payloads[2] and much further. --------------------------------------------- https://isc.sans.edu/diary/rss/27466 ∗∗∗ Saving Your Access ∗∗∗ --------------------------------------------- After revisiting old internal discussions, an area of interest was the possibility of using screensavers for persistence on macOS. This is an established persistence method on Windows, as noted on the MITRE ATT&CK page. --------------------------------------------- https://posts.specterops.io/saving-your-access-d562bf5bf90b ∗∗∗ Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises ∗∗∗ --------------------------------------------- Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat Intelligence has observed simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophist… ===================== = Vulnerabilities = ===================== ∗∗∗ HPE fixes critical zero-day vulnerability disclosed in December ∗∗∗ --------------------------------------------- Hewlett Packard Enterprise (HPE) has released a security update to address a zero-day remote code execution vulnerability disclosed last year, in December. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hpe-fixes-critical-zero-day-… ∗∗∗ Drupal: Update schließt Cross-Site-Scripting-Lücke in mehreren CMS-Versionen ∗∗∗ --------------------------------------------- Die Programmbibliothek CKEditor, die vom Drupal-Core verwendet wird, barg unter bestimmten Umständen Angriffsmöglichkeiten. Für Core & Library gibt es Updates. --------------------------------------------- https://heise.de/-6055672 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (djvulibre), Fedora (slapi-nis and upx), Gentoo (ceph and nginx), openSUSE (python-httplib2 and rubygem-actionpack-5_1), Slackware (curl), SUSE (curl, libX11, and python-httplib2), and Ubuntu (isc-dhcp, lz4, and nginx). --------------------------------------------- https://lwn.net/Articles/857460/ ∗∗∗ Vulnerabilities in Visual Studio Code Extensions Expose Developers to Attacks ∗∗∗ --------------------------------------------- Vulnerabilities in Visual Studio Code extensions could be exploited by malicious attackers to steal valuable information from developers and even compromise organizations, researchers with open-source software security firm Snyk say. --------------------------------------------- https://www.securityweek.com/vulnerabilities-visual-studio-code-extensions-… ∗∗∗ GENIVI Alliance DLT ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in GENIVI Alliance DLT-Daemon software component. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-01 ∗∗∗ Johnson Controls Sensormatic Electronics VideoEdge ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Off-by-one Error vulnerability in Sensormatic Electronics VideoEdge surveillance systems. Sensormatic Electronics is a subsidiary of Johnson Controls. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-02 ∗∗∗ Siemens JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- This advisory contains mitigations for Untrusted Pointer Dereference, Out-of-bounds Read, and Stack-based Buffer Overflow vulnerabilities in Siemens JT2Go and Teamcenter Visualization products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-04 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric iQ-R Series CPU modules. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-147-05 ∗∗∗ Internet Systems Consortium DHCP: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0587 ∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Undocumented Account ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021050156 ∗∗∗ CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded Web Application Administrator Password ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021050155 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2021-20229) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within IBM® Runtime Environment Java™ Technology Edition (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services ( CVE-2021-3393) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server April 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-aff… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in IBM® Runtime Environment Java™ Technology Edition. (CVE-2020-14779) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2020-10733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bypass-vulnerabi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.05.2021
by Daily end-of-shift report 26 May '21

26 May '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-05-2021 18:00 − Mittwoch 26-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kaspersky Security Bulletin 2020-2021. EU statistics ∗∗∗ --------------------------------------------- The statistics in this report cover the period from May 2020 to April 2021, inclusive. --------------------------------------------- https://securelist.com/kaspersky-security-bulletin-2020-2021-eu-statistics/… ∗∗∗ Smart lighting security ∗∗∗ --------------------------------------------- RJ45 connections delivering Power over Ethernet are becoming prevalent in light fittings, a result of the lower power demands from LED fittings. This creates potential for uninformed installers to inadvertently bridge network security controls through connecting the light fittings to existing networking equipment. ... Radio protocols can also lead to compromise if not done securely; Bluetooth Classic, BLE, Z-Wave and many other protocols can be exploited if not configured correctly. --------------------------------------------- https://www.pentestpartners.com/security-blog/smart-lighting-security/ ∗∗∗ The Attack Path Management Manifesto ∗∗∗ --------------------------------------------- The primary goal of Attack Path Management (APM) is to directly solve the problem of Attack Paths. Today, the problem of Attack Paths is felt most acutely in the world of Microsoft Active Directory and Azure Active Directory. These platforms provide the greatest payoff for attackers, since taking control of the fundamental identity platform for an enterprise grants full control of all users, systems, and data in that enterprise --------------------------------------------- https://posts.specterops.io/the-attack-path-management-manifesto-3a3b117f5e5 ∗∗∗ CVE-2021-22909- Digging into a Ubiquiti Firmware Update bug ∗∗∗ --------------------------------------------- Back In February, Ubiquiti released a new firmware update for the Ubiquiti EdgeRouter, fixing CVE-2021-22909/ZDI-21-601. The vulnerability lies in the firmware update procedure and allows a man-in-the-middle (MiTM) attacker to execute code as root on the device by serving a malicious firmware image when the system performs an automatic firmware update. ... The impact of this vulnerability is quite nuanced and worthy of further discussion. --------------------------------------------- https://www.thezdi.com/blog/2021/5/24/cve-2021-22909-digging-into-a-ubiquit… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗ --------------------------------------------- Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing. --------------------------------------------- https://kb.cert.org/vuls/id/799380 ∗∗∗ CVE-2020-14145 ∗∗∗ --------------------------------------------- A vulnerability in OpenSSH <= 8.6 allows a man in the middle attack to determine, if a client already has prior knowledge of the remote hosts fingerprint. Using this information leak it is possible to ignore clients, which will show an error message during an man in the middle attack, while new clients can be intercepted without alerting them of the man in the middle attack. [...] At the moment, the only option to mitigate this vulnerability is to set HostKeyAlgorithms in your config file. --------------------------------------------- https://docs.ssh-mitm.at/CVE-2020-14145.html ∗∗∗ Sicherheitsupdates: Kritische Schadcode-Lücke bedroht VMware vCenter Server ∗∗∗ --------------------------------------------- Die Servermanagementsoftware vCenter Server ist verwundbar. Angreifer könnten Schadcode ausführen. --------------------------------------------- https://heise.de/-6054003 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (djvulibre, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gupnp, hivex, lz4, matrix-synapse, prometheus, python-pydantic, runc, thunderbird, and websvn), Fedora (composer, moodle, and wordpress), Gentoo (bash, boost, busybox, containerd, curl, dnsmasq, ffmpeg, firejail, gnome-autoar, gptfdisk, icu, lcms, libX11, mariadb, mumble, mupdf, mutt, mysql, nettle, nextcloud-client, opensmtpd, openssh, openvpn, php, postgresql, prosody, rxvt-unicode, samba, screen, smarty, spamassassin, squid, stunnel, tar, tcpreplay, telegram-desktop), openSUSE (Botan), Red Hat (kernel), Slackware (gnutls), SUSE (hivex, libu2f-host, rubygem-actionpack-5_1), Ubuntu (apport, exiv2, libx11). --------------------------------------------- https://lwn.net/Articles/857352/ ∗∗∗ Cisco ADE-OS Local File Inclusion Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Finesse Open Redirect Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces Connector Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces Connector Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SSA-119468: Luxion KeyShot Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-119468.txt ∗∗∗ Security Advisory - Out-of-Bounds Read Vulnerability On Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210526-… ∗∗∗ Security Advisory - Possible Out-Of-Bounds Read Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210526-… ∗∗∗ Security Advisory - Improper Licenses Management Vulnerability in Some Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210407-… ∗∗∗ Security Bulletin: Mitigations are being announced to address CVE-2020-4839 and CVE-2021-29695 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mitigations-are-being-ann… ∗∗∗ Security Bulletin: WebSphere Application Server Java Batch is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM® Db2® 'Check for Updates' process is vulnerable to DLL hijacking (CVE-2019-4588) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-check-for-updates… ∗∗∗ Security Bulletin: Mitigations are being announced to address CVE-2020-4839 and CVE-2021-29695 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mitigations-are-being-ann… ∗∗∗ Security Bulletin: Data protection rules and policies are not enforced on virtualized objects ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-protection-rules-and… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2021-20487 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM License Key Server Administration and Reporting Tool is impacted by multiple vulnerabilities in jQuery, Bootstrap and AngularJS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-license-key-server-ad… ∗∗∗ Overview of NGINX vulnerabilities (May 2021) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52559937?utm_source=f5support&utm_mediu… ∗∗∗ NGINX Plus and Open Source vulnerability CVE-2021-23017 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12331123?utm_source=f5support&utm_mediu… ∗∗∗ Datakit Libraries bundled in Luxion KeyShot ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-145-01 ∗∗∗ Rockwell Automation Micro800 and MicroLogix 1400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-145-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.05.2021
by Daily end-of-shift report 25 May '21

25 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-05-2021 18:00 − Dienstag 25-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht bei SMS-Benachrichtigungen zum Lieferstatus einer Bestellung ∗∗∗ --------------------------------------------- Sie erwarten ein Paket? Dann sollten Sie besonders vorsichtig sein, wenn Sie per SMS, Informationen über den Status Ihrer Bestellung erhalten, denn Kriminelle versenden momentan massenhaft gefälschte Lieferbenachrichtigungen. Um Details zu erfahren, werden Sie aufgefordert auf einen Link zu klicken. Tun Sie das keinesfalls, [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-sms-benachrichtigungen-… ∗∗∗ Jetzt patchen! Kritische Windows-Lücke betrifft mehr Systeme als gedacht ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat eine weitere verwundbare Komponente in Windows-Systemen entdeckt. Updates sind bereits verfügbar. --------------------------------------------- https://heise.de/-6052749 ∗∗∗ Qnap sichert NAS spät gegen Qlocker-Attacken ab ∗∗∗ --------------------------------------------- Seit April hat es ein Erpressungstrojaner auf Netzwerkspeicher von Qnap abgesehen. Erst jetzt gibt es Sicherheitspatches. --------------------------------------------- https://heise.de/-6052783 ∗∗∗ Evolution of JSWorm ransomware ∗∗∗ --------------------------------------------- There are times when a single ransomware family has evolved from a mass-scale operation to a highly targeted threat - all in the span of two years. In this post we want to talk about one of those families, named JSWorm. --------------------------------------------- https://securelist.com/evolution-of-jsworm-ransomware/102428/ ∗∗∗ "Serverless" Phishing Campaign, (Sat, May 22nd) ∗∗∗ --------------------------------------------- The Internet is full of code snippets and free resources that you can embed in your projects. SmtpJS is one of those small projects that are very interesting for developers but also bad guys. It's the first time that I spot a phishing campaign that uses this piece of JavaScript code. --------------------------------------------- https://isc.sans.edu/diary/rss/27446 ∗∗∗ Video: Making Sense Of Encrypted Cobalt Strike Traffic, (Sun, May 23rd) ∗∗∗ --------------------------------------------- Brad posted another malware analysis with capture file of Cobalt Strike traffic. --------------------------------------------- https://isc.sans.edu/diary/rss/27448 ∗∗∗ Web Applications and Internal Penetration Tests ∗∗∗ --------------------------------------------- Until recently, I really didnt care about web applications on an internal penetration test. Whether it was as an entry point or target, I was not interested, since I typically had far better targets and could compromise the networks anyway. However, the times have changed, internal environments are much more restricted, not many services are exposed, and applications are the main reason for the tests. This is not supposed to be a guide to analyze web applications, but some thoughts [...] --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/web-applica… ∗∗∗ Apple‌ Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS ∗∗∗ --------------------------------------------- Apple on Monday rolled out security updates for iOS, macOS, tvOS, watchOS, and Safari web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur and expand patches for two previously disclosed zero-day flaws. Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apples Transparency, Consent, and Control (TCC) framework in macOS --------------------------------------------- https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.ht… ∗∗∗ OT Systems Increasingly Targeted by Unsophisticated Hackers: Mandiant ∗∗∗ --------------------------------------------- Unsophisticated threat actors - in many cases motivated by financial gain - have increasingly targeted internet-exposed operational technology (OT) systems, according to research conducted by Mandiant, FireEye’s threat intelligence and incident response unit. --------------------------------------------- https://www.securityweek.com/ot-systems-increasingly-targeted-unsophisticat… ∗∗∗ DarkChronicles: the consequences of the Colonial Pipeline attack ∗∗∗ --------------------------------------------- This article began as an overview of the Colonial Pipeline incident. However, the events unfolded so rapidly that the scope of the publication has gone beyond a single incident. --------------------------------------------- https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-conseq… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#799380: Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure ∗∗∗ --------------------------------------------- Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing. --------------------------------------------- https://kb.cert.org/vuls/id/799380 ∗∗∗ VU#667933: Pulse Connect Secure Samba buffer overflow ∗∗∗ --------------------------------------------- Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code. --------------------------------------------- https://kb.cert.org/vuls/id/667933 ∗∗∗ Trend Micro: Home Network Security Station gegen drei Schwachstellen abgesichert ∗∗∗ --------------------------------------------- Ein Firmware-Update schützt Home Network Security Stations vor Angriffsmöglichkeiten, von denen zwei, obwohl nur lokal ausnutzbar, hohe Risiken bergen sollen. --------------------------------------------- https://heise.de/-6053146 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libx11, prosody, and ring), Fedora (ceph, glibc, kernel, libxml2, python-pip, slurm, and tpm2-tss), Mageia (bind, libx11, mediawiki, openjpeg2, postgresql, and thunderbird), openSUSE (Botan, cacti, cacti-spine, chromium, djvulibre, fribidi, graphviz, java-1_8_0-openj9, kernel, libass, libxml2, lz4, and python-httplib2), and Slackware (expat). --------------------------------------------- https://lwn.net/Articles/857132/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (python-eventlet), openSUSE (grub2 and mpv), and Red Hat (kpatch-patch and rh-ruby25-ruby). --------------------------------------------- https://lwn.net/Articles/857212/ ∗∗∗ [20210503] - Core - CSRF in data download endpoints ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/854-20210503-core-csrf-in-… ∗∗∗ [20210502] - Core - CSRF in AJAX reordering endpoint ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/853-20210502-core-csrf-in-… ∗∗∗ [20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/852-20210501-core-adding-h… ∗∗∗ Pulse Secure VPNs Get Quick Fix for Critical RCE ∗∗∗ --------------------------------------------- https://threatpost.com/pulse-secure-vpns-critical-rce/166437/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ NGINX Controller vulnerability CVE-2021-23018 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97002210 ∗∗∗ NGINX Controller vulnerability CVE-2021-23021 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36926027 ∗∗∗ NGINX Controller vulnerability CVE-2021-23020 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45263486 ∗∗∗ SYSS-2021-010: Path Traversal in LANCOM R&S Unified Firewalls ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-010-path-traversal-in-lancom-rs-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.05.2021
by Daily end-of-shift report 21 May '21

21 May '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-05-2021 18:00 − Freitag 21-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mail-Verschlüsselung: Thunderbird schlampte mit PGP-Schlüsseln ∗∗∗ --------------------------------------------- Die OpenPGP-Implementierung des Open-Source-Mailers Thunderbird speicherte die geheimen Schlüssel im Klartext. --------------------------------------------- https://heise.de/-6051767 ∗∗∗ QNAP confirms Qlocker ransomware used HBS backdoor account ∗∗∗ --------------------------------------------- QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-confirms-qlocker-ransom… ∗∗∗ Locking Kernel32.dll As Anti-Debugging Technique, (Fri, May 21st) ∗∗∗ --------------------------------------------- For bad guys, the implementation of techniques to prevent Security Analysts to perform their job is key! The idea is to make our life more difficult (read: "frustrating"). There are plenty of techniques that can be implemented but it's an ever-ongoing process. --------------------------------------------- https://isc.sans.edu/diary/rss/27444 ∗∗∗ Double-Encrypting Ransomware ∗∗∗ --------------------------------------------- This seems to be a new tactic: Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A and then re-encrypt that data with ransomware B. The other path involves what Emsisoft calls a “side-by-side encryption” attack, in which attacks encrypt some of an organization’s systems with ransomware A and others with ransomware B. In that case, data is only encrypted once, but a victim would need both decryption keys to unlock everything. --------------------------------------------- https://www.schneier.com/blog/archives/2021/05/double-encrypting-ransomware… ∗∗∗ 21nails: Reporting on Vulnerable SMTP/Exim Servers ∗∗∗ --------------------------------------------- We have recently started to perform a full IPv4 Internet-wide scan for accessible SMTP services and will report out possible vulnerabilities that have been observed, with a current focus on Exim (in the future non-Exim vulnerabilities may be added). We scan by performing a connection to port 25, recognizing an SMTP response and collecting the banner served. These connections look just like a normal SMTP connection, there is not any attempt to exploit the port, only to collect the banner [...] --------------------------------------------- https://www.shadowserver.org/news/21nails-reporting-on-vulnerable-smtp-exim… ∗∗∗ Project Zero: Fuzzing iOS code on macOS at native speed ∗∗∗ --------------------------------------------- This short post explains how code compiled for iOS can be run natively on Apple Silicon Macs. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/05/fuzzing-ios-code-on-macos-at… ∗∗∗ Microsoft Unveils SimuLand: Open Source Attack Techniques Simulator ∗∗∗ --------------------------------------------- Microsoft this week announced the availability of SimuLand, an open source tool that enables security researchers to reproduce attack techniques in lab environments. --------------------------------------------- https://www.securityweek.com/microsoft-unveils-simuland-open-source-attack-… ∗∗∗ Getting a persistent shell on a 747 IFE ∗∗∗ --------------------------------------------- TL:DR The Coronavirus pandemic has hit the airline industry hard. One sad consequence was early retirement of most of the 747 passenger fleet. This does however create opportunities for aviation security research, [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/getting-a-persistent-shell-on… ∗∗∗ New YouTube Video Series: Everything you ever wanted to know about DNS and more!, (Thu, May 20th) ∗∗∗ --------------------------------------------- [...] I planned this video series a couple months ago, and figured that this would be easy. I know DNS... but each time I look at DNS, I learn something new, so it has taken a while to get the first episodes together, and today I am releasing the first one. --------------------------------------------- https://isc.sans.edu/diary/rss/27440 ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Heap-based buffer overflow in Google Chrome could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome. --------------------------------------------- https://blog.talosintelligence.com/2021/05/vuln-spotlight-google-chrome-hea… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ceph, chromium, firefox, gitlab, hedgedoc, keycloak, libx11, mariadb, opendmarc, prosody, python-babel, python-flask-security-too, redmine, squid, and vivaldi), Debian (lz4), Fedora (ceph and python-pydantic), and openSUSE (cacti, cacti-spine). --------------------------------------------- https://lwn.net/Articles/856902/ ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerabilitiy has been fixed in IBM Security Identity Manager Virtual Appliance(CVE-2019-17006) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerabilitiy… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by an Information disclosure vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js affect IBM Spectrum Control ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-xstrea… ∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability which could allow access to sensitive information ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.05.2021
by Daily end-of-shift report 20 May '21

20 May '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-05-2021 18:00 − Donnerstag 20-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exchange bleibt Hauptangriffsziel in der Microsoft-Cloud ∗∗∗ --------------------------------------------- Vectra AI hat die zehn wichtigsten Bedrohungen in Azure AD und Office 365 aufgelistet. Exchange bleibt für Angreifer offenbar unverändert attraktiv. --------------------------------------------- https://heise.de/-6050650 ∗∗∗ Cisco bringt Security-Updates ∗∗∗ --------------------------------------------- Cisco hat einige Updates zu Sicherheitsprodukten angekündigt, darunter das Major Release 7.0 der Secure Firewall Threat Defense und die Integration von Snort 3. --------------------------------------------- https://heise.de/-6049957 ∗∗∗ Attacken auf Android: Jetzt patchen! Wenn es denn Sicherheitsupdates gibt ... ∗∗∗ --------------------------------------------- Derzeit haben es Angreifer auf Android-Geräte abgesehen. Patches gibt es aber in der Regel nur für aktuelle Smartphones und Tablets. --------------------------------------------- https://heise.de/-6050515 ∗∗∗ Fake-Shops: So erkennen Sie betrügerische Online-Shops! ∗∗∗ --------------------------------------------- Das Problem betrügerischer Online-Shops - besser bekannt als Fake-Shops - nimmt weiterhin zu. Damit Sie die unterschiedlichen Arten von Fake-Shops schnell erkennen, beschreiben wir im folgenden Artikel die gängigsten Formen und worauf bei diesen besonders aufzupassen ist. Ein Einkauf in einem Fake-Shop kann Sie nämlich wahrlich teuer zu stehen kommen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-so-erkennen-sie-betrueger… ∗∗∗ Qlocker ransomware shuts down after extorting hundreds of QNAP users ∗∗∗ --------------------------------------------- The Qlocker ransomware gang has shut down their operation after earning $350,000 in a month by exploiting vulnerabilities in QNAP NAS devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qlocker-ransomware-shuts-dow… ∗∗∗ Keksec Cybergang Debuts Simps Botnet for Gaming DDoS ∗∗∗ --------------------------------------------- The newly discovered malware infects IoT devices in tandem with the prolific Gafgyt botnet, using known security vulnerabilities. --------------------------------------------- https://threatpost.com/keksec-simps-botnet-gaming-ddos/166306/ ∗∗∗ BazarCall: Call Centers Help Spread BazarLoader Malware ∗∗∗ --------------------------------------------- Call center operators offer to personally guide victims through a process designed to infect vulnerable computers with BazarLoader malware. --------------------------------------------- https://unit42.paloaltonetworks.com/bazarloader-malware/ ∗∗∗ Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have updated Joint Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Disruption from Ransomware Attacks, originally released May 11, 2021. This update provides a downloadable STIX file of indicators of compromise (IOCs) to help network defenders find and mitigate activity associated with DarkSide ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/19/update-cisa-fbi-j… ∗∗∗ Misconfiguration of third party cloud services exposed data of over 100 million users ∗∗∗ --------------------------------------------- After examining 23 Android applications, Check Point Research (CPR) noticed mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third party cloud services. Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors could lead to fraud, identity-theft and service swipes. --------------------------------------------- https://blog.checkpoint.com/2021/05/20/misconfiguration-of-third-party-clou… ∗∗∗ Microsoft warns of malware campaign spreading a RAT masquerading as ransomware ∗∗∗ --------------------------------------------- The Microsoft security team has published details on Wednesday about a malware campaign that is currently spreading a remote access trojan named STRRAT that steals data from infected systems while masquerading as a ransomware attack. --------------------------------------------- https://therecord.media/microsoft-warns-of-malware-campaign-spreading-a-rat… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-601: Ubiquiti Networks EdgeOS Improper Certificate Validation Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ubiquiti Networks EdgeOS on EdgeRouter X, EdgeRouter Pro X SFP, EdgeRouter 10X and EdgePoint 6-port routers. User interaction is required to exploit this vulnerability in that an administrator must perform a firmware update on the device. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-601/ ∗∗∗ Vulnerability Spotlight: Information disclosure vulnerability in macOS SMB server ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable integer overflow vulnerability in Apple macOS’ SMB server that could lead to information disclosure. --------------------------------------------- https://blog.talosintelligence.com/2021/05/vuln-spotlight-smb-information-d… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cacti, cacti-spine, exif, firefox, kernel, mariadb, and thunderbird), Mageia (kernel, kernel-linus, and libxml2), openSUSE (exim and jhead), Oracle (slapi-nis and xorg-x11-server), Scientific Linux (slapi-nis and xorg-x11-server), Slackware (libX11), SUSE (djvulibre, fribidi, graphviz, grub2, libass, libxml2, lz4, python-httplib2, redis, rubygem-actionpack-4_2, and xen), and Ubuntu (pillow and python-babel). --------------------------------------------- https://lwn.net/Articles/856775/ ∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/05/20/cisco-releases-se… ∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM Developer for z Systems. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Identity Manager Virtual Appliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability within libcurl (CVE-2020-8284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v… ∗∗∗ Security Bulletin: A security vulnerability in Node.js netmask module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js netmask module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability in IBM® Runtime Environment Java™ ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp… ∗∗∗ Security Bulletin: A security vulnerability in Node.js braces and netmask module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: A security vulnerability in Node.js lodash module affects IBM Cloud Pak for Multicloud Management Managed Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Identity Manager (CVE-2021-29687, CVE-2021-29688) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-014 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.05.2021
by Daily end-of-shift report 19 May '21

19 May '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-05-2021 18:00 − Mittwoch 19-05-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MountLocker ransomware uses Windows API to worm through networks ∗∗∗ --------------------------------------------- The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-… ∗∗∗ Transparent Tribe APT Infrastructure Mapping ∗∗∗ --------------------------------------------- Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) is the name given to a threat actor group largely targeting Indian entities and assets. --------------------------------------------- https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure… ∗∗∗ May 2021 Forensic Contest: Answers and Analysis, (Wed, May 19th) ∗∗∗ --------------------------------------------- You can still find the pcap for our May 2021 forensic contest at this Github repository. --------------------------------------------- https://isc.sans.edu/diary/rss/27430 ∗∗∗ When Intrusions Don’t Align: A New Water Watering Hole and Oldsmar ∗∗∗ --------------------------------------------- The purpose behind this investigative anecdote on the “water watering hole” is educational and highlights how sometimes two intrusions just don’t line up together no matter how much coincidence there is. --------------------------------------------- https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/ ∗∗∗ Instagram-NutzerInnen aufgepasst: Unseriöse Shops locken mit angeblicher Kooperation! ∗∗∗ --------------------------------------------- Auf Instagram tauchen immer wieder unseriöse Online-Shops auf. Die BetreiberInnen dieser Shops wenden unterschiedliche Maschen an, um ihre Produkte zu bewerben. --------------------------------------------- https://www.watchlist-internet.at/news/instagram-nutzerinnen-aufgepasst-uns… ∗∗∗ Crypto-mining gangs are running amok on free cloud computing platforms ∗∗∗ --------------------------------------------- Over the course of the last few months, some crypto-mining gangs have switched their modus operandi from attacking and hijacking unpatched servers to abusing the free tiers of cloud computing platforms. --------------------------------------------- https://therecord.media/crypto-mining-gangs-are-running-amok-on-free-cloud-… ===================== = Vulnerabilities = ===================== ∗∗∗ Pega Infinity patches authentication vulnerability ∗∗∗ --------------------------------------------- Pega Infinity is a popular enterprise software and researchers found a flaw in the authentication process by using a password reset weakness. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/pega-inf… ∗∗∗ Over 600,000 Sites Impacted by WP Statistics Patch ∗∗∗ --------------------------------------------- On March 13, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a vulnerability in WP Statistics, a plugin installed on over 600,000 WordPress sites. --------------------------------------------- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-sta… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cacti, cacti-spine, exif, and hivex), Red Hat (bash, bind, bluez, brotli, container-tools:rhel8, cpio, curl, dotnet3.1, dotnet5.0, dovecot, evolution, exiv2, freerdp, ghostscript, glibc, GNOME, go-toolset:rhel8, grafana, gssdp and gupnp, httpd:2.4, idm:DL1, idm:DL1 and idm:client, ipa, kernel, kernel-rt, krb5, libdb, libvncserver, libxml2, linux-firmware, mailman:2.1, mingw packages, NetworkManager and libnma, opensc, p11-kit, pandoc, perl, [...] --------------------------------------------- https://lwn.net/Articles/856649/ ∗∗∗ Researchers Find Exploitable Bugs in Mercedes-Benz Cars ∗∗∗ --------------------------------------------- Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution. --------------------------------------------- https://www.securityweek.com/researchers-find-exploitable-bugs-mercedes-ben… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Advisory - Resource Management Error Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Huawei CloudEngine Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210519-… ∗∗∗ Security Bulletin: Client-side HTTP Parameter Pollution in WAS Intelligent Management Admin console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-client-side-http-paramete… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jackson-Databind Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Access Control Security Vulnerability Exists in Dashboard User Interface of IBM Sterling B2B Integrator (CVE-2020-4646) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-access-control-security-v… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerablities in IBM SDK, Java Technology Edition Quarterly. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablities-in-ibm-sdk… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM Cloud Pak for Multicloud Management Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM Developer for z Systems. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Gdk-pixbuf vulnerability CVE-2017-2862 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36984830 ∗∗∗ Linux kernel vulnerability CVE-2019-20811 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52525232 ∗∗∗ BIND vulnerability CVE-2021-25215 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K96223611 ∗∗∗ BIND vulnerability CVE-2021-25214 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11426315 ∗∗∗ BOSCH-SA-350374: Vulnerability in the routing protocol of the PLC runtime ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-350374.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.05.2021
by Daily end-of-shift report 18 May '21

18 May '21

===================== = End-of-Day report = ===================== Timeframe: Montag 17-05-2021 18:00 − Dienstag 18-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitsupdate steht noch aus: Root-Lücke in Pulse Connect Secure ∗∗∗ --------------------------------------------- Angreifer könnten VPN Appliances vom Typ Pulse Connect Secure attackieren. Bislang ist nur eine Übergangslösung zu Absicherung verfügbar. --------------------------------------------- https://heise.de/-6048342 ∗∗∗ Unternehmen erhalten gefälschtes Schreiben vom "WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe" ∗∗∗ --------------------------------------------- Zahlreiche UnternehmerInnen erhalten momentan einen Brief vom „WD - Wirtschaftsdienst für Industrie, Handel & Gewerbe“ – angeblich eine Behörde zur Verwaltung von Firmendaten. Im Schreiben werden Sie aufgefordert, Ihre Daten zu überprüfen und ggf. zu korrigieren und zu ergänzen. Tun Sie das keinesfalls – es handelt sich um Betrug. Sie werden in eine Abo-Falle gelockt! --------------------------------------------- https://www.watchlist-internet.at/news/unternehmen-erhalten-gefaelschtes-sc… ∗∗∗ Ransomware victim shows why transparency in attacks matters ∗∗∗ --------------------------------------------- As devastating ransomware attacks continue to have far-reaching consequences, companies still try to hide the attacks rather than be transparent. Below we highlight a companys response to an attack that should be used as a model for all future disclosures. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-victim-shows-why-… ∗∗∗ Codecov hackers gained access to Monday.com source code ∗∗∗ --------------------------------------------- Monday.com has recently disclosed the impact of the Codecov supply-chain attack that affected multiple companies. As reported by BleepingComputer last month, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months. --------------------------------------------- https://www.bleepingcomputer.com/news/security/codecov-hackers-gained-acces… ∗∗∗ DarkSide Hits Toshiba; XSS Forum Bans Ransomware ∗∗∗ --------------------------------------------- The criminal forum washed its hands of ransomware after DarkSides pipeline attack & alleged shutdown: A "loss of servers" that didnt stop another attack. --------------------------------------------- https://threatpost.com/darkside-toshiba-xss-bans-ransomware/166210/ ∗∗∗ From RunDLL32 to JavaScript then PowerShell, (Tue, May 18th) ∗∗∗ --------------------------------------------- I spotted an interesting script on VT a few days ago and it deserves a quick diary because it uses a nice way to execute JavaScript on the targeted system. The technique used in this case is based on very common LOLbin: RunDLL32.exe. The goal of the tool is, as the name says, to load a DLL and execute one of its exported function: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27428 ∗∗∗ Exploitation of Sharepoint 2016: Simple Things Matter – Case Study ∗∗∗ --------------------------------------------- This story started during one of my recent assessments when I was assigned for a test of an on-premise internal Sharepoint 2016 site. Initial enumeration showed that the target runs Sharepoint version 16.0.0.4681. I assumed this based on the response header MicrosoftSharePointTeamServices returned by the application (and you can estimate that version was released somewhere in April 2018). At that point, I started looking for publicly known exploits and research papers. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploitatio… ∗∗∗ Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic ∗∗∗ --------------------------------------------- During a recent operation, the Red Team got local admin privileges on a workstation where an EDR solution was identified. In this scenario, the next step to proceed with the engagement was to infect and persist on the compromised system, towards securing remote access. --------------------------------------------- https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-… ∗∗∗ Scammers Impersonating Windows Defender to Push Malicious Windows Apps ∗∗∗ --------------------------------------------- Summary points: Scammers are increasingly using Windows Push Notifications to impersonate legitimate alerts Recent campaigns pose as a Windows Defender Update Victims end up allowing the installation of a malicious Windows Application that targets user and system information Browser push notifications can highly resemble Windows system notifications. As recently discussed, scammers are abusing push notifications […]The post Scammers Impersonating Windows Defender to Push Malicious --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-impersonating… ∗∗∗ CVE-2021-31166: A Wormable Code Execution Bug in HTTP.sys ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Kc Udonsi and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in the Microsoft Internet Information Services (IIS) for Windows. The bug was originally discovered by the Microsoft Platform Security & Vulnerability Research team. The following is a portion of their write-up covering CVE-2021-31166, with a few minimal modifications. --------------------------------------------- https://www.thezdi.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execut… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-594: (0Day) Microsoft Windows JET Database Engine Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-594/ ∗∗∗ About the security content of Boot Camp 6.1.14 ∗∗∗ --------------------------------------------- Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved state management. --------------------------------------------- https://support.apple.com/en-us/HT212517 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, curl, prosody, and ruby-rack-cors), Fedora (dotnet3.1 and dotnet5.0), openSUSE (ibsim and prosody), SUSE (kernel and python3), and Ubuntu (caribou and djvulibre). --------------------------------------------- https://lwn.net/Articles/856496/ ∗∗∗ Emerson Rosemount X-STREAM ∗∗∗ --------------------------------------------- This advisory contains mitigations for Inadequate Encryption Strength, Unrestricted Upload of File with Dangerous Type, Path Traversal, Use of Persistent Cookies Containing Sensitive Information, Cross-site Scripting, and Improper Restriction of Rendered UI Layers or Frames vulnerabilities for the Rosemount X-STREAM Gas Analyzer. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-138-01 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0536 ∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0533 ∗∗∗ KLCERT-20-021: Moxa NPort IA5000A Series. Cleartext Transmission of Sensitive Information via Moxa Service ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ KLCERT-20-020: Moxa NPort IA5000A Series. Using the Telnet service ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ KLCERT-20-019: Moxa NPort IA5000A Series. Passwords stored in plaintext ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ KLCERT-20-018: Moxa NPort IA5000A Series. Broken access control ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klce… ∗∗∗ Security Bulletin: A vulnerabilities in IBM Java affects IBM Developer for z Systems. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-in-ibm-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4757, PSIRT-ADV0028011, CVE-2020-4934 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in PostgreSQL Affect IBM Connect:Direct Web Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3449, CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.05.2021
by Daily end-of-shift report 17 May '21

17 May '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-05-2021 18:00 − Montag 17-05-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit released for wormable Windows HTTP vulnerability ∗∗∗ --------------------------------------------- Proof-of-concept exploit code has been released over the weekend for a critical wormable vulnerability in the latest Windows 10 and Windows Server versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-wormabl… ∗∗∗ Bizarro banking Trojan expands its attacks to Europe ∗∗∗ --------------------------------------------- Bizarro is yet another banking Trojan family originating from Brazil that steals credentials from customers of 70 banks from different European and South American countries. --------------------------------------------- https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe… ∗∗∗ Ransomware Defenses, (Mon, May 17th) ∗∗∗ --------------------------------------------- Ransomware attacks continue to be in the headlines everywhere, and are also an almost weekly reoccurring subject in the SANS Newsbites. As useful as many of the reports are that security firms and researchers publish on the subject, they often focus heavily on one particular incident or type of ransomware, and the associated "indicators of compromise" (IOCs). We already covered before how IOCs can turn into IOOI's (Indicators of Outdated Intelligence), and how to try to [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27420 ∗∗∗ AHK RAT Loader Used in Unique Delivery Campaigns ∗∗∗ --------------------------------------------- The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that started in February of this year. This campaign is unique in that it heavily uses the AutoHotKey scripting language - a fork of the AutoIt language that is frequently used for testing purposes. --------------------------------------------- https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-camp… ∗∗∗ Take action now - FluBot malware may be on its way ∗∗∗ --------------------------------------------- Why FluBot is a major threat for Android users, how to avoid falling victim, and how to get rid of the malware if your device has already been compromised --------------------------------------------- https://www.welivesecurity.com/2021/05/17/take-action-now-flubot-malware-ma… ∗∗∗ Two attacks disclosed against AMD’s SEV virtual machine protection system ∗∗∗ --------------------------------------------- Chipmaker AMD has issued guidance this week for two attacks against its SEV (Secure Encrypted Virtualization) technology that protects virtual machines from rogue operating systems. The two attacks, documented in two academic papers, can allow a threat actor to inject malicious code inside SEV-encrypted virtual machines, giving them full control over the VMs operating system. --------------------------------------------- https://therecord.media/two-attacks-disclosed-against-amds-sev-virtual-mach… ===================== = Vulnerabilities = ===================== ∗∗∗ Beckhoff Security Advisory 2021-002: Stack Overflow and XXE vulnerability in various OPC UA products ∗∗∗ --------------------------------------------- The affected products can act as OPC UA client or server and are vulnerable to two different kind of attacks via the OPC UA protocol. --------------------------------------------- https://download.beckhoff.com/download/document/product-security/Advisories… ∗∗∗ SSA-695540: ASM and PAR File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.2 ∗∗∗ --------------------------------------------- Siemens has released version V13.1.0.2 for JT2Go and Teamcenter Visualization to fix multiple vulnerabilities that could be triggered when the products read files in ASM and PAR file formats. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-695540.txt ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libimage-exiftool-perl and postgresql-9.6), Fedora (chromium, exiv2, firefox, kernel, kernel-headers, kernel-tools, mariadb, and python-impacket), Mageia (avahi), openSUSE (chromium, drbd-utils, dtc, ipvsadm, jhead, nagios, netdata, openvpn, opera, prosody, and virtualbox), Slackware (libxml2), SUSE (kernel and lz4), and Ubuntu (intel-microcode, python-eventlet, and rust-pleaser). --------------------------------------------- https://lwn.net/Articles/856437/ ∗∗∗ Security Bulletin: Multiple Apache Tomcat Vulnerabilities Affect IBM Control Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-tomcat-vu… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Guava Google Core Libraries Vulnerability Affects IBM Control Center (CVE-2020-8908) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-guava-google-core-librari… ∗∗∗ Security Bulletin: IBM InfoSphere DataStage is affected by an Information disclosure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-dataformat ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Apache Ant Vulnerabilities Affect IBM Control Center (CVE-2020-1945, CVE-2020-11979) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-ant-vulnerabilitie… ∗∗∗ Security Bulletin: Multiple CKEditor Vulnerabilities Affect IBM Control Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ckeditor-vulnera… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – Python (CVE-2020-15801) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: H2 Database Vulnerabilities Affect IBM Control Center (CVE-2018-10054, CVE-2018-14335) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-h2-database-vulnerabiliti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily May 2021