Daily July 2021

daily@lists.cert.at

1 participants
22 discussions

Tageszusammenfassung - 02.07.2021
by Daily end-of-shift report 02 Jul '21

02 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-07-2021 18:00 − Freitag 02-07-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gelöschte Netz-Festplatten: Western Digital plant Hilfe bei Wiederherstellung ∗∗∗ --------------------------------------------- Die Daten angegriffener HDDs der WD-Baureihe My Book Live sollen sich wiederherstellen lassen. Western Digital will künftig entsprechende Dienste anbieten. --------------------------------------------- https://heise.de/-6127479 ∗∗∗ Scorecards 2.0: Sicherheitsrisiken in Open-Source-Software aufdecken ∗∗∗ --------------------------------------------- Das automatisierte Security-Tool Scorecards legt die Karten auf den Tisch - wie sicher ist Open-Source-Software? --------------------------------------------- https://heise.de/-6127588 ∗∗∗ Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527) ∗∗∗ --------------------------------------------- [Note: This blog post is expected to be updated as new micropatches are issued and new information becomes available.] June 2021 Windows Updates brought a fix for a vulnerability CVE-2021-1675 originally titled "Windows Print Spooler Local Code Execution Vulnerability". As usual, Microsofts advisory provided very little information about the vulnerability, and very few probably noticed that about two weeks later, the advisory was updated to [...] --------------------------------------------- https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html ∗∗∗ Babuk ransomware is back, uses new version on corporate networks ∗∗∗ --------------------------------------------- After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-use… ∗∗∗ Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software ∗∗∗ --------------------------------------------- In yet another instance of software supply chain attack, unidentified hackers breached the website of MonPass, one of Mongolias major certificate authorities, to backdoor its installer software with Cobalt Strike binaries. The trojanized client was available for download between February 8, 2021, and March 3, 2021, said Czech cybersecurity software company Avast in a report published Thursday. --------------------------------------------- https://thehackernews.com/2021/07/mongolian-certificate-authority-hacked.ht… ∗∗∗ New Mirai-Inspired Botnet Could Be Using Your KGUARD DVRs in Cyber Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers on Thursday revealed details about a new Mirai-inspired botnet called "mirai_ptea" that leverages an undisclosed vulnerability in digital video recorders (DVR) provided by KGUARD to propagate and carry out distributed denial-of-service (DDoS) attacks. Chinese security firm Netlab 360 pinned the first probe against the flaw on March 23, 2021, before it detected active [...] --------------------------------------------- https://thehackernews.com/2021/07/new-mirai-inspired-botnet-could-be.html ∗∗∗ 2020 Report: ICS Endpoints as Starting Points for Threats ∗∗∗ --------------------------------------------- The use of Industrial Control Systems (ICS) makes operations more efficient for various industries. These systems are powered by the interconnection between IT (information technology) and OT (operational technology), which help boost efficiency and speed. Unfortunately, this very interconnection also inadvertently makes ICS susceptible to cyberthreats. Securing these systems is vital, and one of its components that must be protected from threats are endpoints. --------------------------------------------- https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/2020-r… ∗∗∗ STIR/SHAKEN: Nordamerika signiert Rufnummern im Kampf gegen Spam ∗∗∗ --------------------------------------------- Nordamerikas Netzbetreiber signieren und verifizieren jetzt Telefonnummern nach dem STIR/SHAKEN-System. Das erschwert Anrufe mit gefälschten Anruferkennungen. --------------------------------------------- https://heise.de/-6127147 ∗∗∗ TrickBot and Zeus ∗∗∗ --------------------------------------------- TrickBot is an established and widespread multi-purpose trojan. Active since 2016 and modular in nature, it can accomplish a variety of goals ranging from credential theft to lateral movement. Many of the malware’s capabilities come as self-contained modules, which the malware is instructed to download from the C2. Initially, TrickBot’s main focus was bank fraud, but this later shifted toward corporate targetted ransomware attacks, eventually resulting in the [...] --------------------------------------------- https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/ ∗∗∗ Top 5 Scam Techniques: What You Need to Know ∗∗∗ --------------------------------------------- Scammers are increasingly resourceful when coming up with scam techniques. But they often rely on long-standing persuasion techniques for the scam to work. So, you may hear about a new scam that uses a novel narrative, but there is a good chance that the scam relies on proven scam techniques once the narrative is stripped [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/top-sca… ∗∗∗ Ransomware. In the air? ∗∗∗ --------------------------------------------- Introduction As an exercise, we were asked to look at the potential vectors for ransomware to affect flight despatch and operations. In most cases, flight systems simply weren’t significantly exposed, [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/ransomware-in-the-air/ ∗∗∗ Mysterious Node.js malware puzzles security researchers ∗∗∗ --------------------------------------------- Almost four months after it was first spotted in the wild, the infosec community is still scratching its head in regards to the purpose of a new malware strain named Lu0bot. --------------------------------------------- https://therecord.media/mysterious-node-js-malware-puzzles-security-researc… ∗∗∗ TrickBot: New attacks see the botnet deploy new banking module, new ransomware ∗∗∗ --------------------------------------------- Over the course of the past few weeks, new activity has been observed from TrickBot, one of todays largest malware botnets, with reports that its operators have helped create a new ransomware strain called Diavol and that the TrickBot gang is returning to its roots as a banking trojan with a new and updated banking module.The post TrickBot: New attacks see the botnet deploy new banking module, new ransomware appeared first on The Record by Recorded Future. --------------------------------------------- https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-bank… ∗∗∗ The Brothers Grim ∗∗∗ --------------------------------------------- The reversing tale of GrimAgent malware used by Ryuk --------------------------------------------- https://blog.group-ib.com/grimagent ===================== = Vulnerabilities = ===================== ∗∗∗ WAGO: Multiple Vulnerabilities in I/O-Check Service ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the WAGO I/O-Check Service were reported. By exploiting the described vulnerabilities, the attacker potentially is able to manipulate or disrupt the device. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-036 ∗∗∗ Update PowerShell versions 7.0 and 7.1 to protect against a vulnerability ∗∗∗ --------------------------------------------- If you manage yoiur Azure resources from PowerShell version 7.0 or 7.1, we’ve released new versions of PowerShell to address a .NET Core remote code execution vulnerability in versions 7.0 and 7.1. We recommend that you install the updated versions as soon as possible. Windows PowerShell 5.1 isn’t affected by this issue. --------------------------------------------- https://azure.microsoft.com/en-us/updates/update-powershell-versions-70-and… ∗∗∗ Jetzt handeln! Angreifer nutzen Drucker-Lücke PrintNightmare in Windows aus ∗∗∗ --------------------------------------------- Alle Windows-Systeme sind von der PrintNightmare-Schwachstelle bedroht. Derzeit finden Attacken statt. So geht der Workaround zur Absicherung. --------------------------------------------- https://heise.de/-6127265 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ansible and seamonkey), openSUSE (go1.15 and opera), Oracle (kernel and microcode_ctl), and Red Hat (go-toolset-1.15 and go-toolset-1.15-golang). --------------------------------------------- https://lwn.net/Articles/861679/ ∗∗∗ Johnson Controls Facility Explorer ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Privilege Management vulnerability in Johnson Controls Facility Explorer industrial Ethernet controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01 ∗∗∗ Sensormatic Electronics C-CURE 9000 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in Sensormatic Electronics C-CURE 9000 industrial software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02 ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read vulnerabilities in Delta Electronics DOPSoft software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-03 ∗∗∗ Mitsubishi Electric Air Conditioning System ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Incorrect Implementation of Authentication Algorithm vulnerability in Mitsubishi Electric air conditioning systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-04 ∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning Systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-05 ∗∗∗ All Bachmann M1 System Processor Modules ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the advisory titled ICSA-21-026-01P All Bachmann M1 System Processor Modules, posted to the HSIN ICS library on January 26, 2021. This advisory is now being released to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Use of Password Hash with Insufficient Computational Effort vulnerability in Bachmann M1 system processor modules. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01-0 ∗∗∗ Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-020 ∗∗∗ WEIDMUELLER: Multiple vulnerabilities in Industrial WLAN devices (UPDATE A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-026 ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0714 ∗∗∗ Red Hat Developer Tools: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0715 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2021
by Daily end-of-shift report 01 Jul '21

01 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-06-2021 18:00 − Donnerstag 01-07-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ "Drucker-Albtraum": Offene Sicherheitslücke erlaubt die Übernahme gesamter Windows-Netzwerke ∗∗∗ --------------------------------------------- Sicherheitsforscher veröffentlichen versehentlich passenden Schadcode, nun herrscht akuter Handlungsbedarf für Windows-Administratoren --------------------------------------------- https://www.derstandard.at/story/2000127868579/drucker-albtraum-offene-sich… ∗∗∗ Vorschussbetrug mit Krediten auf befinax.com ∗∗∗ --------------------------------------------- Auf der Suche nach Krediten, Hypotheken oder Versicherungen stoßen Sie womöglich auf befinax.com. Die Seite ist schön aufgebaut, verspricht schnelle Kreditvergaben und wirbt mit den Logos und Namen großer und bekannter Banken. Doch Vorsicht: Hier werden Sie betrogen! Vorab zu bezahlende Gebühren landen direkt in den Händen Krimineller und Kredit gibt es keinen. --------------------------------------------- https://www.watchlist-internet.at/news/vorschussbetrug-mit-krediten-auf-bef… ∗∗∗ The Most Prolific Ransomware Families: A Defenders Guide ∗∗∗ --------------------------------------------- In this article, DomainTools researchers provide a look at the three most prolific ransomware families and their toolsets. --------------------------------------------- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-fam… ∗∗∗ Linux: RPM prüft Signaturen nicht richtig ∗∗∗ --------------------------------------------- Eigentlich werden RPM-Pakte unter Linux signiert. Viele wichtige Teile der Signaturprüfung sind bisher aber gar nicht implementiert. --------------------------------------------- https://www.golem.de/news/linux-rpm-prueft-signaturen-nicht-richtig-2107-15… ∗∗∗ Another Exploit Hits WD My Book Live Owners ∗∗∗ --------------------------------------------- While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. Toms Hardware reports: Initially, after the news broke on Friday, it was thought a known exploit from 2018 was to blame, allowing attackers to gain root access to the devices. However, it now seems that a previously unknown exploit was [...] --------------------------------------------- https://hardware.slashdot.org/story/21/06/30/2319243/another-exploit-hits-w… ∗∗∗ We Infiltrated a Counterfeit Check Ring! Now What? ∗∗∗ --------------------------------------------- Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and youve shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be? Such is the curse of the fraud fighter known online by the handles “Brianna Ware” and [...] --------------------------------------------- https://krebsonsecurity.com/2021/06/we-infiltrated-a-counterfeit-check-ring… ∗∗∗ Becoming Elon Musk - the Danger of Artificial Intelligence ∗∗∗ --------------------------------------------- A Tel Aviv, Israel-based artificial intelligence (AI) firm, with a mission to build trust in AI and protect AI from cyber threats, privacy issues, and safety incidents, has developed the opposite: an attack against facial recognition systems that can fool the algorithm into misinterpreting the image. --------------------------------------------- https://www.securityweek.com/becoming-elon-musk-%E2%80%93-danger-artificial… ∗∗∗ CISA’s CSET Tool Sets Sights on Ransomware Threat ∗∗∗ --------------------------------------------- CISA has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate their cybersecurity practices on their networks. CSET—applicable to both information technology (IT) and industrial control system (ICS) networks—enables users to perform a comprehensive evaluation of their cybersecurity [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/cisas-cset-tool-s… ∗∗∗ Two years later, the NSABuffMiner botnet is still alive and kicking ∗∗∗ --------------------------------------------- A crypto-mining botnet named NSABuffMiner (or Indexsinas) is still active and infecting Windows systems using three leaked NSA exploits, security firm Guardicore said today. --------------------------------------------- https://therecord.media/two-years-later-the-nsabuffminer-botnet-is-still-al… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#383432: Microsoft Windows Print Spooler RpcAddPrinterDriverEx() function allows for RCE ∗∗∗ --------------------------------------------- The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. --------------------------------------------- https://kb.cert.org/vuls/id/383432 ∗∗∗ Sicherheitsupdate: Microsoft entdeckt kritische Lücke in Netgear-Router ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für den WLAN Router DGN2200v1 von Netgear. --------------------------------------------- https://heise.de/-6126662 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (htmldoc, ipmitool, and node-bl), Fedora (libgcrypt and libtpms), Mageia (dhcp, glibc, p7zip, sqlite3, systemd, and thunar), openSUSE (arpwatch, go1.15, and kernel), SUSE (curl, dbus-1, go1.15, and qemu), and Ubuntu (xorg-server). --------------------------------------------- https://lwn.net/Articles/861521/ ∗∗∗ EC-CUBE fails to restrict access permissions ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN57942445/ ∗∗∗ Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-022 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-022 ∗∗∗ Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-021 ∗∗∗ Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-020 ∗∗∗ Security Advisory - Path Traversal Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210630-… ∗∗∗ Security Notice – Statement About the Media Report on the Use of GEA-1 Weak Algorithm in Certain Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20210618-01-… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK April 2021 CPU plus affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Using XSS attack, an attacker may inject Javascript code by modifying input fields in Datacap Navigator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-using-xss-attack-an-attac… ∗∗∗ Security Bulletin: IBM MQ Appliance vulnerability in TLS (CVE-2020-4831) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-vulnerab… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: SQL injection from various input fields may affect Datacap Navigator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-from-variou… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily July 2021