- Daily - CERT.at

Tageszusammenfassung - 24.11.2021
by Daily end-of-shift report 24 Nov '21

24 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-11-2021 18:00 − Mittwoch 24-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Phishing page hiding itself using dynamically adjusted IP-based allow list, (Wed, Nov 24th) ∗∗∗ --------------------------------------------- It can be instructive to closely examine even completely usual-looking phishing messages from time to time, since they may lead one to unusual phishing sites or may perhaps use some novel technique that might not be obvious at first glance. --------------------------------------------- https://isc.sans.edu/diary/rss/28070 ∗∗∗ Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery, and Webshells ∗∗∗ --------------------------------------------- This blog series explores methods attackers might use to maintain persistent access to a compromised linux system. --------------------------------------------- https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persi… ∗∗∗ Nach Windows-Update: Zero-Day-Lücke erlaubt lokale Rechteausweitung ∗∗∗ --------------------------------------------- Eines der Windows-Updates im November sollte eine gefährliche Lücke schließen. Doch sie lässt sich noch immer zur Erhöhung der eigenen Rechte missbrauchen. --------------------------------------------- https://heise.de/-6274893 ∗∗∗ Vorsicht vor Love Scams auf Facebook Dating! ∗∗∗ --------------------------------------------- Immer wieder melden uns besorgte LeserInnen sogenannte Love- oder Romance-Scammer. Dabei handelt es sich um Online-Bekanntschaften, die sich durch Liebesbeteuerungen das Vertrauen der Opfer erschleichen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-love-scams-auf-facebook… ∗∗∗ New JavaScript malware works as a “RAT dispenser” ∗∗∗ --------------------------------------------- Cybersecurity experts from HP said they discovered a new strain of JavaScript malware that criminals are using as a way to infect systems and then deploy much dangerous remote access trojans (RATs). --------------------------------------------- https://therecord.media/new-javascript-malware-works-as-a-rat-dispenser/ ∗∗∗ ASEC Weekly Malware Statistics (November 15th, 2021 – November 21st, 2021) ∗∗∗ --------------------------------------------- This post will list weekly statistics collected from November 15th, 2021 (Monday) to November 21st, 2021 (Sunday). --------------------------------------------- https://asec.ahnlab.com/en/28954/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (libxls, roundcubemail, and vim), openSUSE (bind, java-1_8_0-openjdk, and redis), Red Hat (kernel, kernel-rt, kpatch-patch, krb5, mailman:2.1, openssh, and rpm), Scientific Linux (kernel, krb5, openssh, and rpm), SUSE (bind, java-1_8_0-openjdk, redis, and webkit2gtk3), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/876799/ ∗∗∗ Schwachstelle in MediaTek-Chips von Android-Smartphones ∗∗∗ --------------------------------------------- Sicherheitsforscher von Check Point haben in einer Android-APU, die APU ist die AI Processing Unit in MediaTek-Chips, eine Schwachstelle entdeckt. Die Sicherheitsforscher warnen, dass Nutzer über den Audio-Prozessor abgehört werden können. Die Mediatek-Chips sind in 37 % aller Android-Geräte verbaut. --------------------------------------------- https://www.borncity.com/blog/2021/11/24/schwachstelle-in-mediatek-chips-vo… ∗∗∗ ZDI-21-1333: Adobe Creative Cloud Incorrect Permission Assignment Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1333/ ∗∗∗ Security Advisory - Possible Out-Of-Bounds Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211124-… ∗∗∗ Security Bulletin: Weak Cryptographic Control Vulnerability Affects IBM Sterling Connect:Direct Web Services (CVE-2021-38891) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-weak-cryptographic-contro… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Account Lockout Vulnerability Affects IBM Sterling Connect:Direct Web Services (CVE-2021-38890) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-account-lockout-vulnerabi… ∗∗∗ Security Bulletin: PostgreSQL Sensitive Information Exposure Vulnerability Affects IBM Connect:Direct Web Services (CVE-2021-32029) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-sensitive-info… ∗∗∗ K20072454: Linux kernel vulnerability CVE-2021-43267 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20072454 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.11.2021
by Daily end-of-shift report 23 Nov '21

23 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 22-11-2021 18:00 − Dienstag 23-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warnung: ProxyShell, Squirrelwaffle und ein PoC-Eploit, patcht endlich eure Exchange-Server ∗∗∗ --------------------------------------------- Wie oft denn noch? Aktuell warne ich fast im Tagesrhythmus vor dem Betrieb ungepatchter Exchange-Schwachstellen und ProxyShell-Angriffen. Vor einigen Tagen hat Trend Micro eine Warnung vor Angriffen auf die ProxyShell-Schwachstellen über den Squirrelwaffle-Exploit und der Übernahme der Exchange-E-Mail-Postfächer gewarnt. Seit wenigen Stunden ist ein weitere Exploit als Proof of Concept öffentlich, die Ausnutzung gegen ungepatchte Exchange-Server ist wahrscheinlich. Patcht also endlich die Systeme. --------------------------------------------- https://www.borncity.com/blog/2021/11/23/warnung-proxyshell-squirrelwaffle-… ∗∗∗ GoDaddy-Datenpanne betrifft 1,2 Millionen WordPress-Kunden ∗∗∗ --------------------------------------------- Hacker verschafft sich Zugang zu den persönlichen Daten von mehr als 1,2 Millionen Kunden des WordPress-Hostingdienstes von GoDaddy. --------------------------------------------- https://heise.de/-6274187 ∗∗∗ FBI warnt vor Einbrüchen via VPN-Software ∗∗∗ --------------------------------------------- Bei Untersuchungen stießen Strafverfolger vom FBI auf Sicherheitslücken in VPN-Software, durch die Cyberkriminelle derzeit in Netzwerke eindringen. --------------------------------------------- https://heise.de/-6274101 ∗∗∗ ZDF-Reportage: Wie Betrüger online abzocken ∗∗∗ --------------------------------------------- Wer sind die Cyber-Kriminellen hinter den unzähligen Fake-Shops und wie können sie entlarvt werden? "WISO crime" - ein ZDF-Format berichtet über Fake-Shops im Internet und versucht, einem Fake-Shop-Betreiber auf die Schliche zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/zdf-reportage-wie-betrueger-online-a… ∗∗∗ Over nine million Android devices infected by info-stealing trojan ∗∗∗ --------------------------------------------- A large-scale malware campaign on Huaweis AppGallery has led to approximately 9,300,000 installs of Android trojans masquerading as over 190 different apps --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-nine-million-android-de… ∗∗∗ How to investigate service provider trust chains in the cloud ∗∗∗ --------------------------------------------- This blog outlines DART’s recommendations for incident responders to investigate potential abuse of these delegated admin permissions, independent of the threat actor. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/22/how-to-investigate-servi… ∗∗∗ Simple YARA Rules for Office Maldocs, (Mon, Nov 22nd) ∗∗∗ --------------------------------------------- In diary entry "Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches" I shared 2 simple YARA rules to triage Office documents with VBA code. --------------------------------------------- https://isc.sans.edu/diary/rss/28062 ∗∗∗ Observing Attacks Against Hundreds of Exposed Services in Public Clouds ∗∗∗ --------------------------------------------- Insecurely exposed services are common misconfigurations in cloud environments. We used a honeypot infrastructure to learn about attacks against them. --------------------------------------------- https://unit42.paloaltonetworks.com/exposed-services-public-clouds/ ∗∗∗ What to do if you receive a data breach notice ∗∗∗ --------------------------------------------- Receiving a breach notification doesn't mean you’re doomed - here's what you should consider doing in the hours and days after learning that your personal data has been exposed --------------------------------------------- https://www.welivesecurity.com/2021/11/22/what-do-if-you-receive-data-breac… ∗∗∗ GÉANT launches new security services website ∗∗∗ --------------------------------------------- As technology becomes more complex and threats more sophisticated, it’s a challenge to keep any organisation’s online environment and physical infrastructure secure. Security services protect both the networks and services from attacks, but also help secure individuals using the networks. --------------------------------------------- https://connect.geant.org/2021/11/23/geant-launches-new-security-services-w… ∗∗∗ The digital operational resilience act (DORA): what you need to know about it, the requirements and challenges we see. ∗∗∗ --------------------------------------------- TL;DR - In this blogpost, we will give you an introduction to DORA, as well as how you can prepare yourself to be ready for it. More specifically, throughout this blogpost we will try to formulate an answer to following questions: What is DORA and what are the key requirements of DORA? What are the biggest [...] --------------------------------------------- https://blog.nviso.eu/2021/11/23/the-digital-operational-resilience-act-dor… ∗∗∗ GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks ∗∗∗ --------------------------------------------- In part three of a series, GoSecure ethical hackers have found another way to exploit insecure Windows Server Update Services (WSUS) configurations. By taking advantage of the authentication provided by the Windows update client and relaying it to other domain services, we found this can lead to remote code execution. In this blog, we’ll share our findings and recommend mitigations. --------------------------------------------- https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-wind… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2021-0027 ∗∗∗ --------------------------------------------- VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0027.html ∗∗∗ Xen Security Advisories ∗∗∗ --------------------------------------------- XSA-385 - guests may exceed their designated memory limit XSA-387 - grant table v2 status pages may remain accessible after de-allocation (take two) XSA-388 - PoD operations on misaligned GFNs XSA-389 - issues with partially successful P2M updates on x86 --------------------------------------------- https://xenbits.xen.org/xsa/ ∗∗∗ Vulnerability Spotlight: PHP deserialize vulnerability in CloudLinux Imunity360 could lead to arbitrary code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a vulnerability in the Ai-Bolit functionality of CloudLinux Inc Imunify360 that could lead to arbitrary code execution. Imunify360 is a security platform for web-hosting servers that allows users to configure various settings for real-time website protection and web server security. --------------------------------------------- https://blog.talosintelligence.com/2021/11/vulnerability-spotlight-php-dese… ∗∗∗ A review of Azure Sphere vulnerabilities: Unsigned code execs, kernel bugs, escalation chains and firmware downgrades ∗∗∗ --------------------------------------------- Summary of all the vulnerabilities reported by Cisco Talos in Microsoft Azure Sphere --------------------------------------------- https://blog.talosintelligence.com/2021/11/a-review-of-azure-sphere.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mbedtls), Red Hat (kernel and rpm), and Ubuntu (freerdp2). --------------------------------------------- https://lwn.net/Articles/876723/ ∗∗∗ 0-Day LPE-Schwachstelle im Windows Installer (Nov. 2021) ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat eine eine 0-Day-Schwachstelle im Windows Installer gefunden, über die ein lokaler Angreifer Administratorrechte erlangen kann. Die Windows Installer Elevation of Privilege"-Schwachstelle CVE-2021-41379 ist zwar im November 2021 gepatcht worden. Aber es gibt eine Umgehungslösung, der Patch ist wirkungslos. Betroffen sind alle Windows-Versionen, einschließlich Windows 10, dass brandneue Windows 11 sowie alle Windows Server-Versionen. --------------------------------------------- https://www.borncity.com/blog/2021/11/23/0-day-lpe-schwachstelle-im-windows… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple issues within the IBM® Runtime Environment Java™ Technology Edition, Version 8 shipped with IBM MQ (CVE-2021-2432, CVE-2021-2388) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: Vulnerability in MIT Kerberos 5 (CVE-2020-28196) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-mit-kerb… ∗∗∗ Security Bulletin: Vulnerability in Apache HTTP (CVE-2018-17199 and CVE-2020-11993) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-h… ∗∗∗ Security Bulletin: Application error in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-application-error-in-ibm-… ∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat (CVE-2021-42340) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an error processing messages. (CVE-2021-38875) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Vulnerability in Bash (CVE-2019-18276) affects HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-cve… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Vulnerability in glib2 (CVE-2021-27218 and CVE-2021-27219) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-glib2-cv… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2021
by Daily end-of-shift report 22 Nov '21

22 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-11-2021 18:00 − Montag 22-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Picky PPID Spoofing ∗∗∗ --------------------------------------------- Parent Process ID (PPID) Spoofing is one of the techniques employed by malware authors to blend in the target system. This is done by making the malicious process look like it was spawned by another process. This helps evade detections that are based on anomalous parent-child process relationships. --------------------------------------------- https://captmeelo.com/redteam/maldev/2021/11/22/picky-ppid-spoofing.html ∗∗∗ Command injection prevention for Python ∗∗∗ --------------------------------------------- This is a command/code injection prevention cheat sheet by r2c. It contains code patterns of potential ways to run an OS command or arbitrary code in an application. Instead of scrutinizing code for exploitable vulnerabilities, the recommendations in this cheat sheet pave a safe road for developers that mitigates the possibility of command/code injection in your code. --------------------------------------------- https://semgrep.dev/docs/cheat-sheets/python-command-injection/ ∗∗∗ Missing Link: Wie sicher ist der Anonymisierungsdienst Tor? ∗∗∗ --------------------------------------------- Tor gilt als Wunderwaffe gegen den Überwachungswahn von Geheimdiensten. Wie gut lässt sich die Technologie knacken? Ist Tor tatsächlich NSA- und BND-proof? --------------------------------------------- https://heise.de/-6272025 ∗∗∗ Virtuelle Mobilfunknetze mit Open RAN: BSI sieht Sicherheitsrisiken ∗∗∗ --------------------------------------------- Mehr "Security by Design" empfehlen die Autoren einer Risikoanalyse des BSI für die Weiterentwicklung von Open RAN – nachträgliche Korrekturen seien aufwändig. --------------------------------------------- https://heise.de/-6274060 ∗∗∗ UEFI virtual machine firmware hardening through snapshots and attack surface reduction. (arXiv:2111.10167v1 [cs.SE]) ∗∗∗ --------------------------------------------- This paper introduces Amaranth project - a solution to some of the contemporary security issues related to UEFI firmware. In this work we focused our attention on virtual machines as it allowed us to simplify the development of secure UEFI firmware. Security hardening of our firmware is achieved through several techniques, the most important of which are an operating system integrity checking mechanism (through snapshots) and overall firmware size reduction. --------------------------------------------- http://arxiv.org/abs/2111.10167 ∗∗∗ Oh ... Ransomware verschlüsselt meine virtuellen Maschinen direkt im Hypervisor ... Wie jetzt? ∗∗∗ --------------------------------------------- Viele Ransomware- oder Ransomware-as-a-Service (RaaS)- Gruppen besitzen inzwischen die Fähigkeit, virtuelle Maschinen direkt auf Hypervisor-Ebene zu verschlüsseln. Das heisst, es sind nicht einzelne Clients, Workstations oder Server auf Windows Betriebsystem-Ebene, sondern alle Maschinen, die virtualisiert - auf zum Beispiel VMware ESXi oder Microsoft Hyper-V - laufen, gleichzeitig betroffen. Die Cybersecurityfirma Crowdstrike hat dieser Thematik zwei interessante Blog-Posts gewidmet --------------------------------------------- https://cert.at/de/blog/2021/11/oh-ransomware-verschlusselt-meine-virtuelle… ∗∗∗ NSA and CISA Release Guidance on Securing 5G Cloud Infrastructures ∗∗∗ --------------------------------------------- CISA has announced the joint National Security Agency (NSA) and CISA publication of the second of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part II: Securely Isolate Network Resources examines threats to 5G container-centric or hybrid container/virtual network, also known as Pods. The guidance provides several aspects of pod security including limiting permissions on deployed containers, avoiding resource contention and denial-of-service attacks, and implementing real-time threat detection. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/nsa-and-cisa-rele… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet ∗∗∗ --------------------------------------------- R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications. CVEs: CVE-2021-21920, CVE-2021-21921, CVE-2021-21922, CVE-2021-21923, CVE-2021-21915, CVE-2021-21916, CVE-2021-21917, CVE-2021-21918, CVE-2021-21919, CVE-2021-21910, CVE-2021-21911, CVE-2021-21912 --------------------------------------------- http://blog.talosintelligence.com/2021/11/re-see-net-advantched-vuln-spotli… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firebird3.0, libmodbus, and salt), Fedora (js-jquery-ui and wordpress), Mageia (arpwatch, chromium-browser-stable, php, rust, and wireshark), openSUSE (barrier, firefox, hylafax+, opera, postgresql12, postgresql13, postgresql14, and tomcat), SUSE (ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-keystone, openstack-neutron-gbp, openstack-nova, python-eventlet, rubygem-redcarpet, rubygem-puma, ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma, firefox, kernel, postgresql, postgresql13, postgresql14, postgresql10, postgresql12, postgresql13, postgresql14, postgresql96, and samba), and Ubuntu (libreoffice). --------------------------------------------- https://lwn.net/Articles/876655/ ∗∗∗ Serious Vulnerabilities Found in Wi-Fi Module Designed for Critical Industrial Applications ∗∗∗ --------------------------------------------- Talos has published 18 separate advisories describing the vulnerabilities. The researchers have reproduced the vulnerabilities on Lantronix PremierWave 2050 version 8.9.0.0R4, and Talos claims there are no official patches for the security holes, despite the vendor knowing about them since June 15. --------------------------------------------- https://www.securityweek.com/serious-vulnerabilities-found-wi-fi-module-des… ∗∗∗ ZDI-21-1332: Commvault CommCell AppStudioUploadHandler Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1332/ ∗∗∗ ZDI-21-1331: Commvault CommCell Demo_ExecuteProcessOnGroup Exposed Dangerous Function Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1331/ ∗∗∗ ZDI-21-1330: Commvault CommCell DownloadCenterUploadHandler Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1330/ ∗∗∗ ZDI-21-1329: Commvault CommCell DataProvider JavaScript Sandbox Escape Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1329/ ∗∗∗ ZDI-21-1328: Commvault CommCell CVSearchService Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1328/ ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue processing message properties. (CVE-2021-29843) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.11.2021
by Daily end-of-shift report 19 Nov '21

19 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-11-2021 18:00 − Freitag 19-11-2021 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitsbedrohungen im Web: Die größten Risiken laut OWASP Top Ten 2021 ∗∗∗ --------------------------------------------- Die OWASP Top Ten 2021 aktualisiert die Liste der Sicherheitsbedrohungen im Web. Defekte Zugriffsbeschränkungen stehen an erster Stelle. --------------------------------------------- https://heise.de/-6271591 ∗∗∗ Qnap veröffentlicht NAS-Updates und deaktiviert aus Sicherheitsgründen eine App ∗∗∗ --------------------------------------------- Angreifer könnten Netzwerkspeicher von Qnap attackieren. Der Sicherheitspatch für eine Lücke steht noch aus. --------------------------------------------- https://heise.de/-6272271 ∗∗∗ Azure Active Directory: Sicherheitslücke entblößt private Schlüssel ∗∗∗ --------------------------------------------- In Azure Automation waren private Schlüssel für jeden Nutzer des AD einsehbar. Obwohl Microsoft das Problem gelöst hat, ist ein Schlüsseltausch angeraten. --------------------------------------------- https://heise.de/-6272248 ∗∗∗ ProxyNoShell: Mandiant warnt vor neuen Angriffsmethoden auf Exchange-Server (Nov. 2021) ∗∗∗ --------------------------------------------- Cyber-Angreifer verwenden seit Monaten drei bekannte Schwachstellen in Microsofts Exchange Servern, für die es bereits seit Monaten Updates gibt. Trotzdem sind um die 30.000 Microsoft Exchange Sever per Internet erreichbar, die über diese Schwachstellen angreifbar sind. Sicherheitsforscher haben jetzt eine [...] --------------------------------------------- https://www.borncity.com/blog/2021/11/19/proxynoshell-mandiant-warnt-vor-ne… ∗∗∗ Malware downloaded from PyPI 41,000 times was surprisingly stealthy ∗∗∗ --------------------------------------------- Malware infiltrating open source repositories is getting more sophisticated. --------------------------------------------- https://arstechnica.com/?p=1814211 ∗∗∗ Android malware BrazKing returns as a stealthier banking trojan ∗∗∗ --------------------------------------------- The BrazKing Android banking trojan has returned with dynamic banking overlays and a new implementation trick that enables it to operate without requesting risky permissions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-brazking-ret… ∗∗∗ Ransomware Phishing Emails Sneak Through SEGs ∗∗∗ --------------------------------------------- The MICROP ransomware spreads via Google Drive and locally stored passwords. --------------------------------------------- https://threatpost.com/ransomware-phishing-emails-segs/176470/ ∗∗∗ Downloader Disguised as Excel Add-In (XLL), (Fri, Nov 19th) ∗∗∗ --------------------------------------------- At the Internet Storm Center, we like to show how exotic extensions can be used to make victims feel confident to open malicious files. There is an interesting webpage that maintains a list of dangerous extensions used by attackers: filesec.io[1]. The list is regularly updated and here is an example of malicious file that is currently not listed: "XLL". It's not a typo, it's not a "DLL" but close to! --------------------------------------------- https://isc.sans.edu/diary/rss/28052 ∗∗∗ New Side Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks ∗∗∗ --------------------------------------------- Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined to legitimate websites to a server under their control. "The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache," University of California researchers Keyu Man, Xin'an Zhou, and Zhiyun Qian said. --------------------------------------------- https://thehackernews.com/2021/11/new-side-channel-attacks-re-enable.html ∗∗∗ Web trust dies in darkness: Hidden Certificate Authorities undermine public crypto infrastructure ∗∗∗ --------------------------------------------- Security researchers have checked the webs public key infrastructure and have measured a long-known but little-analyzed security threat: hidden root Certificate Authorities. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/11/19/web_trust_ce… ∗∗∗ Patch now! FatPipe VPN zero-day actively exploited ∗∗∗ --------------------------------------------- The FBI has revealed that APT actors have been abusing a zero-day in FatPipes MPVPN, WARP, and IPVPN products since May. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-no… ∗∗∗ New Aggah Campaign Hijacks Clipboards to Replace Cryptocurrency Addresses ∗∗∗ --------------------------------------------- Aggah is a threat group known for espionage and information theft worldwide, as well as its deft use of free and open-source infrastructure to conduct its attacks. Weve recently reported that the group is linked with the Mana Tools malware distribution and command and control (C2) panel. RiskIQ recently identified a new Aggah campaign via our global monitoring of malicious VBScript code posted on websites. In this latest campaign, operators deployed clipboard hijacking code that replaces a [...] --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/aggah-clipboard-hija… ∗∗∗ Ransomware is now a giant black hole that is sucking in all other forms of cybercrime ∗∗∗ --------------------------------------------- File-encrypting malware is where the money is -- and thats changing the whole online crime ecosystem. --------------------------------------------- https://www.zdnet.com/article/ransomware-is-now-a-giant-black-hole-that-is-… ∗∗∗ All Roads Lead to OpenVPN: Pwning Industrial Remote Access Clients ∗∗∗ --------------------------------------------- [...] Team82’s research uncovered four vulnerabilities in popular industrial VPN solutions from vendors HMS Industrial Networks, Siemens, PerFact, and MB connect line. The vulnerabilities expose users to remote and arbitrary code execution attacks, and also enable attackers to elevate privileges. All four vendors have either provided a fix in an updated version of their respective products, or suggested mitigations. --------------------------------------------- https://claroty.com/2021/11/19/blog-research-all-roads-lead-to-openvpn-pwni… ∗∗∗ Kernel Karnage – Part 4 (Inter(ceptor)mezzo) ∗∗∗ --------------------------------------------- To make up for the long wait between parts 2 and 3, we’re releasing another blog post this week. Part 4 is a bit smaller than the others, an intermezzo between parts 3 and 5 if you will, discussing interceptor. --------------------------------------------- https://blog.nviso.eu/2021/11/19/kernel-karnage-part-4-interceptormezzo/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletin: Vulnerability in sed affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products ∗∗∗ --------------------------------------------- A vulnerability in the sed command could allow an authenticated attacker to escape from a restricted shell to obtain sensitive information and cause a denial of service. --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sed-affe… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2021-29843 ∗∗∗ --------------------------------------------- IBM MQ is vulnerable to a denial of service attack caused by an issue processing message properties. The issue is described by CVE-2021-29843. --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Xen Security Advisory CVE-2021-28710 / XSA-390 - certain VT-d IOMMUs may not work in shared page table mode ∗∗∗ --------------------------------------------- Impact: A malicious guest may be able to escalate its privileges to that of the host. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-390.html ∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome. --------------------------------------------- https://blog.talosintelligence.com/2021/11/vulnerability-spotlight-user-aft… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, grafana, kubectl-ingress-nginx, and opera), Debian (netkit-rsh and salt), Fedora (freeipa and samba), Mageia (opensc, python-django-filter, qt4, tinyxml, and transfig), openSUSE (opera and transfig), Red Hat (devtoolset-11-annobin, devtoolset-11-binutils, and llvm-toolset:rhel8), SUSE (php72 and php74), and Ubuntu (mailman and thunderbird). --------------------------------------------- https://lwn.net/Articles/876528/ ∗∗∗ QNX-2021-002 Vulnerability in BMP Image Codec Impacts BlackBerry QNX Software Development Platform (SDP) ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ K48382137: Bootstrap vulnerability CVE-2018-14040 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K48382137 ∗∗∗ K19785240: Bootstrap vulnerability CVE-2018-14042 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19785240 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.11.2021
by Daily end-of-shift report 18 Nov '21

18 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-11-2021 18:00 − Donnerstag 18-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ PerSwaysion Phishing Campaign Continues to Be an Active Threat for Organizations ∗∗∗ --------------------------------------------- Research shows that multiple attack groups have been using the Microsoft file-sharing service - leveraging phishing kit for much longer than previously thought. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/-perswaysion-phishing-c… ∗∗∗ Fake Ransomware Infection Hits WordPress Sites ∗∗∗ --------------------------------------------- WordPress sites have been splashed with ransomware warnings that are as real as dime-store cobwebs made out of spun polyester. --------------------------------------------- https://threatpost.com/fake-ransomware-infection-wordpress/176410/ ∗∗∗ Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs ∗∗∗ --------------------------------------------- Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property. [...] As a precautionary measure, Microsoft is recommending customers using these services take action as described in “Affected products/services,”... --------------------------------------------- https://msrc-blog.microsoft.com:443/2021/11/17/guidance-for-azure-active-di… ∗∗∗ [Conti] Ransomware Group In-Depth Analysis ∗∗∗ --------------------------------------------- Providing a detailed perspective towards different fundamental aspects of Conti's Operation, our report approaches this case through different angles such as "Business Model", "Conti Attack Kill Chain", "Management Panel" and "Money Operation". --------------------------------------------- https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analys… ∗∗∗ Portable Malware Analyzis Lab ∗∗∗ --------------------------------------------- Short tutorial about the installation of a malware analyzis lab on Proxmox. --------------------------------------------- https://blog.rootshell.be/2021/11/17/portable-malware-analyzis-lab/ ∗∗∗ New ETW Attacks Can Allow Hackers to Blind Security Products ∗∗∗ --------------------------------------------- Researchers have described two new attack methods that can be used to “blind” cybersecurity products that rely on a logging mechanism named Event Tracing for Windows (ETW). ETW, which is present by default in Windows since Windows XP, is designed for tracing and logging events associated with user-mode applications and kernel-mode drivers. --------------------------------------------- https://www.securityweek.com/new-etw-attacks-can-allow-hackers-blind-securi… ∗∗∗ biovea.net und biovea.com: Häufig Probleme bei Bestellungen ∗∗∗ --------------------------------------------- Biovea bietet auf den Websites biovea.net und biovea.com diverse Nahrungsergänzungsmittel, Körperpflegeprodukte und Waren aus dem Gesundheitsbereich an. Bestellte Produkte werden tatsächlich versandt, doch fehlende Kontaktinformationen, Versand teils aus Amerika und der Import der Produkte beim Zoll können zu zahlreichen Problemen für Bestellende führen. --------------------------------------------- https://www.watchlist-internet.at/news/bioveanet-und-bioveacom-haeufig-prob… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011 ∗∗∗ --------------------------------------------- 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to --------------------------------------------- https://www.drupal.org/sa-core-2021-011 ∗∗∗ Drupal: OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044 ∗∗∗ --------------------------------------------- 14∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default This module enables users to authenticate through their Microsoft Azure AD account.The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another --------------------------------------------- https://www.drupal.org/sa-contrib-2021-044 ∗∗∗ Vulnerability Spotlight: Multiple code execution vulnerabilities in LibreCAD ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three vulnerabilities in LibreCAD’s libdfxfw open-source library. This library reads and writes .dxf and .dwg files — the primary file format for vector graphics in CAD software. LibreCAD, a free computer-aided design software for 2-D models, uses this libdfxfw. [...] Users are encouraged to update these affected products as soon as possible: LibreCad libdxfrw, version 2.2.0-rc2-19-ge02f3580. Talos tested and confirmed these versions of the library could be exploited by this vulnerability. --------------------------------------------- http://blog.talosintelligence.com/2021/11/libre-cad-vuln-spotlight-.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (binutils, firefox, flatpak, freerdp, httpd, java-1.8.0-openjdk, java-11-openjdk, kernel, openssl, and thunderbird), Fedora (python-sport-activities-features, rpki-client, and vim), and Red Hat (devtoolset-10-annobin and devtoolset-10-binutils). --------------------------------------------- https://lwn.net/Articles/876413/ ∗∗∗ Reflected XSS Vulnerability in Ragic Cloud DB ∗∗∗ --------------------------------------------- A reflected cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Ragic Cloud DB. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already disabled and removed Ragic Cloud DB from the QNAP App Center, pending a security patch from Ragic. To secure your device, we recommend uninstalling Ragic Cloud DB until a security patch is available. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-48 ∗∗∗ CSRF Vulnerability in QmailAgent ∗∗∗ --------------------------------------------- A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP NAS running QmailAgent. If exploited, this vulnerability allows remote attackers to trick a victim into performing unintended actions on the web application while the victim is logged in. We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 (2021/08/25) and later --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-49 ∗∗∗ Heap-Based Buffer Overflow Vulnerability in QTS and QuTS hero ∗∗∗ --------------------------------------------- A heap-based buffer overflow vulnerability has been reported to affect QNAP NAS devices that have Apple File Protocol (AFP) enabled in QTS or QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS and QuTS hero: [...] --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-50 ∗∗∗ Security Bulletin: Vulnerabilitiy affects IBM Observability with Instana ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-affects-ib… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Nov V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Philips IntelliBridge EC 40 and EC 80 Hub ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-322-01 ∗∗∗ Philips Patient Information Center iX (PIC iX) and Efficia CM Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-322-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2021
by Daily end-of-shift report 17 Nov '21

17 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-11-2021 18:00 − Mittwoch 17-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ These are the cryptomixers hackers use to clean their ransoms ∗∗∗ --------------------------------------------- Cryptomixers have always been at the epicenter of cybercrime activity, allowing hackers to "clean" cryptocurrency stolen from victims and making it hard for law enforcement to track them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/these-are-the-cryptomixers-h… ∗∗∗ 6 Tips To Keep in Mind for Ransomware Defense ∗∗∗ --------------------------------------------- Ransomware is everywhere, including the nightly news. Most people know what it is, but how do ransomware attackers get in, and how can we defend against them? --------------------------------------------- https://www.darkreading.com/edge-articles/6-tips-to-keep-in-mind-for-ransom… ∗∗∗ Github: NPM-Pakete konnten beliebig überschrieben werden ∗∗∗ --------------------------------------------- Ein Fehler in der NPM-Registry hat das Überschreiben von Paketen ermöglicht. Github weiß nicht sicher, ob dies ausgenutzt wurde. --------------------------------------------- https://www.golem.de/news/github-npm-pakete-konnten-beliebig-ueberschrieben… ∗∗∗ Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma ∗∗∗ --------------------------------------------- Thanks to the work of Google’s TAG team, we were able to grab two versions of the backdoor used by the threat actors, which we will label UserAgent 2019 and UserAgent 2021. --------------------------------------------- https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-target… ∗∗∗ Lücken in Industrie-IoT-Protokoll ermöglichen Fremdsteuerung ∗∗∗ --------------------------------------------- Implementierungen eines Datenaustauschprotokolls für industrielle Steuerungen sind anfällig für Manipulationen, die zu Schäden führen könnten. --------------------------------------------- https://heise.de/-6268372 ∗∗∗ Bestellung auf fotoexperte24.de führt in Abo-Falle! ∗∗∗ --------------------------------------------- Auf der Webseite fotoexperte24.de können günstige Passbilder für verschiedene Ausweise bestellt werden. Doch tatsächlich handelt es sich um einen Fake-Shop, der keine Bilder liefert. Stattdessen bucht der unseriöse Anbieter deutlich mehr Geld von der Kreditkarte ab als beim Bestellprozess angezeigt wurde. --------------------------------------------- https://www.watchlist-internet.at/news/bestellung-auf-fotoexperte24de-fuehr… ∗∗∗ Cobalt Strike: Decrypting Obfuscated Traffic – Part 4 ∗∗∗ --------------------------------------------- Encrypted Cobalt Strike C2 traffic can be obfuscated with malleable C2 data transforms. We show how to deobfuscate such traffic. --------------------------------------------- https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffi… ∗∗∗ ProxyNoShell: A Change in Tactics Exploiting ProxyShell Vulnerabilities ∗∗∗ --------------------------------------------- In several recent Incident Response engagements, Mandiant has observed threat actors exploiting the vulnerabilities in different ways than previously reported. --------------------------------------------- https://www.mandiant.com/resources/change-tactics-proxyshell-vulnerabilities ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 15 Security Bulletins veröffentlicht. Davon wird eine als "Kritisch", sechs als "High", und acht als "Medium" eingestuft. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base and libxml2), Debian (atftp, axis, and ntfs-3g), Fedora (digikam, freerdp, guacamole-server, and remmina), openSUSE (java-11-openjdk, kernel, samba, and tomcat), SUSE (firefox, java-11-openjdk, kernel, libarchive, samba, and tomcat), and Ubuntu (accountsservice, hivex, and openexr). --------------------------------------------- https://lwn.net/Articles/876327/ ∗∗∗ Netgear patches severe pre-auth RCE in 61 router and modem models ∗∗∗ --------------------------------------------- Networking equipment vendor Netgear has patched the fifth set of dangerous remote code execution bugs impacting its small office and small home (SOHO) routers this year. --------------------------------------------- https://therecord.media/netgear-deals-with-its-fifth-wave-of-severe-rce-bug… ∗∗∗ ZDI-21-1320: Trend Micro Antivirus for Mac Improper Access Control Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1320/ ∗∗∗ ZDI-21-1319: (0Day) Autodesk Design Review PNG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1319/ ∗∗∗ ZDI-21-1317: (0Day) Autodesk Design Review PDF File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1317/ ∗∗∗ ZDI-21-1316: (0Day) Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1316/ ∗∗∗ ZDI-21-1315: (0Day) Autodesk Design Review PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1315/ ∗∗∗ Cisco Common Services Platform Collector Improper Logging Restriction Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Common Services Platform Collector SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ WooCommerce Extension – Reflected XSS Vulnerability ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/11/woocommerce-extension-reflected-xss-… ∗∗∗ Synology-SA-21:29 Samba ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_29 ∗∗∗ FATEK Automation WinProladder ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-320-01 ∗∗∗ Mitsubishi Electric GOT products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-320-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.11.2021
by Daily end-of-shift report 16 Nov '21

16 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 15-11-2021 18:00 − Dienstag 16-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Malware: Emotet ist zurück ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine neue Variante von Emotet entdeckt. Noch wird der Schädling von einer anderen Malware nachgeladen. --------------------------------------------- https://www.golem.de/news/malware-emotet-ist-zurueck-2111-161124-rss.html ∗∗∗ Windows Sonder-Updates gegen DC-Authentifizierungsprobleme und Druckprobleme ∗∗∗ --------------------------------------------- Die Sicherheitsupdates vom November für Windows verursachen teils Authentifizierungsprobleme bei Domain Controllern sowie Druckprobleme. Microsoft patcht nach. --------------------------------------------- https://heise.de/-6267784 ∗∗∗ Fake Ransomware Infection Spooks Website Owners ∗∗∗ --------------------------------------------- Starting this past Friday we have seen a number of websites showing a fake ransomware infection. Google search results for “FOR RESTORE SEND 0.1 BITCOIN” were sitting at 6 last week and increased to 291 at the time of writing this. --------------------------------------------- https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-ow… ∗∗∗ GitHub Confirms Another Major NPM Security Defect ∗∗∗ --------------------------------------------- Microsoft-owned GitHub is again flagging major security problems in the npm registry, warning that a pair of newly discovered vulnerabilities continue to expose the soft underbelly of the open-source software supply chain. --------------------------------------------- https://www.securityweek.com/github-confirms-another-major-npm-security-def… ∗∗∗ Black Friday: Vorsicht vor Fake-Angeboten ∗∗∗ --------------------------------------------- Am 26. November 2021 ist Black Friday. Und darauf folgt am 29. November schon der Cyber Monday - für Schnäppchenjäger wahre Shopping-Feiertage. Wir raten aber zur Vorsicht: Nicht nur seriöse Anbieter locken mit günstigen Preisen und Rabatten, auch Fake-Shops werben mit Black Friday Angeboten. --------------------------------------------- https://www.watchlist-internet.at/news/black-friday-vorsicht-vor-fake-angeb… ∗∗∗ An update on the state of the NIS2 draft ∗∗∗ --------------------------------------------- This is a TLP:WHITE summary of my presentation at the 15th CSIRTs Network meeting in Ljubljana on November 11th. This is not a complete review of the current state of the NIS2 discussions. --------------------------------------------- https://cert.at/en/blog/2021/11/an-update-on-the-state-of-the-nis2-draft ∗∗∗ New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks ∗∗∗ --------------------------------------------- [...] today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/16/new-federal-gover… ∗∗∗ A new Android banking trojan named SharkBot is makings its presence felt ∗∗∗ --------------------------------------------- Security researchers have discovered a new Android banking trojan capable of hijacking users smartphones and emptying out e-banking and cryptocurrency accounts. --------------------------------------------- https://therecord.media/a-new-android-banking-trojan-named-sharkbot-is-maki… ∗∗∗ New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk ∗∗∗ --------------------------------------------- Research between Intezer and Checkmarx describes ChainJacking, a type of software supply chain attack that could be potentially exploited by threat actors and puts common admin tools at risk. We have identified a number of open-source Go packages that are susceptible to ChainJacking given that some of these vulnerable packages are embedded in popular admin [...] --------------------------------------------- https://www.intezer.com/blog/malware-analysis/chainjacking-supply-chain-att… ∗∗∗ Kernel Karnage – Part 3 (Challenge Accepted) ∗∗∗ --------------------------------------------- [...] The past weeks I mostly experimented with existing tooling and got acquainted with the basics of kernel driver development. I managed to get a quick win versus $vendor1 but that didn’t impress our blue team, so I received a challenge to bypass $vendor2. I have to admit, after trying all week to get around the protections, $vendor2 is definitely a bigger beast to tame. --------------------------------------------- https://blog.nviso.eu/2021/11/16/kernel-karnage-part-3-challenge-accepted/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxml-security-java), Fedora (botan2), openSUSE (drbd-utils, kernel, and samba), Red Hat (kernel and webkit2gtk3), SUSE (drbd-utils and samba), and Ubuntu (vim). --------------------------------------------- https://lwn.net/Articles/876227/ ∗∗∗ Synology-SA-21:28 Mail Station ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Mail Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_28 ∗∗∗ AMD Windows 10-Grafiktreiber mit Schwachstellen (Nov. 2021) ∗∗∗ --------------------------------------------- Nutzer mit AMD-Grafikkarten und Windows 10 sollten sich mit dem Thema Aktualisierung von AMD-Grafiktreibern befassten. Der Hersteller hat eingestanden, dass seine Windows 10-Grafiktreiber zahlreiche Sicherheitslücken aufweisen. Einige Schwachstellen (z.B. im Grafiktreiber) werden als sicherheitstechnisch Hoch eingestuft. --------------------------------------------- https://www.borncity.com/blog/2021/11/16/amd-windows-10-treiber-mit-schwach… ∗∗∗ WAGO: Denial of Service Vulnerability in CODESYS Runtime 2.3 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-049/ ∗∗∗ WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack. ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-050/ ∗∗∗ WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3 and WebVisualisation ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-056/ ∗∗∗ Grafana: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1205 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1207 ∗∗∗ ZDI-21-1312: Open Design Alliance (ODA) ODAViewer DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1312/ ∗∗∗ ZDI-21-1311: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1311/ ∗∗∗ ZDI-21-1310: Open Design Alliance (ODA) ODAViewer U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-21-1310/ ∗∗∗ Security Bulletin: A vulnerability in filesystem audit logging affects IBM Spectrum Scale. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-filesy… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse Jetty (CVE-2021-28165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-3711 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-mq-for-hp-n… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse (CVE-2020-27225) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM MQ can inadvertently display cleartext credentials via diagnostic logs (CVE-2021-38949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-can-inadvertently-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2021
by Daily end-of-shift report 15 Nov '21

15 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-11-2021 18:00 − Montag 15-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ PSA: Apple isn’t actually patching all the security holes in older versions of macOS ∗∗∗ --------------------------------------------- Big Sur got a fix 234 days before Catalina did, although both are supported. --------------------------------------------- https://arstechnica.com/?p=1812611 ∗∗∗ FTC shares ransomware defense tips for small US businesses ∗∗∗ --------------------------------------------- The US Federal Trade Commission (FTC) has shared guidance for small businesses on how to secure their networks from ransomware attacks by blocking threat actors attempts to exploit vulnerabilities using social engineering or exploits targeting technology. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ftc-shares-ransomware-defens… ∗∗∗ Video: Obfuscated Maldoc: Reversed BASE64, (Sun, Nov 14th) ∗∗∗ --------------------------------------------- I made a video of the maldoc analysis I explained in yesterday's diary entry "Obfuscated Maldoc: Reversed BASE64". --------------------------------------------- https://isc.sans.edu/diary/rss/28032 ∗∗∗ Changing your AD Password Using the Clipboard - Not as Easy as Youd Think!, (Mon, Nov 15th) ∗∗∗ --------------------------------------------- Let me know if this scenario is familiar? [...] Microsoft won't allow you to paste a password into their GUI "password change". Apparantly Microsoft wants us to continue to use passwords like "Passw0rd1!" and "Winter2021!" forever, until all AD domains are "passwordless" --------------------------------------------- https://isc.sans.edu/diary/rss/28036 ∗∗∗ Microsoft Out of Band Update Resolves Kerberos Issue, (Mon, Nov 15th) ∗∗∗ --------------------------------------------- Since Patch Tuesday, we've been tracking a Kerboros issue in November's patch bundle that affected authentication in several deployment scenarios: [...] This was fixed out of band yesterday (November 14, 2021). If you have applied November's update and are affected, you'll want to apply the "November-take-two" update on any affected servers. --------------------------------------------- https://isc.sans.edu/diary/rss/28040 ∗∗∗ Exploiting CSP in Webkit to Break Authentication & Authorization ∗∗∗ --------------------------------------------- [...] Long story short, there was a vulnerability that we reported to Safari that Apple didn’t consider severe enough to fix quickly which then after waiting for a significant amount of time, we decided to exploit and earn some bounties by reporting them to bug bounty programs. --------------------------------------------- https://threatnix.io/blog/exploiting-csp-in-webkit-to-break-authentication-… ∗∗∗ E-Mail-Server des FBI gehackt - für Fake-Warnungen über Cyber-Angriffe genutzt ∗∗∗ --------------------------------------------- Cyberkriminelle haben einen E-Mail-Server des FBI gekapert. Anschließend verschickten sie über 100.000 Spam-Mails mit einer Warnung vor einem Cyberangriff. --------------------------------------------- https://heise.de/-6266349 ∗∗∗ POC2021 – Pwning the Windows 10 Kernel with NFTS and WNF Slides ∗∗∗ --------------------------------------------- Alex Plaskett presented “Pwning the Windows 10 Kernel with NTFS and WNF” at Power Of Community (POC) on the 11th of November 2021. The abstract of the talk is as follows: A local privilege escalation vulnerability (CVE-2021-31956) 0day was identified as being exploited in the wild by Kaspersky. At the time it affected a broad [...] --------------------------------------------- https://research.nccgroup.com/2021/11/15/poc2021-pwning-the-windows-10-kern… ∗∗∗ Exchange Exploit Leads to Domain Wide Ransomware ∗∗∗ --------------------------------------------- In late September, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. ProxyShell is a name given to [...] --------------------------------------------- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-… ∗∗∗ AutoPoC - Validating the Lack of Validation in PoCs ∗∗∗ --------------------------------------------- HoneyPoC was a project to look at how popular CVE PoCs could be. AutoPoC took that concept and enabled the mass creation of disinformation. Also, Data is beautiful. --------------------------------------------- https://blog.zsec.uk/honeypoc-ultimate/ ∗∗∗ AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits ∗∗∗ --------------------------------------------- AT&T Alien Labs™ has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg and tomcat9), Fedora (et and kernel), openSUSE (binutils, rubygem-activerecord-5_1, samba, and tinyxml), Oracle (freerdp and httpd:2.4), Red Hat (devtoolset-11-gcc, gcc-toolset-10-binutils, kernel, kernel-rt, and kpatch-patch), and Scientific Linux (freerdp). --------------------------------------------- https://lwn.net/Articles/876135/ ∗∗∗ Security Bulletin: Use of a one way hash without a salt in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38979) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-use-of-a-one-way-hash-wit… ∗∗∗ Security Bulletin: Hazardous Input Validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38972) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Password stored in cleartext in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-password-stored-in-cleart… ∗∗∗ Security Bulletin: Missing http strict transport security header in in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38978) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-missing-http-strict-trans… ∗∗∗ Security Bulletin: Cross-Site scripting in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38982) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-in-i… ∗∗∗ Security Bulletin: Missing cookie secure attribute in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38977) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-missing-cookie-secure-att… ∗∗∗ Security Bulletin: Hazardous input validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38985) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Inadequate encryption strength in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38983) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-encryption-str… ∗∗∗ Security Bulletin: Using components with known vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-using-components-with-kno… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-32803) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Denial of service in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38974) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-in-ibm-… ∗∗∗ Security Bulletin: Hazardous input validation in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38973) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hazardous-input-validatio… ∗∗∗ Security Bulletin: Information exposure in IBM Security Guardium Key Lifecycle Manager 4.1.1 (CVE-2021-38975) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-exposure-in-i… ∗∗∗ Security Bulletin: Inadequate encryption strength in IBM Security Guardium Key Lifecycle Manager (CVE-2021-38984) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-encryption-str… ∗∗∗ Security Bulletin: Application error in IBM Security Guardium Key Lifecycle Manager 4.1.1 (CVE-2021-38981) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-application-error-in-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.11.2021
by Daily end-of-shift report 12 Nov '21

12 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-11-2021 18:00 − Freitag 12-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zoom dichtet Sicherheitslücken in mehreren Produkten und Clients ab ∗∗∗ --------------------------------------------- In einigen Produkten des Webkonferenz-Anbieters Zoom hat der Hersteller Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-6265648 ∗∗∗ Kriminelle versenden betrügerische Mails im Namen der Post! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche LeserInnen ein betrügerisches E-Mail, das im Namen der Post verschickt wird. Darin behaupten die Kriminellen, dass für eine Bestellung zusätzliche Einfuhrgebühren notwendig seien. Auch wenn Sie gerade auf ein Paket warten, sollten Sie bei solchen E-Mails skeptisch sein. In diesem Fall versuchen die BetrügerInnen an Ihr Geld zu kommen! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versenden-betruegerische-… ∗∗∗ HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks ∗∗∗ --------------------------------------------- HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-hi… ∗∗∗ Malware uses namesilo Parking pages and Googles custom pages to spread ∗∗∗ --------------------------------------------- Recently, we found a suspicious GoELFsample, which is a downloder mainly to spread mining malwares. The interesting part is that we noticed it using namesilos Parking page and Googles user-defined page to spread the sample and configuration. Apparently this is yet another attempt to hide control channel to avoid [...] --------------------------------------------- https://blog.netlab.360.com/zhatuniubility-malware-uses-namesilo-parking-pa… ∗∗∗ Murder-for-hire, money laundering, and more: How organised criminals work online ∗∗∗ --------------------------------------------- Europol has released an extensive report into serious and organized crime, including how these groups use the internet to aid in their criminal behaviour. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/11/murder-for-hire-money-launder… ∗∗∗ “We wait, because we know you.” Inside the ransomware negotiation economics. ∗∗∗ --------------------------------------------- Organizations worldwide continue to face waves of digital extortion in the form of targeted ransomware. Digital extortion is now classified as the most prominent form of cybercrime and the most devastating and pervasive threat to functioning [...] --------------------------------------------- https://research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside… ∗∗∗ Researcher Shows Windows Flaw More Serious After Microsoft Releases Incomplete Patch ∗∗∗ --------------------------------------------- A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed. --------------------------------------------- https://www.securityweek.com/researcher-shows-windows-flaw-more-serious-aft… ∗∗∗ When the alarms go off: 10 key steps to take after a data breach ∗∗∗ --------------------------------------------- It’s often said that data breaches are no longer a matter of ‘if’, but ‘when’ – here’s what your organization should do, and avoid doing, in the case of a security breach --------------------------------------------- https://www.welivesecurity.com/2021/11/11/alarms-go-off-10-steps-take-data-… ∗∗∗ Network Code on Cybersecurity is out for public consultation ∗∗∗ --------------------------------------------- The draft for the Network Code for cybersecurity aspects of cross-border electricity flows has been released today for public consultation. ENCS has collaborated on the writing of the Network Code as part of the drafting team. During the public consultation period, stakeholders within the energy sector have the opportunity of sharing their views on the [...] --------------------------------------------- https://encs.eu/news/network-code-on-cybersecurity-is-out-for-public-consul… ∗∗∗ Number of Malicious Shopping Websites Jumps 178% ahead of November e-Shopping Holidays, Breaking Records ∗∗∗ --------------------------------------------- Highlights: Check Point Research (CPR) spots over 5300 different malicious websites per week, marking the highest since the beginning of 2021 Numbers show a 178% increase compared to 2021 so far 1 out of 38 corporate networks are being impacted on average per week in November, compared to 1 in 47 in October, and [...] --------------------------------------------- https://blog.checkpoint.com/2021/11/12/number-of-malicious-shopping-website… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 15 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284) ∗∗∗ --------------------------------------------- Victure’s WR1200 WiFi router, also sometimes referred to as AC1200, was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete overtake of the device. Three vulnerabilities were uncovered, with links to the associated technical advisories below: [...] --------------------------------------------- https://research.nccgroup.com/2021/11/12/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-tar, postgresql-11, postgresql-13, and postgresql-9.6), Fedora (autotrace, botan2, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, pfstools, php-pecl-imagick, psiconv, q, R-magick, radeontop, rss-glx, rubygem-rmagick, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, and WindowMaker), Mageia (kernel, kernel-linus, and openafs), openSUSE (kernel), Red Hat (freerdp), SUSE (bind and kernel), [...] --------------------------------------------- https://lwn.net/Articles/875931/ ∗∗∗ WECON PLC Editor ∗∗∗ --------------------------------------------- This advisory contains mitigation for Stack-based Buffer Overflow, and Out-of-bounds Write vulnerabilities in WECON PLC Editor ladder logic software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-315-01 ∗∗∗ Multiple Data Distribution Service (DDS) Implementations ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in Multiple Data Distribution Service (DDS) Implementations developed by a number of different vendors. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-315-02 ∗∗∗ VMware Releases Security Update for Tanzu Application Service for VMs ∗∗∗ --------------------------------------------- VMware has released a security update to address a vulnerability in Tanzu Application Service for VMs. A remote attacker could exploit this vulnerability to cause a denial-of-service condition. CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0026 and apply the necessary update. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/12/vmware-releases-s… ∗∗∗ SYSS-2021-057: Open Redirect durch HTML Injection in Cryptshare ∗∗∗ --------------------------------------------- Im Cryptshare-Server besteht eine Schwachstelle. Sie erlaubt Angreifenden, die Empfänger einer manipulierten Nachricht auf beliebige Seiten weiterzuleiten. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-057-open-redirect-durch-html-inj… ∗∗∗ Unlimited Sitemap Generator vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN58407606/ ∗∗∗ PostgreSQL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1201 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1198 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2021
by Daily end-of-shift report 11 Nov '21

11 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-11-2021 18:00 − Donnerstag 11-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more! ∗∗∗ --------------------------------------------- The crooks have shown that the'yre willing to learn and adapt their attacks, so we need to make sure we learn and adapt, too. --------------------------------------------- https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/ ∗∗∗ Understanding .htaccess Malware ∗∗∗ --------------------------------------------- The .htaccess file is notorious for being targeted by attackers. Whether it’s using the file to hide malware, redirect search engines to other sites with blackhat SEO tactics, hide backdoors, inject content, modify php.ini values; the possibilities are endless. Many site owners are unaware of this file, due to it starting with a “.” making it a hidden file. .htaccess malware can be hard to pinpoint and clean on a server [...] --------------------------------------------- https://blog.sucuri.net/2021/11/understanding-htaccess-malware.html ∗∗∗ A Detailed Analysis of Lazarus’ RAT Called FALLCHILL ∗∗∗ --------------------------------------------- FALLCHILL is a RAT that has been used by Lazarus Group since 2016. It implements a custom algorithm that is used to decode multiple DLL names and export functions, which will be imported at runtime. --------------------------------------------- https://lifars.com/knowledge-center/a-detailed-analysis-of-lazarus-rat-call… ∗∗∗ The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. ∗∗∗ --------------------------------------------- Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way...The post The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. appeared first on McAfee Blogs. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-a… ∗∗∗ ClusterFuzzLite: Continuous fuzzing for all ∗∗∗ --------------------------------------------- Posted by Jonathan Metzman, Google Open Source Security TeamIn recent years, continuous fuzzing has become an essential part of the software development lifecycle. By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip through the most thorough manual checks and provides coverage that would take staggering human effort to replicate. NIST’s guidelines for software verification, recently released in response to the White House Executive Order on --------------------------------------------- http://security.googleblog.com/2021/11/clusterfuzzlite-continuous-fuzzing-f… ∗∗∗ HändlerInnen aufgepasst: BetrügerInnen geben Fake-Bestellungen im Namen von ATOS auf ∗∗∗ --------------------------------------------- Kriminelle geben sich derzeit als das Unternehmen ATOS aus und bekunden per Mail Interesse an einer Großbestellung. Für die betroffenen HändlerInnen mag das nach einem schnellen und leichten Geschäft klingen, doch tatsächlich hat die seriöse Firma ATOS nichts mit dieser Bestellung am Hut. Stattdessen würden Sie ihre Produkte an Kriminelle versenden, Geld dafür erhalten Sie nicht. --------------------------------------------- https://www.watchlist-internet.at/news/haendlerinnen-aufgepasst-betruegerin… ∗∗∗ Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications ∗∗∗ --------------------------------------------- [...] In simple terms, capability abstraction provides a way to describe how a given attack technique interacts with the internal components of a targeted system. The abstraction map that this process produces helps us to understand the common denominator between distinct implementations of the same technique. --------------------------------------------- https://posts.specterops.io/capability-abstraction-case-study-detecting-mal… ∗∗∗ A Peek into Top-Level Domains and Cybercrime ∗∗∗ --------------------------------------------- We analyze which top-level domains (TLDs) have the highest rate of malicious domains and why, and suggest strategies for blocking malicious domains. --------------------------------------------- https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/ ∗∗∗ BazarBackdoor now abuses Windows 10 apps feature in call me back attack ∗∗∗ --------------------------------------------- AppInstaller.exe has been twisted in a new form of phishing attack. --------------------------------------------- https://www.zdnet.com/article/bazarloader-now-abuses-windows-10-apps-featur… ∗∗∗ October 2021’s Most Wanted Malware: Trickbot Takes Top Spot for Fifth Time ∗∗∗ --------------------------------------------- Check Point Research reveals that Trickbot is the most prevalent malware and a new vulnerability in Apache is one of the most exploited vulnerabilities worldwide. --------------------------------------------- https://blog.checkpoint.com/2021/11/11/october-2021s-most-wanted-malware-tr… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1303: NETGEAR R6400v2 UPnP uuid Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1303/ ∗∗∗ Wordpress-Plug-in WP Reset Pro fixt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- In WP Reset Pro klaffte eine Sicherheitslücke, durch die angemeldete Nutzer auch ohne entsprechende Rechte ganze Wordpress-Webauftritte löschen konnten. --------------------------------------------- https://heise.de/-6264564 ∗∗∗ Sicherheitsupdate: Kritische Root-Lücke bedroht Firewalls von Palo Alto ∗∗∗ --------------------------------------------- Sind bestimmte Einstellungen aktiviert und Voraussetzungen gegeben, könnten Angreifer Palo-Alto-Firewalls attackieren. --------------------------------------------- https://heise.de/-6264656 ∗∗∗ Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin ∗∗∗ --------------------------------------------- On October 4, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for the Starter Templates plugin, which is installed on over 1 Million WordPress websites. The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates” [...] --------------------------------------------- https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vul… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (icinga2, libxstream-java, ruby-kaminari, and salt), Fedora (awscli, cacti, cacti-spine, python-boto3, python-botocore, radeontop, and rust), Mageia (firefox, libesmtp, libzapojit, sssd, and thunderbird), openSUSE (samba and samba and ldb), SUSE (firefox, pcre, qemu, samba, and samba and ldb), and Ubuntu (firejail, linux-bluefield, linux-gke-5.4, linux-oracle, linux-oracle-5.4, linux-oem-5.10, linux-oem-5.14, and python-py). --------------------------------------------- https://lwn.net/Articles/875813/ ∗∗∗ iCloud for Windows 13 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212953 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by Cross-Site Scripting (CVE-2020-4140) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by vulnerability CVE-2020-4146 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ VMSA-2021-0026 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0026.html ∗∗∗ NGINX Ingress Controller vulnerability CVE-2021-23055 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01051452?utm_source=f5support&utm_mediu… ∗∗∗ Micropatching Incompletely Patched Local Privilege Escalation in User Profile Service (CVE-2021-34484) ∗∗∗ --------------------------------------------- https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html ∗∗∗ Stack Buffer Overflow Vulnerability in Multimedia Console ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-45 ∗∗∗ Reflected XSS Vulnerability in QmailAgent ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-47 ∗∗∗ TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders ∗∗∗ --------------------------------------------- https://www.circl.lu/pub/tr-64 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2021
by Daily end-of-shift report 10 Nov '21

10 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-11-2021 18:00 − Mittwoch 10-11-2021 18:00 Handler: Stephan Richter Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Researcher Details Vulnerabilities Found in AWS API Gateway ∗∗∗ --------------------------------------------- AWS fixed the security flaws that left the API service at risk of so-called HTTP header-smuggling attacks, says the researcher who discovered them. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/researcher-details-vuln… ∗∗∗ Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog ∗∗∗ --------------------------------------------- Using static and dynamic techniques, Claroty’s Team82 and JFrog discovered 14 vulnerabilities affecting the latest version of BusyBox. All vulnerabilities were privately disclosed and fixed by BusyBox in version 1.34.0. --------------------------------------------- https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by… ∗∗∗ Patchday: Microsoft warnt vor Attacken auf Excel und Exchange ∗∗∗ --------------------------------------------- Abermals haben es Angreifer Exchange Server abgesehen. Außerdem gibt es wichtige Sicherheitsupdates für Azure, Office, Windows & Co. --------------------------------------------- https://heise.de/-6263036 ∗∗∗ Patchday: SAP schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Am Patch-Tuesday hat auch SAP Aktualisierungen für seine Produkte veröffentlicht. Ein Fix behandelt eine kritische Lücke im ABAP Platform Kernel. --------------------------------------------- https://heise.de/-6263099 ∗∗∗ Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton ∗∗∗ --------------------------------------------- Today, we’re disclosing another 10 vulnerabilities in Azure Sphere — two of which are on the Linux side, seven that exist in Security Monitor and one in the Pluton security subsystem. --------------------------------------------- https://blog.talosintelligence.com/2021/11/cisco-talos-finds-10-vulnerabili… ∗∗∗ Achtung: Momentan kursieren zahlreiche E-Mails mit Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden momentan gefälschte E-Mails im Namen von Electrolux, Weitzer Parkett Vertriebs GmbH und der TU Wien. Wer ein komisches E-Mail mit der Aufforderung einen Anhang zu öffnen erhält, sollte besonders vorsichtig sein. Im Anhang befindet sich Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-momentan-kursieren-zahlreich… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD Server Vulnerabilities – November 2021 ∗∗∗ --------------------------------------------- During security reviews in collaboration with Google, Microsoft, and Oracle, potential vulnerabilities in the AMD Platform Security Processor (PSP), AMD System Management Unit (SMU), AMD Secure Encrypted Virtualization (SEV) and other platform components were discovered and have been mitigated in AMD EPYC™ AGESA™ PI packages. --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1021 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Cloud Pak for Multicloud Management Infrastructure Management, Cloud Pak for Multicloud Management Managed Services, Rational Business Developer, InfoSphere Information Server --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Open Design Alliance (ODA) Security Advisories ∗∗∗ --------------------------------------------- ODA PRC SDK, Drawings SDK, ODA Viewer --------------------------------------------- https://www.opendesign.com/security-advisories ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-8 and samba), Fedora (community-mysql, firefox, and vim), openSUSE (binutils, kernel, and tinyxml), Red Hat (annobin, autotrace, babel, bind, binutils, bluez, compat-exiv2-026, container-tools:2.0, container-tools:3.0, container-tools:rhel8, cups, curl, dnf, dnsmasq, edk2, exiv2, file, file-roller, firefox, gcc, gcc-toolset-10-annobin, gcc-toolset-10-binutils, gcc-toolset-10-gcc, gcc-toolset-11-annobin, gcc-toolset-11-binutils,[...] --------------------------------------------- https://lwn.net/Articles/875708/ ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/adobe-releases-se… ∗∗∗ BSRT-2021-003 Vulnerabilities Impact BlackBerry Protect for Windows ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ ZDI-21-1302: Ivanti Avalanche EnterpriseServer Service SQL Injection Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1302/ ∗∗∗ ZDI-21-1301: Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1301/ ∗∗∗ ZDI-21-1300: Ivanti Avalanche User Management Improper Authentication Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1300/ ∗∗∗ ZDI-21-1299: Ivanti Avalanche Filestore Management Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1299/ ∗∗∗ ZDI-21-1298: Ivanti Avalanche JNLP File Improper Access Control Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1298/ ∗∗∗ Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signa… ∗∗∗ INTEL-SA-00481 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00560 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00568 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00569 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ INTEL-SA-00567 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ VMSA-2021-0025 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0025.html ∗∗∗ Samba 4.15.2, 4.14.10, 4.13.14 security releases available ∗∗∗ --------------------------------------------- https://lwn.net/Articles/875565/ ∗∗∗ Philips MRI 1.5T and 3T ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01 ∗∗∗ OSIsoft PI Vision ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05 ∗∗∗ OSIsoft PI Web API ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-313-06 ∗∗∗ NVIDIA GPU Display Driver Advisory - October 2021 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500449-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ NetApp Clustered Data ONTAP Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500448-NETAPP-CLUSTERED-DATA-O… ∗∗∗ Realtek Driver Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500447-REALTEK-DRIVER-PRIVILEG… ∗∗∗ Multi-vendor BIOS Security Vulnerabilities (November 2021) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500446-MULTI-VENDOR-BIOS-SECUR… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2021
by Daily end-of-shift report 09 Nov '21

09 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Montag 08-11-2021 18:00 − Dienstag 09-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus ∗∗∗ --------------------------------------------- Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322. --------------------------------------------- https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-ex… ∗∗∗ Abcbot, an evolving botnet ∗∗∗ --------------------------------------------- Business on the cloud and security on the cloud is one of the industry trends in recent years. 360Netlab is also continuing to focus on security incidents and trends on the cloud from its own expertise in the technology field. The following is a recent security incident we observed, --------------------------------------------- https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/ ∗∗∗ (Ab)Using Security Tools & Controls for the Bad, (Mon, Nov 8th) ∗∗∗ --------------------------------------------- As security practitioners, we give daily advice to our customers to increase the security level of their infrastructures. Install this tool, enable this feature, disable this function, etc. When enabled, these techniques can also be (ab)used by attackers to perform nasty actions. --------------------------------------------- https://isc.sans.edu/diary/rss/28014 ∗∗∗ WooCommerce Skimmer Spoofs Checkout Page ∗∗∗ --------------------------------------------- Recently a client of ours was reporting a bogus checkout page appearing on their website. When trying to access their “my-account” page an unfamiliar prompt appeared in their browser soliciting credit card billing information: This form was foreign to our client and was clearly placed during a website compromise. Interestingly, the website itself doesn’t even accept payments at all. If this was an attempt at a targeted credit card theft infection (as quite a few of them are) [...] --------------------------------------------- https://blog.sucuri.net/2021/11/woocommerce-skimmer-spoofs-checkout-page.ht… ∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Security Flaws ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have released a total of 20 Patch Tuesday advisories to address more than 50 vulnerabilities affecting their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr… ∗∗∗ „media-markt-outlet.de“ ist Fake ∗∗∗ --------------------------------------------- Die Webseite media-markt-outlet.de gibt vor, ein Outlet-Store von Media Markt zu sein. Da es sich bei diesem Fake-Shop angeblich um ein Outlet handelt, erscheinen die günstigen Preise auf dem ersten Blick nicht untypisch. Doch Vorsicht: media-markt-outlet.de ist Fake - Sie erhalten trotz Bezahlung keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/media-markt-outletde-ist-fake/ ∗∗∗ The Invisible JavaScript Backdoor ∗∗∗ --------------------------------------------- A few months ago we saw a post on the r/programminghorror subreddit: A developer describes the struggle of identifying a syntax error resulting from an invisible Unicode character hidden in JavaScript source code. This post inspired an idea: What if a backdoor literally cannot be seen and thus evades detection even from thorough code reviews? --------------------------------------------- https://certitude.consulting/blog/en/invisible-backdoor/ ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Attacken auf CMS Sitecore Experience Platform beobachtet ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf eine Schadcode-Lücke im Content Management System Sitecore XP abgesehen. Sicherheitspatches gibt es bereits seit Oktober 2021. --------------------------------------------- https://heise.de/-6262157 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, grafana, jenkins, opera, and thunderbird), Debian (botan1.10 and ckeditor), openSUSE (chromium, kernel, qemu, and rubygem-activerecord-5_1), SUSE (qemu and rubygem-activerecord-5_1), and Ubuntu (docker.io, kernel, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux, linux-aws, linux-aws-5.4, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/875531/ ∗∗∗ Adobe Patches Critical RoboHelp Server Security Flaw ∗∗∗ --------------------------------------------- Software maker Adobe on Tuesday released patches to cover at least four documented security defects that expose users to malicious hacker attacks. The most serious of the flaw was addressed in RoboHelp Server and is rated “critical” because it exposes corporate environments to arbitrary code execution attacks. --------------------------------------------- https://www.securityweek.com/adobe-patches-critical-robohelp-server-securit… ∗∗∗ IPAS: Security Advisories for November 2021 ∗∗∗ --------------------------------------------- Hi everyone, Today we released 25 security advisories addressing 72 vulnerabilities. Through our internal security research and the investment we make in our bug bounty programs, 96% of the issues being addressed today are the result of our proactive product security assurance efforts. Given that almost half of today’s advisories address drivers in various components, [...] --------------------------------------------- https://blogs.intel.com/technology/2021/11/intel-security-advisories-for-no… ∗∗∗ NUCLEUS:13 vulnerabilities impact Siemens medical & industrial equipment ∗∗∗ --------------------------------------------- Security researchers have disclosed today a set of 13 vulnerabilities that impact a crucial Siemens software library that is included with medical devices, automotive, and industrial systems. --------------------------------------------- https://therecord.media/nucleus13-vulnerabilities-impact-siemens-medical-in… ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX330728 ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Ant vulnerability (CVE-2021-36374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Ant vulnerability (CVE-2021-36373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by CVE-2021-23509 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in Golang ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: A vulnerability in Apache Commons Compress Library affects IBM LKS ART and Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK (July 2021) affects IBM InfoSphere Information Server (CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities (CVE-2020-25648, CVE-2021-31535, CVE-2021-20305, CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities (CVE-2020-4152, CVE-2020-4160, CVE-2020-4153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM Safer Payments v5.7 to v6.3 releases are affected by an OpenSSL Security Advisory (CVE-2021-3711) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-safer-payments-v5-7-t… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Nov. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2021
by Daily end-of-shift report 08 Nov '21

08 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-11-2021 18:00 − Montag 08-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Unbekannte infiltrieren Paketmanager npm und verseuchen Tools mit Schadcode ∗∗∗ --------------------------------------------- Die Betreiber des Paketmanagers npm warnen davor, dass Unbefugte die Pakete coa und rc trojanisiert haben. --------------------------------------------- https://heise.de/-6260153 ∗∗∗ Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer ∗∗∗ --------------------------------------------- A malicious campaign against ManageEngine ADSelfService Plus used Godzilla webshells, the NGLite backdoor and KdcSponge, a credential stealer. --------------------------------------------- https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ ∗∗∗ Pwn2Own: Printer plays AC/DC, Samsung Galaxy S21 hacked twice ∗∗∗ --------------------------------------------- Trend Micros ZDI has awarded $1,081,250 for 61 zero-days exploited at Pwn2Own Austin 2021, with competitors successfully pwning the Samsung Galaxy S21 again and hacking an HP LaserJet printer to play AC/DCs Thunderstruck on the contests third day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pwn2own-printer-plays-ac-dc-… ∗∗∗ Sitecore XP RCE flaw patched last month now actively exploited ∗∗∗ --------------------------------------------- The Australian Cyber Security Center (ACSC) is alerting web admins of the active exploitation of CVE-2021-42237, a remote code execution flaw in the Sitecore Experience Platform (Sitecore XP). --------------------------------------------- https://www.bleepingcomputer.com/news/security/sitecore-xp-rce-flaw-patched… ∗∗∗ Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory, (Sun, Nov 7th) ∗∗∗ --------------------------------------------- I made a video showing the steps to take to decrypt Cobalt Strike traffic that I covered in my diary entry "Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory". --------------------------------------------- https://isc.sans.edu/diary/rss/28008 ∗∗∗ ICS Threat Hunting: “Theyre Shootin’ at the Lights!” - PART 2 ∗∗∗ --------------------------------------------- [...] In this PART 2 of the blog series we will: Identify several critical and targeted ICS assets to protect, Identify related data sources for those assets, Focus on aspects of threat intel to use for a hunt, Build a threat hunt package template to prepare for executing the actual hunt --------------------------------------------- https://www.sans.org/blog/ics-threat-hunting-they-are-shootin-at-the-lights… ∗∗∗ TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access ∗∗∗ --------------------------------------------- NCC Group’s global Cyber Incident Response Team have observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the [...] --------------------------------------------- https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnera… ∗∗∗ DDoS Attack Trends for Q3 2021 ∗∗∗ --------------------------------------------- The third quarter of 2021 was a busy quarter for DDoS attackers. Cloudflare observed and mitigated record-setting HTTP DDoS attacks, terabit-strong network-layer attacks, one of the largest botnets ever deployed (Meris), and more recently, ransom DDoS attacks on voice over IP (VoIP) service providers and their network infrastructure around the world. --------------------------------------------- https://blog.cloudflare.com/ddos-attack-trends-for-2021-q3/ ∗∗∗ ASEC Weekly Malware Statistics (October 25th, 2021 – October 31st, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 25th, 2021 (Monday) to October 31st, 2021 (Sunday). For the main category, info-stealer ranked top with 48.3%, followed by RAT (Remote Administration Tool) malware with 24.5%, Downloader with 18.3%, Backdoor malware with 4.6%, Ransomware with 4.1%, and Banking malware with 0.2%. --------------------------------------------- https://asec.ahnlab.com/en/28464/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (containerd, redis, and sqlalchemy), Fedora (kernel, radeontop, rpki-client, and webkit2gtk3), openSUSE (java-1_8_0-openj9, libvirt, mailman, transfig, and webkit2gtk3), Oracle (thunderbird), SUSE (libvirt), and Ubuntu (icu). --------------------------------------------- https://lwn.net/Articles/875420/ ∗∗∗ Security Bulletin:Multiple Security Vulnerabilities fixed in Openssl as shipped with IBM Security Verify products (CVE-2021-3711, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinmultiple-security-vulnerab… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting in Guardium STAP vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: XSS vulerability in Dojo affects IBM Tivoli Business Service Manager (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xss-vulerability-in-dojo-… ∗∗∗ Security Bulletin: IBM MQ Appliance vulnerable to a denial of service attack (CVE-2021-29843) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-vulnerab… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple Apache Commons FileUpload vulnerabilities affects IBM Tivoli Business Service Manager (CVE-2014-0034, CVE-2014-0050, CVE-2013-2186, CVE-2016-3092) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-commons-f… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.11.2021
by Daily end-of-shift report 05 Nov '21

05 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-11-2021 18:00 − Freitag 05-11-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing emails deliver spooky zombie-themed MirCop ransomware ∗∗∗ --------------------------------------------- A new phishing campaign pretending to be supply lists infects users with the MirCop ransomware that encrypts a target system in under fifteen minutes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-emails-deliver-spoo… ∗∗∗ Bluetooth-Lücken Braktooth: Das Patchen geht nur schleppend voran ∗∗∗ --------------------------------------------- Für Braktooth-Attacken anfällige Bluetooth-Geräte könnten zeitnah in den Fokus von Angreifern rücken. Patches sind noch längst nicht flächendeckend verfügbar. --------------------------------------------- https://heise.de/-6254474 ∗∗∗ SSL certificate research highlights pitfalls for company data, competition ∗∗∗ --------------------------------------------- Analysis reveals hidden risks for organizations that do not monitor their certificate usage. --------------------------------------------- https://www.zdnet.com/article/ssl-certificate-research-highlights-pitfalls-… ∗∗∗ The IoT is getting a lot bigger, but security is still getting left behind ∗∗∗ --------------------------------------------- Four in five Internet of Things device vendors dont provide any information on how to disclose security vulnerabilities. That means problems just dont get fixed. --------------------------------------------- https://www.zdnet.com/article/the-iot-is-getting-a-lot-bigger-but-security-… ∗∗∗ Malware found in coa and rc, two npm packages with 23M weekly downloads ∗∗∗ --------------------------------------------- The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware. --------------------------------------------- https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-2… ∗∗∗ Datenbank mit Millionen Daten von VPN-Nutzern ungeschützt im Internet (Okt. 2021) ∗∗∗ --------------------------------------------- Wer VPN-Anbieter nutzt, muss sich auf deren Sicherheit und Integrität verlassen können. Sicherheitsforscher Bob Diachenko von comparitech ist kürzlich im Internet auf eine ungeschützte Datenbank (kein Passwort) gestoßen, die mehr als 300 Millionen Datensätze mit den persönlichen Daten [...] --------------------------------------------- https://www.borncity.com/blog/2021/11/05/datenbank-mit-millionen-daten-von-… ∗∗∗ Phishing PDF Files with CAPTCHA Screen Being Mass-distributed ∗∗∗ --------------------------------------------- Phishing PDF files that have CAPTCHA screens are rapidly being mass-distributed this year. A CAPTCHA screen appears upon running the PDF file, but it is not an invalid CAPTCHA. It is simply an image with a link that redirects to a malicious URL. Related types that have been collected by AhnLab’s ASD infrastructure since July up till now amount to 1,500,000. --------------------------------------------- https://asec.ahnlab.com/en/28431/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1278: Hewlett Packard Enterprise iLO Amplifier Pack backup Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise iLO Amplifier Pack. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1278/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python3.5, redis, and udisks2), Fedora (rust), openSUSE (binutils, java-1_8_0-openj9, and qemu), Oracle (firefox and httpd), Red Hat (thunderbird), Scientific Linux (thunderbird), and SUSE (binutils, qemu, and systemd). --------------------------------------------- https://lwn.net/Articles/875212/ ∗∗∗ SYSS-2021-048/SYSS-2021-049: PHP Event Calendar – SQL Injection und Persistent Cross-Site Scripting ∗∗∗ --------------------------------------------- Im "PHP Event Calendar" wurden zwei Sicherheitslücken gefunden. So kann die Datenbank ausgelesen oder die Sitzung anderer Nutzer kompromittiert werden. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-048/syss-2021-049-php-event-cale… ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1157 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenLDAP vulnerability (CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29753 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by the following vulnerabilities ( CVE-2021-29773, CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in Golang ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Reliance on Untrusted Inputs in Security Descision ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Weak Password Policy vulnerability (CVE-2021-20418) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilites ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2021
by Daily end-of-shift report 04 Nov '21

04 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-11-2021 18:00 − Donnerstag 04-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Wichtige Cisco-Updates: Recycelte SSH-Keys vereinfachten unbefugte Root-Zugriffe ∗∗∗ --------------------------------------------- Neue Versionen schließen eine kritische Lücke in Ciscos Policy Suite. Auch Catalyst PON Switches & weitere Produkte wurden gegen Angriffe abgesichert. --------------------------------------------- https://heise.de/-6251668 ∗∗∗ BSI-Paper: Technische Grundlagen sicherer Messenger-Dienste ∗∗∗ --------------------------------------------- Milliardenfach kommt weltweit ein Kommunikationsmittel zum Zuge: Messenger-Dienste. Die kurze geschriebene oder gesprochene Nachricht überrundet schon lange die SMS. Doch wie funktionieren Messenger? Was macht sie sicher und was eher nicht? Auf diese und weitere Fragen gibt das BSI-Paper „Moderne Messenger – heute verschlüsselt, morgen interoperabel?“ Antwort. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Cyberkriminelle verkaufen Zugänge zu internationalen Logistikfirmen ∗∗∗ --------------------------------------------- Es handelt sich oft um Schwachstellen in RDP und VPN. Angeboten werden aber auch gestohlene Zugangsdaten. Sicherheitsforscher warnen vor weiteren negativen Folgen für die Lieferkette. --------------------------------------------- https://www.zdnet.de/88397581/cyberkriminelle-verkaufen-zugaenge-zu-interna… ∗∗∗ Betrug mit Verdopplung Ihrer Bitcoins und Kryptowährungen! ∗∗∗ --------------------------------------------- Kriminelle machen ein attraktives Angebot: Sie versprechen eine Verdopplung eingezahlter Kryptowährungen durch einfaches Übetragen auf eine Wallet. Der Haken an der Sache: Übertragene Währungen sind verloren, denn sie landen direkt auf den Wallets der Kriminellen. Genau das passiert auch auf spacegetbonus.com mit Bitcoin, Ethereum und Dogecoin! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-verdopplung-ihrer-bitcoin… ∗∗∗ Microsoft Exchange ProxyShell exploits used to deploy Babuk ransomware ∗∗∗ --------------------------------------------- A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxyshel… ∗∗∗ Samsung Galaxy S21 hacked on second day of Pwn2Own Austin ∗∗∗ --------------------------------------------- Contestants hacked the Samsung Galaxy S21 smartphone during the second day of the Pwn2Own Austin 2021 competition, as well as routers, NAS devices, speakers, and printers from Cisco, TP-Link, Western Digital, Sonos, Canon, Lexmark, and HP. --------------------------------------------- https://www.bleepingcomputer.com/news/security/samsung-galaxy-s21-hacked-on… ∗∗∗ 5 MITRE ATT&CK Tactics Most Frequently Detected by Cisco Secure Firewalls ∗∗∗ --------------------------------------------- Cisco Security examines the most frequently encountered MITRE ATT&CK tactics and techniques. --------------------------------------------- https://www.darkreading.com/edge-threat-monitor/5-mitre-attck-tactics-most-… ∗∗∗ Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns ∗∗∗ --------------------------------------------- Much has been written about the role of webinjects in the evolution of banking trojans, facilitating the interception and manipulation of victim connections to the customer portals of a burgeoning list of targets which now includes e-commerce, retail, and telecommunications brands. --------------------------------------------- https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-van… ∗∗∗ Credit card skimmer evades Virtual Machines ∗∗∗ --------------------------------------------- After code obfuscation, anti-debugger tricks we now see virtual machine detection used by credit card skimmers. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimm… ∗∗∗ The Vagabon Kit Highlights ‘Frankenstein’ Trend in Phishing ∗∗∗ --------------------------------------------- In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themself "Vagabon," looks to collect PayPal login credentials and complete credit card information from the victim. The kit doesnt display many unique characteristics and is a textbook example of a "Frankenstein" kit. In this increasingly popular trend, threat actors piece together new phish kits from modular, free, or readily available kits and services. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/vagabon-kit-frankens… ∗∗∗ Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server ∗∗∗ --------------------------------------------- GitLab servers are under attack with a now-patched critical vulnerability Earlier this week we investigated an incident that occurred on a new Intezer Protect user’s GitLab server. After the user installed the Intezer Protect sensor on their server, an initial runtime scan was performed. An alert was immediately triggered on the execution of a malicious metasploit [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/dfir-infected-gitlab-server/ ∗∗∗ Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3 ∗∗∗ --------------------------------------------- We decrypt Cobalt Strike traffic with cryptographic keys extracted from process memory. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. --------------------------------------------- https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decr… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Vulnerability Reported in Linux Kernels TIPC Module ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a security flaw in the Linux Kernels Transparent Inter Process Communication (TIPC) module that could potentially be leveraged both locally as well as remotely to execute arbitrary code within the kernel and take control of vulnerable machines. The heap overflow vulnerability "can be exploited locally or remotely within a network to gain kernel [...] --------------------------------------------- https://thehackernews.com/2021/11/critical-rce-vulnerability-reported-in.ht… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ansible, chromium, kernel, mupdf, python-PyMuPDF, rust, and zathura-pdf-mupdf), openSUSE (qemu and webkit2gtk3), Red Hat (firefox and kpatch-patch), Scientific Linux (firefox), SUSE (qemu, tomcat, and webkit2gtk3), and Ubuntu (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/875106/ ∗∗∗ Beckhoff: Relative path traversal vulnerability through TwinCAT OPC UA Server ∗∗∗ --------------------------------------------- [...] Summary: Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server administrators are able to remotely create and delete any files on the system which the server is running on, though this access should have been restricted to specific directories. In case that configuration interface is combined with not recommended settings to allow anonymous access via the TwinCAT OPC UA Server then this kind of file access is even possible for any unauthenticated user from remote. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-051/ ∗∗∗ VISAM VBASE Editor ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Access Control, Cross-site Scripting, Using Components with Known Vulnerabilities, and Improper Restriction of XML External Entity Reference vulnerabilities in the VISAM VBASE Editor automation platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-308-01 ∗∗∗ AzeoTech DAQFactory ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Inherently Dangerous Function, Deserialization of Untrusted Data, Cleartext Transmission of Sensitive Information, and Modification of Assumed-Immutable Data (MAID) vulnerabilities in the AzeoTech DAQFactory software and application development platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02 ∗∗∗ BrakTooth Proof of Concept Tool Demonstrates Bluetooth Vulnerabilities ∗∗∗ --------------------------------------------- On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researcher’s software tools. BrakTooth—originally disclosed in August 2021—is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/04/braktooth-proof-c… ∗∗∗ Security Bulletin: Vulnerability in Oracle, Java SE Affecting Watson Speech Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-oracle-j… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Bouncy Castle vulnerability (CVE-2020-26939) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Reflected cross-site scripting vulnerability in IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr… ∗∗∗ Grafana: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1154 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.11.2021
by Daily end-of-shift report 03 Nov '21

03 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-11-2021 18:00 − Mittwoch 03-11-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ A Technical Analysis of CVE-2021-30864: Bypassing App Sandbox Restrictions ∗∗∗ --------------------------------------------- This article provides an overview of what the App Sandbox is and the vulnerability details as disclosed to Apple. --------------------------------------------- https://perception-point.io/a-technical-analysis-of-cve-2021-30864-bypassin… ∗∗∗ Ransomware: "BlackMatter"-Gang will aufhören – mal wieder ∗∗∗ --------------------------------------------- Druck von Ermittlern veranlasst BlackMatter zum Aufhören. Ein endgültiger Abschied der alten Hasen aus dem Erpresser-Business scheint aber eher fraglich. --------------------------------------------- https://heise.de/-6247924 ∗∗∗ Sicherheitsforscher warnen vor zehntausenden verwundbaren GitLab-Servern ∗∗∗ --------------------------------------------- Obwohl es bereits mehrere Monate Sicherheitspatches für eine kritische Lücke gibt, sind einem Bericht zufolge immer noch viele GitLab-Server angreifbar. --------------------------------------------- https://heise.de/-6249588 ∗∗∗ This Steam phish baits you with free Discord Nitro ∗∗∗ --------------------------------------------- Theres another scam making rounds on Discord. And its cleverly phishing for Steam credentials. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2021/11/this-steam-phish-ba… ∗∗∗ Kleinanzeigenbetrug mit angeblichem Post-Kurier boomt! ∗∗∗ --------------------------------------------- Zahlreiche LeserInnen wenden sich derzeit an uns, da Kriminelle eine gefälschte Webseite der Post für Kleinanzeigenbetrug verwenden. Dabei suchen die BetrügerInnen auf Willhaben, Ebay, Shpock und Co. nach teuren Angeboten und erklären den VerkäuferInnen, dass der Kauf über einen Kurierdienst der Post abgewickelt werden soll. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-mit-angeblichem-… ∗∗∗ Almost half of rootkits are used for cyberattacks against government organizations ∗∗∗ --------------------------------------------- On Wednesday, Positive Technologies released a report on the evolution and application of rootkits in cyberattacks, noting that 77% of rootkits are utilized for cyberespionage. --------------------------------------------- https://www.zdnet.com/article/almost-half-of-rootkits-are-used-to-strike-go… ∗∗∗ "Trojan Source": Was ist da dran? ∗∗∗ --------------------------------------------- An sich schätze ich Brian Krebs, er schreibt wirklich gute Artikel, aber bei ‘Trojan Source’ Bug Threatens the Security of All Code hat er etwas übertrieben. --------------------------------------------- https://cert.at/de/aktuelles/2021/11/trojan-source-was-ist-da-dran ∗∗∗ CISA Issues BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities ∗∗∗ --------------------------------------------- CISA has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities to addresses vulnerabilities that establishes specific timeframes for federal civilian agencies to remediate vulnerabilities that are being actively exploited by known adversaries. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/11/03/cisa-issues-bod-2… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 16 Security Advisories veröffentlicht. Zwei davon werden als "Critical" eingestuft, zwei als "High", und zwölf als "Medium". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Patchday: Angreifer attackieren gezielt Android-Geräte ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen. Eine Lücke im Kernel nutzen Angreifer derzeit aus. --------------------------------------------- https://heise.de/-6247997 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak). --------------------------------------------- https://lwn.net/Articles/874980/ ∗∗∗ ZDI-21-1277: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1277/ ∗∗∗ ZDI-21-1276: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1276/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211103-… ∗∗∗ Security Bulletin: Vulnerabilities in HAProxy Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-haprox… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/ ∗∗∗ Red Hat Integration - Service Registry: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1143 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.11.2021
by Daily end-of-shift report 02 Nov '21

02 Nov '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-10-2021 18:00 − Dienstag 02-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trojan Source: Programmiersprachen lassen sich per Unicode trojanisieren ∗∗∗ --------------------------------------------- Ein Forschungsteam zeigt systematisch, wie sich mit Unicode-Tricks Code manipulieren lässt. Open-Source-Communitys und die IT-Industrie reagieren. --------------------------------------------- https://www.golem.de/news/trojan-source-programmiersprachen-lassen-sich-per… ∗∗∗ BlackMatter Ransomware Operators Develop Custom Data Exfiltration Tool ∗∗∗ --------------------------------------------- The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports. --------------------------------------------- https://www.securityweek.com/blackmatter-ransomware-operators-develop-custo… ∗∗∗ FBI Publishes IOCs for Hello Kitty Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has published a flash alert to share details on the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the Hello Kitty ransomware, which is also known as FiveHands. --------------------------------------------- https://www.securityweek.com/fbi-publishes-iocs-hello-kitty-ransomware ∗∗∗ Webseiten-BetreiberInnen aufgepasst: Gefälschte E-Mails von WORLD4YOU im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche Webseiten-BetreiberInnen erhalten momentan betrügerische E-Mails im Namen von Wordl4You. In den betrügerischen E-Mails wird behauptet, dass die Domain gesperrt wurde, abgelaufen ist oder verlängert werden muss. --------------------------------------------- https://www.watchlist-internet.at/news/webseiten-betreiberinnen-aufgepasst-… ∗∗∗ EU Digital Green Certificate: Was gilt eigentlich bei uns? ∗∗∗ --------------------------------------------- Nachdem der digitale grüne Pass gerade in den Medien ist, und ich für den Standard den Erklärbären mache, will ich hier ein paar technische Informationen dokumentieren, die für einen Zeitungsartikel dann doch zu technisch sind. --------------------------------------------- https://cert.at/de/blog/2021/10/eu-digital-green-certificate-was-gilt-eigen… ∗∗∗ Shodan Verified Vulns 2021-11-01 ∗∗∗ --------------------------------------------- Das "Cyber-Security-Month" Oktober ist vorbei, aber, wie ein Blick in unsere Shodan-Daten vom 2021-11-01 verrät, hatte es keinen direkt sichtbaren Effekt: Die Veränderungen zu Anfang Oktober sind überschaubar. --------------------------------------------- https://cert.at/de/aktuelles/2021/11/shodan-verified-vulns-2021-11-01 ∗∗∗ From Zero to Domain Admin ∗∗∗ --------------------------------------------- This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. --------------------------------------------- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ ===================== = Vulnerabilities = ===================== ∗∗∗ Android November patch fixes actively exploited kernel bug ∗∗∗ --------------------------------------------- Google has released the Android November 2021 security updates, which address 18 vulnerabilities in the framework and system components, and 18 more flaws in the kernel and vendor components. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-november-patch-fixes… ∗∗∗ Alert! Hackers Exploiting GitLab Unauthenticated RCE Flaw in the Wild ∗∗∗ --------------------------------------------- A now-patched critical remote code execution (RCE) vulnerability in GitLabs web interface has been detected as actively exploited in the wild, cybersecurity researchers warn, rendering a large number of internet-facing GitLab instances susceptible to attacks. --------------------------------------------- https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Tivoli Composite Application Manager for Transactions, InfoSphere Information Server, InfoSphere DataStage Flow Designer, API Connect, Application Discovery and Delivery Intelligence, MessageGateway, PowerSC. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Firefox-Updates schließen zahlreiche Sicherheitslücken ∗∗∗ --------------------------------------------- Die Entwickler der Mozilla Foundation haben im Webbrowser Firefox mehr als ein Dutzend Sicherheitslücken gestopft. --------------------------------------------- https://heise.de/-6245344 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, chromium, freerdp, opera, webkit2gtk, and wpewebkit), Debian (cron, cups, elfutils, ffmpeg, libmspack, libsdl1.2, libsdl2, opencv, and tiff), Fedora (java-latest-openjdk, stb, and thunderbird), Mageia (cairo, cloud-init, docker, ffmpeg, libcaca, php, squid, and webkit2), openSUSE (busybox, chromium, civetweb, containerd, docker, runc, dnsmasq, fetchmail, flatpak, go1.16, krb5, ncurses, python, python-Pygments, squid, strongswan, transfig, webkit2gtk). --------------------------------------------- https://lwn.net/Articles/874623/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman). --------------------------------------------- https://lwn.net/Articles/874818/ ∗∗∗ Kaspersky Patches Vulnerability That Can Lead to Unbootable System ∗∗∗ --------------------------------------------- Kaspersky published two advisories on Monday to warn customers about a vulnerability that can lead to unbootable systems and a phishing campaign involving messages sent from a Kaspersky email address. --------------------------------------------- https://www.securityweek.com/kaspersky-patches-vulnerability-can-lead-unboo… ∗∗∗ November 1, 2021 TNS-2021-18 [R1] Nessus 10.0.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2021-18 ∗∗∗ Synology-SA-21:27 ISC BIND ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_27 ∗∗∗ Sensormatic Electronics VideoEdge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-306-01 ∗∗∗ WECON PI Studio (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSA-18-277-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.10.2021
by Daily end-of-shift report 29 Oct '21

29 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-10-2021 18:00 − Freitag 29-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Wie Ransomware eine Stadtverwaltung Tage lang lahmlegte ∗∗∗ --------------------------------------------- Neustadt am Rübenberge war Ziel eines großen IT-Angriffs. Der Fall zeigt, wie stark sich das auswirken kann, welche Lehren Institutionen daraus ziehen sollten. --------------------------------------------- https://heise.de/-6236592 ∗∗∗ Betrügerische Mails und SMS im Namen der Volksbank im Umlauf! ∗∗∗ --------------------------------------------- Derzeit geben sich BetrügerInnen vermehrt als Volksbank aus, um per Mail oder SMS an die Online-Banking-Zugangsdaten von potenziellen Opfer zu kommen. Die Kriminellen behaupten dabei, dass eine App installiert werden müsste oder der Zugang zu dieser App gesperrt wurde. Achtung: Es handelt sich um Phishing und Smishing! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mails-und-sms-im-name… ∗∗∗ SEO Poisoning Used to Distribute Ransomware ∗∗∗ --------------------------------------------- This tactic - used to distribute REvil ransomware and the SolarMarker backdoor - is part of a broader increase in such attacks in recent months, researchers say. --------------------------------------------- https://www.darkreading.com/attacks-breaches/seo-poisoning-used-to-distribu… ∗∗∗ Google Chrome is Abused to Deliver Malware as ‘Legit’ Win 10 App ∗∗∗ --------------------------------------------- Malware delivered via a compromised website on Chrome browsers can bypass User Account Controls to infect systems and steal sensitive data, such as credentials and cryptocurrency. --------------------------------------------- https://threatpost.com/chrome-deliver-malware-as-legit-win-10-app/175884/ ∗∗∗ Pink, a botnet that competed with the vendor to control the massive infected devices ∗∗∗ --------------------------------------------- Most of the following article was completed around early 2020, at that time the vendor was trying different ways to recover the massive amount of infected devices, we shared our findings with the vendor, as well as to CNCERT, and decided to not publish the blog while the vendors working [...] --------------------------------------------- https://blog.netlab.360.com/pink-en/ ∗∗∗ This New Android Malware Can Gain Root Access to Your Smartphones ∗∗∗ --------------------------------------------- An unidentified threat actor has been linked to a new Android malware strain that features the ability to root smartphones and take complete control over infected smartphones while simultaneously taking steps to evade detection. The malware has been named "AbstractEmu" owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis. --------------------------------------------- https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.ht… ∗∗∗ Update your OptinMonster WordPress plugin immediately ∗∗∗ --------------------------------------------- We look at a recent WordPress plugin compromise, explain what it is, and also what you have to do to ensure your blog and visitors are safe. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-y… ∗∗∗ Network Scanning Traffic Observed in Public Clouds ∗∗∗ --------------------------------------------- Cybercriminals can use scanning results to identify potential victims. We share our observations of network scanning traffic in public clouds. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-network-scanning-traffic/ ∗∗∗ NSA-CISA Series on Securing 5G Cloud Infrastructures ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have published the first of a four-part series, Security Guidance for 5G Cloud Infrastructures. Security Guidance for 5G Cloud Infrastructures – Part I: Prevent and Detect Lateral Movement provides recommendations for mitigating lateral movement attempts by threat actors who have gained initial access to cloud infrastructures. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/nsa-cisa-series-s… ===================== = Vulnerabilities = ===================== ∗∗∗ All Windows versions impacted by new LPE zero-day vulnerability ∗∗∗ --------------------------------------------- A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/all-windows-versions-impacte… ∗∗∗ Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X ∗∗∗ --------------------------------------------- CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities. --------------------------------------------- https://jvn.jp/en/jp/JVN69304877/ ∗∗∗ Shrootless: Microsoft finds Apple macOS vulnerability ∗∗∗ --------------------------------------------- Shrootless is a vulnerability found in macOS that can bypass the System Integrity Protection by abusing inherited permissions. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/shrootle… ∗∗∗ XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites ∗∗∗ --------------------------------------------- On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site Scripting(XSS) vulnerability we found in NextScripts: Social Networks Auto-Poster, a WordPress plugin with over 100,000 installations. --------------------------------------------- https://www.wordfence.com/blog/2021/10/xss-vulnerability-in-nextscripts-soc… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9). --------------------------------------------- https://lwn.net/Articles/874354/ ∗∗∗ Sensormatic Electronics victor ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Sensormatic Electronics victor video management systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-301-01 ∗∗∗ Delta Electronics DOPSoft (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-238-04 Delta Electronics DOPSoft that was published August 26, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in Delta Electronics DOPSoft HMI editing software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-238-04 ∗∗∗ GoCD Authentication Vulnerability ∗∗∗ --------------------------------------------- GoCD has released a security update to address a critical authentication vulnerability in GoCD versions 20.6.0 through 21.2.0. GoCD is an open-source Continuous Integration and Continuous Delivery system. A remote attacker could exploit this vulnerability to obtain sensitive information. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/29/gocd-authenticati… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Advisory: RCE Vulnerability in Automation Studio ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ Advisory: ZipSlip Vulnerability in Automation Studio Project Import ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ Advisory: DLL Hijacking Vulnerability in Automation Studio ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16341384… ∗∗∗ ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60553023/ ∗∗∗ ZDI-21-1273: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1273/ ∗∗∗ ZDI-21-1272: (0Day) Bitdefender Total Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1272/ ∗∗∗ ZDI-21-1271: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1271/ ∗∗∗ ZDI-21-1270: (0Day) Bitdefender Endpoint Security Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1270/ ∗∗∗ ZDI-21-1275: NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1275/ ∗∗∗ ZDI-21-1274: NETGEAR Multiple Routers httpd Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1274/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2021
by Daily end-of-shift report 28 Oct '21

28 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-10-2021 18:00 − Donnerstag 28-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ QR Codes Help Attackers Sneak Emails Past Security Controls ∗∗∗ --------------------------------------------- A recently discovered campaign shows how attackers are constantly developing new techniques to deceive phishing victims. --------------------------------------------- https://www.darkreading.com/attacks-breaches/qr-codes-help-attackers-sneak-… ∗∗∗ How we took part in MLSEC and (almost) won ∗∗∗ --------------------------------------------- How we took part in the Machine Learning Security Evasion Competition (MLSEC) — a series of trials testing contestants’ ability to create and attack machine learning models. --------------------------------------------- https://securelist.com/how-we-took-part-in-mlsec-and-almost-won/104699/ ∗∗∗ EU’s Green Pass Vaccination ID Private Key Leaked ∗∗∗ --------------------------------------------- The private key used to sign the vaccine passports was leaked and is being passed around to create fake passes for the likes of Mickey Mouse and Adolf Hitler. --------------------------------------------- https://threatpost.com/eus-green-pass-vaccination-id-private-key-leaked/175… ∗∗∗ New Wslink Malware Loader Runs as a Server and Executes Modules in Memory ∗∗∗ --------------------------------------------- Cybersecurity researchers on Wednesday took the wraps off a "simple yet remarkable" malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East. Codenamed "Wslink" by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. --------------------------------------------- https://thehackernews.com/2021/10/new-wslink-malware-loader-runs-as.html ∗∗∗ Threat profile: Ranzy Locker ransomware ∗∗∗ --------------------------------------------- What you need to know about Ranzy Locker ransomware. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2021/10/threat-profile-ranzy-locke… ∗∗∗ PSA: Widespread Remote Working Scam Underway ∗∗∗ --------------------------------------------- Attackers are posting jobs pretending to be from existing companies and steal money and/or personal information from jobseekers. --------------------------------------------- https://www.wordfence.com/blog/2021/10/psa-widespread-remote-working-scam-u… ∗∗∗ Trends und Entwicklungen bei Fake-Shops ∗∗∗ --------------------------------------------- Fake-Shops gibt es wie Sand am Meer - und auch sie entwickeln sich nach Trends: Von E-Bikes bis zur Playstation5. Diese Trends sind von der Saison, aber auch von Angebot und Nachfrage abhängig. Was die Watchlist Internet im letzten Jahr über Fake-Shop-Trends erfahren hat, lesen Sie hier. --------------------------------------------- https://www.watchlist-internet.at/news/trends-und-entwicklungen-bei-fake-sh… ∗∗∗ Free decrypters released for AtomSilo, Babuk, and LockFile ransomware strains ∗∗∗ --------------------------------------------- Antivirus maker and cyber-security firm Avast has released today free decryption utilities to recover files that have been encrypted by three ransomware strains—AtomSilo, Babuk, and LockFile. --------------------------------------------- https://therecord.media/free-decrypters-released-for-atomsilo-babuk-and-loc… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 19 Security Advisories veröffentlicht. Keines davon wird als "Critical" eingestuft, neun als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastP… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (salt), Slackware (bind), SUSE (salt), and Ubuntu (php5, php7.0, php7.2, php7.4, php8.0). --------------------------------------------- https://lwn.net/Articles/874210/ ∗∗∗ 2021 CWE Most Important Hardware Weaknesses ∗∗∗ --------------------------------------------- The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses List. The 2021 Hardware List is a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in hardware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/28/2021-cwe-most-imp… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.10.2021
by Daily end-of-shift report 27 Oct '21

27 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 25-10-2021 18:00 − Mittwoch 27-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Babuk ransomware decryptor released to recover files for free ∗∗∗ --------------------------------------------- Czech cybersecurity software firm Avast has created and released a decryption tool to help Babuk ransomware victims recover their files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-r… ∗∗∗ Vorsicht: Neue Betrugswelle mit vermeintlichen DHL-SMS ∗∗∗ --------------------------------------------- Wieder sind betrügerische SMS zu Paketlieferungen im Umlauf. Ziel ist es, eine Schadsoftware aufs Handy zu bringen. --------------------------------------------- https://futurezone.at/digital-life/betrug-dhl-sms-phishing-ausstehendes-pak… ∗∗∗ Millions of Android Users Scammed in SMS Fraud Driven by Tik-Tok Ads ∗∗∗ --------------------------------------------- UltimaSMS leverages at least 151 apps that have been downloaded collectively more than 10 million times, to extort money through a fake premium SMS subscription service. --------------------------------------------- https://threatpost.com/android-scammed-sms-fraud-tik-tok/175739/ ∗∗∗ Mozilla Firefox Blocks Malicious Add-Ons Installed by 455K Users ∗∗∗ --------------------------------------------- The misbehaving Firefox add-ons were misusing an API that controls how Firefox connects to the internet. --------------------------------------------- https://threatpost.com/mozilla-firefox-blocks-malicious-add-ons-installed-b… ∗∗∗ Conti Ransom Gang Starts Selling Access to Victims ∗∗∗ --------------------------------------------- The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Contis malware who refuse to negotiate a ransom payment are added to Contis victim shaming blog, where confidential files stolen from victims may be published or sold. --------------------------------------------- https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access… ∗∗∗ „Hallo Mama“ - Vorsicht vor Betrug über WhatsApp! ∗∗∗ --------------------------------------------- Aktuell versuchen BetrügerInnen über WhatsApp an das Geld von potentiellen Opfern zu kommen. Dafür geben Sie sich in einer Nachricht als Tochter oder Sohn der EmpfängerInnen aus und fordern die Überweisung von mehreren tausend Euro. --------------------------------------------- https://www.watchlist-internet.at/news/hallo-mama-vorsicht-vor-betrug-ueber… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress: Erneute Sicherheitslücke im Plugin Ninja Forms ∗∗∗ --------------------------------------------- Das beliebte Formular-Framework ist erneut von einer Sicherheitslücke betroffen. Das WordPress-Plugin ist auf mehr als einer Million Webseiten aktiv. --------------------------------------------- https://heise.de/-6229249 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.3 and php7.4), Mageia (kernel and kernel-linus), openSUSE (chromium and virtualbox), Oracle (xstream), Red Hat (kernel, rh-ruby30-ruby, and samba), and Ubuntu (binutils and mysql-5.7). --------------------------------------------- https://lwn.net/Articles/874045/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mosquitto and php7.0), Fedora (python-django-filter and qt), Mageia (fossil, opencryptoki, and qtbase5), openSUSE (apache2, busybox, dnsmasq, ffmpeg, pcre, and wireguard-tools), Red Hat (kpatch-patch), SUSE (apache2, busybox, dnsmasq, ffmpeg, java-11-openjdk, libvirt, open-lldp, pcre, python, qemu, util-linux, and wireguard-tools), and Ubuntu (apport and libslirp). --------------------------------------------- https://lwn.net/Articles/874143/ ∗∗∗ Belden Security Bulletin – BSECV-2020-03: Potential denial of service vulnerability in PROFINET Devices via DCE-RPC Packets ∗∗∗ --------------------------------------------- A vulnerability in the PROFINET stack implementation in Classic Firmware, HiOS, and HiLCOS could lead to a denial of service via an out of memory condition. --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=13688&mediaformat… ∗∗∗ Security Bulletin: A vulnerability exists in the restricted shell of the IBM FlashSystem 900 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects Dashboard UI of IBM Sterling B2B Integrator (CVE-2021-29764) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software – September 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect Engineering Lifecycle Management and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: Openstack Compute (Nova) noVNC proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openstack-compute-nova-no… ∗∗∗ Security Bulletin: Insufficient session expiration in IBM i2 iBase ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-insufficient-session-expi… ∗∗∗ Grafana vulnerability CVE-2021-39226 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22322802 ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1114 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1121 ∗∗∗ Fuji Electric Tellus Lite V-Simulator and V-Server Lite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-299-01 ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/27/adobe-releases-se… ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/27/apple-releases-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2021
by Daily end-of-shift report 25 Oct '21

25 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-10-2021 18:00 − Montag 25-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CISA Urges Sites to Patch Critical RCE in Discourse ∗∗∗ --------------------------------------------- The patch, urgently rushed out on Friday, is an emergency fix for the widely deployed platform, whose No. 1 most trafficked site is Amazon’s Seller Central. --------------------------------------------- https://threatpost.com/cisa-critical-rce-discourse/175705/ ∗∗∗ Schadcode in weit verbreiteter JavaScript-Bibliothek UAParser.js entdeckt ∗∗∗ --------------------------------------------- Angreifer haben die JavaScript-Bibliothek UAParser.js mit Schadcode versehen, der auf betroffenen Rechnern Kryptogeld-Miner installiert. --------------------------------------------- https://heise.de/-6226975 ∗∗∗ Ransomware BlackMatter: Forscher bieten Gratis-Decryption für einige Varianten ∗∗∗ --------------------------------------------- Wer in den letzten Monaten eine Erpresserbotschaft der "BlackMatter"-Gang auf seinen Systemen entdeckt hat, kann jetzt auf Hilfe hoffen. --------------------------------------------- https://heise.de/-6227925 ∗∗∗ Betrügerische Smartphone-Ortungsdienste ∗∗∗ --------------------------------------------- Sie haben Ihr Handy verloren – was nun? Eine Google-Suche nach „Handyortung“ ergibt über 1,5 Millionen Treffer. Apps und Services zur Handyortung erfreuen sich großer Beliebtheit. Doch Vorsicht vor „gratis“ Ortungs-Apps wie www.locating.mobi, www.geolite.mobi, www.goandfind.online. Diese führen in eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-smartphone-ortungsdie… ∗∗∗ Bericht: Ransomware-Gruppe REvil durch koordinierte Aktion mehrerer Staaten zerschlagen ∗∗∗ --------------------------------------------- An der Aktion sind unter anderem die USA beteiligt. In Sicherheitskreisen ist die Aktion wohl schon seit mehreren Tagen bekannt. --------------------------------------------- https://www.zdnet.de/88397355/bericht-ransomware-gruppe-revil-durch-koordin… ∗∗∗ DDoS attacks hit multiple email providers ∗∗∗ --------------------------------------------- At least six email service providers have been hit by large distributed denial of service (DDoS) attacks on Friday, resulting in prolonged outages, The Record has learned. --------------------------------------------- https://therecord.media/ddos-attacks-hit-multiple-email-providers/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 21 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt ∗∗∗ JSA11236 ∗∗∗ --------------------------------------------- 2021-10 Security Bulletin: Junos OS: QFX5000 Series: Traffic from the network internal to the device (128.0.0.0) may be forwarded to egress interfaces (CVE-2021-31371) --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11236 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (faad2 and mailman), Fedora (java-11-openjdk, libzapojit, nodejs, python-reportlab, vim, and watchdog), Mageia (ansible, docker-containerd, flatpak, tomcat, and virtualbox), openSUSE (containerd, docker, runc), Oracle (firefox and thunderbird), Red Hat (xstream), Scientific Linux (xstream), SUSE (cairo and containerd, docker, runc), and Ubuntu (apport and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/873965/ ∗∗∗ Red Hat Enterprise Linux (xstream): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1107 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1109 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2021
by Daily end-of-shift report 22 Oct '21

22 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-10-2021 18:00 − Freitag 22-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Evil Corp demands $40 million in new Macaw ransomware attacks ∗∗∗ --------------------------------------------- Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million… ∗∗∗ Hacking gang creates fake firm to hire pentesters for ransomware attacks ∗∗∗ --------------------------------------------- The FIN7 hacking group is attempting to join the highly profitable ransomware space by creating fake cybersecurity companies that conduct network attacks under the guise of pentesting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacking-gang-creates-fake-fi… ∗∗∗ Using Kerberos for Authentication Relay Attacks ∗∗∗ --------------------------------------------- This blog post is a summary of some research I've been doing into relaying Kerberos authentication in Windows domain environments. To keep this blog shorter I am going to assume you have a working knowledge of Windows network authentication, and specifically Kerberos and NTLM. For a quick primer on Kerberos see this page which is part of Microsoft's Kerberos extension documentation or you can always read RFC4120. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentic… ∗∗∗ Windows Exploitation Tricks: Relaying DCOM Authentication ∗∗∗ --------------------------------------------- In my previous blog post I discussed the possibility of relaying Kerberos authentication from a DCOM connection. I was originally going to provide a more in-depth explanation of how that works, but as it's quite involved I thought it was worthy of its own blog post. This is primarily a technique to get relay authentication from another user on the same machine and forward that to a network service such as LDAP. You could use this to escalate privileges on a host using a technique similar to a blog post from Shenanigans Labs but removing the requirement for the WebDAV service. Let's get straight to it. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-… ∗∗∗ GPS Daemon (GPSD) Rollover Bug ∗∗∗ --------------------------------------------- Critical Infrastructure (CI) owners and operators and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices should be aware of a GPS Daemon (GPSD) bug in GPSD versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021). On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1,024 weeks—to March 2002—which may cause systems and services to become unavailable or unresponsive. CISA urges affected CI owners and operators to ensure systems—that use GPSD to obtain timing information from GPS devices—are using GPSD version 3.23 (released August 8, 2021) or newer. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/21/gps-daemon-gpsd-r… ∗∗∗ CVE-2021-28632 & CVE-2021-39840: Bypassing Locks in Adobe Reader ∗∗∗ --------------------------------------------- Over the past few months, Adobe has patched several remote code execution bugs in Adobe Acrobat and Reader that were reported by researcher Mark Vincent Yason (@MarkYason) through our program. Two of these bugs, in particular, CVE-2021-28632 and CVE-2021-39840, are related Use-After-Free bugs even though they were patched months apart. Mark has graciously provided this detailed write-up of these vulnerabilities and their root cause. --------------------------------------------- https://www.thezdi.com/blog/2021/10/20/cve-2021-28632-amp-cve-2021-39840-by… ∗∗∗ ASEC Weekly Malware Statistics (October 11th, 2021 – October 17th, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 11th, 2021 (Monday) to October 17th, 2021 (Sunday). For the main category, info-stealer ranked top with 58.2%, followed by Downloader with 24.6%, RAT (Remote Administration Tool) malware with 7.4%, Backdoor malware with 4.7%, Ransomware with 4.1%, and Banking malware with 0.9%. --------------------------------------------- https://asec.ahnlab.com/en/28007/ ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco SD-WAN Security Bug Allows Root Code Execution ∗∗∗ --------------------------------------------- The high-severity bug, tracked as CVE-2021-1529, is an OS command-injection flaw. --------------------------------------------- https://threatpost.com/cisco-sd-wan-bug-code-execution-root/175669/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache, chromium, nodejs, nodejs-lts-erbium, nodejs-lts-fermium, and virtualbox), Fedora (vsftpd and watchdog), Oracle (java-1.8.0-openjdk, java-11-openjdk, and redis:6), and Ubuntu (libcaca, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-azure-5.8, and mailman). --------------------------------------------- https://lwn.net/Articles/873746/ ∗∗∗ Pulse Secure Pulse Connect Secure: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1103 ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1105 ∗∗∗ Security Bulletin: PostgreSQL Vulnerability Affects IBM Connect:Direct Web Service (CVE-2021-32028) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Cross-Site scripting vulnerability affect IBM Business Automation Workflow – CVE-2021-29835 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2021
by Daily end-of-shift report 21 Oct '21

21 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-10-2021 18:00 − Donnerstag 21-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Cybercrime matures as hackers are forced to work smarter ∗∗∗ --------------------------------------------- An analysis of 500 hacking incidents across a wide range of industries has revealed trends that characterize a maturity in the way hacking groups operate today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercrime-matures-as-hacker… ∗∗∗ Franken-phish: TodayZoo built from other phishing kits ∗∗∗ --------------------------------------------- A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. --------------------------------------------- https://www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-b… ∗∗∗ "Stolen Images Evidence" campaign pushes Sliver-based malware, (Thu, Oct 21st) ∗∗∗ --------------------------------------------- On Wednesday 2021-10-20, Proofpoint reported the TA551 (Shathak) campaign started pushing malware based on Sliver. Sliver is a framework used by red teams for adversary simluation and penetration testing. --------------------------------------------- https://isc.sans.edu/diary/rss/27954 ∗∗∗ Die Rückkehr der Rootkits – signiert von Microsoft ∗∗∗ --------------------------------------------- Forscher haben in den vergangenen Monaten verstärkt die vermeintlich ausgestorbenen Kernelschadprogramme wiederentdeckt. Eingeschleust werden sie heute anders. --------------------------------------------- https://heise.de/-6224944 ∗∗∗ Innovation aus Österreich: Fake-Shop Detector entlarvt Online-Betrüger ∗∗∗ --------------------------------------------- Fake-Shops im Internet werden immer zahlreicher und zugleich schwieriger zu erkennen. Unterstützung bietet ab sofort die Beta-Version des Fake-Shop Detectors: Das Tool untersucht im Internet-Browser in Echtzeit, ob es sich um seriöse oder betrügerische Onlineshops handelt und stellt somit ein Best Practice für den Nutzen und die Chancen des Einsatzes von Künstlicher Intelligenz für Konsumentinnen und Konsumenten dar. --------------------------------------------- https://www.watchlist-internet.at/news/innovation-aus-oesterreich-fake-shop… ∗∗∗ Using Discord infrastructure for malicious intent ∗∗∗ --------------------------------------------- Research by: Idan Shechter & Omer Ventura Check Point Research (CPR) spotted a multi-functional malware with the capability to take screenshots, download and execute additional files, and perform keylogging – all by using the core features of Discord There are currently over 150 million monthly active users on Discord Users must be aware that Discord’s bot… --------------------------------------------- https://blog.checkpoint.com/2021/10/21/using-discord-infrastructure-for-mal… ∗∗∗ Google unmasks two-year-old phishing & malware campaign targeting YouTube users ∗∗∗ --------------------------------------------- Almost two years after a wave of complaints flooded Googles support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Googles security team has finally tracked down the root cause of these attacks. --------------------------------------------- https://therecord.media/google-unmasks-two-year-old-phishing-malware-campai… ∗∗∗ Kernel Karnage – Part 1 ∗∗∗ --------------------------------------------- I start the first week of my internship in true spooktober fashion as I dive into a daunting subject that’s been scaring me for some time now: The Windows Kernel. 1. KdPrint(“Hello, world!\n”); --------------------------------------------- https://blog.nviso.eu/2021/10/21/kernel-karnage-part-1/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM veröffentlichte 19 Security Bulletins. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat acht Security Advisories veröffentlicht. Keines davon wird als "Critical" eingestuft, eines als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127 ∗∗∗ --------------------------------------------- Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. --------------------------------------------- https://jira.atlassian.com/browse/JRASERVER-72003 ∗∗∗ WinRAR’s vulnerable trialware: when free software isn’t free ∗∗∗ --------------------------------------------- In this article we discuss a vulnerability in the trial version of WinRAR which has significant consequences for the management of third-party software. This vulnerability allows an attacker to intercept and modify requests sent to the user of the application. --------------------------------------------- https://swarm.ptsecurity.com/winrars-vulnerable-trialware-when-free-softwar… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-babel, squashfs-tools, and uwsgi), Fedora (gfbgraph and rust-coreos-installer), Mageia (aom, libslirp, redis, and vim), openSUSE (fetchmail, go1.16, go1.17, mbedtls, ncurses, python, squid, and ssh-audit), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (fetchmail, git, go1.16, go1.17, ncurses, postgresql10, python, python36, and squid), and Ubuntu (linux, linux-aws, --------------------------------------------- https://lwn.net/Articles/873601/ ∗∗∗ B. Braun Infusomat Space Large Volume Pump ∗∗∗ --------------------------------------------- This advisory contains mitigation for Unrestricted Upload of File with Dangerous Type, Cleartext Transmission of Sensitive Information, Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity, and Improper Input Validation vulnerabilities in the B. Braun Infusomat Space Large Volume Pump. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-294-01 ∗∗∗ ICONICS GENESIS64 and Mitsubishi Electric MC Works64 ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Read, and Out-of-bounds Write vulnerabilities in ICONICS GENESIS64 and Mitsubishi Electric MC Works64 HMI SCADA systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-01 ∗∗∗ Delta Electronics DIALink ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cleartext Transmission of Sensitive Information, Cross-site Scripting, Improper Neutralization of Formula Elements in a CSV File, Cleartext Storage of Sensitive Information, Uncontrolled Search Path Element, and Incorrect Default Permissions vulnerabilities in the Delta Electronics DIALink industrial automation server. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 ∗∗∗ ICONICS GENESIS64 and Mitsubishi Electric MC Works64 OPC UA ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Uncontrolled Recursion vulnerability in ICONICS GENESIS64, Mitsubishi Electric MC Works64 third-party OPC Foundation products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-294-03 ∗∗∗ RCE in GridPro Request Management for Windows Azure Pack (CVE-2021-40371) ∗∗∗ --------------------------------------------- We recently discovered a vulnerability in GridPro Request Management versions <=2.0.7905 for Windows Azure Pack by GridPro Software. The vulnerability was assigned CVE-2021-40371 by GridPro and in the worst case scenario allows attackers to remotely execute code on the server. --------------------------------------------- https://certitude.consulting/blog/en/rce-in-gridpro-request-management-for-… ∗∗∗ Security Advisory - Path Traversal Vulnerability in Huawei FusionCube Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Advisory - CSV Injection Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Advisory - Improper Signature Management Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2021
by Daily end-of-shift report 20 Oct '21

20 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-10-2021 18:00 − Mittwoch 20-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ How a simple Linux kernel memory corruption bug can lead to complete system compromise ∗∗∗ --------------------------------------------- This blog post describes a straightforward Linux kernel locking bug and how I exploited it against Debian Busters 4.19.0-13-amd64 kernel. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memo… ∗∗∗ SuDump: Exploiting suid binaries through the kernel ∗∗∗ --------------------------------------------- We will show bugs we found in the Linux kernel that allow unprivileged users to create root-owned core files, and how we were able to use them to get an LPE through the sudo program on machines that have been configured by administrators to allow running a single innocent command. --------------------------------------------- https://alephsecurity.com/2021/10/20/sudump/ ∗∗∗ q-logger skimmer keeps Magecart attacks going ∗∗∗ --------------------------------------------- This case reminds us that web skimming attacks are ongoing even if we dont always hear about them. The post q-logger skimmer keeps Magecart attacks going appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-… ∗∗∗ VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group ∗∗∗ --------------------------------------------- While monitoring Kimsuky-related malware, the ASEC analysis team has recently discovered that VNC malware was installed via AppleSeed remote control malware. --------------------------------------------- https://asec.ahnlab.com/en/27346/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - October 2021 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 419 new security patches across the product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2021.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, smarty3, and strongswan), Fedora (udisks2), openSUSE (flatpak, strongswan, util-linux, and xstream), Oracle (redis:5), Red Hat (java-1.8.0-openjdk, java-11-openjdk, openvswitch2.11, redis:5, redis:6, and rh-redis5-redis), SUSE (flatpak, python-Pygments, python3, strongswan, util-linux, and xstream), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-raspi, strongswan). --------------------------------------------- https://lwn.net/Articles/873462/ ∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211020-… ∗∗∗ Security Bulletin: IBM QRadar Advisor With Watson is vulnerable to cross site scripting ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-w… ∗∗∗ Security Bulletin: Cloud Pak for Security uses packages that are vulnerable to several CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-us… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure, exposing remote storage credentials to privileged users under specific conditions.(CVE-2021-29752) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Oct. 2021 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. (CVE-2021-29825) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-disclose-se… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Oct. 2021 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory.and cause a denial of service. (CVE-2021-29763) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-under-very-specif… ∗∗∗ Security Bulletin: IBM API Connect is impacted by a vulnerability in Drupal core (CVE-2021-32610) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects the Dashboard User Interface of IBM Sterling B2B Integrator (CVE-2021-20571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ VMSA-2021-0024 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0024.html ∗∗∗ Apache HTTPD vulnerability CVE-2021-36160 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13401920 ∗∗∗ AUVESY Versiondog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01 ∗∗∗ Trane HVAC Systems Controls ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2021
by Daily end-of-shift report 19 Oct '21

19 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 18-10-2021 18:00 − Dienstag 19-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Umfrage: Komplexe IT und Firmenstrukturen gefährden die Cybersicherheit ∗∗∗ --------------------------------------------- Manager in Deutschland erachten unübersichtliche Technologien, Datenbestände, Betriebsumgebungen und Lieferketten als große Einfallstore für Cyberangreifer. --------------------------------------------- https://heise.de/-6222835 ∗∗∗ Sicherheitsforscher: Microsoft-Cloud verteilt zu leichtfertig Malware ∗∗∗ --------------------------------------------- IT-Spezialisten und Insider werfen Microsoft vor, auf ihren Cloud-Diensten gehostete Malware viel zu langsam zu entfernen. --------------------------------------------- https://heise.de/-6222542 ∗∗∗ SMS über eine ausständige Geldstrafe ist Fake ∗∗∗ --------------------------------------------- Viele ÖsterreicherInnen erhalten momentan ein SMS, das über ein angeblich ausstehendes Bußgeld informiert. In der Nachricht werden Sie aufgefordert, die Zahlung sofort vorzunehmen, ansonsten drohen rechtliche Schritte. Um die Zahlung zu tätigen, sollte ein Link angeklickt werden. Vorsicht: Diese Benachrichtigung ist nicht echt! Sie werden auf eine gefälschte oesterreich.gv.at-Seite geführt. Kriminelle versuchen dort an Ihre Bankdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/sms-ueber-eine-ausstaendige-geldstra… ∗∗∗ Free BlackByte decryptor released, after researchers say they found flaw in ransomware code ∗∗∗ --------------------------------------------- Security experts have released a free decryption tool that can be used by BlackByte ransomware victims to decrypt and recover their files. Thats right - you dont need to pay the ransom. Predictably, the ransomware gang isnt happy. --------------------------------------------- https://grahamcluley.com/free-blackbyte-decryptor-released-after-researcher… ∗∗∗ CISA, FBI, and NSA Release Joint Cybersecurity Advisory on BlackMatter Ransomware ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released joint Cybersecurity Advisory (CSA): BlackMatter Ransomware. Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Using an analyzed sample of BlackMatter ransomware and information from trusted third parties, this CSA [...] --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/18/cisa-fbi-and-nsa-… ∗∗∗ LightBasin hacking group breaches 13 global telecoms in two years ∗∗∗ --------------------------------------------- A group of hackers that security researchers call LightBasin has been compromising mobile telecommunication systems across the world for the past five years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lightbasin-hacking-group-bre… ∗∗∗ Trickbot module descriptions ∗∗∗ --------------------------------------------- In this article we describe the functionality of the Trickbot (aka TrickLoader or Trickster) banking malware modules and provide a tip on how to download and analyze these modules. --------------------------------------------- https://securelist.com/trickbot-module-descriptions/104603/ ∗∗∗ A New Variant of FlawedGrace Spreading Through Mass Email Campaigns ∗∗∗ --------------------------------------------- Cybersecurity researchers on Tuesday took the wraps off a mass volume email attack staged by a prolific cybercriminal gang affecting a wide range of industries, with one of its region-specific operations notably targeting Germany and Austria. Enterprise security firm Proofpoint tied the malware campaign with high confidence to TA505, [...] --------------------------------------------- https://thehackernews.com/2021/10/a-new-variant-of-flawedgrace-spreading.ht… ∗∗∗ “Killware”: Is it just as bad as it sounds? ∗∗∗ --------------------------------------------- "Killware," as USA TODAY put it, is the latest cyberthreat thats even eclipsing ransomware. But is it all its hyped up to be? --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2021/10/killware-is-it-just-as-bad… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft fixes Surface Pro 3 TPM bypass with public exploit code ∗∗∗ --------------------------------------------- Microsoft has patched a security feature bypass vulnerability impacting Surface Pro 3 tablets that enables threat actors to introduce malicious devices within enterprise environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-surface-pro… ∗∗∗ Squirrel Engine Bug Could Let Attackers Hack Games and Cloud Services ∗∗∗ --------------------------------------------- Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that can be abused by attackers to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor complete access to the underlying machine. Tracked as CVE-2021-41556, the issue occurs when a game library referred to as Squirrel Engine is used [...] --------------------------------------------- https://thehackernews.com/2021/10/squirrel-engine-bug-could-let-attackers.h… ∗∗∗ Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- Trend Micro hat Security Advisories zu acht Schwachstellen veröffentlicht. Die Lücken sind zwischen "Low" und "High" eingestuft. --------------------------------------------- https://success.trendmicro.com/solution/000289229 ∗∗∗ Security Bulletin for Trend Micro Worry-Free Business Security and Worry-Free Business Security Services ∗∗∗ --------------------------------------------- Trend Micro has released new patches for Trend Micro Worry-Free Business Security 10.0 SP1 and Worry-Free Services (SaaS) that resolve several vulnerabilities listed below. --------------------------------------------- https://success.trendmicro.com/solution/000289230 ∗∗∗ RHSA-2021:3759 - Security Advisory ∗∗∗ --------------------------------------------- Red Hat OpenShift Container Platform release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. --------------------------------------------- https://access.redhat.com/errata/RHSA-2021:3759 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in ZTE MF971R LTE router ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could [...] --------------------------------------------- https://blog.talosintelligence.com/2021/10/vuln-spotlight-.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redmine and strongswan), Fedora (containerd, fail2ban, grafana, moby-engine, and thunderbird), openSUSE (curl, firefox, glibc, kernel, libqt5-qtsvg, rpm, ssh-audit, systemd, and webkit2gtk3), Red Hat (389-ds:1.4, curl, kernel, kernel-rt, redis:5, and systemd), SUSE (util-linux), and Ubuntu (ardour, linux-azure, linux-azure-5.11, and strongswan). --------------------------------------------- https://lwn.net/Articles/873307/ ∗∗∗ Security Bulletin: IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-risk-manager… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Storwize V7000 Unified (CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects Dashboard UI of IBM Sterling B2B Integrator (CVE-2021-29764) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities (CVE-2020-15168, CVE-2021-29912) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-risk-manager… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2021-2369 and CVE-2021-2432 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily