- Daily - CERT.at

Tageszusammenfassung - 24.08.2021
by Daily end-of-shift report 24 Aug '21

24 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 23-08-2021 18:00 − Dienstag 24-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Triada Trojan in WhatsApp MOD ∗∗∗ --------------------------------------------- We discovered that the Trojan Triada snook into one of modified versions of the WhatsApp messenger called FMWhatsapp 16.80.0 together with the advertising software development kit (SDK). --------------------------------------------- https://securelist.com/triada-trojan-in-whatsapp-mod/103679/ ∗∗∗ Effective Threat-Hunting Queries in a Redacted World ∗∗∗ --------------------------------------------- Chad Anderson, senior security researcher for DomainTools, demonstrates how seemingly disparate pieces of infrastructure information can form perfect fingerprints for tracking cyberattackers infrastructure. --------------------------------------------- https://threatpost.com/effective-threat-hunting-queries/168864/ ∗∗∗ Attackers Hunting For Twilio Credentials, (Tue, Aug 24th) ∗∗∗ --------------------------------------------- Twilio is a popular service used to send/receive SMS messages and phone calls. --------------------------------------------- https://isc.sans.edu/diary/rss/27782 ∗∗∗ Power-Apps-Portale von Microsoft: 38 Millionen Datensätze lagen offen ∗∗∗ --------------------------------------------- Sicherheitsforscher haben in Power-Apps-Portalen 38 Millionen Datensätze mit teils sensiblen Daten entdeckt – laut Microsoft aufgrund von Konfigurationsfehlern. --------------------------------------------- https://heise.de/-6173306 ∗∗∗ Vorsicht vor EU Compensation E-Mail! ∗∗∗ --------------------------------------------- Aktuell werden betrügerische E-Mails von „EU Compensation“ versendet. Eine ominöse europäische Behörde behauptet, Betrugsopfer mit einer hohen Geldsumme zu entschädigen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-eu-compensation-e-mail/ ∗∗∗ Ransomware Groups to Watch: Emerging Threats ∗∗∗ --------------------------------------------- Emerging ransomware groups to watch, according to Unit 42 researchers: AvosLocker, Hive Ransomware, HelloKitty and LockBit 2.0. --------------------------------------------- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ ∗∗∗ FBI sends its first-ever alert about a ‘ransomware affiliate’ ∗∗∗ --------------------------------------------- The US Federal Bureau of Investigations has published today its first-ever public advisory detailing the modus operandi of a "ransomware affiliate." --------------------------------------------- https://therecord.media/fbi-sends-its-first-ever-alert-about-a-ransomware-a… ===================== = Vulnerabilities = ===================== ∗∗∗ New zero-click iPhone exploit used to deploy NSO spyware ∗∗∗ --------------------------------------------- Digital threat researchers at Citizen Lab have uncovered a new zero-click iMessage exploit used to deploy NSO Groups Pegasus spyware on devices belonging to Bahraini activists. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/new-zero-click-iphone-exploit-u… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ledgersmb, tnef, and tor), Fedora (nodejs-underscore and tor), openSUSE (aws-cli, python-boto3, python-botocore,, fetchmail, firefox, and isync), SUSE (aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 and python-PyYAML), and Ubuntu (linux-aws-5.8, linux-azure-5.8, linux-gcp-5.8, linux-oracle-5.8). --------------------------------------------- https://lwn.net/Articles/867247/ ∗∗∗ [20210801] - Core - Insufficient access control for com_media deletion endpoint ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/861-20210801-core-insufficient… ∗∗∗ Security Bulletin: CVE-2020-2773 (deferred from Oracle Apr 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2773-deferred-fr… ∗∗∗ Security Bulletin: Apache CXF (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-publicly-discl… ∗∗∗ Security Bulletin: XStream (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xstream-publicly-disclose… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Update Secure Gateway Client in IBM DataPower Gateway to address several CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-update-secure-gateway-cli… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Resilient Disaster Recovery (DR) system allows connections over TLS 1.0 (CVE-2021-29704) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-disaster-re… ∗∗∗ Security Bulletin: CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14781-deferred-f… ∗∗∗ OpenSSL: SM2 Decryption Buffer Overflow (CVE-2021-3711) ∗∗∗ --------------------------------------------- https://openssl.org/news/secadv/20210824.txt ∗∗∗ Overview of F5 vulnerabilities (August 2021) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50974556 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2021
by Daily end-of-shift report 23 Aug '21

23 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-08-2021 18:00 − Montag 23-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ProxyShell: Massive Angriffswelle auf ungepatchte Exchange-Server ∗∗∗ --------------------------------------------- Die Lücken sind bekannt, Patches da - trotzdem sind tausende Exchange-Server angreifbar. Nun rollt eine massive Angriffswelle, die die Schwachstellen ausnutzt. --------------------------------------------- https://heise.de/-6171597 ∗∗∗ SynAck ransomware decryptor lets victims recover files for free ∗∗∗ --------------------------------------------- Emsisoft has released a decryptor for the SynAck Ransomware, allowing victims to decrypt their encrypted files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/synack-ransomware-decryptor-… ∗∗∗ Kubernetes hardening: Drilling down on the NSA/CISA guidance ∗∗∗ --------------------------------------------- Kubernetes has become the de facto choice for container orchestration. Some studies report that up to 88% of organizations are using Kubernetes for their container orchestration needs and 74% of that occurring in production environments. That said, security remains a critical concern with as many as 94% of organizations reporting at least one security incident in their Kubernetes environments in the last 12 months. --------------------------------------------- https://www.csoonline.com/article/3629049/kubernetes-hardening-drilling-dow… ∗∗∗ Gaming-related cyberthreats in 2020 and 2021 ∗∗∗ --------------------------------------------- In this report, you will find statistics and other information about gaming-related malware, phishing schemes and other threats in 2020 and the first half of 2021. --------------------------------------------- https://securelist.com/game-related-cyberthreats/103675/ ∗∗∗ Web Censorship Systems Can Facilitate Massive DDoS Attacks ∗∗∗ --------------------------------------------- Systems are ripe for abuse by attackers who can abuse systems to launch DDoS attacks. --------------------------------------------- https://threatpost.com/censorship-systems-ddos-attacks/168853/ ∗∗∗ Out of Band Phishing. Using SMS messages to Evade Network Detection, (Thu, Aug 19th) ∗∗∗ --------------------------------------------- Many companies have extensive security tools to monitor employee computers. But these precautions often fail for "out of band" access that uses cellular networks instead of Ethernet/WiFi networks. Our reader Isabella sent us this phishing email that they received: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27768 ∗∗∗ Researchers Detail Modus Operandi of ShinyHunters Cyber Crime Group ∗∗∗ --------------------------------------------- ShinyHunters, a notorious cybercriminal underground group thats been on a data breach spree since last year, has been observed searching companies GitHub repository source code for vulnerabilities that can be abused to stage larger scale attacks, an analysis of the hackers modus operandi has revealed. --------------------------------------------- https://thehackernews.com/2021/08/researchers-detail-modus-operandi-of.html ∗∗∗ Details Disclosed for Critical Vulnerability in Sophos Appliances ∗∗∗ --------------------------------------------- Organizations using security appliances from Sophos have been advised to make sure their devices are up to date after a researcher disclosed the details of a critical vulnerability patched last year. --------------------------------------------- https://www.securityweek.com/details-disclosed-critical-vulnerability-sopho… ∗∗∗ LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers ∗∗∗ --------------------------------------------- Previously unseen ransomware hit at least 10 organizations in ongoing campaign. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ===================== = Vulnerabilities = ===================== ∗∗∗ Das Anstecken einer Razer-Maus macht Angreifer zu Windows-10-Admins ∗∗∗ --------------------------------------------- Eine Schwachstelle in der Konfigurationssoftware Synapse von Razer gefährdet Windows-PCs. Ein Sicherheitspatch steht noch aus. --------------------------------------------- https://heise.de/-6171968 ∗∗∗ Attackers Actively Exploiting Realtek SDK Flaws ∗∗∗ --------------------------------------------- Multiple vulnerabilities in software used by 65 vendors under active attack. --------------------------------------------- https://threatpost.com/attackers-exploiting-realtek/168856/ ∗∗∗ Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems ∗∗∗ --------------------------------------------- Close to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the deployment of malicious web shells, coin miners, ransomware, and other trojans. Thats according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm Trend Micro, detailing the top [...] --------------------------------------------- https://thehackernews.com/2021/08/top-15-vulnerabilities-attackers.html ∗∗∗ Micropatching MSHTML Remote Code Execution Issue (CVE-2021-33742) ∗∗∗ --------------------------------------------- June 2021 Windows Updates brought a fix for CVE-2021-33742, a remote code execution in the MSHTML component, exploitable via Microsoft browsers and potentially other applications using this component, e.g. via a malicious Microsoft Word document. Discovery of this issue was attributed to Clément Lecigne of Google’s Threat Analysis Group, while Googles security researcher Maddie Stone wrote a detailed analysis. --------------------------------------------- https://blog.0patch.com/2021/08/micropatching-mshtml-remote-code.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, ircii, and scrollz), Fedora (kernel, krb5, libX11, and rust-actix-http), Mageia (kernel and kernel-linus), openSUSE (aspell, chromium, dbus-1, isync, java-1_8_0-openjdk, krb5, libass, libhts, libvirt, prosody, systemd, and tor), SUSE (cpio, dbus-1, libvirt, php7, qemu, and systemd), and Ubuntu (inetutils). --------------------------------------------- https://lwn.net/Articles/867149/ ∗∗∗ Planned Vembu Full Disclosure ∗∗∗ --------------------------------------------- If you are using Vembu BDR version 3.7.0, 3.9.1 Update 1, 4.2.0 or 4.2.0.1 and have your instances exposed to public internet, you are strongly advices to upgrade to Vembu BDR v4.2.0.2. On the 25th of August we plan to release the full details of the following CVEs: CVE-2021-26471, CVE-2021-26472, and CVE-2021-26473 All of these vulnerabilities are unauthenticated remote code execution vulnerabilities. --------------------------------------------- https://csirt.divd.nl/2021/08/20/Planned-Vembu-Full-Disclosure/ ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ F-Secure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0898 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.08.2021
by Daily end-of-shift report 20 Aug '21

20 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-08-2021 18:00 − Freitag 20-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Securing Machine (Non-Human) Identities ∗∗∗ --------------------------------------------- We spend considerable time and focus on securing identities used by individuals and groups within our environment. While these are essential activities, we sometimes lose sight of a whole other set of identities, often highly privileged, that are just beneath the surface. --------------------------------------------- https://www.beyondtrust.com/blog/entry/securing-machine-non-human-identities ∗∗∗ You can post LinkedIn jobs as almost ANY employer — so can attackers ∗∗∗ --------------------------------------------- Anyone can create a job listing on the leading recruitment platform LinkedIn on behalf of any employer—no verification needed. And worse, the employer cannot easily take these down. --------------------------------------------- https://www.bleepingcomputer.com/news/security/you-can-post-linkedin-jobs-a… ∗∗∗ Pegasus iPhone hacks used as lure in extortion scheme ∗∗∗ --------------------------------------------- A new extortion scam is underway that attempts to capitalize on the recent Pegasus iOS spyware attacks to scare people into paying a blackmail demand. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pegasus-iphone-hacks-used-as… ∗∗∗ Waiting for the C2 to Show Up, (Fri, Aug 20th) ∗∗∗ --------------------------------------------- Keep this in mind: "Patience is key". Sometimes when you are working on a malware sample, you depend on online resources. I'm working on a classic case: a Powershell script decodes then injects a shellcode into a process. --------------------------------------------- https://isc.sans.edu/diary/rss/27772 ∗∗∗ Project Zero: Understanding Network Access in Windows AppContainers ∗∗∗ --------------------------------------------- Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise. --------------------------------------------- https://googleprojectzero.blogspot.com/2021/08/understanding-network-access… ∗∗∗ Gefährliche Liebschaften – Love Scammer brechen nicht nur Herzen ∗∗∗ --------------------------------------------- Mit diesen Maschen versuchen Online-Betrüger Geld aus der Partnersuche auf Dating-Plattformen herauszuschlagen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/08/19/gefaehrliche-liebschaften… ∗∗∗ How to install Frida into an Android application ∗∗∗ --------------------------------------------- On a recent job I was testing a rather interesting piece of technology that had several server side checks but they wanted to add some additional security on the client side. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-install-frida-into-an-… ∗∗∗ Unternehmen aufgepasst: Ignorieren Sie Fax von Branchen-Stadtplan! ∗∗∗ --------------------------------------------- UnternehmerInnen erhalten derzeit ein Fax von „Branchen-Stadtplan. Handel – Gewerbe – Industrie – Vereine & Co.“. Die Unternehmen werden aufgefordert ihre Firmendaten zu überprüfen oder zu ergänzen und das Fax unterschrieben zurückzusenden. --------------------------------------------- https://www.watchlist-internet.at/news/unternehmen-aufgepasst-ignorieren-si… ∗∗∗ RansomClave project uses Intel SGX enclaves for ransomware attacks ∗∗∗ --------------------------------------------- Academics have developed a proof-of-concept ransomware strain that uses highly secure Intel SGX enclaves to hide and keep encryption keys safe from the prying eyes of security tools. --------------------------------------------- https://therecord.media/ransomclave-project-uses-intel-sgx-enclaves-for-ran… ∗∗∗ Cloudflare says it mitigated a record-breaking 17.2M rps DDoS attack ∗∗∗ --------------------------------------------- Internet infrastructure company Cloudflare disclosed today that it mitigated the largest volumetric distributed denial of service (DDoS) attack that was recorded to date. --------------------------------------------- https://therecord.media/cloudflare-says-it-mitigated-a-record-breaking-17-2… ∗∗∗ Mozi botnet gains the ability to tamper with its victims’ traffic ∗∗∗ --------------------------------------------- A new version of Mozi, a botnet that targets routers and IoT devices, is now capable of tampering with the web traffic of infected systems via techniques such as DNS spoofing and HTTP session hijacking, a capability that could be abused to redirect users to malicious sites. --------------------------------------------- https://therecord.media/mozi-botnet-gains-the-ability-to-tamper-with-its-vi… ===================== = Vulnerabilities = ===================== ∗∗∗ New unofficial Windows patch fixes more PetitPotam attack vectors ∗∗∗ --------------------------------------------- A second unofficial patch for the Windows PetitPotam NTLM relay attack has been released to fix further issues not addressed by Microsofts official security update. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-unofficial-windows-patch… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libtpms and mingw-exiv2), openSUSE (389-ds, aspell, c-ares, fetchmail, firefox, go1.15, go1.16, haproxy, java-1_8_0-openjdk, krb5, libass, libmspack, libsndfile, openexr, php7, qemu, and tor), Oracle (compat-exiv2-023 and compat-exiv2-026), and SUSE (389-ds, aspell, djvulibre, fetchmail, firefox, go1.15, go1.16, java-1_8_0-openjdk, krb5, libass, libmspack, nodejs8, openexr, postgresql10, qemu, and spice-vdagent). --------------------------------------------- https://lwn.net/Articles/866906/ ∗∗∗ AVEVA SuiteLink Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for Heap-based Buffer Overflow, Null Pointer Dereference, and Improper Handling of Exceptional Conditions vulnerabilities in AVEVA SuiteLink Server system management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-231-01 ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, v12 (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Synology-SA-21:23 ISC BIND ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_23 ∗∗∗ MISP: Schwachstelle ermöglicht SQL-Injection ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0894 ∗∗∗ Mehrere Schwachstellen in NetModule Router Software (NRSW) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2021
by Daily end-of-shift report 19 Aug '21

19 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-08-2021 18:00 − Donnerstag 19-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cisco meldet gefährliche Remote-Angriffsmöglichkeiten auf Small Business-Router ∗∗∗ --------------------------------------------- Ein aktuelles Advisory von Cisco beschreibt eine kritische Sicherheitslücke, die mehrere Small Business-Router betrifft. Updates wird es nicht geben. --------------------------------------------- https://heise.de/-6169343 ∗∗∗ Ransomware-Attacken nehmen dramatisch zu ∗∗∗ --------------------------------------------- Mehr Ransomware-Angriffe, höhere Lösegeldforderungen und eine effizientere Verteilung - die Entwicklung der Datenerpressungsbranche ist besorgniserregend. --------------------------------------------- https://heise.de/-6169583 ∗∗∗ A Short History of Essay Spam (How We Got from Pills to Plagiarism) ∗∗∗ --------------------------------------------- >From answering beginner questions like 'What is SEO spam?' to breaking down the spammers' code and exactly how they hide their injections in compromised websites, we have written regularly about spam at Sucuri. If you’ve ever operated a WordPress website you will have certainly seen, at the very least, a litany of spam comments posted on your comments section. --------------------------------------------- https://blog.sucuri.net/2021/08/a-short-history-of-essay-spam-how-we-got-fr… ∗∗∗ Oh, Behave! Figuring Out User Behavior ∗∗∗ --------------------------------------------- I decided to embark on a journey to understand user behavior without knowing exactly how I would gather details about user activity as a research topic. A major component of this research is finding a way to gather data on user behavior without making too much noise or triggering detections in a live environment. --------------------------------------------- https://www.trustedsec.com/blog/oh-behave-figuring-out-user-behavior/ ∗∗∗ How to spot a DocuSign phish and what to do about it ∗∗∗ --------------------------------------------- Phishing scammers love well known brand names, particularly if youre expecting to hear from them. --------------------------------------------- https://blog.malwarebytes.com/social-engineering/2021/08/how-to-spot-a-docu… ∗∗∗ Health authorities in 40 countries targeted by COVID‑19 vaccine scammers ∗∗∗ --------------------------------------------- Fraudsters impersonate vaccine manufacturers and authorities overseeing vaccine distribution efforts, INTERPOL warns --------------------------------------------- https://www.welivesecurity.com/2021/08/18/health-authorities-40-countries-t… ∗∗∗ CISA Provides Recommendations for Protecting Information from Ransomware-Caused Data Breaches ∗∗∗ --------------------------------------------- CISA has released the fact sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches to address the increase in malicious cyber actors using ransomware to exfiltrate data and then threatening to sell or leak the exfiltrated data if the victim does not pay the ransom. These data breaches, often involving sensitive or personal information, can cause financial loss to the victim organization and erode customer trust. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/18/cisa-provides-rec… ∗∗∗ Cisco: Security devices are vulnerable to SNIcat data exfiltration technique ∗∗∗ --------------------------------------------- Networking equipment vendor Cisco said today that some of its security products fail to detect and stop traffic to malicious servers that abuse a technique called SNIcat to covertly steal data from inside corporate networks. --------------------------------------------- https://therecord.media/cisco-security-devices-are-vulnerable-to-snicat-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2021-08-18 ∗∗∗ --------------------------------------------- 2 critical, 5 medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ SSA-816035: Code Execution Vulnerability in SINEMA Remote Connect Client ∗∗∗ --------------------------------------------- The latest update for SINEMA Remote Connect Client fixes a vulnerability that could allow a local attacker to escalate privileges or even allow remote code execution under certain circumstances. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-816035.txt ∗∗∗ VMSA-2021-0017 ∗∗∗ --------------------------------------------- VMware Workspace ONE UEM console patches address a denial of service vulnerability (CVE-2021-22029) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (exiv2, firefox, and thunderbird), Fedora (libsndfile, python-docx, and xscreensaver), openSUSE (haproxy), and SUSE (haproxy). --------------------------------------------- https://lwn.net/Articles/866753/ ∗∗∗ Positive Technologies helps to fix dangerous vulnerability in CODESYS ICS software ∗∗∗ --------------------------------------------- [...] This high-severity vulnerability (CVE-2021-36764) was discovered in the CODESYS V3 Runtime System software package (version 3.15.9.10). By exploiting it, an attacker can disable the PLC and disrupt the technological process. The vulnerability (NULL Pointer Dereference) was found in the CmpGateway component. An attacker with network access to the industrial controller can send a specially formed TCP packet and interrupt the operation of the PLC. Also, it has been found that this software contains another vulnerability (Local Privilege Escalation), which is currently being reviewed by the vendor. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/positive-technologies-helps-to-… ∗∗∗ Red Hat JBoss Enterprise Application Platform: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0892 ∗∗∗ Internet Systems Consortium BIND: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0890 ∗∗∗ Kritische Schwachstellen in Altus Sistemas de Automacao Produkten ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/kritische-schwachstel… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2021 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Apache HttpClient ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Linux kernel eBPF vulnerability CVE-2021-3490 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43346111 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2021
by Daily end-of-shift report 18 Aug '21

18 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-08-2021 18:00 − Mittwoch 18-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kritische Lücke in Blackberry QNX OS gefährdet medizinische Geräte ∗∗∗ --------------------------------------------- Blackberry hat in seinem Echtzeitbetriebssystem QNX einer gefährliche Schwachstelle geschlossen. --------------------------------------------- https://heise.de/-6168793 ∗∗∗ Kritische Sicherheitslücke: Angreifer könnten Millionen IoT-Geräte belauschen ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor einer Schwachstelle, die etwa Millionen Babyphones und IP-Kameras gefährdet. Geräte lassen sich nicht ohne Weiteres schützen. --------------------------------------------- https://heise.de/-6168381 ∗∗∗ Fortinet: Wichtiges Sicherheitsupdate für FortiWeb OS in Vorbereitung ∗∗∗ --------------------------------------------- Für eine Lücke mit High-Einstufung liegt Exploit-Code vor, Fixes kommen aber erst Ende August. Betreiber von FortiWeb WAFs sollten Vorsichtsmaßnahmen treffen. --------------------------------------------- https://heise.de/-6168205 ∗∗∗ Vorsicht! Kostenloses Antivirenprogramm „Total AV“ entpuppt sich als Kostenfalle ∗∗∗ --------------------------------------------- Immer wieder melden uns verunsicherte LeserInnen das Antivirenprogramm „Total AV“. Der Grund dafür sind nicht-transparente Kosten sowie Probleme beim Kündigen des Abo-Vertrags. Gleichzeitig wird „Total AV“ auf vielen Seiten als das beste kostenlose Antivirenprogramm beworben. Wir haben uns das Programm genauer angesehen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-kostenloses-antivirenprogra… ∗∗∗ Sicherheitswarnung für Synology DiskStation Manager und UC SkyNAS ∗∗∗ --------------------------------------------- Der Hersteller Synology hat eine Sicherheitswarnung für seinen DiskStation Manager (Version <6.2.4-25556-2 ; 7.0) herausgegeben. In der Firmware der Geräte gibt es gleich mehrere Sicherheitslücken. Gefährdet sind auch UC SkyNAS-Einheiten. Von Synology gibt es bereits erste Firmware-Updates. Von der Ransomware eCh0raix gibt es eine neue Variante, die einen neuen Bug in QNAP und Synology NAS Devices ausnutzen kann. --------------------------------------------- https://www.borncity.com/blog/2021/08/18/sicherheitswarnung-fr-synology-dis… ∗∗∗ Diavol ransomware sample shows stronger connection to TrickBot gang ∗∗∗ --------------------------------------------- A new analysis of a Diavol ransomware sample shows a more clear connection with the gang behind the TrickBot botnet and the evolution of the malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-sho… ∗∗∗ Kerberos Authentication Spoofing: Don’t Bypass the Spec ∗∗∗ --------------------------------------------- Yaron Kassner, CTO at Silverfort, discusses authentication-bypass bugs in Cisco ASA, F5 Big-IP, IBM QRadar and Palo Alto Networks PAN-OS. --------------------------------------------- https://threatpost.com/kerberos-authentication-spoofing/168767/ ∗∗∗ 5 Things to Consider Before Moving Back to the Office, (Wed, Aug 18th) ∗∗∗ --------------------------------------------- Many readers will likely continue to enjoy working from home. Having not worked out of an office for about 20 years myself, I can certainly understand the appeal of working from home. But for some, this isn't an option and probably not even the preferred way to work. Having likely worked from home for over a year now, there are some things that you need to "readjust" as you are moving back. --------------------------------------------- https://isc.sans.edu/diary/rss/27762 ∗∗∗ Detecting Embedded Content in OOXML Documents ∗∗∗ --------------------------------------------- On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents - specifically those in the Office Open XML (OOXML) file format. Additionally, we’re releasing a tool so analysts and defenders can automatically generate YARA rules using this technique. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2021/08/detecting-embedded-con… ∗∗∗ WordPress Malware Camouflaged As Code ∗∗∗ --------------------------------------------- In today’s post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker’s goal is to make everything look routine to an analyst so that they do not dig deeper and discover the presence of malware and what it is doing. --------------------------------------------- https://www.wordfence.com/blog/2021/08/wordpress-malware-camouflaged-as-cod… ∗∗∗ IT Risk Team Discovers Previously Unknown Vulnerability in Autodesk Software During Client Penetration Test ∗∗∗ --------------------------------------------- During a recent client engagement, the DGC penetration testing team identified a previously unknown vulnerability affecting the Autodesk Licensing Service, a software component bundled with nearly all licensed Autodesk products. The vulnerability exists in a software component common to most Autodesk products and impacts nearly all organizations using licensed Autodesk software in any capacity. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/risk-te… ∗∗∗ Houdini Malware Returns and Amazons Sidewalk Enter Corporate Networks ∗∗∗ --------------------------------------------- The nature of a secure access service edge (SASE) platform provides visibility into a large number of internet data flows - and the larger the platform, the more dataflows can be analyzed. An analysis of more than 250 billion network flows during Q2 2021 shows increasing threats, a new use of an old malware, and the growing incidence of consumer devices in the workplace. --------------------------------------------- https://www.securityweek.com/houdini-malware-returns-and-amazons-sidewalk-e… ∗∗∗ Breaking the Android Bootloader on the Qualcomm Snapdragon 660 ∗∗∗ --------------------------------------------- This post is a companion to the DEF CON 29 video available here. A few months ago I purchased an Android phone to do some research around a specific series [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/breaking-the-android-bootload… ∗∗∗ Dumpster diving is a filthy business ∗∗∗ --------------------------------------------- One man's trash is another man's treasure - here's why you should think twice about what you toss in the recycling bin --------------------------------------------- https://www.welivesecurity.com/2021/08/17/dumpster-diving-is-filthy-busines… ∗∗∗ Cobalt Strike: Detect this Persistent Threat ∗∗∗ --------------------------------------------- Cobalt Strike is a penetration testing tool created by Raphael Mudge in 2012. To this day, it remains extremely popular in red team activities and used for malicious purposes by threat actors. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-per… ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe sichert Photoshop & Co. außer der Reihe ab ∗∗∗ --------------------------------------------- Der Softwarehersteller Adobe schließt unter anderem in Bridge, Media Encoder und XMP Toolkit SDK Sicherheitslücken. --------------------------------------------- https://heise.de/-6168132 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy), Fedora (c-ares, hivex, kernel, libtpms, newsflash, python-django, rust-gettext-rs, and rust-gettext-sys), openSUSE (c-ares and libsndfile), Scientific Linux (cloud-init, edk2, exiv2, firefox, kernel, kpatch-patch, microcode_ctl, sssd, and thunderbird), SUSE (c-ares, fetchmail, haproxy, kernel, libmspack, libsndfile, rubygem-puma, spice-vdagent, and webkit2gtk3), and Ubuntu (exiv2, haproxy, linux, linux-aws, linux-aws-5.4, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/866669/ ∗∗∗ ThroughTek Kalay P2P SDK ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Access Control vulnerability in the ThroughTek Kalay P2P SDK software kit. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01 ∗∗∗ Advantech WebAccess/NMS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Authentication vulnerability in Advantech WebAccess/NMS network management systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02 ∗∗∗ xArrow SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cross-site Scripting, and Improper Input Validation vulnerability in the xArrow SCADA human-machine interface. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-03 ∗∗∗ Huawei EchoLife HG8045Q vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN41646618/ ∗∗∗ Firefox & Thunderbird: Security-Fixes für Browser und Mail-Client verfügbar ∗∗∗ --------------------------------------------- https://heise.de/-6168771 ∗∗∗ glibc vulnerability CVE-2021-35942 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K98121587 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0880 ∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0885 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2021
by Daily end-of-shift report 17 Aug '21

17 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 16-08-2021 18:00 − Dienstag 17-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Malware dev infects own PC and data ends up on intel platform ∗∗∗ --------------------------------------------- A malware developer unleashed their creation on their system to try out new features and the data ended up on a cybercrime intelligence platform, exposing a glimpse of the cybercriminal endeavor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-dev-infects-own-pc-a… ∗∗∗ Copyright scammers turn to phone numbers instead of web links ∗∗∗ --------------------------------------------- Forewarned is forearmed. Here's our advice on dealing with "copyright infringement" scammers. --------------------------------------------- https://nakedsecurity.sophos.com/2021/08/16/copyright-scammers-turn-to-phon… ∗∗∗ Laravel (<=v8.4.2) exploit attempts for CVE-2021-3129 (debug mode: Remote code execution), (Tue, Aug 17th) ∗∗∗ --------------------------------------------- The vulnerability and this PoC exploit are well documented as CVE-2021-3129. The vulnerability takes advantage of the Ignition "Solutions." Solutions enable the developer to inject code snippets to aid in debugging. --------------------------------------------- https://isc.sans.edu/diary/rss/27758 ∗∗∗ Vorsicht vor Fake-Zahlungsbestätigungen von Kriminellen auf bazar.at ∗∗∗ --------------------------------------------- Wer auf bazar.at Waren zum Verkauf anbietet, muss sich momentan vor kriminellen InteressentInnen in Acht nehmen! Diese fragen nach der Verfügbarkeit und behaupten, die Zahlung über bazar.at abzuwickeln. Achtung: bazar.at bietet keine solche Zahlungsart und die Bestätigungsseiten sind gefälscht! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-zahlungsbestaetigu… ∗∗∗ Thoughts on Detection ∗∗∗ --------------------------------------------- After helping with many clients with numerous detection rules, I observed one consistent theme that kept popping up, many of the rules were written in a way that seemed to be missing a large portion of the potential detection opportunities. --------------------------------------------- https://posts.specterops.io/thoughts-on-detection-3c5cab66f511 ∗∗∗ 1Password Secret Retrieval — Methodology and Implementation ∗∗∗ --------------------------------------------- 1Password is a password manager developed by AgileBits Inc., providing a place for users to store various passwords, software licenses, and other sensitive information in a virtual vaults secured with a PBKDF2 master password. --------------------------------------------- https://posts.specterops.io/1password-secret-retrieval-methodology-and-impl… ∗∗∗ Personal VPN and Its Evasions: Risk Factors and How to Maintain Network Visibility ∗∗∗ --------------------------------------------- Personal VPN usage on organizations’ networks can obscure network visibility and open the door to cybercrime such as data exfiltration. --------------------------------------------- https://unit42.paloaltonetworks.com/person-vpn-network-visibility/ ∗∗∗ ProxyShell in Österreich ∗∗∗ --------------------------------------------- In seinem Talk auf der BlackHat US 2021 stellte Sicherheitsforscher Orange Tsai eine weitere Kombination von Lücken vor, die es AngreiferInnen ermöglicht, beliebige Befehle als NT Authority\System über das Netzwerk auszuführen, ohne sich authentifizieren zu müssen. --------------------------------------------- https://cert.at/de/aktuelles/2021/8/proxyshell-in-osterreich ∗∗∗ New HolesWarm botnet targets Windows and Linux servers ∗∗∗ --------------------------------------------- A new botnet named HolesWarm has been slowly growing in the shadows since June this year, exploiting more than 20 known vulnerabilities to break into Windows and Linux servers and then deploy cryptocurrency-mining malware. --------------------------------------------- https://therecord.media/new-holeswarm-botnet-targets-windows-and-linux-serv… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet patches bug letting attackers takeover servers remotely ∗∗∗ --------------------------------------------- Fortinet has released security updates to address a command injection vulnerability that can let attackers take complete control of servers running vulnerable FortiWeb web application firewall (WAF) installations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-patches-bug-letting… ∗∗∗ Security: Glibc-Bugfix machte Lücke einfacher ausnutzbar ∗∗∗ --------------------------------------------- Das Beheben von Sicherheitslücken ist nicht immer so einfach, wie es anfangs scheint, was nun auch das Team der Glibc erfahren musste. --------------------------------------------- https://www.golem.de/news/security-glibc-bugfix-machte-luecke-einfacher-aus… ∗∗∗ ZDI-21-971: (Pwn2Own) Zoom Heap based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zoom Clients. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-971/ ∗∗∗ Sicherheitsupdate für Google Chrome beseitigt Angriffsmöglichkeiten ∗∗∗ --------------------------------------------- Für die Desktop-Fassungen des Chrome-Browsers (Win, macOS & Linux) ist eine Aktualisierung verfügbar, die mehrere Schwachstellen beseitigt. --------------------------------------------- https://heise.de/-6167542 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox), openSUSE (cpio and rpm), Oracle (compat-exiv2-026, exiv2, firefox, kernel, kernel-container, qemu, sssd, and thunderbird), Red Hat (cloud-init, edk2, kernel, kpatch-patch, microcode_ctl, and sssd), and SUSE (cpio, firefox, and libcares2). --------------------------------------------- https://lwn.net/Articles/866567/ ∗∗∗ Millions of IoT Devices Exposed to Attacks Due to Cloud Platform Vulnerability ∗∗∗ --------------------------------------------- Researchers at FireEye’s threat intelligence and incident response unit Mandiant have identified a critical vulnerability that exposes millions of IoT devices to remote attacks. --------------------------------------------- https://www.securityweek.com/millions-iot-devices-exposed-attacks-due-cloud… ∗∗∗ iCloud for Windows 12.5 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212607 ∗∗∗ Security Bulletin: Vulnerabilities in Node.js in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities (CVE-2020-1971, CVE-2020-15999, CVE-2017-12652) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM DataPower Gateway potentially vulnerable to CSRF attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-pot… ∗∗∗ Security Bulletin: IBM API Connect on cloud is impacted by HTTP header injection vulnerability (CVE-2020-4706) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-on-cloud-… ∗∗∗ Security Bulletin: Prototype pollution flaw in y18n in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-prototype-pollution-flaw-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by a vulnerability in Golang (CVE-2021-27919) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Multiple vulnerabilities in AngularJS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Potential DoS in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-dos-in-ibm-data… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to a DoS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Synology-SA-21:22 DSM ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_21_22 ∗∗∗ Apache HTTP Server: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0878 ∗∗∗ Integer Overflow to RCE — ManageEngine Asset Explorer Agent (CVE-2021–20082) ∗∗∗ --------------------------------------------- https://medium.com/tenable-techblog/integer-overflow-to-rce-manageengine-as… ∗∗∗ Stored XSS to RCE Chain as SYSTEM in ManageEngine ServiceDesk Plus ∗∗∗ --------------------------------------------- https://medium.com/tenable-techblog/stored-xss-to-rce-chain-as-system-in-ma… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2021
by Daily end-of-shift report 16 Aug '21

16 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-08-2021 18:00 − Montag 16-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Keine Panik nach Ransomware-Angriff ∗∗∗ --------------------------------------------- Sieben Maßnahmen, die Opfer während oder nach einem erfolgreichen Ransomware-Angriff ergreifen sollten, schildert Daniel Clayton, Vice President of Global Services and Support bei Bitdefender, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88396234/keine-panik-nach-ransomware-angriff/ ∗∗∗ USA: 100 Millionen T-Mobile-Kunden von Datenleck betroffen ∗∗∗ --------------------------------------------- Kriminelle haben Server von T-Mobile gehackt und umfangreiche Kundendaten kopiert. Diese bieten sie nun zum Verkauf an. --------------------------------------------- https://www.golem.de/news/usa-100-millionen-t-mobile-kunden-von-datenleck-b… ∗∗∗ Microsoft Teams korrekt absichern – Teil 2 ∗∗∗ --------------------------------------------- Wie die Absicherung der beliebten Kollaborations-Software am besten gelingt, schildert Bert Skorupski, Senior Manager Sales Engineering bei Quest Software, im zweiten Teil seines Gastbeitrages. --------------------------------------------- https://www.zdnet.de/88396232/microsoft-teams-korrekt-absichern-teil-2/ ∗∗∗ Firewalls and middleboxes can be weaponized for gigantic DDoS attacks ∗∗∗ --------------------------------------------- In an award-winning paper today, academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks against any target on the internet. --------------------------------------------- https://therecord.media/firewalls-and-middleboxes-can-be-weaponized-for-gig… ∗∗∗ The sextortion Scams: The Numbers Show That What We Have Is A Failure Of Education ∗∗∗ --------------------------------------------- Subject: Your account was under attack! Change your credentials! [...] Did you receive a message phrased more or less like that, which then went on to say that they have a video of you performing an embarrasing activity while visiting an "adult" site, which they will send to all your contacts unless you buy Bitcoin and send to a specific ID? The good news is that the video does not exist. I know this, because neither does our friend Adnan here. --------------------------------------------- https://bsdly.blogspot.com/2020/02/the-sextortion-scams-numbers-show-that.h… ∗∗∗ Windows 365 exposes Microsoft Azure credentials in plaintext ∗∗∗ --------------------------------------------- A security researcher has figured out a way to dump a users unencrypted plaintext Microsoft Azure credentials from Microsofts new Windows 365 Cloud PC service using Mimikatz. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-365-exposes-microso… ∗∗∗ Colonial Pipeline reports data breach after May ransomware attack ∗∗∗ --------------------------------------------- Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to individuals affected by the data breach resulting from the DarkSide ransomware attack that hit its network in May. --------------------------------------------- https://www.bleepingcomputer.com/news/security/colonial-pipeline-reports-da… ∗∗∗ Simple Tips For Triage Of MALWARE Bazaars Daily Malware Batches, (Sun, Aug 15th) ∗∗∗ --------------------------------------------- I was asked for tips to triage MALWARE Bazaar's daily malware batches. On Linux / macOS, you can unzip a malware batch and triage it with the file command. There is no file command on Windows, but there are Windows versions you can install, and you can also use my file-magic tool (it's a Python tool that uses Python module python-magic-bin). --------------------------------------------- https://isc.sans.edu/diary/rss/27750 ∗∗∗ Discovering CAPTCHA Protected Phishing Campaigns ∗∗∗ --------------------------------------------- CAPTCHA-protected phishing campaigns are becoming more popular. We share techniques to detect malicious content despite these evasions. --------------------------------------------- https://unit42.paloaltonetworks.com/captcha-protected-phishing/ ∗∗∗ Trickbot Deploys a Fake 1Password Installer ∗∗∗ --------------------------------------------- Over the past years, Trickbot has established itself as modular and multifunctional malware. Initially focusing on bank credential theft, the Trickbot operators have extended its capabilities. --------------------------------------------- https://thedfirreport.com/2021/08/16/trickbot-deploys-a-fake-1password-inst… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisories for COMMAX Products ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5667.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5666.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5664.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5662.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5660.php --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ Advisory: Multiple Issues in Realtek SDK Affects Hundreds of Thousands of Devices Down the Supply Chain ∗∗∗ --------------------------------------------- At least 65 vendors affected by severe vulnerabilities that enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. --------------------------------------------- https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot… ∗∗∗ XSS Vulnerability Patched in SEOPress Affects 100,000 sites ∗∗∗ --------------------------------------------- On July 29, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in SEOPress, a WordPress plugin installed on over 100,000 sites. This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the [...] --------------------------------------------- https://www.wordfence.com/blog/2021/08/xss-vulnerability-patched-in-seopres… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (c-ares, firefox, fossil, gitlab, jupyterlab, loki, lynx, opera, prosody, and vivaldi), Debian (amd64-microcode, exiv2, ffmpeg, thunderbird, and trafficserver), Fedora (libsndfile, rust-argh, rust-argh_derive, rust-argh_shared, rust-askalono-cli, rust-asyncgit, rust-bugreport, rust-crosstermion, rust-diskonaut, rust-dua-cli, rust-fancy-regex, rust-fedora-update-feedback, rust-filetreelist, rust-git-version, rust-git-version-macro, rust-gitui, [...] --------------------------------------------- https://lwn.net/Articles/866473/ ∗∗∗ PEPPERL+FUCHS: WirelessHART-Gateway - Vulnerability may allow remote attackers to cause a Denial Of Service ∗∗∗ --------------------------------------------- PEPPERL+FUCHS: Critical vulnerabilities have been discovered in the product and in the utilized components jQuery by jQuery Team and TLS Version 1.0/1.1. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-027 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Transparent Cloud Tiering is affected by a vulnerability in Apache Commons IO ( CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-cloud-tie… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.08.2021
by Daily end-of-shift report 13 Aug '21

13 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-08-2021 18:00 − Freitag 13-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Angreifer kombinieren ProxyShell-Lücken und attackieren Microsoft Exchange ∗∗∗ --------------------------------------------- Nach gezielten Scans gibt es nun erste Attacken auf Exchange Server. In Deutschland gibt es tausende verwundbare Systeme. Patches sind verfügbar. --------------------------------------------- https://heise.de/-6164957 ∗∗∗ Unseriöse Shops kopieren Webseiten von beliebten Schuhmarken! ∗∗∗ --------------------------------------------- Wer Dr. Marten- oder Skecher-Schuhe in einem Online-Shop kaufen will, sollte sich vorher vergewissern, ob der Shop auch seriös ist. Denn derzeit werden der Watchlist Internet vermehrt Markenfälscher-Shops gemeldet, die unglaublich günstige Markenschuhe anbieten. Wenn das Impressum fehlt und die Schuhe zu unglaublichen Preisen angeboten werden, sollten Sie lieber Abstand von einem Einkauf nehmen. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-shops-kopieren-webseiten-… ∗∗∗ SynAck ransomware releases decryption keys after El_Cometa rebrand ∗∗∗ --------------------------------------------- The SynAck ransomware gang released the master decryption keys for their operation after rebranding as the new El_Cometa group. --------------------------------------------- https://www.bleepingcomputer.com/news/security/synack-ransomware-releases-d… ∗∗∗ WordPress Sites Abused in Aggah Spear-Phishing Campaign ∗∗∗ --------------------------------------------- The Pakistan-linked threat groups campaign uses compromised WordPress sites to deliver the Warzone RAT to manufacturing companies in Taiwan and South Korea. --------------------------------------------- https://threatpost.com/aggah-wordpress-spearphishing/168657/ ∗∗∗ Example of Danabot distributed through malspam, (Fri, Aug 13th) ∗∗∗ --------------------------------------------- Danabot is an information stealer known for targeting banking data on infected Windows hosts. According to Proofpoint, Danabot version 4 started appearing in the wild in October 2020. We recently discovered a Danabot sample during an infection kicked off by an email attachment sent on Thursday 2021-08-12. Today's diary reviews this Danabot infection. --------------------------------------------- https://isc.sans.edu/diary/rss/27744 ∗∗∗ Using AI to Scale Spear Phishing ∗∗∗ --------------------------------------------- The problem with spear phishing it that it takes time and creativity to create individualized enticing phishing emails. Researchers are using GPT-3 to attempt to solve that problem: The researchers used OpenAI's GPT-3 platform in conjunction with other AI-as-a-service products focused on personality analysis to generate phishing emails tailored to their colleagues' backgrounds and traits. --------------------------------------------- https://www.schneier.com/blog/archives/2021/08/using-ai-to-scale-spear-phis… ∗∗∗ Phishing campaign goes old school, dusts off Morse code ∗∗∗ --------------------------------------------- Sometimes new technology just doesnt get the job done. --------------------------------------------- https://blog.malwarebytes.com/reports/2021/08/phishing-campaign-goes-old-sc… ∗∗∗ Examining threats to device security in the hybrid workplace ∗∗∗ --------------------------------------------- As employees split their time between office and off-site work, there's a greater potential for company devices and data to fall into the wrong hands --------------------------------------------- https://www.welivesecurity.com/2021/08/12/examining-threats-device-security… ∗∗∗ Hackers tried to exploit two zero-days in Trend Micro's Apex One EDR platform ∗∗∗ --------------------------------------------- Cyber-security firm Trend Micro said hackers tried to exploit two zero-day vulnerabilities in its Apex One EDR platform in an attempt to go after its customers in attacks that took place earlier this year. --------------------------------------------- https://therecord.media/hackers-tried-to-exploit-two-zero-days-in-trend-mic… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005 ∗∗∗ --------------------------------------------- The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. --------------------------------------------- https://www.drupal.org/sa-core-2021-005 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (commons-io, curl, and firefox-esr), Fedora (perl-Encode), openSUSE (golang-github-prometheus-prometheus, grafana, and python-reportlab), Oracle (.NET Core 2.1, 389-ds:1.4, cloud-init, go-toolset:ol8, nodejs:12, nodejs:14, and rust-toolset:ol8), SUSE (aspell, firefox, kernel, and rpm), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial and postgresql-10, postgresql-12, postgresql-13). --------------------------------------------- https://lwn.net/Articles/866185/ ∗∗∗ Cognex In-Sight OPC Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Deserialization of Untrusted Data vulnerability in Cognex In-Sight OPC Server industrial software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-224-01 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- This advisory contains mitigations for Out-of-bounds Write, Access of Uninitialized Pointer, and Out-of-bounds Read vulnerabilities in Horner Automation Cscape control system application programming software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-224-02 ∗∗∗ Sensormatic Electronics C-CURE 9000 (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-182-02 Sensormatic Electronics C-CURE 9000 that was published July 1, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Improper Input Validation vulnerability in Sensormatic Electronics C-CURE 9000 industrial software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02 ∗∗∗ Security Bulletin: De-serialization Vulnerability Affects IBM Partner Engagement Manager (CVE-2021-29781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-de-serialization-vulnerab… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to possible information disclosure in a multi-domain deployment. (CVE-2021-29880) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in self-service console affects IBM Cloud Pak System (CVE-2021-20478) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-self-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.08.2021
by Daily end-of-shift report 12 Aug '21

12 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-08-2021 18:00 − Donnerstag 12-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ PrintNightmare: Schon wieder eine Drucker-Lücke in Windows ohne Patch ∗∗∗ --------------------------------------------- Microsoft kriegt seine Druckerverwaltung offensichtlich nicht in den Griff, Angreifer könnten sich erneut System-Rechte verschaffen. --------------------------------------------- https://heise.de/-6163743 ∗∗∗ Accenture Opfer der Lockbit Ransomware ∗∗∗ --------------------------------------------- Das IT-Beratungsunternehmen Accenture ist wohl Opfer eines Cyber-Angriffs mit der Lockbit-Ransomware geworden. Das Unternehmen hat den Angriff inzwischen eingestanden. Bei dem Ransomware-Befall scheinen auch Daten abgezogen worden zu sein. Hier einige Informationen, was inzwischen bekannt ist. --------------------------------------------- https://www.borncity.com/blog/2021/08/12/accenture-opfer-der-lockbit-ransom… ∗∗∗ QR Code Scammers Get Creative with Bitcoin ATMs ∗∗∗ --------------------------------------------- Threat actors are targeting everyone from job hunters to Bitcoin traders to college students wanting a break on their student loans, by exploiting the popular technologys trust relationship with users. --------------------------------------------- https://threatpost.com/qr-code-scammers-bitcoin-atms/168621/ ∗∗∗ 7 ways to harden your environment against compromise ∗∗∗ --------------------------------------------- Here at the global Microsoft Compromise Recovery Security Practice (CRSP), we work with customers who have experienced disruptive security incidents to restore trust in identity systems and remove adversary control. During 2020, the team responded to many incidents involving ransomware and the deployment of crypto-mining tools. --------------------------------------------- https://www.microsoft.com/security/blog/2021/08/11/7-ways-to-harden-your-en… ∗∗∗ Best Practices for Web Form Security ∗∗∗ --------------------------------------------- Web form security ⁠— the set of tools and practices intended to protect web forms from attacks and abuse ⁠— is one of the most critical aspects of overall website security. Web forms allow users to interact with your site and enable a lot of useful functionality. However, once a user can interact with your site to do something useful there is a new attack surface for a hacker to exploit. --------------------------------------------- https://blog.sucuri.net/2021/08/best-practices-for-web-form-security.html ∗∗∗ Experts Shed Light On New Russian Malware-as-a-Service Written in Rust ∗∗∗ --------------------------------------------- A nascent information-stealing malware sold and distributed on underground Russian underground forums has been written in Rust, signalling a new trend where threat actors are increasingly adopting exotic programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts. --------------------------------------------- https://thehackernews.com/2021/08/experts-shed-light-on-new-russian.html ∗∗∗ Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT ∗∗∗ --------------------------------------------- Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505s arsenal is ServHelper. --------------------------------------------- https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servh… ∗∗∗ Why No HTTPS? The 2021 Version ∗∗∗ --------------------------------------------- More than 3 years ago now, Scott Helme and I launched a little project called Why No HTTPS? It listed the worlds largest websites that didnt properly redirect insecure requests to secure ones. We updated it December before last and pleasingly, noted that more websites than [...] --------------------------------------------- https://www.troyhunt.com/why-no-https-the-2021-version/ ∗∗∗ August 2021 ICS Patch Tuesday: Siemens, Schneider Address Over 50 Flaws ∗∗∗ --------------------------------------------- Siemens and Schneider Electric on Tuesday released 18 security advisories addressing a total of more than 50 vulnerabilities affecting their products. The vendors have provided patches, mitigations, and general security recommendations for reducing the risk of attacks. --------------------------------------------- https://www.securityweek.com/august-2021-ics-patch-tuesday-siemens-schneide… ∗∗∗ IISerpent: Malware‑driven SEO fraud as a service ∗∗∗ --------------------------------------------- The last in our series on IIS threats introduces a malicious IIS extension used to manipulate page rankings for third-party websites --------------------------------------------- https://www.welivesecurity.com/2021/08/11/iiserpent-malware-driven-seo-frau… ∗∗∗ Affiliates Unlocked: Gangs Switch Between Different Ransomware Families ∗∗∗ --------------------------------------------- The demise of Sodinokibi has led to a surge in LockBit activity, while there’s evidence affiliates are using multiple ransomware families to achieve their goals. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ra… ∗∗∗ CobaltSpam tool can flood Cobalt Strike malware servers ∗∗∗ --------------------------------------------- A security researcher has published this week a tool to flood Cobalt Strike servers—often used by malware gangs—with fake beacons in order to corrupt their internal databases of infected systems. --------------------------------------------- https://therecord.media/cobaltspam-tool-can-flood-cobalt-strike-malware-ser… ===================== = Vulnerabilities = ===================== ∗∗∗ Intel schließt Sicherheitslücken in Laptops, Linux-Treibern & Co. ∗∗∗ --------------------------------------------- Angreifer könnten Intel-PCs attackieren und im schlimmsten Fall die volle Kontrolle über Computer erlangen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6163478 ∗∗∗ JavaScript-Framework: Next.js 11.1 behebt eine Open-Redirect-Sicherheitslücke ∗∗∗ --------------------------------------------- Das React-Framework Next.js erhält knapp zwei Monate nach der letzten Hauptversion ein Update auf Version 11.1, um mögliche Open Redirects zu verhindern. --------------------------------------------- https://heise.de/-6163575 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (firefox-esr, libspf2, and openjdk-11-jre-dcevm), Fedora (bluez, fetchmail, and prosody), Oracle (edk2, glib2, kernel, and libuv), Red Hat (.NET Core 3.1), SUSE (cpio), and Ubuntu (firefox and openssh). --------------------------------------------- https://lwn.net/Articles/866076/ ∗∗∗ Plone vulnerable to open redirect ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN50804280/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2021-20509) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/ ∗∗∗ TRUMPF Laser GmbH: multiple products prone to codesys runtime vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-033 ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0866 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2021
by Daily end-of-shift report 11 Aug '21

11 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-08-2021 18:00 − Mittwoch 11-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Kaseyas universal REvil decryption key leaked on a hacking forum ∗∗∗ --------------------------------------------- The universal decryption key for REvils attack on Kaseyas customers has been leaked on hacking forums allowing researchers their first glimpse of the mysterious key. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decr… ∗∗∗ New AdLoad malware variant slips through Apples XProtect defenses ∗∗∗ --------------------------------------------- A new AdLoad malware variant is slipping through Apples YARA signature-based XProtect built-in antivirus tech to infect Macs. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/new-adload-malware-variant-slip… ∗∗∗ TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike, (Wed, Aug 11th) ∗∗∗ --------------------------------------------- TA551 (also known as Shathak) represents a threat actor behind malspam that has pushed different families of malware over the past few years. --------------------------------------------- https://isc.sans.edu/diary/rss/27738 ∗∗∗ Das Conti-Leak: Bedienungsanleitung für Ransomware ∗∗∗ --------------------------------------------- In den Handbüchern für Affiliates beschreiben die Kriminellen minutiös, wie man ein Netz auskundschaftet, Zugang ausweitet und schließlich Daten verschlüsselt. --------------------------------------------- https://heise.de/-6160551 ∗∗∗ Anonym im Internet: Sicherheitsupdates für Tor Browser und Tails OS erschienen ∗∗∗ --------------------------------------------- Die Entwickler haben Komponenten von Tor Browser und Tails aktualisiert, um die Sicherheit aufrechtzuerhalten. --------------------------------------------- https://heise.de/-6161195 ∗∗∗ 5 Costly Mistakes in Cyber Incident Response Preparation ∗∗∗ --------------------------------------------- Even with the best preparation and retainers, incident response is rarely an inexpensive endeavor in terms of money, people, operational disruption, or time. --------------------------------------------- https://www.dragos.com/blog/industry-news/5-costly-mistakes-in-cyber-incide… ∗∗∗ Conducting Architecture Reviews in Light of the New TSA Directives ∗∗∗ --------------------------------------------- TSA, the sector-specific agency for pipelines, released its first directive to the pipeline industry on May 27th and followed up with a second directive on July 20th. --------------------------------------------- https://www.dragos.com/blog/industry-news/conducting-architecture-reviews-i… ∗∗∗ Why Are Ransomware Attacks Against OT Increasing? ∗∗∗ --------------------------------------------- Most discussions around cybersecurity understandably focus on information technology (IT). Assets like cloud services and data centers are typically what companies spend the most time and effort securing. Recently, though, operational technology (OT) has come under increasing scrutiny from leading security experts in both the private and public sectors. --------------------------------------------- https://www.tripwire.com/state-of-security/ics-security/why-are-ransomware-… ∗∗∗ Hacker kapern Instagram-Profil und erpressen Opfer ∗∗∗ --------------------------------------------- BetrügerInnen haben es auf Instagram-Accounts mit vielen FollowerInnen abgesehen: Sie hacken deren Konten und verlangen anschließend Lösegeld. Wird nicht bezahlt, drohen die Hacker, das Profil zu löschen. --------------------------------------------- https://www.watchlist-internet.at/news/hacker-kapern-instagram-profil-und-e… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#608209: NicheStack embedded TCP/IP has vulnerabilities ∗∗∗ --------------------------------------------- HCC Embeddeds software called InterNiche stack (NicheStack) and NicheLite, which provides TCP/IP networking capability to embedded systems, is impacted by multiple vulnerabilities. --------------------------------------------- https://kb.cert.org/vuls/id/608209 ∗∗∗ Patchday: Microsoft meldet abermals Attacken auf Windows ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für unter anderem kritische Lücken in Azure, Edge und verschiedenen Windows-Versionen. --------------------------------------------- https://heise.de/-6160526 ∗∗∗ Free Micropatches for "PetitPotam" (CVE-2021-36942) ∗∗∗ --------------------------------------------- Update 8/11/2021-B: Neither Microsofts August fix nor our micropatch seem to have covered all PetitPotam affected code. Both fixed the anonymous attack vector but we're investigating additional authenticated paths now and looking for the best way to patch that too. --------------------------------------------- https://blog.0patch.com/2021/08/free-micropatches-for-petitpotam.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ceph), Fedora (buildah, containernetworking-plugins, and podman), openSUSE (chromium, kernel, php7, python-CairoSVG, python-Pillow, seamonkey, and transfig), Red Hat (microcode_ctl), SUSE (kernel and libcares2), and Ubuntu (c-ares). --------------------------------------------- https://lwn.net/Articles/865978/ ∗∗∗ Intel Releases Multiple Security Updates ∗∗∗ --------------------------------------------- Intel has released security updates to address vulnerabilities multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/10/intel-releases-mu… ∗∗∗ iTunes 12.11.4 for Windows ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212609 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2021-20427) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenLDAP vulnerability (CVE-2020-25692) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-disconnected-log-coll… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager DR ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Reliance on Untrusted Inputs in Security Descision ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Weak Password Policy vulnerability (CVE-2021-20418) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (V2.103.000.051) and Modules ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-ident… ∗∗∗ VMSA-2021-0016 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0016.html ∗∗∗ AMD Prozessoren: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0852 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2021
by Daily end-of-shift report 10 Aug '21

10 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 09-08-2021 18:00 − Dienstag 10-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ eCh0raix ransomware now targets both QNAP and Synology NAS devices ∗∗∗ --------------------------------------------- A newly discovered eCh0raix ransomware variant has added support for encrypting both QNAP and Synology Network-Attached Storage (NAS) devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ech0raix-ransomware-now-targ… ∗∗∗ Team Cymru’s Threat Hunting Maturity Model Explained ∗∗∗ --------------------------------------------- In this four part series we’ll be looking at Team Cymru’s Threat Hunting Maturity Model. --------------------------------------------- https://team-cymru.com/blog/2021/08/09/team-cymrus-threat-hunting-maturity-… ∗∗∗ Chaos Malware Walks Line Between Ransomware and Wiper ∗∗∗ --------------------------------------------- The dangerous malware has been rapidly developed since June and could be released into the wild soon. --------------------------------------------- https://threatpost.com/chaos-malware-ransomware-wiper/168520/ ∗∗∗ Vulnerability Management Resources ∗∗∗ --------------------------------------------- SANS Vulnerability Management Resources collected in one place for easy access. --------------------------------------------- https://www.sans.org/blog/vulnerability-management-resources ∗∗∗ XLSM Malware with MacroSheets ∗∗∗ --------------------------------------------- Excel-based malware has been around for decades and has been in the limelight in recent years. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/xlsm-malware-with-macr… ∗∗∗ Gefälschtes E-Mail der Post im Umlauf ∗∗∗ --------------------------------------------- Sie warten auf ein Paket? Dann nehmen Sie sich vor gefälschten Benachrichtigungen der Post in Acht. BetrügerInnen behaupten in einer E-Mail, dass Ihr Paket nicht zugestellt werden konnte und Sie über einen Link einen weiteren Zustellversuch anfordern müssen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-e-mail-der-post-im-umla… ===================== = Vulnerabilities = ===================== ∗∗∗ Root-Lücke in VPN-Lösung Pulse Connect Secure als Schadcode-Schlupfloch ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdates schließt Schwachstellen in der Fernzugriff-Software Pulse Connect Secure. --------------------------------------------- https://heise.de/-6159492 ∗∗∗ Firefox und Firefox ESR gegen verschiedene Attacken abgesichert ∗∗∗ --------------------------------------------- Mozilla hat mehrere Sicherheitslücken in seinem Webbrowser Firefox geschlossen. --------------------------------------------- https://heise.de/-6160037 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (flatpak and microcode_ctl), Debian (c-ares, lynx, openjdk-8, and tomcat9), Fedora (kernel), openSUSE (apache-commons-compress, aria2, djvulibre, fastjar, kernel, libvirt, linuxptp, mysql-connector-java, nodejs8, virtualbox, webkit2gtk3, and wireshark), Oracle (kernel, kernel-container, and microcode_ctl), Red Hat (glib2, kernel, kernel-rt, kpatch-patch, and rust-toolset-1.52 and rust-toolset-1.52-rust), Scientific Linux (microcode_ctl), [...] --------------------------------------------- https://lwn.net/Articles/865872/ ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple Adobe products. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/10/adobe-releases-se… ∗∗∗ WordPress Plugin "Quiz And Survey Master" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN65388002/ ∗∗∗ SSA-938030: DGN and PAR File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.2.0.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-938030.txt ∗∗∗ SSA-865327: Incorrect Authorization Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-865327.txt ∗∗∗ SSA-830194: Missing Authentication Vulnerability in S7-1200 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-830194.txt ∗∗∗ SSA-818688: Multiple Vulnerabilities in Solid Edge before SE2021MP7 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-818688.txt ∗∗∗ SSA-756744: OS Command Injection Vulnerability in SINEC NMS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-756744.txt ∗∗∗ SSA-679335: Multiple Vulnerabilities in Embedded FTP Server of SIMATIC NET CP Modules ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-679335.txt ∗∗∗ SSA-553445: DNS "Name:Wreck" Vulnerabilities in Multiple Siemens Energy AGT and SGT solutions ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-553445.txt ∗∗∗ SSA-365397: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.2.0.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-365397.txt ∗∗∗ SSA-309571: IPU 2021.1 Vulnerabilities in Siemens Industrial Products using Intel CPUs (June 2021) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-309571.txt ∗∗∗ SSA-158827: Denial-of-Service Vulnerability in Automation License Manager ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-158827.txt ∗∗∗ Security Bulletin: A vulnerability in glibc impacts IBM Watson™ Speech Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-glibc-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct File Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Planning Analytics Spreadsheet Services is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-sp… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Spring Framework vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in self-service console affects IBM Cloud Pak System (CVE-2021-20478) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-self-ser… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ XSA-357 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-357.html ∗∗∗ TYPO3 Core: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0842 ∗∗∗ SAP Patchday August 2021: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0847 ∗∗∗ Citrix ShareFile storage zones controller security update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX322787 ∗∗∗ XML External Entity Expansion in MobileTogether Server ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-002/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2021
by Daily end-of-shift report 09 Aug '21

09 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-08-2021 18:00 − Montag 09-08-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Verschlüsselung: Sicherheitsrisiko STARTTLS ∗∗∗ --------------------------------------------- Das STARTTLS-Verfahren hat zahlreiche Sicherheitsrisiken. Überall, wo es möglich ist, hat die direkte Nutzung von TLS nur Vorteile. --------------------------------------------- https://www.golem.de/news/verschluesselung-sicherheitsrisiko-starttls-2108-… ∗∗∗ Black Hat: DNS-as-a-Service könnte Netzwerkinfrastruktur verraten ∗∗∗ --------------------------------------------- Durch einen Trick konnten Sicherheitsforscher Informationen über die Netzwerkinfrastruktur der Kunden eines DNS-as-a-Service-Anbieters erlangen. --------------------------------------------- https://heise.de/-6157720 ∗∗∗ Exchange ProxyShell-Lücke: Scans suchen nach verwundbaren Servern ∗∗∗ --------------------------------------------- Mehrere tausend Server sind allein in Deutschland für die neue Exchange-Lücke anfällig. Dabei gibt es längst Patches von Microsoft. --------------------------------------------- https://heise.de/-6158946 ∗∗∗ Die Anatomie nativer IIS‑Malware ∗∗∗ --------------------------------------------- ESET-Forscher veröffentlichen ein Whitepaper, das Bedrohungen durch IIS-Webserver genau unter die Lupe nimmt --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/08/06/die-anatomie-nativer-iis-… ∗∗∗ IQ-Test auf offiziell-qi-test.com führt in die Abo-Falle! ∗∗∗ --------------------------------------------- Mit nur 30 Fragen kann man einen zertifizierten IQ-Test durchführen, heißt es auf der Webseite offiziell-qi-test.com. Erst nachdem der Test durchgeführt wurde, wird man erstmals auf Kosten hingewiesen: Um das Ergebnis zu sehen soll man 3,90 Euro zahlen. Doch Achtung: Im Kleingedruckten finden sich weitere Kosten und eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/iq-test-auf-offiziell-qi-testcom-fue… ∗∗∗ Cisco: Firewall manager RCE bug is a zero-day, patch incoming ∗∗∗ --------------------------------------------- In a Thursday security advisory update, Cisco revealed that a remote code execution (RCE) vulnerability in the Adaptive Security Device Manager (ADSM) Launcher disclosed last month is a zero-day bug that has yet to receive a security update. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-firewall-manager-rce-b… ∗∗∗ Synology warns of malware infecting NAS devices with ransomware ∗∗∗ --------------------------------------------- Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-in… ∗∗∗ SQL Injection in WordPress Plugins: ORDER and ORDER BY as Overlooked Injection Points ∗∗∗ --------------------------------------------- Trustwave SpiderLabs recently undertook a survey of some 100 popular WordPress plugins for possible SQL Injection vulnerabilities. Some good news is that in the vast majority, no such vulnerabilities were identified. Most plugins were found to be using either prepared statements or suitable sanitization when incorporating user-controlled data in a query. Of the five vulnerable plugins identified, some patterns emerged, [...] --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/sql-injecti… ∗∗∗ Beware! New Android Malware Hacks Thousands of Facebook Accounts ∗∗∗ --------------------------------------------- A new Android trojan has been found to compromise Facebook accounts of over 10,000 users in at least 144 countries since March 2021 via fraudulent apps distributed through Google Play Store and other third-party app marketplaces. Dubbed "FlyTrap," the previously undocumented malware is believed to be part of a family of trojans that employ social engineering tricks to breach Facebook accounts [...] --------------------------------------------- https://thehackernews.com/2021/08/beware-new-android-malware-hacks.html ∗∗∗ Phishing Sites Targeting Scammers and Thieves ∗∗∗ --------------------------------------------- I was preparing to knock off work on a recent Friday evening when a curious and annoying email came in via the contact form on this site: “Hello I go by the username Nuclear27 on your site Briansclub[.]com,” wrote “Mitch,” confusing me with the proprietor of perhaps the underground’s largest bazaar for stolen credit and identity data. “I made a deposit to my wallet on the site but nothing has shown up yet and I would like to know why.” --------------------------------------------- https://krebsonsecurity.com/2021/08/phishing-sites-targeting-scammers-and-t… ∗∗∗ Routers and modems running Arcadyan firmware are under attack ∗∗∗ --------------------------------------------- Routers and modems running a version of the Arcadyan firmware, including devices from ASUS, Orange, Vodafone, and Verizon, are currently under attack from a threat actor attempting to ensnare the devices into their DDoS botnet. --------------------------------------------- https://therecord.media/routers-and-modems-running-arcadyan-firmware-are-un… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-951: (0Day) Delta Industrial Automation DOPSoft XLS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation DOPSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-951/ ∗∗∗ Sicherheitsrelevanter Bug in net-Bibliothek von Go und Rust ∗∗∗ --------------------------------------------- Die Bibliothek net in Go und Rust verhält sich nicht standardkonform und verschluckt führende Nullen. Angreifer könnten so falsche IP-Adressen einschleusen. --------------------------------------------- https://heise.de/-6157969 ∗∗∗ Exchange Server jetzt patchen: Angreifer suchen aktiv nach neuer Lücke ∗∗∗ --------------------------------------------- Admins sollten ihre Exchange Server zügig aktualisieren. Nachdem Forscher einen neuen Angriff vorgestellt haben, probieren Angreifer ihn offenbar gezielt aus. --------------------------------------------- https://heise.de/-6158190 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible and bluez), Fedora (curl, kernel, mod_auth_openidc, rust-rav1e, and webkit2gtk3), Mageia (kernel and kernel-linus), openSUSE (php7 and python-reportlab), Oracle (ruby:2.7), Red Hat (microcode_ctl), SUSE (fastjar, kvm, mariadb, php7, php72, php74, and python-Pillow), and Ubuntu (docker.io). --------------------------------------------- https://lwn.net/Articles/865680/ ∗∗∗ Apple fixes AWDL bug that could be used to escape air-gapped networks ∗∗∗ --------------------------------------------- Apple has fixed a vulnerability in its Apple Wireless Direct Link (AWDL) technology that could have been abused by threat actors to escape and steal data from air-gapped networks. --------------------------------------------- https://therecord.media/apple-fixed-awdl-bug-that-could-be-used-to-escape-a… ∗∗∗ Apache Tomcat vulnerability CVE-2021-33037 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32469285 ∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2020-1968 vulnerability in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-1968-vulnerabili… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Platform Software ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: ICN Is Vulnerable to Improper Input Validation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-icn-is-vulnerable-to-impr… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: openSSL and Apache Hadoop vulnerability impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client, Aspera On Demand (CVE-2020-1971, CVE-2020-9492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-and-apache-hadoop… ∗∗∗ Security Bulletin: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-aff… ∗∗∗ Security Bulletin: Stack overflow via TIS_CODESET environment variable in IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-stack-overflow-via-tis_co… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.08.2021
by Daily end-of-shift report 06 Aug '21

06 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-08-2021 18:00 − Freitag 06-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Linux version of BlackMatter ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The BlackMatter gang has joined the ranks of ransomware operations to develop a Linux encryptor that targets VMwares ESXi virtual machine platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter… ∗∗∗ Lockbit 2.0: Ransomware will Firmen-Insider rekrutieren ∗∗∗ --------------------------------------------- Die Ransomware-Gruppe Lockbit sucht auf ungewöhnliche Weise nach Insidern, die ihr Zugangsdaten übermitteln sollen. --------------------------------------------- https://www.golem.de/news/lockbit-2-0-ransomware-will-firmen-insider-rekrut… ∗∗∗ Malicious Microsoft Word Remains A Key Infection Vector, (Fri, Aug 6th) ∗∗∗ --------------------------------------------- Despite Microsoft's attempts to make its Office suite more secure and disable many automatic features, despite the fact that users are warned that suspicious documents should not be opened, malicious Word documents remain a key infection vector today. --------------------------------------------- https://isc.sans.edu/diary/rss/27716 ∗∗∗ Using “Master Faces” to Bypass Face-Recognition Authenticating Systems ∗∗∗ --------------------------------------------- A master face is a face image that passes face-based identity-authentication for a large portion of the population. These faces can be used to impersonate, with a high probability of success, any user, without having access to any user-information. --------------------------------------------- https://www.schneier.com/blog/archives/2021/08/using-master-faces-to-bypass… ∗∗∗ EU officials investigating breach of Cybersecurity Atlas project ∗∗∗ --------------------------------------------- The European Commission is investigating a breach of its Cybersecurity Atlas project after a copy of the site’s backend database was put up for sale on an underground cybercrime forum on Monday. --------------------------------------------- https://therecord.media/eu-officials-investigating-breach-of-cybersecurity-… ∗∗∗ Security-Oscars: And the Pwnie goes to … ∗∗∗ --------------------------------------------- Der Pandemie zum Trotz hat die Pwnie-Jury auch in diesem Jahr die Security-Oscars verliehen – und natürlich auch "Goldene Himbeeren". --------------------------------------------- https://heise.de/-6157581 ∗∗∗ What is Tor? ∗∗∗ --------------------------------------------- We give a brief overview of Tor, the secure communications tool. We explain what it is, how you can use it, and some of the potential drawbacks. --------------------------------------------- https://blog.malwarebytes.com/privacy-2/2021/08/what-is-tor/ ∗∗∗ Black Hat: How cybersecurity incidents can become a legal minefield ∗∗∗ --------------------------------------------- Facing a cyberattack? Pick up the phone and talk to legal help as well as incident response. --------------------------------------------- https://www.zdnet.com/article/black-hat-how-cybersecurity-can-be-a-legal-mi… ∗∗∗ Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals ∗∗∗ --------------------------------------------- A disgruntled member of the Conti ransomware program has leaked today the manuals and technical guides used by the Conti gang to train affiliate members on how to access, move laterally, and escalate access inside a hacked company and then exfiltrate its data before encrypting files. --------------------------------------------- https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-ga… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#357312: HTTP Request Smuggling in Web Proxies ∗∗∗ --------------------------------------------- HTTP web proxies and web accelerators that support HTTP/2 for an HTTP/1.1 backend webserver are vulnerable to HTTP Request Smuggling. --------------------------------------------- https://kb.cert.org/vuls/id/357312 ∗∗∗ Kindle: Mit Schadcode infizierte E-Books konnten Amazon-Account kapern ∗∗∗ --------------------------------------------- Mit infizierten E-Books konnten Sicherheitsforscher Kindle-Reader und sogar Amazon-Konten übernehmen. Amazon hat die Lücke mittlerweile geschlossen. --------------------------------------------- https://heise.de/-6157512 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tomcat8), Mageia (bluez, exiv2, fetchmail, libsndfile, nodejs, php-pear, python-pillow, and rabbitmq-server), openSUSE (apache-commons-compress, balsa, djvulibre, mariadb, mysql-connector-java, nodejs8, opera, and spice-vdagent), Red Hat (ruby:2.7), SUSE (apache-commons-compress, djvulibre, java-11-openjdk, libsndfile, mariadb, nodejs8, and spice-vdagent), and Ubuntu (docker.io). --------------------------------------------- https://lwn.net/Articles/865465/ ∗∗∗ Black Hat: BadAlloc bugs expose millions of IoT devices to hijack ∗∗∗ --------------------------------------------- BadAlloc vulnerabilities impact millions of devices worldwide. --------------------------------------------- https://www.zdnet.com/article/black-hat-badalloc-bugs-expose-millions-of-io… ∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Free Micropatches for "PetitPotam" ∗∗∗ --------------------------------------------- https://blog.0patch.com/2021/08/free-micropatches-for-petitpotam.html ∗∗∗ HCC Embedded InterNiche TCP/IP stack, NicheLite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-01 ∗∗∗ FATEK Automation FvDesigner ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-02 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-03 ∗∗∗ Advantech WebAccess SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-217-04 ∗∗∗ CISA Releases Security Advisory for InterNiche Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/05/cisa-releases-sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.08.2021
by Daily end-of-shift report 05 Aug '21

05 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-08-2021 18:00 − Donnerstag 05-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware: Unternehmen beklagen immense Schäden durch Cyberangriffe ∗∗∗ --------------------------------------------- Die Angriffe mit Ransomware nehmen massiv zu, zeigt nun auch der Bitkom-Verband. Auch das Homeoffice wird sicherheitskritisch. --------------------------------------------- https://www.golem.de/news/ransomware-unternehmen-beklagen-immense-schaeden-… ∗∗∗ Cisco beseitigt kritische Schwachstellen aus Small Business-Routern der RV-Serie ∗∗∗ --------------------------------------------- Jetzt updaten: Remote Code Execution und Denial-of-Service wären mögliche Angriffskonsequenzen. Auch für weitere Cisco-Produkte sind wichtige Updates verfügbar. --------------------------------------------- https://heise.de/-6155856 ∗∗∗ Sicherheitsforscher entdecken Schwachstellen in Industriekontrollsystemen von Mitsubishi ∗∗∗ --------------------------------------------- Die Patches sind bereits in Arbeit, aber noch nicht erhältlich. Grund dafür ist ein aufwändiges Zertifizierungsverfahren. Möglicherweise sind auch Produkte anderer Hersteller betroffen. --------------------------------------------- https://www.zdnet.de/88396132/sicherheitsforscher-entdecken-schwachstellen-… ∗∗∗ Black Hat USA 2021: Security Advisories – mehr Durchblick dank Automatisierung ∗∗∗ --------------------------------------------- Uneinheitliche Advisory-Formate kosten wertvolle Zeit. Und wie beschreibt man eigentlich eine "Nicht-Verwundbarkeit"? CSAF und VEX sollen Abhilfe schaffen. --------------------------------------------- https://heise.de/-6155594 ∗∗∗ Microsoft Teams korrekt absichern ∗∗∗ --------------------------------------------- Microsoft Teams ist beliebt, gerät aber immer stärker ins Visier von Hackern. Wie Sie den Schutz der Kollaborations-Software am besten bewerkstelligen, schildert Bert Skorupski, Senior Manager Sales Engineering bei Quest Software, im ersten Teil eines zweiteiligen Gastbeitrages. --------------------------------------------- https://www.zdnet.de/88396112/microsoft-teams-korrekt-absichern/ ∗∗∗ Vorsicht vor mykundenservice.com: Hohe Telefonrechnung droht! ∗∗∗ --------------------------------------------- Während die meisten Unternehmen Kontakttelefonnummern offen kommunizieren, tun dies andere nicht. Da wäre eine Sammlung von Kontaktnummern durchaus hilfreich. Auf mykundenservice.com verspricht man zwar eine solche Sammlung, doch eigentlich lockt man zum Anruf einer 0900-Nummer. Achtung: Hier entstehen hohe Kosten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-mykundenservicecom-hohe… ∗∗∗ How to Protect against EMOTET - "The World’s Most Dangerous Malware" ∗∗∗ --------------------------------------------- In the summer of 2020, malware infections were on a clear rise. Many new variants were appearing, and enterprises, government agencies, business leaders, and public officials were all voicing concern. Yet, seven years after it was first discovered, the spread of the EMOTET malware was arguably most concerning of all. --------------------------------------------- https://www.beyondtrust.com/blog/entry/how-to-protect-against-emotet-the-wo… ∗∗∗ Windows admins now can block external devices via layered Group Policy ∗∗∗ --------------------------------------------- Microsoft has added support for layered Group Policies, which allow IT admins to control what internal or external devices users can be installed on corporate endpoints across their organizations network. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-admins-now-can-bloc… ∗∗∗ MacOS Flaw in Telegram Retrieves Deleted Messages ∗∗∗ --------------------------------------------- Telegram declined to fix a scenario in which the flaw can be exploited, spurring a Trustwave researcher to decline a bug bounty and to disclose his findings instead. --------------------------------------------- https://threatpost.com/macos-flaw-in-telegram-retrieves-deleted-messages/16… ∗∗∗ Examining Unique Magento Backdoors ∗∗∗ --------------------------------------------- During a recent investigation into a compromised Magento ecommerce environment, we discovered the presence of five different backdoors that would provide attackers with code execution capabilities. The techniques used by the attackers in these backdoors illustrates the ever-changing landscape of website security and highlights some of the tactics used to avoid traditional backdoor detection. --------------------------------------------- https://blog.sucuri.net/2021/08/examining-unique-magento-backdoors.html ∗∗∗ Microsoft Patched the Issue With Windows Containers That Enabled Siloscape ∗∗∗ --------------------------------------------- Microsoft recently added additional security checks that address the Windows container escape that enabled Siloscape. --------------------------------------------- https://unit42.paloaltonetworks.com/windows-container-escape-patch/ ∗∗∗ Meet Prometheus, the secret TDS behind some of today’s malware campaigns ∗∗∗ --------------------------------------------- A recently discovered cybercrime service is helping malware gangs distribute their malicious payloads to unsuspecting users using a network of hacked websites. --------------------------------------------- https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-today… ∗∗∗ Pegasus Spyware: How It Works and What It Collects ∗∗∗ --------------------------------------------- An NSO document leaked to the internet reveals how the Pegasus spyware - sold to intelligence and law enforcement agencies around the world - can be used to spy on targeted mobile phones. --------------------------------------------- https://zetter.substack.com/p/pegasus-spyware-how-it-works-and ∗∗∗ From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrator ∗∗∗ --------------------------------------------- Knock knock, who’s there? Your new DA! Several vulnerabilities that have been recently disclosed, namely: MS-EFSRPC – AKA PetitPotam Credential Relaying abusing the AD CS role Any attacker with internal network access, such as a phished client or a malicious planted device in the network, can take over the entire Active Directory domain without any [...] --------------------------------------------- https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2021-08-04 ∗∗∗ --------------------------------------------- 1 critical, 4 high, 2 medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ SA44858 - 9.1R12 Security Fixes ∗∗∗ --------------------------------------------- [...] Fixes for all the CVEs listed above have been included in the latest version of PCS, 9.1R12, which was released on 2 August 2021. We strongly encourage you to upgrade to ensure your organization is protected. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858 ∗∗∗ VMSA-2021-0016 ∗∗∗ --------------------------------------------- VMware Workspace One Access, Identity Manager and vRealize Automation address multiple vulnerabilities (CVE-2021-22002, CVE-2021-22003) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0016.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9 and openexr), openSUSE (mariadb and virtualbox), Red Hat (go-toolset-1.15 and go-toolset-1.15-golang), SUSE (djvulibre and mariadb), and Ubuntu (opencryptoki). --------------------------------------------- https://lwn.net/Articles/865306/ ∗∗∗ Amazon and Google patch major bug in their DNS-as-a-Service platforms ∗∗∗ --------------------------------------------- At the Black Hat security conference today, two security researchers have disclosed a security issue impacting hosted DNS service providers that can be abused to hijack the platforms nodes, intercept some of the incoming DNS traffic, and then map customers internal networks. --------------------------------------------- https://therecord.media/amazon-and-google-patch-major-bug-in-their-dns-as-a… ∗∗∗ IBM Security Bulletins 2021-08-04 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ BIG-IP LTM HTTP/2 desync attacks: malicious CRLF placement security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97045220 ∗∗∗ BIG-IP LTM HTTP/2 desync attacks: request line injection ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63312282 ∗∗∗ ffmpeg: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0832 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0835 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2021
by Daily end-of-shift report 04 Aug '21

04 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-08-2021 18:00 − Mittwoch 04-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Cobalt Strike bugs allow takedown of attackers’ servers ∗∗∗ --------------------------------------------- Security researchers have discovered Cobalt Strike denial of service (DoS) vulnerabilities that allow blocking beacon command-and-control (C2) communication channels and new deployments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cobalt-strike-bugs-allow… ∗∗∗ Phishing Campaign Dangles SharePoint File-Shares ∗∗∗ --------------------------------------------- Attackers spoof sender addresses to appear legitimate in a crafty campaign that can slip past numerous detections, Microsoft researchers have discovered. --------------------------------------------- https://threatpost.com/phishing-sharepoint-file-shares/168356/ ∗∗∗ Three Problems with Two Factor Authentication, (Tue, Aug 3rd) ∗∗∗ --------------------------------------------- Usability remains a challenge for two-factor authentication. I recently came across a review of a healthcare-related mobile app, and a one-star review complained about how unusable the application is due to its two-factor requirement. --------------------------------------------- https://isc.sans.edu/diary/rss/27704 ∗∗∗ Pivoting and Hunting for Shenanigans from a Reported Phishing Domain, (Wed, Aug 4th) ∗∗∗ --------------------------------------------- I was alerted to a web page masquerading as a local financial institution earlier in the day. The phishing web page was constructed well, looked extremely similar to the financial institutions actual page and had input fields for victims to input their credentials. --------------------------------------------- https://isc.sans.edu/diary/rss/27710 ∗∗∗ SAML is insecure by design ∗∗∗ --------------------------------------------- SAML uses signatures based on computed values. The practice is inherently insecure and thus SAML as a design is insecure. --------------------------------------------- https://joonas.fi/2021/08/saml-is-insecure-by-design/ ∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in tinyobjloader ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a use-after-free vulnerability in a specific function of tinyobjloader. --------------------------------------------- https://blog.talosintelligence.com/2021/08/vuln-spotlight-.html ∗∗∗ Value of PLC Key Switch Monitoring to Keep Critical Systems More Secure ∗∗∗ --------------------------------------------- Programmable Logic Controllers (PLC) and Safety Instrumented Systems (SIS) Controllers have historically included an external switch, generally in the form of a key, to perform maintenance and troubleshooting. --------------------------------------------- https://www.dragos.com/blog/industry-news/value-of-plc-key-switch-monitorin… ∗∗∗ OpSec Leaky Images ∗∗∗ --------------------------------------------- Hackers love your marketing department. Fact! Your marketing department love telling the world what happens in your company, then they attach images to the posts, often of staff at work. --------------------------------------------- https://www.pentestpartners.com/security-blog/opsec-leaky-images/ ∗∗∗ Achtung Scheckbetrug: Restaurant-BesitzerInnen erhalten betrügerische Reservierungsanfragen! ∗∗∗ --------------------------------------------- BetrügerInnen versuchen mit vermeintlichen Reservierungen an das Geld von Restaurant-BesitzerInnen zu kommen: Wenn ein vermeintlicher Gast aus dem Ausland für eine größere Gruppe reservieren und das Geld vorab per Scheck bezahlen will, gilt es vorsichtig zu sein. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-scheckbetrug-restaurant-besi… ∗∗∗ IntelMQ 3.0 - Configuration, Domain based workflow, IEPs ∗∗∗ --------------------------------------------- We are happy to announce the completion of the IntelMQ 3.0 milestone. --------------------------------------------- https://cert.at/en/blog/2021/8/intelmq-30-domain-based-workflow-ieps ∗∗∗ Shodan Verified Vulns 2021-08-01 ∗∗∗ --------------------------------------------- Schwachstellen machen leider keine Pause im Sommer und entsprechend haben wir auch diesen Monat wieder einen Blick auf jene geworfen, die Shodan in Österreich sieht. --------------------------------------------- https://cert.at/de/aktuelles/2021/8/shodan-verified-vulns-2021-08-01 ===================== = Vulnerabilities = ===================== ∗∗∗ INFRA:HALT: Neue Schwachstellen im TCP/IP-Stack von Industriegeräten entdeckt ∗∗∗ --------------------------------------------- Das Forscherteam um "Amnesia:33", "Number:Jack" und Co. hat weitere Schwachstellen gefunden – diesmal im "NicheStack" für den Bereich Operational Technology. --------------------------------------------- https://heise.de/-6154631 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, libpam-tacplus, and wordpress), Fedora (buildah and podman), openSUSE (thunderbird and webkit2gtk3), Oracle (kernel and varnish:6), SUSE (kernel, kvm, and webkit2gtk3), and Ubuntu (libdbi-perl and php-pear). --------------------------------------------- https://lwn.net/Articles/865192/ ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could allow a remote attacker to execute arbitrary code due to CVE-2021-33195 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons IO may affect Cúram Social Program Management (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: Vulnerability in Dojo may affect Cúram Social Program Management (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-may… ∗∗∗ Security Bulletin: IBM API Connect is impacted by reflected cross site scripting (CVE-2020-4707) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ PHOENIX CONTACT : Products utilizing WIBU SYSTEMS CodeMeter components in versions prior to V7.21a ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-036 ∗∗∗ PHOENIX CONTACT : DoS for PLCnext Control devices in versions prior to 2021.0.5 LTS ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-029 ∗∗∗ Dell integrated Dell Remote Access Controller: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0830 ∗∗∗ Cross Site Request Forgery (CSRF) vulnerability in Bosch IP cameras ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-033305-bt.html ∗∗∗ SYSS-2021-042: Tiny Java Web Server and Servlet Container (TJWS) – Reflected Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-042-tiny-java-web-server-and-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2021
by Daily end-of-shift report 03 Aug '21

03 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Montag 02-08-2021 18:00 − Dienstag 03-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Supply-Chain-Angriffe: EU-Behörde empfiehlt Code-Checks für Abhängigkeiten ∗∗∗ --------------------------------------------- Als Reaktion auf Angriffe wie bei Solarwinds hat die zuständige EU-Behörde einen einfachen Rat. Doch entsprechende Maßnahmen kann offenbar nicht mal Microsoft umsetzen. --------------------------------------------- https://www.golem.de/news/supply-chain-angriffe-eu-behoerde-empfiehlt-code-… ∗∗∗ Do You Trust Your Smart TV? ∗∗∗ --------------------------------------------- Did you ever stop to think that the office smart TV used for company presentations, Zoom meetings, and other work-related activities may not be so trustworthy? --------------------------------------------- https://securityaffairs.co/wordpress/120752/iot/smart-tv-security.html ∗∗∗ Android-Patchday: Google bessert unter anderem beim Media Framework nach ∗∗∗ --------------------------------------------- Updates für das mobile Betriebssystem zielen wieder einmal auf das Media Framework, beseitigen aber etwa auch kritische Lücken aus Qualcomm-Komponenten. --------------------------------------------- https://heise.de/-6154130 ∗∗∗ RDP brute force attacks explained ∗∗∗ --------------------------------------------- A simple and straightforward explanation of what RDP brute force attacks are, why they are so dangerous, and what you can do about them. --------------------------------------------- https://blog.malwarebytes.com/explained/2021/08/rdp-brute-force-attacks-exp… ∗∗∗ Gefälschte A1-Rechnung führt zu Schadsoftware ∗∗∗ --------------------------------------------- Aktuell werden gefälschte A1-E-Mails mit dem Betreff "Rechnung vom 04.07.2021" versendet. Im E-Mail wird behauptet, dass eine Zahlung nicht bearbeitet werden konnte. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-a1-rechnung-fuehrt-zu-sc… ∗∗∗ Raccoon stealer-as-a-service will now try to grab your cryptocurrency ∗∗∗ --------------------------------------------- The malware has been upgraded to target even more financial information. --------------------------------------------- https://www.zdnet.com/article/raccoon-stealer-as-a-service-will-now-try-to-… ∗∗∗ CISA and NSA Release Kubernetes Hardening Guidance ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have released Kubernetes Hardening Guidance, a cybersecurity technical report detailing the complexities of securely managing Kubernetes—an open-source, container-orchestration system used to automate deploying, scaling, and managing containerized applications. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/08/02/cisa-and-nsa-rele… ∗∗∗ Positive Technologies: APT group targeting government agencies around the world detected in Russia for the first time ∗∗∗ --------------------------------------------- Positive Technologies Expert Security Center (PT ESC) revealed new attacks by APT31 and analyzed its new tool—a malicious software that allows criminals to control a victim’s computer or network by using remote access. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/positive-technologies-apt-group… ∗∗∗ PetitPotam-Angriffe auf Windows durch RPC-Filter blocken ∗∗∗ --------------------------------------------- Sicherheitsforscher haben kürzlich einen neuen Angriffsvektor namens PetitPotam offen gelegt. Mittels eines NTLM-Relay-Angriffs kann jeder Windows Domain Controller übernommen werden. --------------------------------------------- https://www.borncity.com/blog/2021/08/03/petitpotam-angriffe-auf-windows-du… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#405600: Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks ∗∗∗ --------------------------------------------- Microsoft Windows Active Directory Certificate Services (AD CS) by default can be used as a target for NTLM relay attacks, which can allow a domain-joined computer to take over the entire Active Directory. --------------------------------------------- https://kb.cert.org/vuls/id/405600 ∗∗∗ PwnedPiper: Rohrpostsysteme in US-Krankenhäusern über Firmware-Lücken angreifbar ∗∗∗ --------------------------------------------- Sicherheitslücken erlaubten Forschern die komplette Übernahme von "Translogic"-Rohrpostsystemen. Hersteller Swisslog Healthcare hat Updates veröffentlicht. --------------------------------------------- https://heise.de/-6153319 ∗∗∗ Chrome: Browser-Update für den Desktop schließt Sicherheitslücken ∗∗∗ --------------------------------------------- Für die Windows-, Linux- und macOS-Ausgaben des Chrome-Browsers ist ein Update mit insgesamt zehn Security-Fixes verfügbar. --------------------------------------------- https://heise.de/-6153994 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, nodejs, nodejs-lts-erbium, and nodejs-lts-fermium), Debian (pyxdg, shiro, and vlc), openSUSE (qemu), Oracle (lasso), Red Hat (glibc, lasso, rh-php73-php, rh-varnish6-varnish, and varnish:6), Scientific Linux (lasso), SUSE (dbus-1, lasso, python-Pillow, and qemu), and Ubuntu (exiv2, gnutls28, and qpdf). --------------------------------------------- https://lwn.net/Articles/865029/ ∗∗∗ Code Execution Flaw Found in Cisco Firepower Device Manager On-Box Software ∗∗∗ --------------------------------------------- Cisco has addressed a vulnerability in the Firepower Device Manager (FDM) On-Box software that could be exploited to gain code execution on vulnerable devices. --------------------------------------------- https://www.securityweek.com/code-execution-flaw-found-cisco-firepower-devi… ∗∗∗ Bypassing Authentication on Arcadyan Routers with CVE-2021–20090 and rooting some Buffalo ∗∗∗ --------------------------------------------- In the following sections we will look at how I took the Buffalo devices apart, did a not-so-great solder job, and used a shell offered up on UART to help find a couple of bugs that could let users bypass authentication to the web interface and enable a root BusyBox shell on telnet. --------------------------------------------- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-ro… ∗∗∗ Spyware-ähnliche Funktionen in China-App Bejing One Pass gefunden ∗∗∗ --------------------------------------------- Ausländische Firmen, die in China tätig sind, benötigen die App Beijing One Pass, um Zugang zu einer digitalen Plattform für die Verwaltung der staatlichen Leistungen für Arbeitnehmer zu erhalten. Nun haben Sicherheitsspezialisten in dieser App Spyware ähnliche Funktionen gefunden. --------------------------------------------- https://www.borncity.com/blog/2021/08/02/spyware-hnliche-funktionen-in-chin… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-20227) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: A vulnerabilty in encoding/unicode in the UTF-16 decoder has been found in x/text package before v0.3.3 for Go that could lead to an infinite loop and denial of service, affecting IBM Cloud Pak for Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilty-in-encodin… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-20227) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: Vulnerability in ksh affects AIX (CVE-2021-29741) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ksh-affe… ∗∗∗ JSA11209 ∗∗∗ --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11209 ∗∗∗ Linux kernel vulnerability CVE-2021-33909 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K75133288?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2021
by Daily end-of-shift report 02 Aug '21

02 Aug '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-07-2021 18:00 − Montag 02-08-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Linux eBPF bug gets root privileges on Ubuntu - Exploit released ∗∗∗ --------------------------------------------- CVE-2021-3490. A security researcher released exploit code for a high-severity vulnerability in Linux kernel eBPF (Extended Berkeley Packet Filter) that can give an attacker increased privileges on Ubuntu machines. ... If properly exploited, a local attacker could get kernel privileges to run arbitrary code on the machine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-ebpf-bug-gets-root-pri… ∗∗∗ Remote print server gives anyone Windows admin privileges on a PC ∗∗∗ --------------------------------------------- A researcher has created a remote print server allowing any Windows user with limited privileges to gain complete control over a device simply by installing a print driver. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/remote-print-server-gives-a… ∗∗∗ New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits ∗∗∗ --------------------------------------------- A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services (IIS) servers to infiltrate their networks. --------------------------------------------- https://thehackernews.com/2021/08/new-apt-hacking-group-targets-microsoft.h… ∗∗∗ PwnedPiper threatens thousands of hospitals worldwide, patch your systems now ∗∗∗ --------------------------------------------- Nine critical vulnerabilities in a popular hospital pneumatic tube software could give attackers control of infrastructure and allow them to launch additional attacks that cripple healthcare operations. Discovered by researchers at security platform provider Armis and dubbed PwnedPiper, the vulnerabilities are in the Nexus Control Panel software used by Translogic pneumatic tube systems (PTS) built by Swisslog Healthcare. --------------------------------------------- https://www.techrepublic.com/article/pwnedpiper-threatens-thousands-of-hosp… ∗∗∗ Vultur: Android-Trojaner späht Login-Daten für Bankkonten und E-Wallets aus ∗∗∗ --------------------------------------------- Die fernsteuerbare Malware Vultur für Android-Smartphones nutzt Funktionen zur Bildschirmaufzeichnung, um sensible Informationen auf Handys zu stehlen. --------------------------------------------- https://heise.de/-6152250 ∗∗∗ Palo Alto Networks Discloses New Attack Surface Targeting Microsoft IIS and SQL Server at Black Hat Asia 2021 ∗∗∗ --------------------------------------------- The technique allows attackers to remotely attack IIS and SQL Server to gain SYSTEM privileges by using Microsoft Jet database engine vulnerabilities. ... In response to this research, Microsoft released a complex patch to mitigate this attack surface. However, the patch is turned off by default and most Jet vulnerabilities are still not patched. We highly recommend that our customers proactively turn on mitigation to disable remote tables access in the registry and stay cautious of these kinds of attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/iis-and-sql-server/ ∗∗∗ Decryptor released for Prometheus ransomware victims ∗∗∗ --------------------------------------------- Taiwanese security firm CyCraft has released a free application that can help victims of the Prometheus ransomware recover and decrypt some of their files. --------------------------------------------- https://therecord.media/decryptor-released-for-prometheus-ransomware-victim… ===================== = Vulnerabilities = ===================== ∗∗∗ Foxit PDF Reader und Editor: Updates beseitigen zahlreiche Schwachstellen ∗∗∗ --------------------------------------------- Für Foxits PDF-Software für Windows und macOS stehen Aktualisierungen bereit, die unter anderem vor Remote Code Execution-Angriffen schützen sollen. --------------------------------------------- https://heise.de/-6152683 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (389-ds-base, consul, containerd, geckodriver, powerdns, vivaldi, webkit2gtk, and wpewebkit), Debian (aspell, condor, libsndfile, linuxptp, and lrzip), and Fedora (bluez, buildah, java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk, kernel, kernel-tools, mbedtls, mingw-exiv2, mingw-python-pillow, mrxvt, python-pillow, python2-pillow, redis, and seamonkey). --------------------------------------------- https://lwn.net/Articles/864898/ ∗∗∗ MISP: Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MISP ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0823 ∗∗∗ Security Bulletin: October 2020 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-october-2020-patch-update… ∗∗∗ Security Bulletin: Apache Commons ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons/ ∗∗∗ Security Bulletin: Vulnerability in ksh affects AIX (CVE-2021-29741) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ksh-affe… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js lodash module ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Potential vulnerability with FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Cloud Pak for Security has several security vulnerabilities addressed in the latest version ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-ha… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: January 2021 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-january-2021-patch-update… ∗∗∗ Security Bulletin: Oct 2020 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oct-2020-patch-update-for… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple OpenSSL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Potential vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: October 2020 Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-october-2020-patch-update… ∗∗∗ Security Bulletin: User Behavior Analytics application add on to IBM QRadar SIEM performs improper CSRF checking for some components ( CVE-2021-29757) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-user-behavior-analytics-a… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js lodash module ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by XML External Entity Injection vulnerability in WebSphere (CVE-2020-4949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: Potential vulnerability with Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager DR ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ Security Bulletin: Potential vulnerability in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager HA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2021
by Daily end-of-shift report 30 Jul '21

30 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-07-2021 18:00 − Freitag 30-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ [SANS ISC] Infected With a .reg File ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Infected With a .reg File“: Yesterday, I reported a piece of malware that uses archive.org to fetch its next stage. Today, I spotted another file that is also interesting: A Windows Registry file (with a “.reg” extension). Such files are text files created by exporting values [...] --------------------------------------------- https://blog.rootshell.be/2021/07/30/sans-isc-infected-with-a-reg-file/ ∗∗∗ The Life Cycle of a Breached Database ∗∗∗ --------------------------------------------- Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Heres a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database. --------------------------------------------- https://krebsonsecurity.com/2021/07/the-life-cycle-of-a-breached-database/ ∗∗∗ Threat Spotlight: Solarmarker ∗∗∗ --------------------------------------------- Cisco Talos has observed new activity from Solarmarker, a highly modular .NET-based information stealer and keylogger.A previous staging module, "d.m," used with this malware has been replaced by a new module dubbed "Mars." --------------------------------------------- https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html ∗∗∗ This Week in Security: Fail2RCE, TPM Sniffing, Fishy Leaks, and Decompiling ∗∗∗ --------------------------------------------- Fail2ban is a great tool for dynamically blocking IP addresses that show bad behavior, like making repeated login attempts. It was just announced that a vulnerability could allow an attacker [...] --------------------------------------------- https://hackaday.com/2021/07/30/this-week-in-security-fail2rce-tpm-sniffing… ∗∗∗ Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers ∗∗∗ --------------------------------------------- RiskIQs Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian heads of state held a summit wherein Russias aggressive cyber campaigns topped the list of President Bidens strategic concerns. Given this context, RiskIQ’s Team Atlas paid particular attention to APT around and after this summit, which took place on June 16. This report will be of particular interest to those tracking APT29 and targets and victims of WellMess/WellMail, who may benefit from the tactical intelligence provided below. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/apt29-bear-tracks/ ∗∗∗ NSA Releases Guidance on Securing Wireless Devices While in Public ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released an information sheet with guidance on securing wireless devices while in public for National Security System, Department of Defense, and Defense Industrial Base teleworkers, as well as the general public. This information sheet provides information on malicious techniques used by cyber actors to target wireless devices and ways to protect against it. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/30/nsa-releases-guid… ∗∗∗ Python team fixes bug that allowed takeover of PyPI repository ∗∗∗ --------------------------------------------- The Python security team has fixed today three vulnerabilities impacting the Python Package Index (PyPI), the official repository for Python libraries, including one that could have allowed a threat actor to take full control over the portal. --------------------------------------------- https://therecord.media/python-team-fixes-bug-that-allowed-takeover-of-pypi… ===================== = Vulnerabilities = ===================== ∗∗∗ Panasonic Sanyo CCTV Network Camera 2.03-0x CSRF Disable Authentication / Change Password ∗∗∗ --------------------------------------------- The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform authentication detriment and account password change with administrative privileges if a logged-in user visits a malicious web site. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5659.php ∗∗∗ Cisco Web Security Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the configuration management of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied XML input for the web interface. An attacker could exploit this vulnerability by uploading crafted XML configuration files that contain scripting code to a vulnerable device. (Version 1.1 - Added a new fixed release.) --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities Patched in WordPress Download Manager ∗∗∗ --------------------------------------------- On May 4, 2021, the Wordfence Threat Intelligence Team initiated the responsible disclosure process for WordPress Download Manager, a WordPress plugin installed on over 100,000 sites. We found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations. --------------------------------------------- https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabi… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsndfile and openjdk-11), Fedora (php-pear and seamonkey), openSUSE (fastjar and php7), SUSE (php72, qemu, and sqlite3), and Ubuntu (libsndfile, php-pear, and qpdf). --------------------------------------------- https://lwn.net/Articles/864684/ ∗∗∗ PEPPERL+FUCHS: Security Advisory for PrintNightmare Vulnerability in multiple HMI Devices ∗∗∗ --------------------------------------------- A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-034 ∗∗∗ Hitachi ABB Power Grids eSOMS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Insufficiently Protected Credentials vulnerability in Hitachi ABB Power Grids eSOMS management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-210-01 ∗∗∗ Wibu-Systems CodeMeter Runtime ∗∗∗ --------------------------------------------- This advisory contains mitigations for Buffer Over-read vulnerabilities in Wibu-Systems CodeMeter Runtime license manager software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-210-02 ∗∗∗ Security Bulletin: De-serialization Vulnerability Affects IBM Partner Engagement Manager (CVE-2021-29781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-de-serialization-vulnerab… ∗∗∗ Security Bulletin: Vulnerabilities in Java and WLP affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability (CVE-2021-29736) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25215) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: i2 Analyze has an information disclosure vulnerability (CVE-2019-17638) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-i2-analyze-has-an-informa… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) ( CVE-2021-20417, CVE-2021-20415) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2021
by Daily end-of-shift report 29 Jul '21

29 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-07-2021 18:00 − Donnerstag 29-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Verschlüsselung: Windows-Verschlüsselung Bitlocker trotz TPM-Schutz umgangen ∗∗∗ --------------------------------------------- Eine mit Bitlocker verschlüsselte SSD mit TPM-Schutz lässt sich relativ einfach knacken. Ein Passwort schützt, ist aber nicht der Standard. --------------------------------------------- https://www.golem.de/news/verschluesselung-windows-verschluesselung-bitlock… ∗∗∗ Voucher von EUSC 2021 für kostenlose Hotelübernachtungen? Versteckte Kosten! ∗∗∗ --------------------------------------------- Auf Facebook und Instagram wird von „EUCS 2021“ eine Umfrage zu Tourismuspräferenzen beworben. Als Dankeschön für die Teilnahme wird ein Voucher für 3 kostenlose Übernachtungen für 2 Personen versprochen. Beim Einlösen dieses Gutscheins werden jedoch unterschiedliche Gebühren fällig. --------------------------------------------- https://www.watchlist-internet.at/news/voucher-von-eusc-2021-fuer-kostenlos… ∗∗∗ Microsoft Security Update Revisions (29. Juli 2021) ∗∗∗ --------------------------------------------- Kurzinformation für Windows-Admins im Firmenumfeld. Microsoft hat die Nacht zum 29.7.2021 revidierte Sicherheitsupdates zur Abschwächung der NTLM Relay Attacken auf Active Directory-Zertifikate und zur Schwachstelle CVE-2021-36934 (Windows Elevation of Privilege Vulnerability) veröffentlicht. Ich stelle es man unkommentiert hier zur Info [...] --------------------------------------------- https://www.borncity.com/blog/2021/07/29/microsoft-security-update-revision… ∗∗∗ DoppelPaymer ransomware gang rebrands as the Grief group ∗∗∗ --------------------------------------------- After a period of little to no activity, the DoppelPaymer ransomware operation has made a rebranding move, now going by the name Grief (a.k.a. Pay or Grief). --------------------------------------------- https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-gang… ∗∗∗ Tools To Quickly Extract Indicators of Compromise ∗∗∗ --------------------------------------------- Brush up on indicators of compromise, their relationship to your internal threat intelligence, and tools to help you quickly extract them from PDFs and plain text. --------------------------------------------- https://www.domaintools.com/resources/blog/tools-to-quickly-extract-indicat… ∗∗∗ APT trends report Q2 2021 ∗∗∗ --------------------------------------------- This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc. --------------------------------------------- https://securelist.com/apt-trends-report-q2-2021/103517/ ∗∗∗ Reboot of PunkSpider Tool at DEF CON Stirs Debate ∗∗∗ --------------------------------------------- Researchers plan to introduce a revamp of PunkSpider, which helps identify flaws in websites so companies can make their back-end systems more secure, at DEF CON. --------------------------------------------- https://threatpost.com/punkspider-def-con-debate/168223/ ∗∗∗ Six Malicious Linux Shell Scripts Used to Evade Defenses and How to Stop Them ∗∗∗ --------------------------------------------- Uptycs Threat Research outline how malicious Linux shell scripts are used to cloak attacks and how defenders can detect and mitigate against them. --------------------------------------------- https://threatpost.com/six-malicious-linux-shell-scripts-how-to-stop-them/1… ∗∗∗ BazaCall: Phony call centers lead to exfiltration and ransomware ∗∗∗ --------------------------------------------- Our continued investigation into BazaCall campaigns, those that use fraudulent call centers that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media. --------------------------------------------- https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-cent… ∗∗∗ Malicious Content Delivered Through archive.org, (Thu, Jul 29th) ∗∗∗ --------------------------------------------- archive.org[1], also known as the "way back machine" is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website[2]). It works like regular search engines and continuously crawls the internet via bots. But there is another way to store content on archive.org: You may create an account and upload some content by yourself. --------------------------------------------- https://isc.sans.edu/diary/rss/27688 ∗∗∗ Stylish Magento Card Stealer loads Without Script Tags ∗∗∗ --------------------------------------------- Recently one of our analysts, Weston H., found a very interesting credit card stealer in a Magento environment which loads a malicious JavaScript without using any script tags. In this post I will go over how it was found, how to decode it and how it works! --------------------------------------------- https://blog.sucuri.net/2021/07/stylish-magento-card-stealer-loads-without-… ∗∗∗ Crimea "manifesto" deploys VBA Rat using double attack vectors ∗∗∗ --------------------------------------------- On July 21, 2021, we identified a suspicious document named "Манифест.docx" ("Manifest.docx") that downloads and executes two templates: one is macro-enabled and the other is an html object that contains an Internet Explorer exploit. While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit (CVE-2021-26411) previously used by the Lazarus APT is an unusual discovery. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-… ∗∗∗ “Netfilter Rootkit II ” Continues to Hold WHQL Signatures ∗∗∗ --------------------------------------------- Recently, 360 Security Center discovered that a malicious driver “Netfilter rootkit” with WHQL signature was revealed in mid-June. WHQL signature means that after the [...] --------------------------------------------- https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold… ∗∗∗ Turn Off, Turn On: Simple Step Can Thwart Top Phone Hackers ∗∗∗ --------------------------------------------- Regularly rebooting smartphones can make even the most sophisticated hackers work harder to maintain access and steal data from a phone --------------------------------------------- https://www.securityweek.com/turn-turn-simple-step-can-thwart-top-phone-hac… ∗∗∗ McAfee: Babuk ransomware decryptor causes encryption beyond repair ∗∗∗ --------------------------------------------- Babuk announced earlier this year that it would be targeting Linux/UNIX and ESXi or VMware systems with ransomware. --------------------------------------------- https://www.zdnet.com/article/mcafee-babuk-ransomware-decryptor-causes-encr… ∗∗∗ New Android malware records smartphones via VNC to steal passwords ∗∗∗ --------------------------------------------- Security researchers have discovered a novel piece of Android malware that uses the VNC technology to record a victims smartphone screen in order to collect and steal their passwords. --------------------------------------------- https://therecord.media/new-android-malware-records-smartphones-via-vnc-to-… ∗∗∗ Communication during a hacker attack ∗∗∗ --------------------------------------------- You cannot trust your office PC during a major incident. You can neither trust your usual communication and collaboration tools. If an attacker can authenticate on any domain-joined device with any domain user, the game is over. --------------------------------------------- https://securityguide.me/issues/communication-during-a-hacker-attack ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-909: (0Day) Microsoft 3D Viewer 3MF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft 3D Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-909/ ∗∗∗ Drupal: Wichtiges Sicherheitsupdate für "Pages Restriction Access"-Modul ∗∗∗ --------------------------------------------- Ein Update für "Pages Restriction Access" für die 8er-Versionsreihe des CMS Drupal beseitigt Zugriffsmöglichkeiten über eine kritische Sicherheitslücke. --------------------------------------------- https://heise.de/-6150416 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (ruby and webkit2gtk3), Mageia (aspell and varnish), openSUSE (git), SUSE (ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema and git), and Ubuntu (libsndfile, mariadb-10.3, and [...] --------------------------------------------- https://lwn.net/Articles/864577/ ∗∗∗ Tomcat vulnerability CVE-2021-30640 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35033051 ∗∗∗ Apache Tomcat vulnerability CVE-2021-30639 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87895241 ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-27219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Elastic Storage System (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-20505 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities fixed in Openssl as shipped with IBM Security Verify products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2021
by Daily end-of-shift report 28 Jul '21

28 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-07-2021 18:00 − Mittwoch 28-07-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Haron and BlackMatter are the latest groups to crash the ransomware party ∗∗∗ --------------------------------------------- The additions come as the number of high-severity ransomware attacks ratchet up. --------------------------------------------- https://arstechnica.com/?p=1783582 ∗∗∗ LockBit ransomware now encrypts Windows domains using group policies ∗∗∗ --------------------------------------------- An new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encry… ∗∗∗ Sicherheitswarnung: BSI sieht kaum Schutzmöglichkeiten vor Pegasus ∗∗∗ --------------------------------------------- Das BSI hat eine offizielle Warnung vor der Spionagesoftware Pegasus veröffentlicht. Die Bedrohungslage wird aber nicht als kritisch eingestuft. --------------------------------------------- https://www.golem.de/news/sicherheitswarnung-bsi-sieht-kaum-schutzmoeglichk… ∗∗∗ UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild ∗∗∗ --------------------------------------------- An Android malware that was observed abusing accessibility services in the device to hijack user credentials from European banking applications has morphed into an entirely new botnet as part of a renewed campaign that began in May 2021. --------------------------------------------- https://thehackernews.com/2021/07/ubel-is-new-oscorp-android-credential.html ∗∗∗ Top 25 der Sicherheitslücken: Buffer Overflows als größte Gefahrenquelle ∗∗∗ --------------------------------------------- Eine kürzlich veröffentlichte Auswertung von häufigen Softwareschwachstellen liefert eine Übersicht über die 25 gefährlichsten Arten. --------------------------------------------- https://heise.de/-6148053 ∗∗∗ Vorsicht bei der Urlaubsbuchung: BetrügerInnen geben sich als türkische Luxus-Hotels aus! ∗∗∗ --------------------------------------------- Wer einen Urlaub in der Türkei buchen will, sollte sich vor BetrügerInnen in Acht nehmen, die Webseiten türkischer Luxus-Hotels kopieren. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-urlaubsbuchung-betr… ∗∗∗ THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group ∗∗∗ --------------------------------------------- We provide a technical overview of the previously unseen PlugX variant THOR, indicators of compromise and a new tool for payload decryption. --------------------------------------------- https://unit42.paloaltonetworks.com/thor-plugx-variant/ ∗∗∗ Ransomware Families: 2021 Data to Supplement the Unit 42 Ransomware Threat Report ∗∗∗ --------------------------------------------- We discuss the propagation of different ransomware families we observed in the wild in early 2021 and the different types of extortion used. --------------------------------------------- https://unit42.paloaltonetworks.com/ransomware-families/ ∗∗∗ Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- CISA, the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) have released the Joint Cybersecurity Advisory Top Routinely Exploited Vulnerabilities, which details the top vulnerabilities routinely exploited by malicious actors in 2020 and those being widely exploited thus far in 2021. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/28/top-routinely-exp… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Microsoft Hyper-V bug could haunt orgs for a long time ∗∗∗ --------------------------------------------- Technical details are now available for a vulnerability that affects Hyper-V, Microsofts native hypervisor for creating virtual machines on Windows systems and in Azure cloud computing environment. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-microsoft-hyper-v-b… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang), Mageia (curl, filezilla, jdom/jdom2, netty, pdfbox, perl-Mojolicious, perl-Net-CIDR-Lite, perl-Net-Netmask, python-urllib3, python3, quassel, transfig, and virtualbox), openSUSE (umoci), Red Hat (rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and SUSE (firefox, glibc, libsndfile, linuxptp, qemu, and umoci). --------------------------------------------- https://lwn.net/Articles/864497/ ∗∗∗ Security Bulletin: A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Mgmt (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Vulnerability deferred from Oracle Oct 2020 CPU for Java 8 (CVE-2020-14781 ) may affect IBM® SDK, Java™ Technology Edition and IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-deferred-fr… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Analyst's Notebook Premium uses a component with known vulnerabilities (CVE-2020-16013, CVE-2020-16009, CVE-2020-15999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-analysts-notebook-pre… ∗∗∗ Security Bulletin: Vulnerabilities in Java and WLP affects IBM Cloud Application Business Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Guardium Data Encryption (GDE) (CVE-2020-7676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-gu… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: HTTP Header Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2021-20560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-http-header-vulnerability… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect Engineering Lifecycle Management and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: RabbitMQ as used by IBM QRadar SIEM is vulnerable to unsafe deserialization (CVE-2020-36282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rabbitmq-as-used-by-ibm-q… ∗∗∗ Security Bulletin: Information disclosure vulnerability in IBM i2 Analyze (CVE-2021-29766) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Transparent Could Tiering is affected by a vulnerability in Apache Commons IO ( CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-could-tie… ∗∗∗ Security Bulletin: i2 Analyse and Analyst's Notebook Premium have hyperlink clicking vulnerability (CVE-2021-29770) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-i2-analyse-and-analysts-n… ∗∗∗ Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affe… ∗∗∗ SECURITY BULLETIN: July 28, 2021, Security Bulletin for Worry-Free Business Security ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000287820 ∗∗∗ SECURITY BULLETIN: July 28, 2021, Security Bulletin for Trend Micro Apex One and Apex One as a Service ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000287819 ∗∗∗ MISP: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0814 ∗∗∗ KUKA KR C4 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-01 ∗∗∗ Mitsubishi Electric GOT2000 series and GT SoftGOT2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-02 ∗∗∗ Geutebrück G-Cam E2 and G-Code ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03 ∗∗∗ LCDS LAquis SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-04 ∗∗∗ Delta Electronics DIAScreen ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2021
by Daily end-of-shift report 27 Jul '21

27 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Montag 26-07-2021 18:00 − Dienstag 27-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Failed Malspam: Recovering The Password, (Mon, Jul 26th) ∗∗∗ --------------------------------------------- Jan's diary entry "One way to fail at malspam - give recipients the wrong password for an encrypted attachment" got my attention: it's an opportunity for me to do some password cracking. --------------------------------------------- https://isc.sans.edu/diary/rss/27674 ∗∗∗ Hiding Malware in ML Models ∗∗∗ --------------------------------------------- “EvilModel: Hiding Malware Inside of Neural Network Models”. --------------------------------------------- https://www.schneier.com/blog/archives/2021/07/hiding-malware-in-ml-models.… ∗∗∗ OSX.XLoader hides little except its main purpose: What we learned in the installation process ∗∗∗ --------------------------------------------- We dig into OSX.XLoader, also known as X Loader, which is the latest threat to macOS that bears some similarities to novice malware. --------------------------------------------- https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-i… ∗∗∗ Malware developers turn to exotic programming languages to thwart researchers ∗∗∗ --------------------------------------------- They are focused on exploiting pain points in code analysis and reverse-engineering. --------------------------------------------- https://www.zdnet.com/article/malware-developers-turn-to-exotic-programming… ∗∗∗ Wie MSPs am besten mit der Ransomware-Krise umgehen können ∗∗∗ --------------------------------------------- Managed Service Provider (MSPs) spielen eine kritische Rolle im Kampf gegen Schadsoftware. Allerdings traf die Ransomware-Attacke auf Kaseya dutzende von MSPs mit voller Wucht und dadurch mittelbar auch deren Kunden. --------------------------------------------- https://www.zdnet.de/88395971/wie-msps-am-besten-mit-der-ransomware-krise-u… ∗∗∗ Praying Mantis APT targets IIS servers with ASP.NET exploits ∗∗∗ --------------------------------------------- A new advanced persistent threat (APT) group has been seen carrying out attacks against Microsoft IIS web servers using old exploits in ASP.NET applications in order to plant a backdoor and then pivot to companys internal networks. --------------------------------------------- https://therecord.media/praying-mantis-apt-targets-iis-servers-with-asp-net… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple fixes zero-day affecting iPhones and Macs, exploited in the wild ∗∗∗ --------------------------------------------- Apple has released security updates to address a zero-day vulnerability exploited in the wild and impacting iPhones, iPads, and Macs. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-affecting-… ∗∗∗ Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities ∗∗∗ --------------------------------------------- Security researchers warn of new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-warn-of-unpatche… ∗∗∗ Moodle: Neue Versionen beseitigen Remote-Angriffsmöglichkeit via Shibboleth ∗∗∗ --------------------------------------------- Mehrere Versionen der Lernplattform sind, allerdings nur bei aktivierter Shibboleth-Authentifizierung, aus der Ferne angreifbar. Updates stehen bereit. --------------------------------------------- https://heise.de/-6148879 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7), Fedora (linux-firmware), openSUSE (qemu), Oracle (kernel and thunderbird), Red Hat (thunderbird), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, kernel, and thunderbird), SUSE (dbus-1, libvirt, linuxptp, qemu, and slurm), and Ubuntu (aspell and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/864439/ ∗∗∗ Vulnerabilities Allow Hacking of Zimbra Webmail Servers With Single Email ∗∗∗ --------------------------------------------- Vulnerabilities in the Zimbra enterprise webmail solution could allow an attacker to gain unrestricted access to an organization’s sent and received email messages, software security firm SonarSource reveals. --------------------------------------------- https://www.securityweek.com/vulnerabilities-allow-hacking-zimbra-webmail-s… ∗∗∗ Security Bulletin: A security vulnerability in Golang Go affects IBM Cloud Pak for Multicloud Management Managed services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: XSS Security Vulnerabilty Affects Mailbox UI of IBM Sterling B2B Integrator (CVE-2021-20562) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xss-security-vulnerabilty… ∗∗∗ Security Bulletin: A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: GRUB2 as used by IBM QRadar SIEM is vulnerable to arbitrary code execution ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-grub2-as-used-by-ibm-qrad… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2021-20399) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ MIT Kerberos: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0809 ∗∗∗ VLC: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0807 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0812 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2021
by Daily end-of-shift report 26 Jul '21

26 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-07-2021 18:00 − Montag 26-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Windows-Netze verwundbar für Relay-Angriff PetitPotam ∗∗∗ --------------------------------------------- Forscher demonstrieren einen neuen Weg, sich zum König einer Windows-Domäne aufzuschwingen. Microsoft zuckt mit den Achseln und verweist auf Härtungsmaßnahmen. --------------------------------------------- https://heise.de/-6147467 ∗∗∗ GitLab schickt Package Hunter auf die Jagd nach Schadcode ∗∗∗ --------------------------------------------- Das neue Open-Source-Tool Package Hunter soll Schadcode in Dependencies erkennen können. --------------------------------------------- https://heise.de/-6147526 ∗∗∗ No More Ransom: We Prevented Ransomware Operators From Earning $1 Billion ∗∗∗ --------------------------------------------- No More Ransom is celebrating its 5th anniversary and the project says it has helped more than 6 million ransomware victims recover their files and prevented cybercriminals from earning roughly $1 billion. No More Ransom is a joint effort of law enforcement and cybersecurity companies whose goal is to help victims of ransomware attacks recover their files without having to pay the ransom demanded by criminals. --------------------------------------------- https://www.securityweek.com/no-more-ransom-we-prevented-ransomware-operato… ∗∗∗ Microsoft warns of weeks-long malspam campaign abusing HTML smuggling ∗∗∗ --------------------------------------------- The Microsoft security team said it detected a weeks-long email spam campaign abusing a technique known as “HTML smuggling” to bypass email security systems and deliver malware to user devices. HTML smugging, as explained by SecureTeam and Outflank, is a technique that allows threat actors to assemble malicious files on users’ device by clever use of HTML5 and JavaScript code. --------------------------------------------- https://therecord.media/microsoft-warns-of-weeks-long-malspam-campaign-abus… ∗∗∗ RemotePotato0: Privilege Escalation-Schwachstelle im Windows RPC Protocol ∗∗∗ --------------------------------------------- Jedes Windows-System ist anfällig für eine bestimmte NTLM-Relay-Attacke, die es Angreifern ermöglichen könnte, die Privilegien vom Benutzer zum Domain-Admin zu erweitern. Diese Schwachstelle besitzt den Status „wird nicht behoben“ und war Gegenstand des PetitPotam-Ansatzes, den ich am Wochenende thematisiert hatte. Nun hat Antonio Cocomazzi auf die RemotePotato0 genannte Schwachstelle hingewiesen. Diese verwendet das Windows RPC Protocol für eine Privilegien-Ausweitung. --------------------------------------------- https://www.borncity.com/blog/2021/07/26/remotepotato0-privilege-escalation… ===================== = Vulnerabilities = ===================== ∗∗∗ Collabora Online: Update schützt vor unbefugten Dateizugriffen aus der Ferne ∗∗∗ --------------------------------------------- Das Collabora Online-Team rät zur Aktualisierung der Online-Officeanwendung, um eine als "kritisch" eingestufte Remote-Angriffsmöglichkeit zu beseitigen. --------------------------------------------- https://heise.de/-6147967 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (aspell, intel-microcode, krb5, rabbitmq-server, and ruby-actionpack-page-caching), Fedora (chromium, containernetworking-plugins, containers-common, crun, fossil, podman, skopeo, varnish-modules, and vmod-uuid), Gentoo (leptonica, libsdl2, and libyang), Mageia (golang, lib3mf, nodejs, python-pip, redis, and xstream), openSUSE (containerd, crmsh, curl, icinga2, and systemd), Oracle (containerd), and Red Hat (thunderbird). --------------------------------------------- https://lwn.net/Articles/864346/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in OTRS ausnutzen, um Sicherheitsvorkehrungen zu umgehen und einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0805 ∗∗∗ Security Bulletin: FasterXML Vulnerability in Jackson-Databind Affects IBM Sterling Connect:Direct File Agent (CVE-2018-7489) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-fasterxml-vulnerability-i… ∗∗∗ Security Bulletin: Apache Commons Configuration Vulnerability Affects IBM Sterling Connect:Direct File Agent (CVE-2020-1953) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-configurat… ∗∗∗ Security Bulletin: IBM i2 Analyze missing security header (CVE-2021-29769) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-missing-se… ∗∗∗ Security Bulletin: IBM i2 Analyze and i2 Analyst's Notebook Premium has session handling vulnerability (CVE-2021-20431) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-i2-ana… ∗∗∗ Security Bulletin: Apache PDFBox as used by IBM QRadar Incident Forensics is vulnerable to denial of service (CVE-2021-27807, CVE-2021-27906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-pdfbox-as-used-by-… ∗∗∗ Security Bulletin: IBM i2 Analyst's Notebook Premium has an information disclosure vulnerability (CVE-2021-29767) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: IBM i2 iBase vulnerable to DLL highjacking (CVE-2020-4623) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-ibase-vulnerable-t… ∗∗∗ Security Bulletin: IBM i2 Analyst's Notebook Premium has an information disclosure vulnerability (CVE-2021-29784) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: IBM QRadar SIEM uses weaker than expected cryptographic algorithms (CVE-2021-20337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-uses-weak… ∗∗∗ Security Bulletin: IBM i2 Analyze has an information disclosure vulnerability (CVE-2021-20430) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-has-an-inf… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.07.2021
by Daily end-of-shift report 23 Jul '21

23 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-07-2021 18:00 − Freitag 23-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Nach Lieferkettenangriff: Kaseya will Daten retten dank Entschlüsselungs-Tool ∗∗∗ --------------------------------------------- Fast drei Wochen nach dem verheerenden LIeferkettenangriff auf Kunden von Kaseya gibt es Hoffnung für die Opfer. Die US-Firma hat einen Generalschlüssel. --------------------------------------------- https://heise.de/-6145950 ∗∗∗ The NSO “Surveillance List”: What It Is and Isn’t ∗∗∗ --------------------------------------------- A series of blockbuster stories published this week around a leaked list of 50,000 phone numbers have created confusion about whether the owners of those numbers were targets of surveillance or not. --------------------------------------------- https://zetter.substack.com/p/the-nso-surveillance-list-what-it ∗∗∗ Phish Swims Past Email Security With Milanote Pages ∗∗∗ --------------------------------------------- The “Evernote for creatives” is anchoring a rapidly spiking phishing campaign, evading SEGs with ease. --------------------------------------------- https://threatpost.com/phish-email-security-milanote/168021/ ∗∗∗ When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure ∗∗∗ --------------------------------------------- LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity. --------------------------------------------- https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-… ∗∗∗ Uncovering Shenanigans in an IP Address Block via Hurricane Electrics BGP Toolkit (II), (Fri, Jul 23rd) ∗∗∗ --------------------------------------------- Today's diary revisits hunting for dodgy domains via Hurricane Electric's BGP Toolkit [1]. This was previously done in an earlier diary [2], and I plan to do this occasionally to share potential or identified threats so that readers can be aware of them. --------------------------------------------- https://isc.sans.edu/diary/rss/27664 ∗∗∗ Nasty macOS Malware XCSSET Now Targets Google Chrome, Telegram Software ∗∗∗ --------------------------------------------- A malware known for targeting macOS operating system has been updated once again to add more features to its toolset that allows it to amass and exfiltrate sensitive data stored in a variety of apps, including apps such as Google Chrome and Telegram, as part of further "refinements in its tactics." --------------------------------------------- https://thehackernews.com/2021/07/nasty-macos-malware-xcsset-now-targets.ht… ∗∗∗ Wake up! Identify API Vulnerabilities Proactively, From Production Back to Code ∗∗∗ --------------------------------------------- After more than 20 years in the making, now its official: APIs are everywhere. In a 2021 survey, 73% of enterprises reported that they already publish more than 50 APIs, and this number is constantly growing. APIs have crucial roles to play in virtually every industry today, and their importance is increasing steadily, as they move to the forefront of business strategies. --------------------------------------------- https://thehackernews.com/2021/07/wake-up-identify-api-vulnerabilities.html ∗∗∗ This Week in Security: NSO, Print Spooler, and a Mysterious Decryptor ∗∗∗ --------------------------------------------- The NSO Group has been in the news again recently, with multiple stories reporting on their Pegasus spyware product. The research and reporting spearheaded by Amnesty International is collectively known [...] --------------------------------------------- https://hackaday.com/2021/07/23/this-week-in-security-nso-print-spooler-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Unified Customer Voice Portal Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco Unified Customer Voice Portal (CVP) could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user. This vulnerability is due to insufficient input validation of a parameter that is used by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, curl, impacket, jdk11-openjdk, jre-openjdk, jre-openjdk-headless, jre11-openjdk-headless, kernel, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, libpano13, linux-hardened, linux-lts, linux-zen, nvidia-utils, opera, systemd, and virtualbox), CentOS (java-11-openjdk and kernel), Debian (lemonldap-ng), Fedora (curl and podman), Gentoo (icedtea-web and velocity), openSUSE (bluez, go1.15, go1.16, [...] --------------------------------------------- https://lwn.net/Articles/864158/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0004 ∗∗∗ --------------------------------------------- Date Reported: July 23, 2021 Advisory ID: WSA-2021-0004 CVE identifiers: CVE-2021-1817, CVE-2021-1820,CVE-2021-1825, CVE-2021-1826,CVE-2021-21775, CVE-2021-21779,CVE-2021-21806, CVE-2021-30661,CVE-2021-30663, CVE-2021-30665,CVE-2021-30666, CVE-2021-30682,CVE-2021-30689, CVE-2021-30720,CVE-2021-30734, CVE-2021-30744,CVE-2021-30749, CVE-2021-30758,CVE-2021-30761, CVE-2021-30762,CVE-2021-30795, CVE-2021-30797,CVE-2021-30799. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2021-0004.html ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210721… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise v11 are affected by vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-2207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Microsoft Chrome Based Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0800 ∗∗∗ Asterisk: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0799 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2021
by Daily end-of-shift report 22 Jul '21

22 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-07-2021 18:00 − Donnerstag 22-07-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cisco: Wichtiges Sicherheitsupdate für Intersight Virtual Appliance verfügbar ∗∗∗ --------------------------------------------- Für die virtuelle Cisco Intersight-Appliance, aber auch für weitere Produkte des Netzwerkausrüsters stehen sicherheitsrelevante Aktualisierungen bereit. --------------------------------------------- https://heise.de/-6144993 ∗∗∗ HP, Samsung & Xerox: Lücke in Windows-Druckertreibern gefixt – nach 16 Jahren ∗∗∗ --------------------------------------------- Wer die seit Mitte Mai verfügbaren Druckertreiber-Updates noch nicht installiert hat, sollte dies zügig nachholen: Angreifer könnten Systeme übernehmen. --------------------------------------------- https://heise.de/-6145114 ∗∗∗ Recovery Scams: Weitere Schäden statt Geld zurück! ∗∗∗ --------------------------------------------- Wer Opfer einer betrügerischen Investitionsplattform wird, erleidet mitunter beträchtlichen finanziellen Schaden. Damit nicht genug, folgen wenig später E-Mails oder Anrufe der Kriminellen, die hinter dem Investitionsbetrug steckten. Diesmal geben sie sich jedoch nicht als InvestmentberaterInnen aus, sondern Schlüpfen in eine andere Rolle: Gegen Vorabzahlung versprechen sie Hilfe beim Zurückholen des verlorenen Geldes. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scams-weitere-schaeden-stat… ∗∗∗ MITRE updates list of top 25 most dangerous software bugs ∗∗∗ --------------------------------------------- MITRE has shared this years top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mitre-updates-list-of-top-25… ∗∗∗ Microsoft Issues Windows 10 Workaround Fix for ‘SeriousSAM’ Bug ∗∗∗ --------------------------------------------- A privilege elevation bug in Windows 10 opens all systems to attackers to access data and create new accounts on systems. --------------------------------------------- https://threatpost.com/win-10-serioussam/168034/ ∗∗∗ Compromising a Network Using an "Info" Level Finding ∗∗∗ --------------------------------------------- Anyone who has ever read a vulnerability scan report will know that scanners often include a large number of findings they classify as "Info". Typically this is meant to convey general information about the target systems which does not pose any risk. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/compromisin… ∗∗∗ Vulnerable Plugin Exploited in Spam Redirect Campaign ∗∗∗ --------------------------------------------- Some weeks ago a critical unauthenticated privilege escalation vulnerability was discovered in old, unpatched versions of the wp-user-avatar plugin. It also allows for arbitrary file uploads, which is where we have been seeing the infections start. This plugin has over 400,000 installations so we have seen a sustained campaign to infect sites with this plugin installed. In this post I will review a common infection seen as a result of this vulnerability in the wp-user-avatar plugin. --------------------------------------------- https://blog.sucuri.net/2021/07/vulnerable-plugin-exploited-in-spam-redirec… ∗∗∗ Oracle Warns of Critical Remotely Exploitable Weblogic Server Flaws ∗∗∗ --------------------------------------------- Oracle on Tuesday released its quarterly Critical Patch Update for July 2021 with 342 fixes spanning across multiple products, some of which could be exploited by a remote attacker to take control of an affected system. Chief among them is CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services thats remotely exploitable without authentication. It's worth noting that the weakness was originally addressed as part of an out-of-band security update in June 2019. --------------------------------------------- https://thehackernews.com/2021/07/oracle-warns-of-critical-remotely.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pillow and redis), Fedora (kernel-headers, kernel-tools, kernelshark, libbpf, libtraceevent, libtracefs, nextcloud, and trace-cmd), Gentoo (chromium and singularity), Mageia (kernel, kernel-linus, and systemd), openSUSE (caribou, chromium, curl, and qemu), Oracle (java-1.8.0-openjdk, java-11-openjdk, kernel, and systemd), Slackware (curl), SUSE (curl, kernel, linuxptp, python-pip, and qemu), and Ubuntu (ruby2.3, ruby2.5, ruby2.7). --------------------------------------------- https://lwn.net/Articles/863997/ ∗∗∗ Atlassian Patches Critical Vulnerability in Jira Data Center Products ∗∗∗ --------------------------------------------- Software development and collaboration solutions provider Atlassian on Wednesday informed customers that it has patched a critical code execution vulnerability affecting some of its Jira products. --------------------------------------------- https://www.securityweek.com/atlassian-patches-critical-vulnerability-jira-… ∗∗∗ IDEMIA fixed biometric identification devices vulnerabilities discovered by Positive Technologies ∗∗∗ --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/idemia-fixed-biometric-identifi… ∗∗∗ July 22, 2021 TNS-2021-14 [R1] Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2021-14 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0793 ∗∗∗ cURL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0797 ∗∗∗ MB connect line: Apache Guacamole related vulnerabilities in mbCONNECT24, mymbCONNECT24 <= 2.8.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-031 ∗∗∗ MB connect line: two vulnerabilities in mymbCONNECT24, mbCONNECT24 <= 2.8.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-030 ∗∗∗ MB connect line: Privilege escalation in mbDIALUP <= 3.9R0.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2021-017 ∗∗∗ ZDI-21-893: (0Day) Apple macOS ImageIO WEBP File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-893/ ∗∗∗ ZDI-21-892: (0Day) Apple macOS ImageIO WEBP File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-892/ ∗∗∗ ZDI-21-891: (0Day) Apple macOS ImageIO TIFF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-891/ ∗∗∗ ZDI-21-890: (0Day) Apple macOS AudioToolboxCore LOAS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-890/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK (April 2021) affects IBM InfoSphere Information Server (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Addressing the Sqlite Vulnerability CVE-2021-20227 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-addressing-the-sqlite-vul… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Directory Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2021
by Daily end-of-shift report 21 Jul '21

21 Jul '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-07-2021 18:00 − Mittwoch 21-07-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Trügerische Gewinnversprechen ∗∗∗ --------------------------------------------- Der Onlinehandel mit Finanzinstrumenten wird bei Anlegern immer beliebter. Diesen Trend machen sich Betrüger zunutze. Sie versprechen hohe Gewinne mit betrügerischen Cybertrading-Plattformen. --------------------------------------------- https://www.bmi.gv.at/news.aspx?id=4661724A4D466861696B4D3D ∗∗∗ XLoader malware steals logins from macOS and Windows systems ∗∗∗ --------------------------------------------- A highly popular malware for stealing information from Windows systems has been modified into a new strain called XLoader, which can also target macOS systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xloader-malware-steals-login… ∗∗∗ NPM package steals Chrome passwords on Windows via recovery tool ∗∗∗ --------------------------------------------- New npm malware has been caught stealing credentials from the Google Chrome web browser by using legitimate password recovery tools on Windows systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-package-steals-chrome-pa… ∗∗∗ Betrügerische E-Mail im Namen der Raiffeisen Bank im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche InternetnutzerInnen finden derzeit ein vermeintliches E-Mail der Raiffeisen Bank in ihrem Posteingang. Darin wird behauptet, dass aufgrund aktueller Betrugsversuche ein neues Sicherheitssystem notwendig sei. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-e-mail-im-namen-der-r… ∗∗∗ CVE-2021-31969: Underflowing in the Clouds ∗∗∗ --------------------------------------------- You can now have your storage in the cloud while exploring it locally on your system. On Windows, this is done via the Cloud Sync Engine. This component exposes a native API known as the Cloud Filter API. --------------------------------------------- https://www.thezdi.com/blog/2021/7/19/cve-2021-31969-underflowing-in-the-cl… ∗∗∗ New Attacks on Kubernetes via Misconfigured Argo Workflows ∗∗∗ --------------------------------------------- Intezer has detected a new attack vector against Kubernetes (K8s) clusters via misconfigured Argo Workflows instances. --------------------------------------------- https://www.intezer.com/blog/container-security/new-attacks-on-kubernetes-v… ===================== = Vulnerabilities = ===================== ∗∗∗ Nasty Linux Systemd Security Bug Revealed ∗∗∗ --------------------------------------------- Qualys has discovered a new systemd security bug that enables any unprivileged user to cause a denial of service via a kernel panic. --------------------------------------------- https://it.slashdot.org/story/21/07/20/211230/nasty-linux-systemd-security-… ∗∗∗ Vulnerability in ON24 Plugin for macOS Shares More Than Just Your Screen ∗∗∗ --------------------------------------------- ON24 presenter mode requires you to install a plugin that is used to share your screen. For the macOS app (DesktopScreenShare.app), the plugin is started automatically once a user logs on. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabili… ∗∗∗ HiveNightmare: Nutzer können die Windows-Passwort-Datenbank auslesen ∗∗∗ --------------------------------------------- Fehlerhafte Zugriffsrechte verursachen eine Sicherheitslücke in Windows 10 und 11. Einen Patch gibt es noch nicht – wir zeigen aber erste Workarounds. --------------------------------------------- https://heise.de/-6143746 ∗∗∗ Sicherheitsupdates: Adobe patcht Photoshop & Co. außer der Reihe ∗∗∗ --------------------------------------------- Angreifer könnten Computer, auf denen unter anderem Adobe After Effects oder Prelude laufen, mit Schadcode attackieren. --------------------------------------------- https://heise.de/-6143780 ∗∗∗ Root-Kernel-Lücke bedroht viele Linux-Distributionen ∗∗∗ --------------------------------------------- Sicherheitsforscher demonstrieren erfolgreiche Attacken auf Debian, Fedora und Ubuntu. Im Anschluss hatten sie Root-Rechte. Patches schaffen Abhilfe. --------------------------------------------- https://heise.de/-6144023 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ant, code, dino, firefox-ublock-origin, go, libuv, nextcloud-app-mail, nodejs-lts-erbium, nodejs-lts-fermium, openvswitch, putty, racket, telegram-desktop, and wireshark-cli), Debian (kernel, linux-4.19, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and krb5), Gentoo (systemd), Mageia (perl-Convert-ASN1 and wireshark), openSUSE (caribou, containerd, crmsh, fossil, icinga2, kernel, nextcloud, and systemd), Red Hat (389-ds:1.4, glibc,[...] --------------------------------------------- https://lwn.net/Articles/863861/ ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in Safari 14.1.2 and iOS 14.7. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/apple-releases-se… ∗∗∗ Malware Targeting Pulse Secure Devices ∗∗∗ --------------------------------------------- As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/malware-targeting… ∗∗∗ VU#914124: Arcadyan-based routers and modems vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/914124 ∗∗∗ Dell OpenManage Enterprise Hardcoded Credentails / Privilege Escalation / Deserialization ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2021070121 ∗∗∗ Security Bulletin: Multiple vulnerabilities in F5 NGINX Controller affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Nvidia GPU Display Treiber: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0769 ∗∗∗ PuTTY: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0790 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-201-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily