- Daily - CERT.at

Tageszusammenfassung - 18.10.2021
by Daily end-of-shift report 18 Oct '21

18 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-10-2021 18:00 − Montag 18-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Unternehmensbetrug: Diese Gefahren sollten Unternehmen und ihre MitarbeiterInnen kennen! ∗∗∗ --------------------------------------------- Internetbetrug betrifft nicht nur Privatpersonen, auch Unternehmen sind eine beliebte Zielscheibe für Cyberkriminelle. Angegriffen wird allerdings nicht nur die technische Infrastruktur von Unternehmen, vielmehr zielen Attacken hauptsächlich auf die MitarbeiterInnen ab. Im Rahmen des Projekts „CyberSec“ will sich die Watchlist Internet daher verstärkt dem Thema Unternehmensbetrug widmen, um Betriebe im Bereich der Internetsicherheit zu stärken. --------------------------------------------- https://www.watchlist-internet.at/news/unternehmensbetrug-diese-gefahren-so… ∗∗∗ REvil ransomware shuts down again after Tor sites were hijacked ∗∗∗ --------------------------------------------- The REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-… ∗∗∗ Microsoft asks admins to patch PowerShell to fix WDAC bypass ∗∗∗ --------------------------------------------- Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-asks-admins-to-pa… ∗∗∗ Warranty Repairs and Non-Removable Storage Risks, (Fri, Oct 15th) ∗∗∗ --------------------------------------------- I have been asked several times in recent months about addressing risks of warranty repair service of laptops/tablets. With each of these situations, the question boiled down to the same underlying issue: non-removable storage --------------------------------------------- https://isc.sans.edu/diary/rss/27938 ∗∗∗ Malicious PowerShell Using Client Certificate Authentication, (Mon, Oct 18th) ∗∗∗ --------------------------------------------- Attackers have many ways to protect their C2 servers from unwanted connections. They can check some specific headers, the user-agent, the IP address location (GeoIP), etc. I spotted an interesting PowerShell sample that implements a client certificate authentication mechanism to access its C2 server. --------------------------------------------- https://isc.sans.edu/diary/rss/27944 ∗∗∗ Security Risks with Private 5G in Manufacturing Companies ∗∗∗ --------------------------------------------- Private 5G is said to bring about the "democratization of communications." This technology allows private companies and local governments to take the driving seat in operating the latest information communication systems. --------------------------------------------- https://www.trendmicro.com/en_us/research/21/j/security-risks-with-private-… ∗∗∗ Ransomware in a global context ∗∗∗ --------------------------------------------- This report is the first step in what we hope will become an ongoing community effort to discover and share actionable information on malware trends. Over the last 16 years, we have processed more than 2 million files per day across 232 countries. --------------------------------------------- https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf ∗∗∗ Case Study: From BazarLoader to Network Reconnaissance ∗∗∗ --------------------------------------------- BazarLoader Windows-based malware provides backdoor access that criminals can use to perform reconnaissance to map the victims network. --------------------------------------------- https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/ ∗∗∗ This particularly dangerous phishing attack features a weaponized Excel file ∗∗∗ --------------------------------------------- Security researchers warn about a sneaky phishing campaign from one of the most creative cybercrime groups on the internet. --------------------------------------------- https://www.zdnet.com/article/this-particularly-dangerous-phishing-attack-f… ∗∗∗ Virus Bulletin: Old malware never dies – it just gets more targeted ∗∗∗ --------------------------------------------- Putting a precision payload on top of more generic malware makes perfect sense for malware operators --------------------------------------------- https://www.welivesecurity.com/2021/10/15/virus-bulletin-old-malware-never-… ∗∗∗ IcedID to XingLocker Ransomware in 24 hours ∗∗∗ --------------------------------------------- Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early [...] --------------------------------------------- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-… ∗∗∗ ASEC Weekly Malware Statistics (October 4th, 2021 – October 10th, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 4th, 2021 (Monday) to October 10th, 2021 (Sunday). For the main category, info-stealer ranked top with 68.4%, followed by Downloader with 12.6%, RAT (Remote Administration Tool) malware with 8.6%, Backdoor Downloader with 6.3%, Ransomware with 3.7%, and Banking malware with 0.3%. --------------------------------------------- https://asec.ahnlab.com/en/27824/ ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress: Beliebtes Plugin "WP Fastest Cache" braucht dringend ein Update ∗∗∗ --------------------------------------------- Jetzt updaten: Das Cache-Plugin WP Fastest Cache wies Schwachstellen auf, die WordPress-Installationen unter bestimmten Voraussetzungen angreifbar machten. --------------------------------------------- https://heise.de/-6220994 ∗∗∗ 2021-10 Security Bulletin: CTPView: HSTS not being enforced on CTPView server. (CVE-2021-0296) ∗∗∗ --------------------------------------------- The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11210 ∗∗∗ 2021-10 Security Bulletin: Junos OS: MX Series: Receipt of specific packet on MS-MPC/MS-MIC causes line card reset (CVE-2021-31351) ∗∗∗ --------------------------------------------- An Improper Check for Unusual or Exceptional Conditions in packet processing on the MS-MPC/MS-MIC utilized by Juniper Networks Junos OS allows a malicious attacker to send a specific packet, triggering the MS-MPC/MS-MIC to reset, causing a Denial of Service (DoS). --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11216 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, libreoffice, linux-4.19, and nghttp2), Fedora (chromium, libopenmpt, vim, and xen), openSUSE (firefox, kernel, krb5, libaom, and opera), Oracle (thunderbird), SUSE (firefox, firefox, rust-cbindgen, iproute2, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, and krb5), and Ubuntu (nginx). --------------------------------------------- https://lwn.net/Articles/873210/ ∗∗∗ 128 Technology Session Smart Router vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN85073657/ ∗∗∗ Eclipse Jetty vulnerability CVE-2021-28165 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15338344?utm_source=f5support&utm_mediu… ∗∗∗ Node.js vulnerabilities CVE-2021-3672 and CVE-2021-22931 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53225395?utm_source=f5support&utm_mediu… ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1077 ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to jzsip (CVE-2021-23413) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: Cross site scripting vulnerability affecting Case Builder in IBM Business Automation Workflow – CVE-2021-29878 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Have been addressed in IBM Security Access Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2021
by Daily end-of-shift report 15 Oct '21

15 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-10-2021 18:00 − Freitag 15-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Accenture confirms data breach after August ransomware attack ∗∗∗ --------------------------------------------- Global IT consultancy giant Accenture confirmed that LockBit ransomware operators stole data from its systems during an attack that hit the companys systems in August 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/accenture-confirms-data-brea… ∗∗∗ BlackByte Ransomware – Pt. 1 In-depth Analysis ∗∗∗ --------------------------------------------- During a recent malware incident response case, we encountered an interesting piece of ransomware that goes by the name of BlackByte. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-r… ∗∗∗ BlackByte Ransomware – Pt 2. Code Obfuscation Analysis ∗∗∗ --------------------------------------------- We received the original launcher file from an Incident Response case. It was about 630 KB of JScript code which was seemingly full of garbage code – hiding the real intent. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-r… ∗∗∗ Employee offboarding: Why companies must close a crucial gap in their security strategy ∗∗∗ --------------------------------------------- There are various ways a departing employee could put your organization at risk of a data breach. How do you offboard employees the right way and ensure your data remains safe? --------------------------------------------- https://www.welivesecurity.com/2021/10/14/employee-offboarding-companies-cl… ∗∗∗ Ongoing Cyber Threats to U.S. Water and Wastewater Systems Sector Facilities ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) that details ongoing cyber threats to U.S. Water and Wastewater Systems (WWS) Sector. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/14/ongoing-cyber-thr… ∗∗∗ A malware botnet has made more than $24.7 million since 2019 ∗∗∗ --------------------------------------------- The operators of a malware botnet known as MyKings are believed to have made more than $24.7 million through what security researchers call a "clipboard hijacker." --------------------------------------------- https://therecord.media/a-malware-botnet-has-made-more-than-24-7-million-si… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 11 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4). --------------------------------------------- https://lwn.net/Articles/873056/ ∗∗∗ ZDI-21-1211: (0Day) Fuji Electric Alpha5 A5V File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1211/ ∗∗∗ ZDI-21-1210: (0Day) Fuji Electric Alpha5 Servo Operator C5P File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1210/ ∗∗∗ ZDI-21-1209: (0Day) Fuji Electric Alpha5 Servo Operator C5P File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1209/ ∗∗∗ ZDI-21-1208: (0Day) Fuji Electric Alpha5 Servo Operator C5P File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1208/ ∗∗∗ Schneider Electric CNM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-287-01 ∗∗∗ Uffizio GPS Tracker ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-287-02 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-287-03 ∗∗∗ Siemens RUGGEDCOM ROX (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-259-01 ∗∗∗ Apache Releases Security Advisory for Tomcat ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/15/apache-releases-s… ∗∗∗ SYSS-2019-018/SYSS-2019-019: Unsichere Dateisystemberechtigungen und Installationsmodi in Ivanti DSM ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2019-018/syss-2019-019-unsichere-date… ∗∗∗ Change in Magniber Ransomware Vulnerability (CVE-2021-40444) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/27264/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2021
by Daily end-of-shift report 14 Oct '21

14 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-10-2021 18:00 − Donnerstag 14-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Nach Datenleck: Hausdurchsuchung statt Dankeschön ∗∗∗ --------------------------------------------- Rund 700.000 Personen sind von einem Datenleck betroffen. Ein Programmierer hatte die Lücke entdeckt und gemeldet - und erhielt eine Anzeige. Von Moritz Tremmel (Datenleck, Server) --------------------------------------------- https://www.golem.de/news/nach-datenleck-hausdurchsuchung-statt-dankeschoen… ∗∗∗ Romance scams with a cryptocurrency twist – new research from SophosLabs ∗∗∗ --------------------------------------------- Romance scams and dating site treachery with a new twist - "theres an app for that!" --------------------------------------------- https://nakedsecurity.sophos.com/2021/10/13/romance-scams-with-a-cryptocurr… ∗∗∗ A Handshake with MySQL Bots ∗∗∗ --------------------------------------------- It’s well known that we just don’t put services or devices on the edge of the Internet without strong purpose justification. Services, whether maintained by end-users or administrators, have a ton of security challenges. Databases belong to a group that often needs direct access to the Internet - no doubt that security requirements are a priority here. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/handshake-w… ∗∗∗ We analyzed 80 million ransomware samples – here’s what we learned ∗∗∗ --------------------------------------------- [...] VirusTotal’s first Ransomware Activity Report provides a holistic view of ransomware attacks by combining more than 80 million potential ransomware-related samples submitted over the last year and a half. --------------------------------------------- https://blog.google/technology/safety-security/we-analyzed-80-million-ranso… ∗∗∗ “Free Steam game” scams on TikTok are Among Us ∗∗∗ --------------------------------------------- We look at a dubious free game offer via TikTok, and explore what the site owners expect you to do in order to snag a supposed freebie. --------------------------------------------- https://blog.malwarebytes.com/scams/2021/10/free-steam-game-scams-on-tiktok… ∗∗∗ Wege in Fake-Shops ∗∗∗ --------------------------------------------- Betrügerische und unseriöse Shops sind ein großes Problem im Online-Handel. Doch wie kommen Konsumentinnen und Konsumenten eigentlich zu Fake-Shops? Mit dieser Frage hat sich die Watchlist Internet in den Sommermonaten beschäftigt. Klar wurde: Google- und Facebook-Werbung sind die größten Zubringer zu Fake-Shops. Über diese Wege kommt der Großteil der Opfer auf betrügerische Online-Shops. --------------------------------------------- https://www.watchlist-internet.at/news/wege-in-fake-shops/ ∗∗∗ Don’t get phished! How to be the one that got away ∗∗∗ --------------------------------------------- If it looks like a duck, swims like a duck, and quacks like a duck, then its probably a duck. Now, how do you apply the duck test to defense against phishing? --------------------------------------------- https://www.welivesecurity.com/2021/10/13/phishing-how-be-one-got-away/ ∗∗∗ New Yanluowang ransomware used in targeted attacks ∗∗∗ --------------------------------------------- New arrival to the targeted ransomware scene appears to be still in development. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ya… ∗∗∗ Acer confirms second security breach this year ∗∗∗ --------------------------------------------- A spokesperson for Taiwanese computer maker Acer has confirmed today that the company suffered a second security breach this year after hackers advertised the sale of more than 60 GB of data on an underground cybercrime forum.The post Acer confirms second security breach this year appeared first on The Record by Recorded Future. --------------------------------------------- https://therecord.media/acer-confirms-second-security-breach-this-year/ ∗∗∗ Q&A: Secure PLC Programming Insights ∗∗∗ --------------------------------------------- Members of the Top 20 Secure PLC Coding Practices project recently joined Claroty’s Aperture podcast to discuss the group’s list of top 20 secure coding practices for programmable logic controllers (PLCs). What follows is an edited transcript of our discussion with Martin Scheu of SWITCH-CERT and Dirk Rotermund of gefeba Engineering GmbH. --------------------------------------------- https://claroty.com/2021/10/13/blog-qa-secure-plc-programming-insights/ ∗∗∗ Windows Oktober 2021-Updates: PrintNightmare-Stand und Netzwerk-Druckprobleme ∗∗∗ --------------------------------------------- Zum 12. Oktober 2021 hat Microsoft neue Schwachstellen im Umfeld der als PrintNightmare bekannten Sicherheitslücken per Update adressiert. Daher ein kurzer Blick auf das betreffende Thema, welches auch weiterhin nicht vom Tisch ist. --------------------------------------------- https://www.borncity.com/blog/2021/10/14/windows-oktober-2021-updates-print… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 16 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (golang, grilo, mediawiki, plib, python-flask-restx, python-mpmath, thunderbird, and xstream/xmlpull/mxparser), Oracle (389-ds-base, grafana, httpd:2.4, kernel, libxml2, and openssl), Red Hat (httpd), and SUSE (kernel). --------------------------------------------- https://lwn.net/Articles/872945/ ∗∗∗ Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2021-043 ∗∗∗ Juniper JUNOS und Juniper JUNOS Evolved: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1070 ∗∗∗ Microsoft Exchange Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1069 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.10.2021
by Daily end-of-shift report 13 Oct '21

13 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-10-2021 18:00 − Mittwoch 13-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ MysterySnail attacks with Windows zero-day ∗∗∗ --------------------------------------------- We detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. Variants of the malware payload used along with the zero-day exploit were detected in widespread espionage campaigns. --------------------------------------------- https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/ ∗∗∗ Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis ∗∗∗ --------------------------------------------- Cobalt Strike is a commercial adversary simulation software that is marketed to red teams but is also stolen and actively used by a wide range of threat actors from ransomware operators to espionage-focused Advanced Persistent Threats (APTs). --------------------------------------------- https://www.mandiant.com/resources/defining-cobalt-strike-components ∗∗∗ 2021: Apples Jahr der Zero-Days ∗∗∗ --------------------------------------------- In dieser Woche hat Apple erneut eine bereits ausgenutzte iPhone-Lücke gepatcht. Seit Februar gab es mehr als ein Dutzend in den Systemen des Konzerns. --------------------------------------------- https://heise.de/-6215715 ∗∗∗ Azure Privilege Escalation via Service Principal Abuse ∗∗∗ --------------------------------------------- In this blog post, I’ll explain how a particular kind of attack path can emerge in Azure based on Azure’s RBAC system — an attack path we have seen in the vast majority of Azure tenants we’ve gotten access to. --------------------------------------------- https://posts.specterops.io/azure-privilege-escalation-via-service-principa… ===================== = Vulnerabilities = ===================== ∗∗∗ SAP-Patchday: NetWeaver AS & Environmental Compliance bargen kritische Lücken ∗∗∗ --------------------------------------------- Zum monatlichen Patchday hat SAP Updates für viele Produkte veröffentlicht. Zwei beseitigten Sicherheitsproblemen wurden CVSS-Scores nahe der 10 zugeordnet. --------------------------------------------- https://heise.de/-6215952 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flatpak and ruby2.3), Fedora (flatpak, httpd, mediawiki, redis, and xstream), openSUSE (kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), Red Hat (.NET 5.0, 389-ds-base, httpd:2.4, kernel, kernel-rt, libxml2, openssl, and thunderbird), Scientific Linux (389-ds-base, kernel, libxml2, and openssl), SUSE (apache2-mod_auth_openidc, curl, glibc, kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), and Ubuntu (squashfs-tools). --------------------------------------------- https://lwn.net/Articles/872843/ ∗∗∗ The October 2021 Security Update Review ∗∗∗ --------------------------------------------- The second Tuesday of the month is here, and that means the latest security updates from Adobe and Microsoft have arrived. --------------------------------------------- https://www.thezdi.com/blog/2021/10/12/the-october-2021-security-update-rev… ∗∗∗ Sicherheitsupdates für Exchange Server (Oktober 2021) ∗∗∗ --------------------------------------------- Microsoft hat zum 12. Oktober 2021 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2021/10/13/sicherheitsupdates-fr-exchange-ser… ∗∗∗ ZDI-21-1147: Adobe Illustrator PDF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1147/ ∗∗∗ ZDI-21-1146: Adobe Illustrator PDF File Parsing Use-After-Free Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1146/ ∗∗∗ ZDI-21-1148: Linux Kernel eBPF Type Confusion Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1148/ ∗∗∗ VMSA-2021-0021 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0021.html ∗∗∗ VMSA-2021-0022 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0022.html ∗∗∗ VMSA-2021-0023 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0023.html ∗∗∗ Apache HTTPD vulnerability CVE-2021-34798 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K72382141 ∗∗∗ Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-pa… ∗∗∗ Cross-Site Scripting in myfactory.FMS ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/ ∗∗∗ IPAS: Security Advisories for October 2021 ∗∗∗ --------------------------------------------- https://blogs.intel.com/technology/2021/10/intel-security-advisories-for-oc… ∗∗∗ SYSS-2021-014, SYSS-2021-015 und SYSS-2021-019: Schwachstellen in Softphones von Linphone und MicroSIP ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-014-syss-2021-015-und-syss-2021-… ∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500444-THINKPAD-BIOS-VULNERABI… ∗∗∗ NetApp Clustered Data ONTAP X-Frame-Options Header Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500442-NETAPP-CLUSTERED-DATA-O… ∗∗∗ AMD x86 PREFETCH instruction related side-channels ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500445-AMD-X86-PREFETCH-INSTRU… ∗∗∗ Intel SGX SDK Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500443-INTEL-SGX-SDK-ADVISORY -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2021
by Daily end-of-shift report 12 Oct '21

12 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 11-10-2021 18:00 − Dienstag 12-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Javascript: RSA-Schlüsselerzeugung mit vielen Nullen ∗∗∗ --------------------------------------------- Github sperrt unsichere SSH-Schlüssel, die durch einen Fehler in einer Javascript-Bibliothek erzeugt wurden. --------------------------------------------- https://www.golem.de/news/javascript-rsa-schluesselerzeugung-mit-vielen-nul… ∗∗∗ iOS 15.0.2 und watchOS 8.0.1: Viele Bugfixes – und wieder ein Exploit im Umlauf ∗∗∗ --------------------------------------------- Apple hat in der Nacht zum Dienstag seine iPhone-, iPad- und Apple-Watch-Betriebssysteme nachgebessert. Bei Telefon und Tablet geht es auch um die Sicherheit. --------------------------------------------- https://heise.de/-6214563 ∗∗∗ Johnson Controls: Lücken boten Remote-Zugriffsmöglichkeiten auf Videoüberwachung ∗∗∗ --------------------------------------------- Updates für die Videoüberwachungslösung exacqVision von Johnson Controls/Exacq Technologies schließen zwei Sicherheitslücken. Eine gilt als kritisch. --------------------------------------------- https://heise.de/-6215264 ∗∗∗ Vorsicht vor Microsoft-Anrufen ∗∗∗ --------------------------------------------- Legen Sie sofort auf, wenn Sie angeblich von Microsoft angerufen werden. Kriminelle geben sich als Microsoft-MitarbeiterInnen aus und behaupten, sie hätten auf Ihrem Computer einen Virus entdeckt. Die Fake-Microsoft-MitarbeiterInnen verwickeln Sie dann in ein Gespräch und bieten Ihnen an, das Problem gemeinsam zu lösen. Achtung: Es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-microsoft-anrufen/ ∗∗∗ Photo editor Android app STILL sitting on Google Play store is malware ∗∗∗ --------------------------------------------- An Android app sitting on the Google Play store touts itself to be a photo editor app. But, it contains code that steals the users Facebook credentials to potentially run ad campaigns on the users behalf, with their payment information. The app has scored over 5K installs, with similar spyware apps having 500K+ installs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/photo-editor-android-app-sti… ∗∗∗ How cyberattacks are changing according to new Microsoft Digital Defense Report ∗∗∗ --------------------------------------------- Get the latest expert insights on human-operated ransomware, phishing attacks, malware, and more to get ahead of these threats before they begin. --------------------------------------------- https://www.microsoft.com/security/blog/2021/10/11/how-cyberattacks-are-cha… ∗∗∗ SnapMC skips ransomware, steals data ∗∗∗ --------------------------------------------- Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the [...] --------------------------------------------- https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/ ∗∗∗ Reverse engineering and decrypting CyberArk vault credential files ∗∗∗ --------------------------------------------- This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password. --------------------------------------------- https://blog.fox-it.com/2021/10/12/reverse-engineering-and-decrypting-cyber… ∗∗∗ New Trickbot and BazarLoader campaigns use multiple delivery vectors ∗∗∗ --------------------------------------------- Trickbot has been active since 2016 and is linked to a large number of malicious campaigns involving bitcoin mining and theft of banking information, personal identifying information (PII), and credentials. BazarLoader is a spinoff of this trojan, developed by the same authors. Both are particularly dangerous as they are easily modifiable and capable of delivering multi-stage payloads, as well as taking over computers entirely. --------------------------------------------- https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloade… ∗∗∗ Inside Apple: How macOS attacks are evolving ∗∗∗ --------------------------------------------- Our Apple expert Thomas Reed went to the Objective by the Sea security conference. Heres what he learned about macOS attacks. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2021/10/inside-apple-how-ma… ∗∗∗ ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric on Tuesday released nearly a dozen security advisories describing a total of more than 50 vulnerabilities affecting their products. The companies have released patches and mitigations to address these vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electr… ∗∗∗ ASEC Weekly Malware Statistics (September 27th, 2021 – October 3rd, 2021) ∗∗∗ --------------------------------------------- The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 27th, 2021 (Monday) to October 3rd, 2021 (Sunday). For the main category, info-stealer ranked top with 63.2%, followed by Downloader with 19.2%, RAT (Remote Administration Tool) malware with 10.7%, Backdoor Downloader with 3.7%, Ransomware with 1.9%, CoinMiner with 1.1%, and Banking malware with 0.2%. --------------------------------------------- https://asec.ahnlab.com/en/27577/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer könnten digitale Unterschrift in LibreOffice und OpenOffice fälschen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Office-Pakete LibreOffice und OpenOffice. --------------------------------------------- https://heise.de/-6214784 ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, buffer overflows ∗∗∗ --------------------------------------------- Cisco Talos recently discovered two vulnerabilities in the Anker Eufy Homebase. The Eufy Homebase 2 is the video storage and networking gateway that works with Anker’s Eufy Smarthome ecosystem. --------------------------------------------- https://blog.talosintelligence.com/2021/10/vuln-spotlight-anker-.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, hiredis, and icu), Fedora (kernel), Mageia (libreoffice), openSUSE (chromium, firefox, git, go1.16, kernel, mbedtls, mupdf, and nodejs8), Oracle (firefox and kernel), Red Hat (firefox, grafana, kernel, kpatch-patch, and rh-mysql80-mysql), and SUSE (apache2, containerd, docker, runc, curl, firefox, kernel, libqt5-qtsvg, and squid). --------------------------------------------- https://lwn.net/Articles/872696/ ∗∗∗ # SSA-163251: Multiple Vulnerabilities in SINEC NMS ∗∗∗ --------------------------------------------- The latest update for SINEC NMS fixes multiple vulnerabilities. The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions. Siemens has released an update for SINEC NMS and recommends to update to the latest version. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-163251.txt ∗∗∗ # SSA-173565: Denial-of-Service Vulnerability in RUGGEDCOM ROX Devices ∗∗∗ --------------------------------------------- The latest update for RUGGEDCOM ROX devices fixes a vulnerability that could allow an unauthenticated attacker to cause a permanent Denial-of-Service condition under certain conditions. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-173565.txt ∗∗∗ # SSA-178380: Denial-of-Service Vulnerability in SINUMERIK Controllers ∗∗∗ --------------------------------------------- A Denial-of-Service vulnerability found in SINUMERIK Controllers could allow an unauthenticated attacker with network access to the affected devices to cause system failure with total loss of availability. Siemens has released an update for the SINUMERIK 828D and recommends to update to the latest version. Siemens recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-178380.txt ∗∗∗ # SSA-280624: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗ --------------------------------------------- The Scalance W1750D device contains multiple vulnerabilities that could allow an attacker to inject commands or trigger buffer overflows. Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-280624.txt ∗∗∗ Advantech WebAccess SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authorization vulnerability in the Advantech WebAccess SCADA HMI platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-285-01 ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory contains mitigations for Heap-based Buffer Overflow, and Stack-based Buffer Overflow vulnerabilities in the Advantech WebAccess HMI platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- This advisory contains mitigations for Classic Buffer Overflow, Unrestricted Upload of File with Dangerous Type, Path Traversal, and Missing Authentication for Critical Function vulnerabilities in Schneider Electric IGSS (Interactive Graphical SCADA System) software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-285-03 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-… ∗∗∗ Security Bulletin: Multiple Apache PDFBox security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-pdfbox-se… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Foxit Reader & PhantomPDF: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1053 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2021
by Daily end-of-shift report 11 Oct '21

11 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-10-2021 18:00 − Montag 11-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Missbrauch mit Malware-Befall: Microsoft deaktiviert Excel 4.0-Makros in Office ∗∗∗ --------------------------------------------- Gegen immer mehr Angriffe über Excel-Makros geht Microsoft nun vor: Standardmäßig werden alle Excel 4.0-Makros in Office 365 demnächst deaktiviert. --------------------------------------------- https://heise.de/-6213387 ∗∗∗ Kaufen Sie nicht in Shops mit @thateer.top Mail-Adressen ein! ∗∗∗ --------------------------------------------- Derzeit tauchen zahlreiche Fake-Shops im Internet auf, die alle ähnlich aufgebaut sind, die gleichen Texte verwenden und unter einer dieser E-Mail-Adressen erreichbar sind: [...] --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-nicht-in-shops-mit-thatee… ∗∗∗ Ransomware wegen Homeoffice auf dem Vormarsch ∗∗∗ --------------------------------------------- Bedingt durch die Coronavirus-Pandemie arbeiten seit 2020 Menschen vermehrt im Homeoffice. Leider konnte die Absicherung dieser Arbeitsplätze mit dieser Entwicklung nicht Schritt halten. Gleichzeitig hat die Cyberkriminalität mit der verstärkten Telearbeit in Unternehmen durch die Pandemiekrise weiter aufgerüstet und ihre [...] --------------------------------------------- https://www.borncity.com/blog/2021/10/11/ransomware-auf-dem-vormarsch/ ∗∗∗ The 5 Phases of Zero Trust Adoption ∗∗∗ --------------------------------------------- Zero trust aims to replace implicit trust with explicit, continuously adaptive trust across users, devices, networks, applications, and data. --------------------------------------------- https://www.darkreading.com/endpoint/the-5-phases-of-zero-trust-adoption ∗∗∗ Scanning for Previous Oracle WebLogic Vulnerabilities, (Sat, Oct 9th) ∗∗∗ --------------------------------------------- In the past few weeks, I have captured multiple instance of traffic related to some past Oracle vulnerabilities that have already been patched. The first is related to a RCE (CVE-2017-10271) that can be triggered to execute commands remotely by bypassing the CVE-2017-3506 patch's limitations. The POST contains an init.sh script which doesn't appear to be available for download. --------------------------------------------- https://isc.sans.edu/diary/rss/27918 ∗∗∗ Things that go "Bump" in the Night: Non HTTP Requests Hitting Web Servers, (Mon, Oct 11th) ∗∗∗ --------------------------------------------- If you are reviewing your web server logs periodically, you may notice some odd requests that are not HTTP requests in your logs. In particular if you have a web server listening on a non standard port. I want to quickly review some of the most common requests like that, that I am seeing: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27924 ∗∗∗ When criminals go corporate: Ransomware-as-a-service, bulk discounts and more ∗∗∗ --------------------------------------------- This summer, Abnormal Security discovered that some of its customers staff were receiving emails inviting them to install ransomware on a company computer in return for a $1m share of the "profits". --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2021/10/11/ransomware_a… ∗∗∗ CISA Releases Remote Access Guidance for Government Agencies ∗∗∗ --------------------------------------------- The United States Cybersecurity and Infrastructure Security Agency (CISA) last week announced the release a new guidance document: Trusted Internet Connections (TIC) 3.0 Remote User Use Case. --------------------------------------------- https://www.securityweek.com/cisa-releases-remote-access-guidance-governmen… ∗∗∗ InHand Router Flaws Could Expose Many Industrial Companies to Remote Attacks ∗∗∗ --------------------------------------------- Several serious vulnerabilities discovered by researchers in industrial routers made by InHand Networks could expose many organizations to remote attacks, and patches do not appear to be available. --------------------------------------------- https://www.securityweek.com/inhand-router-flaws-could-expose-many-industri… ∗∗∗ Protect your network ∗∗∗ --------------------------------------------- So, you know where your wallet is, yes? And your phone - it's in your pocket, or just over there on the table? Excellent. You might be reading this on your laptop, so you know where that is. You might have a snazzy Smart TV or two? Perhaps you have joined [...] --------------------------------------------- https://connect.geant.org/2021/10/11/protect-your-network ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, mediawiki, neutron, and tiff), Fedora (chromium, dr_libs, firefox, and grafana), Mageia (apache), openSUSE (chromium and rabbitmq-server), Oracle (kernel), Red Hat (firefox and httpd24-httpd), SUSE (rabbitmq-server), and Ubuntu (libntlm). --------------------------------------------- https://lwn.net/Articles/872547/ ∗∗∗ Security Advisory - Use-after-free Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211008… ∗∗∗ Security Advisory - Path Traversal Vulnerability in Huawei PC Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211008… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designers may be vulnerable to arbitrary code execution via CVE-2021-3757 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Go vulnerability CVE-2021-31525 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2021 – Includes Oracle Jul 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ MediaWiki Extensions und Skins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1050 ∗∗∗ Apache OpenOffice und LibreOffice: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1051 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2021
by Daily end-of-shift report 08 Oct '21

08 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-10-2021 18:00 − Freitag 08-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rapid RYUK Ransomware Attack Group Christened as FIN12 ∗∗∗ --------------------------------------------- Prolific ransomware cybercrime groups approach underscores a complicated, layered model of cybercrime. --------------------------------------------- https://www.darkreading.com/attacks-breaches/rapid-ryuk-ransomware-attack-g… ∗∗∗ Sorting Things Out - Sorting Data by IP Address, (Fri, Oct 8th) ∗∗∗ --------------------------------------------- One thing that is huge in making sense of large volumes of data is sorting. Which makes having good sorting tools and methods a big deal when you are working through findings in a security assessment of pentest. --------------------------------------------- https://isc.sans.edu/diary/rss/27916 ∗∗∗ Free BrewDog beer, with a side order of shareholder PII? ∗∗∗ --------------------------------------------- BrewDog exposed the details of over 200,000 ‘Equity for Punks’ shareholders for over 18 months plus many more customers. --------------------------------------------- https://www.pentestpartners.com/security-blog/free-brewdog-beer-with-a-side… ∗∗∗ FontOnLake: Previously unknown malware family targeting Linux ∗∗∗ --------------------------------------------- ESET researchers discover a malware family with tools that show signs they’re used in targeted attacks. --------------------------------------------- https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-mal… ∗∗∗ NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance to help secure the Department of Defense, National Security Systems, and Defense Industrial Base organizations from poorly implemented wildcard Transport Layer Security (TLS) certificates and the exploitation of Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/08/nsa-releases-guid… ∗∗∗ Microsoft to disable Excel 4.0 macros, one of the most abused Office features ∗∗∗ --------------------------------------------- Microsoft plans to disable a legacy feature known as Excel 4.0 macros, also XLM macros, for all Microsoft 365 users by the end of the year [...] --------------------------------------------- https://therecord.media/microsoft-to-disable-excel-4-0-macros-one-of-the-mo… ∗∗∗ Malicious PowerPoint Files Constantly Being Distributed ∗∗∗ --------------------------------------------- On April 2021, the ASEC analysis team introduced the malware delivered via PowerPoint files attached to email in the ASEC blog. The team has found continuous malicious activities that use PPAM files in the form of PowerPoint and thus is sharing them. --------------------------------------------- https://asec.ahnlab.com/en/26597/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libssh), Mageia (firefox), Slackware (httpd), SUSE (xen), and Ubuntu (firefox and mysql-5.7). --------------------------------------------- https://lwn.net/Articles/872267/ ∗∗∗ Google Patches Four Severe Vulnerabilities in Chrome ∗∗∗ --------------------------------------------- Google this week announced the release of an updated Chrome version for Windows, Mac and Linux, to address a total of four high-severity vulnerabilities in the browser. --------------------------------------------- https://www.securityweek.com/google-patches-four-severe-vulnerabilities-chr… ∗∗∗ Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation ∗∗∗ --------------------------------------------- On October 7, 2021, the Apache Software Foundation released Apache HTTP Server version 2.4.51 to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-h… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designers may be vulnerable to arbitrary code execution via CVE-2021-23436 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container could disclose sensitive information to a local user when it is configured to use an IBM Cloud API key to connect to cloud-based connectors (CVE-2021-29906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39135 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Access Control Vulnerability Affects the User Interface of IBM Sterling File Gateway (CVE-2020-4654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-access-control-vulnerabil… ∗∗∗ Security Bulletin: Node.js as used by IBM Security QRadar Packet Capture contains multiple vulnerabilities (CVE-2020-8201, CVE-2020-8252, CVE-2020-8251, CVE-2020-8277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-as-used-by-ibm-se… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39134 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Multiple Apache PDFBox security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-pdfbox-se… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container images may be vulnerable to Denial of Service attacks due to CVE-2021-23362 and CVE-2021-27290 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a sensitive information disclosure vulnerability (CVE-2020-5008) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Kyocera Drucker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1049 ∗∗∗ Johnson Controls exacqVision Server Bundle ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-01 ∗∗∗ Mobile Industrial Robots Vehicles and MiR Fleet Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-02 ∗∗∗ Johnson Controls exacqVision ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-03 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series C Controller Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-04 ∗∗∗ InHand Networks IR615 Router ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05 ∗∗∗ FATEK Automation WinProladder ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06 ∗∗∗ FATEK Automation Communication Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-280-07 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2021
by Daily end-of-shift report 07 Oct '21

07 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-10-2021 18:00 − Donnerstag 07-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Wolfgang Menezes ===================== = News = ===================== ∗∗∗ Air-Gap-Hack: LAN-Kabel als Antenne nutzen, um Daten auszuleiten ∗∗∗ --------------------------------------------- Auch wenn ein Netzwerk nicht mit dem Internet verbunden ist, lassen sich Daten ausleiten. Dazu hat ein Forscher ein LAN-Kabel zur Antenne umfunktioniert. --------------------------------------------- https://www.golem.de/news/air-gap-hack-lan-kabel-als-antenne-nutzen-um-date… ∗∗∗ Cisco schließt Root-Lücke in Intersight Virtual Appliance ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für verschiedene Software wichtige Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-6211537 ∗∗∗ Neue Malware-Familie für Linux entdeckt ∗∗∗ --------------------------------------------- Die von ihren Entdeckern FontOnLake getaufte Malware-Familie aus trojanisierten Programmen, Backdoors und einem Rootkit eignet sich für gezielte Angriffe. --------------------------------------------- https://heise.de/-6211764 ∗∗∗ Tor Browser und Tails: Anonymisierender Browser & OS in abgesicherten Versionen ∗∗∗ --------------------------------------------- Etwas später als geplant ist eine neue Version der Linux-Distribution Tails erschienen. An Bord hat sie den ebenfalls taufrischen Tor Browser 10.5.8. --------------------------------------------- https://heise.de/-6211744 ∗∗∗ Hackers use stealthy ShellClient malware on aerospace, telco firms ∗∗∗ --------------------------------------------- Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-stealthy-shellcl… ∗∗∗ Unpatched Dahua cams vulnerable to unauthenticated remote access ∗∗∗ --------------------------------------------- Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof of concept exploit that came out today makes the case of upgrading pressing. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-dahua-cams-vulnera… ∗∗∗ MacOS Security: What Security Teams Should Know ∗∗∗ --------------------------------------------- As more macOS patches emerge and cybercriminals and nation-states take aim at the platform, experts discuss how macOS security has evolved and how businesses can protect employees. --------------------------------------------- https://www.darkreading.com/edge-articles/mac-attacks-how-secure-are-the-ma… ∗∗∗ Ransomware in the CIS ∗∗∗ --------------------------------------------- Statistics on ransomware attacks in the CIS and technical descriptions of Trojans, including BigBobRoss/TheDMR, Crysis/Dharma, Phobos/Eking, Cryakl/CryLock, CryptConsole, Fonix/XINOF, Limbozar/VoidCrypt, Thanos/Hakbit and XMRLocker. --------------------------------------------- https://securelist.com/cis-ransomware/104452/ ∗∗∗ Apache HTTP Server CVE-2021-41773 Exploited in the Wild ∗∗∗ --------------------------------------------- On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 (and only in 2.4.49). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled. --------------------------------------------- https://www.rapid7.com/blog/post/2021/10/06/apache-http-server-cve-2021-417… ∗∗∗ Medtronics Insulin Pump Controllers Are Vulnerable to Hackers ∗∗∗ --------------------------------------------- The company just expanded its recall of insulin pump remote controllers that can be hijacked to alter insulin amounts. Medical device maker Medtronic has expanded its recall of remote controllers for its MiniMed 508 and MiniMed Paradigm insulin pumps. The reason? The devices are a potential cybersecurity risk. According to the Food and Drug Administration, unauthorized people could hijack the devices to alter how much insulin is delivered to a patient. --------------------------------------------- https://gizmodo.com/medtronics-insulin-pump-controllers-are-vulnerable-to-h… ∗∗∗ Life is Pane: Persistence via Preview Handlers ∗∗∗ --------------------------------------------- [...] The preview pane allows users to have a quick peek at the content of a selected file without actually having to open it. This feature is disabled on default Windows 10 builds, but can be enabled in the Explorer menu under View→Preview pane. While this seems relatively simple at face value, it is anything but under the hood. For example, how does Windows know how to display the contents of certain filetypes but not others? Are the previews controlled by Explorer or is it done in another process? Are these handlers abusable? We spent a few days exploring preview handlers to gain a deeper understanding of how they work and answer these questions. --------------------------------------------- https://posts.specterops.io/life-is-pane-persistence-via-preview-handlers-3… ∗∗∗ CVE-2021-26420: Remote Code Execution in SharePoint via Workflow Compilation ∗∗∗ --------------------------------------------- In June of 2021, Microsoft released a patch to correct CVE-2021-26420 - a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-21-755. This blog takes a deeper look at the root cause of this vulnerability. --------------------------------------------- https://www.thezdi.com/blog/2021/10/5/cve-2021-26420-remote-code-execution-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat Security Advisories zu 16 Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, sechs als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2021-10-07 ∗∗∗ --------------------------------------------- IBM hat 21 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Advisory: Cisco ATA19X Privilege Escalation and RCE ∗∗∗ --------------------------------------------- 1. Lack of User Privilege Separation Enforcement in Web Management Interface: The web management interface on the ATA191 does not necessarily prevent the “user” account from performing “admin”-privileged actions. As such, a user who logs in with “user” privileges is able to perform actions that should only be performed by an “admin” user. 2. Post-Authentication Command Injection Remote Code Execution (CVE-2021-34710): The web management interface suffers [...] --------------------------------------------- https://www.iot-inspector.com/blog/advisory-cisco-ata19x-privilege-escalati… ∗∗∗ CVE-2021-33602: Denial-of-Service (DoS) Vulnerabilty ∗∗∗ --------------------------------------------- A vulnerability affecting the F-Secure antivirus engine was discovered when the engine tries to unpack a zip archive (LZW decompression method), and this can crash the scanning engine. The vulnerability can be exploited remotely by an attacker. A successful attack will result in denial-of-service of the antivirus engine. --------------------------------------------- https://www.f-secure.com/en/business/support-and-downloads/security-advisor… ∗∗∗ Typo3: Neue Version schließt zwei Sicherheitslücken im CMS ∗∗∗ --------------------------------------------- Lücken im Content-Management-System hätten Angreifern schlimmstenfalls Admin-Rechte gewähren können. Die neue Typo3-Version 11.5 bannt die Gefahr. --------------------------------------------- https://heise.de/-6211486 ∗∗∗ High Severity Vulnerability Patched in Access Demo Importer Plugin ∗∗∗ --------------------------------------------- On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 [...] --------------------------------------------- https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Mageia (cockpit, fail2ban, libcryptopp, libss7, nodejs, opendmarc, and weechat), openSUSE (curl, ffmpeg, git, glibc, go1.16, libcryptopp, and nodejs8), SUSE (apache2, curl, ffmpeg, git, glibc, go1.16, grilo, libcryptopp, nodejs8, transfig, and webkit2gtk3), and Ubuntu (linux-oem-5.10 and python-bottle). --------------------------------------------- https://lwn.net/Articles/872154/ ∗∗∗ Apache OpenOffice: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1041 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2021
by Daily end-of-shift report 06 Oct '21

06 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-10-2021 18:00 − Mittwoch 06-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Collaborative Research on the CONTI Ransomware Group ∗∗∗ --------------------------------------------- Ransomware remains one of the pre-eminent cyber threats, with the evolution in tactics, techniques and procedures (TTPs) amongst threat actor groups over recent years upping the stakes for both victims and defenders. --------------------------------------------- https://team-cymru.com/blog/2021/10/05/collaborative-research-on-the-conti-… ∗∗∗ Syniverse: Möglicherweise SMS von Milliarden Menschen gehackt ∗∗∗ --------------------------------------------- Hacker sind über Jahre in ein Unternehmen eingedrungen, das Anrufe und SMS zwischen Mobilfunkunternehmen austauscht. --------------------------------------------- https://www.golem.de/news/syniverse-moeglicherweise-sms-von-milliarden-mens… ∗∗∗ Threat hunting in large datasets by clustering security events ∗∗∗ --------------------------------------------- Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. Big data processing tools, such as spark, can be a powerful tool in the arsenal of security teams. --------------------------------------------- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets… ∗∗∗ Landespolizeidirektion Steiermark: Warnung vor Betrugsversuchen mittels LPD-SMS ∗∗∗ --------------------------------------------- Am Montag, 4. Oktober 2021, versendeten unbekannte Täter in betrügerischer Absicht SMS Nachrichten. Als Absender scheint "Landespolizeidirektion (LPD) auf". Die Polizei warnt eindringlich vor diesen Betrugsversuchen. --------------------------------------------- https://www.watchlist-internet.at/news/landespolizeidirektion-steiermark-wa… ∗∗∗ Unsere Tipps, um unseriöse Notfalldienste zu entlarven! ∗∗∗ --------------------------------------------- Bei Notfällen wie einem Rohrbruch, Stromausfall oder einem Gasgebrechen ist schnelle Hilfe notwendig. Häufig bleibt da für eine genaue Überprüfung der Handwerksdienste keine Zeit. --------------------------------------------- https://www.watchlist-internet.at/news/unsere-tipps-um-unserioese-notfalldi… ∗∗∗ Cybersecurity in Power Grids: Challenges and Opportunities. (arXiv:2105.00013v2 [cs.CR] UPDATED) ∗∗∗ --------------------------------------------- Increasing volatilities within power transmission and distribution forcepower grid operators to amplify their use of communication infrastructure tomonitor and control their grid. The resulting increase in communication creates a larger attack surface for malicious actors. --------------------------------------------- http://arxiv.org/abs/2105.00013 ===================== = Vulnerabilities = ===================== ∗∗∗ Actively exploited Apache 0-day also allows remote code execution ∗∗∗ --------------------------------------------- Proof-of-Concept (PoC) exploits for the Apache web server zero-day surfaced on the internet revealing that the vulnerability is far more critical than originally disclosed. These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution (RCE) abilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/actively-exploited-apache-0-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM veröffentlicht 31 Security Bulletins. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cryptopp), Mageia (apache), Slackware (httpd), and Ubuntu (squid, squid3). --------------------------------------------- https://lwn.net/Articles/872029/ ∗∗∗ FortiWebManager - Injection vulnerabilities ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-027 ∗∗∗ FortiAnalyzer & FortiManager - Forticloud credentials observed in cleartext in the logfile ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-21-112 ∗∗∗ FortiSDNConnector - Credential leak ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-183 ∗∗∗ FortiClientEMS - Session cookie does not expire after logout ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-20-072 ∗∗∗ XSA-386 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-386.html ∗∗∗ Samba: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1034 ∗∗∗ Mitsubishi Electric GOT and Tension Controller ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-01 ∗∗∗ Emerson WirelessHART Gateway ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02 ∗∗∗ Moxa MXview Network Management Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-278-03 ∗∗∗ Medtronic MiniMed MMT-500/MMT-503 Remote Controllers (Update A) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSMA-18-219-02 ∗∗∗ CISA Releases Security Advisory for Honeywell Experion and ACE Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/10/05/cisa-releases-sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2021
by Daily end-of-shift report 05 Oct '21

05 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Montag 04-10-2021 18:00 − Dienstag 05-10-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New UEFI bootkit used to backdoor Windows devices since 2012 ∗∗∗ --------------------------------------------- A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since at least 2012. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-uefi-bootkit-used-to-bac… ∗∗∗ HiKam - "Hi – Ich bin (nicht) deine Kamera" ∗∗∗ --------------------------------------------- Die Sicherheit von IoT-Geräten, wie z.B. Überwachungskameras, sollte viel mehr im Fokus von Herstellern und Nutzern liegen. In der Realität ist dies leider nicht der Fall. Jahr für Jahr werden mehr IoT-Geräte entdeckt, die eine P2P-Cloud-Verbindung nutzen. Der Defcon-Talk von Paul Marrapese letztes Jahr und die letzte Entdeckung von Mandiant beschreiben nur einen Auszug dessen, was sich in diesem Bereich der IT-Security abgespielt hat. Im Rahmen dieses Blogposts möchten wir Ihnen aktuelle Informationen zur zugrundeliegenden IoT-Sicherheitsproblematik anhand eines konkreten Gerätes vorstellen: die HiKam S6. --------------------------------------------- https://sec-consult.com/de/blog/detail/hikam-hi-ich-bin-nicht-deine-kamera/ ∗∗∗ Kleinanzeigenbetrug mit gefälschter Post-Website ∗∗∗ --------------------------------------------- Kriminelle verwenden eine gefälschte Post-Website www.post-service.online für Kleinanzeigenbetrug. Sie suchen nach hochpreisigen Angeboten und geben vor, den Kauf über einen erfundenen Kurierservice der Post abwickeln zu wollen. Ziel ist es, den Opfern das Geld aus der Tasche zu ziehen, denn in weiterer Folge werden Kreditkartendaten abgefragt und die Freigabe einer Zahlung verlangt. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-mit-gefaelschter… ===================== = Vulnerabilities = ===================== ∗∗∗ Löchrige UPnP-Umsetzung in alten Broadcom-SDKs macht Router angreifbar ∗∗∗ --------------------------------------------- Einige Routermodelle mit EoL-Status etwa von Linksys & Cisco sind dank Lücken in alten Broadcom-SDK-Versionen via UPnP angreifbar. Updates gibt es nicht. --------------------------------------------- https://heise.de/-6209100 ∗∗∗ Sicherheitsupdate: Angreifer könnten auf Dateien von Apache-Webservern zugreifen ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf Apache-Webserver abgesehen. Davon ist aber nur eine bestimmte Version bedroht. Die Path-Traversal-Lücke (CVE-2021-41773) betrifft ausschließlich die Apache-HTTP-Server-Version 2.4.49. --------------------------------------------- https://heise.de/-6209130 ∗∗∗ TYPO3-CORE-SA-2021-015: HTTP Host Header Injection in Request Handling ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment. CVE-ID: CVE-2021-41114 --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2021-015 ∗∗∗ TYPO3-CORE-SA-2021-014: Cross-Site-Request-Forgery in Backend URI Handling ∗∗∗ --------------------------------------------- It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. [...] To successfully carry out an attack, an attacker must trick his victim to access a compromised system. The victim must have an active session in the TYPO3 backend at that time. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2021-014 ∗∗∗ Android Security Bulletin—October 2021 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2021-10-05 or later address all of these issues. --------------------------------------------- https://source.android.com/security/bulletin/2021-10-01 ∗∗∗ docker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in docker ausnutzen, um seine Privilegien zu erhöhen oder Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1033 ∗∗∗ SYSS-2021-047: Authentication Bypass in Omikron MultiCash ∗∗∗ --------------------------------------------- In der Desktopanwendung MultiCash 4 können mittels der Rechte- und Passwortüberprüfung administrative Rechte über die Anwendung erlang werden. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-047-authentication-bypass-in-omi… ∗∗∗ Security Bulletin: IBM Event Streams is potentially affected by multiple node vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-pote… ∗∗∗ Security Bulletin: IBM Event Streams is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple vulnerabilities in the Java runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by a vulnerability in libcurl (CVE-2021-22925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by a vulnerability in libcurl (CVE-2021-22924) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by a vulnerability in libcurl (CVE-2021-22945) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Apache Solr, shipped with IBM Operations Analytics – Log Analysis, susceptible to multiple vulnerabilities in Apache Tika ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-solr-shipped-with-… ∗∗∗ Security Bulletin: Vulnerability in MetadataExtractor used by Apache Solr affect IBM Operations Analytics – Log Analysis Analysis (CVE-2019-14262) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-metadata… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2021
by Daily end-of-shift report 04 Oct '21

04 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-10-2021 18:00 − Montag 04-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware: Conti-Erpressergruppe verbittet sich Leaks ihrer Verhandlungs-Chats ∗∗∗ --------------------------------------------- Die Cyberkriminellen hinter der Conti-Ransomware drohen jedem Opfer mit Veröffentlichung seiner Daten, sollten Details über die Erpressung im Netz auftauchen. --------------------------------------------- https://heise.de/-6206790 ∗∗∗ Andoid-Banking-Trojaner Hydra hat es auf Commerzbank-Kunden abgesehen ∗∗∗ --------------------------------------------- Online-Kriminelle versuchen Kunden der Commerzbank abzuzocken. Damit es dazu kommt, müssen Opfer aber mitspielen. --------------------------------------------- https://heise.de/-6207752 ∗∗∗ SMS mit Link zu Fotoalbum verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Zahlreiche NutzerInnen berichten, dass sie SMS mit einem Link zu einem Fotoalbum erhalten. Angeblich wurden dort private Fotos hochgeladen. Achtung: Der Link führt zu Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/sms-mit-link-zu-fotoalbum-verbreitet… ∗∗∗ Webinar: Internetkriminalität - so schützen Sie sich! ∗∗∗ --------------------------------------------- Internetfallen & Betrugsmaschen werden immer ausgeklügelter. Umso wichtiger ist die Fähigkeit, Merkmale einer Betrugsmasche frühzeitig zu erkennen. In einem Webinar geben wir Ihnen einen Überblick über aktuelle Bedrohungen im Internet und zeigen Ihnen, wie Sie sich davor schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-internetkriminalitaet-so-sch… ∗∗∗ Endpoint Security ist überall gefragt ∗∗∗ --------------------------------------------- Viele Endpunkte mögen auf den ersten Blick unwichtig erscheinen. Aber ungeschützte Systeme mit oder ohne Internetzugang sind ein Einfallstor für Hacker. Deshalb ist ein umfassendes Konzept für Endpoint Security für Unternehmen jeder Größe sehr wichtig. --------------------------------------------- https://www.zdnet.de/88397023/endpoint-security-ist-ueberall-gefragt/ ∗∗∗ New Atom Silo ransomware targets vulnerable Confluence servers ∗∗∗ --------------------------------------------- Atom Silo, a newly spotted ransomware group, is targeting a recently patched and actively exploited Confluence Server and Data Center vulnerability to deploy their ransomware payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-atom-silo-ransomware-tar… ∗∗∗ Innovative Proxy Phantom ATO Fraud Ring Haunts eCommerce Accounts ∗∗∗ --------------------------------------------- The group uses millions of password combos at the rate of nearly 2,700 login attempts per second with new techniques that push the ATO envelope. --------------------------------------------- https://threatpost.com/proxy-phantom-fraud-ecommerce-accounts/175241/ ∗∗∗ PoC Exploit Released for macOS Gatekeeper Bypass ∗∗∗ --------------------------------------------- Rasmus Sten, a software engineer with F-Secure, has released proof-of-concept (PoC) exploit code for a macOS Gatekeeper bypass that Apple patched in April this year. The PoC exploit targets CVE-2021-1810, a vulnerability that can lead to the bypass of all three protections that Apple implemented against malicious file downloads, namely file quarantine, Gatekeeper, and notarization. --------------------------------------------- https://www.securityweek.com/poc-exploit-released-macos-gatekeeper-bypass ∗∗∗ Boutique "Dark" Botnet Hunting for Crumbs ∗∗∗ --------------------------------------------- [...] But aside from these more visible botnets, there are smaller, "Boutique" botnets. They go after less common vulnerabilities and pick systems that the major botnets find not lucrative enough to go after. Usually, only a few vulnerable devices are exposed. Taking the animal analogy a bit too far: These are like crustaceans on the ocean floor living off what the predators above discard. One such botnet is "Dark Bot". --------------------------------------------- https://isc.sans.edu/diary/rss/27898 ∗∗∗ Expired Lets Encrypt Root Certificate Causes Problems for Many Companies ∗∗∗ --------------------------------------------- A root certificate used by Let’s Encrypt expired on September 30 and, despite being notified a long time in advance, many companies experienced problems. read more --------------------------------------------- https://www.securityweek.com/expired-lets-encrypt-root-certificate-causes-p… ∗∗∗ BazarLoader and the Conti Leaks ∗∗∗ --------------------------------------------- In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while [...] --------------------------------------------- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ ∗∗∗ Misconfigured Airflows Leak Thousands of Credentials from Popular Services ∗∗∗ --------------------------------------------- Apache Airflow is the #1 starred open-source workflows application on GitHub Workflow management platforms are an indispensable tool for automating business and IT tasks. These platforms make it easier to create, schedule and monitor workflows. They are typically hosted on the cloud to provide increased accessibility and scalability. On the flip side, misconfigured instances that allow [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/misconfigured-airflows-leak-cre… ∗∗∗ Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester ∗∗∗ --------------------------------------------- In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share. --------------------------------------------- https://blog.nviso.eu/2021/10/04/phish-phished-phisher-a-quick-peek-inside-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, fig2dev, mediawiki, plib, and qemu), Fedora (chromium, curl, kernel, kernel-headers, kernel-tools, openssh, rust-addr2line, rust-backtrace, rust-cranelift-bforest, rust-cranelift-codegen, rust-cranelift-codegen-meta, rust-cranelift-codegen-shared, rust-cranelift-entity, rust-cranelift-frontend, rust-cranelift-native, rust-cranelift-wasm, rust-gimli, rust-object, rust-wasmparser, rust-wasmtime-cache, rust-wasmtime-environ, [...] --------------------------------------------- https://lwn.net/Articles/871841/ ∗∗∗ Shodan Verified Vulns 2021-10-01 ∗∗∗ --------------------------------------------- Mit 2021-10-01 sah die Schwachstellenlandschaft in Österreich laut Shodan wie folgt aus: Wie auch in den letzten Monaten dominieren TLS/SSL-Schwachstellen sowie Lücken in Microsofts Exchange Server das Bild. Während Server, die für die im März veröffentlichte und geschlossene "ProxyLogon" Exploit-Chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) anfällig sind, mittlerweile eher selten sind, scheinen die im April bzw. Mai [...] --------------------------------------------- https://cert.at/de/aktuelles/2021/10/shodan-verified-vulns-2021-10-01 ∗∗∗ Multiple vulnerabilities in Rexroth IndraMotion and IndraLogic series ∗∗∗ --------------------------------------------- BOSCH-SA-741752: The control systems series Rexroth IndraMotion MLC and IndraLogic XLC are affected by multiple vulnerabilities in the web server, which - in combination - ultimately enable an attacker to log in to the system. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-741752.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Netty vulnerability CVE-2021-21295 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55834441 ∗∗∗ OpenSSL vulnerability CVE-2021-3712 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19559038 ∗∗∗ Red Enterprise Linux Advanced Virtualization: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.10.2021
by Daily end-of-shift report 01 Oct '21

01 Oct '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-09-2021 18:00 − Freitag 01-10-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hydra malware targets customers of Germanys second largest bank ∗∗∗ --------------------------------------------- The Hydra banking trojan is back to targeting European e-banking platform users, and more specifically, customers of Commerzbank, Germanys second-largest financial institution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hydra-malware-targets-custom… ∗∗∗ Flubot Android malware now spreads via fake security updates ∗∗∗ --------------------------------------------- The Flubot malware has switched to a new and likely more effective lure to compromise Android devices, now trying to trick its victims into infecting themselves with the help of fake security updates warning them of Flubot infections. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-android-malware-now-s… ∗∗∗ Hackers rob thousands of Coinbase customers using MFA flaw ∗∗∗ --------------------------------------------- Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the companys SMS multi-factor authentication security feature. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-rob-thousands-of-coi… ∗∗∗ New Tool to Add to Your LOLBAS List: cvtres.exe , (Fri, Oct 1st) ∗∗∗ --------------------------------------------- LOLBAS (“Living Off the Land Binaries And Scripts”) is a list of tools[1] that are present on any Windows system because they are provided by Microsoft as useful tools to perform system maintenance, updates, etc. This list is maintained and upgraded regularly. This is a good starting point when you need to investigate suspicious processes activity on a system (proactively or in forensics investigation). --------------------------------------------- https://isc.sans.edu/diary/27892 ∗∗∗ Introduction to ICS Security Part 3 ∗∗∗ --------------------------------------------- In part 3 of the Introduction to ICS blog series, Stephan Mathezer discusses Remote Access Connections into ICS, examines why they here to stay, and reviews the best practices for securing them. --------------------------------------------- https://www.sans.org/blog/introduction-to-ics-security-part-3/ ∗∗∗ Android Trojan GriftHorse, the gift horse you definitely should look in the mouth ∗∗∗ --------------------------------------------- The GriftHorse Android Trojan is a widespread campaign with millions of victims in over 70 countries. --------------------------------------------- https://blog.malwarebytes.com/android/2021/09/android-trojan-grifthorse-the… ∗∗∗ ESET Threat Report T2 2021 ∗∗∗ --------------------------------------------- Unsere Sicherheitsforscher analysieren die Cybersicherheitslage und die ESET-Telemetriedaten im zweiten Drittel des Jahres 2021. --------------------------------------------- https://www.welivesecurity.com/deutsch/2021/09/30/eset-threat-report-t2-202… ∗∗∗ Heute startet der Europäische Monat der Cyber-Sicherheit! ∗∗∗ --------------------------------------------- Wie jedes Jahr steht auch heuer der Oktober ganz im Zeichen der Cyber-Sicherheit. Auch Österreich nimmt wieder an der EU-weiten Kampagne „European Cyber Security Month“ (ESCM) teil. Ziel ist es, das Bewusstsein über die Risiken im Netz zu stärken und gezielt Informationen zur IT-Sicherheit zu verbreiten. --------------------------------------------- https://www.watchlist-internet.at/news/heute-startet-der-europaeische-monat… ∗∗∗ Credential Harvesting at Scale Without Malware ∗∗∗ --------------------------------------------- Email credential harvesting can lead to business email compromise and ransomware. Often, attackers simply ask for victims’ credentials. --------------------------------------------- https://unit42.paloaltonetworks.com/credential-harvesting/ ∗∗∗ Fortinet, Shopify and more report issues after root CA certificate from Lets Encrypt expires ∗∗∗ --------------------------------------------- Experts had been warning for weeks that there would be issues resulting from the expiration of root CA certificates provided by Lets Encrypt. --------------------------------------------- https://www.zdnet.com/article/fortinet-shopify-others-report-issues-after-r… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 11 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, krb5, openssl1.0, and taglib), Fedora (cifs-utils), SUSE (libqt5-qtbase and rubygem-activerecord-4_2), and Ubuntu (linux-raspi, linux-raspi-5.4 and linux-raspi2). --------------------------------------------- https://lwn.net/Articles/871564/ ∗∗∗ Google Patches Two More Exploited Zero-Day Vulnerabilities in Chrome ∗∗∗ --------------------------------------------- Google on Thursday announced the rollout of a Chrome update to address four security vulnerabilities, including two that are already being exploited in the wild. --------------------------------------------- https://www.securityweek.com/google-patches-two-more-exploited-zero-day-vul… ∗∗∗ Command Injection Vulnerability in QVR ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-38 ∗∗∗ Stored XSS Vulnerabilities in Photo Station ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-41 ∗∗∗ Stored XSS Vulnerability in Photo Station ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-42 ∗∗∗ Stored XSS Vulnerability in Image2PDF ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-43 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2021
by Daily end-of-shift report 30 Sep '21

30 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-09-2021 18:00 − Donnerstag 30-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RansomEXX ransomware Linux encryptor may damage victims files ∗∗∗ --------------------------------------------- Cybersecurity firm Profero has discovered that the RansomExx gang does not correctly lock Linux files during encryption, leading to potentially corrupted files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-linux-e… ∗∗∗ Stop That Phish! ∗∗∗ --------------------------------------------- Although ransomware holds a significant mindshare in security, phishing continues to be an effective and efficient tool for threat actors. In this blog, Tim Helming walks through various anti-phishing tools and methods available to defenders. --------------------------------------------- https://www.domaintools.com/resources/blog/stop-that-phish ∗∗∗ An overview of malware hashing algorithms ∗∗∗ --------------------------------------------- VirusTotals "Basic Properties" tab alone lists eight different hashes and supports even more to use them for queries and hunt signatures. Hashes are important for malware analysis, as well as identification, description and detection. But why do so many of them exist and when should you use which hash function? --------------------------------------------- https://www.gdatasoftware.com/blog/2021/09/an-overview-of-malware-hashing-a… ∗∗∗ TLS-Zertifikate: Altes Lets-Encrypt-Root läuft ab ∗∗∗ --------------------------------------------- Bei Fehlkonfigurationen und alten Geräten können Zertifikatsfehler mit Lets Encrypt auftreten. --------------------------------------------- https://www.golem.de/news/tls-zertifikate-altes-let-s-encrypt-root-laeuft-a… ∗∗∗ GhostEmperor: From ProxyLogon to kernel mode ∗∗∗ --------------------------------------------- While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor. --------------------------------------------- https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/ ∗∗∗ What is Cryptocurrency Mining Malware? ∗∗∗ --------------------------------------------- Cryptocurrency mining malware is typically a stealthy malware that farms the resources on a system (computers, smartphones, and other electronic devices connected to the internet) to generate revenue for the cyber criminals controlling it. Instead of using video game consoles or graphics card farms, these particular cryptominers are using the computers and servers of the people around them for their processing power - without permission. --------------------------------------------- https://blog.sucuri.net/2021/09/what-is-cryptocurrency-mining-malware-2.html ∗∗∗ Apple-Pay-Funktion erlaubt angeblich Geldklau von gesperrten iPhones ∗∗∗ --------------------------------------------- Sicherheitsexperten haben die Express-ÖPNV-Funktion auf Herz und Nieren getestet und kommen zu dem Schluss, dass unerwünschte Visa-Zahlungen möglich sind. --------------------------------------------- https://heise.de/-6204960 ∗∗∗ Bericht: Android-Trojaner GriftHorse kassiert bei über 10 Millionen Opfern ab ∗∗∗ --------------------------------------------- Online-Kriminelle sollen mit Trojaner-Apps Abos abschließen und darüber hunderte Millionen Euro erbeutet haben, warnen Sicherheitsforscher. --------------------------------------------- https://heise.de/-6205272 ∗∗∗ A wolf in sheeps clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus ∗∗∗ --------------------------------------------- By Vitor Ventura and Arnaud Zobec. Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware. --------------------------------------------- https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html ∗∗∗ Telemetry Report Shows Patch Status of High-Profile Vulnerabilities ∗∗∗ --------------------------------------------- A record number of new security vulnerabilities (18,352) were reported in 2020. This year, the number is likely to be higher (13,002 by September 1). The problem with a zero-day vulnerability is that it remains a zero-day until it is patched by both the vendor and the user. --------------------------------------------- https://www.securityweek.com/telemetry-report-shows-patch-status-high-profi… ∗∗∗ The Ransomware Threat in 2021 ∗∗∗ --------------------------------------------- New research from Symantec finds that organizations face an unprecedented level of danger from targeted ransomware attacks as the number of adversaries multiply alongside an increased sophistication in tactics. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ra… ∗∗∗ Facebook open-sources internal tool used to detect security bugs in Android apps ∗∗∗ --------------------------------------------- Facebook has open-sourced Mariana Trench, one of its internal security tools, used by its security teams for finding and fixing bugs in Android and Java applications. --------------------------------------------- https://therecord.media/facebook-open-sources-internal-tool-used-to-detect-… ∗∗∗ Ransomware attack disrupts hundreds of bookstores across France, Belgium, and the Netherlands ∗∗∗ --------------------------------------------- Hundreds of bookstores across France, Belgium, and the Netherlands have had their operations disrupted this week after a ransomware attack crippled the IT systems of TiteLive, a French company that operates a SaaS platform for book sales and inventory management. --------------------------------------------- https://therecord.media/ransomware-attack-disrupts-hundreds-of-bookstores-a… ∗∗∗ After the storm - how to move on with NTLM ∗∗∗ --------------------------------------------- I remember that, about 15 years ago, we already flagged the absence of SMB signing as a vulnerability in reports. Though at that time, we circled more around the theoretical risk of someone tampering SMB traffic due to the lack of integrity protection. None of us really had an idea how to make use of that vulnerability. The later obviously changed. --------------------------------------------- https://cyberstoph.org/posts/2021/09/after-the-storm-how-to-move-on-with-nt… ===================== = Vulnerabilities = ===================== ∗∗∗ Linkit - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-042 ∗∗∗ --------------------------------------------- Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field. It does not sufficiently sanitize user input. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit an entity bundle. --------------------------------------------- https://www.drupal.org/sa-contrib-2021-042 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxstream-java, uwsgi, and weechat), Fedora (libspf2, libvirt, mingw-python3, mono-tools, python-flask-restx, and sharpziplib), Mageia (gstreamer, libgcrypt, libgd, mosquitto, php, python-pillow, qtwebengine5, and webkit2), openSUSE (postgresql12 and postgresql13), SUSE (haproxy, postgresql12, postgresql13, and rabbitmq-server), and Ubuntu (commons-io and linux-oem-5.13). --------------------------------------------- https://lwn.net/Articles/871424/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 12 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Boston Scientific Zoom Latitude ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Password Hash with Insufficient Computational Effort, Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques, Improper Access Control, Missing Support for Integrity Check, and Reliance on Component That is Not Updateable vulnerabilities in the Boston Scientific Zoom Latitude programmer/recorder/monitor (PRM) 3120 model. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210929… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2021
by Daily end-of-shift report 29 Sep '21

29 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-09-2021 18:00 − Mittwoch 29-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ NSA, CISA share VPN security tips to defend against hackers ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released guidance for hardening the security of virtual private network (VPN) solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nsa-cisa-share-vpn-security-… ∗∗∗ Why Should I Care About HTTP Request Smuggling? ∗∗∗ --------------------------------------------- HTTP request smuggling is a growing vulnerability, but you can manage the risk with proper server configuration. --------------------------------------------- https://www.darkreading.com/edge-ask-the-experts/why-should-i-care-about-ht… ∗∗∗ DarkHalo after SolarWinds: the Tomiris connection ∗∗∗ --------------------------------------------- We discovered a campaign delivering the Tomiris backdoor that shows a number of similarities with the Sunshuttle malware distributed by DarkHalo APT and target overlaps with Kazuar. --------------------------------------------- https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104… ∗∗∗ Conti Ransomware Expands Ability to Blow Up Backups ∗∗∗ --------------------------------------------- The Conti ransomware gang has developed novel tactics to demolish backups, especially the Veeam recovery software. --------------------------------------------- https://threatpost.com/conti-ransomware-backups/175114/ ∗∗∗ How nation-state attackers like NOBELIUM are changing cybersecurity ∗∗∗ --------------------------------------------- In the first of a four-part series on the NOBELIUM nation-state attack, we describe the attack and explain why enterprises should be cautious. --------------------------------------------- https://www.microsoft.com/security/blog/2021/09/28/how-nation-state-attacke… ∗∗∗ Serious Security: Let’s Encrypt gets ready to go it alone (in a good way!) ∗∗∗ --------------------------------------------- Lets Encrypt is set to become a mainstream, self-certifying web certificate authority - heres why it took so many years. --------------------------------------------- https://nakedsecurity.sophos.com/2021/09/28/serious-security-lets-encrypt-g… ∗∗∗ Keeping Track of Time: Network Time Protocol and a GPSD Bug, (Wed, Sep 29th) ∗∗∗ --------------------------------------------- The Network Time Protocol (NTP) has been critical in ensuring time is accurately kept for various systems businesses and organizations rely on. --------------------------------------------- https://isc.sans.edu/diary/rss/27886 ∗∗∗ Phone screenshots accidentally leaked online by stalkerware-type company ∗∗∗ --------------------------------------------- Stalkerware-type company pcTattleTale hasnt been very careful about securing the screenshots it sneakily takes from its victims phones. --------------------------------------------- https://blog.malwarebytes.com/stalkerware/2021/09/phone-screenshots-acciden… ∗∗∗ Betrügerische Mail im Namen der Volksbank unterwegs ∗∗∗ --------------------------------------------- Derzeit werden massenhaft betrügerische Phishing-Mails im Namen der Volksbank verschickt. Angeblich wurde eine „irrtümlich ausgeführte Überweisung“ gesperrt. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mail-im-namen-der-vol… ∗∗∗ New GriftHorse malware has infected more than 10 million Android phones ∗∗∗ --------------------------------------------- Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis. --------------------------------------------- https://therecord.media/new-grifthorse-malware-has-infected-more-than-10-mi… ===================== = Vulnerabilities = ===================== ∗∗∗ AirTags als Echtwelt-Trojaner: Apple lässt XSS-Lücke über Monate offen ∗∗∗ --------------------------------------------- Ein weiterer Sicherheitsforscher hat wegen Verärgerung über Apples zugeknöpftes Bug-Bounty-Programm eine Zero-Day-Schwachstelle veröffentlicht. --------------------------------------------- https://heise.de/-6204364 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (iaito, libssh, radare2, and squashfs-tools), openSUSE (hivex, shibboleth-sp, and transfig), SUSE (python-urllib3 and shibboleth-sp), and Ubuntu (apache2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, and linux-hwe-5.11, linux-azure, linux-azure-5.11, linux-oracle-5.11). --------------------------------------------- https://lwn.net/Articles/871227/ ∗∗∗ Security Bulletin: Bulletin: App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bulletin-app-connect-prof… ∗∗∗ Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.14.0 ESR + CVE-2021-29967) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF14 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affects App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-29834 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) offline documentation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Aspera Web Application (Console, Shares) are affected by jQuery vulnerability (cross-site scripting) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-application-co… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -IBM SDK, Java Technology Edition Quarterly CPU – Jul 2021 – Includes Oracle Jul 2021 CPU (minus CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ F-Secure Internet Gatekeeper: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1020 ∗∗∗ Elastic Stack Misconfiguration can lead to DDoS or Data Exfiltration ∗∗∗ --------------------------------------------- https://securitythreatnews.com/2021/09/29/elastic-stack-misconfiguration-ca… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2021
by Daily end-of-shift report 28 Sep '21

28 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Montag 27-09-2021 18:00 − Dienstag 28-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor ∗∗∗ --------------------------------------------- In-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as FoggyWeb. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. --------------------------------------------- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobeli… ∗∗∗ TLS 1.3 and SSL - the current state of affairs, (Tue, Sep 28th) ∗∗∗ --------------------------------------------- It has been over 3 years since the specification for TLS 1.3 was published, and although the protocol has some minor drawbacks, it is undoubtedly the most secure TLS version so far. One would therefore hope that the adoption of TLS 1.3 and its use on web servers around the globe would steadily increase over time (ideally hand in hand with a slow disappearance of older cryptographic protocols, especially the historic SSL 2.0 and SSL 3.0). --------------------------------------------- https://isc.sans.edu/diary/rss/27882 ∗∗∗ Securing mobile devices. A timely reminder ∗∗∗ --------------------------------------------- If you’re commuting again or if you’re responsible for securing your people’s devices it’s a good idea to revisit and review your security admin for mobile devices. This post isn’t breaking any new ground, but it is a good place to start that review process, and think about your security behaviours. --------------------------------------------- https://www.pentestpartners.com/security-blog/securing-mobile-devices-a-tim… ∗∗∗ Vorsicht, wenn die Wohnungsbesichtigung über booking.com abgewickelt werden sollte ∗∗∗ --------------------------------------------- Sie haben endlich Ihre Traumwohnung gefunden? Der einzige Haken: Sie sollten schon vor der Besichtigung eine Kaution bezahlen, die angeblich von booking.com verwaltet wird? Dann sind Sie auf ein betrügerisches Wohnungsinserat gestoßen. Zahlen Sie keinesfalls eine Kaution vor der Besichtigung. Diese Wohnung gibt es nicht und Sie verlieren Ihre geleistete Zahlung! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-die-wohnungsbesichtigu… ∗∗∗ Highlights From the Unit 42 Cloud Threat Report, 2H 2021 ∗∗∗ --------------------------------------------- In the Unit 42 Cloud Threat Report, 2H 2021, our researchers dive deep into the full scope of supply chain attacks in the cloud and explain often misunderstood details about how they occur. We also provide actionable recommendations any organization can adopt immediately to begin protecting their software supply chains in the cloud. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-threat-report-2h-2021/ ∗∗∗ Anatomy and Disruption of Metasploit Shellcode ∗∗∗ --------------------------------------------- In April 2021 we went through the anatomy of a Cobalt Strike stager and how some of its signature evasion techniques ended up being ineffective against detection technologies. In this blog post we will go one level deeper and focus on Metasploit, an often-used framework interoperable with Cobalt Strike. --------------------------------------------- https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shell… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1116: NETGEAR R7800 net-cgi Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 routers. Authentication is not required to exploit this vulnerability. CVE ID: CVE-2021-34947 --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1116/ ∗∗∗ SSA-728618: Multiple Vulnerabilities in Solid Edge before SE2021MP8 ∗∗∗ --------------------------------------------- Siemens has released a new version for Solid Edge that fixes multiple file parsing vulnerabilities which could be triggered when the application reads files in IFC, JT or OBJ formats. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-728618.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), openSUSE (gd, grilo, nodejs14, and transfig), Oracle (nodejs:14 and squid), Red Hat (kernel and shim and fwupd), SUSE (apache2, atftp, gd, and python-Pillow), and Ubuntu (apache2, linux, linux-aws, linux-aws-5.11, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and vim). --------------------------------------------- https://lwn.net/Articles/871096/ ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- D-LINK Router DIR-X1560 < 1.04B04, D-LINK Router DIR-X6060 < 1.02B01 Ein entfernter, anonymer Angreifer kann eine Schwachstelle in verschiedenen D-LINK Routern ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1019 ∗∗∗ Security Bulletin: IBM Security SOAR is using a version of Elasticsearch that has known vulnerabilities (CVE-2021-22137, CVE-2021-22135) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: PostgreSQL Vulnerability Affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2021-32029) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2021
by Daily end-of-shift report 27 Sep '21

27 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-09-2021 18:00 − Montag 27-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Exploit-Code für Chrome und Edge in Umlauf ∗∗∗ --------------------------------------------- Angriffe auf die Webbrowser Chrome und Edge könnten kurz bevor stehen. Reparierte Versionen stehen zum Download bereit. --------------------------------------------- https://heise.de/-6201629 ∗∗∗ He escaped the Dark Web’s biggest bust. Now he’s back ∗∗∗ --------------------------------------------- DeSnake apparently eluded the takedown of AlphaBay and now plans to resurrect it. --------------------------------------------- https://arstechnica.com/?p=1798352 ∗∗∗ BloodyStealer and gaming assets for sale ∗∗∗ --------------------------------------------- We take a closer look at threats linked to loss of accounts with popular video game digital distribution services, such as Steam and Origin. We also explore the kind of game-related data that ends up on the black market. --------------------------------------------- https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/ ∗∗∗ Video: Strings Analysis: VBA & Excel4 Maldoc, (Sat, Sep 25th) ∗∗∗ --------------------------------------------- I did record a video for my diary entry "Strings Analysis: VBA & Excel4 Maldoc", showing how to use CyberChef to analyze a maldoc. --------------------------------------------- https://isc.sans.edu/diary/rss/27874 ∗∗∗ New Android Malware Steals Financial Data from 378 Banking and Wallet Apps ∗∗∗ --------------------------------------------- The operators behind the BlackRock mobile malware have surfaced back with a new Android banking trojan called ERMAC that targets Poland and has its roots in the infamous Cerberus malware, according to the latest research. "The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays," ThreatFabrics CEO Cengiz Han Sahin said [...] --------------------------------------------- https://thehackernews.com/2021/09/new-android-malware-steals-financial.html ∗∗∗ New security feature in September 2021 Cumulative Update for Exchange Server ∗∗∗ --------------------------------------------- [...] As part of our continued work to help you protect your Exchange Servers, in the September 2021 Cumulative Update (CU) we have added a new feature called the Microsoft Exchange Emergency Mitigation service. This new service is not a replacement for installing Exchange Server Security Updates (SUs), but [...] --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/new-security-feat… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, libxml-security-java, and openssl), Fedora (fetchmail and python-rsa), openSUSE (grafana-piechart-panel and opera), and Red Hat (nodejs:14). --------------------------------------------- https://lwn.net/Articles/870597/ ∗∗∗ Command Injection Vulnerabilities in QVR ∗∗∗ --------------------------------------------- Two command injection vulnerabilities have been reported to affect certain QNAP EOL devices running QVR. If exploited, these vulnerabilities allow remote attackers to run arbitrary commands. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-35 ∗∗∗ GNU C Library (glibc) vulnerability CVE-2021-33574 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43700555 ∗∗∗ LibreSSL: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1014 ∗∗∗ GitHub Enterprise Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1015 ∗∗∗ OpenSSH: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1017 ∗∗∗ FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php ∗∗∗ FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access) ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php ∗∗∗ FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php ∗∗∗ FatPipe Networks WARP 10.2.2 Authorization Bypass ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php ∗∗∗ FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php ∗∗∗ Security Bulletin: OpenSSL for IBM i is affected by CVE-2021-3711 and CVE-2021-3712 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-affe… ∗∗∗ Security Bulletin: CVE-2021-2341 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2341-may-affect-… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Integrated application server and integrated web services for IBM i are affected by CVE-2021-35517 and CVE-2021-36090 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-integrated-application-se… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache HTTP Server affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7774) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.09.2021
by Daily end-of-shift report 24 Sep '21

24 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-09-2021 18:00 − Freitag 24-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sicherheitsupdates: Kritische Admin-Lücke mit Höchstwertung bedroht Cisco-Geräte ∗∗∗ --------------------------------------------- Der Netzwerkausrüster hat jede Menge Sicherheitslücken geschlossen. Erfolgreiche Attacken können gefährliche Auswirkungen haben. --------------------------------------------- https://heise.de/-6200359 ∗∗∗ Frustriert von Apple: Sicherheitsforscher veröffentlicht 0-Day-Lücken für iOS 15 ∗∗∗ --------------------------------------------- Der Konzern habe nur einen der Bugs still gestopft und nicht weiter reagiert, so der Sicherheitsforscher. Die Lücken geben Apps wohl Zugriff auf Nutzerdaten. --------------------------------------------- https://heise.de/-6200907 ∗∗∗ Malware devs trick Windows validation with malformed certs ∗∗∗ --------------------------------------------- Google researchers spotted malware developers creating malformed code signatures seen as valid in Windows to bypass security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-devs-trick-windows-v… ∗∗∗ TangleBot Malware Reaches Deep into Android Device Functions ∗∗∗ --------------------------------------------- The mobile baddie grants itself access to almost everything, enabling spying, data-harvesting, stalking and fraud attacks, among others. --------------------------------------------- https://threatpost.com/tanglebot-malware-device-functions/174999/ ∗∗∗ Keep an Eye on Your Users Mobile Devices (Simple Inventory), (Fri, Sep 24th) ∗∗∗ --------------------------------------------- Today, smartphones are everywhere and became our best friends for many tasks. Probably your users already access their corporate mailbox via a mobile device. If it's not yet the case, you probably have many requests to implement this. They are two ways to achieve this: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27868 ∗∗∗ Fake-Shop-Alarm: Kaufen Sie keine Fahrräder auf efahrrad-shop.com! ∗∗∗ --------------------------------------------- Der Online-Shop efahrrad-shop.com präsentiert sich auf seiner Webseite als „ausgezeichneter und zertifizierter Online Fahrradfachhandel“. Doch wer sich die Seite genauer anschaut, stößt auf zahlreiche Ungereimtheiten. So findet sich ein fehlerhaftes Impressum auf der Webseite und die angegebenen Preise liegen deutlich unter den üblichen Preisen. Alles Hinweise dafür, dass es sich um einen Fake-Shop handelt. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-kaufen-sie-keine-fah… ∗∗∗ FamousSparrow: A suspicious hotel guest ∗∗∗ --------------------------------------------- Yet another APT group that exploited the ProxyLogon vulnerability in March 2021 --------------------------------------------- https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-gu… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1112: Trend Micro HouseCall for Home Networks Uncontrolled Search Path Element Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro HouseCall for Home Networks. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1112/ ∗∗∗ SonicWall warns users to patch critical vulnerability “as soon as possible” ∗∗∗ --------------------------------------------- SonicWall is asking SMA 100 series customers to patch their appliances against a vulnerability that could give attackers administrator access. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/sonicwal… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mupdf), Fedora (ghostscript, gifsicle, and ntfs-3g), openSUSE (kernel and nodejs14), and SUSE (curl, ffmpeg, gd, hivex, kernel, nodejs14, python-reportlab, sqlite3, and xen). --------------------------------------------- https://lwn.net/Articles/870365/ ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected system. These vulnerabilities have been detected in exploits in the wild. CISA encourages users and administrators to review the Apple security page for iOS 12.5.5 and Security Update 2021-006 Catalina and apply the necessary updates as soon as possible. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/09/23/apple-releases-se… ∗∗∗ BIG-IP APM XSS vulnerability CVE-2021-23054 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41997459 ∗∗∗ Trend Micro ServerProtect: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-1010 ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Bind affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Public disclosed vulnerability from OpenSSL affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-public-disclosed-vulnerab… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a WebSphere Application Server vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2021
by Daily end-of-shift report 23 Sep '21

23 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-09-2021 18:00 − Donnerstag 23-09-2021 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers are scanning for VMware CVE-2021-22005 targets, patch now! ∗∗∗ --------------------------------------------- Threat actors have already started targeting Internet-exposed VMware vCenter servers unpatched against a critical arbitrary file upload vulnerability patched yesterday that could lead to remote code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-scanning-for-vmw… ∗∗∗ How REvil May Have Ripped Off Its Own Affiliates ∗∗∗ --------------------------------------------- A newly discovered backdoor and double chats could have enabled REvil ransomware-as-a-service operators to hijack victim cases and snatch affiliates’ cuts of ransom payments. --------------------------------------------- https://threatpost.com/how-revil-may-have-ripped-off-its-own-affiliates/174… ∗∗∗ Excel Recipe: Some VBA Code with a Touch of Excel4 Macro, (Thu, Sep 23rd) ∗∗∗ --------------------------------------------- Microsoft Excel supports two types of macros. The legacy format is known as “Excel4 macro” and the new (but already used for a while) is based on VBA. We already cover both formats in many diaries. Yesterday, I spotted an interesting sample that implements… both! --------------------------------------------- https://isc.sans.edu/diary/rss/27864 ∗∗∗ iOS 15 und macOS 12: Alte TLS-Versionen haben ausgedient ∗∗∗ --------------------------------------------- Apple will TLS 1.0 und 1.1 bald nicht mehr unterstützen. In iOS 15 & Co gelten die alten Versionen des Verschlüsselungsprotokolls bereits als abgekündigt. --------------------------------------------- https://heise.de/-6199902 ∗∗∗ BulletProofLink: Wo der ganze Phishing-Spam herkommt ∗∗∗ --------------------------------------------- Microsoft beschreibt im Detail, wie auch absolute Neulinge ohne Vorkenntnisse spielend leicht ins Geschäft mit geklauten Zugangsdaten einsteigen können. --------------------------------------------- https://heise.de/-6199720 ∗∗∗ Cyber Threats to Global Electric Sector on the Rise ∗∗∗ --------------------------------------------- The number of cyber intrusions and attacks targeting the Electric sector is increasing and in 2020 Dragos identified three new Activity Groups (AGs) targeting the Electric Sector: [...] --------------------------------------------- https://www.dragos.com/blog/industry-news/cyber-threats-to-global-electric-… ∗∗∗ Plugging the holes: How to prevent corporate data leaks in the cloud ∗∗∗ --------------------------------------------- Misconfigurations of cloud resources can lead to various security incidents and ultimately cost your organization dearly. Here’s what you can do to prevent cloud configuration conundrums. --------------------------------------------- https://www.welivesecurity.com/2021/09/22/plugging-holes-how-prevent-corpor… ∗∗∗ Rückblick auf das zweite Drittel 2021 ∗∗∗ --------------------------------------------- Das zweite Drittel 2021 ist vorbei und wie auch das erste gab es viel zu tun. Microsofts Exchange Server war diesmal nicht die einzige Mailserver-Software, in der kritische Lücken gefunden wurden; exim reihte sich mit gleich 21 Schwachsstellen in die Liste ein. Außerdem ging ab Juni wieder eine DDoS-Erpressungswelle um. --------------------------------------------- https://cert.at/de/blog/2021/9/ruckblick-auf-das-zweite-drittel-2021 ∗∗∗ CISA, FBI, and NSA Release Joint Cybersecurity Advisory on Conti Ransomware ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) alerting organizations of increased Conti ransomware attacks. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/09/22/cisa-fbi-and-nsa-… ∗∗∗ CISA Releases Guidance: IPv6 Considerations for TIC 3.0 ∗∗∗ --------------------------------------------- The federal government has prioritized the transition of federal networks to Internet Protocol version 6 (IPv6) since the release of Office of Management and Budget (OMB) Memorandum 05-22 in 2005. In 2020, OMB renewed its focus on IPv6 through the publication of OMB Memorandum 21-07. That memorandum specifically entrusts CISA with enhancing the Trusted Internet Connections (TIC) program to fully support the implementation of IPv6 in federal IT systems. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2021/09/23/cisa-releases-gui… ∗∗∗ Securing Microservices ∗∗∗ --------------------------------------------- Do you remember how it felt to get your first email account? Not only were you able to communicate with multiple people in a fast and efficient manner, it also gave you an online identity you could use to access a wide range of services. As time progressed, though, you became increasingly aware of email’s […] --------------------------------------------- https://www.intezer.com/blog/cloud-security/securing-microservices/ ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal Security Advisories ∗∗∗ --------------------------------------------- Drupal hat 12 Security Advisories zu "Contributed projects", d.h. Software, die nicht vom Drupal-Team selbst entwickelt wird, veröffentlicht. Vier davon werden als "Critical" eingestuft. --------------------------------------------- https://www.drupal.org/security/contrib ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBMs PSIRT hat 26 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 31 Security Advisories veröffentlicht. Drei davon werden als "Critical" eingestuft, 13 als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ruby-kaminari and tomcat8), Mageia (389-ds-base, ansible, apache, apr, cpio, curl, firefox, ghostscript, gifsicle, gpac, libarchive, libgd, libssh, lynx, nextcloud-client, openssl, postgresql, proftpd, python3, thunderbird, tor, and vim), openSUSE (chromium, ffmpeg, grilo, hivex, linuxptp, and samba), Oracle (go-toolset:ol8, kernel, kernel-container, krb5, mysql:8.0, and nodejs:12), SUSE (ffmpeg, firefox, grilo, hivex, kernel, linuxptp, nodejs14, and --------------------------------------------- https://lwn.net/Articles/870190/ ∗∗∗ Trane Symbio ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Code Injection vulnerability in Trane Symbio 700 and Symbio 800 controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01 ∗∗∗ Trane Tracer ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Code Injection vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge building automation products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-266-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2021
by Daily end-of-shift report 22 Sep '21

22 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-09-2021 18:00 − Mittwoch 22-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Apple users warned: Clicking this attachment will take over your macOS ∗∗∗ --------------------------------------------- A code execution bug in Apple's macOS allows remote attackers to run arbitrary commands on your device. And the worst part is, Apple hasn't fully patched it yet, as tested by Ars. --------------------------------------------- https://arstechnica.com/?p=1797268 ∗∗∗ Datenanalyse: Steigende Zahl automatisierter Cyberangriffe ∗∗∗ --------------------------------------------- Automatisierung ist seit Jahren ein wichtiges Thema. Auch Online-Kriminelle haben laut eine Analyse die Vorteile für sich entdeckt. Kriminelle Hacker setzen nach einer neuen Datenanalyse bei Cyberangriffen immer häufiger auf automatisierte Massenattacken. Seltener werden dagegen gezielte Angriffe, bei denen Hacker noch persönlich am Computer sitzen... --------------------------------------------- https://heise.de/-6198205 ∗∗∗ Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners ∗∗∗ --------------------------------------------- We strongly recommend updating immediately to the latest patched version of Ninja Forms to patch these security issues, which is version 3.5.8.2 of Ninja Forms at the time of this publication. --------------------------------------------- https://www.wordfence.com/blog/2021/09/recently-patched-vulnerabilities-in-… ∗∗∗ Bei diesen Investitionsplattformen verlieren Sie Ihr Geld ∗∗∗ --------------------------------------------- Im Internet findet man unzählige Möglichkeiten, Geld einfach und unkompliziert zu investieren. Auf Trading-Plattformen wie infinitycapitalg.com, suntonfx.com oder windsorglobalaustria.com werden hohe Gewinnchancen, auch ohne großes Finanzwissen versprochen. Klingt zwar sehr verlockend, führt in Wahrheit aber zu sehr hohen Verlusten! Unser Tipp: Checken Sie die Investorenwarnungen der Finanzmarktaufsicht. --------------------------------------------- https://www.watchlist-internet.at/news/bei-diesen-investitionsplattformen-v… ∗∗∗ Microsoft Exchange Autodiscover-Designfehler ermöglicht Abgriff von Zugangsdaten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Guardicore sind in Microsoft Exchange auf einen Designfehler gestoßen, der es Angreifern ermöglicht, über externe Autodiscover-Domains die Anmeldedaten von Domains abzugreifen. Möglich wird dies, weil sich Autodiscover-Domains außerhalb der Domäne des Nutzers (aber noch in derselben TLD) missbrauchen lassen. --------------------------------------------- https://www.borncity.com/blog/2021/09/22/microsoft-exchange-autodiscover-de… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1104: McAfee Endpoint Security Incorrect Permission Assignment Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of McAfee Endpoint Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1104/ ∗∗∗ Patch now! Insecure Hikvision security cameras can be taken over remotely ∗∗∗ --------------------------------------------- The vulnerability found by Watchfull_IP is listed under CVE-2021-36260 and could allow an unauthenticated attacker to gain full access to the device and possibly perform lateral movement into internal networks.. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-no… ∗∗∗ September 22, 2021 TNS-2021-16 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1 ∗∗∗ --------------------------------------------- One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution, and in line with best practice, Tenable opted to upgrade the bundled OpenSSL components to address the potential impact of these issues. Tenable.sc patch SC-202109.1 updates OpenSSL to version 1.1.1l to address the identified vulnerabilities. --------------------------------------------- http://www.tenable.com/security/tns-2021-16 ∗∗∗ VMSA-2021-0020 ∗∗∗ --------------------------------------------- Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. CVSSv3 Range: 4.3-9.8 CVE(s): CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22012, CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017, CVE-2021-22018, CVE-2021-22019, CVE-2021-22020 --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0020.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grilo), Fedora (curl, firefox, mingw-python-pillow, python-pillow, python2-pillow, and webkit2gtk3), openSUSE (chromium, grafana-piechart-panel, kernel, libcroco, php-composer, and xen), Oracle (curl, kernel, and nss and nspr), Red Hat (nodejs:12), Slackware (alpine), SUSE (ghostscript, grafana-piechart-panel, kernel, and xen), and Ubuntu (linux, linux-hwe, linux-hwe-5.11, linux-hwe-5.4, linux-raspi, linux-raspi-5.4, and linux-raspi2). --------------------------------------------- https://lwn.net/Articles/870002/ ∗∗∗ Apple iTunes: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann mehrere Schwachstellen in Apple iTunes ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0997 ∗∗∗ Apple Safari: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann mehrere Schwachstellen in Apple Safari ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0996 ∗∗∗ Apple macOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Apple macOS ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen, beliebigen Programmcode auszuführen, Informationen offenzulegen, seine Privilegien zu erhöhen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0994 ∗∗∗ Apple macOS: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apple macOS ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1000 ∗∗∗ Security Advisory - Server-Side Request Forgery Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210922-… ∗∗∗ Security Advisory - Improper File Upload Control Vulnerability in Huawei FusionCompute Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210922-… ∗∗∗ Security Advisory - Command Injection Vulnerability in Huawei FusionCompute Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210922-… ∗∗∗ Security Bulletin: IBM® Java™ SDK Technology Edition affects IBM Security Verify Governance, Identity Manager virtual appliance component (ISVG IMVA) (CVE-2020-14781,CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-technology-e… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2021-20377, CVE-2020-4690) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM QRadar Azure marketplace images include Open Management Infrastructure RPM, which is vulnerable to Remote Code Execution (CVE-2021-38647) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-azure-marketpl… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2021-29800) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities (CVE-2021-3538, CVE-2021-33502, CVE-2021-3450, CVE-2021-3449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Bind affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise v11, v12 (CVE-2020-7608) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component (ISVG IMVA) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2021
by Daily end-of-shift report 21 Sep '21

21 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Montag 20-09-2021 18:00 − Dienstag 21-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ A guide to combatting human-operated ransomware: Part 1 ∗∗∗ --------------------------------------------- As human-operated ransomware is on the rise, Microsoft’s Detection and Response Team (DART) shares how they investigate these attacks and what to consider when faced with a similar event in your organization. --------------------------------------------- https://www.microsoft.com/security/blog/2021/09/20/a-guide-to-combatting-hu… ∗∗∗ Mama Always Told Me Not to Trust Strangers without Certificates (Moar Netgear Pwnage) ∗∗∗ --------------------------------------------- This blog post details a vulnerability, the exploitation of which results in Remote Code Execution (RCE) as root, that impacts many modern Netgear Small Offices/Home Offices (SOHO) devices. The vulnerability isn’t your typical router vulnerability, in that the source of the vulnerability is located within a third-party component included in the firmware of many Netgear devices. This code is part of Circle, which adds parental control features to these devices. --------------------------------------------- https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html ∗∗∗ Does Your Organization Have a Security.txt File? ∗∗∗ --------------------------------------------- It happens all the time: Organizations get hacked because there isnt an obvious way for security researchers to let them know about security vulnerabilities or data leaks. Or maybe it isnt entirely clear who should get the report when remote access to an organizations internal network is being sold in the cybercrime underground. In a bid to minimize these scenarios, a growing number of major companies are adopting "Security.txt," a proposed new Internet standard... --------------------------------------------- https://krebsonsecurity.com/2021/09/does-your-organization-have-a-security-… ∗∗∗ TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines ∗∗∗ --------------------------------------------- Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware. --------------------------------------------- https://blog.talosintelligence.com/2021/09/tinyturla.html ∗∗∗ OpenOffice Vulnerability Exposes Users to Code Execution Attacks ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in Apache OpenOffice could be exploited to execute arbitrary code on target machines using malicious documents. Tracked as CVE-2021-33035 and discovered by security researcher Eugene Lim, the bug affects OpenOffice versions up to 4.1.10, with patches deployed in the 4.1.11 beta only, meaning that most installations out there are likely vulnerable. --------------------------------------------- https://www.securityweek.com/openoffice-vulnerability-exposes-users-code-ex… ∗∗∗ Vorsicht beim Welpen-Kauf im Internet! ∗∗∗ --------------------------------------------- Wollen Sie online einen Hundewelpen kaufen? Wenn ja, dann stoßen Sie möglicherweise auf unseriöse Angebote. Der Watchlist Internet werden derzeit zahlreiche Seiten gemeldet, die angeben Rasse-Hundewelpen zu verkaufen und das meist zu einem günstigen Preis. Nicht nur die Preise, sondern auch liebevolle Fotos und Beschreibungen verlocken dazu, einen Kauf zu tätigen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-welpen-kauf-im-interne… ∗∗∗ Russian security firm sinkholes part of the dangerous Meris DDoS botnet ∗∗∗ --------------------------------------------- Rostelecom-Solar, the cybersecurity division of Russian telecom giant Rostelecom, said on Monday that it sinkholed a part of the Meris DDoS botnet after identifying a mistake from the malwares creators. --------------------------------------------- https://therecord.media/russian-security-firm-sinkholes-part-of-the-dangero… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 21 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk, wpewebkit, and xen), Oracle (kernel), Red Hat (curl, go-toolset:rhel8, krb5, mysql:8.0, nodejs:12, and nss and nspr), and Ubuntu (curl and tiff). --------------------------------------------- https://lwn.net/Articles/869923/ ∗∗∗ Apple iOS & iPadOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- iOS 15 und iPadOS 15 sowie iOS 14.8 und iPadOS 14.8 veröffentlicht. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0993 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2021
by Daily end-of-shift report 20 Sep '21

20 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-09-2021 18:00 − Montag 20-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Krypto-Miner schlüpft durch OMIGOD-Lücken auf Azure-Server ∗∗∗ --------------------------------------------- Angreifer attackieren derzeit Azure-Kunden mit virtuellen Linux-PCs. Admins sollten jetzt handeln und die verfügbaren Sicherheitsupdates installieren. --------------------------------------------- https://heise.de/-6195928 ∗∗∗ Epik data breach impacts 15 million users, including non-customers ∗∗∗ --------------------------------------------- Scraped WHOIS data of NON-Epik customers also exposed in the 180 GB leak. --------------------------------------------- https://arstechnica.com/?p=1796568 ∗∗∗ Bring Your APIs Out of the Shadows to Protect Your Business ∗∗∗ --------------------------------------------- APIs are immensely more complex to secure. Shadow APIs - those unknown or forgotten API endpoints that escape the attention and protection of IT - present a real risk to your business. Learn how to identify shadow APIs and take control of them before attackers do. --------------------------------------------- https://threatpost.com/apis-out-of-shadows-protect-your-business/169334/ ∗∗∗ Video: Simple Analysis Of A CVE-2021-40444 .docx Document, (Sun, Sep 19th) ∗∗∗ --------------------------------------------- I created a video for the analysis I described in my last diary entry "Simple Analysis Of A CVE-2021-40444 .docx Document". --------------------------------------------- https://isc.sans.edu/diary/rss/27850 ∗∗∗ EventBuilder Exposed Information of Over 100,000 Event Registrants ∗∗∗ --------------------------------------------- Event management company EventBuilder exposed files containing the personal information of at least 100,000 users who registered for events on its platform. --------------------------------------------- https://www.securityweek.com/eventbuilder-exposed-information-over-100000-e… ∗∗∗ Network Security Trends: May-July 2021 ∗∗∗ --------------------------------------------- Network security trends, May-July 2021: We analyze how vulnerabilities are being exploited in the wild and rank the most common types of attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/network-security-trends/ ∗∗∗ Threat landscape for industrial automation systems. Statistics for H1 2021 ∗∗∗ --------------------------------------------- In H1 2021, the percentage of ICS computers on which malicious objects were blocked was 33.8%, which was 0.4 p.p. more than in H2 2020. --------------------------------------------- https://ics-cert.kaspersky.com/reports/2021/09/09/threat-landscape-for-indu… ∗∗∗ ‘Yes, we are breaking the law:’ An interview with the operator of a marketplace for stolen data ∗∗∗ --------------------------------------------- A website called Marketo emerged earlier this year, billing itself as a marketplace where people can buy leaked data. Although Marketo isn’t a ransomware group, it appears to borrow key strategies from those types of threat actors. --------------------------------------------- https://therecord.media/yes-we-are-breaking-the-law-an-interview-with-the-o… ===================== = Vulnerabilities = ===================== ∗∗∗ #OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports., (Mon, Sep 20th) ∗∗∗ --------------------------------------------- After the "OMIGOD" vulnerability details were made public, and it became obvious that exploiting vulnerable hosts would be trivial, researchers and attackers started pretty much immediately to scan for vulnerable hosts. We saw a quick rise of scans, particularly against port:1270. --------------------------------------------- https://isc.sans.edu/diary/rss/27852 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28, nettle, nextcloud-desktop, and openssl1.0), Fedora (dovecot-fts-xapian, drupal7, ghostscript, haproxy, libtpms, lynx, wordpress, and xen), openSUSE (xen), Red Hat (rh-ruby27-ruby), and SUSE (openssl, openssl1, and xen). --------------------------------------------- https://lwn.net/Articles/869863/ ∗∗∗ Researchers put together a list of vulnerabilities abused by Ransomware - Look for these immediately ∗∗∗ --------------------------------------------- LINK To make it easy, I pulled it and created a simple txt list you can use. These are the some of the initial access methods. --------------------------------------------- https://securitythreatnews.com/2021/09/20/researchers-put-together-a-list-o… ∗∗∗ McAfee Endpoint Security: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K21-0991 ∗∗∗ Security Bulletin: IBM Aspera Webapps are vulnerable to cross-site scripting (CVE-2020-11022, CVE-2020-11023). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-are-vu… ∗∗∗ Security Bulletin: IBM SDK, Java Tech Edition Quarterly CPU – Apr 2021 + Oracle Apr 2021; Jul 2021 + Oracle 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-tech-edition… ∗∗∗ Security Bulletin: Aspera Web Applications (Shares, Console) are affected by OpenSSL Vulnerabilities (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-applications-s… ∗∗∗ Security Bulletin: IBM Data Replication Java SDK Update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java… ∗∗∗ Security Bulletin: IBM Data Replication Java SDK Update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java… ∗∗∗ Security Bulletin: ISC DHCP for IBM i is affected by CVE-2021-25217 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-isc-dhcp-for-ibm-i-is-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Data Replication Java SDK Update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data could allow a local user with special privileges to obtain highly sensitive information ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-co… ∗∗∗ Security Bulletin: IBM Aspera Webapps products (Shares, Console) are affected by OpenSSL Vulnerability (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-produc… ∗∗∗ Security Bulletin: IBM Aspera Webapps (Shares, Console) are vulnerable to an OpenSSL Vunerability (CVE-2020-7656). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-shares… ∗∗∗ Security Bulletin: IBM SDK, Java Tech Edition Quarterly CPU Apr 2021 + Oracle APR 2021; Jul 2021 + Oracle Jul 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-tech-edition… ∗∗∗ Security Bulletin: Aspera Web Applications (Shares, Console) are affected by an OpenSSL Vulnerability (CVE-2020-1971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-applications-s… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Commons* affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities is affecting Tivoli Netcool/OMNIbus WebGUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2021
by Daily end-of-shift report 17 Sep '21

17 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-09-2021 18:00 − Freitag 17-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ OMIGOD: Microsoft lässt Azure-Admins mit Linux-Lücke allein ∗∗∗ --------------------------------------------- Kritische Lücken in der Microsoft-Cloud ermöglichen Root-Angriffe auf Linux-VMs. Microsoft weist die Verantwortung für wichtige Updates allerdings von sich. --------------------------------------------- https://heise.de/-6194618 ∗∗∗ US-Heimatschutz warnt vor weitreichenden Angriffen über Zoho ADSelfService Plus ∗∗∗ --------------------------------------------- Über eine kritische Sicherheitslücke haben sich APT-Gruppen Zugang zu den Netzwerken mehrerer Organisationen verschafft. --------------------------------------------- https://heise.de/-6194780 ∗∗∗ Exploitation of the CVE-2021-40444 vulnerability in MSHTML ∗∗∗ --------------------------------------------- Last week, Microsoft reported the RCE vulnerability CVE-2021-40444 in the MSHTML browser engine. Kaspersky is aware of targeted attacks using this vulnerability, and our products protect against attacks leveraging it. --------------------------------------------- https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-… ∗∗∗ Malicious Calendar Subscriptions Are Back?, (Fri, Sep 17th) ∗∗∗ --------------------------------------------- Did this threat really disappear? This isnt a brand new technique to deliver malicious content to mobile devices but it seems that attackers started new waves of spam campaigns based on malicious calendar subscriptions. --------------------------------------------- https://isc.sans.edu/diary/rss/27846 ∗∗∗ A Cheat-Sheet on Internet Cookies – (Who, What, When, Why & How) ∗∗∗ --------------------------------------------- What are internet cookies, how should you feel about them? Are they helpful, harmless, dangerous? Cookies are key to our modern online experience with targeted website ads and predictive search text that seems to read our minds. Cookies help us gain a customized online experience, but what do we lose? Are we being manipulated by our own data? --------------------------------------------- https://blog.sucuri.net/2021/09/a-cheat-sheet-on-internet-cookies-who-what-… ∗∗∗ AMD Chipset Driver Vulnerability Can Allow Hackers to Obtain Sensitive Data ∗∗∗ --------------------------------------------- Chipmaker AMD has patched a driver vulnerability that could allow an attacker to obtain sensitive information from the targeted system. --------------------------------------------- https://www.securityweek.com/amd-chipset-driver-vulnerability-can-allow-hac… ∗∗∗ DDoS botnets, cryptominers target Azure systems after OMIGOD exploit goes public ∗∗∗ --------------------------------------------- Threat actors are attacking Azure Linux-based servers using a recently disclosed security flaw named OMIGOD in order to hijack vulnerable systems into DDoS or crypto-mining botnets. --------------------------------------------- https://therecord.media/ddos-botnets-cryptominers-target-azure-systems-afte… ===================== = Vulnerabilities = ===================== ∗∗∗ Analysis of CVE-2021-30860 ∗∗∗ --------------------------------------------- In this guest blog post, the security researcher Tom McGuire details the flaw and fix of CVE-2021-30860, a zero-click vulnerability, exploited in the wild. --------------------------------------------- https://objective-see.com/blog/blog_0x67.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Fedora (haproxy, wordpress, and xen), openSUSE (apache2-mod_auth_openidc, fail2ban, ghostscript, haserl, libcroco, nextcloud, and wireshark), Oracle (kernel and kernel-container), Slackware (httpd), SUSE (crmsh, gtk-vnc, libcroco, Mesa, postgresql12, postgresql13, and transfig), and Ubuntu (libgcrypt20, linux-gcp, linux-gcp-4.15, linux-hwe-5.4, linux-oem-5.13, python3.4, python3.5, and qtbase-opensource-src). --------------------------------------------- https://lwn.net/Articles/869521/ ∗∗∗ Siemens RUGGEDCOM ROX ∗∗∗ --------------------------------------------- This advisory contains mitigations for Exposure of Sensitive Information to an Unauthorized Actor, Execution with Unnecessary Privileges, and Improper Handling of Insufficient Permissions or Privileges vulnerabilities in Siemens RUGGEDCOM ROX devices. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-259-01 ∗∗∗ Schneider Electric EcoStruxure and SCADAPack ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Path Traversal vulnerability in Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect software designed for the x70 SCADAPack system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-259-02 ∗∗∗ Siemens Teamcenter ∗∗∗ --------------------------------------------- This advisory contains mitigations for Privilege Defined with Unsafe Actions, Authorization Bypass Through User-Controlled Key, and Improper Restriction of XML External Entity Reference vulnerabilities in the Siemens Teamcenter virtualization platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-257-08 ∗∗∗ Security Bulletin: A security vulnerability in NGINX ffects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js pac-resolver module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Golang GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Golang Go affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in IBM Http server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: A security vulnerability in Node.js xmlhttprequest-ssl module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: September 2021 :Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-september-2021-multiple-v… ∗∗∗ Security Bulletin: A security vulnerability in Node.js xmlhttprequest-ssl module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: September 2021 : A vulnerability in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-september-2021-a-vulnerab… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2021
by Daily end-of-shift report 16 Sep '21

16 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-09-2021 18:00 − Donnerstag 16-09-2021 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing 101: why depend on one suspicious message subject when you can use many?, (Thu, Sep 16th) ∗∗∗ --------------------------------------------- There are many e-mail subjects that people tend to associate with phishing due to their overuse in this area. Among the more traditional and common phishing subjects, that most people have probably seen at some point, are variations on the [...] --------------------------------------------- https://isc.sans.edu/diary/rss/27842 ∗∗∗ Third Critical Bug Affects Netgear Smart Switches — Details and PoC Released ∗∗∗ --------------------------------------------- New details have been revealed about a recently remediated critical vulnerability in Netgear smart switches that could be leveraged by an attacker to potentially execute malicious code and take control of vulnerable devices. The flaw — dubbed "Seventh Inferno" (CVSS score: 9.8) — is part of a trio of security weaknesses, called Demons Cries (CVSS score: 9.8) and Draconian Fear (CVSS score: 7.8) --------------------------------------------- https://thehackernews.com/2021/09/third-critical-bug-affects-netgear.html ∗∗∗ PetitPotam – NTLM Relay to AD CS ∗∗∗ --------------------------------------------- Deployment of an Active Directory Certificate Services (AD CS) on a corporate environment could allow system administrators to utilize it for establishing trust between different directory objects. However, it could allow red team operators to conduct an NTLM relay attack towards the web interface of an AD CS in order to compromise the network. --------------------------------------------- https://pentestlab.blog/2021/09/14/petitpotam-ntlm-relay-to-ad-cs/ ∗∗∗ Hunderttausende MikroTik-Router sind seit 2018 angreifbar ∗∗∗ --------------------------------------------- Ein auf die Geräte spezialisiertes Botnetz hat in den vergangenen Monaten großangelegte Angriffe auf Cloudflare und Yandex zu verantworten. --------------------------------------------- https://heise.de/-6193825 ∗∗∗ Operation Layover: How we tracked an attack on the aviation industry to five years of compromise ∗∗∗ --------------------------------------------- Cisco Talos linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years. The same actor has been running successful malware campaigns for more than five years. --------------------------------------------- https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked… ∗∗∗ Vorsicht vor unseriösen Shops auf Pinterest ∗∗∗ --------------------------------------------- Günstige Modeangebote auf Pinterest entpuppen sich im Nachhinein als Kostenfalle. Oft kommt es zu hohen Lieferkosten, Zollkosten oder Rücksendekosten – Falls Retouren überhaupt akzeptiert werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-unserioesen-shops-auf-p… ∗∗∗ Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit ∗∗∗ --------------------------------------------- RiskIQ’s Team Atlas assesses with high confidence that the network infrastructure supporting the exploitation of a Windows zero-day vulnerability disclosed by Microsoft on September 7, CVE-2021-40444, shares historical connections with that of a ransomware syndicate known as WIZARD SPIDER. This group, also tracked separately under the names UNC1878 and RYUK, deploys several different ransomware families in targeted Big-Game Hunting campaigns. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/wizard-spider-window… ∗∗∗ Dangling Domains: Security Threats, Detection and Prevalence ∗∗∗ --------------------------------------------- Dangling domains are a largely overlooked threat in DNS, but they can be exploited for domain hijacking and are important to detect. --------------------------------------------- https://unit42.paloaltonetworks.com/dangling-domains/ ∗∗∗ New Go malware Capoae targets WordPress installs, Linux systems ∗∗∗ --------------------------------------------- Capoae highlights the increase of cyberattacks designed to deploy cryptocurrency-mining payloads. --------------------------------------------- https://www.zdnet.com/article/new-go-malware-capoae-targets-wordpress-insta… ∗∗∗ Malware samples found trying to hack Windows from its Linux subsystem ∗∗∗ --------------------------------------------- Security researchers at Lumens Black Lotus Labs have found a series of malware samples that were configured to infect the Windows Subsystem for Linux and then pivot to its native Windows environment. --------------------------------------------- https://therecord.media/malware-samples-found-trying-to-hack-windows-from-i… ∗∗∗ Universal decryptor released for past REvil ransomware victims ∗∗∗ --------------------------------------------- Romanian cybersecurity firm Bitdefender has published today a universal decryption utility that will be able to help past victims of the REvil (Sodinokibi) ransomware gang recover their encrypted files — if they still have them. --------------------------------------------- https://therecord.media/universal-decryptor-released-for-past-revil-ransomw… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke ohne Patch gefährdet ältere IBM-System-X-Server ∗∗∗ --------------------------------------------- Die Server werden seit 2020 nicht mehr mit Updates versorgt. Angreifer können sie nun über eine Lücke in der Firmware der Admin-Schnittstelle IMM kapern. --------------------------------------------- https://heise.de/-6193718 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sssd), Fedora (libtpms and vim), openSUSE (kernel and php7-pear), Oracle (kernel), Slackware (curl), and Ubuntu (libgcrypt20 and squashfs-tools). --------------------------------------------- https://lwn.net/Articles/869380/ ∗∗∗ Several Access Bypass, CSRF Vulnerabilities Patched in Drupal ∗∗∗ --------------------------------------------- Drupal developers on Wednesday informed users that updates released for Drupal 8.9, 9.1 and 9.2 patch five vulnerabilities that can be exploited for cross-site request forgery (CSRF) and access bypass. --------------------------------------------- https://www.securityweek.com/several-access-bypass-csrf-vulnerabilities-pat… ∗∗∗ iTunes U 3.8.3 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT212809 ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to Information Disclosure (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM Aspera Webapps are vulnerable to cross-site scripting (CVE-2020-7656). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-are-vu… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: libXml2 used by IBM InfoSphere Identity Insight has a potential vulnerability (CVE-2021-3518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-libxml2-used-by-ibm-infos… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure, exposing remote storage credentials to privileged users under specific conditions.(CVE-2021-29752) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Bouncy Castle affect IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-bouncy… ∗∗∗ Security Bulletin: IBM® Db2® could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. (CVE-2021-29825) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-disclose-se… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Apr 2021 – Includes Oracle Apr 2021 CPU minus CVE-2021-2163 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM® Db2® under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory.and cause a denial of service. (CVE-2021-29763) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-under-very-specif… ∗∗∗ OpenSSH: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0979 ∗∗∗ Kubernetes: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0977 ∗∗∗ Fluent Bit: Schwachstelle ermöglicht Darstellen falscher Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0985 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0980 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2021
by Daily end-of-shift report 15 Sep '21

15 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-09-2021 18:00 − Mittwoch 15-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Phishing-Alarm: Kriminelle behaupten Ihr Amazon-Konto sei gesperrt! ∗∗∗ --------------------------------------------- BetrügerInnen verschicken derzeit ein vermeintliches E-Mail von Amazon. Darin behaupten sie, dass Ihr Amazon-Konto und alle ausstehenden Bestellungen gesperrt wurden. Wer gerade etwas bestellt hat, ärgert sich natürlich über diese E-Mail. Doch es besteht kein Grund zur Sorge. Kriminelle versuchen nur an Ihre Zugangsdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-kriminelle-behaupten-… ∗∗∗ The September 2021 Security Update Review ∗∗∗ --------------------------------------------- It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Apple and Google Chrome also released updates yesterday to fix bugs under active attack. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings. --------------------------------------------- https://www.thezdi.com/blog/2021/9/14/the-september-2021-security-update-re… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-21-1066: (0Day) Parallels Desktop virtio-net Memory Corruption Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1066/ ∗∗∗ Cisco IOS XR Software IP Service Level Agreements and Two-Way Active Measurement Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the IP Service Level Agreements (IP SLA) responder and Two-Way Active Measurement Protocol (TWAMP) features of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause device packet memory to become exhausted or cause the IP SLA process to crash, resulting in a denial of service (DoS) condition. Version 1.1: Added additional SMUs. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Vulnerabilities in the Autodesk FBX Review software ∗∗∗ --------------------------------------------- Applications and Services that utilize the Autodesk FBX Review have been affected by Use-After-Free, Memory Corruption, Out-Of-Bounds Read, Untrusted Pointer Dereference, Out-Of-Bounds Write, and Directory Traversal vulnerabilities. Exploitation of these vulnerabilities could lead to remote code execution and/or denial-of-service. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001 ∗∗∗ Patchday: Microsoft schließt von Angreifern ausgenutzte Lücke in Windows ∗∗∗ --------------------------------------------- Seit Anfang September haben Angreifer eine Windows-Lücke im Visier. Nun gibt es Sicherheitsupdates. Auch PrintNightmare spielt am Patchday nochmal eine Rolle. --------------------------------------------- https://heise.de/-6192327 ∗∗∗ SAP schließt ungewohnt viele kritische Sicherheitslücken zum Patchday ∗∗∗ --------------------------------------------- Admins aufgepasst: SAPs Security Advisory zum Patchday im September beinhaltet gleich fünf Hinweise zu kritischen Lücken in NetWeaver und weiteren Produkten. --------------------------------------------- https://heise.de/-6192352 ∗∗∗ Patchday: Adobe schließt Schadcode-Lücken in Photoshop & Co. ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für verschiedene Anwendungen von Adobe erschienen. Der Softwarehersteller stuft viele Schwachstellen als kritisch ein. --------------------------------------------- https://heise.de/-6192382 ∗∗∗ Mozilla NSS vulnerability CVE-2020-12413 ∗∗∗ --------------------------------------------- This can lead to an attacker being able to compute the pre-master secret in connections that have used a Diffie-Hellman (DH)-based cipher suite. In such a case, this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The highest threat from this vulnerability is to data confidentiality. Affected products: F5OS, Traffix SDC --------------------------------------------- https://support.f5.com/csp/article/K28409184 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, element-desktop, element-web, firefox, ghostscript, and hedgedoc), Fedora (kernel and openssl), openSUSE (ghostscript, htmldoc, and openssl-1_0_0), Oracle (libtirpc), Red Hat (cyrus-imapd, kernel, and kernel-rt), SUSE (ghostscript), and Ubuntu (apport, curl, and squashfs-tools). --------------------------------------------- https://lwn.net/Articles/869301/ ∗∗∗ Linux Kernel: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0970 ∗∗∗ cURL: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in cURL ausnutzen, um einen Denial of Service Angriff durchzuführen oder die Kryptographie zu umgehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0969 ∗∗∗ Internet Systems Consortium BIND: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Internet Systems Consortium BIND ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0968 ∗∗∗ AMD Prozessoren und Chipsätze: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle im AMD Prozessoren und Chipsätzen ausnutzen, um Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0967 ∗∗∗ SYSS-2021-040: TechRadar for Confluence Server 5.6 - 7.13.0 – Persistent Cross-Site Scripting (XSS) in Feld "Title" (CVE-2021-37412) ∗∗∗ --------------------------------------------- Das Atlassian Confluence Plug-in “TechRadar” verwendet bis Version 1.1 keine ausreichende Eingabevalidierung. Dadurch sind Persistent XSS-Angriffe möglich. --------------------------------------------- https://www.syss.de/pentest-blog/syss-2021-040-techradar-for-confluence-ser… ∗∗∗ Microsoft Azure-Schwachstelle OMIGOD in Linux VMs patchen ∗∗∗ --------------------------------------------- Wer unter Microsoft Azure für Linux-VMs verantwortlich ist, muss dringend reagieren. Dort wurden stillschweigen einen Verwaltungsagenten installiert, der RCE- und LPE-Schwachstellen aufweisen. Die OMIGOD genannte Sicherheitslücke muss manuell gepatcht werden, da kein Azure-update-Mechanismus existiert. --------------------------------------------- https://www.borncity.com/blog/2021/09/15/microsoft-azure-schwachstelle-omig… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11, V12 (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK July 2021 CPU affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to Denial of Service via CVE-2021-34558 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to Denial of Service via CVE-2021-33198 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by the following vulnerabilities ( CVE-2021-29773, CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using weaker than expected cryptographic algorithms (CVE-2021-29750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information Exposure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to Denial of Service via CVE-2021-33196 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Digi PortServer TS 16 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01 ∗∗∗ Johnson Controls Sensormatic Electronics KT-1 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-257-02-0 ∗∗∗ Schneider Electric Struxureware Data Center Expert ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-257-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2021
by Daily end-of-shift report 14 Sep '21

14 Sep '21

===================== = End-of-Day report = ===================== Timeframe: Montag 13-09-2021 18:00 − Dienstag 14-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New Zloader attacks disable Windows Defender to evade detection ∗∗∗ --------------------------------------------- An ongoing Zloader campaign uses a new infection chain to disable Microsoft Defender Antivirus (formerly Windows Defender) on victims computers to evade detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-zloader-attacks-disable-… ∗∗∗ Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike ∗∗∗ --------------------------------------------- In August 2021, we at Intezer discovered a fully undetected ELF implementation of Cobalt Strike’s beacon, which we named Vermilion Strike. The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files. The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementat… ∗∗∗ Lücken im Matrix-Protokoll gefährden Ende-zu-Ende-Verschlüsselung von Messengern ∗∗∗ --------------------------------------------- Aufgrund von kritischen Lücken in verschiedenen Matrix-Clients könnten Angreifer eigentlich verschlüsselte Nachrichten mitlesen. --------------------------------------------- https://heise.de/-6191625 ∗∗∗ Apple releases emergency update: Patch, but don’t panic ∗∗∗ --------------------------------------------- Spyware developed by the company NSO Group is back in the news today after Apple released an emergency fix for iPhones, iPads, Macs, and Apple Watches. The update fixes a vulnerability silently exploited by software called Pegasus, which is often used in high-level surveillance campaigns by governments. --------------------------------------------- https://blog.malwarebytes.com/privacy-2/2021/09/apple-releases-emergency-up… ∗∗∗ Facebook: Cineplexx-Gewinnspiel für "James Bond"-Tickets ist Fake ∗∗∗ --------------------------------------------- Auf Facebook kursiert gerade ein Fake-Gewinnspiel der Seite „Cineplexx Österreich“. Dort werden angeblich 2 „VIP-Spionage-Tickets“ für den neuen James Bond Film verlost. Die Teilnahme funktioniert ganz einfach: Man muss lediglich den Beitrag kommentieren. In weiterer Folge erhalten TeilnehmerInnen dann über den Facebook-Messenger eine Gewinnbenachrichtigung und werden gebeten, auf einen Link zu klicken. Vorsicht: Die Facebook-Seite „Cineplexx Österreich“ ist Fake, Sie tappen in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/facebook-cineplexx-gewinnspiel-fuer-… ∗∗∗ Benutzt hier jemand Travis CI? Stellt sich raus: Keine gute Idee ∗∗∗ --------------------------------------------- Ich sage euch, die Leichtigkeit, mit der die Leute ihren Kram in die Cloud schieben, ist immer wieder atemberaubend. Als ob das nicht dein Problem ist, wenn bei denen dann was kaputt geht!? --------------------------------------------- http://blog.fefe.de/?ts=9fbe5059 ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix ShareFile Storage Zones Controller Security Update ∗∗∗ --------------------------------------------- A security issue has been identified in Citrix ShareFile storage zones controller which, if exploited, would allow an unauthenticated attacker to remotely compromise the storage zones controller. --------------------------------------------- https://support.citrix.com/article/CTX328123 ∗∗∗ Siemens Advisories/Bulletins ∗∗∗ --------------------------------------------- Siemens hat am 14.9.2021 21 neue und 25 aktualisierte Advisories/Bulletins veröffentlicht. --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html ∗∗∗ SAP Security Patch Day - September 2021 ∗∗∗ --------------------------------------------- On 14th of September 2021, SAP Security Patch Day saw the release of 17 Security Notes. There were 2 updates to previously released Patch Day Security Note. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 ∗∗∗ Nitro PDF Pro: Security-Update verhindert Codeausführung über präparierte PDFs ∗∗∗ --------------------------------------------- Die Software Nitro PDF Pro war unter anderem mittels schädlicher PDF-Dateien angreifbar. Die neueste Version umfasst zwei wichtige Sicherheitslücken-Fixes. --------------------------------------------- https://heise.de/-6191199 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (libaom and nextcloud), Oracle (cyrus-imapd, firefox, and thunderbird), Red Hat (kernel and kpatch-patch), Scientific Linux (firefox and thunderbird), and Ubuntu (apport). --------------------------------------------- https://lwn.net/Articles/869221/ ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Jira ist eine Webanwendung zur Softwareentwicklung. Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Jira Software ausnutzen, um Informationen offenzulegen, Sicherheitsmaßnahmen zu umgehen und einen Denial of Service Zustand herbeizuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0961 ∗∗∗ ImageMagick: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- ImageMagick ist eine Sammlung von Programmbibliotheken und Werkzeugen, die Grafiken in zahlreichen Formaten verarbeiten kann. Ein entfernter, anonymer Angreifer kann eine Schwachstelle in ImageMagick ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-0962 ∗∗∗ Sicherheitslücke in HP OMEN Gaming Hub ∗∗∗ --------------------------------------------- Sicherheitsforscher von SentinelOne haben jetzt eine schwerwiegende Sicherheitslücke im HP OMEN Gaming Hub gefunden. Die Sicherheitslücke im Treiber der Gamingsoftware von HP OMEN erlaubt Angreifern Systemrechte zu erlangen. Dies ermöglicht Systemeingriffe und das Einschleusen von Malware für nichtprivilegierte Nutzer. --------------------------------------------- https://www.borncity.com/blog/2021/09/14/sicherheitslcke-in-hp-omen-gaming-… ∗∗∗ ZDI-21-1065: (0Day) Autodesk Navisworks DWG File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1065/ ∗∗∗ ZDI-21-1064: (0Day) Autodesk Navisworks PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1064/ ∗∗∗ ZDI-21-1063: (0Day) Autodesk Navisworks PDF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1063/ ∗∗∗ ZDI-21-1062: (0Day) Autodesk Navisworks DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1062/ ∗∗∗ ZDI-21-1061: (0Day) Autodesk Navisworks PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1061/ ∗∗∗ ZDI-21-1060: (0Day) Autodesk Navisworks DWG File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-21-1060/ ∗∗∗ Security Bulletin: CVE-2021-2341 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2341-may-affect-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2021-29744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability in IBM Financial Transaction Manager for SWIFT Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Spring Framework vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Stored Cross-site Scripting (CVE-2021-29743) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Vault ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM DB2 affect the IBM Intelligent Operations Center (CVE-2020-4701, CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily