=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 15-06-2021 18:00 − Wednesday 16-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Avaddon ransomware's exit sheds light on victim landscape ∗∗∗
---------------------------------------------
A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/avaddon-ransomwares-exit-she…
∗∗∗ Protecting Against Ransomware – From the Human Perspective ∗∗∗
---------------------------------------------
SANS blog post on what ransomware is, how it works, and most importantly, how to empower your workforce to protect against it.
---------------------------------------------
https://www.sans.org/blog/protecting-against-ransomware-from-the-human-pers…
∗∗∗ Nokia Deepfield global analysis shows most DDoS attacks originate from fewer than 50 hosting companies ∗∗∗
---------------------------------------------
In-depth analysis across a large sample of networks globally fingerprints and traces the origins of most DDoS attacks (by frequency and traffic volume)[...]
---------------------------------------------
https://www.nokia.com/about-us/news/releases/2021/06/14/nokia-deepfield-glo…
∗∗∗ The First Step: Initial Access Leads to Ransomware ∗∗∗
---------------------------------------------
Ransomware attacks still use email -- but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access…
∗∗∗ Warning: Do not settle Amazon orders outside the platform! ∗∗∗
---------------------------------------------
Ordering via Amazon is for many an easy way to buy a wide variety of products in one place. But even on Amazon you come across fraudulent offers! If Amazon sellers want to handle the order via e-mail, you should be careful.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-amazon-bestellungen-nicht-au…
∗∗∗ On the Security of RFID-based TOTP Hardware Tokens ∗∗∗
---------------------------------------------
Matthias Deeg and Gerhard Klostermeier examined two different RFID-based TOTP hardware tokens, the OTCP-P2 and the Protectimus SLIM NFC.
---------------------------------------------
https://www.syss.de/pentest-blog/on-the-security-of-rfid-based-totp-hardwar…
∗∗∗ Ukrainian police arrest Clop ransomware members, seize server infrastructure ∗∗∗
---------------------------------------------
Multiple suspects believed to be linked to the Clop ransomware cartel have been detained in Ukraine this week after a joint operation from law enforcement agencies from Ukraine, South Korea, and the US.
---------------------------------------------
https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-sei…
=====================
= Vulnerabilities =
=====================
∗∗∗ Qnap: Updates for NAS fix remotely exploitable vulnerability ∗∗∗
---------------------------------------------
Operating system updates for Qnap's network-attached storage (NAS) close two vulnerabilities rated "Medium", one of which is attackable via the Internet.
---------------------------------------------
https://heise.de/-6072554
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (prosody, python-urllib3, and xen), Fedora (dino, dotnet3.1, dotnet5.0, and vmaf), Oracle (gupnp, kernel, and kernel-container), Red Hat (gupnp), Scientific Linux (kernel), SUSE (java-1_8_0-openjdk, kernel, snakeyaml, and xorg-x11-libX11), and Ubuntu (bluez).
---------------------------------------------
https://lwn.net/Articles/860004/
∗∗∗ ZDI-21-502: An Information Disclosure Bug in ISC BIND server ∗∗∗
---------------------------------------------
You should verify you have a patched version of BIND as many OS distributions provide BIND packages that differ from the official ISC release versions.
---------------------------------------------
https://www.thezdi.com/blog/2021/6/15/zdi-21-502-an-information-disclosure-…
∗∗∗ Security Advisory - Out-Of-Bounds Read Vulnerability On Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210616-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2021-20492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-…
∗∗∗ Security Bulletin: Stack-based Buffer Overflow vulnerabilities in IBM Spectrum Protect Back-up Archive Client and IBM Spectrum Protect for Space Management (CVE-2021-29672, CVE-2021-20546) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overfl…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affecting IBM Application Discovery and Delivery Intelligence V5.1.0.8, V5.1.0.9 and V6.0.0.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot for VMware (CVE-2020-27221, CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-14781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server terminates abnormally when executing a specifically crafted select statement. (CVE-2021-29702) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM Security Identity Manager Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20483, CVE-2021-20488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man…
∗∗∗ Security Bulletin: IBM MQ Appliance affected by an OpenSSL vulnerability (CVE-2020-1968) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected…
∗∗∗ Security Bulletin: Resilient App Host secrets are not encrypted (CVE-2021-20567) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-resilient-app-host-secret…
∗∗∗ Cross-Site Request Forgery Patched in WP Fluent Forms ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-i…
∗∗∗ Synology-SA-21:21 Audio Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_21_21
∗∗∗ Trend Micro InterScan Web Security Virtual Appliance: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0660
∗∗∗ ThroughTek P2P SDK ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01
∗∗∗ Automation Direct CLICK PLC CPU Modules ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-166-02
∗∗∗ SYSS-2021-022, SYSS-2021-023, SYSS-2021-025, SYSS-2021-026: Multiple vulnerabilities in HR software LOGA3 ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-022-syss-2021-023-syss-2021-025-…
∗∗∗ SYSS-2021-007: Protectimus SLIM NFC – External Control of System or Configuration Setting (CWE-15) (CVE-2021-32033) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-007-protectimus-slim-nfc-externa…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 14-06-2021 18:00 − Tuesday 15-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Paradise Ransomware source code released on a hacking forum ∗∗∗
---------------------------------------------
The complete source code for the Paradise Ransomware has been released on a hacking forum allowing any would-be cyber criminal to develop their own customized ransomware operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/paradise-ransomware-source-c…
∗∗∗ Andariel evolves to target South Korea with ransomware ∗∗∗
---------------------------------------------
In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload.
---------------------------------------------
https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomwa…
∗∗∗ Multi Perimeter Device Exploit Mirai Version Hunting For Sonicwall, DLink, Cisco and more, (Tue, Jun 15th) ∗∗∗
---------------------------------------------
Vulnerable perimeter devices remain a popular target, and we do see consistent exploit attempts against them.
---------------------------------------------
https://isc.sans.edu/diary/rss/27528
∗∗∗ Experts Shed Light On Distinctive Tactics Used by Hades Ransomware ∗∗∗
---------------------------------------------
Cybersecurity researchers on Tuesday disclosed "distinctive" tactics, techniques, and procedures (TTPs) adopted by operators of Hades ransomware that set it apart from the rest of the pack, attributing it to a financially motivated threat group called GOLD WINTER.
---------------------------------------------
https://thehackernews.com/2021/06/experts-shed-light-on-distinctive.html
∗∗∗ What’s past is prologue – A new world of critical infrastructure security ∗∗∗
---------------------------------------------
Attackers have targeted American critical infrastructure several times over the past few years, putting at risk U.S. electrical grids, oil pipelines and water supply systems.
---------------------------------------------
https://blog.talosintelligence.com/2021/06/new-world-after-pipeline-ransomw…
∗∗∗ Tracking Amazon delivery staff ∗∗∗
---------------------------------------------
The Amazon delivery tracking API allows ultra-precise tracking of drivers. Amazon claim that customers can only track the driver for the 10 stops prior to theirs.
---------------------------------------------
https://www.pentestpartners.com/security-blog/tracking-amazon-delivery-staf…
∗∗∗ Do not apply for loans on ulacglobalfinanzen.com ∗∗∗
---------------------------------------------
Are you looking for a loan and researching favourable terms on the Internet? You may then come across ulacglobalfinanzen.com, a dubious credit company offering great terms and uncomplicated processing. However, anyone who applies for a loan there loses money and hands personal data to criminals!
---------------------------------------------
https://www.watchlist-internet.at/news/beantragen-sie-kredite-nicht-auf-ula…
∗∗∗ Vishing: What is it and how do I avoid getting scammed? ∗∗∗
---------------------------------------------
How do vishing scams work, how do they impact businesses and individuals, and how can you protect yourself, your family and your business?
---------------------------------------------
https://www.welivesecurity.com/2021/06/14/vishing-what-is-it-how-avoid-gett…
∗∗∗ Ransomware attacks continue to surge, hitting a 93% increase year over year ∗∗∗
---------------------------------------------
The number of organizations impacted by ransomware has risen to 1210 in June 2021. Check Point Research sees a 41% increase in attacks since the beginning of 2021 and a 93% increase year over year.
---------------------------------------------
https://blog.checkpoint.com/2021/06/14/ransomware-attacks-continue-to-surge…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall closes denial-of-service hole in firewall operating system SonicOS ∗∗∗
---------------------------------------------
The web-based management interface of some SonicOS versions could have been taken down by means of specially crafted POST requests. Updates change that.
---------------------------------------------
https://heise.de/-6071069
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base, dhcp, firefox, glib2, hivex, kernel, postgresql, qemu-kvm, qt5-qtimageformats, samba, and xorg-x11-server), Fedora (kernel and kernel-tools), Oracle (kernel and postgresql), Red Hat (dhcp and gupnp), Scientific Linux (gupnp and postgresql), SUSE (postgresql10 and xterm), and Ubuntu (imagemagick).
---------------------------------------------
https://lwn.net/Articles/859842/
∗∗∗ iOS 12.5.4 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT212548
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential Cross Site Scripting (XSS) CVE-2020-5000 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2020-1971, CVE-2021-23840, CVE-2021-23841) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2020-27221, CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: IBM Event Streams is potentially affected by multiple node vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-pote…
∗∗∗ Security Bulletin: Genivia gSOAP vulnerabilities affect IBM Spectrum Protect for Virtual Environments:Data Protection for VMware and Spectrum Protect Client (CVE-2020-13575, CVE-2020-13578, CVE-2020-13574, CVE-2020-13577, CVE-2020-13576, ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-genivia-gsoap-vulnerabili…
∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10531) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-13947) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-27290) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a…
∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 11-06-2021 18:00 − Monday 14-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ DDoS attacks against companies in Austria ∗∗∗
---------------------------------------------
For several weeks, a group calling itself "Fancy Lazarus" has been trying to extort protection money by means of DDoS attacks and the threat of follow-up attacks. Comparable attacks have also occurred globally since August 2020 under similar names.
After we received reports from partner CERTs about attacks on targets in other EU states, several cases have now also occurred in Austria.
---------------------------------------------
https://cert.at/de/warnungen/2021/6/ddos-angriffe-gegen-unternehmen-in-oste…
∗∗∗ Password Attacks 101 ∗∗∗
---------------------------------------------
According to the 2020 Data Breaches report by Verizon, 25% of all breaches involved the use of stolen credentials. And for small businesses, that number hit 30%. Brute force attacks have a similar share, accounting for 18% of all breaches, and 34% of those for small businesses. Why are password attacks like brute forcing so effective? And how exactly do they work? Let’s take a look at three kinds of password attacks that present a real threat to sites and businesses of all sizes.
---------------------------------------------
https://blog.sucuri.net/2021/06/3-password-attacks-101.html
∗∗∗ Makers of the Avaddon ransomware give up and publish keys ∗∗∗
---------------------------------------------
A free decryption tool for victims of the Avaddon extortion trojan has been released.
---------------------------------------------
https://heise.de/-6070028
∗∗∗ Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords ∗∗∗
---------------------------------------------
The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly.
---------------------------------------------
https://www.wordfence.com/blog/2021/06/malicious-attack-campaign-targeting-…
∗∗∗ Micropatch for Another Remote Code Execution Issue in Internet Explorer (CVE-2021-31959) ∗∗∗
---------------------------------------------
Windows Updates brought a fix for another "Exploitation More Likely" memory corruption vulnerability in Scripting Engine (CVE-2021-26419) discovered by Ivan Fratric of Google Project Zero, very similar to this vulnerability, also discovered by Ivan and patched in May. Ivan published details and a proof-of-concept three days ago, and we used these to reproduce the vulnerability in our lab and create a micropatch for it.
---------------------------------------------
https://blog.0patch.com/2021/06/micropatch-for-another-remote-code.html
∗∗∗ Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs ∗∗∗
---------------------------------------------
I recently came across an interesting bug in the Microsoft Power Apps service which, despite its simplicity, can be leveraged by an attacker to gain persistent read/write access to a victim user’s email, Teams chats, OneDrive, Sharepoint and a variety of other services by way of a malicious Microsoft Teams tab and Power Automate flows. The bug has since been fixed by Microsoft, but in this blog we’re going to see how it /could/ have been exploited.
---------------------------------------------
https://medium.com/tenable-techblog/stealing-tokens-emails-files-and-more-i…
=====================
= Vulnerabilities =
=====================
∗∗∗ High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin ∗∗∗
---------------------------------------------
We initially reached out to the plugin’s developer on May 21, 2021. After receiving confirmation of an appropriate communication channel, we provided the full disclosure details on May 24, 2021. A patch was quickly released on May 28, 2021 in version 2.6.0.
We highly recommend updating to the latest patched version available, 2.6.0, immediately.
---------------------------------------------
https://www.wordfence.com/blog/2021/06/high-severity-vulnerability-patched-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (apache, gitlab, inetutils, isync, kube-apiserver, nettle, polkit, python-urllib3, python-websockets, thunderbird, and wireshark-cli), Debian (squid3), Fedora (glibc, libxml2, mingw-openjpeg2, and openjpeg2), Mageia (djvulibre, docker-containerd, exif, gnuchess, irssi, jasper, kernel, kernel-linus, microcode, python-lxml, python-pygments, rust, slurm, and wpa_supplicant, hostapd), openSUSE (389-ds and pam_radius), Oracle (.NET Core 3.1, container-tools:3.0, container-tools:ol8, krb5, microcode_ctl, postgresql:12, postgresql:13, and runc), Red Hat (dhcp, postgresql, postgresql:10, postgresql:12, postgresql:9.6, rh-postgresql10-postgresql, rh-postgresql12-postgresql, and rh-postgresql13-postgresql), Scientific Linux (dhcp and microcode_ctl), SUSE (ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone, crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store, freeradius-server, libjpeg-turbo, spice, and squid), and Ubuntu (rpcbind).
---------------------------------------------
https://lwn.net/Articles/859669/
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential caching vulnerability (CVE-2020-5003) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-financi…
∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-23337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a…
∗∗∗ Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-13947) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ CISA Releases Advisory on ZOLL Defibrillator Dashboard ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/14/cisa-releases-adv…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 10-06-2021 18:00 − Friday 11-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Keeping an Eye on Dangerous Python Modules, (Fri, Jun 11th) ∗∗∗
---------------------------------------------
With Python getting more and more popular, especially on Microsoft Operating systems, it's common to find malicious Python scripts today.
---------------------------------------------
https://isc.sans.edu/diary/rss/27514
∗∗∗ SQL Injection: Targeted measures instead of block lists ∗∗∗
---------------------------------------------
SQL injection still plays a leading role among web vulnerabilities, yet defending against it is not hard at all.
---------------------------------------------
https://heise.de/-6067640
∗∗∗ Why hackers don’t fly coach ∗∗∗
---------------------------------------------
Physical security is relied on too heavily for cabin-based systems on the Airline Information Services Domain (AISD).
---------------------------------------------
https://www.pentestpartners.com/security-blog/why-hackers-dont-fly-coach/
∗∗∗ Unauthorized access to your PayPal account? Ignore this e-mail! ∗∗∗
---------------------------------------------
Criminals are currently sending a phishing e-mail in the name of PayPal. Supposedly there have been unusual activities on your PayPal account, so you would have to log in and confirm your identity. Do not comply with these demands. Criminals are trying to gain access to your PayPal account.
---------------------------------------------
https://www.watchlist-internet.at/news/unbefugter-zugriff-auf-ihr-paypal-ko…
∗∗∗ Proxy Windows Tooling via SOCKS ∗∗∗
---------------------------------------------
Leveraging SOCKS to proxy tools from a Windows attacker machine through a compromised host is a topic that contains some nuance and room for confusion.
---------------------------------------------
https://posts.specterops.io/proxy-windows-tooling-via-socks-c1af66daeef3
∗∗∗ BackdoorDiplomacy: Upgrading from Quarian to Turian ∗∗∗
---------------------------------------------
ESET researchers discover a new campaign that evolved from the Quarian backdoor.
---------------------------------------------
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quari…
∗∗∗ Breaking SSL Locks: App Developers Behaving Badly ∗∗∗
---------------------------------------------
Symantec analyzed five years’ worth of Android and iOS apps to see how many are sending data securely.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mo…
∗∗∗ Authorities seize SlilPP, a marketplace for stolen login credentials ∗∗∗
---------------------------------------------
The US Department of Justice announced today it seized the servers and domains of SlilPP, a well-known online marketplace where criminal groups assembled to trade stolen login credentials.
---------------------------------------------
https://therecord.media/authorities-seize-slilpp-a-marketplace-for-stolen-l…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hackers can exploit bugs in Samsung pre-installed apps to spy on users ∗∗∗
---------------------------------------------
Samsung is working on patching multiple vulnerabilities affecting its mobile devices that could be used for spying or to take full control of the system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-can-exploit-bugs-in-…
∗∗∗ Qnap secures switches and network storage against unauthorized access ∗∗∗
---------------------------------------------
Important security updates are available for various Qnap network devices.
---------------------------------------------
https://heise.de/-6068667
∗∗∗ Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug (GitHub blog) ∗∗∗
---------------------------------------------
On the GitHub blog, Kevin Backhouse writes about a privilege escalation vulnerability in polkit, which enables an unprivileged local user to get a root shell on the system. CVE-2021-3560 is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request.
---------------------------------------------
https://lwn.net/Articles/859064/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libwebp), Fedora (firefox, lasso, mod_auth_openidc, nginx, redis, and squid), Oracle (.NET 5.0, container-tools:2.0, dhcp, gupnp, hivex, kernel, krb5, libwebp, nginx:1.16, postgresql:10, and postgresql:9.6), SUSE (containerd, docker, runc, csync2, and salt), and Ubuntu (libimage-exiftool-perl, libwebp, and rpcbind).
---------------------------------------------
https://lwn.net/Articles/859192/
∗∗∗ WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN70566757/
∗∗∗ Sonicwall SRA 4600 Targeted By an Old Vulnerability, (Fri, Jun 11th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/27518
∗∗∗ ZDI-21-682: (0Day) D-Link DAP-1330 HNAP Cookie Header Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-682/
∗∗∗ ZDI-21-681: (0Day) D-Link DAP-1330 lighttpd http_parse_request Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-681/
∗∗∗ ZDI-21-680: (0Day) D-Link DAP-1330 lighttpd get_soap_action Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-680/
∗∗∗ ZDI-21-679: (0Day) D-Link DAP-1330 HNAP checkValidRequest Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-679/
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability (CVE-2021-29754) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects TPF Toolkit ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to cacheable SSL Pages (CVE-2021-20396) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy…
∗∗∗ Red Hat OpenShift: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0652
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 09-06-2021 18:00 − Thursday 10-06-2021 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Cloud Atlas Navigates Us Into New Waters ∗∗∗
---------------------------------------------
Learn how to interpret nameserver activity to enumerate infrastructure in the context of a recent Cloud Atlas example investigated by Senior Security Researcher, Chad Anderson.
---------------------------------------------
https://www.domaintools.com/resources/blog/cloud-atlas-navigates-us-into-ne…
∗∗∗ BloodHound – Sniffing Out the Path Through Windows Domains ∗∗∗
---------------------------------------------
BloodHound is a tool allowing for the analysis of AD rights and relations, focusing on the ones that an attacker may abuse.
---------------------------------------------
https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-doma…
∗∗∗ Quarterly Report: Incident Response trends from Spring 2021 ∗∗∗
---------------------------------------------
While the security community made a great effort to warn users of the exploitation of several Microsoft Exchange Server zero-day vulnerabilities, it was still the biggest threat Cisco Talos Incident Response (CTIR) saw this past quarter.
---------------------------------------------
https://blog.talosintelligence.com/2021/06/quarterly-report-incident-respon…
∗∗∗ CISA Addresses the Rise in Ransomware Targeting Operational Technology Assets ∗∗∗
---------------------------------------------
CISA has published the Rising Ransomware Threat to OT Assets fact sheet in response to the recent increase in ransomware attacks targeting operational technology (OT) assets and control systems.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/09/cisa-addresses-ri…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Attacks on Google's Chrome web browser could be imminent ∗∗∗
---------------------------------------------
A version of the Chrome web browser hardened against several attacks has been released.
---------------------------------------------
https://heise.de/-6067353
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (htmldoc, lasso, and rails), Fedora (exiv2, firefox, and microcode_ctl), openSUSE (python-HyperKitty), Oracle (389-ds-base, qemu-kvm, qt5-qtimageformats, and samba), Red Hat (container-tools:3.0, container-tools:rhel8, postgresql:12, and postgresql:13), Scientific Linux (389-ds-base, hivex, libwebp, qemu-kvm, qt5-qtimageformats, samba, and thunderbird), SUSE (caribou, djvulibre, firefox, gstreamer-plugins-bad, kernel, libopenmpt, libxml2,
---------------------------------------------
https://lwn.net/Articles/859008/
∗∗∗ ZOLL Defibrillator Dashboard ∗∗∗
---------------------------------------------
This advisory contains mitigations for Unrestricted Upload of File with Dangerous Type, Use of Hard-coded Cryptographic Key, Cleartext Storage of Sensitive Information, Cross-site Scripting, Storing Passwords in a Recoverable Format, and Improper Privilege Management vulnerabilities in the ZOLL Defibrillator Dashboard software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-161-01
∗∗∗ Rockwell Automation FactoryTalk Services Platform ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Protection Mechanism Failure vulnerability in Rockwell Automation's FactoryTalk Services Platform software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-161-01
∗∗∗ AGG Software Web Server Plugin ∗∗∗
---------------------------------------------
This advisory contains mitigations for Path Traversal and Cross-site Scripting vulnerabilities in AGG Software's Web Server Plugin.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-161-02
∗∗∗ Security Advisory - Resource Management Error Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210609-…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-2773) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Eclipse Jetty (CVE-2021-28163, CVE-2021-28164, CVE-2021-28165) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2020-5024, CVE-2020-5025, CVE-2020-4976) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db…
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX316324
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-06-2021 18:00 − Wednesday 09-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Intel fixes 73 vulnerabilities in June 2021 Platform Update ∗∗∗
---------------------------------------------
Intel has addressed 73 security vulnerabilities as part of the June 2021 Patch Tuesday, including high severity ones impacting some versions of Intel's Security Library and the BIOS firmware for Intel processors. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/intel-fixes-73-vulnerabiliti…
∗∗∗ PuzzleMaker attacks with Chrome zero-day exploit chain ∗∗∗
---------------------------------------------
We detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.
---------------------------------------------
https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/
∗∗∗ ALPACA attack: Attackers could attack TLS-secured connections ∗∗∗
---------------------------------------------
Security researchers demonstrate theoretical attacks on TLS connections. Attackers could, for example, hijack sessions.
---------------------------------------------
https://heise.de/-6066915
∗∗∗ Nameless Malware Discovered by NordLocker is Now in Have I Been Pwned ∗∗∗
---------------------------------------------
[...] they're sitting on a bunch of compromised personal info, now what? As with the two law enforcement agencies, NordLocker's goal is to inform impacted parties which is where HIBP comes in so as of now, all 1,121,484 compromised email addresses are searchable.
---------------------------------------------
https://www.troyhunt.com/nameless-malware-discovered-by-nordlocker-is-now-i…
∗∗∗ Cisco Smart Install Protocol Still Abused in Attacks, 5 Years After First Warning ∗∗∗
---------------------------------------------
Cisco’s Smart Install protocol is still being abused in attacks — five years after the networking giant issued its first warning — and there are still roughly 18,000 internet-exposed devices that could be targeted by hackers.
---------------------------------------------
https://www.securityweek.com/cisco-smart-install-protocol-still-abused-atta…
∗∗∗ Classified ad fraud: Potential buyers want to process payment via DHL ∗∗∗
---------------------------------------------
Criminals on classified ad platforms such as willhaben, shpock and the like are currently increasingly using the DHL trick to steal money from sellers. The criminals pose as buyers and propose handling the payment via DHL. They claim that DHL now manages payments in order to provide buyers and sellers with a secure transaction. In reality, the criminals are behind the DHL messages and are trying to get at your money this way.
---------------------------------------------
https://www.watchlist-internet.at/news/kleinanzeigen-betrug-potenzielle-kae…
∗∗∗ The Sysrv-hello Cryptojacking Botnet: Here’s What’s New ∗∗∗
---------------------------------------------
The Sysrv-hello botnet is deployed on both Windows and Linux systems by exploiting multiple vulnerabilities and deployed via shell scripts. Like many of the threat actor tools we've covered, it continuously evolves to fit the needs of its operators and stay ahead of security researchers and law enforcement. Over time, there have been several slight changes in the shell scripts that install the Sysrv-hello implant on machines.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptoja…
=====================
= Vulnerabilities =
=====================
∗∗∗ Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform ∗∗∗
---------------------------------------------
As part of the June 2021 Patch Day, SAP SE published Security Note 3007182, which addresses a serious design flaw,…
---------------------------------------------
https://sec-consult.com/de/blog/detail/unsachgemaesse-authentifizierung-in-…
∗∗∗ Updates available: Vulnerabilities in message brokers RabbitMQ, EMQ X and VerneMQ ∗∗∗
---------------------------------------------
The message brokers are susceptible to denial-of-service attacks via the IoT protocol MQTT. Current patches are available; you should apply them quickly.
---------------------------------------------
https://heise.de/-6065996
∗∗∗ XSA-375 - Speculative Code Store Bypass ∗∗∗
---------------------------------------------
Impact: An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
Resolution: Applying the appropriate attached patch resolves this issue.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-375.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (eterm, mrxvt, and rxvt), Mageia (cgal, curl, exiv2, polkit, squid, thunderbird, and upx), openSUSE (firefox and libX11), Oracle (libwebp, nginx:1.18, and thunderbird), Red Hat (.NET 5.0, .NET Core 3.1, 389-ds-base, dhcp, gupnp, hivex, kernel, kernel-rt, libldb, libwebp, microcode_ctl, nettle, postgresql:10, postgresql:9.6, qemu-kvm, qt5-qtimageformats, rh-dotnet50-dotnet, and samba), SUSE (apache2-mod_auth_openidc, firefox, gstreamer-plugins-bad, kernel, libX11, pam_radius, qemu, runc, spice, and spice-gtk), and Ubuntu (intel-microcode and rpcbind).
---------------------------------------------
https://lwn.net/Articles/858832/
∗∗∗ Dell PowerEdge: Multiple vulnerabilities ∗∗∗
---------------------------------------------
DSA-2021-078: Dell PowerEdge Server Security Advisory for a Trusted Platform Module (TPM) 1.2 Firmware Vulnerability
DSA-2021-103: Dell PowerEdge Server Security Update for BIOS Vulnerabilities
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0628
∗∗∗ Xen: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in Xen to disclose information, escalate privileges, or cause a denial-of-service condition.
* XSA-377: x86: TSX Async Abort protections not restored after S3
* XSA-374: Guest triggered use-after-free in Linux xen-netback
* XSA-373: inappropriate x86 IOMMU timeout detection / handling
* XSA-372: xen/arm: Boot modules are not scrubbed
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0627
∗∗∗ Multiple vulnerabilities in Bosch IP cameras ∗∗∗
---------------------------------------------
BOSCH-SA-478243-BT: Multiple vulnerabilities for Bosch IP cameras have been discovered in a penetration test by Kaspersky ICS CERT during a certification effort from Bosch. Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer's environment. Customers are strongly advised to upgrade to the fixed versions.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates.
* APSB21-36 Security update available for Adobe Connect
* APSB21-37 Security update available for Adobe Acrobat and Reader
* APSB21-38 Security update available for Adobe Photoshop
* APSB21-39 Security update available for Adobe Experience Manager
* APSB21-41 Security update available for Adobe Creative Cloud Desktop Application
* APSB21-44 Security update available for Adobe RoboHelp Server
* APSB21-46 Security update available for Adobe Photoshop Elements
* APSB21-47 Security update available for Adobe Premiere Elements
* APSB21-49 Security update available for Adobe After Effects
* APSB21-50 Security update available for Adobe Animate
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/08/adobe-releases-se…
∗∗∗ Security Bulletin: IBM Event Streams is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe…
∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) stores keystore passwords in plain after a manual edit, which can be read by a local user. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-…
∗∗∗ Nettle cryptography library vulnerability CVE-2021-20305 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K33101555?utm_source=f5support&utm_mediu…
∗∗∗ Linux kernel vulnerability CVE-2019-11811 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01512680?utm_source=f5support&utm_mediu…
∗∗∗ Johnson Controls Metasys ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01
∗∗∗ Open Design Alliance Drawings SDK ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-02
∗∗∗ AVEVA InTouch ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-03
∗∗∗ Schneider Electric IGSS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-04
∗∗∗ Schneider Electric Modicon X80 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-05
∗∗∗ Thales Sentinel LDK Run-Time Environment ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-06
=====================
= End-of-Day report =
=====================
Timeframe: Monday 07-06-2021 18:00 − Tuesday 08-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft Office MSGraph vulnerability could lead to code execution ∗∗∗
---------------------------------------------
Microsoft today will release a patch for a vulnerability affecting the Microsoft Office MSGraph component, responsible for displaying graphics and charts, that could be exploited to execute code on a target machine.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-office-msgraph-vul…
∗∗∗ Picture this: Malware Hides in Steam Profile Images ∗∗∗
---------------------------------------------
SteamHide abuses the gaming platform Steam to serve payloads for malware downloaders. Malware operators can also update already infected machines by adding new profile images to Steam. The developers seem to have a few more ambitious goals.
---------------------------------------------
https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images
∗∗∗ FragAttacks vulnerability: FritzOS updates for old Fritzboxes ∗∗∗
---------------------------------------------
The mid-range router Fritzbox 3490 from 2014 is receiving the current FritzOS 7.27. Further older models could follow.
---------------------------------------------
https://heise.de/-6065367
∗∗∗ Android Patch Day: Critical system and Qualcomm vulnerabilities closed ∗∗∗
---------------------------------------------
Attackers could attack Android devices and, among other things, leak information or even execute malicious code.
---------------------------------------------
https://heise.de/-6064923
∗∗∗ Organizations Warned About DoS Flaws in Popular Open Source Message Brokers ∗∗∗
---------------------------------------------
Organizations have been warned about denial of service (DoS) vulnerabilities found in RabbitMQ, EMQ X and VerneMQ, three widely used open source message brokers.
---------------------------------------------
https://www.securityweek.com/organizations-warned-about-dos-flaws-popular-o…
∗∗∗ Beware of advertising from dubious online shops! ∗∗∗
---------------------------------------------
Whether Facebook, Instagram, TikTok or Google: all of these platforms are attractive channels for companies to place their advertising. This applies not only to reputable companies, however, but also to dubious ones. Readers of Watchlist Internet repeatedly report that they came across a problematic online shop through advertisements. A recent study by the Arbeiterkammer Wien in cooperation with Watchlist Internet [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-werbung-unserioeser-onl…
∗∗∗ TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint ∗∗∗
---------------------------------------------
We have identified indicators traditionally pointing to WatchDog operations being used by the TeamTNT cryptojacking group.
---------------------------------------------
https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operatio…
=====================
= Vulnerabilities =
=====================
∗∗∗ Wago: Updates fix dangerous vulnerabilities in industrial control systems ∗∗∗
---------------------------------------------
Since May, Wago has been gradually releasing important firmware updates against critical vulnerabilities in programmable logic controllers (PLCs) of the 750 series.
---------------------------------------------
https://heise.de/-6065199
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nginx), Fedora (musl), Mageia (dnsmasq, firefox, graphviz, libebml, libpano13, librsvg, libxml2, lz4, mpv, tar, and vlc), openSUSE (csync2, python-py, and snakeyaml), Oracle (qemu), Red Hat (container-tools:2.0, kernel, kpatch-patch, nettle, nginx:1.16, and rh-nginx116-nginx), Slackware (httpd and polkit), SUSE (389-ds, gstreamer-plugins-bad, shim, and snakeyaml), and Ubuntu (gnome-autoar and isc-dhcp).
---------------------------------------------
https://lwn.net/Articles/858644/
∗∗∗ SAP Patch Day June ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0616
∗∗∗ Citrix Cloud Connector Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX316690
∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX297155
∗∗∗ SSA-133038: Multiple Modfem File Parsing Vulnerabilities in Simcenter Femap ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-133038.txt
∗∗∗ SSA-200951: Multiple Vulnerabilities in Third-Party Component libcurl of TIM Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-200951.txt
∗∗∗ SSA-208356: DFT File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-208356.txt
∗∗∗ SSA-211752: Multiple NTP-Client Related Vulnerabilities in SIMATIC NET CP 443-1 OPC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-211752.txt
∗∗∗ SSA-419820: Denial-of-Service Vulnerability in TIM 1531 IRC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-419820.txt
∗∗∗ SSA-522654: Privilege Escalation Vulnerability in Mendix SAML Module ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-522654.txt
∗∗∗ SSA-645530: TIFF File Parsing Vulnerability in JT2Go and Teamcenter Visualization ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-645530.txt
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Privilege Escalation vulnerability (CVE-2020-4952) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Applications 4.3 nodejs and nodejs-express Appsody stacks is vulnerable to information disclosure, buffer overflow and prototype pollution exposures ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applica…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-06-2021 18:00 − Monday 07-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch now! Attackers are attacking VMware vCenter Server ∗∗∗
---------------------------------------------
Security researchers warn that attackers are targeting a critical vulnerability in vCenter Server.
---------------------------------------------
https://heise.de/-6063523
∗∗∗ Exploit for critical vulnerability in Rocket.Chat published ∗∗∗
---------------------------------------------
Anyone who has not yet fixed the critical vulnerability in Rocket.Chat that was closed in May should do so as soon as possible.
---------------------------------------------
https://heise.de/-6063795
∗∗∗ Malware family naming hell is our own fault ∗∗∗
---------------------------------------------
EternalPetya has more than 10 different names. Many do not realize that CryptoLocker is long dead. These are not isolated cases but symptoms of a systemic problem: The way we name malware does not work. Why does it happen and how can we solve it?
---------------------------------------------
https://www.gdatasoftware.com/blog/malware-family-naming-hell
∗∗∗ Gootkit: the cautious Trojan ∗∗∗
---------------------------------------------
Gootkit is complex multi-stage banking malware capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots and lots of other malicious actions. Its loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.
---------------------------------------------
https://securelist.com/gootkit-the-cautious-trojan/102731/
∗∗∗ OSX/Hydromac ∗∗∗
---------------------------------------------
In this guest blog post, the security researcher Taha Karim of ConfiantIntel, dives into a new macOS adware specimen: Hydromac.
---------------------------------------------
https://objective-see.com/blog/blog_0x65.html
∗∗∗ WordPress Redirect Hack via Test0.com/Default7.com ∗∗∗
---------------------------------------------
Malicious redirect is a type of hack where website visitors are automatically redirected to some third-party website: usually it's some malicious resource, scam site or a commercial site that buys traffic from cyber criminals (e.g. counterfeit drugs or replica merchandise). Types of Malicious Redirects: There are two major types of malicious redirects: server-side redirects and client-side redirects.
---------------------------------------------
https://blog.sucuri.net/2021/06/wordpress-redirect-hack-via-test0-com-defau…
∗∗∗ Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments ∗∗∗
---------------------------------------------
The main purpose of Siloscape is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.
---------------------------------------------
https://unit42.paloaltonetworks.com/siloscape/
∗∗∗ This phishing email is pushing password-stealing malware to Windows PCs ∗∗∗
---------------------------------------------
An old form of trojan malware has been updated with new abilities, warn cybersecurity researchers.
---------------------------------------------
https://www.zdnet.com/article/this-phishing-email-is-pushing-password-steal…
∗∗∗ Hacking space: How to pwn a satellite ∗∗∗
---------------------------------------------
Hacking an orbiting satellite is not light years away - here’s how things can go wrong in outer space
---------------------------------------------
https://www.welivesecurity.com/2021/06/07/hacking-space-how-pwn-satellite/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libwebp, python-django, ruby-nokogiri, and thunderbird), Fedora (dhcp, polkit, transfig, and wireshark), openSUSE (chromium, inn, kernel, redis, and umoci), Oracle (pki-core:10.6), Red Hat (libwebp, nginx:1.18, rh-nginx118-nginx, and thunderbird), SUSE (gstreamer-plugins-bad), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle).
---------------------------------------------
https://lwn.net/Articles/858561/
∗∗∗ Microsoft Edge: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0612
∗∗∗ Apache HTTP Server: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0611
∗∗∗ QNAP NAS: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0613
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: cURL libcurl vulnerabilities impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-curl-libcurl-vulnerabilit…
∗∗∗ Security Bulletin: OpenSSL vulnerabilities impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0 and earlier (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-im…
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect JRE in IBM DataPower Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Elastic Storage Server GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to a DoS attack ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul…
∗∗∗ Security Bulletin: OpenSSL vulnerability impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0, and earlier (CVE-2020-1971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-imp…
∗∗∗ Security Bulletin: IBM DataPower Gateway GUI permits use of GET ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-gui…
∗∗∗ Security Bulletin: WebSphere Application Server ND is vulnerable to Directory Traversal vulnerability (CVE-2021-20517) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 02-06-2021 18:00 − Friday 04-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Caution: World4You phishing email in circulation! ∗∗∗
---------------------------------------------
Criminals are currently sending a fake World4You phishing email to website operators. It claims that the recipient's registered domain is expiring and therefore has to be renewed. Do not comply with the payment demand, because the money and your credit card details go straight into the hands of criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-phishing-mail-von-world4you…
∗∗∗ Loopholes for malicious code in video conferencing software Cisco Webex closed ∗∗∗
---------------------------------------------
Cisco has released security updates for several products such as routers and Webex.
---------------------------------------------
https://heise.de/-6062229
∗∗∗ Email spoofing: how attackers impersonate legitimate senders ∗∗∗
---------------------------------------------
This article analyzes different ways of spoofing email addresses by changing the From header, which provides information about the sender's name and address.
---------------------------------------------
https://securelist.com/email-spoofing-types/102703/
∗∗∗ Exchange Servers Targeted by ‘Epsilon Red’ Malware ∗∗∗
---------------------------------------------
REvil threat actors may be behind a set of PowerShell scripts developed for encryption and weaponized to exploit vulnerabilities in corporate networks, the ransom note suggests.
---------------------------------------------
https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/
∗∗∗ How to hack into 5500 accounts… just using “credential stuffing” ∗∗∗
---------------------------------------------
Passwords - don't just pay them lip service.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/06/04/how-to-hack-into-5500-accounts-…
∗∗∗ Russian Dolls VBS Obfuscation, (Fri, Jun 4th) ∗∗∗
---------------------------------------------
We received an interesting sample from one of our readers (thanks Henry!) and we like this. If you find something interesting, we are always looking for fresh meat! Henry's sample was delivered in a password-protected ZIP archive and the file was a VBS script called "presentation_37142.vbs"
---------------------------------------------
https://isc.sans.edu/diary/rss/27494
∗∗∗ Build, Hack, and Defend Azure Identity ∗∗∗
---------------------------------------------
An Introduction to PurpleCloud Hybrid + Identity Cyber Range
---------------------------------------------
https://www.sans.org/blog/build-hack-defend-azure-identity?msc=rss
∗∗∗ Necro Python bot adds new exploits and Tezos mining to its bag of tricks ∗∗∗
---------------------------------------------
Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and improving its chances of [...]
---------------------------------------------
https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks…
∗∗∗ Organizations Warned: STUN Servers Increasingly Abused for DDoS Attacks ∗∗∗
---------------------------------------------
Application and network performance management company NETSCOUT warned organizations this week that STUN servers have been increasingly abused for distributed denial-of-service (DDoS) attacks, and there are tens of thousands of servers that could be abused for such attacks by malicious actors.
---------------------------------------------
https://www.securityweek.com/organizations-warned-stun-servers-increasingly…
∗∗∗ ESET Threat Report T1 2021 ∗∗∗
---------------------------------------------
A view of the T1 2021 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.
---------------------------------------------
https://www.welivesecurity.com/2021/06/03/eset-threat-report-t12021/
∗∗∗ WebLogic RCE Leads to XMRig ∗∗∗
---------------------------------------------
This report will review an intrusion where the threat actor took advantage of a WebLogic remote code execution vulnerability (CVE-2020-14882) to gain initial access to the system before installing [...]
---------------------------------------------
https://thedfirreport.com/2021/06/03/weblogic-rce-leads-to-xmrig/
∗∗∗ CISA Releases Best Practices for Mapping to MITRE ATT&CK® ∗∗∗
---------------------------------------------
As part of an effort to encourage a common language in threat actor analysis, CISA has released Best Practices for MITRE ATT&CK® Mapping. The guide shows analysts—through instructions and examples—how to map adversary behavior to the MITRE ATT&CK framework. CISA created this guide in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), a DHS-owned R&D center operated by MITRE, which [...]
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/02/cisa-releases-bes…
∗∗∗ FontPack: A dangerous update ∗∗∗
---------------------------------------------
Attribution secrets: Who is behind stealing credentials and bank card data by asking to install fake Flash Player, browser or font updates?
---------------------------------------------
https://blog.group-ib.com/fontpack
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has published advisories for 13 vulnerabilities. None of them is rated "Critical", five are rated "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, curl, dhclient, dhcp, firefox, keycloak, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, opera, packagekit, pam-u2f, postgresql, rabbitmq, redis, ruby-bundler, and zint), Debian (caribou, firefox-esr, imagemagick, and isc-dhcp), Fedora (mapserver, mingw-python-pillow, and python-pillow), openSUSE (chromium), Red Hat (firefox, glib2, pki-core:10.6, polkit, rh-ruby26-ruby, and rh-ruby27-ruby), SUSE [...]
---------------------------------------------
https://lwn.net/Articles/858144/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lasso), Fedora (mingw-djvulibre, mingw-exiv2, python-lxml, and singularity), openSUSE (ceph, dhcp, inn, nginx, opera, polkit, upx, and xstream), Oracle (firefox, perl, and polkit), Scientific Linux (firefox), SUSE (avahi, csync2, djvulibre, libwebp, polkit, python-py, slurm, slurm_18_08, thunderbird, and umoci), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, [...]
---------------------------------------------
https://lwn.net/Articles/858331/
∗∗∗ Advantech iView ∗∗∗
---------------------------------------------
This advisory contains mitigations for Missing Authentication for Critical Function, and SQL Injection vulnerabilities in Advantech iView IoT device management application.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-154-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security Advisory - Command Injection Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602…
∗∗∗ Security Advisory - Race Condition Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210602…
∗∗∗ Drupal: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0610
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 01-06-2021 18:00 − Wednesday 02-06-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Producing a trustworthy x86-based Linux appliance ∗∗∗
---------------------------------------------
Let's say you're building some form of appliance on top of general purpose x86 hardware. You want to be able to verify the software it's running hasn't been tampered with. What's the best approach with existing technology?
---------------------------------------------
https://mjg59.dreamwidth.org/57199.html
∗∗∗ Cobalt Strike, a penetration testing tool abused by criminals ∗∗∗
---------------------------------------------
Cobalt Strike is a pen-testing tool that often ends up in the hands of cybercriminals. Are we providing them with the tools to attack us?
...
If you were to compose a list of tools and software developed by security and privacy defenders that ended up being abused by the bad guys, then Cobalt Strike would unfortunately be near the top of the list. Maybe only Metasploit could give it a run for the first place ranking.
---------------------------------------------
https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-pe…
∗∗∗ Teenagers targeted by online scammers: 5 common tricks ∗∗∗
---------------------------------------------
From counterfeit designer products to tempting job offers, we present five common scam methods that criminals use to go after teenagers' money and data.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2021/06/01/jugendliche-im-visier-von…
∗∗∗ Website operators beware: TM Österreich is sending fraudulent mail! ∗∗∗
---------------------------------------------
Website operators are reporting a fraudulent e-mail from TM Österreich to us. It claims that someone wants to register your domain with a different ending. TM Österreich offers to register this additional domain for you in order to avoid problems such as lost revenue or reputational damage. Caution: TM Österreich is fake. Under no circumstances accept the offer!
---------------------------------------------
https://www.watchlist-internet.at/news/webseiten-betreiberinnen-aufgepasst-…
∗∗∗ Shodan Verified Vulns 2021-06-01 ∗∗∗
---------------------------------------------
As of 2021-06-01, our Shodan data showed the following picture of vulnerabilities in Austria: as expected, the number of vulnerable Microsoft Exchange servers (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) has continued to decline; according to our latest scans the number is now even below 100.
---------------------------------------------
https://cert.at/de/aktuelles/2021/6/shodan-verified-vulns-2021-06-01
=====================
= Vulnerabilities =
=====================
∗∗∗ Revisiting Realtek – A New Set of Critical Wi-Fi Vulnerabilities Discovered by Automated Zero-Day Analysis ∗∗∗
---------------------------------------------
On February 3rd we responsibly disclosed six critical issues in the Realtek RTL8195A Wi-Fi module...
Following that successful detection and disclosure, we expanded our analysis to additional modules. This new analysis resulted in two new critical vulnerabilities discovered by scanning the modules in Vdoo's product security platform, which contains a unique proprietary capability of detecting potential zero-days automatically. The new vulnerabilities were fixed by Realtek, following another responsible disclosure.
---------------------------------------------
https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day/
∗∗∗ Overview of F5 vulnerabilities (June 2021) ∗∗∗
---------------------------------------------
On June 1, 2021, F5 announced the following security issues.
High CVEs
* K08503505: BIG-IP Edge Client for Windows vulnerability CVE-2021-23022, CVSS score: 7.0 (High)
* K33757590: BIG-IP Edge Client for Windows vulnerability CVE-2021-23023, CVSS score: 7.0 (High)
Medium CVEs
* K06024431: BIG-IQ vulnerability CVE-2021-23024, CVSS score: 6.5 (Medium)
---------------------------------------------
https://support.f5.com/csp/article/K67501282
∗∗∗ Critical 0-day in Fancy Product Designer Under Active Attack ∗∗∗
---------------------------------------------
On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.
...
Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected.
---------------------------------------------
https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-desi…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (squid), Fedora (dhcp), openSUSE (gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly and slurm), Oracle (glib2 and kernel), Red Hat (kernel, kernel-rt, perl, and tcpdump), Scientific Linux (glib2), SUSE (bind, dhcp, lz4, and shim), and Ubuntu (dnsmasq, lasso, and python-django).
---------------------------------------------
https://lwn.net/Articles/857978/
∗∗∗ Synology DiskStation Manager: Vulnerability allows code execution ∗∗∗
---------------------------------------------
CVE-2021-29088
A local attacker can exploit a vulnerability in Synology DiskStation Manager to execute arbitrary code.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0596
∗∗∗ XSS vulnerability found in popular WYSIWYG website editor [Froala] ∗∗∗
---------------------------------------------
...the bug, tracked as CVE-2021-28114, impacts Froala version 3.2.6 and earlier. Froala is a lightweight What-You-See-Is-What-You-Get (WYSIWYG) HTML rich text editor for developers and content creators.
---------------------------------------------
https://www.zdnet.com/article/xss-vulnerability-found-in-popular-wysiwyg-we…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Apache CXF vulnerability identified in IBM Tivoli Application Dependency Discovery Manager (CVE-2021-22696) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Jazz Foundation and IBM Engineering products. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-11868, CVE-2020-13817) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to Server-side Request Forgery and affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache HttpComponents and HttpCommons affect embedded WebSphere Application Server, which affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection attack and affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea…
∗∗∗ Hillrom Medical Device Management ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-152-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily