Daily August 2021

daily@lists.cert.at

1 participants
22 discussions

Tageszusammenfassung - 31.08.2021
by Daily end-of-shift report 31 Aug '21

31 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 30-08-2021 18:00 − Dienstag 31-08-2021 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs ∗∗∗ --------------------------------------------- Cybercriminals are making strides towards attacks with malware that executes code from the graphics processing unit (GPU) of a compromised system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercriminal-sells-tool-to-… ∗∗∗ LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection ∗∗∗ --------------------------------------------- Researchers from Sophos discovered the emerging threat in July, which exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems. --------------------------------------------- https://threatpost.com/lockfile-ransomware-avoid-detection/169042/ ∗∗∗ Top 3 APIs Vulnerabilities: Why Apps are Owned by Cyberattackers ∗∗∗ --------------------------------------------- Jason Kent, hacker-in-residence at Cequence, talks about how cybercriminals target apps and how to thwart them. --------------------------------------------- https://threatpost.com/top-3-api-vulnerabilities-cyberattackers/169048/ ∗∗∗ BrakTooth: Impacts, Implications and Next Steps, (Tue, Aug 31st) ∗∗∗ --------------------------------------------- Today, the Automated Systems SEcuriTy (ASSET) Research Group from the Singapore University of Technology and Design (SUTD) revealed the BrakTooth family of vulnerabilities in commercial Bluetooth (BT) Classic stacks for various System-on-Chips (SoC). --------------------------------------------- https://isc.sans.edu/diary/rss/27802 ∗∗∗ Code Generated by GitHub Copilot Can Introduce Vulnerabilities: Researchers ∗∗∗ --------------------------------------------- A group of researchers has discovered that roughly 40% of the code produced by the GitHub Copilot language model is vulnerable. --------------------------------------------- https://www.securityweek.com/code-generated-github-copilot-can-introduce-vu… ∗∗∗ SWR-Verbrauchermagazin „Marktcheck“ warnt vor Fake-Shops auf Instagram ∗∗∗ --------------------------------------------- Betrügerische Online-Shops schalten im großen Stil auf Social-Media-Plattformen wie Instagram Werbeanzeigen. --------------------------------------------- https://www.watchlist-internet.at/news/swr-verbrauchermagazin-marktcheck-wa… ∗∗∗ DNS Rebinding Attack: How Malicious Websites Exploit Private Networks ∗∗∗ --------------------------------------------- DNS rebinding allows attackers to take advantage of web-based consoles to exploit internal networks by abusing the domain name system. --------------------------------------------- https://unit42.paloaltonetworks.com/dns-rebinding/ ∗∗∗ Cyberattackers are now quietly selling off their victims internet bandwidth ∗∗∗ --------------------------------------------- Proxyware is yet another way for criminals to generate revenue from their victims. --------------------------------------------- https://www.zdnet.com/article/cyberattackers-are-now-quietly-selling-off-th… ===================== = Vulnerabilities = ===================== ∗∗∗ NAS und Sicherheit: Qnap und Synology von OpenSSL-Lücke betroffen ∗∗∗ --------------------------------------------- Produkte beider NAS-Hersteller sind von einer bereits geschlossenen OpenSSL-Lücke betroffen. Sie arbeiten an einem Fix. --------------------------------------------- https://www.golem.de/news/nas-und-sicherheit-qnap-und-synology-von-openssl-… ∗∗∗ HPE Warns Sudo Bug Gives Attackers Root Privileges to Aruba Platform ∗∗∗ --------------------------------------------- HPE joins Apple in warning customers of a high-severity Sudo vulnerability. --------------------------------------------- https://threatpost.com/hpe-sudo-bug-aruba-platform/169038/ ∗∗∗ Kritische Rechte-Lücke in PostgreSQL-Modul geschlossen ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für das set_user-Extension-Modul der Open-Source-Datenbank PostgreSQL. --------------------------------------------- https://heise.de/-6177973 ∗∗∗ CPU-Sicherheitslücke: AMD Ryzen und Epyc per Seitenkanal verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher der TU Dresden beweisen, dass komplizierte Angriffe der Meltdown-Klasse grundsätzlich auch bei AMDs Ryzen-Prozessoren funktionieren. --------------------------------------------- https://heise.de/-6178386 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (libsndfile and libX11), Debian (ledgersmb, libssh, and postgresql-9.6), Fedora (squashfs-tools), openSUSE (389-ds, nodejs12, php7, spectre-meltdown-checker, and thunderbird), Oracle (kernel, libsndfile, and libX11), Red Hat (bind, cloud-init, edk2, glibc, hivex, kernel, kernel-rt, kpatch-patch, microcode_ctl, python3, and sssd), SUSE (bind, mysql-connector-java, nodejs12, sssd, and thunderbird), and Ubuntu (apr, squashfs-tools, thunderbird, [...] --------------------------------------------- https://lwn.net/Articles/867917/ ∗∗∗ Companies Release Security Advisories in Response to New OpenSSL Vulnerabilities ∗∗∗ --------------------------------------------- Updates announced by the OpenSSL Project on August 24 patched CVE-2021-3711, a high-severity buffer overflow related to SM2 decryption, and CVE-2021-3712, a medium-severity flaw that can be exploited for denial-of-service (DoS) attacks, and possibly for the disclosure of private memory contents. --------------------------------------------- https://www.securityweek.com/companies-release-security-advisories-response… ∗∗∗ Vulnerabilities Can Allow Hackers to Disarm Fortress Home Security Systems ∗∗∗ --------------------------------------------- Researchers at cybersecurity firm Rapid7 have identified a couple of vulnerabilities that they claim can be exploited by hackers to remotely disarm one of the home security systems offered by Fortress Security Store. --------------------------------------------- https://www.securityweek.com/vulnerabilities-can-allow-hackers-disarm-fortr… ∗∗∗ Crashing SIP Clients with a Single Slash ∗∗∗ --------------------------------------------- Claroty’s Team82 has disclosed a vulnerability in Belledonne Communications’ Linphone SIP Protocol Stack. --------------------------------------------- https://claroty.com/2021/08/31/blog-research-crashing-sip-clients-with-a-si… ∗∗∗ Synology-SA-21:25 DSM ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_25 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2021
by Daily end-of-shift report 30 Aug '21

30 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-08-2021 18:00 − Montag 30-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exchange Server: Authentifizierungs-Bypass mit ProxyToken ∗∗∗ --------------------------------------------- Im Juni 2021 hat Microsoft mit den kumulativen Updates eine Schwachstelle in seinen on-premises Exchange Servern beseitigt, über die Angreifer ohne Authentifizierung die Konfigurierung verändern konnten. So wäre es für einen nicht authentifizierten Angreifer möglich gewesen, die Konfiguration für Postfächer beliebiger Benutzer zu ändern. So hätten alle an ein E-Mail-Konto adressierten E-Mails kopiert und an ein vom Angreifer kontrolliertes Konto weitergeleitet werden können. --------------------------------------------- https://www.borncity.com/blog/2021/08/30/exchange-server-authentifizierungs… ∗∗∗ [SANS ISC] Cryptocurrency Clipboard Swapper Delivered With Love ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Cryptocurrency Clipboard Swapper Delivered With Love“: Be careful if you’re a user of cryptocurrencies. My goal is not to re-open a debate about them and their associated financial risks. No, I’m talking here about technical risk. --------------------------------------------- https://blog.rootshell.be/2021/08/30/sans-isc-cryptocurrency-clipboard-swap… ∗∗∗ Understanding Cobalt Strike Profiles ∗∗∗ --------------------------------------------- I really enjoy the process of red teaming especially when it comes to evading detection and lining up against a good blue team. Probably one of the most common commercially available Command and Control(C2) frameworks used today is Cobalt Strike(CS). So popular in fact it is classified on its own as a malware family by many defensive security products. Using CS in red team operations is common practice for a lot of companies offering red teaming to their clients and my milage is no different [...] --------------------------------------------- https://blog.zsec.uk/cobalt-strike-profiles/ ∗∗∗ Cobalt Strike, a Defender’s Guide ∗∗∗ --------------------------------------------- In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we [...] --------------------------------------------- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1052: Trend Micro Maximum Security Directory Junction Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1052/ ∗∗∗ ZDI-21-1051: NETGEAR Multiple Routers mini_httpd Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1051/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exiv2, grilo, gthumb, and redis), Fedora (krb5, nbdkit, and rubygem-addressable), Mageia (libass and opencontainers-runc), openSUSE (cacti, cacti-spine, go1.15, opera, qemu, and spectre-meltdown-checker), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, libsndfile, and libX11), SUSE (389-ds, qemu, and spectre-meltdown-checker), and Ubuntu (grilo). --------------------------------------------- https://lwn.net/Articles/867791/ ∗∗∗ Out-of-Bounds Read Vulnerability in OpenSSL ∗∗∗ --------------------------------------------- An out-of-bounds read vulnerability in OpenSSL has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-40 ∗∗∗ Out-of-Bounds Vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- Two out-of-bounds vulnerabilities in OpenSSL have been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-39 ∗∗∗ Security Bulletin: IBM API Connect V5 is impacted by a vulnerability in nginx. (CVE-2021-23017) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-is-imp… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0920 ∗∗∗ ZDI-21-1038: (0Day) Fuji Electric Tellus Lite V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1038/ ∗∗∗ ZDI-21-1037: (0Day) Fuji Electric Tellus Lite V9 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1037/ ∗∗∗ ZDI-21-1036: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1036/ ∗∗∗ ZDI-21-1035: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1035/ ∗∗∗ ZDI-21-1034: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1034/ ∗∗∗ ZDI-21-1033: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1033/ ∗∗∗ ZDI-21-1032: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1032/ ∗∗∗ ZDI-21-1031: (0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1031/ ∗∗∗ ZDI-21-1050: (0Day) Fuji Electric Tellus Lite V-Simulator V8 File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1050/ ∗∗∗ ZDI-21-1049: (0Day) Fuji Electric Tellus Lite V-Simulator V8 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1049/ ∗∗∗ ZDI-21-1048: (0Day) Fuji Electric Tellus Lite V-Simulator V8 File Parsing Uninitialized Pointer Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1048/ ∗∗∗ ZDI-21-1047: (0Day) Fuji Electric Tellus Lite V-Simulator V8 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1047/ ∗∗∗ ZDI-21-1046: (0Day) Fuji Electric Tellus Lite V-Simulator V8 File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1046/ ∗∗∗ ZDI-21-1045: (0Day) Fuji Electric Tellus Lite V9 File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1045/ ∗∗∗ ZDI-21-1044: (0Day) Fuji Electric Tellus Lite V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1044/ ∗∗∗ ZDI-21-1043: (0Day) Fuji Electric Tellus Lite V9 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1043/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.08.2021
by Daily end-of-shift report 27 Aug '21

27 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-08-2021 18:00 − Freitag 27-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cosmos DB: Tausende Azure-Nutzer von Sicherheitslücke betroffen ∗∗∗ --------------------------------------------- Angreifer hätten an die Schlüssel zu Cosmos-Datenbanken gelangen können. Viele große Firmen wie Coca-Cola setzen auf den Azure-Datenbankdienst. --------------------------------------------- https://www.golem.de/news/cosmos-db-tausende-azure-nutzer-von-sicherheitslu… ∗∗∗ Ragnarok Master-Decryptor-Schlüssel veröffentlicht ∗∗∗ --------------------------------------------- Opfer der Ragnarok-Ransomware, deren Daten bei einem Angriff verschlüsselt wurden, können wieder hoffen. Nachdem die Cyber-Kriminellen gerade ihren Betrieb eingestellt hat, wurde der Master-Decryptor-Schlüssel veröffentlicht. Damit sollten sich die verschlüsselten Dateien wiederherstellen lassen. --------------------------------------------- https://www.borncity.com/blog/2021/08/27/ragnarok-master-decryptor-schlssel… ∗∗∗ Widespread credential phishing campaign abuses open redirector links ∗∗∗ --------------------------------------------- Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links, which allow attackers to use a URL in a trusted domain and embed the eventual final malicious URL as a parameter. --------------------------------------------- https://www.microsoft.com/security/blog/2021/08/26/widespread-credential-ph… ∗∗∗ Big bad decryption bug in OpenSSL – but no cause for alarm ∗∗∗ --------------------------------------------- The buggy codes in there, alright. Fortunately, its hard to get OpenSSL to use it even if you want to, which mitigates the risk. --------------------------------------------- https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-opens… ∗∗∗ How Passwords Get Hacked ∗∗∗ --------------------------------------------- Can you think of an online service that doesn’t require a password? Everything on the internet requires a password. However, constantly creating and remembering new and ever more complex passwords is no small task. In fact, 66% of people polled admitted to using the same password more than once because of how hard it is to remember passwords that are considered strong. Taking steps to make passwords easier to remember can also make them easier for hackers to guess. --------------------------------------------- https://blog.sucuri.net/2021/08/how-passwords-get-hacked-2.html ∗∗∗ AWS ReadOnlyAccess: Not Even Once ∗∗∗ --------------------------------------------- You need to give your AWS role a set of permissions, but you still want to feel warm and safe on the inside. "Why not ReadOnlyAccess?" you ask. "I can just deny the permissions I don’t like" you proclaim. Let me show you how your faith in ReadOnly access will betray you and leave you with trust issues. --------------------------------------------- https://posts.specterops.io/aws-readonlyaccess-not-even-once-ffbceb9fc908 ∗∗∗ FBI Releases Indicators of Compromise Associated with Hive Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware attacks by Hive, a likely Ransomware-as-a-Service organization consisting of a number of actors using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/27/fbi-releases-indi… ∗∗∗ Academics bypass PINs for Mastercard and Maestro contactless payments ∗∗∗ --------------------------------------------- A team of scientists from a Swiss university has discovered a way to bypass PIN codes on contactless cards from Mastercard and Maestro. --------------------------------------------- https://therecord.media/academics-bypass-pins-for-mastercard-and-maestro-co… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Root-Kernel-Lücke bedroht IBMs Betriebssystem AIX ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit IBM AIX attackieren und sich Root-Rechte verschaffen. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-6176064 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (haproxy and libopenmpt), openSUSE (aws-cli, python-boto3, python-botocore,, dbus-1, and qemu), Oracle (rh-postgresql10-postgresql), Red Hat (compat-exiv2-023, compat-exiv2-026, exiv2, libsndfile, microcode_ctl, python27, rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and rh-python38), Scientific Linux (compat-exiv2-023 and compat-exiv2-026), SUSE (compat-openssl098), and Ubuntu (libssh, openssl, [...] --------------------------------------------- https://lwn.net/Articles/867636/ ∗∗∗ Johnson Controls Controlled Electronic Management Systems CEM Systems AC2000 ∗∗∗ --------------------------------------------- This advisory contains mitigation for an Improper Authorization vulnerability in Johnson Controls Controlled Electronic Management Systems CEM Systems AC2000, an enterprise access control and integrated security management system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-01 ∗∗∗ Annke Network Video Recorder ∗∗∗ --------------------------------------------- This advisory contains mitigation for a Stack-based Buffer Overflow vulnerability in the Annke N48PBB Network Video Recorder. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-02 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Password Hash with Insufficient Computational Effort, Incorrect Authorization, Unrestricted Upload of File with Dangerous Type, SQL Injection, and Cross-site Request Forgery vulnerabilities in the Delta Electronics DIAEnergie industrial energy management system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in Delta Electronics DOPSoft HMI editing software --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-04 ∗∗∗ SYSS-2021-035, SySS-2021-036, SySS-2021-037, SySS-2021-038, SySS-2021-039: Mehrere Schwachstellen im MIK.starlight-Server ∗∗∗ --------------------------------------------- Mehrere Funktionen im MIK.starlight-Server deserialisieren Daten auf unsichere Weise und erlauben einem Angreifer dadurch die Übernahme des Systems. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-035-syss-2021-036-syss-2021-037-… ∗∗∗ libssh: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0918 ∗∗∗ Authenticated RCE in BSCW Server ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authenticated-rce-in-… ∗∗∗ XML Tag Injection in BSCW Server ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/xml-tag-injection-in-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2021
by Daily end-of-shift report 26 Aug '21

26 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-08-2021 18:00 − Donnerstag 26-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Microsoft: ProxyShell bugs “might be exploited,” patch servers now! ∗∗∗ --------------------------------------------- Microsoft has finally published guidance today for the actively exploited ProxyShell vulnerabilities impacting multiple on-premises Microsoft Exchange versions. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-proxyshell-bugs-m… ∗∗∗ Valuable Datasets to Analyze Network Infrastructure | Part 3 ∗∗∗ --------------------------------------------- In the final installment of this series, learn about Passive DNS and how it works, explore valuable artifacts for investigations, and study our handy cheat sheet. --------------------------------------------- https://www.domaintools.com/resources/blog/valuable-datasets-to-analyze-net… ∗∗∗ Plug and Play: Adminrechte bekommt man auch mit Steelseries-Mäusen ∗∗∗ --------------------------------------------- Eine Maus einstecken und den dazugehörigen Installer für erweiterte Rechte ausnutzen: Das funktioniert bei Razer und auch bei Steelseries. --------------------------------------------- https://www.golem.de/news/plug-and-play-adminrechte-bekommt-man-auch-mit-st… ∗∗∗ Secure PLC Coding Practices ∗∗∗ --------------------------------------------- In the world of operational technology, programmable logic controllers (PLCs) control physical elements such as a municipal water supply system, the room temperature in offices or a chocolate bar packaging machine. --------------------------------------------- https://securityblog.switch.ch/2021/08/26/secure-plc-coding-practices/ ∗∗∗ Engineering Workstations Are Concerning Initial Access Vector in OT Attacks ∗∗∗ --------------------------------------------- Organizations that use industrial control systems (ICS) and other operational technology (OT) are increasingly concerned about cyber threats, and while they have taken steps to address risks, many don’t know if they have suffered a breach, according to a survey conducted by the SANS Institute on behalf of industrial cybersecurity firm Nozomi Networks. --------------------------------------------- https://www.securityweek.com/engineering-workstations-are-concerning-initia… ∗∗∗ Admin password re-use. Don’t do it ∗∗∗ --------------------------------------------- As a pentester, one of the most disappointing sights is see on a test is extensive local admin password reuse. I know others get excited as it means easy pwnage [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/admin-password-re-use-dont-do… ∗∗∗ Betrug mit angeblichen Nachrichten des Mobilfunkbetreibers ∗∗∗ --------------------------------------------- Erneut werden massenhaft betrügerische SMS ausgeschickt. Es soll sich um eine „Neue Nachricht des Mobilfunkbetreibers“ handeln. Für mehr Infos soll man einem Link folgen. Achtung: Der Link führt auf eine betrügerische Website mit Schadsoftware! Die Nachricht kommt nicht vom Netzbetreiber. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-angeblichen-nachrichten-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian: Kritische Sicherheitslücke in Confluence ∗∗∗ --------------------------------------------- Nutzer, die die Wiki-Software Confluence von Atlassian selbst hosten, sind zum Update aufgefordert --------------------------------------------- https://www.golem.de/news/atlassian-kritische-sicherheitsluecke-in-confluen… ∗∗∗ ZDI-21-1026: (0Day) D-Link DIR-2055 HNAP PrivateLogin Incorrect Implementation of Authentication Algorithm Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-2055 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1026/ ∗∗∗ ZDI-21-1025: (0Day) D-Link DIR-2055 HNAP Incorrect Comparison Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-2055 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1025/ ∗∗∗ Ethereum-Client Geth: Dringendes Update wegen schwerer Lücke ∗∗∗ --------------------------------------------- Eine schwerwiegende Lücke im verbreiteten Ethereum-Client Geth könnte damit betriebene Blockchain-Knoten lahmlegen. Eine gepatchte Version steht aber bereit. --------------------------------------------- https://heise.de/-6174832 ∗∗∗ Updates verfügbar: Cisco fixt unter anderem kritische Lücke in APIC & Cloud APIC ∗∗∗ --------------------------------------------- Für die Verwaltungskomponente von Ciscos Application Centric Infrastructure (ACI) und viele weitere Produkte stehen wichtige Aktualisierungen bereit. --------------------------------------------- https://heise.de/-6174789 ∗∗∗ Drupal: Updates sichern zwei Module gegen Angriffe ab ∗∗∗ --------------------------------------------- Die Module "Webform" und "Admin Toolbar" für das Content Management System Drupal waren unter bestimmten Voraussetzungen via Cross-Site-Scripting angreifbar. --------------------------------------------- https://heise.de/-6175086 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (community-mysql, containerd, dotnet3.1, dotnet5.0, perl-Encode, and tor), Mageia (gpsd), openSUSE (cacti, cacti-spine, go1.16, jetty-minimal, libmspack, mariadb, openexr, and tor), SUSE (aspell, jetty-minimal, libesmtp, mariadb, and unrar), and Ubuntu (firefox and mongodb). --------------------------------------------- https://lwn.net/Articles/867492/ ∗∗∗ Synology-SA-21:24 OpenSSL ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack or execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_24 ∗∗∗ Kaseya Unitrends update ∗∗∗ --------------------------------------------- Mid July 2021 we opened case DIVD-2021-00014 tracking multiple vulnerabilities in Kaseya Unitrends. These vulnerabilities consited of: An authenticated remote code execution vulnerability on the server, a privilege escaltion vulnerability from read-only user to admin on the server and a (yet) undisclosed vulnerability on the client [...] --------------------------------------------- https://csirt.divd.nl/2021/08/26/Kaseya-Unitrends-update/ ∗∗∗ Teamviewer: August Updates - Security Patches ∗∗∗ --------------------------------------------- https://community.teamviewer.com/English/discussion/117794/august-updates-s… ∗∗∗ Security Bulletin: CVE-2020-2773 (deferred from Oracle Apr 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2773-deferred-fr… ∗∗∗ VMSA-2021-0019 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0019.html ∗∗∗ PHOENIX CONTACT : Security Advisory for FL SWITCH SMCS series (UPDATE A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-023 ∗∗∗ HP OfficeJet: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0909 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.08.2021
by Daily end-of-shift report 25 Aug '21

25 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-08-2021 18:00 − Mittwoch 25-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Medizin: Sicherheitslücken in Infusionspumpen entdeckt ∗∗∗ --------------------------------------------- Medizinische Infusionspumpen versorgen Patienten mit Medikamenten. Können Angreifer unbemerkt die Dosis manipulieren, kann das schwere Folgen haben. --------------------------------------------- https://www.golem.de/news/medizin-sicherheitsluecken-in-infusionspumpen-ent… ∗∗∗ Sicherheitsupdates: Netzwerk-Equipment von F5 für Attacken anfällig ∗∗∗ --------------------------------------------- F5 hat mehrere gefährliche Sicherheitslücken in verschiedenen BIG-IP Appliances geschlossen. --------------------------------------------- https://heise.de/-6174378 ∗∗∗ Gefahr durch alte Schwachstellen ∗∗∗ --------------------------------------------- Trend Micro fordert Unternehmen dazu auf, sich bei ihren Patching-Maßnahmen auf die Schwachstellen zu fokussieren, von denen das größte Risiko für ihr Unternehmen ausgeht - auch wenn diese schon mehrere Jahre alt sind. Rund ein Viertel der im cyberkriminellen Untergrund gehandelten Exploits sind über drei Jahre alt. --------------------------------------------- https://www.zdnet.de/88396365/gefahr-durch-alte-schwachstellen/ ∗∗∗ Vorsicht vor angeblicher Ärztin aus Afghanistan, die Ihre Wohnung kaufen will! ∗∗∗ --------------------------------------------- Haben Sie derzeit eine Immobilie im Internet inseriert? Dann sollten Sie sich einer vermeintlichen Interessentin aus Afghanistan in Acht nehmen. Eine angebliche Ärztin schreibt derzeit willkürlich Menschen an, die eine Wohnung inseriert haben und gibt vor nach Europa ziehen zu wollen. Als Grund gibt sie an, dass sie unter den Taliban nicht als Ärztin arbeiten kann. Achtung Betrug! Hier nutzen Kriminelle die Not der Bevölkerung in Afghanistan aus. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-angeblicher-aerztin-aus… ∗∗∗ Ransomware gangs script shows exactly the files theyre after ∗∗∗ --------------------------------------------- A PowerShell script used by the Pysa ransomware operation gives us a sneak peek at the types of data they attempt to steal during a cyberattack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-show… ∗∗∗ FIN8 cybercrime gang backdoors US orgs with new Sardonic malware ∗∗∗ --------------------------------------------- A financially motivated cybercrime gang has breached and backdoored the network of a US financial organization with a new malware known dubbed Sardonic by Bitdefender researchers who first spotted it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fin8-cybercrime-gang-backdoo… ∗∗∗ There may be (many) more SPF records than we might expect, (Wed, Aug 25th) ∗∗∗ --------------------------------------------- The Sender Policy Framework (SPF[1]) is a simple but fairly powerful mechanism that may be used (ideally in connection with DKIM[2] and DMARC[3]) to combat phishing to some degree. Basically, it allows a domain name owner to publish a special DNS TXT record containing a list of servers that are authorized to send e-mails for that domain. --------------------------------------------- https://isc.sans.edu/diary/rss/27786 ∗∗∗ 7 Ways to Secure Magento 1 ∗∗∗ --------------------------------------------- While unpatched installations of Magento 2 contain many vulnerabilities, I’m going to focus my attention on Magento 1 for this article. This is because Magento 2 provides regularly updated patches for many of the most common vulnerabilities targeting the platform. While Magento 1 also contains patches for many known vulnerabilities, those patches are not currently maintained. Magento 1 reached its end-of-support on June 30, 2020. --------------------------------------------- https://blog.sucuri.net/2021/08/securing-magento-1.html ∗∗∗ RiskIQ Analysis Links EITest and Gootloader Campaigns, Once Thought to Be Disparate ∗∗∗ --------------------------------------------- As RiskIQ tracks malware families to identify infrastructure patterns and common threads between threat campaigns via our Internet Intelligence Graph, we often surface strong links between seemingly disparate threat campaigns. In the case of EITest and GootLoader, these campaigns may have turned out to be one and the same. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/eitest-gootloader/ ∗∗∗ The SideWalk may be as dangerous as the CROSSWALK ∗∗∗ --------------------------------------------- Meet SparklingGoblin, a member of the Winnti family --------------------------------------------- https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-c… ∗∗∗ CISA Releases Five Pulse Secure-Related MARs ∗∗∗ --------------------------------------------- As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed five malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following five malware analysis reports (MARs) for threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and review CISA’s Alert, Exploitation of Pulse Connect Secure Vulnerabilities, for more information. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/24/cisa-releases-fiv… ∗∗∗ North Korean BLUELIGHT Special: InkySquid Deploys RokRAT ∗∗∗ --------------------------------------------- In a recent blog post, Volexity disclosed details on a portion of the operations by a North Korean threat actor it tracks as InkySquid. This threat actor compromised a news portal to use recently patched browser exploits to deliver a custom malware family known as BLUELIGHT. This follow-up post describes findings from a recent investigation undertaken by Volexity in which the BLUELIGHT malware was discovered being delivered to a victim alongside RokRAT (aka DOGCALL). --------------------------------------------- https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-ink… ===================== = Vulnerabilities = ===================== ∗∗∗ BlackBerry QNX-2021-001 Vulnerability Affecting Cisco Products: August 2021 ∗∗∗ --------------------------------------------- On August 17, 2021, BlackBerry released a security advisory, QNX-2021-001, that disclosed an integer overflow vulnerability in the following BlackBerry software releases: - QNX Software Development Platform (SDP) - 6.5.0SP1 and earlier - QNX OS for Medical - 1.1 and earlier - QNX OS for Safety - 1.0.1 and earlier A successful exploit could allow an attacker to execute arbitrary code or cause a denial of service (DoS). --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Python Parser Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Update from August 25, 2021: Cisco found that this vulnerability was present in additional releases of Cisco NX-OS Software with the introduction of Python 3 support. For more information, see the Fixed Software section of this advisory. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2021-0018 ∗∗∗ --------------------------------------------- VMware vRealize Operations updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0018.html ∗∗∗ Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce ∗∗∗ --------------------------------------------- On July 30, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the [...] --------------------------------------------- https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulne… ∗∗∗ Nested Pages Patches Post Deletion Vulnerability ∗∗∗ --------------------------------------------- On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering. These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished [...] --------------------------------------------- https://www.wordfence.com/blog/2021/08/nested-pages-patches-post-deletion-v… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl), openSUSE (libspf2, openssl-1_0_0, and openssl-1_1), Oracle (libsndfile), SUSE (nodejs10, nodejs12, openssl, openssl-1_0_0, openssl-1_1, and openssl1), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/867354/ ∗∗∗ Hitachi ABB Power Grids TropOS ∗∗∗ --------------------------------------------- This advisory contains mitigations for Injection, Inadequate Encryption Strength, Missing Authentication for Critical Function, Improper Authentication, Improper Validation of Integrity Check Value, and Improper Input Validation vulnerabilities in Hitachi ABB Power Grids TropOS firmware. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-236-01 ∗∗∗ Hitachi ABB Power Grids Utility Retail Operations and CSB Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Retail Operations and Counterparty Settlement Billing (CSB) utility usage and billing software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-236-02 ∗∗∗ Delta Electronics TPEditor ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in Delta Electronics TPEditor programming software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-236-03 ∗∗∗ Vembu BDR Full Disclosure ∗∗∗ --------------------------------------------- On 15 May 2021 we published case DIVD-2020-00011, which dealt with four vulnerabilities in Vembu BDR and related products. These four vulnerabilities here confidentially reported to Vembu in November 2020 and again in Februari 2021. Current status: From recent scan data we know that the three most damaging vulnerabilities have practically seized to be present on the internet, therefore we have decided to release the full technical details on these vulnerabilities. --------------------------------------------- https://csirt.divd.nl/2021/08/25/Vembu-BDR-Full-Disclosure/ ∗∗∗ Xen Security Advisory CVE-2021-28700 / XSA-383 ∗∗∗ --------------------------------------------- xen/arm: No memory limit for dom0less domUs --------------------------------------------- https://xenbits.xen.org/xsa/advisory-383.html ∗∗∗ Xen Security Advisory CVE-2021-28699 / XSA-382 ∗∗∗ --------------------------------------------- inadequate grant-v2 status frames array bounds check --------------------------------------------- https://xenbits.xen.org/xsa/advisory-382.html ∗∗∗ Xen Security Advisory CVE-2021-28698 / XSA-380 ∗∗∗ --------------------------------------------- long running loops in grant table handling --------------------------------------------- https://xenbits.xen.org/xsa/advisory-380.html ∗∗∗ Xen Security Advisory CVE-2021-28697 / XSA-379 ∗∗∗ --------------------------------------------- grant table v2 status pages may remain accessible after de-allocation --------------------------------------------- https://xenbits.xen.org/xsa/advisory-379.html ∗∗∗ Xen Security Advisory CVE-2021-28694,CVE-2021-28695,CVE-2021-28696 / XSA-378 ∗∗∗ --------------------------------------------- IOMMU page mapping issues on x86 --------------------------------------------- https://xenbits.xen.org/xsa/advisory-378.html ∗∗∗ The installers of multiple Sony products may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN80288258/ ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0908 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2021
by Daily end-of-shift report 24 Aug '21

24 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 23-08-2021 18:00 − Dienstag 24-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Triada Trojan in WhatsApp MOD ∗∗∗ --------------------------------------------- We discovered that the Trojan Triada snook into one of modified versions of the WhatsApp messenger called FMWhatsapp 16.80.0 together with the advertising software development kit (SDK). --------------------------------------------- https://securelist.com/triada-trojan-in-whatsapp-mod/103679/ ∗∗∗ Effective Threat-Hunting Queries in a Redacted World ∗∗∗ --------------------------------------------- Chad Anderson, senior security researcher for DomainTools, demonstrates how seemingly disparate pieces of infrastructure information can form perfect fingerprints for tracking cyberattackers infrastructure. --------------------------------------------- https://threatpost.com/effective-threat-hunting-queries/168864/ ∗∗∗ Attackers Hunting For Twilio Credentials, (Tue, Aug 24th) ∗∗∗ --------------------------------------------- Twilio is a popular service used to send/receive SMS messages and phone calls. --------------------------------------------- https://isc.sans.edu/diary/rss/27782 ∗∗∗ Power-Apps-Portale von Microsoft: 38 Millionen Datensätze lagen offen ∗∗∗ --------------------------------------------- Sicherheitsforscher haben in Power-Apps-Portalen 38 Millionen Datensätze mit teils sensiblen Daten entdeckt – laut Microsoft aufgrund von Konfigurationsfehlern. --------------------------------------------- https://heise.de/-6173306 ∗∗∗ Vorsicht vor EU Compensation E-Mail! ∗∗∗ --------------------------------------------- Aktuell werden betrügerische E-Mails von „EU Compensation“ versendet. Eine ominöse europäische Behörde behauptet, Betrugsopfer mit einer hohen Geldsumme zu entschädigen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-eu-compensation-e-mail/ ∗∗∗ Ransomware Groups to Watch: Emerging Threats ∗∗∗ --------------------------------------------- Emerging ransomware groups to watch, according to Unit 42 researchers: AvosLocker, Hive Ransomware, HelloKitty and LockBit 2.0. --------------------------------------------- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ ∗∗∗ FBI sends its first-ever alert about a ‘ransomware affiliate’ ∗∗∗ --------------------------------------------- The US Federal Bureau of Investigations has published today its first-ever public advisory detailing the modus operandi of a "ransomware affiliate." --------------------------------------------- https://therecord.media/fbi-sends-its-first-ever-alert-about-a-ransomware-a… ===================== = Vulnerabilities = ===================== ∗∗∗ New zero-click iPhone exploit used to deploy NSO spyware ∗∗∗ --------------------------------------------- Digital threat researchers at Citizen Lab have uncovered a new zero-click iMessage exploit used to deploy NSO Groups Pegasus spyware on devices belonging to Bahraini activists. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/new-zero-click-iphone-exploit-u… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ledgersmb, tnef, and tor), Fedora (nodejs-underscore and tor), openSUSE (aws-cli, python-boto3, python-botocore,, fetchmail, firefox, and isync), SUSE (aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 and python-PyYAML), and Ubuntu (linux-aws-5.8, linux-azure-5.8, linux-gcp-5.8, linux-oracle-5.8). --------------------------------------------- https://lwn.net/Articles/867247/ ∗∗∗ [20210801] - Core - Insufficient access control for com_media deletion endpoint ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/861-20210801-core-insufficient… ∗∗∗ Security Bulletin: CVE-2020-2773 (deferred from Oracle Apr 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2773-deferred-fr… ∗∗∗ Security Bulletin: Apache CXF (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-publicly-discl… ∗∗∗ Security Bulletin: XStream (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xstream-publicly-disclose… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Update Secure Gateway Client in IBM DataPower Gateway to address several CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-update-secure-gateway-cli… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Resilient Disaster Recovery (DR) system allows connections over TLS 1.0 (CVE-2021-29704) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-disaster-re… ∗∗∗ Security Bulletin: CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14781-deferred-f… ∗∗∗ OpenSSL: SM2 Decryption Buffer Overflow (CVE-2021-3711) ∗∗∗ --------------------------------------------- https://openssl.org/news/secadv/20210824.txt ∗∗∗ Overview of F5 vulnerabilities (August 2021) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50974556 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2021
by Daily end-of-shift report 23 Aug '21

23 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-08-2021 18:00 − Montag 23-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ProxyShell: Massive Angriffswelle auf ungepatchte Exchange-Server ∗∗∗ --------------------------------------------- Die Lücken sind bekannt, Patches da - trotzdem sind tausende Exchange-Server angreifbar. Nun rollt eine massive Angriffswelle, die die Schwachstellen ausnutzt. --------------------------------------------- https://heise.de/-6171597 ∗∗∗ SynAck ransomware decryptor lets victims recover files for free ∗∗∗ --------------------------------------------- Emsisoft has released a decryptor for the SynAck Ransomware, allowing victims to decrypt their encrypted files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/synack-ransomware-decryptor-… ∗∗∗ Kubernetes hardening: Drilling down on the NSA/CISA guidance ∗∗∗ --------------------------------------------- Kubernetes has become the de facto choice for container orchestration. Some studies report that up to 88% of organizations are using Kubernetes for their container orchestration needs and 74% of that occurring in production environments. That said, security remains a critical concern with as many as 94% of organizations reporting at least one security incident in their Kubernetes environments in the last 12 months. --------------------------------------------- https://www.csoonline.com/article/3629049/kubernetes-hardening-drilling-dow… ∗∗∗ Gaming-related cyberthreats in 2020 and 2021 ∗∗∗ --------------------------------------------- In this report, you will find statistics and other information about gaming-related malware, phishing schemes and other threats in 2020 and the first half of 2021. --------------------------------------------- https://securelist.com/game-related-cyberthreats/103675/ ∗∗∗ Web Censorship Systems Can Facilitate Massive DDoS Attacks ∗∗∗ --------------------------------------------- Systems are ripe for abuse by attackers who can abuse systems to launch DDoS attacks. --------------------------------------------- https://threatpost.com/censorship-systems-ddos-attacks/168853/ ∗∗∗ Out of Band Phishing. Using SMS messages to Evade Network Detection, (Thu, Aug 19th) ∗∗∗ --------------------------------------------- Many companies have extensive security tools to monitor employee computers. But these precautions often fail for "out of band" access that uses cellular networks instead of Ethernet/WiFi networks. Our reader Isabella sent us this phishing email that they received: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27768 ∗∗∗ Researchers Detail Modus Operandi of ShinyHunters Cyber Crime Group ∗∗∗ --------------------------------------------- ShinyHunters, a notorious cybercriminal underground group thats been on a data breach spree since last year, has been observed searching companies GitHub repository source code for vulnerabilities that can be abused to stage larger scale attacks, an analysis of the hackers modus operandi has revealed. --------------------------------------------- https://thehackernews.com/2021/08/researchers-detail-modus-operandi-of.html ∗∗∗ Details Disclosed for Critical Vulnerability in Sophos Appliances ∗∗∗ --------------------------------------------- Organizations using security appliances from Sophos have been advised to make sure their devices are up to date after a researcher disclosed the details of a critical vulnerability patched last year. --------------------------------------------- https://www.securityweek.com/details-disclosed-critical-vulnerability-sopho… ∗∗∗ LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers ∗∗∗ --------------------------------------------- Previously unseen ransomware hit at least 10 organizations in ongoing campaign. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ===================== = Vulnerabilities = ===================== ∗∗∗ Das Anstecken einer Razer-Maus macht Angreifer zu Windows-10-Admins ∗∗∗ --------------------------------------------- Eine Schwachstelle in der Konfigurationssoftware Synapse von Razer gefährdet Windows-PCs. Ein Sicherheitspatch steht noch aus. --------------------------------------------- https://heise.de/-6171968 ∗∗∗ Attackers Actively Exploiting Realtek SDK Flaws ∗∗∗ --------------------------------------------- Multiple vulnerabilities in software used by 65 vendors under active attack. --------------------------------------------- https://threatpost.com/attackers-exploiting-realtek/168856/ ∗∗∗ Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems ∗∗∗ --------------------------------------------- Close to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the deployment of malicious web shells, coin miners, ransomware, and other trojans. Thats according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm Trend Micro, detailing the top [...] --------------------------------------------- https://thehackernews.com/2021/08/top-15-vulnerabilities-attackers.html ∗∗∗ Micropatching MSHTML Remote Code Execution Issue (CVE-2021-33742) ∗∗∗ --------------------------------------------- June 2021 Windows Updates brought a fix for CVE-2021-33742, a remote code execution in the MSHTML component, exploitable via Microsoft browsers and potentially other applications using this component, e.g. via a malicious Microsoft Word document. Discovery of this issue was attributed to Clément Lecigne of Google’s Threat Analysis Group, while Googles security researcher Maddie Stone wrote a detailed analysis. --------------------------------------------- https://blog.0patch.com/2021/08/micropatching-mshtml-remote-code.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, ircii, and scrollz), Fedora (kernel, krb5, libX11, and rust-actix-http), Mageia (kernel and kernel-linus), openSUSE (aspell, chromium, dbus-1, isync, java-1_8_0-openjdk, krb5, libass, libhts, libvirt, prosody, systemd, and tor), SUSE (cpio, dbus-1, libvirt, php7, qemu, and systemd), and Ubuntu (inetutils). --------------------------------------------- https://lwn.net/Articles/867149/ ∗∗∗ Planned Vembu Full Disclosure ∗∗∗ --------------------------------------------- If you are using Vembu BDR version 3.7.0, 3.9.1 Update 1, 4.2.0 or 4.2.0.1 and have your instances exposed to public internet, you are strongly advices to upgrade to Vembu BDR v4.2.0.2. On the 25th of August we plan to release the full details of the following CVEs: CVE-2021-26471, CVE-2021-26472, and CVE-2021-26473 All of these vulnerabilities are unauthenticated remote code execution vulnerabilities. --------------------------------------------- https://csirt.divd.nl/2021/08/20/Planned-Vembu-Full-Disclosure/ ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ F-Secure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0898 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.08.2021
by Daily end-of-shift report 20 Aug '21

20 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-08-2021 18:00 − Freitag 20-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Securing Machine (Non-Human) Identities ∗∗∗ --------------------------------------------- We spend considerable time and focus on securing identities used by individuals and groups within our environment. While these are essential activities, we sometimes lose sight of a whole other set of identities, often highly privileged, that are just beneath the surface. --------------------------------------------- https://www.beyondtrust.com/blog/entry/securing-machine-non-human-identities ∗∗∗ You can post LinkedIn jobs as almost ANY employer — so can attackers ∗∗∗ --------------------------------------------- Anyone can create a job listing on the leading recruitment platform LinkedIn on behalf of any employer—no verification needed. And worse, the employer cannot easily take these down. --------------------------------------------- https://www.bleepingcomputer.com/news/security/you-can-post-linkedin-jobs-a… ∗∗∗ Pegasus iPhone hacks used as lure in extortion scheme ∗∗∗ --------------------------------------------- A new extortion scam is underway that attempts to capitalize on the recent Pegasus iOS spyware attacks to scare people into paying a blackmail demand. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pegasus-iphone-hacks-used-as… ∗∗∗ Waiting for the C2 to Show Up, (Fri, Aug 20th) ∗∗∗ --------------------------------------------- Keep this in mind: "Patience is key". Sometimes when you are working on a malware sample, you depend on online resources. I'm working on a classic case: a Powershell script decodes then injects a shellcode into a process. --------------------------------------------- https://isc.sans.edu/diary/rss/27772 ∗∗∗ Project Zero: Understanding Network Access in Windows AppContainers ∗∗∗ --------------------------------------------- Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/08/understanding-network-access… ∗∗∗ Gefährliche Liebschaften – Love Scammer brechen nicht nur Herzen ∗∗∗ --------------------------------------------- Mit diesen Maschen versuchen Online-Betrüger Geld aus der Partnersuche auf Dating-Plattformen herauszuschlagen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/08/19/gefaehrliche-liebschaften… ∗∗∗ How to install Frida into an Android application ∗∗∗ --------------------------------------------- On a recent job I was testing a rather interesting piece of technology that had several server side checks but they wanted to add some additional security on the client side. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-install-frida-into-an-… ∗∗∗ Unternehmen aufgepasst: Ignorieren Sie Fax von Branchen-Stadtplan! ∗∗∗ --------------------------------------------- UnternehmerInnen erhalten derzeit ein Fax von „Branchen-Stadtplan. Handel – Gewerbe – Industrie – Vereine & Co.“. Die Unternehmen werden aufgefordert ihre Firmendaten zu überprüfen oder zu ergänzen und das Fax unterschrieben zurückzusenden. --------------------------------------------- https://www.watchlist-internet.at/news/unternehmen-aufgepasst-ignorieren-si… ∗∗∗ RansomClave project uses Intel SGX enclaves for ransomware attacks ∗∗∗ --------------------------------------------- Academics have developed a proof-of-concept ransomware strain that uses highly secure Intel SGX enclaves to hide and keep encryption keys safe from the prying eyes of security tools. --------------------------------------------- https://therecord.media/ransomclave-project-uses-intel-sgx-enclaves-for-ran… ∗∗∗ Cloudflare says it mitigated a record-breaking 17.2M rps DDoS attack ∗∗∗ --------------------------------------------- Internet infrastructure company Cloudflare disclosed today that it mitigated the largest volumetric distributed denial of service (DDoS) attack that was recorded to date. --------------------------------------------- https://therecord.media/cloudflare-says-it-mitigated-a-record-breaking-17-2… ∗∗∗ Mozi botnet gains the ability to tamper with its victims’ traffic ∗∗∗ --------------------------------------------- A new version of Mozi, a botnet that targets routers and IoT devices, is now capable of tampering with the web traffic of infected systems via techniques such as DNS spoofing and HTTP session hijacking, a capability that could be abused to redirect users to malicious sites. --------------------------------------------- https://therecord.media/mozi-botnet-gains-the-ability-to-tamper-with-its-vi… ===================== = Vulnerabilities = ===================== ∗∗∗ New unofficial Windows patch fixes more PetitPotam attack vectors ∗∗∗ --------------------------------------------- A second unofficial patch for the Windows PetitPotam NTLM relay attack has been released to fix further issues not addressed by Microsofts official security update. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-unofficial-windows-patch… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libtpms and mingw-exiv2), openSUSE (389-ds, aspell, c-ares, fetchmail, firefox, go1.15, go1.16, haproxy, java-1_8_0-openjdk, krb5, libass, libmspack, libsndfile, openexr, php7, qemu, and tor), Oracle (compat-exiv2-023 and compat-exiv2-026), and SUSE (389-ds, aspell, djvulibre, fetchmail, firefox, go1.15, go1.16, java-1_8_0-openjdk, krb5, libass, libmspack, nodejs8, openexr, postgresql10, qemu, and spice-vdagent). --------------------------------------------- https://lwn.net/Articles/866906/ ∗∗∗ AVEVA SuiteLink Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for Heap-based Buffer Overflow, Null Pointer Dereference, and Improper Handling of Exceptional Conditions vulnerabilities in AVEVA SuiteLink Server system management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-231-01 ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Synology-SA-21:23 ISC BIND ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_23 ∗∗∗ MISP: Schwachstelle ermöglicht SQL-Injection ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0894 ∗∗∗ Mehrere Schwachstellen in NetModule Router Software (NRSW) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2021
by Daily end-of-shift report 19 Aug '21

19 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-08-2021 18:00 − Donnerstag 19-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cisco meldet gefährliche Remote-Angriffsmöglichkeiten auf Small Business-Router ∗∗∗ --------------------------------------------- Ein aktuelles Advisory von Cisco beschreibt eine kritische Sicherheitslücke, die mehrere Small Business-Router betrifft. Updates wird es nicht geben. --------------------------------------------- https://heise.de/-6169343 ∗∗∗ Ransomware-Attacken nehmen dramatisch zu ∗∗∗ --------------------------------------------- Mehr Ransomware-Angriffe, höhere Lösegeldforderungen und eine effizientere Verteilung - die Entwicklung der Datenerpressungsbranche ist besorgniserregend. --------------------------------------------- https://heise.de/-6169583 ∗∗∗ A Short History of Essay Spam (How We Got from Pills to Plagiarism) ∗∗∗ --------------------------------------------- >From answering beginner questions like 'What is SEO spam?' to breaking down the spammers' code and exactly how they hide their injections in compromised websites, we have written regularly about spam at Sucuri. If you’ve ever operated a WordPress website you will have certainly seen, at the very least, a litany of spam comments posted on your comments section. --------------------------------------------- https://blog.sucuri.net/2021/08/a-short-history-of-essay-spam-how-we-got-fr… ∗∗∗ Oh, Behave! Figuring Out User Behavior ∗∗∗ --------------------------------------------- I decided to embark on a journey to understand user behavior without knowing exactly how I would gather details about user activity as a research topic. A major component of this research is finding a way to gather data on user behavior without making too much noise or triggering detections in a live environment. --------------------------------------------- https://www.trustedsec.com/blog/oh-behave-figuring-out-user-behavior/ ∗∗∗ How to spot a DocuSign phish and what to do about it ∗∗∗ --------------------------------------------- Phishing scammers love well known brand names, particularly if youre expecting to hear from them. --------------------------------------------- https://blog.malwarebytes.com/social-engineering/2021/08/how-to-spot-a-docu… ∗∗∗ Health authorities in 40 countries targeted by COVID‑19 vaccine scammers ∗∗∗ --------------------------------------------- Fraudsters impersonate vaccine manufacturers and authorities overseeing vaccine distribution efforts, INTERPOL warns --------------------------------------------- https://www.welivesecurity.com/2021/08/18/health-authorities-40-countries-t… ∗∗∗ CISA Provides Recommendations for Protecting Information from Ransomware-Caused Data Breaches ∗∗∗ --------------------------------------------- CISA has released the fact sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches to address the increase in malicious cyber actors using ransomware to exfiltrate data and then threatening to sell or leak the exfiltrated data if the victim does not pay the ransom. These data breaches, often involving sensitive or personal information, can cause financial loss to the victim organization and erode customer trust. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/18/cisa-provides-rec… ∗∗∗ Cisco: Security devices are vulnerable to SNIcat data exfiltration technique ∗∗∗ --------------------------------------------- Networking equipment vendor Cisco said today that some of its security products fail to detect and stop traffic to malicious servers that abuse a technique called SNIcat to covertly steal data from inside corporate networks. --------------------------------------------- https://therecord.media/cisco-security-devices-are-vulnerable-to-snicat-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2021-08-18 ∗∗∗ --------------------------------------------- 2 critical, 5 medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ SSA-816035: Code Execution Vulnerability in SINEMA Remote Connect Client ∗∗∗ --------------------------------------------- The latest update for SINEMA Remote Connect Client fixes a vulnerability that could allow a local attacker to escalate privileges or even allow remote code execution under certain circumstances. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-816035.txt ∗∗∗ VMSA-2021-0017 ∗∗∗ --------------------------------------------- VMware Workspace ONE UEM console patches address a denial of service vulnerability (CVE-2021-22029) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (exiv2, firefox, and thunderbird), Fedora (libsndfile, python-docx, and xscreensaver), openSUSE (haproxy), and SUSE (haproxy). --------------------------------------------- https://lwn.net/Articles/866753/ ∗∗∗ Positive Technologies helps to fix dangerous vulnerability in CODESYS ICS software ∗∗∗ --------------------------------------------- [...] This high-severity vulnerability (CVE-2021-36764) was discovered in the CODESYS V3 Runtime System software package (version 3.15.9.10). By exploiting it, an attacker can disable the PLC and disrupt the technological process. The vulnerability (NULL Pointer Dereference) was found in the CmpGateway component. An attacker with network access to the industrial controller can send a specially formed TCP packet and interrupt the operation of the PLC. Also, it has been found that this software contains another vulnerability (Local Privilege Escalation), which is currently being reviewed by the vendor. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/positive-technologies-helps-to-… ∗∗∗ Red Hat JBoss Enterprise Application Platform: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0892 ∗∗∗ Internet Systems Consortium BIND: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0890 ∗∗∗ Kritische Schwachstellen in Altus Sistemas de Automacao Produkten ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/kritische-schwachstel… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Apache HttpClient ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Linux kernel eBPF vulnerability CVE-2021-3490 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43346111 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2021
by Daily end-of-shift report 18 Aug '21

18 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-08-2021 18:00 − Mittwoch 18-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kritische Lücke in Blackberry QNX OS gefährdet medizinische Geräte ∗∗∗ --------------------------------------------- Blackberry hat in seinem Echtzeitbetriebssystem QNX einer gefährliche Schwachstelle geschlossen. --------------------------------------------- https://heise.de/-6168793 ∗∗∗ Kritische Sicherheitslücke: Angreifer könnten Millionen IoT-Geräte belauschen ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor einer Schwachstelle, die etwa Millionen Babyphones und IP-Kameras gefährdet. Geräte lassen sich nicht ohne Weiteres schützen. --------------------------------------------- https://heise.de/-6168381 ∗∗∗ Fortinet: Wichtiges Sicherheitsupdate für FortiWeb OS in Vorbereitung ∗∗∗ --------------------------------------------- Für eine Lücke mit High-Einstufung liegt Exploit-Code vor, Fixes kommen aber erst Ende August. Betreiber von FortiWeb WAFs sollten Vorsichtsmaßnahmen treffen. --------------------------------------------- https://heise.de/-6168205 ∗∗∗ Vorsicht! Kostenloses Antivirenprogramm „Total AV“ entpuppt sich als Kostenfalle ∗∗∗ --------------------------------------------- Immer wieder melden uns verunsicherte LeserInnen das Antivirenprogramm „Total AV“. Der Grund dafür sind nicht-transparente Kosten sowie Probleme beim Kündigen des Abo-Vertrags. Gleichzeitig wird „Total AV“ auf vielen Seiten als das beste kostenlose Antivirenprogramm beworben. Wir haben uns das Programm genauer angesehen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-kostenloses-antivirenprogra… ∗∗∗ Sicherheitswarnung für Synology DiskStation Manager und UC SkyNAS ∗∗∗ --------------------------------------------- Der Hersteller Synology hat eine Sicherheitswarnung für seinen DiskStation Manager (Version <6.2.4-25556-2 ; 7.0) herausgegeben. In der Firmware der Geräte gibt es gleich mehrere Sicherheitslücken. Gefährdet sind auch UC SkyNAS-Einheiten. Von Synology gibt es bereits erste Firmware-Updates. Von der Ransomware eCh0raix gibt es eine neue Variante, die einen neuen Bug in QNAP und Synology NAS Devices ausnutzen kann. --------------------------------------------- https://www.borncity.com/blog/2021/08/18/sicherheitswarnung-fr-synology-dis… ∗∗∗ Diavol ransomware sample shows stronger connection to TrickBot gang ∗∗∗ --------------------------------------------- A new analysis of a Diavol ransomware sample shows a more clear connection with the gang behind the TrickBot botnet and the evolution of the malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-sho… ∗∗∗ Kerberos Authentication Spoofing: Don’t Bypass the Spec ∗∗∗ --------------------------------------------- Yaron Kassner, CTO at Silverfort, discusses authentication-bypass bugs in Cisco ASA, F5 Big-IP, IBM QRadar and Palo Alto Networks PAN-OS. --------------------------------------------- https://threatpost.com/kerberos-authentication-spoofing/168767/ ∗∗∗ 5 Things to Consider Before Moving Back to the Office, (Wed, Aug 18th) ∗∗∗ --------------------------------------------- Many readers will likely continue to enjoy working from home. Having not worked out of an office for about 20 years myself, I can certainly understand the appeal of working from home. But for some, this isn't an option and probably not even the preferred way to work. Having likely worked from home for over a year now, there are some things that you need to "readjust" as you are moving back. --------------------------------------------- https://isc.sans.edu/diary/rss/27762 ∗∗∗ Detecting Embedded Content in OOXML Documents ∗∗∗ --------------------------------------------- On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents - specifically those in the Office Open XML (OOXML) file format. Additionally, we’re releasing a tool so analysts and defenders can automatically generate YARA rules using this technique. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/08/detecting-embedded-con… ∗∗∗ WordPress Malware Camouflaged As Code ∗∗∗ --------------------------------------------- In today’s post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker’s goal is to make everything look routine to an analyst so that they do not dig deeper and discover the presence of malware and what it is doing. --------------------------------------------- https://www.wordfence.com/blog/2021/08/wordpress-malware-camouflaged-as-cod… ∗∗∗ IT Risk Team Discovers Previously Unknown Vulnerability in Autodesk Software During Client Penetration Test ∗∗∗ --------------------------------------------- During a recent client engagement, the DGC penetration testing team identified a previously unknown vulnerability affecting the Autodesk Licensing Service, a software component bundled with nearly all licensed Autodesk products. The vulnerability exists in a software component common to most Autodesk products and impacts nearly all organizations using licensed Autodesk software in any capacity. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/risk-te… ∗∗∗ Houdini Malware Returns and Amazons Sidewalk Enter Corporate Networks ∗∗∗ --------------------------------------------- The nature of a secure access service edge (SASE) platform provides visibility into a large number of internet data flows - and the larger the platform, the more dataflows can be analyzed. An analysis of more than 250 billion network flows during Q2 2021 shows increasing threats, a new use of an old malware, and the growing incidence of consumer devices in the workplace. --------------------------------------------- https://www.securityweek.com/houdini-malware-returns-and-amazons-sidewalk-e… ∗∗∗ Breaking the Android Bootloader on the Qualcomm Snapdragon 660 ∗∗∗ --------------------------------------------- This post is a companion to the DEF CON 29 video available here. A few months ago I purchased an Android phone to do some research around a specific series [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/breaking-the-android-bootload… ∗∗∗ Dumpster diving is a filthy business ∗∗∗ --------------------------------------------- One man's trash is another man's treasure - here's why you should think twice about what you toss in the recycling bin --------------------------------------------- https://www.welivesecurity.com/2021/08/17/dumpster-diving-is-filthy-busines… ∗∗∗ Cobalt Strike: Detect this Persistent Threat ∗∗∗ --------------------------------------------- Cobalt Strike is a penetration testing tool created by Raphael Mudge in 2012. To this day, it remains extremely popular in red team activities and used for malicious purposes by threat actors. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-per… ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe sichert Photoshop & Co. außer der Reihe ab ∗∗∗ --------------------------------------------- Der Softwarehersteller Adobe schließt unter anderem in Bridge, Media Encoder und XMP Toolkit SDK Sicherheitslücken. --------------------------------------------- https://heise.de/-6168132 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy), Fedora (c-ares, hivex, kernel, libtpms, newsflash, python-django, rust-gettext-rs, and rust-gettext-sys), openSUSE (c-ares and libsndfile), Scientific Linux (cloud-init, edk2, exiv2, firefox, kernel, kpatch-patch, microcode_ctl, sssd, and thunderbird), SUSE (c-ares, fetchmail, haproxy, kernel, libmspack, libsndfile, rubygem-puma, spice-vdagent, and webkit2gtk3), and Ubuntu (exiv2, haproxy, linux, linux-aws, linux-aws-5.4, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/866669/ ∗∗∗ ThroughTek Kalay P2P SDK ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Access Control vulnerability in the ThroughTek Kalay P2P SDK software kit. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01 ∗∗∗ Advantech WebAccess/NMS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Authentication vulnerability in Advantech WebAccess/NMS network management systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02 ∗∗∗ xArrow SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cross-site Scripting, and Improper Input Validation vulnerability in the xArrow SCADA human-machine interface. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-03 ∗∗∗ Huawei EchoLife HG8045Q vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN41646618/ ∗∗∗ Firefox & Thunderbird: Security-Fixes für Browser und Mail-Client verfügbar ∗∗∗ --------------------------------------------- https://heise.de/-6168771 ∗∗∗ glibc vulnerability CVE-2021-35942 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K98121587 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0880 ∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0885 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily August 2021